From: Jakub J. <jj...@re...> - 2017-03-22 09:10:56
On 03/20/2017 06:08 PM, Douglas E Engert wrote:
> First of all, I can not do much until late next week.
>
> What I was pointing out is sc_get_encoding_flags takes the algorithm
> flags and breaks them apart into what the card is expected to do, and
> what OpenSC software will do. i.e. who adds/removes the padding. The
> card's senv routine can then tell the card what it needs to do. The
> algorithm flags should only indicate what the card (or the card driver)
> can do. I hope you would find the debugging messages useful so you
> could set the algorithm flags to match what the card and card driver and
> its senv routine can do.
>
> There may be a difference in the term RAW. From the PKCS#11
> CKM_RSA_X_509 the input and output will both be the key size and the
> calling application will do all hashing and padding for both sign and
> decrypt. If the card (and driver) can not do this, then the CKM_RSA_X_509
> should not be registered.
>
> Actually PKCS#11 mechanisms also have a HW flag, indicating the
> mechanism is performed in hardware, so claiming it is hardware, but
> doing parts in the driver can be misleading to an application.
>
> It sounds like the card has SC_CARD_CAP_ONLY_RAW_HASH_STRIPPED
> and SC_CARD_CAP_ONLY_RAW_HASH. These do not sound like CKM_RSA_X_509
> to me but more about does the card expect the hash to be stripped or not.

Thank you for your time. I played a bit more with the flags specified in the cardos_init() and managed to "turn off" the RSA_X_509 mechanism by specifying SC_ALGORITHM_RSA_PAD_PKCS1 (other mechanisms stay intact).

https://github.com/Jakuje/OpenSC/commit/489508cf

This has a "side effect" of disabling the RSA_X_509 mechanisms also for the signatures, but that should not be a big deal, because the signature routine has also some hacks to strip padding from data for signatures in case it fails to sign data with padding. I am not sure if this even worked in older CardOS cards.

I will file a pull request with the changes so far and try to ping people who contributed parts of CardOS drivers, if they can verify functionality with their cards (or if this can be changed in older versions too).

Thanks,
Jakub