OpenSC in Firefox constantly sending SELECT(AID) APDUs for probing

[CardContact]

Problem Description

Environment: OpenSC 0.25 on Debian Testing with Firefox ESR.

If the card inserted into the reader is not recognized by OpenSC, then SELECT(AID) APDUs are issued at a high frequency, probably for probing. This interferes with other applications accessing the card.

Most APDUs contain the ActivCard AID (A0 00 00 00 79):

00000016 [140675220883136] APDU: 00 CB 3F FF 03 5C 01 7E 00 
00005039 [140675220883136] SW: 6E 00 
00000021 [140675220883136] APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 00 
00007490 [140675220883136] SW: 6A 82 
00000012 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 01 16 DB 00 00 
00006727 [140675220883136] SW: 6A 82 
00000011 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 10 00 00 
00006848 [140675220883136] SW: 6A 82 
00000010 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 00 00 
00006763 [140675220883136] SW: 6A 82 
00000007 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 01 00 
00007016 [140675220883136] SW: 6A 82 
00000013 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 02 00 
00006937 [140675220883136] SW: 6A 82 
00000021 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 03 00 
00007193 [140675220883136] SW: 6A 82 
00000034 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 04 00 
00006927 [140675220883136] SW: 6A 82 
00000012 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 05 00 
00006790 [140675220883136] SW: 6A 82 
00000014 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 06 00 
00006715 [140675220883136] SW: 6A 82 
00000015 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 07 00 
00006945 [140675220883136] SW: 6A 82 
00000014 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 08 00 
00006866 [140675220883136] SW: 6A 82 
00000014 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 09 00 
00006929 [140675220883136] SW: 6A 82 
00000022 [140675220883136] APDU: 00 A4 04 0C 07 A0 00 00 00 79 01 0A 00 
00000697 [140675220883136] SW: 6A 82 

Proposed Resolution

Probing should only happen when cards are inserted and unknown cards should be left alone.

Steps to reproduce

Run pcscd with "pcscd -a -d -f", start Firefox with OpenSc installed and watch the APDUs.

[dengert]

Can you get an opensc-debug.log?

• Show if FireFox is requesting probs for smart cards and at frequency

• Show what card the card driver or drivers are sending the probs.

The first two APDUs like from card-piv.c checking for DISCOVERY OBJECT when PIV is active application.
The second looks SELECT AID for PIV application, with response Application not found.

The rest could be from card-piv.c trying to test for a CAC CCC object or from card-cac.c.

In all the cases status show the card not have the object or application.

Is this causing problems with with the card/token you are trying to use?

I have Firefox 115.9esr on Ubuntu 22.04 and it does not appear to be probing.

[frankmorgner]

I think that constantly probing the card if it is an unrecognized one, should be contained in every version of OpenSC. However, previous versions had less applet-based card drivers and had simpler detection mechanisms, which may be the reason why this problem wasn't recognized earlier. Due to some compilation problem, the earliest version I was able to test is 0.24.0, which also contains this problem.

The problem lies within card_detect() from slot.c:

1. If a token is present (sc_detect_card_presence())
2. and the card is not already known (p11card->card == NULL
3. then a new connection is made (sc_connect_card()
4. and the card's PKCS#15 profile is bound.
5. If one of steps 2 to 4 fails, then we go to fail, which calls sc_pkcs11_card_free() and leads to sc_pkcs11_card_free(p11card);.

Step 1 to 5 are running in a loop, because we're not keeping track between the different runs.

I think, what should work now as a fix, would be setting pkcs11_enable_InitToken to true, because the token will then be kept inside some slot even though it was not recognized. This, however, may not always desirable, because, for example, some other process could not make an exclusive connection.

A different solution would be to create a second sc_context_t and use this to watch state changes of specific readers (sc_wait_for_event() with timeout set to 1). Only when this context detects a new card, the card probing should be executed.
Why use a new context rather than the existing one? It is likely, that we will loose the event state somewhere in libopensc. For example, reader-pcsc.c uses sc_wait_for_event() in many callbacks, which may accidentally drop events, that the PKCS#11 layer will not notice.

So again, I think this kind of problem should be present in all versions of OpenSC. If you think otherwise, please perform git bisect to point to a specific commit that introduced this problem. If we have this kind of context, we maybe find some simpler resolution to the constant card probing.