[Pcsclite-muscle] Gemalto IDBridge CT700/Ezio Shield, problem with specific card
Ludovic Rousseau
ludovic.rousseau at gmail.com
Wed Sep 7 05:07:19 PDT 2022
On Wed, 7 Sep 2022 at 09:15, Patrik Pira <flutter.se at gmail.com> wrote:
> Hello
Hello,
> I have a problem with a specific combination of smartcard and
> cardreader. Everything works but logging in to the token. For example,
> I can list objects on the card with:
>
> # pkcs11-tool --module /usr/lib/libiidp11.so -O
>
> but doing the same while logging in:
>
> # pkcs11-tool --module /usr/lib/libiidp11.so -O -l
>
> does not work. Error PKCS11 function C_Login failed: rv =
> CKR_FUNCTION_FAILED (0x6)
>
> The same card works fine with other (pinpad and non-pinpad) readers.
> The same reader works fine with other brands of smartcards.
Your log contains:
ifdhandler.c:1476:IFDHControl() ControlCode: 0x42330006,
usb:08e6/34c2:libudev:0:/dev/bus/usb/002/007 (lun: 0)
00000062 [140084688668352] Control TxBuffer: 00 00 82 08
00 08 04 02 FF 09 04 00 00 00 00 45 00 00 00 00 20 00 01 40 FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000081 [140084688668352] -> 000000 69 54 00 00 00 00 2D 00
00 00 00 00 82 08 00 08 04 02 FF 09 04 00 00 00 00 00 20 00 01 40 FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00237950 [140084688668352] <- 000000 80 00 00 00 00 00 2D 42 FE 00
00000035 [140084688668352] commands.c:1571:CCID_Receive
Card absent or mute
> Linux distribution: Arch Linux, tried AlmaLinux 8 also
> PKCS#11 middleware: Secmaker NetID 6.8.4.27, tried some older versions also
> Smartcard Reader: Gemalto IDBridge CT700 (new version, identifies as
> Gemalto Ezio Shield also)
> Smartcard name: IDEMIA AWP, model IAS ECC
The reader has: "Firewall: yes" so you should not be able to do a
verify PIN by sending the PIN from the PC to the card.
You have to use the pinpad. And that is what OpenSC is doing. Fine.
The FEATURE_VERIFY_PIN_DIRECT command is sent to the reader.
The reader does not reject the command so it should be happy with it.
But the reader reports "Card absent or mute".
So something happens between the reader and the card while sending the PIN.
Maybe the card did not like the VERIFY APDU and becomes mute.
The next APDU sent to the card also fails with "Card absent or mute".
So the card is really not responding until the next reset.
Without a hardware analyser to spy on the communication between the card
and the reader it will be difficult to know what happens.
When you say it works with other pinpad readers, do you enter the PIN on
the pinpad or use the pinpad reader as a "transparent" reader and
enter the PIN on the PC keyboard?
Bye
--
Dr. Ludovic Rousseau
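
Added example, not part of the original message: a decoder for the FEATURE_VERIFY_PIN_DIRECT TxBuffer and the reader's reply quoted in the log above. The field layout assumes the PC/SC part 10 PIN_VERIFY_STRUCTURE and the CCID RDR_to_PC_DataBlock header; the function names are hypothetical.

```python
import struct

# TxBuffer transcribed from the log above (ControlCode 0x42330006):
# 19-byte PIN_VERIFY_STRUCTURE header, then the APDU template (5 bytes + 64 x FF).
TX_BUFFER = bytes.fromhex(
    "00 00 82 08 00 08 04 02 FF 09 04 00 00 00 00 45 00 00 00 "
    "00 20 00 01 40") + b"\xff" * 64
# The reader's reply ("<-" line) from the same log.
RESPONSE = bytes.fromhex("80 00 00 00 00 00 2D 42 FE 00")
PIN_FORMAT = {0: "binary", 1: "BCD", 2: "ASCII"}

def parse_pin_verify(buf):
    """Decode a packed, little-endian PIN_VERIFY_STRUCTURE."""
    (_timeout, _timeout2, fmt, block, _len_fmt, max_extra, validation,
     _n_msg, lang_id, _msg_index, _teo, data_len) = struct.unpack_from(
        "<BBBBBHBBHB3sI", buf)
    apdu = buf[19:]
    if data_len != len(apdu):
        raise ValueError("ulDataLength does not match the abData length")
    return {
        "units": "bytes" if fmt & 0x80 else "bits",   # bmFormatString bit 7
        "pin_offset": (fmt >> 3) & 0x0F,              # position after APDU header
        "pin_format": PIN_FORMAT.get(fmt & 0x03, "reserved"),
        "pin_block_size": block & 0x0F,               # bmPINBlockString, bytes
        "min_digits": max_extra >> 8,                 # wPINMaxExtraDigit = XXYYh
        "max_digits": max_extra & 0xFF,
        "validation": validation,                     # 0x02: validation key pressed
        "lang_id": lang_id,
        "apdu_header": apdu[:4].hex(),                # CLA INS P1 P2
        "lc": apdu[4],
        "apdu_data": apdu[5:],
    }

def parse_ccid_status(resp):
    """Decode bStatus and bError from a 10-byte RDR_to_PC_DataBlock header."""
    msg_type, _length, _slot, seq, status, error, _chain = struct.unpack_from(
        "<BIBBBBB", resp)
    return {
        "message": msg_type,
        "seq": seq,
        "icc_status": status & 0x03,          # 0 active, 1 inactive, 2 no ICC
        "command_failed": (status >> 6) == 1,
        "error": error,                       # 0xFE: ICC_MUTE
    }

if __name__ == "__main__":
    print(parse_pin_verify(TX_BUFFER))
    print(parse_ccid_status(RESPONSE))
```

The decoded APDU header 00 20 00 01 is the VERIFY command the reply discusses, and bError 0xFE is the value the CCID driver logs as "Card absent or mute".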