Fix for OpenPGP applet selection

[frankmorgner]

• fixes OpenSC card-opengpg.c not selecting AID correctly #1230
• partially implements Partial support for OpenPGP v3.3 #1215

Checklist

• Tested with the following card: OpenPGP v3.3
  • tested PKCS#11
  • tested Windows Minidriver
  • tested macOS Tokend
  • tested opensc-tool -n

[frankmorgner]

I did some basic testing with openpgp-tool and pkcs15-init and everything seems to work as expected.

[dengert]

@frankmorgner
In some cases after the card has been matched and pgp_init has completed, a command can fail because some other middleware in a different process has done a select AID, for a different applet on the card.
The other process may not be using OpenSC but tries to select an AID to this card to see if it can be used. (The card should ignore this if it does not support the AID, but if the card does support the AID
the new AID gets selected.)

I don't see any code in OpenSC OpenPGP driver to recover from the wrong AID being selected between transactions. (Please correct me if I am wrong.)

Its not easy to test but it is one of things we should support. Basically as part of any begin transaction on a card with multiple AIDs the first command should be to reselect the AID.

The PIV driver tries to do this partly as it can run using disconnect = leave.

See #1230 (comment)
where I said:
"(TODO Some opensc/openpgp developer (not me) needs to look at doing SELECT AID for every transaction. Look at the card-piv.c and look at CI_OTHER_AID_LOSE_STATE and uses of piv_select_aid)"

The openPGP driver needs to do something like this too. Same goes for any multiple applet card, they must expect that the active AID may have been changed since they ended a transaction.

[frankmorgner]

I refactored the changes so that future releases of OpenPGP card should also work (with V2 commands).

[frankmorgner]

Yes, the driver does not protect against resetting the card or deselecting the applet (and so do some other drivers in OpenSC).

Its not easy to test but it is one of things we should support. Basically as part of any begin transaction on a card with multiple AIDs the first command should be to reselect the AID.

I disagree, this problem is not a priority for me. If you're using only OpenSC the worst that can happen is that the applet gets selected twice. The same holds for scdaemon if it uses the card non-exclusively (in exclusive use the card would not be available for OpenSC in the first place). If you're using a different Middlware or program, then, indeed, it can get complicated. Do you some other middleware that people are using together with OpenSC? I don't; and until today, we didn't get any issue reports about such a situation.

We may eventually do something against resetting the card, but deselecting cannot be easily detected nor can it be easily prevented. Hence, we would have a gigantic workload for a problem that's virtually non-existent (and I don't even mention the possibility of introducing new bugs with the new complexity).

Anyway, if you think that more discussion is required, let's put it into #962.

[dengert]

Here is a first cut to make sure the correct AID is selected even if some other driver has selected a different AID on the same card. It uses the the pgp_carcard_reader_lock_obtained that is similar to the piv_card_reader_lock_obtained Both are called from sc_lock if the lock caused the reader lock to be obtained.

Thus the first command after a sBeginTransaction is a SELECT_AID.

Only minimal testing was done with a Yubikey 4 with a PIV and OpenPGP applets but no data in either.

I note that card-openpgp.c does not call sc_lock itself. Thus some commands that could all be done as part of a transaction are treated as individual transaction.

I would really like to see a opensc-debug.log of a signature operation.

I also note that openpgp does not do any special processing of a SC_PIN_CMD_GET_INFO. If it did the logged_in state could have been reset in pgp_carcard_reader_lock_obtained much like it is in piv_card_reader_lock_obtained

This patch is built on top of this PR, and requires at least commit 005cd48 in this PR.

[dengert]

Sorry, forgot the patch:

openpgp-aid-per-sesion.txt

[frankmorgner]

@dengert please open a seperate PR for your work in progress.

[dengert]

@frankmorgner Opened new PR, based on your branch. If you commit your branch or at lease 59963e0
I can rebase and make this a separate commit.

