Athena ID Protect v2 Token triggers Select Card dialog on PKCS#11 C_Login

I am playing around with an Athena IDProtect v2 Token from NXP (the one compatible with the IDProtect Laser product line) on Windows 10 Pro (x64, German).

After installing the Athena client middleware 7.10.00 (x64) - with and without setting the Athena CSP Provider as default for Windows - and after formatting the token, I can use it from the Pkcs11Admin tool as well as OpenSC pkcs11-tool.

The library used is C:\Windows\System32\asepkcs.dll from the ASE Cryptoki 3.1.

The "Select Smartcard dialog" pops up on PKCS#11 function C_Login it seems, and it happens no matter if I have one or more readers present. It happens in multiple PKCS11 clients (including Java keytool):

[Screenshot of the Select Smartcard dialog]

Sorry for the German, the message says "the requested operation cannot be executed or another smartcard is required".

The PKCS11 Spy Log from PKCS11Admin tool is most telling. The C_Login hangs until I press "Cancel" in the dialog and then returns with CKR_OK:

0x00000274 : 0x00001494 : Calling C_OpenSession
0x00000274 : 0x00001494 : Input
0x00000274 : 0x00001494 :  slotID: 0
0x00000274 : 0x00001494 :  flags: 6
0x00000274 : 0x00001494 :   CKF_RW_SESSION: TRUE
0x00000274 : 0x00001494 :   CKF_SERIAL_SESSION: TRUE
0x00000274 : 0x00001494 :  pApplication: 0000000000000000
0x00000274 : 0x00001494 :  Notify: 0000000000000000
0x00000274 : 0x00001494 :  phSession: 0000004AD91FD370
0x00000274 : 0x00001494 :  *phSession: 3642741616
0x00000274 : 0x00001494 : Output
0x00000274 : 0x00001494 :  phSession: 0000004AD91FD370
0x00000274 : 0x00001494 :  *phSession: 1
0x00000274 : 0x00001494 : Returning 0 (CKR_OK)
0x00000274 : 0x00001494 : *********************** 2017-06-03 21:24:14 ***
0x00000274 : 0x00001494 : Calling C_Login
0x00000274 : 0x00001494 : Input
0x00000274 : 0x00001494 :  hSession: 1
0x00000274 : 0x00001494 :  userType: 1 (CKU_USER)
0x00000274 : 0x00001494 :  pPin: 00000236C5779128
0x00000274 : 0x00001494 :  *pPin: *** Intentionally hidden ***
0x00000274 : 0x00001494 :  ulPinLen: 8
... <here it hangs till I cancel the dialog> ...
0x00000274 : 0x00001494 : Returning 0 (CKR_OK)
0x00000274 : 0x00000d38 : ********************** 2017-06-03 21:26:24 ***
0x00000274 : 0x00000d38 : Calling C_GetSlotInfo
0x00000274 : 0x00000d38 : Input
0x00000274 : 0x00000d38 :  slotID: 0
0x00000274 : 0x00000d38 :  pInfo: 0000004AEBE7E630
0x00000274 : 0x00000d38 : Output
0x00000274 : 0x00000d38 :  pInfo: 0000004AEBE7E630
0x00000274 : 0x00000d38 :   slotDescription: Athena IDProtect Key v2 0
0x00000274 : 0x00000d38 :   manufacturerID: Athena                          
0x00000274 : 0x00000d38 :   flags: 7
0x00000274 : 0x00000d38 :    CKF_TOKEN_PRESENT: TRUE
0x00000274 : 0x00000d38 :    CKF_REMOVABLE_DEVICE: TRUE
0x00000274 : 0x00000d38 :    CKF_HW_SLOT: TRUE
0x00000274 : 0x00000d38 :   hardwareVersion:
0x00000274 : 0x00000d38 :    major: 1
0x00000274 : 0x00000d38 :    minor: 0
0x00000274 : 0x00000d38 :   firmwareVersion:
0x00000274 : 0x00000d38 :    major: 1
0x00000274 : 0x00000d38 :    minor: 0
0x00000274 : 0x00000d38 : Returning 0 (CKR_OK)

I noticed that when I use certutil.exe -SCInfo it has the same problem, but it can be suppressed with -silent (though I think certutil is not using PKCS#11 but the CNG drivers directly. In certutil it happens with both the Microsoft base card driver and the Athena card driver).

BTW: only certutil and the Windows popup name this card "CJCOP3"; another name is provisioned in the profile.

Any idea what that might be?

windows-10-v1703
smartcard
certutil
pkcs
asked on Super User Jun 3, 2017 by eckes • edited Jun 3, 2017 by eckes

1 Answer

I got an answer from my Crypto Dealer of choice (shout out to cryptoshop.com). This is a known limitation of the most recent Athena Middleware Clients, and it helps to remove those smartcards from the framework by deleting the following registry keys:

HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CJCOP3
HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\CJCOP3
answered on Super User Jun 7, 2017 by eckes
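
One way to apply the registry change from the answer above while keeping a restorable backup. This is an added example, not part of the original answer; the two key paths come from the answer, while the backup directory and file names are assumptions made for the example. It assumes an elevated 64-bit PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then remove, the CJCOP3 card registrations named in the answer.
# Run with -WhatIf to inspect and back up the keys without deleting anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: backup location chosen for this example.
    [string]$BackupDir = (Join-Path $env:TEMP 'CJCOP3-backup')
)

# Both key paths are taken verbatim from the answer (native and Wow6432Node views).
$keys = @(
    'HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CJCOP3',
    'HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\CJCOP3'
)

# The backup directory is always created, even under -WhatIf, so the export can run.
New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null

foreach ($key in $keys) {
    # Translate the reg.exe style path into a PowerShell registry provider path.
    $psPath = "Registry::$($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE')"
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Host "Not present, skipping: $key"
        continue
    }

    # Show the values stored under the key before touching it.
    Get-ItemProperty -LiteralPath $psPath | Format-List | Out-Host

    # Export to a .reg file so the registration can be restored with 'reg import'.
    $view = if ($key -match 'Wow6432Node') { 'wow6432' } else { 'native' }
    $backup = Join-Path $BackupDir "CJCOP3-$view.reg"
    & reg.exe export $key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $key failed (reg.exe exit code $LASTEXITCODE); nothing removed."
    }

    # Delete only after a successful backup; honours -WhatIf and -Confirm.
    if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
        Remove-Item -LiteralPath $psPath -Recurse
        Write-Host "Removed $key (backup: $backup)"
    }
}
```

To undo the change, import the exported files again with reg import.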

User contributions licensed under CC BY-SA 3.0