help: state machine is DEAD. Reset the card first.

help: state machine is DEAD. Reset the card first.

Paulo Lopes
Hi everyone,

For a while I've been using a gnupg card with success and today I tried to also use it for openid authentication, so I followed the scute documentation and got it to work, until I decided to import the X509 certificate to the card...

so I got my pem file and did what was on many websites:

gpg2 --edit-card > admin > writecert 3 < file.crt

Now ever since that moment I get this in my syslog:

Sep 23 14:34:03 WLT000113 pcscd: openct/proto-t1.c:170:t1_transceive() T=1 state machine is DEAD. Reset the card first.
Sep 23 14:34:03 WLT000113 pcscd: ifdwrapper.c:527:IFDTransmit() Card not transacted: 612
Sep 23 14:34:03 WLT000113 pcscd: winscard.c:1612:SCardTransmit() Card not transacted: 0x80100016

(many many times)

Also now my authentication crashes all the time and scute under firefox too...

I've tried to reset the card with, and after a lot of retries I got it reset.

So my question is, can I have my 3 keys + 1 cert in the card? How can I import the cert? Is there another PKCS11 alternative to scute that uses the card or must I use gpgsm to add the cert to my keyring on the disk and leave it there?

Best regards,
Paulo

--
Paulo Lopes
www.jetdrone.com

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: help: state machine is DEAD. Reset the card first.

Damien Goutte-Gattat
Hi,

On 09/23/2014 04:14 PM, Paulo Lopes wrote:
> so i got my pem file and did what was on many websites:
>
> gpg2 --edit-card > admin > writecert 3 < file.crt

You must first encode the PEM certificate in DER format:

$ openssl x509 -inform PEM -in file.crt -outform DER -out file.der

Then you can import the DER-encoded certificate onto the card.


Damien



Re: help: state machine is DEAD. Reset the card first.

Paulo Lopes
so with the reset card I converted the X509 to DER format and imported it, gpg2 did not report any error but my syslog states:

[ 4792.299961] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 6 ep 4 with no TDs queued?

lots and lots of times....

Then I thought, it is saved so let's read it...

readcert 3 > out.der

and i get:

gpg/card> readcert 3 > out.der
gpg: error reading certificate from card: Not found

BTW I am using Ubuntu 14.04 64bit if that means anything...

gpg (GnuPG) 2.0.22
libgcrypt 1.5.3




--
Paulo Lopes
www.jetdrone.com


Re: help: state machine is DEAD. Reset the card first.

Werner Koch
In reply to this post by Paulo Lopes
On Tue, 23 Sep 2014 16:14, [hidden email] said:

> Sep 23 14:34:03 WLT000113 pcscd: openct/proto-t1.c:170:t1_transceive() T=1
> state machine is DEAD. Reset the card first.
> Sep 23 14:34:03 WLT000113 pcscd: ifdwrapper.c:527:IFDTransmit() Card not
> transacted: 612

"card not transacted" used to be a catch-all error of pcsclite.  Please
try the internal driver of scdaemon: Stop pcscd and that driver will be
used.  If that still does not work check the permissions of the USB
device (you need write access) and add

--8<---------------cut here---------------start------------->8---
debug 2048
debug-ccid-driver
log-file /foo/bar/scd.log
--8<---------------cut here---------------end--------------->8---

to ~/.gnupg/scdaemon.conf.  Kill scdaemon ("gpgconf --kill scdaemon" or
"pkill scdaemon")

> So my question is, can i have my 3 keys + 1 cert in the card? how can i

Yes.  Please use a recent version of GnuPG because a bug concerning the
reading of long certificates was recently fixed.


Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.



Re: help: state machine is DEAD. Reset the card first.

Werner Koch
In reply to this post by Paulo Lopes
On Tue, 23 Sep 2014 17:31, [hidden email] said:

> gpg (GnuPG) 2.0.22

In case your certificate (DER format) is larger than 1024 bytes, you are
affected by this bug:

  Date:   Fri Jul 18 18:22:26 2014 +0200

    scd: Allow for certificates > 1024 with PC/SC.

    * scd/pcsc-wrapper.c (handle_transmit): Enlarge buffer to 4096 to
    allow for larger certificates.

That fix went into 2.0.26.  The internal ccid-driver is not affected.


Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.
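
Added example (not part of the thread and not GnuPG code): a pre-flight check in Python covering both the PEM-to-DER step from Damien's reply and the size limit described in the message above. The function names and the zero-filled sample are constructed for illustration; the 1024-byte threshold, the 2.0.26 fix version and the PC/SC-only scope are the ones stated in this thread.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PCSC_LIMIT = 1024        # DER size above which the thread says PC/SC access breaks
FIXED_IN = (2, 0, 26)    # upstream release the thread says carries the fix


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the input file was PEM or already DER."""
    text = data.strip()
    if text.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return data


def der_total_length(der: bytes) -> int:
    """Size of the outer SEQUENCE (header included) as declared by the DER itself."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not DER: first byte is not a SEQUENCE tag")
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def preflight(data: bytes, gnupg_version: tuple, uses_pcscd: bool) -> dict:
    """Check a certificate file before writing it to the card."""
    der = to_der(data)
    if der_total_length(der) != len(der):
        raise ValueError("truncated file or trailing bytes after the certificate")
    # Assumes upstream version numbers; distro builds may carry backported patches.
    at_risk = uses_pcscd and len(der) > PCSC_LIMIT and gnupg_version < FIXED_IN
    return {"der_len": len(der), "at_risk": at_risk}


def constructed_der(body_len: int) -> bytes:
    """Constructed stand-in (zero-filled SEQUENCE, 256..65535 body bytes), not a real certificate."""
    return b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)


def constructed_pem(body_len: int) -> bytes:
    """The same constructed stand-in, PEM-armoured."""
    return ssl.DER_cert_to_PEM_cert(constructed_der(body_len)).encode("ascii")


if __name__ == "__main__":
    print(preflight(constructed_pem(1200), (2, 0, 22), uses_pcscd=True))
```

Passing raw PEM bytes to `der_total_length` raises `ValueError`, which is the quickest way to confirm a file still needs converting before it is written to the card.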



RE: help: state machine is DEAD. Reset the card first.

Paulo Lopes
In reply to this post by Paulo Lopes
I just reset the card, I will load the keys again and see how it goes, btw I am using 2.0.22, is that too old?

My main issue with this is that everything has been working fine until I imported the certificate, now even gpg agent fails to do ssh authentication, which has been working fine for months...

If I reset the card, does it totally wipe it? So if I just copy the 3 keys back it will work as before?

Also and maybe pushing my luck, is there some official PPA for Ubuntu 14.04 with the latest gnupg?

Sorry for the noob questions :)

cheers,
paulo


Re: help: state machine is DEAD. Reset the card first.

Werner Koch
On Tue, 23 Sep 2014 20:57, [hidden email] said:
> I just reset the card, I will load the keys again and see how it goes, btw I am using 2.0.22, is that too old?

If you want to use pcscd you will likely run into problems with larger
certificates. 2.0.22 is indeed a bit old but I can't say that for sure
because all distros apply important patches so that your 2.0.22 may not
be identical to the upstream 2.0.22.

> My main issue with this is that everything has been working fine until
> I imported the certificate, now even gpg agent fails to do ssh
> authentication, which has been working fine for months...

That is indeed strange.

> If I reset the card, does it totally wipe it? So if I just copy the 3 keys back it will work as before?

Yes.  If you created the keys off-card and imported them to the card you
can do that again.  If the keys have been created on-card (default for
sign and ssh key) - they are lost.


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.

