
Possibility of another JPKI ATR #3021

Open
U-siro opened this issue Feb 10, 2024 · 8 comments

Comments

@U-siro

U-siro commented Feb 10, 2024

Problem Description

I got a MyNumber Card recently, but this was unable to detect my card.
It has an ATR starting with 3b:da:13:ff:81:31:fb:46:80:12:39.
Windows is recognizing this card as an unknown smart card.

Proposed Resolution

Steps to reproduce

Logs

C:\Users\casta>certutil -scinfo
Microsoft 스마트 카드 리소스 관리자가 실행 중입니다.
현재 판독기/카드 상태:
판독기: 1
  0: Hewlett Packard MFP Smart Card Reader 0
--- 판독기: Hewlett Packard MFP Smart Card Reader 0
--- 상태: SCARD_STATE_PRESENT
--- 상태: 카드를 사용할 수 있습니다.
---   카드:
---    ATR:
        3b da 13 ff 81 31 fb 46  80 12 39 2f 31 c1 73 c6   ;....1.F..9/1.s.
        01 c0 3b                                           ..;


=======================================================
판독기에서 카드 분석 중: Hewlett Packard MFP Smart Card Reader 0
SCardGetCardTypeProviderName: 지정된 파일을 찾을 수 없습니다. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
의 제공자 이름을 검색할 수 없습니다.SCardGetCardTypeProviderName: 지정된 파일을 찾을 수 없습니다. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
의 제공자 이름을 검색할 수 없습니다.
--------------===========================--------------
CertUtil: -SCInfo 명령이 실패되었습니다. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: 지정된 파일을 찾을 수 없습니다.
C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
Using reader with a card: Hewlett Packard MFP Smart Card Reader 0
3b:da:13:ff:81:31:fb:46:80:12:39:2f:31:XXXXXXXXXXXXXXXXXXXXXX
@dengert
Member

dengert commented Feb 10, 2024

If you want to try it with minidriver:

  • Run regedit - Registry Editor
  • change to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\JPKI
  • export the JPKI to some file.
  • edit the file, replace ATR and ATRMask so it looks like the following, and save it as JPKI-2.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\JPKI-2]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="C:\\Program Files\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"
"ATR"=hex:3b,da,13,ff,81,31,fb,46,80,12,39,2f,31,c1,73,c6,01,c0,3b
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"InstalledBy"="OpenSC"
  • With regedit, cd to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards
  • import the new file

Then for 32 bit with regedit cd to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards
and do the same as above.
Note: the 80000001 path has "C:\Program Files (x86)"
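
The registry entry above pairs an ATR with an ATRMask, and the smart-card subsystem selects a minidriver by masked comparison. The following is an added example (not OpenSC code and not part of this issue) that implements that comparison in Python on the values from the thread. The matching rule is assumed to be "(card ATR AND ATRMask) == ATR, byte for byte, with equal lengths"; the `NFC-demo` entry is a hypothetical table entry constructed to show what a wildcard mask does, not something anyone registered.

```python
"""Masked ATR matching as applied to an ATR / ATRMask registry entry.

Added example, not OpenSC's code.  Assumed rule: an entry matches when
(card_atr & ATRMask) == ATR for every byte and the lengths agree.
"""

# The JPKI-2 entry from the comment above, in .reg 'hex:' syntax.
JPKI_2_ATR = "hex:3b,da,13,ff,81,31,fb,46,80,12,39,2f,31,c1,73,c6,01,c0,3b"
JPKI_2_MASK = "hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff"

# Hypothetical entry (constructed for this example): keeps only the first
# four bytes of a reader-synthesised contactless ATR and wildcards the rest.
NFC_DEMO_ATR = "hex:3b,88,80,01,00,00,00,00,00,00,00,00,00"
NFC_DEMO_MASK = "hex:ff,ff,ff,ff,00,00,00,00,00,00,00,00,00"


def parse_reg_hex(value: str) -> bytes:
    """Parse a REG_BINARY value as written in a .reg file ('hex:3b,da,...').
    Backslash-newline continuations and spaces are tolerated."""
    if not value.lower().startswith("hex:"):
        raise ValueError("expected a 'hex:' value")
    body = value[4:].replace("\\\n", "").replace(" ", "")
    return bytes(int(tok, 16) for tok in body.split(",") if tok)


def parse_colon_hex(text: str) -> bytes:
    """Parse opensc-tool's 'aa:bb:cc' ATR notation."""
    return bytes.fromhex(text.replace(":", ""))


def validate_entry(atr: bytes, mask: bytes) -> None:
    """Reject entries that can never match: length mismatch, or ATR bits
    set in positions the mask clears (a silently dead registry entry)."""
    if len(atr) != len(mask):
        raise ValueError("ATR and ATRMask lengths differ")
    for i, (a, m) in enumerate(zip(atr, mask)):
        if a & (~m & 0xFF):
            raise ValueError(f"ATR byte {i} has bits outside the mask")


def atr_matches(card_atr: bytes, entry_atr: bytes, entry_mask: bytes) -> bool:
    """Masked comparison of a card's ATR against one table entry."""
    validate_entry(entry_atr, entry_mask)
    if len(card_atr) != len(entry_atr):
        return False
    return all((c & m) == a for c, a, m in zip(card_atr, entry_atr, entry_mask))


def lookup(card_atr: bytes, table: dict) -> list:
    """Names of every table entry that claims card_atr."""
    return [name for name, (a, m) in table.items() if atr_matches(card_atr, a, m)]


TABLE = {
    "JPKI-2": (parse_reg_hex(JPKI_2_ATR), parse_reg_hex(JPKI_2_MASK)),
    "NFC-demo (hypothetical)": (parse_reg_hex(NFC_DEMO_ATR), parse_reg_hex(NFC_DEMO_MASK)),
}

if __name__ == "__main__":
    samples = {
        "U-siro's card, contact reader": "3b:da:13:ff:81:31:fb:46:80:12:39:2f:31:c1:73:c6:01:c0:3b",
        "hamano card 1, ACR1255U-J1": "3b:88:80:01:00:00:05:e0:b3:81:a1:00:7f",
        "hamano card 2, ACR1255U-J1": "3b:88:80:01:00:4b:51:ff:00:81:d1:00:bc",
        "constructed non-JPKI NFC card": "3b:88:80:01:01:02:03:04:05:06:07:08:01",
    }
    for label, atr in samples.items():
        print(f"{label:32s} -> {lookup(parse_colon_hex(atr), TABLE)}")
```

With an all-ff mask, as in the JPKI-2 entry, a single changed byte is enough to miss; with the hypothetical wildcard mask the two JPKI contactless ATRs match, but so does a constructed ATR that has nothing to do with JPKI, which is the reason a loose mask is not a safe way to bind a card to a driver.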

@U-siro
Author

U-siro commented Feb 11, 2024

@dengert Yeah, I changed it to that, and then it works!
C:\Program Files\OpenSC Project\OpenSC\tools>certutil -scinfo
Microsoft 스마트 카드 리소스 관리자가 실행 중입니다.
현재 판독기/카드 상태:
판독기: 1
0: Hewlett Packard MFP Smart Card Reader 0
--- 판독기: Hewlett Packard MFP Smart Card Reader 0
--- 상태: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- 상태: 다른 프로세스가 카드를 공유하고 있습니다.
--- 카드: JPKI-2
--- ATR:
3b da 13 ff 81 31 fb 46 80 12 39 2f 31 c1 73 c6 ;....1.F..9/1.s.
01 c0 3b ..;

=======================================================
판독기에서 카드 분석 중: Hewlett Packard MFP Smart Card Reader 0

--------------===========================--------------
================ 인증서 0 ================
--- 판독기: Hewlett Packard MFP Smart Card Reader 0
--- 카드: JPKI-2
Provider = Microsoft Base Smart Card Crypto Provider
키 컨테이너 = (null) [기본 컨테이너]

일련 번호: 0705d990
발급자: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2024/01/22 1:37
NotAfter: 2024/12/25 23:59
주체: CN=8439XXXXXXXXXXXXXXXX, C=JP
루트가 아닌 인증서
인증서 해시(sha1): 1cee37bf42c26ba4a9XXXXXXXXXXXXXXXXXXX

AT_SIGNATURE 공개 키 일치 검사를 수행 중...
공개 키 일치 확인 테스트 성공
키 컨테이너 = c5a0a252-9d2dXXXXXXXXXXXXXXXXXXX
Provider = Microsoft Base Smart Card Crypto Provider
ProviderType = 1
Flags = 1
0x1 (1)
KeySpec = 2 -- AT_SIGNATURE
개인 키 확인

인증서 체인 검증 수행 중...
CertGetCertificateChain(dwErrorStatus) = 0x1010040
스마트 카드의 체인이 유효하지 않음
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000040
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2024/01/22 1:37
NotAfter: 2024/12/25 23:59
Subject: CN=843944E81LXXXXXXXXXXXXXXXXXXXX, C=JP
Serial: 0705d990
Cert: 1cee37bf42c26ba4XXXXXXXXXXXXXXXXXXXXXXXX
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Issuance[0] = 1.2.392.200149.8.5.1.3.30
Application[0] = 1.3.6.1.5.5.7.3.2 클라이언트 인증

Exclude leaf cert:
Chain: da39a3ee5e6b4bXXXXXXXXXXXXXXXXXXX
Full chain:
Chain: 1cee37bf42c26ba4XXXXXXXXXXXXXXXXXXXX
Missing Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2024/01/22 1:37
NotAfter: 2024/12/25 23:59
Subject: CN=843944EXXXXXXXXXXXXXXXX, C=JP
Serial: 0705d990
Cert: 1cee37bf42c26ba4a9378feeXXXXXXXXXXXXXXXX
인증서 체인을 신뢰된 최상위 인증 기관에 만들 수 없습니다. 0x800b010a (-2146762486 CERT_E_CHAINING)

완료되지 않은 인증서 체인
인증서를 찾을 수 없습니다.
OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
다음 판독기를 위해 AT_SIGNATURE 인증서를 표시했습니다. Hewlett Packard MFP Smart Card Reader 0
다음 판독기에 AT_KEYEXCHANGE 키가 없습니다. Hewlett Packard MFP Smart Card Reader 0

--------------===========================--------------
================ 인증서 0 ================
--- 판독기: Hewlett Packard MFP Smart Card Reader 0
--- 카드: JPKI-2
Provider = Microsoft Smart Card Key Storage Provider
키 컨테이너 = c5a0a252-9d2d-eb60-fec0-41b4fbd722a2

일련 번호: 0705d990
발급자: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2024/01/22 1:37
NotAfter: 2024/12/25 23:59
주체: CN=843944EXXXXXXXXXXXXXA, C=JP
루트가 아닌 인증서
인증서 해시(sha1): 1cee37bf42c26XXXXXXXXXXXXXXXXXXXXXXXXXX

공개 키 일치 검사를 수행 중...
공개 키 일치 확인 테스트 성공
키 컨테이너 = c5a0a252-9d2d-ebXXXXXXXXXXXXXXX
Provider = Microsoft Smart Card Key Storage Provider
ProviderType = 0
Flags = 1
0x1 (1)
KeySpec = 0 -- XCN_AT_NONE
개인 키 확인
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(RSA:CNG) 테스트 건너뜀

인증서 체인 검증 수행 중...
CertGetCertificateChain(dwErrorStatus) = 0x1010040
스마트 카드의 체인이 유효하지 않음
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000040
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2024/01/22 1:37
NotAfter: 2024/12/25 23:59
Subject: CN=843944E81XXXXXXXXXXXXXXXXXXX, C=JP
Serial: 0705d990
Cert: 1cee37bf42c26ba4XXXXXXXXXXXXXXXXXXXXXXXX
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Issuance[0] = 1.2.392.200149.8.5.1.3.30
Application[0] = 1.3.6.1.5.5.7.3.2 클라이언트 인증

Exclude leaf cert:
Chain: da39a3ee5e6b4b0d32XXXXXXXXXXXXXXXXX
Full chain:
Chain: 1cee37bf42c26ba4a937XXXXXXXXXXXXXXXXX
Missing Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2024/01/22 1:37
NotAfter: 2024/12/25 23:59
Subject: CN=843944E8XXXXXXXXXXXXX, C=JP
Serial: 0705d990
Cert: 1cee37bf42c26ba4a937XXXXXXXXXXXXXXXXXX
인증서 체인을 신뢰된 최상위 인증 기관에 만들 수 없습니다. 0x800b010a (-2146762486 CERT_E_CHAINING)

완료되지 않은 인증서 체인
인증서를 찾을 수 없습니다.
OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
다음 판독기를 위해 인증서를 표시했습니다. Hewlett Packard MFP Smart Card Reader 0

--------------===========================--------------

완료.
CertUtil: -SCInfo 명령이 성공적으로 완료되었습니다.

@frankmorgner
Member

I think we can add this ATR to customactions.cpp and card-jpki.c

@hamano ?

@hamano
Contributor

hamano commented Feb 15, 2024

During driver development, I didn't understand ATR well then, and I still don't understand it well now.
What exactly is ATR? Even with the same card, changing the reader will result in a different ATR prefix.
Therefore, it's not possible to detect card types based on ATR.
In card-jpki.c, we're checking the response of SELECT FILE, so the code for _sc_match_atr() can be removed.
It might take some time to recall the workings of Windows.

Does the result of opensc-tool -n respond "jpki"?

@frankmorgner
Member

The ATR is an old feature to detect the type of a smart card, and Windows still uses this as the primary method to select the correct smart card driver (hence the need for modifying the registry). In your driver everything works fine (it has a fallback to AID selection), but since the ATR seems to be bijective, you may use this as a shortcut in the match card callback.

@hamano
Contributor

hamano commented Feb 15, 2024

Thank you for your explanation.
I had been considering the possibility of using ATR as a shortcut.
I have five JPKI cards and two readers, so I will list them.
Since ATR relies more on the reader than the card, I still don't think it can be utilized for detecting card types.

# card 1 with reader 1
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR122 0
3b:8c:80:01:50:0d:1d:23:f3:00:00:05:e0:b3:81:a1:eb
jpki

# card 2 with reader 1
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR122 0
3b:8c:80:01:50:44:50:20:8a:00:4b:51:ff:00:81:d1:56
jpki

# card 3 with reader 1
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR122 0
3b:8c:80:01:50:01:2e:ac:d3:00:00:41:e0:b3:81:a1:3f
jpki

# card 4 with reader 1
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR122 0
3b:8c:80:01:50:00:e2:96:c9:00:00:05:e0:b3:81:a1:96
jpki

# card 5 with reader 1
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR122 0
3b:8c:80:01:50:a4:d1:f2:98:00:00:05:e0:b3:81:a1:34
jpki

# card 1 with reader 2
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR1255U-J1 PICC Reader 0
3b:88:80:01:00:00:05:e0:b3:81:a1:00:7f
jpki

# card 2 with reader 2
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR1255U-J1 PICC Reader 0
3b:88:80:01:00:4b:51:ff:00:81:d1:00:bc
jpki

# card 3 with reader 2
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR1255U-J1 PICC Reader 0
3b:88:80:01:00:00:41:e0:b3:81:a1:00:3b
jpki

# card 4 with reader 2
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR1255U-J1 PICC Reader 0
3b:88:80:01:00:00:05:e0:b3:81:a1:00:7f
jpki

# card 5 with reader 2
# opensc-tool.exe -a -n
Using reader with a card: ACS ACR1255U-J1 PICC Reader 0
3b:88:80:01:00:00:05:e0:b3:81:a1:00:7f
jpki

@dengert
Member

dengert commented Feb 15, 2024

The first reader is a contact reader and the ATR comes from the card. The second reader is using NFC, and in that protocol the ATR from the card is not available, so software constructs ATR. The first part of ATR has voltage, timing and protocol values which are only used with a contact reader.

The historical bytes are usually the same in both cases. But it could be that the card is different.
https://cardwerk.com/smart-card-standard-iso7816-4-section-8-historical-bytes/
"The information carried by the historical bytes may also be found in an ATR file (default EF identifier=’2F01′)."

https://www.acs.com.hk/en/products/403/acr1255u-j1-acs-secure-bluetooth%C2%AE-nfc-reader/

https://smartcard-atr.apdu.fr/ can be used to parse an ATR.
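
The ATR structure described in this comment (TS, T0, the TA/TB/TC/TD interface-byte chain, the historical bytes, and the TCK check byte) can be walked mechanically. The following is an added example, not OpenSC code and not from anyone in this thread: a small ISO/IEC 7816-3 ATR parser in Python, run on the ATRs hamano posted above. It extracts the historical bytes so the contact and contactless readings of the same card can be compared, and it verifies TCK, which is an XOR over every byte after TS and is present whenever a protocol other than T=0 is announced. The `longest_common_run` helper is my own addition for the comparison and is not part of any standard.

```python
"""ISO/IEC 7816-3 ATR parser (added example, not OpenSC's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Atr:
    ts: int
    interface_bytes: Dict[str, int]   # e.g. {"TA1": 0x13, "TD1": 0x81, ...}
    protocols: List[int]              # protocol type from each TD byte
    historical: bytes
    tck: Optional[int]                # None when only T=0 is announced
    tck_ok: Optional[bool]            # None when TCK is absent


def parse_atr(text: str) -> Atr:
    """Parse 'aa:bb:cc' or plain hex; raise ValueError on malformed input."""
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("ATR too short")
    ts = raw[0]
    if ts not in (0x3B, 0x3F):            # direct / inverse convention
        raise ValueError(f"invalid TS byte {ts:#04x}")
    t0 = raw[1]
    k = t0 & 0x0F                         # number of historical bytes
    y = t0 >> 4                           # presence bits for TA1..TD1
    pos, i = 2, 1
    iface: Dict[str, int] = {}
    protocols: List[int] = []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError("ATR truncated inside interface bytes")
                iface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = iface.get(f"TD{i}")
        if td is None:                    # no TD(i): chain ends
            break
        protocols.append(td & 0x0F)       # low nibble: protocol type T
        y = td >> 4                       # high nibble: next group's presence bits
        i += 1
    hist = raw[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    tck = tck_ok = None
    if any(p != 0 for p in protocols):    # TCK mandatory unless only T=0
        if pos >= len(raw):
            raise ValueError("TCK missing")
        tck = raw[pos]
        pos += 1
        xor = 0
        for b in raw[1:pos]:              # T0 .. TCK inclusive must XOR to 0
            xor ^= b
        tck_ok = (xor == 0)
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing byte(s) after ATR")
    return Atr(ts, iface, protocols, hist, tck, tck_ok)


def longest_common_run(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte run shared by two byte strings (helper)."""
    best = b""
    for i in range(len(a)):
        for j in range(len(b)):
            n = 0
            while i + n < len(a) and j + n < len(b) and a[i + n] == b[j + n]:
                n += 1
            if n > len(best):
                best = a[i:i + n]
    return best


if __name__ == "__main__":
    # ATRs from this thread: card 1 on the two ACS readers, U-siro's contact ATR.
    samples = {
        "card 1 / ACR122":      "3b:8c:80:01:50:0d:1d:23:f3:00:00:05:e0:b3:81:a1:eb",
        "card 1 / ACR1255U-J1": "3b:88:80:01:00:00:05:e0:b3:81:a1:00:7f",
        "contact reader":       "3b:da:13:ff:81:31:fb:46:80:12:39:2f:31:c1:73:c6:01:c0:3b",
    }
    parsed = {k: parse_atr(v) for k, v in samples.items()}
    for name, a in parsed.items():
        print(f"{name:22s} iface={ {k: hex(v) for k, v in a.interface_bytes.items()} }"
              f" T={a.protocols} hist={a.historical.hex()} tck_ok={a.tck_ok}")
    shared = longest_common_run(parsed["card 1 / ACR122"].historical,
                                parsed["card 1 / ACR1255U-J1"].historical)
    print("historical bytes shared across the two readers:", shared.hex())
```

On the contact ATR the interface bytes (TA1, TC1, TD1, TD2, TA3, TB3) are real negotiation parameters sent by the chip; on the two contactless readings they collapse to the fixed `80 01` that a PC/SC reader writes when it synthesises an ATR, and only the historical bytes carry anything card-specific. Running the comparison shows which run of historical bytes survives the change of reader, which is the part an ATR-based shortcut could rely on; a TCK that fails to verify is a sign of a mistyped or truncated ATR in a table or registry entry.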

@hamano
Contributor

hamano commented Feb 15, 2024

Thank you for providing the reference.
The ACS ACR122 and ACS ACR1255U-J1 are both contact-less readers.
I unearthed an old contact-full reader in the garage and when I read five cards, it responded with two types of ATR:

  • 3b:e0:00:ff:81:31:fe:45:14
  • 3b:da:13:ff:81:31:fb:46:80:12:39:2f:31:c1:73:c6:01:c0:3b

Nowadays, I believe there are few users of contact-full readers, but since these two are likely jpki card-specific identifiers, I agree to add them.
I tried to select the ATR file (2F01) but could not find it.
