Description
Problem Description
Overview:
When using the OpenSC minidriver with a JPKI card, pkcs15-tool --list-keys correctly displays both key containers. However, when running certutil -scinfo, only the first key container is displayed, and the second key (Digital Signature Key) is not recognized. This issue may relate to the security handling or the minidriver's implementation for the JPKI card.
Using reader with a card: Hitachi/Maxell M-500U/M-520U 0
Private RSA Key [User Authentication Key]
Object Flags : [0x01], private
Usage : [0x04], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 1 (0x01)
Native : yes
Auth ID : 01
ID : 01
MD:guid : c5a0a252-9d2d-eb60-fec0-41b4fbd722a2
Private RSA Key [Digital Signature Key]
Object Flags : [0x01], private
Usage : [0x204], sign, nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 2 (0x02)
Native : yes
Auth ID : 02
ID : 02
MD:guid : e1bc1dae-59f1-16ab-b43f-9dafbb2acc9b
Details:
Reader and Card Used: Hitachi/Maxell M-500U/M-520U 0
Operating System and Version: Windows 11 22631.3672
OpenSC Version: 0.25.1.0
Other Tools/Applications: Windows certutil
Error Messages:
certutil -scinfo does not display the Digital Signature Key, although pkcs15-tool --list-keys lists it as available.
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 2
0: Hitachi/Maxell M-500U/M-520U 0
--- Reader: Hitachi/Maxell M-500U/M-520U 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card: JPKI-2
--- ATR:
3b da 13 ff 81 31 fb 46 80 12 39 2f 31 c1 73 c6 ;....1.F..9/1.s.
01 c0 3b ..;
=======================================================
Analyzing card in reader: Hitachi/Maxell M-500U/M-520U 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Hitachi/Maxell M-500U/M-520U 0
--- Card: JPKI-2
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]
Serial Number: 06d90f3b
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2023/08/17 1:31
NotAfter: 2024/10/01 23:59
Subject: CN=28*****, C=JP
Non-root Certificate
Cert Hash(sha1): 7c3**********
Performing AT_SIGNATURE public key matching test...
Public key matching test succeeded
Key Container = c5a0a252-9d2d-eb60-fec0-41b4fbd722a2
Provider = Microsoft Base Smart Card Crypto Provider
ProviderType = 1
Flags = 1
0x1 (1)
KeySpec = 2 -- AT_SIGNATURE
Private key verifies
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1010040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000040
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2023/08/17 1:31
NotAfter: 2024/10/01 23:59
Subject: CN=2867*********, C=JP
Serial: 06d90f3b
Cert: 7c339b********
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Issuance[0] = 1.2.392.200149.8.5.1.3.30
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Exclude leaf cert:
Chain: da*******
Full chain:
Chain: 7c339b********
Missing Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2023/08/17 1:31
NotAfter: 2024/10/01 23:59
Subject: CN=2867*******, C=JP
Serial: 06d90f3b
Cert: 7c339b********
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
Displayed AT_SIGNATURE cert for reader: Hitachi/Maxell M-500U/M-520U 0
No AT_KEYEXCHANGE key for reader: Hitachi/Maxell M-500U/M-520U 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Hitachi/Maxell M-500U/M-520U 0
--- Card: JPKI-2
Provider = Microsoft Smart Card Key Storage Provider
Key Container = c5a0a252-9d2d-eb60-fec0-41b4fbd722a2
Serial Number: 06d90f3b
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2023/08/17 1:31
NotAfter: 2024/10/01 23:59
Subject: CN=286794E78GACEN13116003A, C=JP
Non-root Certificate
Cert Hash(sha1): 7c339b********
Performing public key matching test...
Public key matching test succeeded
Key Container = c5a0a252-9d2d-eb60-fec0-41b4fbd722a2
Provider = Microsoft Smart Card Key Storage Provider
ProviderType = 0
Flags = 1
0x1 (1)
KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(RSA:CNG) test skipped
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1010040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
CertContext[0][0]: dwInfoStatus=1 dwErrorStatus=1000040
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2023/08/17 1:31
NotAfter: 2024/10/01 23:59
Subject: CN=286794E78GACEN13116003A, C=JP
Serial: 06d90f3b
Cert: 7c339b********
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Issuance[0] = 1.2.392.200149.8.5.1.3.30
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Exclude leaf cert:
Chain: da39*****
Full chain:
Chain: 7c339b********
Missing Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
Issuer: OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
NotBefore: 2023/08/17 1:31
NotAfter: 2024/10/01 23:59
Subject: CN=286794E78GACEN13116003A, C=JP
Serial: 06d90f3b
Cert: 7c339b4c8f5d33dfc8081f3a504fe027852f1858
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
OU=Japan Agency for Local Authority Information Systems, OU=JPKI for user authentication, O=JPKI, C=JP
Displayed cert for reader: Hitachi/Maxell M-500U/M-520U 0
--------------===========================---------------
Done.
CertUtil: -SCInfo command completed successfully.
Steps to Reproduce
Setup Environment: Insert JPKI card into the reader (Hitachi/Maxell M-500U/M-520U 0).
List Keys Using OpenSC Tool: Run pkcs15-tool --list-keys. Both keys should be displayed as listed in the problem description.
Verify with Windows Tool: Run certutil -scinfo on the same setup.
Observe the Output: Note that only the first key (User Authentication Key) is displayed, and the second key (Digital Signature Key) is missing from the output.
Expected Behavior
certutil -scinfo should display both JPKI certificates, as pkcs15-tool --list-keys does, indicating proper interaction and recognition by the minidriver and the OS.
Actual Behavior
Only the first cert is displayed in the certutil -scinfo output, indicating a potential issue in the minidriver’s handling of multiple keys or specific security protocols for the second key container.

Additional Info:
According to the JPKI protocol, reading the Digital Signature Public Key (bContainerIndex=1) with READ BINARY (00 B0 00 00 04) first requires verifying the Signature PIN:
SELECT FILE: Public Personal Authentication Application
Command: 00 A4 04 0C 0A D3 92 F0 00 26 01 00 00 00 01
Response: 90 00
SELECT FILE: Signature PIN
Command: 00 A4 02 0C 02 00 1B
Response: 90 00
VERIFY: Signature PIN (Password=123456)
Command: 00 20 00 80 06 31 32 33 34 35 36
Response: 90 00
SELECT FILE: Signature Certificate
Command: 00 A4 02 0C 02 00 01
Response: 90 00
READ BINARY: Read the first 4 bytes to determine the certificate's byte length
Command: 00 B0 00 00 04
Response: 30 82 06 CA 90 00
READ BINARY: Read the full certificate data (excluding the first 4 bytes, remaining 0x06CA bytes)
Command: 00 B0 00 04 00 06 CA
Response: 30 82 ...certificate data... 90 00
This discrepancy in behavior between pkcs15-tool and certutil -scinfo may indicate an issue with how the OpenSC minidriver is handling the card's security protocols or with the implementation of the JPKI card support.
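To make the difference concrete, here is an added example (not OpenSC or JPKI project code) that replays the APDU sequence above against a constructed in-memory card which answers READ BINARY on the signature certificate with 69 82 until the Signature PIN has been verified, which is the status word the cardmod log in this issue records. The AID, file identifiers and DER length handling come from the sequence above; the fake card and its PIN are assumptions for the example.

```python
# Added example (not OpenSC code): the issue's JPKI read sequence, run against a constructed card that enforces the Signature PIN.
SW_OK, SW_SECURITY = bytes((0x90, 0x00)), bytes((0x69, 0x82))
AID_JPKI_AUTH = bytes.fromhex("D392F000260100000001")   # from the SELECT in the issue
FID_SIG_PIN, FID_SIG_CERT = b"\x00\x1B", b"\x00\x01"

class FakeJpkiCard:
    """Stand-in card: READ BINARY on the cert file answers 69 82 until VERIFY succeeds."""
    def __init__(self, cert: bytes, pin: bytes):
        self.cert, self.pin, self.verified, self.selected = cert, pin, False, None
    def transmit(self, apdu: bytes) -> bytes:
        ins, p1, p2, lc = apdu[1], apdu[2], apdu[3], apdu[4]
        if ins == 0xA4:                                  # SELECT FILE by AID or by FID
            self.selected = apdu[5:5 + lc]
            return SW_OK
        if ins == 0x20:                                  # VERIFY against the selected PIN file
            self.verified = self.selected == FID_SIG_PIN and apdu[5:5 + lc] == self.pin
            return SW_OK if self.verified else bytes((0x63, 0xC2))
        if ins == 0xB0:                                  # READ BINARY, offset in P1P2
            if self.selected == FID_SIG_CERT and not self.verified:
                return SW_SECURITY                       # exactly what the cardmod log shows
            le = (lc or 256) if len(apdu) == 5 else int.from_bytes(apdu[5:7], "big")
            off = (p1 << 8) | p2
            return self.cert[off:off + le] + SW_OK
        return bytes((0x6D, 0x00))                       # INS not supported

def select_file(transmit, p1: int, data: bytes) -> bytes:
    return transmit(bytes((0x00, 0xA4, p1, 0x0C, len(data))) + data)

def read_binary_status(transmit) -> bytes:
    """The minidriver's path in the log: SELECT app, SELECT cert, READ BINARY with no VERIFY."""
    select_file(transmit, 0x04, AID_JPKI_AUTH)
    select_file(transmit, 0x02, FID_SIG_CERT)
    return transmit(bytes.fromhex("00B0000004"))[-2:]

def read_signature_certificate(transmit, pin: bytes) -> bytes:
    """The full sequence from the issue, including VERIFY of the Signature PIN."""
    select_file(transmit, 0x04, AID_JPKI_AUTH)
    select_file(transmit, 0x02, FID_SIG_PIN)
    if transmit(bytes((0x00, 0x20, 0x00, 0x80, len(pin))) + pin) != SW_OK:
        raise PermissionError("VERIFY of the Signature PIN failed")
    select_file(transmit, 0x02, FID_SIG_CERT)
    head = transmit(bytes.fromhex("00B0000004"))         # first 4 bytes: DER header
    if head[-2:] != SW_OK:
        raise PermissionError(f"READ BINARY failed, SW={head[-2:].hex()}")
    hdr = head[:-2]
    if hdr[:2] != b"\x30\x82":                            # SEQUENCE with 2-byte length
        raise ValueError("unexpected DER header")
    body_len = int.from_bytes(hdr[2:4], "big")           # e.g. 06 CA in the issue
    # Extended Le (00 LL LL) to fetch the remaining body from offset 4, as the issue does
    rest = transmit(bytes((0x00, 0xB0, 0x00, 0x04, 0x00)) + body_len.to_bytes(2, "big"))
    return hdr + rest[:-2]
```

Running read_binary_status against the fake card reproduces the 69 82 from the log, while read_signature_certificate returns the whole certificate once the PIN has been verified.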
Logs
https://pastebin.com/fuRSSLeY
Outgoing APDU (5 bytes):
00 B0 00 00 04 .....
P:39236; T:5172 2024-06-03 01:53:11.516 [cardmod] reader-pcsc.c:244:pcsc_internal_transmit: called
P:39236; T:5172 2024-06-03 01:53:11.529 [cardmod] reader-pcsc.c:334:pcsc_transmit:
Incoming APDU (2 bytes):
69 82 i.
P:39236; T:5172 2024-06-03 01:53:11.532 [cardmod] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:39236; T:5172 2024-06-03 01:53:11.533 [cardmod] apdu.c:539:sc_transmit: returning with: 0 (Success)
P:39236; T:5172 2024-06-03 01:53:11.535 [cardmod] card.c:523:sc_unlock: called
P:39236; T:5172 2024-06-03 01:53:11.537 [cardmod] Security status not satisfied
P:39236; T:5172 2024-06-03 01:53:11.539 [cardmod] iso7816.c:162:iso7816_read_binary: Check SW error: -1211 (Security status not satisfied)
P:39236; T:5172 2024-06-03 01:53:11.541 [cardmod] card.c:523:sc_unlock: called
P:39236; T:5172 2024-06-03 01:53:11.542 [cardmod] card.c:663:sc_read_binary: returning with: -1211 (Security status not satisfied)
P:39236; T:5172 2024-06-03 01:53:11.545 [cardmod] card-jpki.c:197:jpki_select_file: SW Check failed: -1211 (Security status not satisfied)
P:39236; T:5172 2024-06-03 01:53:11.547 [cardmod] card.c:872:sc_select_file: 'SELECT' error: -1211 (Security status not satisfied)
P:39236; T:5172 2024-06-03 01:53:11.550 [cardmod] card.c:523:sc_unlock: called
P:39236; T:5172 2024-06-03 01:53:11.552 [cardmod] pkcs15.c:2634:sc_pkcs15_read_file: returning with: -1211 (Security status not satisfied)
P:39236; T:5172 2024-06-03 01:53:11.554 [cardmod] pkcs15-pubkey.c:963:sc_pkcs15_read_pubkey: Failed to read public key file.: -1211 (Security status not satisfied)
P:39236; T:5172 2024-06-03 01:53:11.557 [cardmod] pkcs15-pubkey.c:984:sc_pkcs15_read_pubkey: returning with: -1211 (Security status not satisfied)
P:39236; T:5172 2024-06-03 01:53:11.561 [cardmod] public key read error -1211
P:39236; T:5172 2024-06-03 01:53:11.562 [cardmod] now read certificate 'Digital Signature Certificate'