@Jakuje @mouse07410
Please test this in your environments where you have interference from the PIV driver from other processes.

[mouse07410]

@dengert I'd be happy to test it, as now I got a good opportunity for that. Could you please clarify what exactly I should try:

• what base do I start - this master?
• what PRs do I apply? Fix for OpenPGP applet selection #1232? Reselect PKI-Applets after card reset #1243? Both? Concurrent access to multiple applications on card - Yubico, MyEID and others  #962?
• do I still apply your patch https://github.com/OpenSC/OpenSC/files/1626835/openpgp-aid-per-sesion.txt?

[dengert]

@mouse07410 You better ask @frankmorgner. My PR #1232 was to Frank's pgp33 branch because I needed at least 59963e0 Frank has since added more commits to that branch, but not mine,. Frank wrote #1243 which appears to replace my #1232, and also modified many other card drivers to handle the reset issues. I consider that a good thing.

But that still leaves cards with multiple card applications need to SELECT_AID at the start of every sCardBeginTranaaction to make sure the correct AID is selected. @frankmorgner and I disagree on the overhead. I think it is small, as a card driver should batch multiple APDUs under a single transaction. Which I dont think is very much overhead.

So I am holding off on the SELECT_AID at the start of every sCardBeginTranaaction until @frankmorgner commits his current changes to master.

[frankmorgner]

I'm confident with both, #1232 and #1243, and think they are ready to be integrated.

I'm still thinking of a more elegant way of handling the card context in case of no reset; I believe that https://github.com/OpenSC/OpenSC/files/1626835/openpgp-aid-per-sesion.txt is not quite ready.

[dengert]

Yes then please merge #1232 #1243

I agree that #1239 may not be ready. But was ready for testing.
with the openpgp. But it needs to be implemented in other card drivers.
I too am thinking of a more elegant way of handling the card context in case of no reset.

Note: iso7816_select_file command if both in_path->aidlen and in_path->len are set it will do a select AID, by using

       /* First, select the application */
       sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xA4, 4, 0);

then it will do the normal select file.
card-cac.c, card-iasecc.c, card-sc-hsm.c, pkcs15-cache.c, sc.c appear to use this feature. So some card drivers try and make sure the AID is selected before at least a select file. But there are other commands
where there may have been interference from other processes.

So without some way to know for sure the AID was not changed, the best solution is to avoid interference in the first place, by doing a select_aid as the first the card command after a sCardBeginTransaction. And the place to do it is in the *_card_reader_lock_obtained routine of a card driver.

But changing the AID may also lose the login state, ot it may also need to be tested. The PIV specs do talk about the PIV application PIN vs the Global PIN. The Discovery object says which PIN should be used. card-piv.c honers this, but needs some needs some work use this fact in piv_card_reader_lock_obtained

To avoid additional overhead and interference at unexpected times:

• batch card commands under a single transaction. Such as select_file and the read_binary commands to read the whole. And the way to batch them is for the card driver to call sc_lock to start a batch and sc_unlock when it is done or failed.
• for cards which are know to not have multiple applications (old cards which don't have an AID ) don't do the select_aid Batching could still help cut down on interference.
• If there is a way to know for sure the selected AID has not been changed by our code or some code out of our control, that would hep cut down the overhead.

[mouse07410]

I wonder whether it makes sense to worry about additional overhead, considering that smart cards in general are pretty slow, so a user isn't likely to notice that overhead anyway.

[mouse07410]

I've done preliminary testing of #1232 and #1243 (applied both) with the master, and it appears to work. I'm not sure what a good OpenSC-based test of the OpenPGP applet would be, but openpgp-tool -U seemed to work and provide the correct info. PIV applet worked fine too.

If you can think of a better test that you'd like me to try - please let me know.

[Jakuje]

I believe this is as a baseline for other work should be merged.

