pkcs11-tool -L hangs with horizon at Uicc Iso device #558

@mvogt1

This is the log file:

$ pkcs11-tool -L --module ~/libykcs11.so 
DBG ykcs11.c:415 (C_GetSlotList): Initializing slot 0 for 'Alcorlink USB Smart Card Reader 0'
DBG ykcs11.c:428 (C_GetSlotList): Failed to validate Alcorlink USB Smart Card Reader 0: Argument error
DBG ykpiv.c:947 (ykpiv_connect_ex): Connect reader 'Alcorlink USB Smart Card Reader 0'.
DBG ykpiv.c:958 (ykpiv_connect_ex): SCardConnect failed for 'Alcorlink USB Smart Card Reader 0', rc=80100069
DBG ykcs11.c:465 (C_GetSlotList): Unable to connect slot 0 to 'Alcorlink USB Smart Card Reader 0': Error in PCSC call
DBG ykcs11.c:415 (C_GetSlotList): Initializing slot 1 for 'Microsoft UICC ISO Reader 699446e9 1'
DBG ykcs11.c:428 (C_GetSlotList): Failed to validate Microsoft UICC ISO Reader 699446e9 1: Argument error
DBG ykpiv.c:947 (ykpiv_connect_ex): Connect reader 'Microsoft UICC ISO Reader 699446e9 1'.
DBG ykpiv.c:963 (ykpiv_connect_ex): SCardConnect succeeded for 'Microsoft UICC ISO Reader 699446e9 1', protocol=2
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 11 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
^C

Here you can see that the command is terminated with Ctrl-C, and as the last step it tries to transmit to the Microsoft UICC ISO reader, and this never returns and hangs.

libykcs11.so was built with YKCS11_DBG=9.

The Setup

The setup is a Horizon connection from a Windows laptop into a Linux Red Hat 9 system. Horizon is an RDP protocol; at least it forwards the libpcscd commands from Windows into Linux by using a smart card virtual channel extension: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpesc/65c30c99-e816-48b6-9293-8d467b10cc39.
This is only background info, in case you are asking yourself why the Windows extension "Windows Hello", for example, is appearing in Linux.

When I disable the UICC device the listing works fine. (see below)
I go to Device Manager -> Software Devices -> Uicc Reader and disable it.

$ pkcs11-tool -L --module ~/libykcs11.so 
DBG ykcs11.c:415 (C_GetSlotList): Initializing slot 0 for 'Alcorlink USB Smart Card Reader 0'
DBG ykcs11.c:428 (C_GetSlotList): Failed to validate Alcorlink USB Smart Card Reader 0: Argument error
DBG ykpiv.c:947 (ykpiv_connect_ex): Connect reader 'Alcorlink USB Smart Card Reader 0'.
DBG ykpiv.c:958 (ykpiv_connect_ex): SCardConnect failed for 'Alcorlink USB Smart Card Reader 0', rc=80100069
DBG ykcs11.c:465 (C_GetSlotList): Unable to connect slot 0 to 'Alcorlink USB Smart Card Reader 0': Error in PCSC call
DBG ykcs11.c:415 (C_GetSlotList): Initializing slot 1 for 'Windows Hello for Business 1'
DBG ykcs11.c:428 (C_GetSlotList): Failed to validate Windows Hello for Business 1: Argument error
DBG ykpiv.c:947 (ykpiv_connect_ex): Connect reader 'Windows Hello for Business 1'.
DBG ykpiv.c:963 (ykpiv_connect_ex): SCardConnect succeeded for 'Windows Hello for Business 1', protocol=2
DBG ykpiv.c:1356 (_ykpiv_transfer_data): Going to send 11 bytes in this go.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 6a82 (2)
DBG ykpiv.c:1173 (ykpiv_translate_sw_ex): _ykpiv_select_application: SW_ERR_FILE_NOT_FOUND
DBG ykpiv.c:776 (_ykpiv_select_application): Failed selecting application
DBG ykcs11.c:465 (C_GetSlotList): Unable to connect slot 1 to 'Windows Hello for Business 1': Invalid object
DBG ykcs11.c:500 (C_GetSlotList): token present is 0
DBG ykcs11.c:501 (C_GetSlotList): number of slots is 2
DBG ykcs11.c:505 (C_GetSlotList): Out
DBG ykcs11.c:343 (C_GetSlotList): In
DBG ykcs11.c:428 (C_GetSlotList): Failed to validate Alcorlink USB Smart Card Reader 0: Argument error
DBG ykpiv.c:947 (ykpiv_connect_ex): Connect reader 'Alcorlink USB Smart Card Reader 0'.
DBG ykpiv.c:958 (ykpiv_connect_ex): SCardConnect failed for 'Alcorlink USB Smart Card Reader 0', rc=80100069
DBG ykcs11.c:465 (C_GetSlotList): Unable to connect slot 0 to 'Alcorlink USB Smart Card Reader 0': Error in PCSC call
DBG ykpiv.c:892 (ykpiv_validate): Validate reader 'Windows Hello for Business 1'.
DBG ykcs11.c:500 (C_GetSlotList): token present is 0
DBG ykcs11.c:501 (C_GetSlotList): number of slots is 2
DBG ykcs11.c:505 (C_GetSlotList): Out
Available slots:
DBG ykcs11.c:514 (C_GetSlotInfo): In
DBG ykcs11.c:544 (C_GetSlotInfo): Out
Slot 0 (0x0): Alcorlink USB Smart Card Reader 0
  (empty)
DBG ykcs11.c:514 (C_GetSlotInfo): In
DBG ykcs11.c:544 (C_GetSlotInfo): Out
Slot 1 (0x1): Windows Hello for Business 1
  (empty)
DBG ykcs11.c:218 (C_Finalize): In
DBG ykpiv.c:366 (ykpiv_disconnect): Disconnect card #0.
DBG ykcs11.c:260 (C_Finalize): Out
$ 


As you can see the command does not hang and it lists the internal reader Alcorlink and Windows Hello.

Thus ykpiv.c sends something to the UICC reader, which then hangs.

Why am I thinking it's an issue with libykcs11.so?
When using OpenSC and not libykcs11.so, it works without hanging:

$ pkcs11-tool -L 
Available slots:
Slot 0 (0x0): Alcorlink USB Smart Card Reader 0
  (empty)
Slot 1 (0x4): Microsoft UICC ISO Reader 699446e9 1
  (token not recognized)
Slot 2 (0x8): Windows Hello for Business 1
  token label        : GIDS card (UserPIN)
  token manufacturer : www.mysmartlogon.com
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 886c4338561347b7
  pin min/max        : 4/15
  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=www.mysmartlogon.com;serial=886c4338561347b7;token=GIDS%20card%20%28UserPIN%29

As you can see, the UICC ISO Reader is listed when using OpenSC and hangs when using libykcs11.so. There is no YubiKey present in the system. It's not necessary to trigger this behavior.
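Added example, not part of the original report or of the Yubico code base: a small Python triage script that pairs each `>` transmit line of a YKCS11_DBG log with its `<` response, reports the readers that never answered, and splits the command APDU into its ISO 7816-4 fields. The log lines are copied from the two runs above; the function names are hypothetical.

```python
import re

# Sample input: ykpiv.c debug lines taken from the two runs in the report.
HANGING_RUN = """\
DBG ykpiv.c:947 (ykpiv_connect_ex): Connect reader 'Microsoft UICC ISO Reader 699446e9 1'.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
"""
WORKING_RUN = """\
DBG ykpiv.c:947 (ykpiv_connect_ex): Connect reader 'Windows Hello for Business 1'.
DBG ykpiv.c:1235 (_ykpiv_transmit): > 00a4040005a00000030800 (11)
DBG ykpiv.c:1242 (_ykpiv_transmit): < 6a82 (2)
"""
CONNECT = re.compile(r"\(ykpiv_connect_ex\): Connect reader '(.+)'\.")
TRANSMIT = re.compile(r"\(_ykpiv_transmit\): ([<>]) ([0-9a-f]+) \(\d+\)")

def decode_command(hex_apdu):
    """Split a short-form ISO 7816-4 command APDU into its fields."""
    raw = bytes.fromhex(hex_apdu)
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    fields = {"cla": raw[0], "ins": raw[1], "p1": raw[2], "p2": raw[3],
              "data": b"", "le": None}
    body = raw[4:]
    if len(body) == 1:                      # case 2: Le only
        fields["le"] = body[0]
    elif body:                              # case 3/4: Lc, data, optional Le
        lc, rest = body[0], body[1:]
        if len(rest) not in (lc, lc + 1):
            raise ValueError("Lc does not match the APDU length")
        fields["data"] = rest[:lc]
        fields["le"] = rest[lc] if len(rest) > lc else None
    return fields

def pair_exchanges(log_text):
    """Return [(reader, command_hex, response_hex or None)] in log order."""
    exchanges, reader = [], None
    for line in log_text.splitlines():
        connect, tx = CONNECT.search(line), TRANSMIT.search(line)
        if connect:
            reader = connect.group(1)
        elif tx and tx.group(1) == ">":     # command sent to the card
            exchanges.append([reader, tx.group(2), None])
        elif tx and exchanges and exchanges[-1][2] is None:
            exchanges[-1][2] = tx.group(2)  # response, ends in status word
    return [tuple(e) for e in exchanges]

def unanswered(log_text):
    """Commands with no response line: the point where the call blocked."""
    return [(r, c) for r, c, resp in pair_exchanges(log_text) if resp is None]
```

On the hanging run this isolates the single blocked command, a SELECT by name (INS a4, P1 04) for the application that `_ykpiv_select_application` reports as not found (6a82) on the Windows Hello reader.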
