C_Login failed: rv = CKR_USER_PIN_NOT_INITIALIZED (0x102)

[saper]

Problem Description

After upgrading from 0.20.0 (built from FreeBSD ports or from source) to master 7840804 (built with --configure --prefix=/usr/local both pkcs11-tool and pkcs15-tool could not find PINs:

> /usr/local/bin/pkcs15-tool --dump --short
Using reader with a card: Gemalto USB Shell Token V2 (457FF72B) 00 00
PKCS#15 Card [CardOS V5.3 | EC00258XX]:
	Version        : 0
	Serial number  : 31
	Manufacturer ID: Atos IT Solutions and Services GmbH
	Flags          : Login required, PRN generation
Card has 0 Authentication object(s).
Card has 1 Private key(s).
	RSA[3072]  ID:45435f353933XXXX  Ref:0x02  AuthID:01
	     03e67016-56c9-478f-b811-4fbf50ed067d [0x26, decrypt, sign, unwrap]
Card has 1 Public key(s).
	RSA[3072]  45435f353933XXXX  Ref:0xFFFFFFFF                     [0x51, encrypt, wrap, verify]
Card has 1 Certificate(s).
	Path:3f00501543044301  ID:45435f353933XXXX
Card has 0 Data object(s).

> /usr/local/bin/pkcs11-tool -O -l         
Using slot 0 with a present token (0x0)
Logging in to "CardOS V5.3 | EC0025873".
Please enter User PIN: 
error: PKCS11 function C_Login failed: rv = CKR_USER_PIN_NOT_INITIALIZED (0x102)
Aborting.

With 0.20.0:

> pkcs11-tool -l -O
Using slot 0 with a present token (0x0)
Logging in to "CardOS V5.3 | EC00258XX".
Please enter User PIN: 
Private Key Object; RSA 
  label:      03e67016-56c9-478f-b811-4fbf50ed067d
  ID:         45435f353933XXXX
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 3072 bits
  label:      
  ID:         45435f353933XXXX
  Usage:      encrypt, verify, wrap
  Access:     local
Certificate Object; type = X.509 cert
  label:      EC_593XX
  subject:    DN: CN=Marcin Tomasz Cie\xC5\x9Blak/serialNumber=PNOPL-74XXXXXXXXX, SN=Cie\xC5\x9Blak, GN=Marcin, C=PL
  ID:         45435f353933XXXX
> pkcs15-tool --dump --short
Using reader with a card: Gemalto USB Shell Token V2 (457FF72B) 00 00
PKCS#15 Card [CardOS V5.3 | EC0025873]:
	Version        : 0
	Serial number  : 31
	Manufacturer ID: Atos IT Solutions and Services GmbH
	Flags          : Login required, PRN generation
Card has 2 Authentication object(s).
	PIN  ID:01  Ref:0x01  AuthID:02  PIN
	PIN  ID:02  Ref:0x02  SO-PIN
Card has 1 Private key(s).
	RSA[3072]  ID:45435f353933XXXX  Ref:0x02  AuthID:01
	     03e67016-56c9-478f-b811-4fbf50ed067d [0x26, decrypt, sign, unwrap]
Card has 1 Public key(s).
	RSA[3072]  45435f353933XXXX  Ref:0xFFFFFFFF                     [0x51, encrypt, wrap, verify]
Card has 1 Certificate(s).
	Path:3f00501543044301  ID:45435f353933XXXX

Steps to reproduce

pkcs11-tool -O -l

Logs

After finding both PIN objects the decoding process fails trying ASN.1 decode:

P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1700:asn1_decode: Looking for 'pinReference', tag 0x20000000, OPTIONAL
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1485:asn1_decode_entry:     decoding 'pinReference', raw data:0001
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1511:asn1_decode_entry:     decoding 'pinReference' returned 0
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1658:asn1_decode_entry: decoding of ASN.1 object 'pinReference' failed: Invalid ASN.1 object
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1658:asn1_decode_entry: decoding of ASN.1 object 'pinAttributes' failed: Invalid ASN.1 object
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1658:asn1_decode_entry: decoding of ASN.1 object 'typeAttributes' failed: Invalid ASN.1 object
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1658:asn1_decode_entry: decoding of ASN.1 object 'pin' failed: Invalid ASN.1 object
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/pkcs15-pin.c:146:sc_pkcs15_decode_aodf_entry: ASN.1 decoding failed: -1401 (Invalid ASN.1 object)
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/pkcs15.c:2095:sc_pkcs15_parse_df: Invalid ASN.1 object: Error decoding DF entry
P:78653; T:0x34412257280 22:52:52.642 [opensc-pkcs11] ../../../OpenSC/src/libopensc/pkcs15.c:2115:sc_pkcs15_parse_df: returning with: -1401 (Invalid ASN.1 object)

