
pkcs15-init --store-pin fails silently on a MyEID smartcard #2804

Open
minfrin opened this issue Jun 15, 2023 · 7 comments

@minfrin

minfrin commented Jun 15, 2023

Problem Description

For reasons not yet known, "pkcs15-init --store-pin" fails silently: no PIN is created and no error message is returned.

opensc-0.22.0-2.el9.x86_64

Proposed Resolution

An error message must be returned to indicate what went wrong.

Steps to reproduce

Format a MyEID smartcard.

blackadder ~ # pkcs15-tool --dump
Using reader with a card: ACS ACR39U ICC Reader 00 00
PKCS#15 Card [Thyone]:
	Version        : 0
	Serial number  : 00007303016884988479
	Manufacturer ID: Aventra Ltd.
	Last update    : 20230615131231Z
	Flags          : PRN generation, EID compliant
		 sc_supported_algo_info[0]:
			 reference  : 1 (0x01)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.1
			 algo_ref   : [0x00]
		 sc_supported_algo_info[1]:
			 reference  : 2 (0x02)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.2
			 algo_ref   : [0x00]
		 sc_supported_algo_info[2]:
			 reference  : 3 (0x03)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.41
			 algo_ref   : [0x00]
		 sc_supported_algo_info[3]:
			 reference  : 4 (0x04)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.42
			 algo_ref   : [0x00]


PIN [Security Officer PIN]
	Object Flags   : [0x03], private, modifiable
	ID             : ff
	Flags          : [0xB0], initialized, needs-padding, soPin
	Length         : min_len:4, max_len:8, stored_len:8
	Pad char       : 0xFF
	Reference      : 3 (0x03)
	Type           : ascii-numeric

Attempt to create a PIN. This step has worked fine with many other MyEID cards.

blackadder ~ # pkcs15-init --store-pin --auth-id 1 --label "Smartcard PIN"
Using reader with a card: ACS ACR39U ICC Reader 00 00
New User PIN.
Please enter User PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 

Note - no error message. Dumping the card, we see no PIN created.

blackadder ~ # pkcs15-tool --dump
Using reader with a card: ACS ACR39U ICC Reader 00 00
PKCS#15 Card [Thyone]:
	Version        : 0
	Serial number  : 00007303016884988479
	Manufacturer ID: Aventra Ltd.
	Last update    : 20230615131231Z
	Flags          : PRN generation, EID compliant
		 sc_supported_algo_info[0]:
			 reference  : 1 (0x01)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.1
			 algo_ref   : [0x00]
		 sc_supported_algo_info[1]:
			 reference  : 2 (0x02)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.2
			 algo_ref   : [0x00]
		 sc_supported_algo_info[2]:
			 reference  : 3 (0x03)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.41
			 algo_ref   : [0x00]
		 sc_supported_algo_info[3]:
			 reference  : 4 (0x04)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.42
			 algo_ref   : [0x00]


PIN [Security Officer PIN]
	Object Flags   : [0x03], private, modifiable
	ID             : ff
	Flags          : [0xB0], initialized, needs-padding, soPin
	Length         : min_len:4, max_len:8, stored_len:8
	Pad char       : 0xFF
	Reference      : 3 (0x03)
	Type           : ascii-numeric

Try to set the PIN a second time:

blackadder ~ # pkcs15-init --store-pin --auth-id 1 --label "Smartcard PIN"
Using reader with a card: ACS ACR39U ICC Reader 00 00
New User PIN.
Please enter User PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 
Failed to store PIN: Invalid arguments

This second attempt above fails with the meaningless message "invalid arguments". Dump shows no PIN:

blackadder ~ # pkcs15-tool --dump
Using reader with a card: ACS ACR39U ICC Reader 00 00
PKCS#15 Card [Thyone]:
	Version        : 0
	Serial number  : 00007303016884988479
	Manufacturer ID: Aventra Ltd.
	Last update    : 20230615131231Z
	Flags          : PRN generation, EID compliant
		 sc_supported_algo_info[0]:
			 reference  : 1 (0x01)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.1
			 algo_ref   : [0x00]
		 sc_supported_algo_info[1]:
			 reference  : 2 (0x02)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.2
			 algo_ref   : [0x00]
		 sc_supported_algo_info[2]:
			 reference  : 3 (0x03)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.41
			 algo_ref   : [0x00]
		 sc_supported_algo_info[3]:
			 reference  : 4 (0x04)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.42
			 algo_ref   : [0x00]


PIN [Security Officer PIN]
	Object Flags   : [0x03], private, modifiable
	ID             : ff
	Flags          : [0xB0], initialized, needs-padding, soPin
	Length         : min_len:4, max_len:8, stored_len:8
	Pad char       : 0xFF
	Reference      : 3 (0x03)
	Type           : ascii-numeric

@popovec
Member

popovec commented Jun 16, 2023

Can you try adding another PIN to the card?

pkcs15-init --store-pin --auth-id 2 --label "Smartcard PIN2"

@popovec
Member

popovec commented Jun 16, 2023

One more note, check your configuration again, is file_cache on? This would explain the stated problem.

@minfrin
Author

minfrin commented Jun 20, 2023

Looking at the /etc/opensc.conf in use, file caching appears to be off:

blackadder ~ # cat /etc/opensc.conf 
app default {
	# debug = 3;
	# debug_file = opensc-debug.txt;
	framework pkcs15 {
		use_file_caching = true;
	}
	reader_driver pcsc {
		# The pinpad is disabled by default,
		# because of many broken readers out there
		enable_pinpad = false;
	}
}
# the pkcs15-init is used for card initialization when the file caching
# brings more trouble than use so disable that:
app pkcs15-init {
	framework pkcs15 {
		use_file_caching = false;
	}
}

Changing the app default (not pkcs15-init, default) to false works around the problem.

It looks like:

  • file caching breaks PIN setting operations (setting PIN has no effect when file caching is on).
  • the "app pkcs15-init" mechanism that tries to switch file caching off doesn't work.

@popovec
Member

popovec commented Jun 20, 2023

The issue of file_cache was discussed in #2501

I have prepared a solution for the MyEID card, which makes it possible to signal every change in the content of the card in relation to the content of the cache: #2798

Without applying #2798, I do not recommend turning on file_cache while performing any write operation on the card (initializing the card, uploading keys, generating keys, unwrapping keys).

@Jakuje
Member

Jakuje commented Sep 18, 2023

the "app pkcs15-init" mechanism that tries to switch file caching off doesn't work.

Can you provide an opensc debug log with the default config containing the app pkcs15-init block? In my testing, the cache disablement solves the issue, so I would like to try to understand what is going on there.

@popovec
Member

popovec commented Sep 18, 2023

It seems to me that the app pkcs15-init section in the opensc configuration does not cause any reaction. Config:

app default {

}
app pkcs15-init {
        debug = 255;
        debug_file = opensc-debug_init.txt;
}

After initializing the card, I don't have the opensc-debug_init.txt file created.

Accordingly, app default overwrites the information in the app pkcs15-init section.

The debug file is created with the following configuration (no app default section):

app pkcs15-init {
        debug = 255;
        debug_file = opensc-debug_init.txt;
}

For this reason, it is not even possible to turn off the file cache only for app pkcs15-init, but leave it on in the app default section.
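The two comments above (minfrin's working config and popovec's finding that the app default section wins over app pkcs15-init) both come down to how per-application settings in opensc.conf are meant to be resolved. The following is an added example, not OpenSC's own code: it parses the block syntax shown in this thread (nested `name { key = value; }` blocks, `#` comments), resolves the effective `use_file_caching` value for a given tool, and lets you audit a config under both the intended precedence (app section overrides default) and the behaviour popovec observed (default wins). The sample config is constructed from the one posted earlier; quoted string values and include directives are assumed not to be needed and are not handled.

```python
import re

# Constructed sample, modelled on the /etc/opensc.conf posted in this thread.
SAMPLE_CONF = """\
app default {
    # debug = 3;
    framework pkcs15 {
        use_file_caching = true;
    }
    reader_driver pcsc {
        enable_pinpad = false;
    }
}
# per-application override, as the shipped config intends
app pkcs15-init {
    framework pkcs15 {
        use_file_caching = false;
    }
}
"""

WRITE_APPS = ("pkcs15-init",)  # tools in this thread that modify the card
CACHE_KEY = ("framework pkcs15", "use_file_caching")

# Tokens: braces, statement terminator, or any run of non-special characters.
_TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_conf(text):
    """Parse opensc.conf block syntax into nested dicts.

    'name { key = value; sub { ... } }' becomes
    {'name': {'key': 'value', 'sub': {...}}}. A '#' starts a comment that
    runs to the end of the line. Block names may contain spaces ('app default').
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    root = {}
    stack = [root]  # innermost open block is stack[-1]
    buf = []        # words seen since the last '{', '}' or ';'
    for tok in _TOKEN.findall(stripped):
        if tok == "{":
            block = {}
            stack[-1][" ".join(buf)] = block
            stack.append(block)
            buf = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
            buf = []
        elif tok == ";":
            key, eq, val = " ".join(buf).partition("=")
            if eq:
                stack[-1][key.strip()] = val.strip()
            buf = []
        else:
            buf.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '{' in config")
    return root


def _lookup(node, path):
    """Walk a key path through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def effective(conf, app, path, app_overrides_default=True):
    """Resolve a setting for one application.

    With app_overrides_default=True the 'app <name>' section is consulted
    first and 'app default' only as a fallback (the intended semantics).
    With False, 'app default' wins whenever it defines the key, which models
    the behaviour reported in this thread (assumption, not OpenSC's code).
    """
    sections = [f"app {app}", "app default"]
    if not app_overrides_default:
        sections.reverse()
    for section in sections:
        value = _lookup(conf.get(section), path)
        if value is not None:
            return value
    return None


def audit(conf, app_overrides_default=True):
    """Return the write-capable tools whose effective file cache is on."""
    return [app for app in WRITE_APPS
            if effective(conf, app, CACHE_KEY, app_overrides_default) == "true"]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for app in ("pkcs15-init", "pkcs15-tool"):
        print(app, "cache (intended):", effective(conf, app, CACHE_KEY))
        print(app, "cache (default wins):", effective(conf, app, CACHE_KEY, False))
    print("risky under intended precedence:", audit(conf))
    print("risky if default wins:", audit(conf, False))
```

Under the intended precedence the sample config is safe: pkcs15-init resolves to `use_file_caching = false` while pkcs15-tool keeps the default `true`. Under the precedence popovec observed, the same file leaves pkcs15-init with caching on, which is why the only workaround that held in this thread was setting the value to false in app default itself.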

@Jakuje
Member

Jakuje commented Sep 18, 2023

Sigh ... I was putting this together quite some time ago when I did not have MyEID cards to test. I think a colleague tested this and I did not double-check the code. Well, good to have this solved inside of the myeid driver now ...

3 participants