OpenSC + Smartcard-HSM + secp521r1 + OpenSSH = signing failed for ECDSA "secp521r1": error in libcrypto

[no-usernames-left]

Problem Description

OpenSSH throws an error in libcrypto when trying to use a secp521r1 key on a Smartcard-HSM (3.6) with many keys on it. This is nearly the first key on the card, and the next one is secp384r1. The keys themselves are named on the card after the algorithms.

System is Arch Linux, kernel 6.6.31-1-lts. Reader is Cherry ST-2000 with PIN pad.

Relevant packages:

openssl 3.3.0-1
openssh 9.7p1-2
opensc 0.25.1-1
pcsclite 2.2.2-1
ccid 1.5.5-1
pcsc-tools 1.7.1-1

~/.ssh/config (to enable OpenSC and disable RSA):

PKCS11Provider /usr/lib/opensc-pkcs11.so
PubKeyAcceptedAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],ecdsa-sha2-nistp521,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp256,[email protected],[email protected],[email protected],[email protected]

Verbose SSH output, lightly redacted:

[user@host ~]$ ssh username@hostname -v
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 2: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: Connecting to hostname [ip.add.re.ss] port 22.
debug1: Connection established.
debug1: provider /usr/lib/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.25
debug1: provider /usr/lib/opensc-pkcs11.so slot 0: label <DECCnnnnnnn (UserPIN)> manufacturerID <www.CardContact.de> model <PKCS#15 emulated> serial <DECCnnnnnnn> flags 0x50d
debug1: have 1 keys
debug1: have 2 keys
debug1: have 3 keys
debug1: have 4 keys
debug1: have 5 keys
debug1: have 6 keys
debug1: have 7 keys
debug1: have 8 keys
debug1: have 9 keys
debug1: have 10 keys
debug1: have 11 keys
debug1: have 12 keys
debug1: have 13 keys
debug1: have 14 keys
debug1: have 15 keys
debug1: have 16 keys
debug1: have 17 keys
debug1: have 18 keys
debug1: have 19 keys
ossl_error: o2i_ECPublicKey failed
ossl_error: libcrypto error: error:0800006B:elliptic curve routines::point is not on curve
ossl_error: libcrypto error: error:08080010:elliptic curve routines::EC lib
debug1: pkcs11_k11_free: parent 0x5e4645071da0 ptr (nil) idx 1
failed to fetch key
debug1: have 20 keys
debug1: pkcs11_k11_free: parent 0x5e464507de00 ptr 0x5e464507d600 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 21
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u2
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hostname:22 as 'username'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: pkcs11_k11_free: parent 0x5e464507de00 ptr (nil) idx 1
debug1: pkcs11_k11_free: parent 0x5e464507ccd0 ptr (nil) idx 1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:[ ---8<--- ]
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'ip.add.re.ss' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:2
debug1: pkcs11_k11_free: parent 0x5e464507de00 ptr (nil) idx 1
debug1: pkcs11_k11_free: parent 0x5e464506e5d0 ptr (nil) idx 1
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_ext_info_check_ver: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Skipping ssh-rsa key DevNetCA/Name Goes Here [Timestamp Goes Here] - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464505ff00 ptr 0x5e4645068f50 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 21
debug1: Skipping ssh-rsa key RSA4096 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464505fc60 ptr 0x5e46450695f0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 20
debug1: Skipping ssh-rsa key RSA3072 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464505f9c0 ptr 0x5e4645069e00 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 19
debug1: Skipping ssh-rsa key RSA2048 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464505f720 ptr 0x5e464506a2e0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 18
debug1: Skipping ssh-rsa key RSA1536 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464505f480 ptr 0x5e464506a750 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 17
debug1: Skipping ssh-rsa key RSA1024 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e4645049520 ptr 0x5e464506aa30 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 16
debug1: Skipping ssh-unknown key Group Signer - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464506ac20 ptr 0x5e464506b9b0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 15
debug1: Skipping ssh-unknown key secp192r1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464506cb20 ptr 0x5e464506ce10 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 14