With 0.20.0 it works:

P:23446; T:0x34412257280 23:03:37.601 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1642:asn1_decode: Looking for 'pinReference', tag 0x20000000, OPTIONAL
P:23446; T:0x34412257280 23:03:37.601 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1427:asn1_decode_entry:     decoding 'pinReference', raw data:0001
P:23446; T:0x34412257280 23:03:37.601 [opensc-pkcs11] ../../../OpenSC/src/libopensc/asn1.c:1453:asn1_decode_entry:     decoding 'pinReference' returned 1

[saper]

Could this be one of the ASN.1 changes in sc_asn1_decode_integer()? @Jakuje

[Jakuje]

My reading of the ASN1/DER is that Integer should be encoded to minimum number of octets [1]:

Contents octets give the value of the integer, base 256, in two's complement form, most significant digit first, with the minimum number of octets.

which the value given in your log (0001) is certainly not.

Your log do not show enough context to see where is the asn1 parser called, but assuming there might be other cards providing not strictly valid DER encodings, we can default to non-strict parsing. Can you check with the following patch?

diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
--- a/src/libopensc/asn1.c
+++ b/src/libopensc/asn1.c
@@ -1506,7 +1506,7 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
 	case SC_ASN1_INTEGER:
 	case SC_ASN1_ENUMERATED:
 		if (parm != NULL) {
-			r = sc_asn1_decode_integer(obj, objlen, (int *) entry->parm, 1);
+			r = sc_asn1_decode_integer(obj, objlen, (int *) entry->parm, 0);
 			sc_debug(ctx, SC_LOG_DEBUG_ASN1, "%*.*sdecoding '%s' returned %d\n", depth, depth, "",
 					entry->name, *((int *) entry->parm));
 		}

[1] http://luca.ntop.org/Teaching/Appunti/asn1.html

[saper]

Yes, this patch works. I have seen your attempts to differentiate strict from less-strict.

I tried to dump a PIN structure into the decoder:

https://lapo.it/asn1js/#MCswDAwDUElOAwIGwAQBAjADBAEBoRYwFAMCA4gKAQICAQQCAQACARCAAgAB

SEQUENCE (3 elem)
  SEQUENCE (3 elem)
    UTF8String PIN
    BIT STRING (2 bit) 11
    OCTET STRING (1 byte) 02
  SEQUENCE (1 elem)
    OCTET STRING (1 byte) 01
  [1] (1 elem)
    SEQUENCE (6 elem)
      BIT STRING (5 bit) 10001
      ENUMERATED
      INTEGER 4
      INTEGER 0
      INTEGER 16
      [0] (2 byte) 0001

[Jakuje]

Right. The parsing should be probably less strict by default here. Let me go back to this or let @dengert to pick up this change to his branch as it is quite related bugfix.

[saper]

Thanks, unfortunately signing/verification problems with CardOS 5.3 do not improve with this small change :( It merely enables me to use the card at all.

[dengert]

@Jakuje See commit f13d684 that can work both ways.

[Jakuje]

Thanks. Looks good.

[frankmorgner]

@Jakuje I wonder if we should use the non-strict parsing everywhere. Our main goal is to make the cards usable instead of playing police. I think during normal operation, we don't have a use for the "strict" mode. It could be useful in debug mode but that's it. What do you think?

[Jakuje]

I am aboard (see the initial patch few comments above).

[dengert]

Your patch above removes strict for every integer. If that is what you and Frank want, OK.

[frankmorgner]

I'd even go a step further without adding new flags:

diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
index bf951782f..ad8419347 100644
--- a/src/libopensc/asn1.c
+++ b/src/libopensc/asn1.c
@@ -1506,7 +1506,7 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
        case SC_ASN1_INTEGER:
        case SC_ASN1_ENUMERATED:
                if (parm != NULL) {
-                       r = sc_asn1_decode_integer(obj, objlen, (int *) entry->parm, 1);
+                       r = sc_asn1_decode_integer(obj, objlen, (int *) entry->parm, 0);
                        sc_debug(ctx, SC_LOG_DEBUG_ASN1, "%*.*sdecoding '%s' returned %d\n", depth, depth, "",
                                        entry->name, *((int *) entry->parm));
                }

[mouse07410]

As Frank said, our job is not playing police but making the cards work. Let's relax this.

[frankmorgner]

Your patch above removes strict for every integer. If that is what you and Frank want, OK.

Yes, indeed. If a card really wants to have strict encoding, it's still available, but for the general part relaxed parsing is enough.

