Problems with USB access to Omnikey 4321

Peter Lebbing peter at digitalbrains.com
Sun May 15 18:36:31 CEST 2016


On 15/05/16 13:28, Stefan Midjich wrote:
> Thanks for showing me, I tried gpgconf --kill scdaemon, then did your
> trick but the scdaemon.log after that was still giving the occasional
> Swedish error just like the one I pasted.

Oh, then what I showed is not sufficient to get the agent and scdaemon to change
locale, that's too bad.

I'll get back to your earlier mail now.

On 14/05/16 19:25, Stefan Midjich wrote:
> Here is the output of gpg --card-status --debug-ccid-driver with the
> locked card inserted: https://paste.fedoraproject.org/366386/24579314/

Can you tell what version of GnuPG you are using? I can't readily tell...

Anyway, your card still seems responsive. You can still select the OpenPGP
application on it and list its data.

> And here is my scdaemon.log when I've killed scdaemon, inserted my
> card and attempt to use the command 'scd serialno' in the
> gpg-connect-agent console.
> https://paste.fedoraproject.org/366394/32464351/

I'm getting technical, which is also intended to help along any other people
trying to look into your problem. So if you don't understand what I'm saying,
just read on.

Where in the dump of your gpg --card-status --debug-ccid-driver, GnuPG seems to
immediately request the OpenPGP application by Application Identifier, and
this succeeds, the gpg-connect-agent dump first tries a different SELECT
command, I think for the MF, Master File[1]. Then your card seems to go silent
and does not respond anymore.

In contrast, with a v2.0 card I have here where I depleted the tries for the
PINs, and using GnuPG v2.1, my GnuPG will always do the SELECT MF from [1], also
with gpg2 --card-status. My card then replies with SW1-SW2=6B00, indicating the
SELECT failed. The difference is it doesn't go silent like yours. Subsequently,
my scdaemon requests the OpenPGP application by AID[2], this succeeds by
SW1-SW2=9000, and everything goes peachy. Whereas your card is never heard from
again...

At this point, I'd really like to know which version of GnuPG you're using. And
if you're using GnuPG 1.4, do you have 2.x installed? Could you easily install
2.1 if you don't have a 2.x installed already?

My issue here is that my installation issues different commands to my card than
yours. At least, sometimes.

The first part of a dump of my scdaemon log when I do a gpg2 --card-status can
be found here[3].

> My ~/.gnupg/scdaemon.conf looks like this.
>
> pcsc-driver /usr/lib64/pcsc/drivers/ifdokccid_linux_x86_64-v4.1.8.bundle/Contents/Linux/ifdokccid.so

Now don't trust me on this, but it seems to me that scdaemon is using its
internal CCID driver for your card reader, and this line, AFAIK, is only
relevant to setups where PC/SC is used, that is, not the internal CCID driver.
So I think it's not relevant.

> The driver I downloaded from here hidglobal.com/drivers because I
> think it was necessary for my card reader.

I /think/ this was thus unneeded, as is a running pcscd. In fact, a different
program also accessing the card reader will cause issues when scdaemon is using
its own CCID driver.

Cheers,

Peter.

[1] The raw APDU is 00 A4 00 0C 02 3F 00
[2] The raw APDU is 00 A4 04 00 06 D2 76 00 01 24 01
[3] https://paste.fedoraproject.org/366760/

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
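
Added example, not part of the original message: a short Python decoder for the two SELECT APDUs in footnotes [1] and [2] and for the status words 6B00 and 9000 mentioned above. It assumes short-form ISO/IEC 7816-4 command APDUs only, and the function names are made up for this sketch.

```python
# Added example: decode short-form ISO/IEC 7816-4 command APDUs as they
# appear in an scdaemon/CCID debug log. Names here are illustrative only.
SELECT_P1 = {0x00: "by file identifier (MF, DF or EF)",
             0x04: "by DF name (AID)"}
STATUS = {0x9000: "success", 0x6B00: "wrong parameters P1-P2"}

def parse_apdu(hex_str):
    """Split a command APDU into header, data field and Le."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                 # case 2: Le only
        le = body[0]
    elif len(body) > 1:                # case 3 or 4: Lc, data, optional Le
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the data field length")
        if rest:
            le = rest[0]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def describe(hex_str):
    """One-line summary of a SELECT (INS A4) command."""
    a = parse_apdu(hex_str)
    if a["ins"] != 0xA4:
        return "INS %02X (not SELECT)" % a["ins"]
    how = SELECT_P1.get(a["p1"], "P1=%02X" % a["p1"])
    return "SELECT %s: %s" % (how, a["data"].hex().upper())

def status_word(sw_hex):
    """Name the SW1-SW2 values discussed in the message; others stay raw."""
    sw = int(sw_hex, 16)
    return STATUS.get(sw, "other (SW1=%02X SW2=%02X)" % (sw >> 8, sw & 0xFF))

if __name__ == "__main__":
    # The two APDUs from footnotes [1] and [2] of the message.
    for apdu in ("00 A4 00 0C 02 3F 00", "00 A4 04 00 06 D2 76 00 01 24 01"):
        print(apdu, "->", describe(apdu))
    for sw in ("6B00", "9000"):
        print(sw, "->", status_word(sw))
```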
