npa-tool.exe fails to perform pace authentication with can value #2354

Closed
codyax1 opened this issue Jun 17, 2021 · 12 comments · Fixed by #2472

Comments

@codyax1

codyax1 commented Jun 17, 2021

Problem Description

I have a German eID test card that I am working on, and a compatible PCSC reader on Windows 10.
I am trying to read the ICCSN value of the card.
The first step is to establish a secure PACE channel. The test card has a CAN value.
It doesn't work. I followed the command prompt syntax as written for npa-tool.exe

Proposed Resolution

Steps to reproduce

Install the latest OpenSC on Windows 10
Connect a PCSC-compatible reader with the German eID card
Run this command at the command prompt
C:\Program Files\OpenSC Project\OpenSC\tools>npa-tool.exe -r 0 -v -v -v -c 123123

Logs

@frankmorgner
Member

Can you post the output?

@codyax1
Author

codyax1 commented Jun 17, 2021

I enabled the -verbose flag and it seems it fails at MSE: Set AT
The application is not sending OID params and Domain Parameter in MSE: CRT AT command
Do I have to send the EF.CardAccess command to get PACEinfo before sending the command npa-tool.exe -r 0 -v -v -v -c 123123?
If so, how?
npa-tool log.txt

@frankmorgner
Member

Having a second look, I think you're right that the OID is missing in the MSE command.

I think this problem is caused by an issue in OpenPACE. This should be fixed in OpenSC's currently available RC for the new release. Could you try this instead, please?

@codyax1
Author

codyax1 commented Jun 21, 2021

I tried to install the RC (typical installation). But the installation failed. Attaching the report.
OpenSC installation failure

@codyax1
Author

codyax1 commented Jun 21, 2021

This is the one I used:
image

@codyax1
Author

codyax1 commented Jun 21, 2021

OK, the installation works if I select complete installation (and not typical installation).
Still, PACE authentication doesn't work! Same problem.
OID (id_PACE_ECDH_GM_AES_CBC_CMAC_128) is not included in the MSE: Set AT command.
Domain parameter (OD, brainpool256r1) is also not included in the MSE: Set AT command.
CHAT is not required to be included for this card in the MSE: Set AT command.
See logs and screenshot attached!
(Looks like in your patch, you included it only for using PIN. I am using CAN to establish PACE.)
"I have German eGK and HBA test cards"

image
npa tool (RC) log.txt
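
Added example (not part of the issue thread and not OpenSC or OpenPACE code): a Python check that decodes an MSE:Set AT command copied from a verbose log and reports whether the fields discussed above are present, namely the OID (tag 0x80), the password reference (0x83) and the domain parameter ID (0x84). Tag numbers and password identifiers follow BSI TR-03110; the function names and both sample APDUs are constructed for illustration.

```python
# MSE:Set AT data objects used by PACE (BSI TR-03110).
TAGS = {0x80: "oid", 0x83: "password_ref", 0x84: "domain_param_id", 0x7F4C: "chat"}
PASSWORDS = {1: "MRZ", 2: "CAN", 3: "PIN", 4: "PUK"}

# Constructed sample commands (not taken from the logs attached to this issue).
COMPLETE = "00 22 C1 A4 12 80 0A 04 00 7F 00 07 02 02 04 02 02 83 01 02 84 01 0D"
INCOMPLETE = "00 22 C1 A4 03 83 01 02"


def parse_tlv(data: bytes) -> dict:
    """Split a BER-TLV data field into {tag: value}."""
    out, i = {}, 0
    try:
        while i < len(data):
            tag = data[i]
            i += 1
            if tag & 0x1F == 0x1F:          # two-byte tag, e.g. 7F4C (CHAT)
                tag = (tag << 8) | data[i]
                i += 1
            length = data[i]
            i += 1
            if length & 0x80:               # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise IndexError
            out[tag] = data[i:i + length]
            i += length
    except IndexError:
        raise ValueError("truncated TLV in command data") from None
    return out


def check_mse_set_at(apdu_hex: str) -> dict:
    """Report which PACE parameters an MSE:Set AT command carries."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5 or apdu[:4] != bytes.fromhex("0022C1A4"):
        raise ValueError("not an MSE:Set AT command for PACE")
    if len(apdu) < 5 + apdu[4]:
        raise ValueError("Lc exceeds command length")
    f = {TAGS.get(t, hex(t)): v for t, v in parse_tlv(apdu[5:5 + apdu[4]]).items()}
    pw = f.get("password_ref", b"")
    dp = f.get("domain_param_id")
    return {
        "missing": [n for n in ("oid", "password_ref") if n not in f],
        "oid": f.get("oid", b"").hex(),     # value bytes of the PACE OID
        "password": PASSWORDS.get(pw[0]) if pw else None,
        "domain_param_id": dp[0] if dp else None,   # 0x0D = BrainpoolP256r1
    }
```

Running `check_mse_set_at` on each `00 22 C1 A4 ...` line of a `-v -v -v` log shows at a glance whether the terminal sent the OID and domain parameter ID before the card rejected the command.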

@frankmorgner
Copy link
Member

For me, the binary installs fine.

However, I can confirm the problem with running PACE in Windows. I'm not sure what causes this problem. Running with similar configuration on Linux works as expected (OpenPACE 1.1.1 and OpenSSL 1.1.1). Maybe there's some problem with the CI environment...

frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jul 8, 2021
@kansasdev

I confirm this error still exists on Windows (December 2021), even with ID cards other than German ones (Incorrect parameters in APDU).
I have been trying to build it from source with the above fix (05057e6); after days of struggling I have finally made it (using openssl 1.1.0 win32) and openpace 1.1.2 and Visual Studio.
Unfortunately, when I run the npa-tool command I see the error: Failed to establish context: Unable to load external module. I have put all the new DLLs (including opensc.dll) in the same directory and I am out of ideas; I probably haven't built something. When I use Dependency Walker, no DLLs are missing, but this error comes rather from inside the program.
Any hints? If not, when do you plan to put out a release with openpace 1.1.2?

@frankmorgner
Member

#2472 fixes this issue. You can test it with the following installers:

@kansasdev

I confirm - it works now. PACE can be established on Windows.
BTW - is there any way to dump dg1 or dg2 from the ID card? I am not able to --read-dg1 --read-dg2 since I am receiving "File not found"

@frankmorgner
Member

frankmorgner commented Dec 28, 2021

are there any way to dump dg1 or dg2 from ID card? I am not able --read-dg1 --read-dg2 since I am receiving "File not found"

Currently, selecting the eID application is only done when full EAC (TA+CA) is done as well. This changes with #2257, so that always after authentication some application is selected (either eID or ePassport). Please try this PR on top...

frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 7, 2022
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 7, 2022
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Feb 28, 2022
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Feb 28, 2022
Jakuje pushed a commit that referenced this issue Mar 1, 2022
AlexandreGonzalo pushed a commit to AlexandreGonzalo/OpenSC that referenced this issue Nov 14, 2022