[saper]

Is 80 02 00 01 a valid BER encoding? If yes, maybe BER is acceptable on input...

[Jakuje]

If I read it right, It is valid BER, but not valid DER, which should be minimal:

https://en.wikipedia.org/wiki/X.690#DER_encoding

And from here the confusion as we have asn1 "library" without clean distinction if it should handle DER/BER or other ASN.1 subset. As already said, I am fine with applying the above patch.

[mouse07410]

Any self-respecting DER library would parse/understand BER (at least most of it, maybe excluding truly atrocious encodings), and produce/encoder strict DER.

"Be liberal in what you receive, and conservative on what you send" - this old IETF approach still makes sense.

[srsross]

"Be liberal in what you receive, and conservative on what you send" - this old IETF approach still makes sense.

For a counter point, see https://tools.ietf.org/html/draft-iab-protocol-maintenance-03, titled "The Harmful Consequences of the Robustness Principle".

[saper]

I wonder if I can build "a feedback cycle" with the certificate provider that gave me this card. Sure I can try.

With all the IAB wisdom, I wonder how'd they deal with the badly-specified HTML vs strict XHTML. "Feedback cycle" with all webpage authors?

This is all fine if there are few protocol implementors.

[Jakuje]

This was fixed as part of #1987 with the commit we talked about. Closing.

[konstantintuev]

I am experiencing the same issue on the latest stable and nightly on macOS.

Here is the output of the OPENSC_DEBUG=3 /Library/OpenSC/bin/pkcs11-tool --login --test command after typing in the pin (newest nightly - 2021-03-04_2652f704):

Logging in to "IAS-ECC".
Please enter User PIN: 
P:4216; T:0x4698201600 20:11:37.355 [opensc-pkcs11] pkcs11-session.c:285:C_Login: C_Login(0x7f9b38805510, 1)
P:4216; T:0x4698201600 20:11:37.355 [opensc-pkcs11] pkcs11-global.c:362:C_Finalize: C_Finalize()
P:4216; T:0x4698201600 20:11:37.355 [opensc-pkcs11] ctx.c:906:sc_cancel: called
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] reader-pcsc.c:786:pcsc_cancel: called
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] slot.c:171:card_removed: ACS ACR39U ICC Reader: card removed
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] slot.c:492:slot_token_removed: slot_token_removed(0x0)
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x0) 1
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] pkcs11-session.c:109:sc_pkcs11_close_session: real C_CloseSession(0x7f9b38805510)
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] framework-pkcs15.c:1586:pkcs15_release_token: pkcs15_release_token() not implemented
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] slot.c:492:slot_token_removed: slot_token_removed(0x1)
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x1) 0
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] slot.c:492:slot_token_removed: slot_token_removed(0x2)
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x2) 0
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] slot.c:492:slot_token_removed: slot_token_removed(0x3)
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] pkcs11-session.c:143:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x3) 0
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:4216; T:0x4698201600 20:11:37.356 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: ACS ACR39U ICC Reader check
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] reader-pcsc.c:385:refresh_attributes: returning with: 0 (Success)
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] pkcs15.c:1315:sc_pkcs15_unbind: called
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] pkcs15-pin.c:863:sc_pkcs15_pincache_clear: called
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] misc.c:86:sc_to_cryptoki_error_common: libopensc return value: 0 (Success)
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] card.c:414:sc_disconnect_card: called
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] card-iasecc.c:1446:iasecc_finish: called
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] card-iasecc.c:1458:iasecc_finish: returning with: 0 (Success)
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] reader-pcsc.c:669:pcsc_disconnect: ACS ACR39U ICC Reader:SCardDisconnect returned: 0x00000000
P:4216; T:0x4698201600 20:11:37.358 [opensc-pkcs11] card.c:436:sc_disconnect_card: returning with: 0 (Success)
P:4216; T:0x4698201600 20:11:37.359 [opensc-pkcs11] ctx.c:931:sc_release_context: called
P:4216; T:0x4698201600 20:11:37.359 [opensc-pkcs11] reader-pcsc.c:973:pcsc_finish: called
error: PKCS11 function C_Login failed: rv = CKR_USER_PIN_NOT_INITIALIZED (0x102)
Aborting.

[Jakuje]

Can you check with #2217 ? It is still WIP so not merged yet, but it should work.

[konstantintuev]

@Jakuje it seems promising but I am not sure how to build and test it on Mac as there isn't a ready build to download.

