HID Omnikey 3121 Smart Card Reader and GPG

Brandon Anderson brandon753.ba at gmail.com
Thu Jul 8 02:57:09 CEST 2021


So I have purchased an Omnikey 3121 smart card reader for use with my 
GPG smart card version 2.1. Whenever I put my card in and request 
`gpg --card-status`, the reader flashes its light for about a minute, 
and then finally, gpg returns with:

```
➜  ~ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

Now I know the card reader works because if I use `pcsc_scan` I 
immediately get:

```
➜  ~ pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00

Wed Jul  7 17:41:24 2021
  Reader 0: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
   Event number: 2
   Card state: Card inserted,
   ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C

ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
+ TS = 3B --> Direct Convention
+ T0 = DA, Y(1): 1101, K: 10 (historical bytes)
   TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
     129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
   TC(1) = FF --> Extra guard time: 255 (special value)
   TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
   TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
   TA(3) = FE --> IFSC: 254
   TB(3) = 75 --> Block Waiting Integer: 7 - Character Waiting Integer: 5
   TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
   TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
+ Historical bytes: 00 31 C5 73 C0 01 40 00 90 00
   Category indicator byte: 00 (compact TLV data object)
     Tag: 3, len: 1 (card service data byte)
       Card service data byte: C5
         - Application selection: by full DF name
         - Application selection: by partial DF name
         - EF.DIR and EF.ATR access services: by GET DATA command
         - Card without MF
     Tag: 7, len: 3 (card capabilities)
       Selection methods: C0
         - DF selection by full DF name
         - DF selection by partial DF name
       Data coding byte: 01
         - Behaviour of write functions: one-time write
         - Value 'FF' for the first byte of BER-TLV tag fields: invalid
         - Data unit in quartets: 2
       Command chaining, length fields and logical channels: 40
         - Extended Lc and Le fields
         - Logical channel number assignment: No logical channel
         - Maximum number of logical channels: 1
     Mandatory status indicator (3 last bytes)
       LCS (life card cycle): 00 (No information given)
       SW: 9000 (Normal processing.)
+ TCK = 0C (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
     OpenPGP Card V2
```

And if I run `pkcs15-tool -k`, I get the following returned:

```
➜  ~ pkcs15-tool -k
Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
Private RSA Key [Signature key]
     Object Flags   : [0x03], private, modifiable
     Usage          : [0x20C], sign, signRecover, nonRepudiation
     Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
     Algo_refs      : 0
     ModLength      : 4096
     Key ref        : 0 (0x00)
     Native         : yes
     Auth ID        : 01
     ID             : 01
     MD:guid        : <redacted>

Private RSA Key [Encryption key]
     Object Flags   : [0x03], private, modifiable
     Usage          : [0x22], decrypt, unwrap
     Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
     Algo_refs      : 0
     ModLength      : 4096
     Key ref        : 1 (0x01)
     Native         : yes
     Auth ID        : 02
     ID             : 02
     MD:guid        : <redacted>

Private RSA Key [Authentication key]
     Object Flags   : [0x03], private, modifiable
     Usage          : [0x222], decrypt, unwrap, nonRepudiation
     Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
     Algo_refs      : 0
     ModLength      : 4096
     Key ref        : 2 (0x02)
     Native         : yes
     Auth ID        : 02
     ID             : 03
     MD:guid        : <redacted>
```

So I believe the card reader is working fine, but gpg is just not 
working with it for some reason. On the GPG howto page, it's listed as 
(https://www.gnupg.org/howtos/card-howto/en/ch02s02.html):

Omnikey Cardman 3121 (and 2020)
This USB card reader supports CCID and PC/SC. The older Omnikey Cardman 
2020 is no longer produced. The newer reader has not been tested, but 
Omnikey says that the two readers are compatible.

To add some context, I am able to use my Identiv SCR3500 just fine with 
the same system using the same card; I just wanted a more permanent 
setup for my desktop. I am using gpg version 2.3.1 on Debian Sid. Are 
there steps I can/should take to diagnose what's going on? Is this card 
reader not compatible with the GPG drivers? Any advice would be appreciated.

Sincerely,

Brandon Anderson
