Summary
On Windows, a non-YubiKey PC/SC reader that returns a hard pcsc transport error (rather than a soft "PIV applet not found" APDU status) aborts the entire reader enumeration, so --list (and other commands) fail even though a working YubiKey is connected on a different reader.
In my case the offending reader is Microsoft UICC ISO Reader — i.e. the SIM card of my laptop's built-in cellular modem (Intel XMM 7360 LTE-A), which Windows exposes to PC/SC as a smart-card reader. The plugin connects to it first, tries to SELECT the PIV applet, gets PC/SC error: An internal error has been detected, but the source is unknown, and aborts before it ever reaches the YubiKey's reader.
This is the same class of problem as #78 (Windows Hello for Business virtual smartcard), but the fix in #129 only tolerates the soft rejection (6a82 → "Missing PIV applet"). A hard PC/SC error is not tolerated, so enumeration aborts.
Environment
- OS: Windows 11 Pro 10.0.22621
- age-plugin-yubikey: v0.5.1 (prebuilt x86_64-windows release binary)
- YubiKey: 5-series, OTP+FIDO+CCID mode (USB PID 0x0407), working PIV applet
- Conflicting reader: Microsoft UICC ISO Reader 7861926a 0 — the SIM of an Intel XMM 7360 LTE-A cellular modem
- Note: the UICC reader does not appear as a SmartCardReader-class PnP device; it is registered directly with the PC/SC resource manager, so it is only visible via SCardListReaders (which is what the plugin enumerates).
What happened
> age-plugin-yubikey --list
Error: Error while communicating with YubiKey: PC/SC error: An internal error has been detected, but the source is unknown
Cause: An internal error has been detected, but the source is unknown
Deterministic — fails identically on every run.
Trace ($env:RUST_LOG="trace")
[INFO yubikey::yubikey] connected to reader: Microsoft UICC ISO Reader 7861926a 0
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
[TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
[ERROR yubikey::transaction] failed communicating with card: 'PC/SC error: An internal error has been detected, but the source is unknown'
[ERROR yubikey::yubikey] Could not use reader: PC/SC error: An internal error has been detected, but the source is unknown
[INFO yubikey::yubikey] connected to reader: Microsoft UICC ISO Reader 7861926a 0
[TRACE yubikey::apdu] >>> Apdu { cla: 0, ins: SelectApplication, p1: 4, p2: 0, data: [160, 0, 0, 3, 8] }
[TRACE yubikey::transaction] >>> [0, 164, 4, 0, 5, 160, 0, 0, 3, 8]
[ERROR yubikey::transaction] failed communicating with card: 'PC/SC error: An internal error has been detected, but the source is unknown'
[ERROR yubikey::yubikey] Could not use reader: PC/SC error: An internal error has been detected, but the source is unknown
Error: Error while communicating with YubiKey: PC/SC error: An internal error has been detected, but the source is unknown
The trace never reaches the YubiKey's reader (Microsoft Usbccid Smartcard Reader (WUDF)); it aborts on the UICC reader's hard error.
Root cause
--list iterates readers and, per #129, is meant to skip readers that lack the PIV applet. But #129 only handles the soft case — a reader that responds to SELECT PIV with 6a82 (NotFoundError). A reader that fails at the PC/SC transport level (here: SCARD_* internal/unknown error when transmitting to the SIM) produces an Err that is treated as fatal, aborting the whole command.
Suggested fix
Treat a per-reader hard PC/SC error during PIV applet selection the same way #129 treats a missing applet: log a warning and skip that reader, continuing enumeration, rather than aborting. e.g.:
[WARN age_plugin_yubikey::key] Ignoring Microsoft UICC ISO Reader 7861926a 0: PC/SC error during PIV select
For "list all" style commands, skipping the unusable reader and returning results from the remaining (working) readers matches the intent of #78/#129. Non-list commands (--generate, decrypt by serial) would similarly benefit from skipping unusable readers instead of failing on the first one.
This would let YubiKey + age work out-of-the-box on the very common class of laptops that have a built-in cellular modem (which surfaces the SIM as a PC/SC reader).
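The difference between the reported behaviour and the suggested one, as an added sketch that is not code from age-plugin-yubikey or the yubikey crate. The types `SelectPiv`, `Reader` and `Listing`, the reader outcomes, and the reader named "Constructed Virtual Reader 0" are assumptions made for illustration; no PC/SC calls are made.

```rust
// Constructed model of reader enumeration; no real PC/SC calls are made.
enum SelectPiv {
    Selected,                 // card answered SELECT PIV successfully
    AppletNotFound,           // soft rejection: status word 6a82
    Transport(&'static str),  // hard error from the PC/SC layer, no status word
}
struct Reader { name: &'static str, select: SelectPiv }
#[derive(Debug, Default)]
struct Listing { usable: Vec<&'static str>, skipped: Vec<(&'static str, String)> }

// Behaviour reported in the issue: 6a82 is skipped, a transport error aborts.
fn list_strict(readers: &[Reader]) -> Result<Vec<&'static str>, String> {
    let mut usable = Vec::new();
    for r in readers {
        match &r.select {
            SelectPiv::Selected => usable.push(r.name),
            SelectPiv::AppletNotFound => continue,
            SelectPiv::Transport(e) => return Err(format!("PC/SC error: {}", e)),
        }
    }
    Ok(usable)
}

// Suggested behaviour: record why a reader was skipped and keep going.
fn list_tolerant(readers: &[Reader]) -> Listing {
    let mut out = Listing::default();
    for r in readers {
        match &r.select {
            SelectPiv::Selected => out.usable.push(r.name),
            SelectPiv::AppletNotFound => out.skipped.push((r.name, "Missing PIV applet".into())),
            SelectPiv::Transport(e) => out.skipped.push((r.name, format!("PC/SC error: {}", e))),
        }
    }
    out
}

// Constructed reader set: two names from the report plus one hypothetical virtual reader.
const INTERNAL: &str = "An internal error has been detected, but the source is unknown";
fn sample_readers() -> Vec<Reader> {
    vec![
        Reader { name: "Microsoft UICC ISO Reader 7861926a 0", select: SelectPiv::Transport(INTERNAL) },
        Reader { name: "Constructed Virtual Reader 0", select: SelectPiv::AppletNotFound },
        Reader { name: "Microsoft Usbccid Smartcard Reader (WUDF)", select: SelectPiv::Selected },
    ]
}

fn main() {
    let r = sample_readers();
    println!("{:?}\n{:?}", list_strict(&r), list_tolerant(&r));
}
```

Keeping the per-reader reason in `skipped` lets a caller still report the underlying PC/SC error when no usable reader remains, instead of silently returning an empty list.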