debug1: Skipping ssh-unknown key brainpoolP512r1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464506ccc0 ptr 0x5e464506e7d0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 13
debug1: Skipping ssh-unknown key brainpoolP384r1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464506bd80 ptr 0x5e464506f4b0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 12
debug1: Skipping ssh-unknown key brainpoolP320r1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464506c910 ptr 0x5e464506faa0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 11
debug1: Skipping ssh-unknown key brainpoolP256r1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464506e020 ptr 0x5e4645070230 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 10
debug1: Skipping ssh-unknown key brainpoolP224r1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e464506de30 ptr 0x5e4645070ab0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 9
debug1: Skipping ssh-unknown key brainpoolP192r1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e4645070530 ptr 0x5e4645071140 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 8
debug1: Skipping ssh-unknown key secp256k1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e4645070db0 ptr 0x5e4645071a20 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 7
debug1: Skipping ssh-unknown key secp192k1 - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e4645071500 ptr 0x5e46450705a0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 6
debug1: Skipping ssh-unknown key XKEK Exchange - corresponding algorithm not in PubkeyAcceptedAlgorithms
debug1: pkcs11_k11_free: parent 0x5e4645072590 ptr 0x5e4645072b80 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 5
debug1: Will attempt key: secp521r1 ECDSA SHA256:[ ---8<--- ] token
debug1: Will attempt key: secp384r1 ECDSA SHA256:[ ---8<--- ] token
debug1: Will attempt key: secp256r1 ECDSA SHA256:[ ---8<--- ] token
debug1: Will attempt key: /home/user/.ssh/id_rsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa 
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/user/.ssh/id_ed25519 
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/user/.ssh/id_xmss 
debug1: Will attempt key: /home/user/.ssh/id_dsa 
debug1: Offering public key: secp521r1 ECDSA SHA256:[ ---8<--- ] token
debug1: Server accepts key: secp521r1 ECDSA SHA256:[ ---8<--- ] token
Deferring PIN entry to reader keypad.
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/lib/opensc-pkcs11.so" slot 0 object 103655898743328: attrib 514 = 0
C_Sign failed: 84
debug1: identity_sign: sshkey_sign: error in libcrypto
sign_and_send_pubkey: signing failed for ECDSA "secp521r1": error in libcrypto
debug1: pkcs11_k11_free: parent 0x5e464506b750 ptr (nil) idx 1
debug1: Offering public key: secp384r1 ECDSA SHA256:[ ---8<--- ] token
debug1: Server accepts key: secp384r1 ECDSA SHA256:[ ---8<--- ] token
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/lib/opensc-pkcs11.so" slot 0 object 103655898743424: attrib 514 = 0
debug1: pkcs11_k11_free: parent 0x5e464506b750 ptr (nil) idx 1
debug1: pkcs11_k11_free: parent 0x5e464506c6e0 ptr 0x5e464506d470 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 4
debug1: pkcs11_k11_free: parent 0x5e464506b420 ptr 0x5e464506b620 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 3
debug1: pkcs11_k11_free: parent 0x5e464506adc0 ptr 0x5e464506cd30 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 2
Authenticated to hostname ([ip.add.re.ss]:22) using "publickey".
debug1: check provider "/usr/lib/opensc-pkcs11.so"
debug1: pkcs11_provider_finalize: provider "/usr/lib/opensc-pkcs11.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 1
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts for hostname / (none)
debug1: pkcs11_k11_free: parent 0x5e464505f480 ptr (nil) idx 1
debug1: pkcs11_k11_free: parent 0x5e464507fae0 ptr (nil) idx 1
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts2 for hostname / (none)
debug1: client_input_hostkeys: hostkeys file /home/user/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: pkcs11_k11_free: parent 0x5e4645049520 ptr (nil) idx 1
debug1: pkcs11_k11_free: parent 0x5e464506b750 ptr (nil) idx 1
debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: pledge: fork
Last login: Thu May 23 13:09:31 2024 from ip.add.re.ss
user@hostname:~$ [^D]
logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to hostname closed.
Transferred: sent 4264, received 4880 bytes, in 2.4 seconds
Bytes per second: sent 1795.3, received 2054.7
debug1: Exit status 0

Proposed Resolution

This should "just work", like smaller EC key sizes, no?

Steps to reproduce

It seems as though secp521r1 in general is affected.

[no-usernames-left]

pacman reports that /usr/lib/libcrypto.so.3 is owned by openssl 3.3.0-1, so I also filed a bug against OpenSSL (openssl/openssl#24479); if the true cause is there, please feel free to close this issue.

[no-usernames-left]

@CardContact Is this a known issue?

[CardContact]

This is not a known issue. Apparently OpenSC reports CKR_FUNCTION NOT SUPPORTED (84), which I can confirm in my own tests with a secp521 key.

Maybe you can try our own PKCS#11 module to confirm that this is an OpenSC issue.

[dengert]

An OpenSC debug log would help. https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

Also look at using the SPY capability, that can log PKCS11 calls.

secp521 has a field size of 521 bits which is not a multiple or 8 and it is possible conversion to get a buffer size is not doing
bytes = (bits+7)/8 and is thus too small at some point is any one of the packages being used.

[CardContact]

Did you generate the keys using the Smart Card Shell ?

Turns out, that the Smart Card Shell encodes the field size in PKCS#15 as 528 rather than 521. This leads to the observed CKR_FUNCTION NOT SUPPORTED error in OpenSC.

We'll fix that in the Smart Card Shell and provide a mechanism to fix the PKCS#15 description for existing keys.

[no-usernames-left]

Did you generate the keys using the Smart Card Shell ?

Actually, yes I did.

Turns out, that the Smart Card Shell encodes the field size in PKCS#15 as 528 rather than 521. This leads to the observed CKR_FUNCTION NOT SUPPORTED error in OpenSC.

Nailed it!

We'll fix that in the Smart Card Shell and provide a mechanism to fix the PKCS#15 description for existing keys.

l'll be in touch to get that info.

Thanks again for the quick resolution!

[CardContact]

The Smart Card Shell has been updated to fix the issue.

[no-usernames-left]

provide a mechanism to fix the PKCS#15 description for existing keys.

@CardContact I see a patch for OpenSC, but how can existing keys on the card be repaired?

[CardContact]

Working on it. Will be an option offered in the Smart Card Shell.

[CardContact]

There is now an option in the Smart Card Shell to repair the wrong key length.

The option "Fix wrong key size" is offered in the context menu of a secp521r1 key, if the wrong encoding is detected. The fix will then rewrite the PKCS#15 description for the key.

[no-usernames-left]

There is now an option in the Smart Card Shell to repair the wrong key length.

I can confirm this fix (in version 3.18.28 of SCSH) works! (@CardContact May I suggest that you pop a dialog box after outline creation finishes if the key size issue is detected, with yes/no options to fix it?)

SSH output before fix:

debug2: pubkey_prepare: done
debug1: Offering public key: secp521r1 ECDSA SHA256:[snip] token
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: secp521r1 ECDSA SHA256:[snip] token
debug3: sign_and_send_pubkey: using [email protected] with ECDSA SHA256:[snip]
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp521 SHA256:[snip]
Deferring PIN entry to reader keypad.
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/lib/opensc-pkcs11.so" slot 0 object 104000323084912: attrib 514 = 0
C_Sign failed: 84
debug1: identity_sign: sshkey_sign: error in libcrypto
sign_and_send_pubkey: signing failed for ECDSA "secp521r1": error in libcrypto
debug1: pkcs11_k11_free: parent 0x5e96765117a0 ptr (nil) idx 1
debug1: Offering public key: secp384r1 ECDSA SHA256:[snip] token
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: secp384r1 ECDSA SHA256:[snip] token
debug3: sign_and_send_pubkey: using [email protected] with ECDSA SHA256:[snip]
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp384 SHA256:[snip]
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/lib/opensc-pkcs11.so" slot 0 object 104000323085008: attrib 514 = 0
debug3: send packet: type 50
debug1: pkcs11_k11_free: parent 0x5e96765117a0 ptr (nil) idx 1
debug3: receive packet: type 52
debug1: pkcs11_k11_free: parent 0x5e9676512730 ptr 0x5e96765134c0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 4
debug1: pkcs11_k11_free: parent 0x5e9676511470 ptr 0x5e9676511670 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 3
debug1: pkcs11_k11_free: parent 0x5e9676510e10 ptr 0x5e9676512d80 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 2
Authenticated to hostname ([ip.add.re.ss]:22) using "publickey".

