Bug 2000306

Summary: AusweisApp2 Card_Protocol_Error after entering PIN of German ID card using smartphone as card reader
Product: Fedora
Reporter: wurstsemmel
Component: AusweisApp2
Assignee: Björn 'besser82' Esser <besser82>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 38
CC: belegdol, besser82, cglombek, chaosben, jogojapan, mantik0r42, norbert.jurkeit, redhat, rh-bugzilla, sahana, t8m, tm
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: AusweisApp2-1.26.3-1.fc38
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-03-26 00:20:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2141672

Attachments (description / flags):
    Log file generated by AusweisApp2 / none
    attempted fix / none

Description wurstsemmel 2021-09-01 20:08:09 UTC
Created attachment 1819748 [details]
Log file generated by AusweisApp2

Description of problem: AusweisApp2 fails with Card_Protocol_Error (protocol error) after entering the PIN of the German ID card using the smartphone as card reader. The ID card and PIN were verified to work with the smartphone app.


Version-Release number of selected component (if applicable): AusweisApp2-1.22.2-3.fc34.x86_64



How reproducible: Always


Steps to Reproduce:
1. Open AusweisApp2 on the Fedora system and click "Meine Daten einsehen" (Show my data).
2. Click again on "Meine Daten einsehen"
3. Click on "Weiter zur PIN-Eingabe" (Proceed to PIN entry)
4. Pair the smartphone with the Fedora system (Step 1) -> Success
5. Place the ID card under the smartphone (Step 2) -> Success
6. Enter the PIN of the ID card when prompted

Actual results: Protocol Error (Card_Protocol_Error)


Expected results: Personal data from ID Card should be read-out and displayed on the Fedora system


Additional info 1:

Application: AusweisApp2
Application Version: 1.22.2
Organization: 
Organization Domain: 
System: Fedora 34 (Workstation Edition)
Kernel: 5.13.12-200.fc34.x86_64
Architecture: x86_64
Device: xps13
Qt Version: 5.15.2
OpenSSL Version: OpenSSL 1.1.1l  FIPS 24 Aug 2021

Fehlernummer:
Card_Protocol_Error

Service URL:
https://www.autentapp.de

Parameter des aufgetretenen Fehlers:


Kritische Fehler:
card_pcsc  2021.09.01 21:09:29.353 7262 W ...ManagerPlugIn::updateReaders(card/pcsc/PcscReaderManagerPlugIn.cpp:121) : Cannot update readers, returnCode: 2148532227
card_pcsc  2021.09.01 21:09:29.354 7262 W ...eaderManagerPlugIn::startScan(card/pcsc/PcscReaderManagerPlugIn.cpp:62) : Not started: Cannot establish context
card_pcsc  2021.09.01 21:09:29.852 7262 W ...ManagerPlugIn::updateReaders(card/pcsc/PcscReaderManagerPlugIn.cpp:121) : Cannot update readers, returnCode: 2148532227
card_pcsc  2021.09.01 21:09:29.853 7262 W ...eaderManagerPlugIn::startScan(card/pcsc/PcscReaderManagerPlugIn.cpp:62) : Not started: Cannot establish context
card_pcsc  2021.09.01 21:09:30.353 7262 W ...ManagerPlugIn::updateReaders(card/pcsc/PcscReaderManagerPlugIn.cpp:121) : Cannot update readers, returnCode: 2148532227
card_pcsc  2021.09.01 21:09:30.353 7262 W ...eaderManagerPlugIn::startScan(card/pcsc/PcscReaderManagerPlugIn.cpp:62) : Not started: Cannot establish context
card_pcsc  2021.09.01 21:09:30.852 7262 W ...ManagerPlugIn::updateReaders(card/pcsc/PcscReaderManagerPlugIn.cpp:121) : Cannot update readers, returnCode: 2148532227
card_pcsc  2021.09.01 21:09:30.852 7262 W ...eaderManagerPlugIn::startScan(card/pcsc/PcscReaderManagerPlugIn.cpp:62) : Not started: Cannot establish context
support    2021.09.01 21:09:31.117 7262 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:179) : Starting PACE for PACE_PIN
card       2021.09.01 21:09:31.118 7262 C ...urveFactory::createCurve(card/base/pace/ec/EllipticCurveFactory.cpp:45) : Error on EC_GROUP_new_by_curve_name, curve is unknown: 927




Additional info 2:

The "Error on EC_GROUP_new_by_curve_name, curve is unknown: 927" is similar to what is described in https://bugzilla.redhat.com/show_bug.cgi?id=1911630. Please note that the version with bugfixes was installed from the updates-testing repository via "sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b025f69683" and the system was restarted.



Additional info 3:

A more detailed log file is attached.

Comment 1 Enrico Scholz 2021-09-07 20:15:30 UTC
ECC curve 927 is NID_brainpoolP256r1 which has been removed from the OpenSSL shipped by Fedora (https://src.fedoraproject.org/rpms/openssl/blob/f34/f/openssl-1.1.1-ec-curves.patch#_118)

Comment 2 Norbert Jurkeit 2021-10-03 10:00:13 UTC
FWIW this does work in my Xubuntu VM, they seem to be less concerned about patent issues.

Comment 3 Anton S 2021-11-06 15:52:05 UTC
I can confirm this error on f34

Comment 4 Julian Sikorski 2021-12-02 18:05:09 UTC
I can confirm this happens on F35 as well:

remote_... 2021.12.02 19:02:12.131 129294 I ConnectRequest::onConnected(remote_device/ConnectRequest.cpp:73)           : Handshake of tls connection done!
support    2021.12.02 19:02:12.621 129295 I Reader::updateRetryCounter(card/base/Reader.cpp:83)                        : retrieved retry counter: 3 , was: -1 , PIN deactivated: false
support    2021.12.02 19:02:12.751 129295 I Reader::updateRetryCounter(card/base/Reader.cpp:83)                        : retrieved retry counter: 3 , was: 3 , PIN deactivated: false
support    2021.12.02 19:02:26.313 129295 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:179) : Starting PACE for PACE_PIN
card       2021.12.02 19:02:26.313 129295 C ...urveFactory::createCurve(card/base/pace/ec/EllipticCurveFactory.cpp:45) : Error on EC_GROUP_new_by_curve_name, curve is unknown: 927
card       2021.12.02 19:02:26.313 129295 C EcdhKeyAgreement::create(card/base/pace/ec/EcdhKeyAgreement.cpp:61)        : Creation of elliptic curve failed
card       2021.12.02 19:02:26.313 129295 C PaceHandler::initialize(card/base/pace/PaceHandler.cpp:117)                : No supported domain parameters found
support    2021.12.02 19:02:26.313 129295 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:229) : Finished PACE for PACE_PIN with result PROTOCOL_ERROR

Comment 5 Julian Sikorski 2021-12-02 20:29:24 UTC
Created attachment 1844519 [details]
attempted fix

I tried the attached patch but it just changes which error appears:

support    2021.12.02 19:44:07.859 280273 I Reader::updateRetryCounter(card/base/Reader.cpp:83)                        : retrieved retry counter: 3 , was: -1 , PIN deactivated: false
support    2021.12.02 19:44:08.008 280273 I Reader::updateRetryCounter(card/base/Reader.cpp:83)                        : retrieved retry counter: 3 , was: 3 , PIN deactivated: false
support    2021.12.02 19:44:29.540 280273 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:179) : Starting PACE for PACE_PIN
card       2021.12.02 19:44:29.540 280273 W ...pticCurveFactory::create(card/base/pace/ec/EllipticCurveFactory.cpp:74) : Creation of standardized elliptic curve 13 not supported
card       2021.12.02 19:44:29.540 280273 C EcdhKeyAgreement::create(card/base/pace/ec/EcdhKeyAgreement.cpp:61)        : Creation of elliptic curve failed
card       2021.12.02 19:44:29.540 280273 C PaceHandler::initialize(card/base/pace/PaceHandler.cpp:117)                : No supported domain parameters found
support    2021.12.02 19:44:29.540 280273 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:229) : Finished PACE for PACE_PIN with result PROTOCOL_ERROR

Comment 6 Enrico Scholz 2021-12-02 21:25:04 UTC
Very likely, the ID card itself supports only brainpool224/256.  There is no way to use it without this algorithm (which was designed to avoid patent problems).

Perhaps AusweisApp2 should be removed from Fedora because there is no way to use it there.

Comment 7 wurstsemmel 2021-12-02 21:51:04 UTC
I am also able to confirm on Fedora 35.

@rh-bugzilla For my understanding: Although the algorithm brainpool224/256 was designed to avoid patent problems, it was removed from Fedora (see https://bugzilla.redhat.com/show_bug.cgi?id=2000306#c1). Sorry for asking, but in the link to the patch I do not find the reason for removing the algorithm.

Comment 8 Christian Glombek 2021-12-02 22:07:54 UTC
Yes, I think it must be the curve used on the ID card itself. I can confirm this with the Kobil IDToken as well as using an iPhone via the Apple app there as card reader on F35.

I wonder whether the curve was removed because it is known that inclusion would violate a patent, or merely as a precaution. The patch does not make that clear.

The German BSI agency states:

> 1.1. Patents and side-channel attacks
> In implementations, patents and side-channel attacks play an important role.
> The algorithms described in this guideline have been carefully selected to allow patent-free
> and/or license-free implementations. Nevertheless, some of the described algorithms or its par-
> ticular implementations may be subject of patent rights. The BSI shall not be held responsible
> for identifying any or all such patent rights.
> Implementors and security evaluators shall also pay attention to [6], which gives a general
> guidance to assess the side-channel resistance of implementations on smartcards

Source: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_V-2-0_pdf.pdf?__blob=publicationFile

That doc was last updated 2012 and recommends only Brainpool curves, so it seems it was at least then assumed the algos can be implemented without touching on patents.

Could removal of those be reevaluated? cc @t8m

Comment 10 Tomáš Mráz 2021-12-07 09:13:20 UTC
(In reply to Christian Glombek from comment #8)

> Could removal of those be reevaluated? cc @t8m

2

Comment 11 Tomáš Mráz 2021-12-07 09:14:12 UTC
(In reply to Christian Glombek from comment #8)

> Could removal of those be reevaluated? cc @t8m

@sahana is the maintainer of OpenSSL now.

Comment 12 Norbert Jurkeit 2021-12-07 10:36:35 UTC
(In reply to Enrico Scholz from comment #6)

> Perhaps AusweisApp2 should be removed from Fedora because there is no way to
> use there.

The German ID card does work with Fedora if the card reader "cyberJack RFID standard" (or possibly similar devices) is used, therefore I'd appreciate keeping this package.

Nevertheless it is smarter to reuse an existing smart phone rather than to buy a quite expensive card reader.

Comment 13 Christian Glombek 2021-12-07 15:05:38 UTC
Thanks Tomáš. We probably have to wait until a final decision is made by legal (https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/WUQNAB4EPWSJMMVECL2TZGKB5KIDESII/)

@norbert.jurkeit that's surprising to me. For me it doesn't work even when using the phone app as remote card reader ("Fernzugriff"). Using the phone app to authenticate on the phone itself does work.
Maybe the algo was changed on newer IDs. Might I ask when yours was issued?

Comment 14 Norbert Jurkeit 2021-12-07 15:57:32 UTC
(In reply to Christian Glombek from comment #13)

> @norbert.jurkeit that's surprising to me. For me it doesn't work even
> when using the phone app as remote card reader ("Fernzugriff"). Using the
> phone app to authenticate on the phone itself does work.
> Maybe the algo was changed on newer IDs. Might I ask when yours was issued?

My ID card was issued in February 2019 and works with the mentioned USB card reader, but fails with my Android phone as remote card reader the same way as wurstsemmel described it. Therefore I am also not sure whether the missing Brainpool curve is implemented within the ID card or used for encryption between both instances of AusweisApp2.

As mentioned in comment 2 my Android phone does work as card reader with Xubuntu which I have installed in a VM for testing. This is not astonishing because "openssl ecparam -list_curves" lists Brainpool and many other curves on Xubuntu but very few curves on Fedora.

Comment 15 Benjamin Schwarze 2021-12-14 05:36:58 UTC
(In reply to Norbert Jurkeit from comment #12)
> The German ID card does work with Fedora if card reader "cyberJack RFID
> standard" (or possibly similar devices) is used, therefore I'd appreciate to
> keep this package.

Sorry, but I can't confirm this. :-(

Running F35 with "cyberJack RFID basis" it fails with the known error:

support    2021.12.14 06:31:46.785 10220 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:179) : Starting PACE for PACE_PIN
card       2021.12.14 06:31:46.785 10220 C ...urveFactory::createCurve(card/base/pace/ec/EllipticCurveFactory.cpp:45) : Error on EC_GROUP_new_by_curve_name, curve is unknown: 927
card       2021.12.14 06:31:46.785 10220 C EcdhKeyAgreement::create(card/base/pace/ec/EcdhKeyAgreement.cpp:61)        : Creation of elliptic curve failed
card       2021.12.14 06:31:46.785 10220 C PaceHandler::initialize(card/base/pace/PaceHandler.cpp:117)                : No supported domain parameters found
support    2021.12.14 06:31:46.785 10220 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:229) : Finished PACE for PACE_PIN with result PROTOCOL_ERROR

Comment 16 Norbert Jurkeit 2021-12-14 10:52:37 UTC
(In reply to Benjamin Schwarze from comment #15)
> (In reply to Norbert Jurkeit from comment #12)
> > The German ID card does work with Fedora if card reader "cyberJack RFID
> > standard" (or possibly similar devices) is used, therefore I'd appreciate to
> > keep this package.
> 
> Sorry, but i can't confirm this. :-(
> 
> Running F35 with "cyberJack RFID basis" it fails with the known error:
> 

Sorry to hear this. The only explanation that comes to my mind is the usage of different protocols (PC/SC vs. CCID) by both models according to the web site of the manufacturer.

Anyway, one reason more to get support for Brainpool curves in Fedora.

Comment 17 Bernd Schmidt 2022-03-03 17:21:04 UTC
I can probably clear things up a bit as to why for some it seems to work while for others it does not.

The PACE protocol which is used to communicate with the ID card uses the PIN to create a cryptographic channel using the Brainpool curve in question. This happens on the device where the PIN is entered. 

If the PIN is entered on a card reader with a hardware keyboard (as the mentioned cyberJack RFID standard) or a smartphone on which the AusweisApp is configured to read the PIN from the phone keyboard it will work, as these systems support the mentioned curve and the cryptographic channel is created there. 
If the PIN is entered directly in the AusweisApp running in Fedora it will not work since the curve is missing. This is the case for card readers without a hardware keyboard (e.g. cyberJack RFID basis) and for smartphones using the default setting of the AusweisApp2.

If the smartphone is used as a card reader, it is possible to enable the PIN entry on the phone as a workaround. This can be done in the settings of the AusweisApp on the phone by enabling "Pin pad mode" (or "Tastaturmodus" in German). During the reading process of the ID card the PIN will have to be entered on the phone if this setting is enabled.

Hope this helps some of you to use the app until the curves hopefully get reintroduced into Fedora.
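Added example, not code from AusweisApp2, Fedora or anyone in this thread: a small Python triage script that scans an AusweisApp2 log for the failure chain Bernd describes above (curve lookup fails with NID 927, which comment 1 identifies as brainpoolP256r1; "No supported domain parameters found"; PACE finishes with PROTOCOL_ERROR) and then asks the host's `openssl ecparam -list_curves` (the check Norbert used in comment 14) whether that curve is present at all. The regular expressions are built from the log lines quoted in the description and in comments 4 and 5; the NID-to-name map holds only the value stated in this report, the diagnosis labels are constructed for the example, and the sample log is the excerpt from comment 4 embedded as a list.

```python
"""Triage AusweisApp2 logs for the PACE/Brainpool failure discussed in this bug.

Added example, not AusweisApp2 or Fedora code. It recognises the log messages
quoted in the report and optionally checks the host's OpenSSL curve list.
"""
import re
import shutil
import subprocess

# OpenSSL NID 927 is NID_brainpoolP256r1 (comment 1). Only the value from this
# report is mapped; any other NID is reported numerically.
KNOWN_NIDS = {927: "brainpoolP256r1"}

# Message fragments taken from the log lines quoted in the description and
# in comments 4 and 5.
RE_UNKNOWN_CURVE = re.compile(r"curve is unknown: (\d+)")
RE_STD_CURVE = re.compile(r"standardized elliptic curve (\d+) not supported")
RE_NO_DOMAIN = re.compile(r"No supported domain parameters found")
RE_PACE_RESULT = re.compile(r"Finished PACE for (\w+) with result (\w+)")
RE_PCSC_CONTEXT = re.compile(r"Cannot establish context")

# Constructed sample input: the lines quoted in comment 4.
SAMPLE_LOG = [
    "support    2021.12.02 19:02:26.313 129295 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:179) : Starting PACE for PACE_PIN",
    "card       2021.12.02 19:02:26.313 129295 C ...urveFactory::createCurve(card/base/pace/ec/EllipticCurveFactory.cpp:45) : Error on EC_GROUP_new_by_curve_name, curve is unknown: 927",
    "card       2021.12.02 19:02:26.313 129295 C EcdhKeyAgreement::create(card/base/pace/ec/EcdhKeyAgreement.cpp:61)        : Creation of elliptic curve failed",
    "card       2021.12.02 19:02:26.313 129295 C PaceHandler::initialize(card/base/pace/PaceHandler.cpp:117)                : No supported domain parameters found",
    "support    2021.12.02 19:02:26.313 129295 I ...ionWorker::establishPaceChannel(card/base/CardConnectionWorker.cpp:229) : Finished PACE for PACE_PIN with result PROTOCOL_ERROR",
]


def triage(lines):
    """Summarise an iterable of AusweisApp2 log lines as a dict."""
    report = {
        "missing_curve_nids": [],
        "missing_curve_names": [],
        "unsupported_std_curve_ids": [],
        "no_domain_parameters": False,
        "pace_result": None,
        "pcsc_context_failures": 0,
    }
    for line in lines:
        m = RE_UNKNOWN_CURVE.search(line)
        if m:
            nid = int(m.group(1))
            report["missing_curve_nids"].append(nid)
            report["missing_curve_names"].append(KNOWN_NIDS.get(nid, f"NID {nid}"))
        m = RE_STD_CURVE.search(line)
        if m:
            report["unsupported_std_curve_ids"].append(int(m.group(1)))
        if RE_NO_DOMAIN.search(line):
            report["no_domain_parameters"] = True
        m = RE_PACE_RESULT.search(line)
        if m:
            report["pace_result"] = m.group(2)
        if RE_PCSC_CONTEXT.search(line):
            report["pcsc_context_failures"] += 1
    report["diagnosis"] = diagnose(report)
    return report


def diagnose(report):
    """Constructed diagnosis labels for the patterns seen in this bug."""
    curve_missing = report["missing_curve_nids"] or report["unsupported_std_curve_ids"]
    if report["pace_result"] == "PROTOCOL_ERROR" and curve_missing:
        # libcrypto on the PIN-entry host lacks the curve the card needs (comment 17)
        return "pace-curve-missing"
    if report["pace_result"] == "PROTOCOL_ERROR":
        return "pace-protocol-error-other"
    if report["pcsc_context_failures"] and report["pace_result"] is None:
        # PC/SC context never came up, so no local reader and no PACE attempt at all
        return "pcsc-unavailable"
    return "no-pace-failure-seen"


def host_curves():
    """Curve names from `openssl ecparam -list_curves` (comment 14); None if no openssl."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    proc = subprocess.run([exe, "ecparam", "-list_curves"],
                          capture_output=True, text=True, check=False)
    # Each line looks like "  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field"
    return {line.split(":", 1)[0].strip() for line in proc.stdout.splitlines() if ":" in line}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"PACE result: {summary['pace_result']}, diagnosis: {summary['diagnosis']}")
    curves = host_curves()
    for name in summary["missing_curve_names"]:
        state = "no openssl found" if curves is None else ("present" if name in curves else "absent")
        print(f"{name}: {state} in this host's OpenSSL")
```

Run it against a real log with `triage(open("AusweisApp2.log").readlines())`. A "pace-curve-missing" result together with an "absent" line from the host check is the situation in this bug: the PIN is entered on the Fedora host, so its libcrypto has to supply the curve, and the pin pad mode workaround moves that step to the phone.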

Comment 18 Benjamin Schwarze 2022-03-03 18:51:38 UTC
Great explanation Bernd ... it works!
Thank you!

Comment 19 Ben Cotton 2022-11-29 17:04:02 UTC
This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 20 Ben Cotton 2023-02-07 14:52:26 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 21 Fedora Update System 2023-03-23 18:31:00 UTC
FEDORA-2023-931b7f44af has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-931b7f44af

Comment 22 Fedora Update System 2023-03-24 03:01:34 UTC
FEDORA-2023-931b7f44af has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-931b7f44af

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 23 Fedora Update System 2023-03-26 00:20:17 UTC
FEDORA-2023-931b7f44af has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 24 Red Hat Bugzilla 2023-09-18 04:25:40 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days