
SC-HSM 4K Compatibility
Open, Low, Public

Description

I am trying to get GnuPG to work with my SmartCard-HSM 4K on Windows, using the GP4Win bundle.

Kleopatra doesn't recognise the SC-HSM 4K at all, even though it DOES recognise the YubiKey 5 NFC in BOTH the PIV and OpenPGP Card apps.

Trying to debug this, using CMD:

scdaemon --server
serialno

I get the following result:

scdaemon[xxxxx]: detected reader 'ACS ACR38U 0'
scdaemon[xxxxx]: reader slot 0: not connected
scdaemon[xxxxx]: pcsc_control failed: invalid PC/SC error code (0x1)
scdaemon[xxxxx]: pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
scdaemon[xxxxx]: reader slot 0: active protocol: T1
scdaemon[xxxxx]: slot 0: ATR=3bde18ff8191fe1fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
scdaemon[xxxxx]: error parsing PrKDF record: Invalid object
scdaemon[xxxxx]: no supported card application found: Invalid object
S PINCACHE_PUT 0//
ERR 100696144 No such device <SCD>

Below I am including my configuration files.

scdaemon.conf

###+++--- GPGConf ---+++###
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
disable-ccid
###+++--- GPGConf ---+++### 09/06/y22 23:29:33 GTB Daylight Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

#pcsc-shared

I have tried all possible combinations with `disable-ccid` and `pcsc-shared` and nothing works.

gpgagent.conf

###+++--- GPGConf ---+++###
enable-extended-key-format
ignore-cache-for-signing
no-allow-external-cache
no-allow-loopback-pinentry
grab
pinentry-timeout 10
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
ssh-fingerprint-digest SHA384
###+++--- GPGConf ---+++### 18/04/y22 07:30:51 GTB Daylight Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

enable-putty-support
enable-ssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200

gpgsm.conf

###+++--- GPGConf ---+++###
auto-issuer-key-retrieve
enable-crl-checks
enable-ocsp
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
include-certs -1
cipher-algo AES256
###+++--- GPGConf ---+++### 01/04/y22 19:10:26 GTB Daylight Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

I was never able to get the SC-HSM to work with GnuPG, even though it is supposedly supported. This is the current time I am trying to figure it out. This time, I haven't played with anything other than scdaemon.conf, but, as far as I can tell, the SC-HSM didn't work even with the defaults on a fresh install.

The card otherwise works nicely with everything else.

Event Timeline

gniibe added a subscriber: gniibe.

Please ask your card vendor.

We included the support of SC-HSM in 2014, from its vendor.

I (of the GnuPG team) don't have the smartcard or any technical document for the card.

margirou raised the priority of this task from Low to Needs Triage. Aug 17 2022, 5:41 AM

Hello again,

I believe I have found the cause of the problem with GnuPG. When removing the AES key from the card, the error about the invalid PrKDF disappeared, which I believe is progress.

When I try "scdaemon --server" and then type "learn", I get the following:

scdaemon[xxxxx]: detected reader 'ACS CCID USB Reader 0'
scdaemon[xxxxx]: reader slot 0: not connected
scdaemon[xxxxx]: pcsc_control failed: invalid PC/SC error code (0x1)
scdaemon[xxxxx]: pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
scdaemon[xxxxx]: reader slot 0: active protocol: T1
scdaemon[xxxxx]: slot 0: ATR=xxxxxxxxxxxxxx
scdaemon[xxxxx]: DBG: PrKDF C401: id=xxxxxxxxxxxxxx keyref=0x01 keysize=528 usage=sign,derive
scdaemon[xxxxx]: DBG: CDF C401: id=xxxxxxxxxxxxxx fid=CE01
scdaemon[xxxxx]: DBG: PrKDF C402: id=xxxxxxxxxxxxxx keyref=0x02 keysize=2048 usage=decrypt,sign,sign_recover,unwrap
scdaemon[xxxxx]: DBG: CDF C402: id=xxxxxxxxxxxxxx fid=CE02
S READER ACS CCID USB Reader 0
S SERIALNO xxxxxxxxxxxxxx
INQUIRE KNOWNCARDP xxxxxxxxxxxxxx

I then try "gpg --card-edit --expert" and then "admin" and "list":

Reader ...........: ACS CCID USB Reader 0
Application ID ...: xxxxxxxxxxxxxx
Application type .: Unknown

GnuPG is now recognising the private keys and can parse the PrKDF record but still cannot use the keys. Any thoughts on this?

Thanks in advance!

margirou renamed this task from scdaemon cannot recognise SC-HSM to SC-HSM 4K Compatibility. Aug 17 2022, 5:44 AM

ACS readers simply don't work reliably under Linux.

For actual debugging you should put this into your scdaemon.conf:

log-file  FOO
debug ipc,reader,app,cardio

and if you run into low-level problems with a CCID reader, also

debug-ccid-driver

(I noticed that you disabled the internal CCID driver, so in your case it doesn't matter)

FWIW. You may use

gpgconf --show-configs

to get all active configuration files and some other info. But please attach it and don't inline it.

I am attaching the files. The "gpgconf --list-config" gave the error "gpgconf: can't open global config file 'C:\\ProgramData\\GNU\\etc\\gnupg\\gpgconf.conf': No such file or directory", so I tried the "gpgconf --show-configs".

The ACS readers don't work that reliably on Windows either... But, I think that in this case the problem is with some of the new capabilities/features of the upgraded version of the SC-HSM, and not with the reader. ACS readers are cheap and widespread, e.g. I got mine from the Estonian Digital Resident programme.

Thank you for your log.

Unfortunately, the log is not helpful. Apparently, it seems that it's an artificial session done manually; the "learn" command failed when scdaemon inquired "KNOWNCARDP". That's normal.

If you do, you can do "learn --force", then scdaemon won't inquire back by "KNOWNCARDP".
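The two exchanges above (a manual `scdaemon --server` session that stops at `INQUIRE KNOWNCARDP`, and the `DBG: PrKDF ...` log lines that show which private keys scdaemon parsed) are easy to misread by hand. The script below is an added example for this thread, not GnuPG's own code: it drives `scdaemon --server` over its Assuan text protocol, answers any INQUIRE with `END` so a scripted session does not stall, and folds the interleaved protocol and log lines into a short summary. It assumes `scdaemon` is on PATH and that replies follow the usual Assuan shape (`OK`, `ERR <code> <text>`, `S <keyword> ...`, `INQUIRE <keyword> ...`); the two sample sessions are constructed from the output quoted in this thread, with placeholder ids and serial numbers.

```python
"""Drive `scdaemon --server` and summarise what it reports about the card.

Added example for this thread, not GnuPG code.  Assumptions (not from the
page): scdaemon is on PATH; replies use the standard Assuan line shapes;
scdaemon's 'scdaemon[pid]: ...' log lines arrive on the same stream.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Matches the PrKDF debug lines quoted in the thread, e.g.
#   scdaemon[1234]: DBG: PrKDF C401: id=... keyref=0x01 keysize=528 usage=sign,derive
PRKDF_RE = re.compile(
    r"DBG: PrKDF (?P<rec>[0-9A-Fa-f]+): id=(?P<id>\S+) keyref=(?P<keyref>0x[0-9A-Fa-f]+)"
    r" keysize=(?P<keysize>\d+) usage=(?P<usage>\S+)"
)


@dataclass
class Summary:
    status: dict = field(default_factory=dict)    # S <keyword> lines, plus ATR from the log
    keys: list = field(default_factory=list)      # parsed PrKDF records
    inquires: list = field(default_factory=list)  # INQUIRE keywords the server asked about
    errors: list = field(default_factory=list)    # ERR lines and 'error ...' log lines
    ok: bool = False                              # True once an OK reply was seen


def classify(line, s):
    """Fold one output line (protocol or log) into the Summary."""
    line = line.rstrip("\r\n")
    if line.startswith("S "):
        keyword, _, rest = line[2:].partition(" ")
        s.status[keyword] = rest
    elif line.startswith("INQUIRE "):
        parts = line[8:].split()
        s.inquires.append(parts[0] if parts else "")
    elif line.startswith("ERR "):
        s.errors.append(line[4:])
    elif line == "OK" or line.startswith("OK "):
        s.ok = True
    elif line.startswith("scdaemon["):
        msg = line.partition(": ")[2]            # drop the 'scdaemon[pid]: ' prefix
        m = PRKDF_RE.search(msg)
        if m:
            rec = m.groupdict()
            rec["keysize"] = int(rec["keysize"])
            rec["usage"] = rec["usage"].split(",")
            s.keys.append(rec)
        elif "ATR=" in msg:
            s.status["ATR"] = msg.partition("ATR=")[2]
        elif msg.startswith("error ") or "no supported card application" in msg:
            s.errors.append(msg)
    return s


def summarize(lines):
    s = Summary()
    for line in lines:
        classify(line, s)
    return s


def diagnose(s):
    """One-line verdict in the terms used in this thread."""
    if any("PrKDF" in e for e in s.errors):
        return ("PrKDF parse error: scdaemon rejected a PKCS#15 private-key record "
                "(the reporter saw this while an AES key was stored on the card)")
    if s.inquires and not s.ok:
        return (f"session stopped at INQUIRE {s.inquires[-1]}: answer END or CAN, "
                "or run 'learn --force' to skip the inquiry")
    if s.keys:
        return f"{len(s.keys)} private key record(s) parsed, no errors"
    return "no key records and no errors; check the reader and ATR lines"


# Constructed sample sessions shaped like the output quoted in this thread.
FAILED_SESSION = [
    "scdaemon[1234]: detected reader 'ACS ACR38U 0'",
    "scdaemon[1234]: reader slot 0: active protocol: T1",
    "scdaemon[1234]: slot 0: ATR=3bde18ff8191fe1f00000000000000000000",   # placeholder tail
    "scdaemon[1234]: error parsing PrKDF record: Invalid object",
    "scdaemon[1234]: no supported card application found: Invalid object",
    "ERR 100696144 No such device <SCD>",
]
LEARN_SESSION = [
    "scdaemon[1234]: detected reader 'ACS CCID USB Reader 0'",
    "scdaemon[1234]: DBG: PrKDF C401: id=0102 keyref=0x01 keysize=528 usage=sign,derive",
    "scdaemon[1234]: DBG: PrKDF C402: id=0304 keyref=0x02 keysize=2048 usage=decrypt,sign,sign_recover,unwrap",
    "S READER ACS CCID USB Reader 0",
    "S SERIALNO 0102030405060708",                                        # placeholder
    "INQUIRE KNOWNCARDP 0102030405060708",
]


def run_learn(force=True):
    """Drive a real `scdaemon --server` (assumed on PATH) and return a Summary.
    Replies END to any INQUIRE so a scripted session does not stall on KNOWNCARDP."""
    proc = subprocess.Popen(["scdaemon", "--server"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                            text=True, bufsize=1)
    lines = []

    def send(cmd):
        proc.stdin.write(cmd + "\n")
        proc.stdin.flush()

    def read_reply():                # collect lines until the OK/ERR that ends a reply
        while (line := proc.stdout.readline()):
            lines.append(line)
            if line.startswith("INQUIRE "):
                send("END")          # no data to supply; lets learn proceed
            elif line.startswith(("OK", "ERR ")):
                return

    read_reply()                     # server greeting
    send("learn --force" if force else "learn")
    read_reply()
    send("bye")
    proc.wait(timeout=30)
    return summarize(lines)


if __name__ == "__main__":
    print(diagnose(run_learn()))
```

Run it with the card inserted to get a one-line verdict; `summarize()` can also be pointed at a saved log file (one line per entry) when scdaemon is configured with `log-file` as suggested earlier in the thread.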

I am attaching one last log I have while trying to use the SC-HSM and using the debug options mentioned. From what I understand, the keys and certificates are recognised by scdaemon, but, for some reason, they don't show up in gpg --card-edit --expert or in Kleopatra. Having AES symmetric keys also causes the PrKDF to show up as invalid.

I have also tried with another card reader, the Thales (Gemalto) IDBridge and the problem still persists, even though this reader is one of the "supported" ones. I think this rules out the possibility that the ACS reader is the problem.

I give up, as I apparently won't be able to use the SC-HSM with GnuPG. I will try to use the YubiKeys instead. Maybe someone with more knowledge will consider investigating this for a fix in a future release. Maybe the SC-HSM versions supported are only the older ones and for the newer cards there needs to be some update for the card profile?

Yes, that's probably right. I talked to the vendor and they were nice enough to send us specs and samples. However, without a strong business case for supporting these cards we can't prioritize this work.