Signing a PDF in Adobe Acrobat on macOS using the brand new driver for D-TRUST 4.1 Std. Card only works once. #3030
Comments
Please run: debug output with level 3 is more helpful, complete logs even more so! Note that there is a problem when setting app-specific configuration (#2999).

```
$ pkcs15-tool -D
Using reader with a card: REINER SCT cyberJack RFID komfort
PIN [Card-PIN]
PIN [Card-PUK]
PIN [Signature-PIN]
Private RSA Key [Authentisierungsschluessel]
Private RSA Key [Signaturschluessel]
X.509 Certificate [Authentisierungszertifikat]
X.509 Certificate [Signaturzertifikat]
X.509 Certificate [CA-Zertifikat fuer Authentisierung]
X.509 Certificate [Root-CA-Zertifikat fuer Authentisierung]
X.509 Certificate [CA-Zertifikat fuer Signatur]
X.509 Certificate [Root-CA-Zertifikat fuer Signatur]
```
Sorry, I just noticed that pkcs15-tool doesn't dump user_consent. If you use debug level 7, then the ASN.1 properties should be printed, I think. Could you check if the string "userConsent" appears in the output of

```
pkcs15-tool -D -vvvvvvvvvvvvvvvvvv 2>&1 | grep -i userConsent
```

11 entries found; the 5th entry is ... Private RSA Key [Signaturschluessel]:

```
P:1497; T:0x140704553469888 00:31:37.340 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
```
The
@frankmorgner: by the way, I would like to give you ALL log files at ALL log levels you need to be able to analyze this issue, BUT I have read a notice that I have to be careful with that, because the logs might contain sensitive information like PINs etc. And due to the fact that I feel "overstrained" (überfordert) by tons of lines of output, I decided not to put it here by just pasting it 1:1 - sorry for that. Next time please let me know what I have to strip/delete and I will provide all the rest. Maybe there is something like a "Beginners' Guide" to log file handling; then just send me the link ;-)
I did not read through all the comments, but from the description, and if the above use case is not working, I think it is an issue of the software using OpenSC: it is not able to detect the card removal and re-issue the login. There is nothing in OpenSC that could do this for the application. Once the card is removed from the reader, OpenSC removes all the structures that represent the card and treats a newly inserted card as a new one (because it can be a completely different card with a different PIN and different objects). I do not know what API is used by Acrobat on Mac, so I will not be much help regarding getting debug information from there.
Hi @Jakuje, just to clear up the "API" question.... In Adobe Acrobat (and also in Adobe Reader) you can "attach" PKCS11 modules (by the way, that's exactly why I landed here, because I want to sign PDFs with Acrobat or Reader using the OpenSC framework ;-). P.S.: Removing and reinserting was just one of four tests I should do so that the developer of the D-TRUST card can analyze where exactly the issue arises in my case. Currently everything indicates that this is an issue regarding PIN caching, because the D-TRUST cards require entering a PIN every time you want to sign a document. That's because we are talking about so-called "qualified digital signatures" and "eIDAS" here. So maybe the user (me) would be able to work around it just by configuring opensc.conf in a way that PIN caching is avoided when using such a D-TRUST signature card. That's my personal understanding of the current situation - but I might be wrong ;-)
Thank you for the clarification. So in that case, I would go ahead and try to gather the PKCS#11 trace using pkcs11-spy to see what is going on there; see https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC. You will find it much easier to remove the sensitive data from the PKCS#11-level log. It will likely be just the PIN in the C_Login() function. My assumption is that after you remove the card, Adobe will try to use some stale handles that will not work. After that, it should try to open a new session and log in again, which is either not happening or is happening wrongly (or OpenSC returns some unexpected return codes that Adobe does not interpret as a need to reauthenticate). We had something similar with NSS a couple of years back.
I assume you're referring to:
Problem Description
Also see: #2943 (comment)
Using the latest master commit ...
OpenSC-, rev: ccdb3cc, commit-time: 2024-02-13 14:05:22 +0100
... it is possible to sign a PDF-Document on macOS (14.3.1) using Adobes Acrobat Pro (23.8.20470.0) with a REINER SCT cyberJack RFID komfort Card-Reader and a D-TRUST 4.1 Std. Card
BUT
without restarting Acrobat it is not possible to sign a second time.
Typically a PKCS#11 error 0x101 is shown (pkcs11-object.c:745:C_Sign: C_Sign() = CKR_USER_NOT_LOGGED_IN).
Proposed Resolution
It seems that the issue is based on PIN caching.
Steps to reproduce
I have been asked to document 4 different step-by-step use cases ...
... it seems that beginning with step 4) the system was very "unstable". It was nearly impossible to really track the situation ;-( ....
--> my personal workaround for currently satisfactory success with signing exactly ONE PDF:
Logs
Successfully signed ....

```
9086 P:2912; T:0x140704450545600 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_OK
9092 P:2912; T:0x140704450545600 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
9225 P:2912; T:0x140704450545600 21:57:15.579 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result 384.
9228 P:2912; T:0x140704450545600 21:57:15.579 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
```
Signing fails ...

```
17800 P:2912; T:0x140704450545600 21:58:49.750 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_OK
17806 P:2912; T:0x140704450545600 21:58:49.750 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
17913 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] pkcs15-sec.c:169:use_key: returning with: -1211 (Security status not satisfied)
17918 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result -1211.
17922 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_USER_NOT_LOGGED_IN
```
P.S.:
I also tried different settings in opensc.conf like
.... but also without success.
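The log excerpts in this report show a C_Sign returning CKR_USER_NOT_LOGGED_IN after an earlier signature in the same session succeeded, which is the per-signature PIN behaviour discussed in the comments (the card drops its security status after signing, and the application never calls C_Login again). As an added example, not code from this issue or from OpenSC, the following Python script walks an opensc-pkcs11 debug log in the line format quoted here and flags exactly that pattern; the C_Login line in the sample is constructed, and the regexes assume the line layout shown in the excerpts.

```python
import re

# Line shape taken from the opensc-pkcs11 debug excerpts in this issue, e.g.
#   9092 P:2912; T:0x1407... 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
LOG_RE = re.compile(r"^(?P<seq>\d+)\s+P:\d+;\s+T:0x[0-9a-fA-F]+\s+\d\d:\d\d:\d\d\.\d+\s+"
                    r"\[[^\]]+\]\s+[\w.-]+:\d+:(?P<func>\w+):\s+(?P<msg>.*)$")
RET_RE = re.compile(r"^(?P<call>C_\w+)\(\)\s*=\s*(?P<rv>CKR_\w+)$")    # "C_Sign() = CKR_OK"
DONE_RE = re.compile(r"^Sign complete\. Result (?P<res>-?\d+)\.$")  # pkcs15_prkey_sign outcome

def parse_events(lines):
    """Return (seq, func, status) for call/return and 'Sign complete' lines; skip everything else."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        r, d = RET_RE.match(m["msg"]), DONE_RE.match(m["msg"])
        if r:
            events.append((int(m["seq"]), r["call"], r["rv"]))
        elif d:
            events.append((int(m["seq"]), m["func"], d["res"]))
    return events

def find_relogin_gaps(events):
    """For each C_Sign failing with CKR_USER_NOT_LOGGED_IN, return (failing seq, seq of the last
    successful C_Login or None, signatures completed since that login). One or more completed
    signatures and no newer C_Login means the session was reused without re-authenticating."""
    findings, last_login, completed = [], None, 0
    for seq, func, status in events:
        if func == "C_Login" and status == "CKR_OK":
            last_login, completed = seq, 0
        elif func == "pkcs15_prkey_sign" and status.isdigit():  # positive result = signature length
            completed += 1
        elif func == "C_Sign" and status == "CKR_USER_NOT_LOGGED_IN":
            findings.append((seq, last_login, completed))
    return findings

# Constructed sample: the C_Login line is invented (file/line are placeholders); the rest are quoted from the issue.
T = "P:2912; T:0x140704450545600"
SAMPLE_LOG = f"""\
9001 {T} 21:57:10.100 [opensc-pkcs11] pkcs11-session.c:0:C_Login: C_Login() = CKR_OK
9086 {T} 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_OK
9225 {T} 21:57:15.579 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result 384.
9228 {T} 21:57:15.579 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
17913 {T} 21:58:49.776 [opensc-pkcs11] pkcs15-sec.c:169:use_key: returning with: -1211 (Security status not satisfied)
17918 {T} 21:58:49.776 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result -1211.
17922 {T} 21:58:49.776 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_USER_NOT_LOGGED_IN
"""
```

Running `find_relogin_gaps(parse_events(SAMPLE_LOG.splitlines()))` on the sample yields `[(17922, 9001, 1)]`: one signature completed after the only login, then the next C_Sign failed with no C_Login in between.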