[pkg-opensc-maint] Bug#1034258: opensc: with the new opensc version in Debian testing/sid I am unable to use the new Italian CNS

Tue Apr 11 19:21:12 BST 2023

Package: opensc
Version: 0.23.0-0.2
Severity: normal
X-Debbugs-Cc: Davide.Prina at null.net

Dear Maintainer,

with the new opensc version found in Debian testing/sid I was unable to use the new Italian CNS.
I think that the wrong type card is selected (it is selected the CNS Generic one with type:23002), but I'm unable to force the use of the correct one.

First I list all the differences I have found.
Then I will show what I have done to let the new Italian CNS work correctly in a .deb I have created months ago.

I show rows starting with OK for the working opensc and with KO for the not working opensc

KO Manufacturer ID: IC: Infineon; mask: Oberthur Card Systems
OK Manufacturer ID: IC: Infineon; mask: IDEMIA (Oberthur)

KO Key length: 1024
OK Key length: 2048

KO  token flags        : token initialized
OK  token flags        : login required, token initialized, PIN initialized, user PIN locked

KO  firmware version   : 0.0
OK  firmware version   : 32.0

KO  pin min/max        : 4/8
OK  pin min/max        : 5/8

KO [pkcs15-tool] card.c:sc_connect_card: card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:255/256
OK [pkcs15-tool] card.c:sc_connect_card: card info name:'CNS card', type:23003, flags:0x0, max_send/recv_size:65535/65536

I think that the problem is the type, the 23003 work and the 23002 do not work.

I have try to foce the use of type:23003 in /etc/opensc/opensc.conf but I was unable to have it.
I have made some configuration, but no one work to force the type, I can
only force the card name to not check all possible cards.

I show here the log in witch the type is selected

KO) in this one it select the wrong type
[pkcs15-tool] apdu.c:sc_single_transmit: returning with: 0 (Success)
[pkcs15-tool] apdu.c:sc_transmit: returning with: 0 (Success)
[pkcs15-tool] card.c:sc_unlock: called
[pkcs15-tool] reader-pcsc.c:pcsc_unlock: called
[pkcs15-tool] iso7816.c:iso7816_check_sw: File or application not found
[pkcs15-tool] card-cac.c:cac_select_file_by_type: returning with: -1201 (File not found)
[pkcs15-tool] card.c:sc_connect_card: trying driver 'itacns'
[pkcs15-tool] card.c:match_atr_table: ATR     : 3b:ff:18:00:00:81:31:fe:45:00:6b:05:05:20:00:01:21:01:43:4e:53:10:31:80:79
[pkcs15-tool] card.c:match_atr_table: ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
[pkcs15-tool] card.c:match_atr_table: ignored - wrong length
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 3b against atr[0] == 3b
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 31 against atr[6] == 31
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 0 against atr[9] == 0
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 6b against atr[10] == 6b
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 1 against atr[15] == 1
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 43 against atr[18] == 43
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 4e against atr[19] == 4e
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 53 against atr[20] == 53
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 31 against atr[22] == 31
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 80 against atr[23] == 80
[pkcs15-tool] card.c:sc_connect_card: matched: Italian CNS
[pkcs15-tool] card-itacns.c:itacns_init: called
[pkcs15-tool] card.c:match_atr_table: ATR     : 3b:ff:18:00:00:81:31:fe:45:00:6b:05:05:20:00:01:21:01:43:4e:53:10:31:80:79
[pkcs15-tool] card.c:match_atr_table: ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
[pkcs15-tool] card.c:match_atr_table: ignored - wrong length
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 3b against atr[0] == 3b
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 31 against atr[6] == 31
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 0 against atr[9] == 0
[pkcs15-tool] card-itacns.c:itacns_match_card: Matching 6b against atr[10] == 6b
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 1 against atr[15] == 1
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 43 against atr[18] == 43
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 4e against atr[19] == 4e
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 53 against atr[20] == 53
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 31 against atr[22] == 31
[pkcs15-tool] card-itacns.c:itacns_match_cns_card: Matching 80 against atr[23] == 80
[pkcs15-tool] card.c:sc_connect_card: card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:255/256

OK) in this one it select the working type
[pkcs15-tool] apdu.c:sc_single_transmit: returning with: 0 (Success)
[pkcs15-tool] apdu.c:sc_transmit: returning with: 0 (Success)
[pkcs15-tool] card.c:sc_unlock: called
[pkcs15-tool] reader-pcsc.c:pcsc_unlock: called
[pkcs15-tool] iso7816.c:iso7816_check_sw: File or application not found
[pkcs15-tool] card-cac.c:cac_select_file_by_type: returning with: -1201 (File not found)
[pkcs15-tool] card.c:sc_connect_card: trying driver 'itacns'
[pkcs15-tool] card.c:match_atr_table: ATR     : 3b:ff:18:00:00:81:31:fe:45:00:6b:05:05:20:00:01:21:01:43:4e:53:10:31:80:79
[pkcs15-tool] card.c:match_atr_table: ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
[pkcs15-tool] card.c:match_atr_table: ignored - wrong length
[pkcs15-tool] card.c:match_atr_table: ATR try : 3b:8b:80:01:00:31:c1:64:00:00:00:00:00:00:00:00
[pkcs15-tool] card.c:match_atr_table: ignored - wrong length
[pkcs15-tool] card.c:sc_connect_card: matched: Italian CNS
[pkcs15-tool] card-itacns.c:itacns_init: called
[pkcs15-tool] card.c:sc_connect_card: card info name:'CNS card', type:23003, flags:0x0, max_send/recv_size:65535/65536

Now I describe what I have done to use correctly the new Italian CNS.
I have done that probably the 21 March 2022 in what was the Debian testing at that date.
to have the opensc_0.22.0-2_amd64 working with new Italian CNS

# apt build-dep opensc
$ mkdir ~/src
$ cd /src
$ apt source opensc
$ git clone https://github.com/3v1n0/OpenSC.git
$ cd OpenSC
$ cp -R ../opensc-0.22.0/debian .
$ fakeroot debian/rules binary

If I do the same actually I obtain a .deb file don't working with new Italian CNS.
So I think that you need to build the .deb package using all package that was available at 21 March 2022 to obtain the working packages.

I noted also that in the working deb I will get, wrongly, that the PIN try left is zero, but this is not a problem because all work correctly.

If someone need the .deb I have compiled at 21 March 2022 I can send to him (write directly to me).

I have also try on more PC and have all the same results. I have
noted that with some PC (I think newer one) old card lectors don't work,
I need to use a new one more recent.

I also have try to do some debug with gdb, but the debug symbol of
the compiled driver do not work...

Let me know if you need more info.

Ciao
Davide

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opensc depends on:
ii  libc6          2.36-8
ii  libreadline8   8.2-1.3
ii  libssl3        3.0.8-1
ii  opensc-pkcs11  0.23.0-0.2
ii  zlib1g         1:1.2.13.dfsg-1

Versions of packages opensc recommends:
ii  pcscd  1.9.9-1

opensc suggests no packages.

-- Configuration Files:
/etc/opensc/opensc.conf changed:
app default {
	# debug = 3;
	# debug_file = opensc-debug.txt;
card_atr 3b:8b:80:01:00:31:c1:64:00:00:00:00:00:00:00:00 {
                driver = itacns;
                type = 23003;

                }
	framework pkcs15 {
		# use_file_caching = public;
	}
}

-- no debconf information