pkcs11-tool fails with (GetSlotInfo failed, CKR_MECHANISM_INVALID) since 0.24 when built with --disable-openssl #3087

Open
rliebscher opened this issue Mar 22, 2024 · 9 comments

Comments

@rliebscher
Contributor

Problem Description

Since 0.24, pkcs11-tool -L fails with the following error:

Available slots:
Slot 0 (0x0): (GetSlotInfo failed, CKR_MECHANISM_INVALID)

0.23 did work.
Both versions were built on Cygwin with ./configure --disable-openssl --disable-notify --disable-zlib --disable-readline --disable-shared
0.23 outputs "token manufacturer : www.CardContact.de", and the reader itself is "Identiv uTrust 3522 embd SE Token 0"

When running with OPENSC_DEBUG I see a difference very early in the log. (There is some corresponding code in 0.23, but it did not produce log output when running.)

P:30293; T:0x42949672976 13:42:58.218 [opensc-pkcs11] reader-pcsc.c:1300:detect_reader_features: Assuming that the reader supports sending short length APDUs only
P:30293; T:0x42949672976 13:42:58.218 [opensc-pkcs11] reader-pcsc.c:1313:detect_reader_features: Assuming that the reader supports receiving short length APDUs only

I also see that later in the log 0.23 has some Incoming APDU (258 bytes) where 0.25 only has 256 bytes.
(Trying to set max_send_size and max_recv_size to 258 in void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle) also gives these larger APDUs but does not resolve the problem, so the wrong sizes might also be a symptom, not the cause.)

Proposed Resolution

Steps to reproduce

Logs

I have logs for a run with 0.23 and 0.25, but I do not want to provide them here, just ask me for them.

@Jakuje
Member

Jakuje commented Mar 27, 2024

I think we will need more logs to be clever. Likely it is an issue of the max length APDU detection, but both cards and opensc should be able to split the long APDUs and responses mostly transparently.

Can you provide the logs from the APDU that is sending a larger amount of data than allowed? Also the version of the working 0.23.0 if possible.

@Jakuje
Member

Jakuje commented Mar 27, 2024

This sounds related to the discussion item in #3004. This should have been solved by recent commits in 0.25.0, but if not, we need a current debug log from 0.25.0 (at least the affected parts around the failure).

@Jakuje Jakuje closed this as completed Mar 27, 2024
@Jakuje Jakuje reopened this Mar 27, 2024
@Jakuje
Member

Jakuje commented Mar 27, 2024

Did not want to close this one. From the debug logs I got from @rliebscher over email, it looks like the issue of the APDU lengths as all the init finalizes correctly, but the failure comes from the register_mechanisms() function, which fails for some reason:

pkcs15_bind: cannot register mechanisms; CKR 0x70

The function does not have any logging, the 0x70 is CKR_MECHANISM_INVALID, which does not come from a lot of places, but it is not clear which one failed. I can submit a test PR with some more logging to see what is going on there if you could give it a try.

@Jakuje
Member

Jakuje commented Mar 27, 2024

I suspect it will come from sc_pkcs11_register_sign_and_hash_mechanism() when it is supplied by some of the mechanisms that are not supported by the OpenSSL build. Previously, it was likely failing silently, but now we implemented error checking, which probably surfaced this issue.

I opened #3092 to improve logging in the function where I suspect the issue happens. Can you try to install the package from that PR and provide debug log from this part (should not contain any sensitive information).

@rliebscher
Contributor Author

Did not test it yet, but reading OpenSSL in your previous comment reminds me that I used --disable-openssl with configure (as written in the wiki).

@Jakuje
Member

Jakuje commented Mar 28, 2024

Thanks for the pointer. This might be helpful to guess the location of the issue. Looking at the code, it looks like it will likely be the RSA-PSS mechanisms, which are not behind the #if ENABLE_OPENSSL in register_mechanisms().

Let me update the PR with this fix and then you can take time to retry.

Regarding the CI, I think most of all or all the tests now build with openssl. Added one too.

@rliebscher
Contributor Author

I tried this commit 2fa13f5 and it resolves the problem.
I also tried 0.25.1 and it still has the problem.

@Jakuje
Member

Jakuje commented Apr 8, 2024

Thank you for testing. I completely forgot about this while putting together the 0.25.1, so it will certainly be in the next release, unsure if 0.25.2 (if there will be some more issues) or 0.26.0 later this year.
The workaround is to build with OpenSSL or to apply the patch b492a4c.

@rliebscher
Contributor Author

It fails in here (rv is 112 then)

register_mechanisms(struct sc_pkcs11_card * p11card) (d:\opensc-0.25.1\src\pkcs11\framework-pkcs15.c:6731)
pkcs15_bind(struct sc_pkcs11_card * p11card, struct sc_app_info * app_info) (d:\opensc-0.25.1\src\pkcs11\framework-pkcs15.c:346)
card_detect(sc_reader_t * reader) (d:\opensc-0.25.1\src\pkcs11\slot.c:323)
card_detect_all() (d:\opensc-0.25.1\src\pkcs11\slot.c:429)
C_GetSlotList(CK_ULONG_PTR pulCount, CK_SLOT_ID_PTR pSlotList) (d:\opensc-0.25.1\src\pkcs11\pkcs11-global.c:524)
C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) (d:\opensc-0.25.1\src\pkcs11\pkcs11-global.c:496)
list_slots(int tokens, int print) (d:\opensc-0.25.1\src\tools\pkcs11-tool.c:1609)
main(int argc, char ** argv) (d:\opensc-0.25.1\src\tools\pkcs11-tool.c:1211)

sc_pkcs11_find_mechanism(struct sc_pkcs11_card *p11card, CK_MECHANISM_TYPE mech, CK_FLAGS flags)
returns NULL
requested mech is 592
p11card->nmechanisms = 10
p11card->mechanisms[] has mech 4161...4164, 4177, 4176, 4160, 3, 1, 13

@rliebscher rliebscher changed the title on Apr 10, 2024
from: pkcs11-tool fails with (GetSlotInfo failed, CKR_MECHANISM_INVALID) since 0.24 for reader "Identiv uTrust 3522 embd SE Token 0"
to: pkcs11-tool fails with (GetSlotInfo failed, CKR_MECHANISM_INVALID) since 0.24 when built with --disable-openssl
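
The failure mode discussed in this thread, as an added illustration that is not OpenSC code: a toy mechanism table in which a combined sign-and-hash mechanism can only be registered when its digest mechanism is already present. The function names, the `have_digests` and `guard_pss` flags and the choice of CKM_SHA256_RSA_PKCS_PSS are assumptions; 0x70 (112), 592 (CKM_SHA256) and 13 (CKM_RSA_PKCS_PSS) are the values reported in the comments above.

```c
/* Toy model of a PKCS#11 mechanism table. Added illustration, not OpenSC source. */
#include <stddef.h>
#include <stdio.h>
#define CKR_OK                  0x00UL
#define CKR_GENERAL_ERROR       0x05UL
#define CKR_MECHANISM_INVALID   0x70UL  /* 112, the rv reported in the thread */
#define CKM_RSA_PKCS_PSS        0x0DUL  /* 13, present in the reported table */
#define CKM_SHA256_RSA_PKCS_PSS 0x43UL  /* combined mechanism, chosen for illustration */
#define CKM_SHA256              0x250UL /* 592, the lookup that returned NULL */
#define MAX_MECHS 16
struct card { unsigned long mechs[MAX_MECHS]; size_t n; };

static int find_mech(const struct card *c, unsigned long m) {
    for (size_t i = 0; i < c->n; i++)
        if (c->mechs[i] == m) return 1;
    return 0;
}

static unsigned long add_mech(struct card *c, unsigned long m) {
    if (c->n == MAX_MECHS) return CKR_GENERAL_ERROR;
    c->mechs[c->n++] = m;
    return CKR_OK;
}

/* A combined mechanism is only valid if both building blocks are registered. */
static unsigned long add_sign_and_hash(struct card *c, unsigned long combined,
                                       unsigned long hash, unsigned long sign) {
    if (!find_mech(c, hash) || !find_mech(c, sign))
        return CKR_MECHANISM_INVALID;
    return add_mech(c, combined);
}

/* have_digests: hypothetical stand-in for a build that provides digest mechanisms.
 * guard_pss: hypothetical stand-in for wrapping the PSS registration in a build guard. */
unsigned long bind_card(struct card *c, int have_digests, int guard_pss) {
    c->n = 0;
    add_mech(c, CKM_RSA_PKCS_PSS);
    if (have_digests) add_mech(c, CKM_SHA256);
    if (guard_pss && !have_digests) return CKR_OK; /* skip PSS+hash, slot stays usable */
    /* The checked return value aborts the bind when the digest is missing. */
    return add_sign_and_hash(c, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA256, CKM_RSA_PKCS_PSS);
}

int main(void) {
    struct card c;
    printf("unguarded, no digests: 0x%lx\n", bind_card(&c, 0, 0));
    printf("guarded, no digests:   0x%lx\n", bind_card(&c, 0, 1));
    return 0;
}
```

In the unguarded case without digests the bind returns 0x70, matching the `cannot register mechanisms; CKR 0x70` line quoted earlier; with the guard the card binds with only its base mechanisms.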