Menu
▾
▴
Re: [Opensc-devel] CardOS 5.3 driver
|
From: Jakub J. <jj...@re...> - 2017-03-20 12:41:52
|
On 03/19/2017 10:30 PM, Douglas E Engert wrote: > In regards to RSA_X_509, it may be the algorithm flags are wrong. > > An RSA_X_509 operation to a card can be the same operation used to sign > a padded block the size of the key, or to decrypt a key size block and > return the results, without removing any padding, which allows for using > other other padding mechanisms. The cardos driver has its method to compute signature, which works with a little bit of guesswork [1] what method will be available and in case in the need of the others, it fixes the padding, if I read the comments and code right. This can not be used by the decryption, because you don't know what random bytes were added as a padding while encrypting. > It could also be the senv is setting flags that tell the card to remove > the padding whenit should not, or the card can not do RSA_X_509. > > It would be interesting to see an opensc-debug.log for > sc_pkcs15_decipher > when it calls sc_get_encoding_flags in padding.c Without the first commit in my branch it fails during setting up security environment [2]. After adding this commit, RSA_X_509 mechanism succeeds and RSA_PKCS fails (the logs also in the linked gist [2]). In the readme, there are also command I used to create the encrypted data using OpenSSL (in case there could go something wrong, though the tests were performed also with the same testsuite I use for other cards). Let me know if you want the whole logs. [1] https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-cardos.c#L888 [2] https://gist.github.com/Jakuje/5a993d2b2d8a9cac35203599e49e6831#file-opensc-master-log Jakub > On Fri, Mar 17, 2017 at 6:38 AM, Jakub Jelen <jj...@re... > <mailto:jj...@re...>> wrote: > > Hello all, > we got several CardOS 5.3 cards that I tried to implement support for in > OpenSC. The initial detection is already merged [1]. > > The approach used CardOS 5.0 was not working everywhere so before > submitting the pull request with all the changes, I would like to hear > some feedback on some questionable parts and preferable verify that the > changes are not breaking anything that worked with CardOS 5.0 as > originally implemented years ago (adding szikora, who implemented > initial CardOS 5.0 support in PR#170) or if some of the concepts in new > cards work also in the old ones. > > All changes are in my branch [2] are in four commits > > The first two make the signatures working: > * Separately detect 5.3 version and use p1 = 0x41 for security > environment -- will it work also in the old cards? > * Remove SC_ALGORITHM_NEED_USAGE which prevented using > cardos_compute_signature() with 5.3 cards. Does 5.0 or older cards need > that? > > The last two changes are more hackish and used to make decipher > mechanisms working (it looks like the card strips all the padding). Or > is there any possibility to disable in OpenSC RSA_X_509 raw decipher > mechanisms for this driver? > > Comments, thoughts? > > [1] https://github.com/OpenSC/OpenSC/commit/ac96e73 > <https://github.com/OpenSC/OpenSC/commit/ac96e73> > [2] https://github.com/Jakuje/OpenSC/commits/jjelen-cardos53 > <https://github.com/Jakuje/OpenSC/commits/jjelen-cardos53> > > Regards, > -- > Jakub Jelen > Software Engineer > Security Technologies > Red Hat > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > <mailto:Ope...@li...> > https://lists.sourceforge.net/lists/listinfo/opensc-devel > <https://lists.sourceforge.net/lists/listinfo/opensc-devel> > > -- Jakub Jelen Software Engineer Security Technologies Red Hat |
