-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Towards a new release 0.18.0 #1260
Comments
|
thanks, I've added this to the list. |
EstEID ECDSA and ECDH, or just ECC |
updated to the most recent merges |
|
#1319 is not ready, see my comment here. #1325 needs testing. The changes are small enough to be integrated, if the requested changes/comments get done quickly. |
I suggested the fix should be in pkcs15-sec.c #1319 to catch the problem for all cards. The card in question is from ZeitControl. Anyone using their developer kit can write an applet and If someone feels #1319 is not the place for the fix, submit a different PR. I have no way to test it. The fix is not trivial when added to card-openpgp.c. The openpgp_compute_signature does not have direct access to the RSA modlen, as pkcs15-sec.c does not pass it in the senv and card-openpgp.c does save it in card->drvr_data. The driver has relied on the card returning the correct length of a signature. |
I would like to point out that Estonian ID cards are not usable at all with released versions of OpenSC since October or so, and every distribution needs to grab patches to correct this issue for a million potential users. Some distribution maintainers don't want to do that and prefer if OpenSC had it in a released version. I can imagine similar issues for other smartcards or use cases collected over the many months. Doing only one release per year is very problematic for that. Please simply release more often... Please seriously consider fixing the release process to not happen only once a year. If they happened more often, it wouldn't be such a huge issue in punting things to a later release and delaying a release for months, forcing the latest version to still have the countless other bugs and miss the new features for many more months than necessary. |
This is a community project. If you want change to happen, then engage and do what you think is needed! If there are problems that are not yet solved, please open a ticket. If you think some Estonian organization is obliged to fix things, please talk to them; we're happy to take their (or your) contribution. |
I have no access to make and upload releases more often, which is all that's needed here. Your suggestion to engage is a non-starter. I did open a ticket to ask for a release (#1216); this was closed in November 2017 with a pointer to the 0.18 release progress board. It is now April 2018 with no release having happened still, and released versions are still broken. The relevant Estonian organizations fixed all this about 5 months ago, but there is no OpenSC release that actually contains the fixes. Actually get the improvements this community is making out to its users! Effectively it is still broken, and only because releases happen only once a year. Currently we are waiting for a release that fixes hundreds of issues over 0.17.0 for months now due to waiting on 2-3 issues someone deemed nice to fix for the release, probably all of which are an issue with 0.17.0 as well. It seems the 0.18 progress board is mostly clean now, so I hope it finally happens now, but please seriously consider doing more periodic releases going forward to avoid such problems. This can be very frustrating to your active contributors as well, if they have to wait 6+ months to actually get their code out to users... |
@leio do you volunteer to maintain OpenSC and perform the release process? |
No, I just want to be able to do internet banking without custom local downstream packages of my own after waiting for 5 months, as my opensc downstream maintainer prefers a release, not picking a patchset and hoping all is fine. And I didn't push for the patchset because the release progress board only had a couple things back then and a release seemed imminent. But now 4 months later, still nothing and still waiting. My actual useful volunteering to package esteid stuff in Gentoo (as opposed to having it available only in the rough equivalent of PPAs in a broken form due to no working OpenSC) is also blocked on OpenSC fixes getting into a release. Very frustrating. |
@leio do you have the necessary patches for OpenSC to make it work with Estonian ID? If so - where can I get those fixes from? Also, do you happen to know if Latvian eID is the same as Estonian - i.e., if the fixes for EstID would enable Latvian eID as well? When you say "release" - do you mean providing compiled binaries? Or a version tag in Github? Or...? In general I'd agree that we should release more often... |
Patches are already in master
|
@metsma I'm sorry, but what/where is EstEID master? And do you happen to know if Latvia and Estonia have the same eID standard (i.e., whether the code for EstEID should work with Latvian tokens)? |
@mouse07410 I mean https://github.com/OpenSC/OpenSC/releases of course. Anyhow, a rc1 is out by now, so hopefully not much longer to wait for this case. Concerns remain about the frequency, but at least I and my fellow distribution users can do internet banking once 0.18 is released finally; until the next case of needed fixes or feature additions. I don't know anything about Latvian eID. The EstEID stuff was for ECDSA/ECDH token support, which was necessary after ROCA incident (different tokens or whatnot used that weren't vulnerable to ROCA but the issued cards supported after OpenSC and other updates) - https://en.wikipedia.org/wiki/Estonian_ID_card#Weak_key_vulnerability - the necessary things for getting that to work again have been in OpenSC since November, but still not in a released version - which is what distributions package for Linux users (some have decided to include the necessary patches by themselves out of necessity, but not my distro, which is waiting for 0.18). I hadn't read anything from the media about Latvian cards being subject to ROCA too. I'll conclude my involvement here on this ticket. There's been enough food for thought given for the future, and it looks like 0.18 is happening soon now anyways with rc1 already out, solving my months long wait hopefully soon. |
Please consider #1334 for 0.18.0 |
@mouse07410 While Estonia and Latvia share a border, there is no relation (in terms of code compatibility in OpenSC) in eID card standards. |
@martinpaljak thank you for the answer. But I'm missing one thing: as I understand, both Estonia and Latvia are now in the EU. Isn't there some common eID standard that allows one EU member country to verify/validate an eID issued by another member country? |
EU regulates only cross border digital signatures but not smart cards and middleware. |
I see. Since the signatures comply with the same standard, can I assume they are ECC? Over what curves - NIST? Or Brainpool? Also, do they validate the eID itself "abroad"? Or do they only validate documents that are digitally signed with eID? |
Estonian cards RSA 2048 (old generation cards) and ECC 384 NIST (new RSA broken and updated cards). |
thanks all for your help |
I think it's time to prepare and publish the next major release, @OpenSC/core, @OpenSC/maintainers.
I've created https://github.com/OpenSC/OpenSC/projects/4 with the open tasks I'd still like to see resolved for the release (Please extend the list if you're missing something).
Though I'd like to create a release candidate in about two weeks, I'm currently clueless on how to resolve #1226, which is somewhat of a blocker for a new release. I'm not sure if the problem is caused by OpenSC, my setup or my cards; some more independent input would be nice...
Below you'll find a draft for an update of the NEWS file:
General Improvements
--disable-strict
to avoid)keep_alive
commands for cards with multiple applets to be enabled viaopensc.conf
old
for selectingcard_drivers
viaopensc.conf
leave
as default fordisconnect_action
for PC/SC readersPKCS#11
Minidriver
CriticalSection
Tokend
ignore_private_certificate
)CryptoTokenKit
OpenSC Tools
cardos-tool
pkcs11-tool
pkcs11-spy
pkcs15init
egk-tool
opensc-asn1
opensc-tool
/opensc-explorer
Authentic
Coolkey
Common Access Card
GoID
MyEID
IAS/ECC
PIV
CKA_ALWAYS_AUTHENTICATE
(i.e. PKCS#11C_Login(CKU_CONTEXT_SPECIFIC)
)CardOS
"3b:d2:18:00:81:31:fe:58:c9:02:17"
max_send_size
for PSO:DECDNIe
GIDS
epass 3000
Starcos
EstEID
OpenPGP
German ID card
SC-HSM
Starcos
MioCOS
card_drivers = old;
to enable; driver will be removed soon.BlueZ PKCS#15 applet
card_drivers = old;
to enable; driver will be removed soon.The text was updated successfully, but these errors were encountered: