Pin entry doesn't work under Windows

Pin entry doesn't work under Windows

twisteroid ambassador
Hi,

Entering PINs interactively at the command prompt doesn't seem to work
in Windows 10.

I have OpenSC 0.15.0 win64 installed in Windows 10, using ePass2003
tokens. The same hardware works fine under Linux (Arch x64, latest
OpenSC). Under Windows, however, any operation that involves entering
PIN at the interactive prompt doesn't seem to work.

For example, pkcs15-tool --change-pin:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv
2016-03-23 16:16:36.191 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:36.197 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Using reader with a card: FS USB Token 0
2016-03-23 16:16:36.208 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:36.211 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Connecting to card in reader FS USB Token 0...
2016-03-23 16:16:36.217 [pkcs15-tool] card.c:148:sc_connect_card: called
2016-03-23 16:16:36.220 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:36.223 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
Using card driver epass2003.
Trying to find a PKCS#15 compatible card...
Found OpenSC Card!
Enter old PIN [User PIN]: Enter new PIN [User PIN]: Enter new PIN again [User PIN]: 2016-03-23 16:16:43.390 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:16:43.398 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:43.404 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:16:43.411 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
PIN code change failed: Transmit failed
2016-03-23 16:16:43.426 [pkcs15-tool] ctx.c:799:sc_release_context: called


(Note the line starting with "Enter old pin". All those prompts do
appear on the same line, as well as the next piece of debug info.
Maybe this hints at a Windows/Linux EOL problem?)

The same command does work if the PIN is included in the arguments:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv --pin oldpin12 --new-pin 12345678
2016-03-23 16:22:05.713 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Using reader with a card: FS USB Token 0
2016-03-23 16:22:05.725 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:22:05.730 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Connecting to card in reader FS USB Token 0...
2016-03-23 16:22:05.740 [pkcs15-tool] card.c:148:sc_connect_card: called
2016-03-23 16:22:05.744 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:22:05.752 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
Using card driver epass2003.
Trying to find a PKCS#15 compatible card...
Found OpenSC Card!
2016-03-23 16:22:06.487 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
2016-03-23 16:22:06.493 cannot lock memory, sensitive data may be paged to disk
PIN code changed successfully.
2016-03-23 16:22:06.516 [pkcs15-tool] ctx.c:799:sc_release_context: called


Similarly, when using private key stored on token for OpenVPN
authentication, there are errors after entering the PIN interactively.
Console log excerpt:

Enter OpenSC Card (User PIN) token Password:
2016-03-23 16:02:21.334 cannot lock memory, sensitive data may be paged to disk
Wed Mar 23 16:02:21 2016 PKCS#11: Cannot perform signature 512:'CKR_FUNCTION_REJECTED'
Wed Mar 23 16:02:21 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Wed Mar 23 16:02:21 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 23 16:02:21 2016 TLS Error: TLS handshake failed



Is this a known problem?
Please inform me if any more information is needed.

Thanks,

--
twisteroid ambassador

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Pin entry doesn't work under Windows

Douglas E Engert
Is this with the powershell or cmd.exe? Are you using 32 or 64 bit version?

I think it is a lock timeout.
I am seeing something similar on W10 64 bit. In both it fails.

In powershell try this:
./pkcs15-tool --change-pin -vvvvvvvvv

2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-piv.c:1019:sc_pkcs15emu_piv_init: returning with: 0 (Success)
2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-syn.c:218:sc_pkcs15_bind_synthetic: returning with: 0 (Success)
2016-03-23 16:37:56.154 [pkcs15-tool] card.c:434:sc_unlock: called
2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15.c:1251:sc_pkcs15_bind: returning with: 0 (Success)
Found PIV_II!
Enter old PIN [PIV Card Holder pin]: Enter new PIN [PIV Card Holder pin]: Enter new PIN again [PIV Card Holder pin]: 2016-03-23 16:38:03.968 [pkcs15-tool] pkcs15-pin.c:390:sc_pkcs15_change_pin: called
2016-03-23 16:38:03.968 [pkcs15-tool] card.c:394:sc_lock: called
2016-03-23 16:38:03.968 [pkcs15-tool] sec.c:159:sc_pin_cmd: called
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:563:sc_transmit_apdu: called
2016-03-23 16:38:03.984 [pkcs15-tool] card.c:394:sc_lock: called
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:530:sc_transmit: called
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:384:sc_single_transmit: called
2016-03-23 16:38:03.984 CLA:0, INS:24, P1:0, P2:80, data(16) 0018D328
2016-03-23 16:38:03.984 reader 'SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0'
2016-03-23 16:38:03.984
Outgoing APDU data [   21 bytes] =====================================
00 24 00 80 10 31 32 33 34 35 36 37 38 31 32 33 .$...12345678123
34 35 36 FF FF                                  456..
======================================================================
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardTransmit/Control failed: 0x80100068
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
2016-03-23 16:38:03.984 current  state: 0x00050122
2016-03-23 16:38:03.984 previous state: 0x00050022
2016-03-23 16:38:03.984 card present
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:313:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:38:03.984 unable to transmit
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:397:sc_single_transmit: unable to transmit APDU: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:533:sc_transmit: transmit APDU failed: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
2016-03-23 16:38:03.984 [pkcs15-tool] iso7816.c:1117:iso7816_pin_cmd: APDU transmit failed: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
PIN code change failed: Transmit failed
2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15.c:1264:sc_pkcs15_unbind: called
2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
2016-03-23 16:38:03.999 [pkcs15-tool] card.c:434:sc_unlock: called
2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
2016-03-23 16:38:03.999 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardEndTransaction failed: 0x80100068


Using cut-and-paste and an editor, shows:
Lock first called:
        2016-03-23 16:37:53.607 [pkcs15-tool] reader-pcsc.c:534:pcsc_lock: called

End of last APDU before trying to send change:
         2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)

When change pin failed to be sent to card:
         2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called

Lock finally released:
        Line 2491: 2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called

That is just over 8 seconds from last command to card, to prompt and enter 3 pins and try and send next APDU.

I remember reading something about this, but cannot find the timeout in the registry.


  https://technet.microsoft.com/en-us/library/dn579258.aspx

It could be:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider

TransactionTimeoutMilliseconds which is 1.5 seconds.





--

  Douglas E. Engert  <[hidden email]>
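
The timing check done above by hand with an editor, as an added example (not part of the original posts and not OpenSC code): it parses OpenSC debug output, measures how long the PC/SC lock sat idle before the next transmit, and decodes status 0x80100068 as SCARD_W_RESET_CARD. The sample log is assembled from lines quoted in this thread; the 1.5 s default limit is the thread's unconfirmed candidate value, and `analyse` is a hypothetical helper name.

```python
import re
from datetime import datetime

# PC/SC status codes (winscard.h / pcsc-lite) that invalidate a held transaction.
PCSC_STATUS = {
    0x80100067: "SCARD_W_UNPOWERED_CARD",
    0x80100068: "SCARD_W_RESET_CARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}

# The timestamp can sit mid-line (for example after the PIN prompts), so the
# pattern is used with search(), not match().
LINE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?:\[[^\]]+\] )?(.*)")
ERR_RE = re.compile(r"(SCard\w+(?:/\w+)?) failed: (0x[0-9A-Fa-f]{8})")

# Assembled from log lines quoted in this thread (intermediate lines omitted).
SAMPLE_LOG = """\
2016-03-23 16:37:53.607 [pkcs15-tool] reader-pcsc.c:534:pcsc_lock: called
2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardTransmit/Control failed: 0x80100068
2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
2016-03-23 16:38:03.999 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardEndTransaction failed: 0x80100068
"""


def analyse(log_text, idle_limit_s=1.5):
    """Summarise lock hold time, the longest idle gap under lock, and PC/SC errors.

    idle_limit_s is an assumption: 1.5 s is the candidate value named in the
    thread, not a confirmed cause.
    """
    lock_at = last_io = None
    report = {"lock_held_s": 0.0, "max_idle_s": 0.0,
              "idle_ended_at": None, "errors": []}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stamp, msg = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")

        if "pcsc_lock: called" in msg:
            if lock_at is None:          # outermost lock starts the clock
                lock_at = last_io = ts
        elif "sc_single_transmit: returning with: 0" in msg:
            if lock_at is not None:      # a completed APDU counts as activity
                last_io = ts
        elif "pcsc_internal_transmit: called" in msg:
            if last_io is not None:      # idle time since the last activity
                gap = (ts - last_io).total_seconds()
                if gap > report["max_idle_s"]:
                    report["max_idle_s"] = round(gap, 3)
                    report["idle_ended_at"] = stamp
        elif "pcsc_unlock: called" in msg:
            if lock_at is not None:
                held = (ts - lock_at).total_seconds()
                report["lock_held_s"] = round(report["lock_held_s"] + held, 3)
                lock_at = last_io = None

        err = ERR_RE.search(msg)
        if err:
            code = int(err.group(2), 16)
            report["errors"].append(
                (err.group(1), PCSC_STATUS.get(code, err.group(2))))

    report["exceeded"] = report["max_idle_s"] > idle_limit_s
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full `-vvvvvvvvv` capture, the idle gap shows how long the prompts kept the card locked without traffic before the transmit that failed.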



Re: Pin entry doesn't work under Windows

Philip Wendland

No time to check, but this is likely related to https://github.com/OpenSC/OpenSC/issues/703



Re: Pin entry doesn't work under Windows

twisteroid ambassador
In reply to this post by Douglas E Engert

It was cmd.exe and 64 bit. 
Looks like you and Philip are both right. I also see the same errors in the log with enough -v flags. If I use an autohotkey script to enter the pins rapidly, then the PIN is changed successfully.
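
The `-vvvvvvvvv` output quoted earlier in this thread includes the outgoing CHANGE REFERENCE DATA APDU (INS 24) with the old and new PIN as ASCII in its data field, so a log at that verbosity needs redacting before it is shared. The following is an added example, not part of the original posts and not OpenSC code: it masks the body of PIN-bearing APDUs in OpenSC hex dumps. `redact_pin_apdus` is a hypothetical helper name, the first dump in the sample is the one from the thread, and the second is constructed.

```python
import re

# ISO 7816-4 instructions whose data field carries a PIN or PUK.
PIN_INS = {0x20: "VERIFY", 0x24: "CHANGE REFERENCE DATA",
           0x2C: "RESET RETRY COUNTER"}
HEADER_RE = re.compile(r"^Outgoing APDU data \[\s*(\d+) bytes\] =+\s*$")
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

SAMPLE = """\
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:384:sc_single_transmit: called
2016-03-23 16:38:03.984
Outgoing APDU data [   21 bytes] =====================================
00 24 00 80 10 31 32 33 34 35 36 37 38 31 32 33 .$...12345678123
34 35 36 FF FF                                  456..
======================================================================
2016-03-23 16:38:04.100
Outgoing APDU data [   10 bytes] =====================================
00 A4 04 00 05 A0 00 00 03 08                   ..........
======================================================================
"""


def _parse_rows(rows, n):
    """Return the n APDU bytes from the dump rows, or None if malformed."""
    apdu = []
    for row in rows:
        # Hex pairs come first on each row; the ASCII column follows them.
        toks = row.split()[:min(16, n - len(apdu))]
        if not toks or not all(HEX_PAIR.match(t) for t in toks):
            return None
        apdu += [int(t, 16) for t in toks]
    return apdu if len(apdu) == n else None


def _dump_rows(cells):
    """Render cells (ints, or None for masked bytes) 16 per row with ASCII."""
    rows = []
    for off in range(0, len(cells), 16):
        chunk = cells[off:off + 16]
        hexcol = " ".join("XX" if b is None else "%02X" % b for b in chunk)
        asc = "".join("*" if b is None else chr(b) if 32 <= b < 127 else "."
                      for b in chunk)
        rows.append("%-48s%s" % (hexcol, asc))
    return rows


def redact_pin_apdus(log_text):
    """Return (redacted_text, number_of_dumps_changed).

    For PIN-bearing instructions everything after the 5-byte header is masked,
    padding included, since the padding reveals the PIN length. A dump that
    cannot be parsed is removed rather than passed through.
    """
    lines = log_text.splitlines()
    out, changed, i = [], 0, 0
    while i < len(lines):
        out.append(lines[i])
        m = HEADER_RE.match(lines[i])
        i += 1
        if not m:
            continue
        n = int(m.group(1))
        rows = lines[i:i + -(-n // 16)]      # ceil(n / 16) dump rows
        i += len(rows)
        apdu = _parse_rows(rows, n)
        if apdu is None:
            out.append("[unparsable APDU dump removed]")
            changed += 1
        elif len(apdu) > 5 and apdu[1] in PIN_INS:
            out += _dump_rows(apdu[:5] + [None] * (n - 5))
            changed += 1
        else:
            out += rows                      # not PIN-bearing: keep verbatim
    return "\n".join(out), changed


if __name__ == "__main__":
    print(redact_pin_apdus(SAMPLE)[0])
```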

> Found OpenSC Card!
> 2016-03-23 16:22:06.487 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning
> with: 0 (Success)
> 2016-03-23 16:22:06.493 cannot lock memory, sensitive data may be paged to disk
> PIN code changed successfully.
> 2016-03-23 16:22:06.516 [pkcs15-tool] ctx.c:799:sc_release_context: called
>
>
> Similarly, when using private key stored on token for OpenVPN
> authentication, there are errors after entering the PIN interactively.
> Console log excerpt:
>
> Enter OpenSC Card (User PIN) token Password:
> 2016-03-23 16:02:21.334 cannot lock memory, sensitive data may be paged to disk
> Wed Mar 23 16:02:21 2016 PKCS#11: Cannot perform signature
> 512:'CKR_FUNCTION_REJECTED'
> Wed Mar 23 16:02:21 2016 TLS_ERROR: BIO read tls_read_plaintext error:
> error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
> Wed Mar 23 16:02:21 2016 TLS Error: TLS object -> incoming plaintext read error
> Wed Mar 23 16:02:21 2016 TLS Error: TLS handshake failed
>
>
>
> Is this a known problem?
> Please inform me if any more information is needed.
>
> Thanks,
>
> --
> twisteroid ambassador
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>
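
The timing check done by hand in the message above can be run over a whole `-vv` debug log. The following is an added example, not part of the original post and not OpenSC code: it parses the timestamps and reports every idle gap longer than a threshold. The function names are hypothetical, and the 1500 ms default is only the TransactionTimeoutMilliseconds value the message offers as a guess.

```python
import re
from datetime import datetime

# The three log lines quoted in the message above; "Line 2491: " is editor
# search residue and is skipped because the regex searches within the line.
SAMPLE_LOG = """\
2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
Line 2491: 2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
"""

# Timestamp, [tool] tag, then an optional file:line:function: triple. The
# triple is optional because mail wrapping can push it onto the next line.
ENTRY = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]+\]\s*"
    r"(?:([\w.-]+):(\d+):(\w+):)?"
)


def parse_entries(text):
    """Return (timestamp, function) per debug line; function may be None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            entries.append((ts, m.group(4)))
    return entries


def idle_gaps(text, threshold_ms=1500):
    """List (gap_ms, func_before, func_after) for gaps above threshold_ms.

    threshold_ms defaults to the 1.5 s figure quoted in the message; whether
    that registry value governs this failure is the poster's hypothesis.
    """
    entries = parse_entries(text)
    gaps = []
    for (t0, f0), (t1, f1) in zip(entries, entries[1:]):
        gap_ms = round((t1 - t0).total_seconds() * 1000)
        if gap_ms > threshold_ms:
            gaps.append((gap_ms, f0, f1))
    return gaps


if __name__ == "__main__":
    for gap_ms, before, after in idle_gaps(SAMPLE_LOG):
        print(f"{gap_ms} ms idle between {before} and {after}")
```
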

