C_GenerateKeyPair failure with ACS CryptoMate (T2), ...shouldwork.html#0x072F0xB106


C_GenerateKeyPair failure with ACS CryptoMate (T2), ...shouldwork.html#0x072F0xB106

Carsten Blüggel
Hello,

C_GenerateKeyPair on hardware ACS CryptoMate (T2),
idVendor: 0x072F
idProduct: 0xB106
always fails with bit size > 3328 (... 4096), it succeeds <= 3328.
As comparison, C_GenerateKeyPair on predecessor hardware https://pcsclite.alioth.debian.org/ccid/shouldwork.html#0x072F0x90DB takes about 3-4 minutes for 4096 bit key pair to complete (with same ccid-git, invoked through scriptor) and #0x072F0xB106 seems to be slower,
thus my assumption, it may be something time-related (or a bug in card operating system?).

Occasionally #0x072F0xB106 also shows some other strange behavior like starting the Linux-User-Logout-countdown (Kubuntu 16.04 xenial) after plugging out/removing the USB token.
And once, after a failed C_GenerateKeyPair, card contents were erased.

My trial to change 'TIME_BEFORE_SUICIDE' from 60 to 300 and manually installing 1.4.26 libpcsclite and pcscd ended in screwing my system, then back with 1.8.14, omitting --auto-exit from pcscd start params didn't change the failure issue.
I hope, the following information is complete and a solution is close? Thanks in advance, Regards

Carsten Blüggel

Versions

  • CCID driver version: git, commit af00591a4a3c437045cc9923f6477e6f2e467bf4 (includes "Add ACS CryptoMate (T2)" dated 2017-03-22, initiated by my eMail to L. Rousseau)
  • pcsc-lite version: 1.8.14-1ubuntu1.16.04.1, the latest distribution's version
  • smart card reader name: ACS CryptoMate (T2), https://pcsclite.alioth.debian.org/ccid/shouldwork.html#0x072F0xB106
  • the output of the command "/usr/sbin/pcscd --version"

pcsc-lite version 1.8.14.
Copyright (C) 1999-2002 by David Corcoran [hidden email].
Copyright (C) 2001-2011 by Ludovic Rousseau [hidden email].
Copyright (C) 2003-2004 by Damien Sauveron [hidden email].
Report bugs to [hidden email].
Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/etc/reader.conf.d


Platform

  • Operating system or GNU/Linux distribution name and version: Kubuntu 16.04 (xenial), Linux tuxim 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  • Smart card middleware name and version: scriptor from pcsc-tools (or same failure issue when using OpenSC + my driver https://github.com/carblue/acos5_64)
  • Reader manufacturer name and reader model name: same as before, also called Advanced Card Systems: CryptoMate Nano Cryptographic USB token (ACOS5T2)
  • Smart card name: ACS ACOS5-64 V3.00, set to operation mode Non-FIPS/64K, which allows up to 4096 bit RSA key pair in steps of 256

Log

I'll supply 3 logs, all with same software and Log-setup (pcscd killed, restarted), except different key sizes and log3 is from different USB token:

  • log1_failed_0x072F0xB106_CryptoMate_T2 shows the failure reported; requests 3584-bit RSA key pair generation, CRT for sign+decrypt APDU: 00 46 00 00 02 1C 06
  • log2_succeeded_0x072F0xB106_CryptoMate_T2 requests 3328-bit RSA key pair gen., CRT for sign+decrypt APDU: 00 46 00 00 02 1A 06
  • log3_succeeded_0x072F0x90DB_CryptoMate64, predecessor hardware as comparison, requests 4096-bit RSA key pair gen., CRT for sign+decrypt APDU: 00 46 00 00 02 20 06


_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle

Attachments:

  • log1_failed_0x072F0xB106_CryptoMate_T2 (86K)
  • log2_succeeded_0x072F0xB106_CryptoMate_T2 (60K)
  • log3_succeeded_0x072F0x90DB_CryptoMate64 (35K)

Re: C_GenerateKeyPair failure with ACS CryptoMate (T2), ...shouldwork.html#0x072F0xB106

Ludovic Rousseau


2017-04-15 10:55 GMT+02:00 Carsten Blüggel <[hidden email]>:
> Hello,
>
> C_GenerateKeyPair on hardware ACS CryptoMate (T2),
> idVendor: 0x072F
> idProduct: 0xB106
> always fails with bit size > 3328 (... 4096), it succeeds <= 3328.
> As comparison, C_GenerateKeyPair on predecessor hardware https://pcsclite.alioth.debian.org/ccid/shouldwork.html#0x072F0x90DB takes about 3-4 minutes for 4096 bit key pair to complete (with same ccid-git, invoked through scriptor) and #0x072F0xB106 seems to be slower,
> thus my assumption, it may be something time-related (or a bug in card operating system?).
>
> Occasionally #0x072F0xB106 also shows some other strange behavior like starting the Linux-User-Logout-countdown (Kubuntu 16.04 xenial) after plugging out/removing the USB token.
> And once, after a failed C_GenerateKeyPair, card contents were erased.
>
> My trial to change 'TIME_BEFORE_SUICIDE' from 60 to 300 and manually installing 1.4.26 libpcsclite and pcscd ended in screwing my system, then back with 1.8.14, omitting --auto-exit from pcscd start params didn't change the failure issue.
> I hope, the following information is complete and a solution is close? Thanks in advance, Regards

From log1_failed_0x072F0xB106_CryptoMate_T2:
After a lot of time and many "Time extension request" sent by the "card" the reader reports:
00000023 commands.c:1523:CCID_Receive Card absent or mute

It is a problem within the token itself.
I can't fix the problem.

Bye

--
 Dr. Ludovic Rousseau
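
The triage described in the two messages above, as an added example that is not part of the thread or of pcsc-lite/ccid: it decodes the key-generation APDUs and reports, per command, how many time extensions preceded a status word or the "Card absent or mute" line. The size rule (data byte × 128 bits) is inferred from the three APDUs in the first message; the sample log is constructed, and its microsecond-delta first field and time-extension wording are assumptions.

```python
import re

# Constructed sample, not taken from the attached logs. Only the last line is
# quoted from the thread; "0000" line numbers and the WTX wording are placeholders.
SAMPLE_LOG = """\
00000010 APDU: 00 46 00 00 02 1A 06
30000000 commands.c:0000:CCID_Receive Time extension requested: 0x01
00000040 SW: 90 00
00000010 APDU: 00 46 00 00 02 1C 06
30000000 commands.c:0000:CCID_Receive Time extension requested: 0x01
30000000 commands.c:0000:CCID_Receive Time extension requested: 0x01
30000000 commands.c:0000:CCID_Receive Time extension requested: 0x01
00000023 commands.c:1523:CCID_Receive Card absent or mute
"""
LINE = re.compile(r"^(\d{8}) (.*)$")  # assumed: usec since previous line, message

def decode_keygen(apdu_hex):
    """(modulus_bits, usage_byte) for a '00 46 00 00 02 LL UU' APDU, else None."""
    if not re.fullmatch(r"00 46 00 00 02( [0-9A-Fa-f]{2}){2}", apdu_hex.strip()):
        return None
    b = bytes.fromhex(apdu_hex)
    return b[5] * 128, b[6]  # LL*128 is inferred from 1A/1C/20 in the thread

def triage(log_text):
    """Per key-generation command: size, time-extension count, wait, outcome."""
    results, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        delta_us, msg = int(m.group(1)), m.group(2)
        if msg.startswith("APDU: "):
            key, cur = decode_keygen(msg[6:]), None
            if key:
                cur = {"bits": key[0], "wtx": 0, "wait_us": 0, "outcome": "pending"}
                results.append(cur)
        elif cur and cur["outcome"] == "pending":
            cur["wait_us"] += delta_us  # time spent waiting on the token
            if "Time extension request" in msg:
                cur["wtx"] += 1
            elif "Card absent or mute" in msg:
                cur["outcome"] = "token went mute"
            elif msg.startswith("SW: "):
                cur["outcome"] = "answered " + msg[4:]
    return results

print(triage(SAMPLE_LOG))
```

A command that ends in "token went mute" after a run of time extensions, while a smaller key size on the same token is answered, matches the pattern reported in this thread.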


Re: C_GenerateKeyPair failure with ACS CryptoMate (T2), ...shouldwork.html#0x072F0xB106

Godfrey Chung-3
Hi Carsten

To fix the problem, you need to get ACOS5-CryptoMate Client Kit v4.5
and reinitialize CryptoMate T2 using the ACS CMU tool and middleware.

Regards

Godfrey

On Sat, Apr 15, 2017 at 10:34 PM, Ludovic Rousseau
<[hidden email]> wrote:

>
>
> 2017-04-15 10:55 GMT+02:00 Carsten Blüggel <[hidden email]>:
>>
>> Hello,
>>
>> C_GenerateKeyPair on hardware ACS CryptoMate (T2),
>>
>> idVendor: 0x072F
>> idProduct: 0xB106
>>
>> always fails with bit size > 3328 (... 4096), it succeeds <= 3328.
>> As comparison, C_GenerateKeyPair on predecessor hardware
>> https://pcsclite.alioth.debian.org/ccid/shouldwork.html#0x072F0x90DB takes
>> about 3-4 minutes for 4096 bit key pair to complete (with same ccid-git,
>> invoked through scriptor) and #0x072F0xB106 seems to be slower,
>> thus my assumption, it may be something time-related (or a bug in card
>> operating system?).
>>
>> Occasionally #0x072F0xB106 also shows some other strange behavior like
>> starting the Linux-User-Logout-countdown (Kubuntu 16.04 xenial) after
>> plugging out/removing the USB token.
>> And once, after a failed C_GenerateKeyPair, card contents were erased.
>>
>> My trial to change 'TIME_BEFORE_SUICIDE' from 60 to 300 and manually
>> installing 1.4.26 libpcsclite and pcscd ended in screwing my system, then
>> back with 1.8.14, omitting --auto-exit from pcscd start params didn't change
>> the failure issue.
>> I hope, the following information is complete and a solution is close?
>> Thanks in advance, Regards
>
>
> From log1_failed_0x072F0xB106_CryptoMate_T2:
> After a lot of time and many "Time extension request" sent by the "card" the
> reader reports:
> 00000023 commands.c:1523:CCID_Receive Card absent or mute
>
> It is a problem within the token itself.
> I can't fix the problem.
>
> Bye
>
> --
>  Dr. Ludovic Rousseau