Bug 1911630

Summary: AusweisApp2 protocol error when authenticating German ID card via USB reader
Product: [Fedora] Fedora
Reporter: Arun Babu Neelicattu <arun.neelicattu>
Component: AusweisApp2
Assignee: Björn 'besser82' Esser <besser82>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 33
CC: besser82, cglombek, chaosben
Hardware: x86_64
OS: Linux
Fixed In Version: AusweisApp2-1.22.2-3.fc34 AusweisApp2-1.22.2-3.el8 AusweisApp2-1.22.2-3.fc33 AusweisApp2-1.22.2-3.fc35
Last Closed: 2021-09-01 20:31:29 UTC
Type: Bug

Description Arun Babu Neelicattu 2020-12-30 13:21:26 UTC
Description of problem:

Using a German ID card along with a REINER SCT cyberJack RFID USB reader [1] fails with a protocol error after valid PIN entry.

The card and PIN were verified to work with the Android app using NFC. Additionally, the reader, card and PIN have been verified using the Open EID app on the same workstation.


Version-Release number of selected component (if applicable):

> AusweisApp2-data-1.20.2-10.fc33.noarch
> AusweisApp2-1.20.2-10.fc33.x86_64


How reproducible:
This is consistently and easily reproduced.

Steps to Reproduce:
1. Install and open AusweisApp2 (rpm)
2. Select "See my personal data"
3. Select "Proceed to PIN entry"
4. Place ID card on USB card reader.
5. Enter PIN and continue.

Actual results:
App displays a protocol error.

Expected results:
App authenticates PIN and displays personal data.

Additional info:
The root cause seems to be the required elliptic curve being disabled in the OpenSSL install.

> support    2020.12.30 13:47:48.710 12917 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:186) : Starting PACE for PACE_PIN
> card       2020.12.30 13:47:48.711 12917 C ...urveFactory::createCurve(card/base/pace/ec/EllipticCurveFactory.cpp:45) : Error on EC_GROUP_new_by_curve_name, curve is unknown: 927
> card       2020.12.30 13:47:48.711 12917 C EcdhKeyAgreement::create(card/base/pace/ec/EcdhKeyAgreement.cpp:61)        : Creation of elliptic curve failed
> card       2020.12.30 13:47:48.712 12917 C PaceHandler::initialize(card/base/pace/PaceHandler.cpp:134)                : No supported domain parameters found
> support    2020.12.30 13:47:48.712 12917 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:212) : Finished PACE for PACE_PIN with result PROTOCOL_ERROR
> network    2020.12.30 13:47:49.003 12906   ...ndReceive::onReplyFinished(core/states/StateGenericSendReceive.cpp:285) : Status Code: 200 "OK"
> network    2020.12.30 13:47:49.003 12906   ...ndReceive::onReplyFinished(core/states/StateGenericSendReceive.cpp:285) : Header | Connection: keep-alive
> network    2020.12.30 13:47:49.003 12906   ...ndReceive::onReplyFinished(core/states/StateGenericSendReceive.cpp:285) : Header | Content-Type: application/vnd.paos+xml
> network    2020.12.30 13:47:49.003 12906   ...ndReceive::onReplyFinished(core/states/StateGenericSendReceive.cpp:285) : Header | Content-Length: 1415
> network    2020.12.30 13:47:49.004 12906   ...ndReceive::onReplyFinished(core/states/StateGenericSendReceive.cpp:285) : Header | Content-Security-Policy: default-src 'self'
> network    2020.12.30 13:47:49.004 12906   ...ndReceive::onReplyFinished(core/states/StateGenericSendReceive.cpp:285) : Header | Date: Wed, 30 Dec 2020 12:47:48 GMT
> support    2020.12.30 13:47:49.069 12917 I Reader::updateRetryCounter(card/base/Reader.cpp:83)                        : retrieved retry counter: 3 , was: 3 , PIN deactivated: false
> card       2020.12.30 13:47:49.143 12917 W ReaderManagerWorker::getReader(card/base/ReaderManagerWorker.cpp:235)      : Requested reader does not exist: "REINER SCT cyberJack RFID basis 00 00"
> card       2020.12.30 13:47:49.143 12917 W ...rManagerWorker::updateReaderInfo(card/base/ReaderManagerWorker.cpp:212) : Requested reader does not exist: "REINER SCT cyberJack RFID basis 00 00"
> feedback   2020.12.30 13:47:49.145 12906 I ApplicationModel::showFeedback(ui/qml/ApplicationModel.cpp:457)            : You may now remove your ID card from the device.
> qml        2020.12.30 13:47:49.145 12906 W ApplicationModel::isScreenReaderRunning(ui/qml/ApplicationModel.cpp:428)   : NOT IMPLEMENTED

[1] https://www.amazon.de/REINER-cyberJack-Chip-Kartenleser-basis-Personalausweis/dp/B004FQO10U/ref=asc_df_B004FQO10U/
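A triage helper for logs like the one above, added here as an example (it is not part of the original report or of AusweisApp2): it pairs each "Starting PACE" / "Finished PACE" entry and lists the curves OpenSSL rejected in between. The NID-to-name table comes from OpenSSL's `obj_mac.h`, where 927 is `brainpoolP256r1`; treating the numeric column as a per-worker id is an assumption, and `diagnose_pace` is a hypothetical name.

```python
import re

# OpenSSL numeric identifiers (NIDs) of the Brainpool r1 curves, from obj_mac.h.
NID_NAMES = {927: "brainpoolP256r1", 931: "brainpoolP384r1", 933: "brainpoolP512r1"}

# Columns: category, timestamp, numeric id, optional level, source location, message.
LINE = re.compile(
    r"^(?:>\s*)?(?P<cat>\S+)\s+(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<wid>\d+)\s+(?:(?P<lvl>[A-Z])\s+)?(?P<src>\S+)\s*: (?P<msg>.*)$")
START = re.compile(r"Starting PACE for (\w+)")
FINISH = re.compile(r"Finished PACE for (\w+) with result (\w+)")
UNKNOWN = re.compile(r"EC_GROUP_new_by_curve_name, curve is unknown: (\d+)")

# Excerpt of the log lines quoted in this report.
SAMPLE = """\
> support    2020.12.30 13:47:48.710 12917 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:186) : Starting PACE for PACE_PIN
> card       2020.12.30 13:47:48.711 12917 C ...urveFactory::createCurve(card/base/pace/ec/EllipticCurveFactory.cpp:45) : Error on EC_GROUP_new_by_curve_name, curve is unknown: 927
> card       2020.12.30 13:47:48.711 12917 C EcdhKeyAgreement::create(card/base/pace/ec/EcdhKeyAgreement.cpp:61)        : Creation of elliptic curve failed
> card       2020.12.30 13:47:48.712 12917 C PaceHandler::initialize(card/base/pace/PaceHandler.cpp:134)                : No supported domain parameters found
> support    2020.12.30 13:47:48.712 12917 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:212) : Finished PACE for PACE_PIN with result PROTOCOL_ERROR
> network    2020.12.30 13:47:49.003 12906   ...ndReceive::onReplyFinished(core/states/StateGenericSendReceive.cpp:285) : Status Code: 200 "OK"
"""

def diagnose_pace(lines):
    """Return one record per PACE attempt, with the curves OpenSSL refused in it."""
    open_attempts, done = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an AusweisApp2 log line
        wid, msg = m["wid"], m["msg"]
        if s := START.search(msg):
            open_attempts[wid] = {"started": m["ts"], "password": s[1],
                                  "missing_curves": []}
        elif (u := UNKNOWN.search(msg)) and wid in open_attempts:
            nid = int(u[1])
            open_attempts[wid]["missing_curves"].append(NID_NAMES.get(nid, f"NID {nid}"))
        elif (f := FINISH.search(msg)) and wid in open_attempts:
            attempt = open_attempts.pop(wid)
            attempt["result"] = f[2]
            done.append(attempt)
    return done

if __name__ == "__main__":
    for attempt in diagnose_pace(SAMPLE.splitlines()):
        print(attempt)
```

To check the installed OpenSSL build directly, `openssl ecparam -list_curves` prints the named curves it provides.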

Comment 1 Fedora Update System 2021-08-31 07:16:43 UTC
FEDORA-2021-b025f69683 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b025f69683

Comment 2 Fedora Update System 2021-08-31 07:16:53 UTC
FEDORA-EPEL-2021-7e4f239518 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-7e4f239518

Comment 3 Fedora Update System 2021-08-31 07:17:02 UTC
FEDORA-2021-ae621237b4 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ae621237b4

Comment 4 Fedora Update System 2021-08-31 07:17:11 UTC
FEDORA-2021-5729f02f4c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-5729f02f4c

Comment 5 Fedora Update System 2021-08-31 17:57:21 UTC
FEDORA-2021-ae621237b4 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ae621237b4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ae621237b4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-08-31 22:04:31 UTC
FEDORA-2021-5729f02f4c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-5729f02f4c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5729f02f4c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-08-31 22:25:50 UTC
FEDORA-EPEL-2021-7e4f239518 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-7e4f239518

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-08-31 22:53:13 UTC
FEDORA-2021-b025f69683 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b025f69683`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b025f69683

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-09-01 20:31:29 UTC
FEDORA-2021-b025f69683 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-09-01 20:34:50 UTC
FEDORA-EPEL-2021-7e4f239518 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2021-09-01 20:49:37 UTC
FEDORA-2021-5729f02f4c has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2021-09-24 20:12:02 UTC
FEDORA-2021-ae621237b4 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Benjamin Schwarze 2021-10-25 18:53:25 UTC
The problem still persists in AusweisApp2-1.22.2-3.fc34.x86_64:

remote_... 2021.10.25 20:34:23.203 16182 I ConnectRequest::onConnected(remote_device/ConnectRequest.cpp:73)           : Handshake of tls connection done!
support    2021.10.25 20:34:25.282 16183 I Reader::updateRetryCounter(card/base/Reader.cpp:83)                        : retrieved retry counter: 3 , was: -1 , PIN deactivated: false
support    2021.10.25 20:34:25.455 16183 I Reader::updateRetryCounter(card/base/Reader.cpp:83)                        : retrieved retry counter: 3 , was: 3 , PIN deactivated: false
support    2021.10.25 20:34:31.110 16183 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:179) : Starting PACE for PACE_PIN
card       2021.10.25 20:34:31.111 16183 C ...urveFactory::createCurve(card/base/pace/ec/EllipticCurveFactory.cpp:45) : Error on EC_GROUP_new_by_curve_name, curve is unknown: 927
card       2021.10.25 20:34:31.111 16183 C EcdhKeyAgreement::create(card/base/pace/ec/EcdhKeyAgreement.cpp:61)        : Creation of elliptic curve failed
card       2021.10.25 20:34:31.111 16183 C PaceHandler::initialize(card/base/pace/PaceHandler.cpp:117)                : No supported domain parameters found
support    2021.10.25 20:34:31.111 16183 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:229) : Finished PACE for PACE_PIN with result PROTOCOL_ERROR

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2000306