-
Notifications
You must be signed in to change notification settings - Fork 708
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Advanced Card Systems CryptoMate64: lockout after failed PIN attempts #1204
Comments
Well, obviously OpenSC supports some variant of the card. If you want us to block your type of card we need something to identify your card (the ATR is not sufficient, obviously), otherwise we can't do much for you. If you want us to fix some more specific problem in OpenSC, you need to give us more details (i.e. a debug log) |
Sure, I can gather the logs, as well as a sniff of the successful communication from |
Hi, The underlying problem is the match for CryptoMate64 in internal driver card-acos5.c ! Beginning with opensc version 0.15.0 or 0.16.0, driver acos5/card-acos5.c was added to the internal drivers (contrary to https://github.com/OpenSC/OpenSC/wiki/ACOS5, which states that it does not (yet) support ACOS5), and this driver claims to support ATR 3b:be:96:00:00:41:05:20:00:00:00:00:00:00:00:00:00:90:00 (==ACS CryptoMate64/ACOS5-64 V2.00 smart card) and 3b:be:18:00:00:41:05:10:00:00:00:00:00:00:00:00:00:90:00 (==ACS ACOS5 "ACOS5-32-G" dual card). My recommendation is to remove ATR 3b:be:96:00:00:41:05:20:00:00:00:00:00:00:00:00:00:90:00 (==ACS CryptoMate64/ACOS5-64 V2.00) from card-acos5.c, as this is the current state of affair: Imitating my recommendation by configuring opensc.conf: card_drivers = default; user@host: |
Partial support for CryptoMate64 would be OK, but the things that are not working should give more reasonable errors. @carblue please make a PR either disabling the card or disabling the calls that are not working. |
@frankmorgner |
Problem Description
I just got a Bulgarian "Qualified Electronic Signature" device from Stampit. Following the instructions in Arch Wiki installed
ccid
andopensc
.pcsc_scan
immediately foundThe rest of the story is here, in short: using
pkcs11-tool --login --test
always resulted inCKR_PIN_INCORRECT
. At the issuer's office I had a chat with their tech guy, who immediately knewopensc
doesn't support this card and installedlibcmP11.so
from their OEM tool instead. It works.Proposed Resolution
Don't attempt to PIN-unlock the device, give a meaningful error instead, or support it.
Steps to reproduce
opensc
Logs
I didn't gather any, but can reproduce it, for science.
The text was updated successfully, but these errors were encountered: