card-epass2003.c - get pass failure in get_external_key_retries
get_external_key_retries APDU uses SC_APDU_CASE_1, 0x82, 0x01, 0x80 | kid which is trapped and calls construct_mac_tlv_ which calls aes128_encrypt_cmac_ft.

This is a version of CMAC which used EVP_CIPHER *alg = sc_evp_cipher(card->ctx, "AES-128-ECB"); for creating the subkeys k1 and k2 and for doing the final encrypt to produce the MAC.

See NIST SP 800-38B 6.2 MAC Generation.
CMAC should use AES-128-CBC for both subkey and final encryption.

It looks like this is a fix for some cards, but only in FIPS.

Changes to be committed:
modified: libopensc/card-epass2003.c
84ce488
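The subkey and final-block steps of NIST SP 800-38B that the commit message refers to, as an added example that is not part of this commit or of OpenSC. In SP 800-38B the subkeys come from one block-cipher call, L = CIPH_K(0^128), followed by two doublings; the sketch takes L as input instead of calling a cipher, uses the published RFC 4493 AES-128 test vector for L, and its function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16
/* RFC 4493 test vector: L = AES-128(K, 0^128), K = 2b7e1516 28aed2a6 abf71588 09cf4f3c */
static const uint8_t RFC4493_L[BLK] = {
    0x7d, 0xf7, 0x6b, 0x0c, 0x1a, 0xb8, 0x99, 0xb3,
    0x3e, 0x42, 0xf0, 0x47, 0xb9, 0x1b, 0x54, 0x6f };

/* Multiply by x in GF(2^128): shift left one bit; if a 1 was shifted out,
 * XOR R_128 = 0x87 into the last byte. in and out must not overlap. */
static void gf128_double(const uint8_t in[BLK], uint8_t out[BLK])
{
    for (int i = 0; i < BLK - 1; i++)
        out[i] = (uint8_t)((in[i] << 1) | (in[i + 1] >> 7));
    out[BLK - 1] = (uint8_t)((in[BLK - 1] << 1) ^ ((in[0] & 0x80) ? 0x87 : 0x00));
}

/* SP 800-38B 6.1: K1 = L*x, K2 = K1*x (hypothetical function name). */
void cmac_subkeys(const uint8_t L[BLK], uint8_t k1[BLK], uint8_t k2[BLK])
{
    gf128_double(L, k1);
    gf128_double(k1, k2);
}

/* SP 800-38B 6.2: mask the final block. A complete 16-byte block is XORed
 * with K1; a short (or empty) one is padded with 0x80 00.. and XORed with K2.
 * Returns 1 or 2 for the subkey used, -1 if len > 16. */
int cmac_last_block(const uint8_t *tail, size_t len, const uint8_t k1[BLK],
                    const uint8_t k2[BLK], uint8_t out[BLK])
{
    if (len > BLK) return -1;
    const uint8_t *k = (len == BLK) ? k1 : k2;
    memset(out, 0, BLK);
    if (len > 0) memcpy(out, tail, len);
    if (len < BLK) out[len] = 0x80;
    for (int i = 0; i < BLK; i++) out[i] ^= k[i];
    return (len == BLK) ? 1 : 2;
}

int main(void)
{
    uint8_t k1[BLK], k2[BLK];
    cmac_subkeys(RFC4493_L, k1, k2);
    for (int i = 0; i < BLK; i++) printf("%02x", k1[i]);
    puts("");
    return 0;
}
```

The masked block returned by `cmac_last_block` is what gets XORed into the running CBC state before the last cipher call that yields the MAC.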
This is a fix for some cards which are in FIPS, and only these cards will run this code.
I know. That was the first problem I fixed. where
with this APDU:
If I `git cherry-pick 84ce488355a58b2e86775a2022d71cd41497992b` github master at: `993e6469bd1861a0c24d1b013d05a8518eda8af0` and reinitialize the card, the command above works.
`./pkcs15-init --generate-key rsa/2048 --auth-id 01 --key-usage sign --id 01 --label "Key01"` works, but this does not:
It fails on the RSA signature operation:
ISO 7816-4 does not define `6F 83`. What does `6F 83` mean from the epass2003?
"What version of OpenSC are you using? Do you have a token that matches
The token I purchased 2 weeks ago: "EPass2003FIPS" "FEITIN ePass2003PKI USB_A TOKEN FIPS 140-2"
RSA-2048 does not work, ECDSA works.