[Pcsclite-muscle] Trouble using Yubikey 5 NFC

Sebastien Requiem sebastien at canihaz.net
Tue Apr 18 00:25:07 PDT 2023


Hi everyone,

I own a YubiKey 5 NFC (see firmware version at the bottom) and decided to use it with GnuPG via the OpenPGP applet. As a reminder, gpg communicates with the card via scdaemon, which in turn communicates with pcsclite.

When using the YubiKey via USB, I can import my rsa4096 key onto the key and the command gpg --card-status is able to enumerate the features and configuration of the key without problem.

However, when using the key via NFC (using an ACS ACR122u NFC reader OR pn522 via UART), I get:

$> gpg --card-status
gpg: OpenPGP card not available: Card error

(Side note: when the NFC key does not contain any GPG key, the above command succeeds.)

Debugging deeper, I found that scdaemon complains that the public key is not available and that an error has occurred (see below):

DBG: send apdu: c=00 i=47 p1=81 p2=00 lc=2 le=526 em=1
DBG:   PCSC_data: 00478100000002b600020e
apdu_send_simple(0) failed: unknown status error
reading public key failed: Missing item in object
DBG: send apdu: c=00 i=47 p1=81 p2=00 lc=2 le=526 em=1
DBG:   PCSC_data: 00478100000002b800020e
DBG:  response: sw=9000  datalen=160
DBG:      dump: 9bc2bc67a6081d9af0d54255704f40abe284a345b5292c07fee98797494e2aeb \
DBG:  b99c262b4115ea00f01fedec0b816b307ade58a27faa8ca43d8499bb506eda80 \
DBG:  a3ba695ec0e93dcbe663317c44892db6d8eb0874eef0be90ccbfa4a95d35896f \
DBG:  9315056f082a40616c331f795295d7ff2311f60e69e3c635d234b4651e8870d9 \
DBG:  f4af1ecedb99cf2c169ddeac055bc4545d02fcf9bcdf94dbc130698203010001
response does not contain the public key data

Which led me to debug pcsclite and see what response is sent by the token. It looks like the payload sent as a reply from the token is NOT what is expected and that makes the whole chain fail.
For comparison, I attach a log file (see log-success.txt) from when the command succeeds (via USB and not NFC), where we can see that, for the APDU 00 47 81 00, a different (and larger) payload is sent.


I must admit that I am unsure of what to do with all this. How can the YubiKey reply with two different payloads when connected via USB and via NFC? I searched the net in vain for anyone having the same issue but found nothing looking like it, which makes me think that I have a software issue somewhere.

I tried two NFC readers to try to isolate the issue but I got the same behavior (I think - I didn't investigate the logs of pcsclite with pn522).

As for gpg, I tried gpg v2.2, v2.3 and v2.4 (and made sure to kill scdaemon and gpg-agent each time) with no success.

Does anyone have an idea of what is happening?

Useful information:
=======
pcsclite package version : 1.9.9-3
pcsc-lite version 1.9.9.
Copyright (C) 1999-2002 by David Corcoran <corcoran at musclecard.com>.
Copyright (C) 2001-2022 by Ludovic Rousseau <ludovic.rousseau at free.fr>.
Copyright (C) 2003-2004 by Damien Sauveron <sauveron at labri.fr>.
Report bugs to <pcsclite-muscle at lists.infradead.org>.
Enabled features: Linux x86_64-pc-linux-gnu libsystemd serial usb libudev usbdropdir=/usr/lib/pcsc/drivers ipcdir=/run/pcscd filter configdir=/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16


System: Arch Linux
packages:
- acsccid 1.1.9-1
- pcsclite 1.9.9-3
- ccid: 1.5.2-1
- libnfc: 1.8.0-2

Configuration: blacklist pn533, pn533_usb and nfc kernel modules

NFC reader: ACS ACR122u (USB connection)

Smart Card: YubiKey 5 NFC - firmware 5.4.3


-- 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log.txt
URL: <http://lists.infradead.org/pipermail/pcsclite-muscle/attachments/20230418/9204b2f7/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log-success.txt
URL: <http://lists.infradead.org/pipermail/pcsclite-muscle/attachments/20230418/9204b2f7/attachment-0003.txt>
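
An added example, not part of the original post and not GnuPG or pcsc-lite code: it decodes the extended-length command APDU from the scdaemon log above and checks whether a response begins with the 7F49 public-key template carrying the 81 (modulus) and 82 (exponent) objects that the OpenPGP card specification defines for INS 47. Only the command bytes come from the log; `MODULUS`, `FULL` and `TAIL` are constructed sample data.

```python
# Added example, not code from the original post; sample responses are constructed.

def parse_extended_apdu(raw: bytes) -> dict:
    """Split an ISO 7816-4 case 4 extended-length command APDU."""
    if len(raw) < 10 or raw[4] != 0x00:
        raise ValueError("not an extended-length APDU with command data")
    lc = int.from_bytes(raw[5:7], "big")
    data, le = raw[7:7 + lc], raw[7 + lc:]
    if len(data) != lc or len(le) != 2:
        raise ValueError("Lc/Le fields do not match the APDU length")
    return {"cla": raw[0], "ins": raw[1], "p1": raw[2], "p2": raw[3],
            "data": data, "le": int.from_bytes(le, "big") or 65536}

def read_tlv(buf: bytes, pos: int = 0):
    """Read one BER-TLV object (one- or two-byte tag); return (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:              # two-byte tag such as 7F49
        tag = (tag << 8) | buf[pos]
        pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                   # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def public_key_from_response(resp: bytes):
    """Return {0x81: modulus, 0x82: exponent} from a 7F49 template, else None."""
    try:
        tag, body, _ = read_tlv(resp)
        if tag != 0x7F49:
            return None
        fields, pos = {}, 0
        while pos < len(body):
            t, value, pos = read_tlv(body, pos)
            fields[t] = value
    except (ValueError, IndexError):
        return None
    return fields if {0x81, 0x82} <= fields.keys() else None

# Command bytes are copied from the scdaemon log; everything below is constructed.
CMD = bytes.fromhex("00478100000002b600020e")
MODULUS = bytes(range(1, 129)) * 4      # 512-byte stand-in for an RSA-4096 modulus
FULL = bytes.fromhex("7f4982020981820200") + MODULUS + bytes.fromhex("8203010001")
TAIL = FULL[-160:]                      # 160 bytes ending in 82 03 010001, no 7F49 header
```

With a 512-byte modulus and a three-byte exponent the complete template is 526 bytes, the same value as le=526 in the logged command. A 160-byte reply that ends in 82 03 010001 but does not start with 7F49 fails this check.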