OpenSC 0.24.0 broken on Windows 10 and 11 both at 22H2 for some devices #2964

Closed
dengert opened this issue Dec 18, 2023 · 4 comments

dengert commented Dec 18, 2023

Problem Description

Using OpenSC-0.24.0_win64.msi on Windows 11 Pro 22H2 or Windows 10 Pro 22H2 with an SC-HSM device fails when using certutil -v -scinfo or pkcs11-tool -O.

This appears to be the same problem as #2944 when building with CygWin, and may apply to any device which uses extended APDUs.

May have been introduced in aadd82b or a06abbf, where rv = gpriv->SCardControl(card_handle, CM_IOCTL_GET_FEATURE_REQUEST, NULL, 0, buf, sizeof(buf), &rcount); does not return any features. With CygWin in #2944 the above fails with rv = 0x00000001; in my tests rv = 0 and rcount = 0.

@frankmorgner I recall you saying Microsoft has dropped PIN PAD readers. Could they have dropped more than that?

Proposed Resolution

Circumvention: edit C:\Program Files\OpenSC Project\OpenSC\opensc.conf to contain a "reader_driver pcsc" section something like:

app default {
        # debug = 7;
        # debug_file = c:\tmp\opensc-debug.txt;

        reader_driver pcsc {
                max_send_size = 65535;
                max_recv_size = 65536;
        }
}

Steps to reproduce

certutil -v -scinfo and pkcs11-tool -O both fail.

Logs

P:6768; T:16636 2023-12-18 08:48:08.977 [opensc-pkcs11] ===================================
P:6768; T:16636 2023-12-18 08:48:08.977 [opensc-pkcs11] OpenSC version: 0.24.0
P:6768; T:16636 2023-12-18 08:48:08.977 [opensc-pkcs11] Configured for opensc-pkcs11 (C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool.exe)
P:6768; T:16636 2023-12-18 08:48:08.977 [opensc-pkcs11] PC/SC options: connect_exclusive=0 disconnect_action=0 transaction_end_action=0 reconnect_action=0 enable_pinpad=1 enable_pace=1
P:6768; T:16636 2023-12-18 08:48:08.978 [opensc-pkcs11] reader-pcsc.c:1399:pcsc_detect_readers: called
P:6768; T:16636 2023-12-18 08:48:08.978 [opensc-pkcs11] Probing PC/SC readers
P:6768; T:16636 2023-12-18 08:48:08.979 [opensc-pkcs11] Establish PC/SC context
P:6768; T:16636 2023-12-18 08:48:08.982 [opensc-pkcs11] Adding new PC/SC reader 'SCM Microsystems SCx35xx v2.0 USB SC Reader 0'
P:6768; T:16636 2023-12-18 08:48:08.982 [opensc-pkcs11] SCM Microsystems SCx35xx v2.0 USB SC Reader 0 check
P:6768; T:16636 2023-12-18 08:48:08.982 [opensc-pkcs11] current state: 0x00010422
P:6768; T:16636 2023-12-18 08:48:08.983 [opensc-pkcs11] previous state: 0x00000000
P:6768; T:16636 2023-12-18 08:48:08.983 [opensc-pkcs11] card present, changed
P:6768; T:16636 2023-12-18 08:48:09.133 [opensc-pkcs11] SCM Microsystems SCx35xx v2.0 USB SC Reader 0:SCardConnect(SHARED): 0x00000000
P:6768; T:16636 2023-12-18 08:48:09.133 [opensc-pkcs11] reader-pcsc.c:1146:detect_reader_features: called
P:6768; T:16636 2023-12-18 08:48:09.133 [opensc-pkcs11] Requesting reader features ...
P:6768; T:16636 2023-12-18 08:48:09.135 [opensc-pkcs11] Assuming that the reader supports sending short length APDUs only
P:6768; T:16636 2023-12-18 08:48:09.135 [opensc-pkcs11] Assuming that the reader supports receiving short length APDUs only

frankmorgner commented

> @frankmorgner I recall you saying Microsoft has dropped PIN PAD readers.

They simply don't support the CCID extension for PIN entry (and never did).

Regarding SCardControl, I think it returns 0x00000001 if one of the input parameters is bad (see LudovicRousseau/pyscard#19 for a similar issue); in this case I assume it doesn't know GET_FEATURE_REQUEST. But as said before, we need more analysis, maybe with pyscard...

dengert commented Dec 20, 2023

It is not clear when this started. I only have Windows 10 22H2 and 11 22H2.

What we really need is for someone with older Windows 10 to try the 0.24.0 msi packages with an sc-hsm or other card that needs extended APDUs, i.e. larger than the default 255/256, to work.

CygWin uses the Windows winscard.dll, so it would have the same problem. In my testing with CygWin I do not get rv=0x00000001; I get rv = 0 and rcount is not changed. (I have tried setting it to 0, 256 and sizeof(buf) with the same results, also casting some parameters to DWORD and fiddling with the command code.)

Have also installed VS 2022, with C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0 to see the header files. Best I can tell we are doing what is expected, which is slightly different than pcsc-lite on Linux.

I also do testing using VirtualBox with an Ubuntu 22.4 guest, which has no problems accessing the sc-hsm token on the Windows 11 host. So the token and its reader should return the results. (Note that the VM accesses it in exclusive mode. Have not tried doing that with the CygWin or the msi install.)

CygWin is using gcc (GCC) 11.4.0 as is Ubuntu gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

If Windows cannot give us dwMaxAPDUDataSize from a reader that can return it, we need to find a better way to allow a driver that depends on extended APDUs to not be stuck with using the default 255/256.

Right now I have been testing with the sc-hsm; there may be other drivers that could have the same problem.

dengert commented Dec 20, 2023

@frankmorgner
@LudovicRousseau
Using the tip from LudovicRousseau/pyscard#19 with the x86 version of pkcs11-tool -O shows:

2023-12-20 10:21:36.639 (Thread = 0x000054E0) - SCardControl( hCard = 0xEA010000 on reader "SCM Microsystems SCx35xx v2.0 USB SC Reader 0", dwControlCode = 0x00313520, lpOutBuffer = 0x00F3F298, nOutBufferSize = 256, lpBytesReturned = 0x00F3F284 ):
 Input command = 
 
2023-12-20 10:21:36.649 (Thread = 0x000054E0) - SCardControl Response   = 
 
 Duration = 1 ms

This looks correct, as on Windows dwControlCode is 0x0031<<16 | 3600<<2, but it looks like it is not returning anything.

frankmorgner commented
I think we can close this issue, because

  • we verified that the Windows driver doesn't support the request for the query of max data and we can't fix that
  • we are currently already working around this where needed by assuming the reader supports the minimum data sizes required (e.g. in sc-hsm)
  • we have code snippets to set the data sizes based on the reader name
        /* Try to set default limits based on device name */
        if (!strncmp("REINER SCT cyberJack", reader->name, 20)) {
                max_send_size = 1014;
                max_recv_size = 1014;
        }

If you want to, you may add data sizes of your reader with a PR extending reader-pcsc.c
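The thread above turns on three things: how the control code is built on each platform (the trace shows 0x00313520 on Windows), how the GET_FEATURE_REQUEST response is parsed to find the FEATURE_GET_TLV_PROPERTIES ioctl that carries dwMaxAPDUDataSize, and what to do when that response comes back empty (rcount == 0), which is the Windows 10/11 22H2 behaviour reported here. The following C program is an added illustration of that decision chain and is not OpenSC code: find_feature_ioctl, find_part10_property and choose_apdu_limits are hypothetical names, all buffers are constructed inline (no reader is opened), the property values are decoded little-endian as OpenSC's Part 10 property reader interprets them, and the fallback order (TLV properties, then opensc.conf override, then reader-name table, then leave the driver default) is the one discussed in the thread, written out explicitly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Windows winscard.h: SCARD_CTL_CODE(code) = CTL_CODE(FILE_DEVICE_SMARTCARD (0x31), code,
 * METHOD_BUFFERED, FILE_ANY_ACCESS) = (0x31 << 16) | (code << 2).  pcsc-lite uses 0x42000000 + code.
 * This is why the SCardControl trace in the issue shows dwControlCode = 0x00313520 for 3400. */
#define SCARD_CTL_CODE_WIN(code)  ((0x31u << 16) | ((uint32_t)(code) << 2))
#define SCARD_CTL_CODE_LITE(code) (0x42000000u + (uint32_t)(code))

/* PC/SC Part 10 constants */
#define CM_IOCTL_GET_FEATURE_REQUEST             3400
#define FEATURE_GET_TLV_PROPERTIES               0x12
#define PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize 10

struct apdu_limits {
    size_t max_send_size;   /* 0 = unknown: the card driver keeps its own default (255/256) */
    size_t max_recv_size;
};

/* Feature list = sequence of {tag(1), len(1) == 4, control code(4, big-endian)}.
 * Returns the control code for `wanted`, or 0 if absent or malformed.
 * rcount == 0 (the Windows case in this issue) simply yields 0. */
uint32_t find_feature_ioctl(const uint8_t *buf, size_t rcount, uint8_t wanted)
{
    for (size_t i = 0; i + 6 <= rcount; i += 6) {
        if (buf[i + 1] != 4)
            return 0;
        if (buf[i] == wanted)
            return ((uint32_t)buf[i + 2] << 24) | ((uint32_t)buf[i + 3] << 16) |
                   ((uint32_t)buf[i + 4] << 8)  |  (uint32_t)buf[i + 5];
    }
    return 0;
}

/* TLV properties = sequence of {tag(1), len(1), value(len, little-endian)}.
 * Returns the value for `tag`, or -1 if absent, truncated, or of an unexpected length. */
int64_t find_part10_property(const uint8_t *buf, size_t len, uint8_t tag)
{
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t t = buf[i], l = buf[i + 1];
        if (i + 2 + l > len)
            return -1;                                   /* truncated entry */
        if (t == tag) {
            if (l != 1 && l != 2 && l != 4)
                return -1;
            int64_t v = 0;
            for (int k = l - 1; k >= 0; k--)             /* little-endian assembly */
                v = (v << 8) | buf[i + 2 + k];
            return v;
        }
        i += 2 + l;
    }
    return -1;
}

/* Hypothetical policy: reader-reported dwMaxAPDUDataSize if obtainable, else an explicit opensc.conf
 * override (the workaround in the issue), else a reader-name table (the REINER SCT snippet), else 0. */
void choose_apdu_limits(const char *reader_name,
                        const uint8_t *features, size_t features_len,
                        const uint8_t *props, size_t props_len,   /* TLV properties response, may be NULL */
                        size_t conf_send, size_t conf_recv, struct apdu_limits *out)
{
    memset(out, 0, sizeof(*out));
    if (find_feature_ioctl(features, features_len, FEATURE_GET_TLV_PROPERTIES) != 0 && props) {
        int64_t max = find_part10_property(props, props_len, PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize);
        if (max > 0) {
            out->max_send_size = out->max_recv_size = (size_t)max;
            return;
        }
    }
    if (conf_send || conf_recv) {
        out->max_send_size = conf_send;
        out->max_recv_size = conf_recv;
        return;
    }
    if (!strncmp("REINER SCT cyberJack", reader_name, 20))
        out->max_send_size = out->max_recv_size = 1014;
}

int main(void)
{
    /* Constructed buffers: what a cooperating pcsc-lite/CCID stack would hand back. */
    const uint8_t features[] = { FEATURE_GET_TLV_PROPERTIES, 4, 0x42, 0x33, 0x00, 0x12 };
    const uint8_t props[]    = { PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize, 4, 0x00, 0x10, 0x00, 0x00 }; /* 4096 */
    const char *scm = "SCM Microsystems SCx35xx v2.0 USB SC Reader 0";
    struct apdu_limits l;

    printf("GET_FEATURE_REQUEST code: win=0x%08x lite=0x%08x\n",
           SCARD_CTL_CODE_WIN(CM_IOCTL_GET_FEATURE_REQUEST), SCARD_CTL_CODE_LITE(CM_IOCTL_GET_FEATURE_REQUEST));
    choose_apdu_limits(scm, features, sizeof features, props, sizeof props, 0, 0, &l);
    printf("reader reports max APDU:        send=%zu recv=%zu\n", l.max_send_size, l.max_recv_size);
    choose_apdu_limits(scm, NULL, 0, NULL, 0, 0, 0, &l);                 /* rcount == 0, no conf */
    printf("empty feature list, no conf:    send=%zu recv=%zu (driver default)\n", l.max_send_size, l.max_recv_size);
    choose_apdu_limits(scm, NULL, 0, NULL, 0, 65535, 65536, &l);         /* opensc.conf circumvention */
    printf("empty feature list, conf set:   send=%zu recv=%zu\n", l.max_send_size, l.max_recv_size);
    choose_apdu_limits("REINER SCT cyberJack RFID standard", NULL, 0, NULL, 0, 0, 0, &l);
    printf("empty feature list, name table: send=%zu recv=%zu\n", l.max_send_size, l.max_recv_size);
    return 0;
}
```

The point of the second and third cases is the one the thread ends on: with an empty feature list there is no ioctl to query dwMaxAPDUDataSize through, so the only inputs left are the configuration file and the reader name, and a driver that needs extended APDUs (sc-hsm) has to either be listed by name or assume its minimum sizes.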
