
READCERT immediately after WRITECERT fails
Closed, Resolved (Public)

Description

I'm using master with a Yubikey 5.

Trying to read the certificate stored on a PIV card fails immediately after writing the certificate to the card. Reading works after killing scdaemon. This is somewhat relevant for Kleopatra: After writing a certificate to a PIV card the "Import Certificate" button is still disabled because the button is only enabled if a certificate is found on the card for the corresponding card slot.

Prerequisites:

  • A private key was generated on-card for (or an off-card key was written to) one of the PIV card slots, e.g. PIV.9E (Card Authentication key)
  • A certificate was created for the private key

$ gpg-card
[...]
Card authenticat. : 482BD076054B6950A6FC476C356AF029A5115BBD
      keyref .....: PIV.9E  (auth)
      algorithm ..: rsa2048
      used for ...: X.509
        user id ..: CN=Signing key,O=example,C=DE
        user id ..: <otto@example.net>
[...]
gpg/card> authenticate ***
gpg/card> writecert PIV.9E < sign-rsa2048-offcard-482BD076054B6950A6FC476C356AF029A5115BBD.crt
gpg/card> readcert PIV.9E > sign-rsa2048-offcard-482BD076054B6950A6FC476C356AF029A5115BBD-export.crt
Command 'readcert' failed: Not found

The scd log says:

2020-10-12 16:28:54 scdaemon[3802] DBG: chan_7 <- WRITECERT PIV.9E
2020-10-12 16:28:54 scdaemon[3802] DBG: chan_7 -> INQUIRE CERTDATA
2020-10-12 16:28:54 scdaemon[3802] DBG: chan_7 <- [ 44 20 30 82 03 41 30 82 02 29 a0 03 02 01 02 02 ...(857 byte(s) skipped) ]
2020-10-12 16:28:54 scdaemon[3802] DBG: chan_7 <- END
2020-10-12 16:28:54 scdaemon[3802] DBG: send apdu: c=00 i=CB p1=3F p2=FF lc=5 le=256 em=0
2020-10-12 16:28:54 scdaemon[3802] DBG:  raw apdu: 00cb3fff055c035fc10100
2020-10-12 16:28:54 scdaemon[3802] DBG:  response: sw=6115  datalen=256
2020-10-12 16:28:54 scdaemon[3802] DBG: apdu_send_simple(0): 21 more bytes available
2020-10-12 16:28:54 scdaemon[3802] DBG:  raw apdu: 00c0000015
2020-10-12 16:28:54 scdaemon[3802] DBG:      more: sw=9000  datalen=21
2020-10-12 16:28:54 scdaemon[3802] DBG:      dump: 538201118001077f4982010981820100c6ee77d1b734db6b9b2f7769834a6b81 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  4e42dfce01962001299aefe8ec8b77200d3e12c4ab29729404d4bfcb4970094c \
2020-10-12 16:28:54 scdaemon[3802] DBG:  f3e517be153c8ddbe90aa8daa3d4d2b969d30a9cb1ecb08f1c38d35ccd7eafd6 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  1c315c1118b23920ebea3632b0b7497fa8e9d928e91adc7627e66a15a45a259d \
2020-10-12 16:28:54 scdaemon[3802] DBG:  dc466f20b565b0af6ece7097a9d1bc516c9db43093c6a3ec81bee18214f7cb7a \
2020-10-12 16:28:54 scdaemon[3802] DBG:  11dc9bf44352f2c5f7be2716a49acb885e390b08c8cdfee671c0658d5de1e617 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  4ce4cb0cf35f9a9ea7dfb1e202f33a7a0e64035ba81e49277ee74371cea65f2f \
2020-10-12 16:28:54 scdaemon[3802] DBG:  d0e728647b38a403cd058c816e358dc8cc600e25a85ed8c4864d38bc0c2e8986 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  ef525c5db86b0ec3698348b2df632a478203010001
2020-10-12 16:28:54 scdaemon[3802] DBG: send apdu: c=00 i=DB p1=3F p2=FF lc=855 le=-1 em=-1
2020-10-12 16:28:54 scdaemon[3802] DBG:  raw apdu: 10db3fffff5c035fc1015382034e708203453082034130820229a00302010202 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  081136f6e309018da0300d06092a864886f70d01010b05003035310b30090603 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  550406130244453110300e060355040a13076578616d706c6531143012060355 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  0403130b5369676e696e67206b65793020170d3230303931303134353231335a \
2020-10-12 16:28:54 scdaemon[3802] DBG:  180f32303633303430353137303030305a3035310b3009060355040613024445 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  3110300e060355040a13076578616d706c65311430120603550403130b536967 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  6e696e67206b657930820122300d06092a864886f70d01010105000382010f00 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  3082010a0282010100c6ee77d1b734db6b9b2f7769834a6b814e42dfce019620 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  01299aef
2020-10-12 16:28:54 scdaemon[3802] DBG:  raw apdu: 10db3fffffe8ec8b77200d3e12c4ab29729404d4bfcb4970094cf3e517be153c \
2020-10-12 16:28:54 scdaemon[3802] DBG:  8ddbe90aa8daa3d4d2b969d30a9cb1ecb08f1c38d35ccd7eafd61c315c1118b2 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  3920ebea3632b0b7497fa8e9d928e91adc7627e66a15a45a259ddc466f20b565 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  b0af6ece7097a9d1bc516c9db43093c6a3ec81bee18214f7cb7a11dc9bf44352 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  f2c5f7be2716a49acb885e390b08c8cdfee671c0658d5de1e6174ce4cb0cf35f \
2020-10-12 16:28:54 scdaemon[3802] DBG:  9a9ea7dfb1e202f33a7a0e64035ba81e49277ee74371cea65f2fd0e728647b38 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  a403cd058c816e358dc8cc600e25a85ed8c4864d38bc0c2e8986ef525c5db86b \
2020-10-12 16:28:54 scdaemon[3802] DBG:  0ec3698348b2df632a470203010001a3533051301b0603551d11041430128110 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  6f74746f
2020-10-12 16:28:54 scdaemon[3802] DBG:  raw apdu: 10db3fffff406578616d706c652e6e65743011060a2b06010401da4702020104 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  030101ff300f0603551d130101ff040530030101ff300e0603551d0f0101ff04 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  04030206c0300d06092a864886f70d01010b0500038201010097e41d78485439 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  fac7ecc57f1681c1b2280e76ccee020f4f635a0155a922872c13bd75714ecfd0 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  88acbfdf0ff7cbad8a6da53b4392c16577ce8087bba9e095207c24171630684f \
2020-10-12 16:28:54 scdaemon[3802] DBG:  a7db8ccaf4955be3a02f46d87e014e56ee8a39aa6b07f0397fd15bc90d85b3c7 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  8e9d0fd74422a23a1902fc359ae7a8484ca5a530f051e57f07da639d421db3a3 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  7ae912858ec9fec1246198ed0cd2e55c3ae89c4ef0e6f705a37a4c08d7a646b6 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  d77e032e
2020-10-12 16:28:54 scdaemon[3802] DBG:  raw apdu: 00db3fff5a13b38669597035f02c1fb2e71670b18d7a8d3a31bf19695e2b1fe6 \
2020-10-12 16:28:54 scdaemon[3802] DBG:  e7003a4cf11a1f5d96275da5e198ffd2621b8b68ee2ee5b3f12f7bd0eaba459a \
2020-10-12 16:28:54 scdaemon[3802] DBG:  58e4ae39210b918b6a417de9e7dbe2a64077ab7bec029bb694df710100fe00
2020-10-12 16:28:54 scdaemon[3802] DBG:  response: sw=9000  datalen=0
2020-10-12 16:28:54 scdaemon[3802] DBG:      dump: [all zero]
2020-10-12 16:28:54 scdaemon[3802] operation writecert result: Success
2020-10-12 16:28:54 scdaemon[3802] DBG: chan_7 -> OK

2020-10-12 16:29:45 scdaemon[3802] DBG: chan_7 <- READCERT PIV.9E
2020-10-12 16:29:45 scdaemon[3802] app_readcert failed: Not found
2020-10-12 16:29:45 scdaemon[3802] DBG: chan_7 -> ERR 100663323 Not found <SCD>

After killing scdaemon (gpgconf --kill scdaemon) reading the certificate works:

2020-10-12 16:31:20 scdaemon[4218] DBG: chan_7 <- READCERT PIV.9E
2020-10-12 16:31:20 scdaemon[4218] DBG: chan_7 -> [ 44 20 30 82 03 41 30 82 02 29 a0 03 02 01 02 02 ...(857 byte(s) skipped) ]
2020-10-12 16:31:20 scdaemon[4218] DBG: chan_7 -> OK

Event Timeline

Caching issue. do_writecert in app-piv flushes the cache but may be the wrong DO. Can you try to

- flush_cached_data (app, dobj->tag);
+ flush_cached_data (app, 0);
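Review bot: changing the argument only widens which data objects get flushed (a tag of 0 presumably meaning every cached DO); the flush still happens at the same point in do_writecert, so any read of the same DO between this call and the later `put_data (...)` would repopulate the cache with the pre-write content and READCERT would keep seeing the old data. Before testing, it is worth checking the call order after `flush_cached_data (app, ...)`, in particular whether `do_readkey (...)` runs between the flush and the write.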

and test again?

This doesn't help. I think that's because after

flush_cached_data (app, dobj->tag);

do_writecert does

do_readkey (...)

which fills the cache again.

Putting another

flush_cached_data (app, dobj->tag);

just before

err = put_data (app_get_slot (app), dobj->tag,

fixes the issue.
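The cache-ordering bug and its fix described in this thread, as an added model in C (this is not GnuPG's app-piv.c; the function names echo the report but the bodies are simplified stand-ins): the DO cache is refilled by do_readkey after the first flush, so the pre-write content is served to READCERT until the cache is flushed again just before put_data.

```c
/* Added model (not GnuPG code) of the cache ordering bug in do_writecert:
 * a DO cache keyed by tag, a fake card DO, and the two orderings of
 * flush_cached_data().  Names mirror the report; bodies are stand-ins. */
#include <stdio.h>
#include <string.h>
#define TAG_CERT_9E 0x5FC101    /* PIV X.509 certificate DO for slot 9E */
#define ERR_NOT_FOUND 100663323 /* error value seen in the scd log above */

static char card_do[256];       /* what the card currently stores */
static char cache_do[256];      /* scdaemon's cached copy of the DO */
static int cache_valid;         /* 0 = cache empty, next read hits the card */

static void put_data(int tag, const char *data) { /* write DO to the card */
  (void)tag; strcpy(card_do, data);
}
static const char *get_cached_data(int tag) { /* read DO through the cache */
  (void)tag;
  if (!cache_valid) { strcpy(cache_do, card_do); cache_valid = 1; }
  return cache_do;
}
static void flush_cached_data(int tag) { (void)tag; cache_valid = 0; }

/* do_readkey reads the DO through the cache to extract the public key */
static void do_readkey(int tag) { (void)get_cached_data(tag); }

/* do_readcert fails unless the cached DO actually holds a certificate */
static int do_readcert(int tag, char *out, size_t n) {
  const char *d = get_cached_data(tag);
  if (strncmp(d, "CERT:", 5) != 0) return ERR_NOT_FOUND;
  snprintf(out, n, "%s", d + 5);
  return 0;
}

static int do_writecert(int tag, const char *cert, int fixed) {
  flush_cached_data(tag);            /* the flush the original code has */
  do_readkey(tag);                   /* refills the cache with the OLD DO */
  if (fixed) flush_cached_data(tag); /* the fix: flush again before writing */
  char buf[256];
  snprintf(buf, sizeof buf, "CERT:%s", cert);
  put_data(tag, buf);
  return 0;
}

/* Replays the report: slot holds only a key template, then WRITECERT,
 * then READCERT in the same scdaemon session.  Returns READCERT's code. */
static int scenario(int fixed) {
  cache_valid = 0;
  strcpy(card_do, "PUBKEY:7f49...");     /* constructed stand-in content */
  do_writecert(TAG_CERT_9E, "308203...", fixed);
  char out[256];
  return do_readcert(TAG_CERT_9E, out, sizeof out);
}
```

Running scenario(0) reproduces the "Not found" result from the log, while scenario(1), with the second flush, returns the freshly written certificate.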

gniibe triaged this task as Normal priority.

Pushed the change.