Problem with Cryptostick 1.2 in opensuse 13.1

It is possible that there is a regression in opensuse 13.1.
I tried to use the Cryptostick in opensuse. In version 12.3 that still worked without problems. But in 13.1 nothing works at all any more. Not that this surprises me much, but maybe for a change it is my mistake this time.
What I get as output:

Terminal:
su -
lsusb

The stick is recognized as:
Bus 001 Device 003: ID 20a0:4107 Clay Logic

Terminal:
pcsc_scan
PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau ludovic.rousseau@free.fr
Compiled with PC/SC lite version: 1.8.10
Using reader plug’n play mechanism
Scanning present readers…
0: German Privacy Foundation Crypto Stick v1.2 00 00

Mon Feb 3 16:31:17 2014
Reader 0: German Privacy Foundation Crypto Stick v1.2 00 00
Card state: Card inserted,
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C

defined(@array) is deprecated at /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/Chipcard/PCSC.pm line 69.
(Maybe you should just omit the defined()?)
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C

  • TS = 3B → Direct Convention
  • T0 = DA, Y(1): 1101, K: 10 (historical bytes)
    TA(1) = 18 → Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
    TC(1) = FF → Extra guard time: 255 (special value)
    TD(1) = 81 → Y(i+1) = 1000, Protocol T = 1

TD(2) = B1 → Y(i+1) = 1011, Protocol T = 1

TA(3) = FE → IFSC: 254
TB(3) = 75 → Block Waiting Integer: 7 - Character Waiting Integer: 5
TD(3) = 1F → Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following

TA(4) = 03 → Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V

  • Historical bytes: 00 31 C5 73 C0 01 40 00 90 00
    Category indicator byte: 00 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
    Card service data byte: C5
    - Application selection: by full DF name
    - Application selection: by partial DF name
    - EF.DIR and EF.ATR access services: by GET DATA command
    - Card without MF
    Tag: 7, len: 3 (card capabilities)
    Selection methods: C0
    - DF selection by full DF name
    - DF selection by partial DF name
    Data coding byte: 01
    - Behaviour of write functions: one-time write
    - Value ‘FF’ for the first byte of BER-TLV tag fields: invalid
    - Data unit in quartets: 2
    Command chaining, length fields and logical channels: 40
    - Extended Lc and Le fields
    - Logical channel number assignment: No logical channel
    - Maximum number of logical channels: 1
    Mandatory status indicator (3 last bytes)
    LCS (life card cycle): 00 (No information given)
    SW: 9000 (Normal processing.)
  • TCK = 0C (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
GnuPG card V2

So it sees the card, but it is not functional:
gpg --card-status
gpg-agent[6590]: can’t connect to the SCdaemon: IPC connect call failed
gpg: OpenPGP card not available: No SmartCard daemon

This is strange to begin with. PCSC-lite is installed, I have also tried every possible driver and tested the udev rule (all without success). gpa, which still worked without complaint in 12.3, reports: card application not supported.
Of course I can simply try commenting out line 69: return "" if (! defined @{$byte_array_ref});

but first I wanted to ask whether anyone has an idea or whether a bug report is appropriate.

I have also tried opensc in both versions (0.12.2 and 0.13.0 from factory). Nothing.
But with Terminal:
opensc-tool --atr
Using reader with a card: German Privacy Foundation Crypto Stick v1.2 00 00
3b:da:18:ff:81:b1:fe:75:1f:03:00:31:c5:73:c0:01:40:00:90:00:0c

Everything seems to work. Where is the error??

Edit shouted: typo in the title! :blush:

As a “bump” and to see whether there is some know-how in English out there: there appears to be a regression in opensuse 13.1. Before reporting a bug, I would like to check the possible reasons of a problem I do encounter with the use of the stick under 13.1. In version 12.3 everything was just plug and play. However now it is a total no go. Not that this comes as a major surprise, notwithstanding I wanted to be sure that it is a problem of the distribution and not an error of mine. When I open a terminal and do:

su -
lsusb

the stick is recognized as

[code]pcsc_scan
PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.10
Using reader plug'n play mechanism
Scanning present readers...
0: German Privacy Foundation Crypto Stick v1.2 00 00

Mon Feb 3 16:31:17 2014
Reader 0: German Privacy Foundation Crypto Stick v1.2 00 00
Card state: Card inserted,
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C

defined(@array) is deprecated at /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/Chipcard/PCSC.pm line 69.
(Maybe you should just omit the defined()?)
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
+ TS = 3B --> Direct Convention
+ T0 = DA, Y(1): 1101, K: 10 (historical bytes)
TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
TC(1) = FF --> Extra guard time: 255 (special value)
TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
TA(3) = FE --> IFSC: 254
TB(3) = 75 --> Block Waiting Integer: 7 - Character Waiting Integer: 5
TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
+ Historical bytes: 00 31 C5 73 C0 01 40 00 90 00
Category indicator byte: 00 (compact TLV data object)
Tag: 3, len: 1 (card service data byte)
Card service data byte: C5
- Application selection: by full DF name
- Application selection: by partial DF name
- EF.DIR and EF.ATR access services: by GET DATA command
- Card without MF
Tag: 7, len: 3 (card capabilities)
Selection methods: C0
- DF selection by full DF name
- DF selection by partial DF name
Data coding byte: 01
- Behaviour of write functions: one-time write
- Value 'FF' for the first byte of BER-TLV tag fields: invalid
- Data unit in quartets: 2
Command chaining, length fields and logical channels: 40
- Extended Lc and Le fields
- Logical channel number assignment: No logical channel
- Maximum number of logical channels: 1
Mandatory status indicator (3 last bytes)
LCS (life card cycle): 00 (No information given)
SW: 9000 (Normal processing.)
+ TCK = 0C (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
GnuPG card V2[/code]

so the card is visible but it seems not usable: 
[code]gpg --card-status
gpg-agent[6590]: can't connect to the SCdaemon: IPC connect call failed
gpg: OpenPGP card not available: No SmartCard daemon[/code]

Which is curious because PCSC-lite is installed, I tried all available drivers, I did set even the old udev-rule to see if it works. All pointless. gpa that was a “safe harbour” still in 12.3 now just gives: card not yet supported.

I also tried both versions of opensc available (0.12.2 and 0.13.0 from factory). Nothing. But with

opensc-tool --atr
Using reader with a card: German Privacy Foundation Crypto Stick v1.2 00 00
3b:da:18:ff:81:b1:fe:75:1f:03:00:31:c5:73:c0:01:40:00:90:00:0c

All seems to work but nothing goes? Where could the error be located? :frowning:
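
An added example, not part of any post in this thread: a minimal ISO 7816-3 ATR parser run over the ATR quoted above. It reproduces the interface-byte, historical-byte and TCK breakdown that pcsc_scan prints, which shows the card answers correctly at the PC/SC layer, so the failure sits above it. The function and field names are assumptions chosen for illustration.

```python
# Added example: minimal ISO 7816-3 ATR parser (names are illustrative).
# The ATR below is the one quoted in the thread's pcsc_scan output.
from functools import reduce

ATR_HEX = "3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C"


def parse_atr(atr_hex):
    """Split an ATR into TS, interface bytes, historical bytes and TCK."""
    atr = bytes.fromhex(atr_hex.replace(":", " "))
    if len(atr) < 2:
        raise ValueError("ATR too short")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError("invalid TS byte")
    hist_len = t0 & 0x0F          # K: number of historical bytes
    y = t0 >> 4                   # Y(1): which of TA1..TD1 follow
    pos, i = 2, 1
    interface, protocols = {}, []
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break                 # no TD(i): interface byte chain ends
        protocols.append(td & 0x0F)
        y, i = td >> 4, i + 1
    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated in historical bytes")
    pos += hist_len
    # TCK is present whenever a protocol other than T=0 is announced.
    needs_tck = any(p != 0 for p in protocols)
    tck = atr[pos] if needs_tck and pos < len(atr) else None
    # XOR of T0..TCK must be zero for a correct checksum.
    tck_ok = (not needs_tck) or (
        tck is not None and reduce(lambda a, b: a ^ b, atr[1:pos + 1]) == 0)
    return {"convention": "direct" if ts == 0x3B else "inverse",
            "interface": interface, "protocols": protocols,
            "historical": historical.hex(" ").upper(),
            "tck": tck, "tck_ok": tck_ok}


if __name__ == "__main__":
    for key, value in parse_atr(ATR_HEX).items():
        print(f"{key}: {value}")
```

The parser also accepts the colon-separated form printed by opensc-tool --atr.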

Try “sudo gpg --card-status”. Does it make a difference?

Even though you said you tried using the old UDEV rule, are you sure this isn’t the issue? For me, restarting UDEV (after installing a UDEV rule) doesn’t always work but I have to restart the entire system.

[code]sudo gpg --card-status
gpg-agent[12366]: can’t connect to the SCdaemon: Chiamata “connect” IPC non riuscita
gpg: OpenPGP card not available: Nessun demone per la SmartCard

[/code]
I think this is yet another bug of opensuse. It appears to have an issue with permissions? It’s complaining that it cannot do the connect call to IPC.

I do not think you are using opensuse 13.1, do you? Sure it would be nice to know if any other user of this distribution encounters this. It is well possible that they are having this issue also because of system.d. Will report a bug I guess. :unamused:
Udev-rules: did restart the whole system. No difference whatsoever.

Did you try “pkill -f gnome-keyring-daemon” as described here? crypto-stick.com/en/advanced

Yes I did. Actually I finally opted to file this as a bug in opensuse. It has been confirmed as bug, now, we are going to see when someone is going to work on it. Still hopeful to see action before x-mas. :laughing:

Could you provide the link to the bug in the bugtracker, please?

Sorry, did see this only now. Yes I (s)can …oops.

Link:
bugzilla.novell.com/show_bug.cgi?id=863294

There has been some progress with the latest gpg patch. Now the card is seen under gpg with --cardstatus but not under kleo nor under gpa.
Also opensc-tools do not see any card.
Posted details within the bug.
Cheers.

Question: one of the PINs has been inserted 3 times (probably while not getting feedback on doing it).
Is the card blocked? In this case: does Kleopatra see “no card” because it is blocked or is there still a problem on how the support for openscards is done in 13.1?
Gpa also does not see it.

If I have to reset it, given the serial number and the users that did brick it with a wrong reset code: is the reset code given on the homepage of the stick applicable to mine?
In other words, how to reset it without bricking it and b) should the card be visible to the kde apps even if it is blocked?

I don’t use Kleopatra but at least for GPA I would expect it to detect the device (otherwise it couldn’t manage the PINs). So I think you may have another issue. Usually this is because the GPG daemon is conflicting with some other tools. See: crypto-stick.com/en/advanced

The reset code on the webpage is correct (it has been updated a few weeks back).

I think I solved it. However I will have to check one by one, which library was not installed to cause the problem. After seeing syslog:

2014-04-07T08:47:12.344034+02:00 arabafenice systemd[1]: Starting PC/SC Smart Card Daemon...
2014-04-07T08:47:12.359778+02:00 arabafenice systemd[1]: Started PC/SC Smart Card Daemon.
2014-04-07T08:47:12.370760+02:00 arabafenice pcscd[4839]: 00000000 utils.c:53:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory

So as pcsc libraries are installed, I did search for pcsc and installed everything from the repos plus two libraries that have whatever thing to do with smartcards. So now it seems to work (although I am dead sure that only one of the files installed was really missing).
I will ask in openFATE for the creation of a smartcardreader “pattern” to ease installation in opensuse. That should be set up by one click without hassle.
Question: will the coming version require the very same libraries?

Second problem: wasn’t this card sold as capable to handle 4096 RSA/RSA? Because it claims:

000015D6 2.0 (RSA-2048) ZeitControl
(did I get an old card at the time? Or is this just a static output and the card is able to handle 4096?)

GPa now sees the card, Kleopatra doesn’t. I will try to log out and in. In case I will have to file a regression to open-suse kde.

Yes.

[quote=“solucion”]Second problem: wasn’t this card sold as capable to handle 4096 RSA/RSA? Because it claims:

000015D6 2.0 (RSA-2048) ZeitControl
(did I get an old card at the time? Or is this just a static output and the card is able to handle 4096?)[/quote]

I think you can ignore this string. Yes, the card supports RSA 4096 bit. But be aware that GnuPG itself may have some bugs with this keylength which is why we recommend not more than 3072 bit. For 4096 bit, make sure you use the very latest of GnuPG 2.

Please keep me posted about your progress. Thanks.

So as of 2017 (yeah a long time passed) this stick is still in function (although there is not much left from the cherry red plastic cover - not really resistant).
The stick works with just activating the pcsc smartcard support.
You need to have gpa installed for the management as (I use still KDE4 Kleopatra) Kleopatra does currently not handle this kind of cards (maybe will in plasma 5). It seems that if you use the tpm module of this lenovo X201, that the function of gpg is compromised (does not show the keylist claiming the cryptofunction is already started). Since I found out, I do not use the trusted grub with tpm any more and up to now all seems fine.
GPG works and encryption, signing and surprisingly also the use as GPG key for kwallet is functional.
Looking forward to buy maybe the new model but I am not decided which model.