@mouse07410 Ideal would be some concurrent test -- load the pkcs11 module into Firefox, verify the functionality here, then try some signatures with the openPGP applet from pkcs11-tool and than again the Firefox (without loading and unloading).

I just ran simple pkcs11-tool --test, signature&verification worked, but I got failure for the Decrypt. But it is probably because of the key is designated only for signatures, even though it is not reflected in the usage flags in PKCS#11 (not sure how hard would it be to implement this).

0x7f59621b6880 15:18:56.657 [opensc-pkcs11] framework-pkcs15.c:3790:pkcs15_prkey_decrypt: Initiating decryption.
0x7f59621b6880 15:18:56.657 [opensc-pkcs11] card.c:407:sc_lock: called
0x7f59621b6880 15:18:56.657 [opensc-pkcs11] reader-pcsc.c:612:pcsc_lock: called
0x7f59621b6880 15:18:56.657 [opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7f59621b6880 15:18:56.657 [opensc-pkcs11] pkcs15-sec.c:212:sc_pkcs15_decipher: called
0x7f59621b6880 15:18:56.657 [opensc-pkcs11] padding.c:284:sc_get_encoding_flags: called
0x7f59621b6880 15:18:56.657 [opensc-pkcs11] padding.c:288:sc_get_encoding_flags: iFlags 0x2, card capabilities 0x80000012
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] padding.c:317:sc_get_encoding_flags: pad flags 0x0, secure algorithm flags 0x2
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] padding.c:318:sc_get_encoding_flags: returning with: 0 (Success)
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card.c:407:sc_lock: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] sec.c:75:sc_set_security_env: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card-openpgp.c:1682:pgp_set_security_env: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card-openpgp.c:1696:pgp_set_security_env: Key ref 2
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card-openpgp.c:1707:pgp_set_security_env: Operation: Decipher.
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card-openpgp.c:1722:pgp_set_security_env: returning with: 0 (Success)
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] sec.c:79:sc_set_security_env: returning with: 0 (Success)
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] sec.c:43:sc_decipher: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card-openpgp.c:1796:pgp_decipher: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card.c:407:sc_lock: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:10, INS:2A, P1:80, P2:86, data(255) 0x9f5000
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Yubico Yubikey 4 OTP+U2F+CCID 01 00'
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit: 
Outgoing APDU (260 bytes):
10 2A 80 86 FF 00 25 5D 27 E0 C3 62 56 25 A4 CF .*....%]'..bV%..
B8 AC 51 69 BA 3F F0 F5 78 08 BE E9 53 37 9A 92 ..Qi.?..x...S7..
33 27 DD 12 86 D9 83 BE D5 76 65 C7 9E 53 9D 20 3'.......ve..S. 
F3 D1 C4 7B DA 84 9A 9B 11 CD 74 0E 72 B4 11 66 ...{......t.r..f
8D E3 71 3E 37 03 39 7F A8 9C 06 BE 83 A1 DA A7 ..q>7.9.........
AB 27 C5 56 C7 69 50 6A 71 AE C2 24 48 86 70 28 .'.V.iPjq..$H.p(
E3 80 17 C3 3C AF 9F B1 33 1A 1E 5B E9 0E 00 A5 ....<...3..[....