SCSH output of the fix (Shell tab):

Old PRKD
A0 [ CONTEXT 0 ] IMPLICIT SEQUENCE SIZE( 54 )
  SEQUENCE SIZE( 11 )
    UTF8-STRING SIZE( 9 )
      0000  73 65 63 70 35 32 31 72 31                       secp521r1
  SEQUENCE SIZE( 27 )
    OCTET-STRING SIZE( 20 )
      0000  53 4D 67 5A F6 E4 91 95 86 8F 40 3F 34 96 4C B9  SMgZ......@?4.L.
      0010  A0 05 00 B7                                      ....
    BIT-STRING SIZE( 3 )
      0000  07 20 80                                         . .
  A1 [ CONTEXT 1 ] IMPLICIT SEQUENCE SIZE( 10 )
    SEQUENCE SIZE( 8 )
      SEQUENCE SIZE( 2 )
        OCTET-STRING SIZE( 0 )
      INTEGER SIZE( 2 )
        0000  02 10                                            ..

New PRKD
A0 [ CONTEXT 0 ] IMPLICIT SEQUENCE SIZE( 54 )
  SEQUENCE SIZE( 11 )
    UTF8-STRING SIZE( 9 )
      0000  73 65 63 70 35 32 31 72 31                       secp521r1
  SEQUENCE SIZE( 27 )
    OCTET-STRING SIZE( 20 )
      0000  53 4D 67 5A F6 E4 91 95 86 8F 40 3F 34 96 4C B9  SMgZ......@?4.L.
      0010  A0 05 00 B7                                      ....
    BIT-STRING SIZE( 3 )
      0000  07 20 80                                         . .
  A1 [ CONTEXT 1 ] IMPLICIT SEQUENCE SIZE( 10 )
    SEQUENCE SIZE( 8 )
      SEQUENCE SIZE( 2 )
        OCTET-STRING SIZE( 0 )
      INTEGER SIZE( 2 )
        0000  02 09                                            ..

SCSH output of the fix (Trace tab):

DD C: 00 D7 C4 03 - UPDATE BINARY Lc=62 
      0005  54 02 00 00 53 38 A0 36 30 0B 0C 09 73 65 63 70  T...S8.60...secp
      0015  35 32 31 72 31 30 1B 04 14 53 4D 67 5A F6 E4 91  521r10...SMgZ...
      0025  95 86 8F 40 3F 34 96 4C B9 A0 05 00 B7 03 03 07  ...@?4.L........
      0035  20 80 A1 0A 30 08 30 02 04 00 02 02 02 09         ...0.0.......
   R: SW1/SW2=9000 (Normal processing: No error) Lr=0

SSH output after fix:

debug2: pubkey_prepare: done
debug1: Offering public key: secp521r1 ECDSA SHA256:[snip] token
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: secp521r1 ECDSA SHA256:[snip] token
debug3: sign_and_send_pubkey: using [email protected] with ECDSA SHA256:[snip]
debug3: sign_and_send_pubkey: signing using ecdsa-sha2-nistp521 SHA256:[snip]
Deferring PIN entry to reader keypad.
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/lib/opensc-pkcs11.so" slot 0 object 103600836620960: attrib 514 = 0
debug3: send packet: type 50
debug1: pkcs11_k11_free: parent 0x5e39731167d0 ptr (nil) idx 1
debug3: receive packet: type 52
debug1: pkcs11_k11_free: parent 0x5e3973115e40 ptr 0x5e3973117db0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 4
debug1: pkcs11_k11_free: parent 0x5e3973117760 ptr 0x5e39731184f0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 3
debug1: pkcs11_k11_free: parent 0x5e39731164a0 ptr 0x5e39731166a0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/opensc-pkcs11.so" refcount 2
Authenticated to hostname ([ip.add.re.ss]:22) using "publickey".

[no-usernames-left]

Closed as resolved upstream (root cause was external to OpenSC). Thanks for the quick reaction and resolution!