[frankmorgner]

I've pushed #2217 onto our remote so that CI picks this up for our nightly builds. use https://github.com/OpenSC/Nightly/tree/2021-03-04_db1e178b

[konstantintuev]

I can confirm that the test login works:

/Library/OpenSC/bin/pkcs11-tool --login --test
Using slot 0 with a present token (0x0)
Logging in to "IAS-ECC (Pin de la carte)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 () 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-PKCS: OK
    SHA1-RSA-PKCS: ERR: verification failed
    SHA256-RSA-PKCS: ERR: verification failed
Verify (currently only for RSA)
  testing key 0 ()
    RSA-PKCS: OK
    SHA1-RSA-PKCS:   ERR: verification failed  ERR: C_Verify() returned CKR_SIGNATURE_INVALID (0xc0)
Decryption (currently only for RSA)
  testing key 0 ()
 -- mechanism can't be used to decrypt, skipping
    RSA-PKCS: OK
4 errors

But trying to login in Chrome fails (the certificate is detected successfully and a pin input is shown but then the authentication fails):

ERR_SSL_DECRYPT_ERROR_ALERT

In Safari the certificate is detected but the pin input is not shown.

I am testing after having ran the OpenSCTokenApp successfully.

[dengert]

The pkcs11-tool errors:
SHA1-RSA-PKCS: ERR: verification failed
SHA256-RSA-PKCS: ERR: verification failed
SHA1-RSA-PKCS: ERR: verification failed ERR: C_Verify() returned CKR_SIGNATURE_INVALID (0xc0)
are most likely caused by this addition from #2217

flags |= SC_ALGORITHM_RSA_HASH_SHA1 |
SC_ALGORITHM_RSA_HASH_SHA256;

The card may support it, but the returned signature is not formatted as expected.

[frankmorgner]

Now I'm completely confused. If I'm not mistaken, the problem of @konstantintuev is not related to this issue. I assume that the issue in question has been fixed with #1987. Further, I assume that @konstantintuev 's token is currently not supported by OpenSC, but gets (some) support with #2217.

If this is the case, then please use #2217 or a new issue for your problem description. There may be more work required to get your card supported....

[dengert]

You are right, @saper and original comment is for "CardOS V5.3"
@konstantintuev and #2217 are using IASECC, and I started to comment on #2177.

[nestukh]

Hello I have a brand new Italian CNS ('Tessera Sanitaria', TS-CNS), the provider is ACe 2021 (official driver here). After rebuilding OpenSC from git cloning, on Linux (Debian Bullseye amd64) I'm still getting this error. I've rebuilt CCID too.
My previous TS-CNS smartcard had no problem with the same setup, but the provider was OT2015.

Logs:
the command (OpenSC built in $HOME/.bin/TS-CNS/static/)

$HOME/.bin/TS-CNS/static/bin/pkcs11-tool --login --test --module /home/$USER/.bin/TS-CNS/static/lib/opensc-pkcs11.so

results in

Using slot 0 with a present token (0x0)
error: PKCS11 function C_Login failed: rv = CKR_USER_PIN_NOT_INITIALIZED (0x102)
Aborting.

the full logs of
OPENSC_DEBUG=3 $HOME/.bin/TS-CNS/static/bin/pkcs11-tool --login --test --module /home/$USER/.bin/TS-CNS/static/lib/opensc-pkcs11.so
are (some parts omitted for privacy)

[omitted, issue reported elsewhere]

using the official driver for this card (/usr/lib/bit4id/libbit4opki.so), the command

$HOME/.bin/TS-CNS/static/bin/pkcs11-tool --login --test --module /usr/lib/bit4id/libbit4opki.so

returns

Using slot 0 with a present token (0x0)
Logging in to "Carta Nazionale dei Servizi".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
  SHA256: OK
  ERR: C_Digest() didn't return CKR_BUFFER_TOO_SMALL but CKR_GENERAL_ERROR (0x5)
  ERR: C_Digest() didn't return CKR_OK for a NULL output buffer, but CKR_OPERATION_NOT_INITIALIZED (0x91)
  ERR: digest operation ended prematurely
Signatures (currently only for RSA)
  testing key 0 (CNS1) 
  ERR: C_SignUpdate failed: CKR_FUNCTION_FAILED (0x6)
  ERR: C_Sign() didn't return CKR_BUFFER_TOO_SMALL but CKR_GENERAL_ERROR (0x5)
  ERR: C_Sign() didn't return CKR_OK for a NULL output buf, but CKR_OPERATION_NOT_INITIALIZED (0x91)
error: PKCS11 function C_Sign failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.

the full log with OPENSC_DEBUG=3 doesn't differ (I don't know why)

[saper]

Hello I have a brand new Italian CNS ('Tessera Sanitaria', TS-CNS)

can you open a new issue about that, this is unrelated...

[nestukh]

my bad, the error appeared to be the same.
I've opened a new issue in #2445