22 2A B6 61 DF 4B 94 36 9B BE BA 16 A0 C8 E2 59 "*.a.K.6.......Y
46 BE 6A 1E 23 2F 87 78 78 E4 D3 EF 76 F2 2F D8 F.j.#/.xx...v./.
F2 59 08 6E 05 4E FC 27 FE 27 BE 7E 1B 04 74 B5 .Y.n.N.'.'.~..t.
9F 4F 9B 39 31 7E 38 EE FA FF C2 50 07 BC B5 37 .O.91~8....P...7
15 4B 52 65 EC 83 DB FB 9B 28 AA 8F F2 2F 60 F8 .KRe.....(.../`.
DF 31 65 5F 01 71 81 CD B4 1A 3C 14 25 EF 77 25 .1e_.q....<.%.w%
B6 7C E5 F5 75 CB 3C 33 2F 9F 00 8B 68 7F 5B FF .|..u.<3/...h.[.
95 D8 01 E9 A0 30 4C 8C 5A 84 C0 00 D7 B7 2A 80 .....0L.Z.....*.
FC C1 E3 62 E4 04 D4 E8 7D 27 4A 45 9D 95 B6 40 ...b....}'JE...@
4C 9D 23 8A                                     L.#.
0x7f59621b6880 15:18:56.658 [opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:0, INS:2A, P1:80, P2:86, data(2) 0x9f50ff
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Yubico Yubikey 4 OTP+U2F+CCID 01 00'
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit: 
Outgoing APDU (8 bytes):
00 2A 80 86 02 20 45 00 .*... E.
0x7f59621b6880 15:18:56.659 [opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit: 
Incoming APDU (2 bytes):
69 85 i.
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] iso7816.c:124:iso7816_check_sw: Conditions of use not satisfied
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card-openpgp.c:1846:pgp_decipher: Card returned error: -1209 (Not allowed)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] sec.c:47:sc_decipher: returning with: -1209 (Not allowed)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] pkcs15-sec.c:227:sc_pkcs15_decipher: use_key() failed: -1209 (Not allowed)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] pkcs15-sec.c:212:sc_pkcs15_decipher: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] padding.c:284:sc_get_encoding_flags: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] padding.c:288:sc_get_encoding_flags: iFlags 0x2, card capabilities 0x80000012
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] padding.c:317:sc_get_encoding_flags: pad flags 0x0, secure algorithm flags 0x2
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] padding.c:318:sc_get_encoding_flags: returning with: 0 (Success)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card.c:407:sc_lock: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] sec.c:75:sc_set_security_env: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card-openpgp.c:1682:pgp_set_security_env: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card-openpgp.c:1696:pgp_set_security_env: Key ref 2
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card-openpgp.c:1707:pgp_set_security_env: Operation: Decipher.
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card-openpgp.c:1722:pgp_set_security_env: returning with: 0 (Success)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] sec.c:79:sc_set_security_env: returning with: 0 (Success)
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] sec.c:43:sc_decipher: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card-openpgp.c:1796:pgp_decipher: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card.c:407:sc_lock: called
