Authentication key on a card with KDF enabled cannot be used on PKCS#11

[wreps8Owt]

PKCS#11 is provided by OpenSC.
certtool --ask-pass -s --template ca.tmpl --load-privkey "pkcs11:token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=private" --outfile ca.crt can successfully generate a self-signed certificate for personal CA from an OpenPGP card 2.1 from ZeitControl (what https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.4 used to sell), but failed on my J3H145 running SmartPGP, with the following error error importing key at pkcs11:token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=private: PKCS #11 error in data after entering the user PIN. Both card have an RSA key in their Authentication slot.

My J3H145 running SmartPGP has KDF enabled. Is this related?

[wreps8Owt]

certtool --ask-pass -s --template ca.tmpl --load-privkey "pkcs11:token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=private" --outfile ca.cr does work well on another java card running SmartPGP but without KDF enabled, so it seems that enabling KDF may break compatibilities with other applications if they do not support KDF of OpenPGP card 3 standard.

[af-anssi]

This problem does not come from the applet but from the OpenSC or GnuPG middleware. The applet does not perform any operation to derive the actual PIN when KDF is enabled; this is done entirely on the "client" side.

[af-anssi]

@wreps8Owt Have you been able to identify which part on the "client" side is responsible of this behavior ?

[wreps8Owt]

@wreps8Owt Have you been able to identify which part on the "client" side is responsible of this behavior ?

I guess it is the main library of the OpenSC project: libopensc.so. The PKCS#15 emulation of OpenPGP card should be implemented here.

[af-anssi]

I see you have opened an issue in Opensc OpenSC/OpenSC#2742.