RFE: make EC_POINT_NO_ASN1_OCTET_STRING a runtime option in pkcs11-tool #1286

Closed
aalba6675 opened this issue Mar 18, 2018 · 4 comments · Fixed by #1287
Comments

@aalba6675 (Contributor) commented Mar 18, 2018

Problem Description

Version: RHEL packaging opensc-0.16.0-5.20170227git777e2a3.el7.x86_64

For pkcs11-tool --write of EC public keys, the SafeNet HSM requires the full DER (including TAG and LENGTH). Depending on the packager's option we send the full DER or just the content bytes.

Proposed Resolution

A command-line option for pkcs11-tool to enable or disable the DER TAG/LENGTH when writing EC public keys.

Steps to reproduce

  1. opensc compiled without EC_POINT_NO_ASN1_OCTET_STRING; e.g. CentOS/RHEL packaging
  2. pkcs11-tool --write ec_public_key.der fails on the SafeNet HSM with an invalid EC_POINT
  3. rebuild the package with EC_POINT_NO_ASN1_OCTET_STRING defined; then the --write works

See also

#1285
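As an added illustration (this is not OpenSC code and not from the issue's author), the two CKA_EC_POINT encodings the report contrasts, built in C from a raw uncompressed point. PKCS#11 defines CKA_EC_POINT as the DER encoding of the ANSI X9.62 ECPoint value, i.e. an OCTET STRING wrapping `04 || X || Y`; "content bytes" is that same `04 || X || Y` with the OCTET STRING tag and length stripped. The sample points below are constructed filler (no real curve arithmetic, no HSM or card is touched), and the function names are this example's own. It also shows the caveat a practitioner hits when distinguishing the two forms: both begin with 0x04 (the OCTET STRING tag vs. the uncompressed-point prefix), so the DER length has to be parsed rather than sniffing the first byte.

```c
/* Added example, not OpenSC code: wrap a raw EC point (04||X||Y) into the
 * DER OCTET STRING that PKCS#11 specifies for CKA_EC_POINT, and classify a
 * given CKA_EC_POINT value as "full DER" or "content bytes".
 * Sample points are constructed filler; sizes 65 and 133 match P-256 and
 * P-521 uncompressed points respectively (assumed, not taken from the issue). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Encode a DER length: short form below 0x80, long form 0x81/0x82 above.
 * Returns bytes written, 0 if out is too small or len is unsupported. */
size_t der_len_encode(size_t len, uint8_t *out, size_t out_cap)
{
    if (len < 0x80) {
        if (out_cap < 1) return 0;
        out[0] = (uint8_t)len;
        return 1;
    }
    if (len <= 0xFF) {
        if (out_cap < 2) return 0;
        out[0] = 0x81; out[1] = (uint8_t)len;
        return 2;
    }
    if (len <= 0xFFFF) {
        if (out_cap < 3) return 0;
        out[0] = 0x82; out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
        return 3;
    }
    return 0; /* EC points never get this large */
}

/* Wrap content bytes (04||X||Y) as OCTET STRING { 04||X||Y }.
 * Returns the total length written, 0 on error. */
size_t ec_point_to_octet_string(const uint8_t *pt, size_t pt_len,
                                uint8_t *out, size_t out_cap)
{
    uint8_t lenbuf[3];
    size_t n;
    if (pt_len == 0 || out_cap < 1) return 0;
    n = der_len_encode(pt_len, lenbuf, sizeof lenbuf);
    if (n == 0 || out_cap < 1 + n + pt_len) return 0;
    out[0] = 0x04;                    /* OCTET STRING tag */
    memcpy(out + 1, lenbuf, n);       /* DER length */
    memcpy(out + 1 + n, pt, pt_len);  /* content: 04 || X || Y */
    return 1 + n + pt_len;
}

/* Classify a CKA_EC_POINT value: 1 = DER OCTET STRING holding an uncompressed
 * point, 0 = bare content bytes, -1 = neither. The DER check parses the
 * length and requires it to cover the value exactly; a first-byte test alone
 * cannot tell the two forms apart because both start with 0x04. */
int ec_point_classify(const uint8_t *v, size_t v_len)
{
    size_t hdr = 0, clen = 0;
    if (v_len < 3 || v[0] != 0x04) return -1;
    if (v[1] < 0x80)                      { hdr = 2; clen = v[1]; }
    else if (v[1] == 0x81 && v_len >= 3)  { hdr = 3; clen = v[2]; }
    else if (v[1] == 0x82 && v_len >= 4)  { hdr = 4; clen = ((size_t)v[2] << 8) | v[3]; }
    if (hdr && hdr + clen == v_len && v[hdr] == 0x04 && (clen % 2) == 1)
        return 1;                         /* tag, exact length, inner 04, 1+2k bytes */
    if ((v_len % 2) == 1) return 0;       /* 04 || X || Y with equal-size X, Y */
    return -1;
}

/* Run both sizes through the wrapper and classifier; returns 1 on success. */
int selfcheck(void)
{
    uint8_t pt[133], out[140];            /* constructed filler points */
    size_t sizes[2] = { 65, 133 }, i, n;
    for (i = 0; i < 2; i++) {
        memset(pt, 0xAB, sizeof pt);
        pt[0] = 0x04;
        n = ec_point_to_octet_string(pt, sizes[i], out, sizeof out);
        if (n != sizes[i] + (sizes[i] < 0x80 ? 2 : 3)) return 0;
        if (ec_point_classify(out, n) != 1) return 0;
        if (ec_point_classify(pt, sizes[i]) != 0) return 0;
        printf("point %zu bytes -> DER %zu bytes, header %02x %02x%s\n",
               sizes[i], n, out[0], out[1], n - sizes[i] == 3 ? " (long form)" : "");
    }
    return 1;
}

int main(void)
{
    return selfcheck() ? 0 : 1;
}
```

Note the P-521 case: a 133-byte point needs a long-form length (`04 81 85 04 ...`), which is where a hand-rolled "prepend 0x04 and the length" wrapper typically breaks, while P-256 fits the short form (`04 41 04 ...`).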

@mouse07410 (Contributor)

Does it even make sense to write EC keys not in DER?

@aalba6675 (Contributor, Author) commented Mar 18, 2018

Agreed - strange that RHEL made the decision to send content bytes instead of DER. Can I propose that the workaround be removed altogether? Maybe the naming of the define is confusing: it sounds like if you define it you will send "NO_ASN1" (which means content bytes?), therefore the packager chose not to define it. Just speculating here. I'll PR it...

aalba6675 added a commit to aalba6675/OpenSC that referenced this issue Mar 18, 2018
- Fixes OpenSC#1286: "Does it even make sense to write EC keys not in DER?"
- the naming of the define was confusing, anyway
aalba6675 pushed a commit to aalba6675/OpenSC that referenced this issue Mar 19, 2018
Fixes OpenSC#1286. The behaviour of pkcs11-tool will follow the standard -
send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will
write plain bytes.
@frankmorgner (Member)

With accepting #1287, I think we can close this issue, right?

@aalba6675 (Contributor, Author)

@frankmorgner Yes, thank you.

frankmorgner pushed a commit that referenced this issue Mar 19, 2018
Fixes #1286. The behaviour of pkcs11-tool will follow the standard -
send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will
write plain bytes.