0x7f59621b6880 15:18:56.663 [opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7f59621b6880 15:18:56.664 [opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7f59621b6880 15:18:56.664 [opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f59621b6880 15:18:56.664 [opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:10, INS:2A, P1:80, P2:86, data(255) 0x9f5000
0x7f59621b6880 15:18:56.664 [opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Yubico Yubikey 4 OTP+U2F+CCID 01 00'
0x7f59621b6880 15:18:56.664 [opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit: 
Outgoing APDU (260 bytes):
10 2A 80 86 FF 00 25 5D 27 E0 C3 62 56 25 A4 CF .*....%]'..bV%..
B8 AC 51 69 BA 3F F0 F5 78 08 BE E9 53 37 9A 92 ..Qi.?..x...S7..
33 27 DD 12 86 D9 83 BE D5 76 65 C7 9E 53 9D 20 3'.......ve..S. 
F3 D1 C4 7B DA 84 9A 9B 11 CD 74 0E 72 B4 11 66 ...{......t.r..f
8D E3 71 3E 37 03 39 7F A8 9C 06 BE 83 A1 DA A7 ..q>7.9.........
AB 27 C5 56 C7 69 50 6A 71 AE C2 24 48 86 70 28 .'.V.iPjq..$H.p(
E3 80 17 C3 3C AF 9F B1 33 1A 1E 5B E9 0E 00 A5 ....<...3..[....
22 2A B6 61 DF 4B 94 36 9B BE BA 16 A0 C8 E2 59 "*.a.K.6.......Y
46 BE 6A 1E 23 2F 87 78 78 E4 D3 EF 76 F2 2F D8 F.j.#/.xx...v./.
F2 59 08 6E 05 4E FC 27 FE 27 BE 7E 1B 04 74 B5 .Y.n.N.'.'.~..t.
9F 4F 9B 39 31 7E 38 EE FA FF C2 50 07 BC B5 37 .O.91~8....P...7
15 4B 52 65 EC 83 DB FB 9B 28 AA 8F F2 2F 60 F8 .KRe.....(.../`.
DF 31 65 5F 01 71 81 CD B4 1A 3C 14 25 EF 77 25 .1e_.q....<.%.w%
B6 7C E5 F5 75 CB 3C 33 2F 9F 00 8B 68 7F 5B FF .|..u.<3/...h.[.
95 D8 01 E9 A0 30 4C 8C 5A 84 C0 00 D7 B7 2A 80 .....0L.Z.....*.
FC C1 E3 62 E4 04 D4 E8 7D 27 4A 45 9D 95 B6 40 ...b....}'JE...@
4C 9D 23 8A                                     L.#.
0x7f59621b6880 15:18:56.664 [opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:0, INS:2A, P1:80, P2:86, data(2) 0x9f50ff
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Yubico Yubikey 4 OTP+U2F+CCID 01 00'
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit: 
Outgoing APDU (8 bytes):
00 2A 80 86 02 20 45 00 .*... E.
0x7f59621b6880 15:18:56.665 [opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit: 
Incoming APDU (2 bytes):
69 85 i.
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] iso7816.c:124:iso7816_check_sw: Conditions of use not satisfied
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] card-openpgp.c:1846:pgp_decipher: Card returned error: -1209 (Not allowed)
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] sec.c:47:sc_decipher: returning with: -1209 (Not allowed)
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] pkcs15-sec.c:227:sc_pkcs15_decipher: use_key() failed: -1209 (Not allowed)
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] card.c:459:sc_unlock: called
0x7f59621b6880 15:18:56.668 [opensc-pkcs11] reader-pcsc.c:662:pcsc_unlock: called
0x7f59621b6880 15:18:56.676 [opensc-pkcs11] framework-pkcs15.c:3832:pkcs15_prkey_decrypt: Decryption complete. Result -1209.
0x7f59621b6880 15:18:56.676 [opensc-pkcs11] pkcs11-object.c:903:C_Decrypt: C_Decrypt() = CKR_FUNCTION_FAILED

[frankmorgner]

thanks for testing, @mouse07410. I additionally verified the changes and everything looks good.

[mouse07410]

@frankmorgner This PR is merged, and seems to be working OK - but I have one weird issue. My card has three subkeys on it: Signature, Encryption, and Authentication. OpenSC appears to recognize only two of them - Encryption and Authentication.

What's happening to the first subkey, and how to make it visible/usable?

$ gpg --card-status

Reader ...........: Yubico Yubikey 4 OTP U2F CCID
Application ID ...: D27600012401020100060xxxxxxxx
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 0xxxxxx
Name of cardholder: XXX XXXXX
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: xxxxxx
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 24
Signature key ....: 359A 0BEC DB88 C52C 2E38  B601 48D4 424D 2C3B 2168
      created ....: 2017-07-18 19:44:03
Encryption key....: D56A E4DE E9D0 D0CB FCE6  5259 E4E3 8FBE 3DA5 6F45
      created ....: 2017-07-18 19:43:22
Authentication key: 5947 68E7 8B26 D515 7CE2  589C 8F26 0FAF 38E0 AFB0
      created ....: 2017-07-18 19:52:49
General key info..: sub  rsa4096/48D4424D2C3B2168 2017-07-18 xxxxxxxxxxxxxxxx
sec   rsa4096/9AD91BAFE644595A  created: 2015-02-20  expires: 2018-08-19
ssb>  rsa4096/E4E38FBE3DA56F45  created: 2017-07-18  expires: 2018-08-19
                                card-no: 0006 0xxxxxx
ssb>  rsa4096/48D4424D2C3B2168  created: 2017-07-18  expires: 2018-08-19
                                card-no: 0006 0xxxxxx
ssb>  rsa4096/8F260FAF38E0AFB0  created: 2017-07-18  expires: 2018-08-19
                                card-no: 0006 0xxxxxx
$ OPENSC_DRIVER=openpgp pkcs11-tool -O --login
Using slot 1 with a present token (0x4)
Logging in to "User PIN (OpenPGP card)".
Please enter User PIN: 
Private Key Object; RSA 
  label:      Encryption key
  ID:         02
  Usage:      decrypt, unwrap
Public Key Object; RSA 4096 bits
  label:      Encryption key
  ID:         02
  Usage:      encrypt, wrap
Private Key Object; RSA 
  label:      Authentication key
  ID:         03
  Usage:      decrypt, sign, non-repudiation, unwrap
Public Key Object; RSA 4096 bits
  label:      Authentication key
  ID:         03
  Usage:      encrypt, verify, wrap
$ 

[Jakuje]

FYI, I have similar issue -- I generated only two subkeys if I remember well and I saw only one of them through the pkcs11, but I was accounting it to be bad knowledge of GnuPG, while I was setting that thing up some months ago.

[mouse07410]

but I was accounting it to be bad knowledge of GnuPG...

No, GnuPG is perfect in this respect. Here's an example:

$ gpg --card-status
. . . . .
Signature key ....: 359A 0BEC DB88 C52C 2E38  B601 48D4 424D 2C3B 2168
      created ....: 2017-07-18 19:44:03
Encryption key....: D56A E4DE E9D0 D0CB FCE6  5259 E4E3 8FBE 3DA5 6F45
      created ....: 2017-07-18 19:43:22
Authentication key: 5947 68E7 8B26 D515 7CE2  589C 8F26 0FAF 38E0 AFB0
      created ....: 2017-07-18 19:52:49
General key info..: sub  rsa4096/48D4424D2C3B2168 XXXXXXXX
. . . . .
$ gpg -sea -r "XXXXXXXX" message.txt
gpg: using "CE994DDF383A39DE066B270B9AD91BAFE644595A" as default secret key for signing
$ gpg -d message.txt.asc 
gpg: encrypted with 4096-bit RSA key, ID E4E38FBE3DA56F45, created 2017-07-18
      "XXXXXXXXX"
This is a secret message for XXXXXX
gpg: Signature made Thu Jan 25 15:58:54 2018 EST
gpg:                using RSA key 359A0BECDB88C52C2E38B60148D4424D2C3B2168
gpg: Good signature from "XXXXXXX" [ultimate]
gpg:                 aka "XXXXXXXXXXXX" [ultimate]
$ 

You can correlate the key IDs used by GnuPG, and see that indeed it used the Signature subkey to sign/verify, and the Encryption subkey to encrypt/decrypt. Leaving Authentication subkey alone, as it doesn't belong in this operation. So the problem is solely with OpenSC. Perhaps I should copy this to a new issue...

[frankmorgner]

Sounds interesting, could be a problem that may also be present for OpenPGP before version 3. Please open a seperate issue to track the status (copying the comments should be enough)

[alex-nitrokey]

IMHO this has nothing todo with OpenPGP Card 3. As seen above the Yubikey is using version 2.1 anyway. And I see the exact same behaviour on a Nitrokey Pro with OPC 2 here.

[frankmorgner]

@alex-nitrokey please note different the commit description. Not all of them are are version 3 specific. Yes, some of them apply to all versions of OpenPGP tokens.

[alex-nitrokey]

Maybe I misunderstood.

Sounds interesting, could be a problem that may also be present for OpenPGP before version 3.

This seemed to be in question, therefore I thought of pointing out, that it occurs no matter which OpenPGP Card is used...