-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TCOS: pkcs11-tool --login --test fails to sign #1869
Comments
More debug log added |
The instruction Is this key usable for signatures? What does The documentation talks about different types of TCOS cards, but I do not seem to notice the IDKey cards here: There was some discussion about these cards in #712 and it provides also some specification. Checking through the section 7.3.6.3 shows that for signature, we should use different P2 parameter than is used now. Can you try with the following patch:
|
@jmastr, Do you know where to get developer documentation and/or test cards? |
I found a docs here: This looks like normal iso operation so I assume this is a bug. |
@frankmorgner @Jakuje First of all, thank you very much for checking this issue. The IDKey card was mentioned in the commit message of c97fc2e:
But it dates back to 2011. I built OpenSC from that exact commit and a
I am currently not at my work laptop, but I'll check first thing in the morning.
I'll contact the card manufacture and ask them for documentation. |
|
@Jakuje with said patch I get
|
@frankmorgner @Jakuje documentation is on its way. checking the history of
This diff yields to:
|
It actually does not fix the problem, but it is certainly correct according tot he specification. What you did also sounds correct according to the documentation. For the signature generation, there is no 0x80 tag defined so I think it should not be there. It could have worked with older cards, but new seems to bail out on that, I assume. Looking to the second change you did, you allowed > 256 B of data to be signed. Few lines below, the code says it supports max 48 B. The first test is using the RSA_X_509 mechanism, which is RAW RSA and I think the card and driver really do not support that. Reading through "7.3.12 PSO: Compute Digital Signature" section, it says that the input data is really "hash value", not the whole raw input to the RSA operation. If I see right, the author of the driver wanted to implement the signatures using the decipher operation to get around this limitation, but it looks like it is no longer working. I think something similar as I did for CardOS 5 in #1867 will be needed to disable RSA_X_509 mechanism advertisement. Can you try the following branch: https://github.com/Jakuje/OpenSC/commits/tcos I would be interested also in the |
Being on your branch:
So I needed to revert 5d2a2e3:
Otherwise I would have gotten: With the reverted patch I see again:
|
Can you share the respective debug logs for the errors you get with at least the last two APDUs? |
@Jakuje This is all logs after verifying the PIN: https://gist.github.com/jmastr/72ce309a14f90377dff51628c002ab6c |
This already looks like the signature is provided correctly (see lines around 1944), but just the pkcs11-tool has problems finding the public key to verify signature. This is the key with ID 46. As you can see in your previous comment #1869 (comment) , it looks like the public key is really not there, but there are multiple with ID 45 ... this looks like something got messed up during the initialization. I will check the log posted earlier if there will be something suspicious. |
the initialization looks like it is using same IDs for all the certificates. Can you try my updated branch whether we will be able to move further (I dropped the problematic commit too)? |
https://gist.github.com/jmastr/c2d3673a47e22803d16e5adbdd60f6b0 |
If I read the diff right, this fixed the tests with the IDKey2:
Are the other keys also supposed to be working? The third certificate was not found on the card if I read the initial log correctly:
I can probably try to expand the list to try to read 6 certs, if they are supposed to be there and working. Not sure what to do with the keys without certificates and where to get the public key material for them. |
@Jakuje You are completely right to ask that question. I don't know, if the other certificates/keys are supposed to work. For my very use case, which is also related to #1865, I need to have 1ad3d27 tcos: Use unique IDs for certificates The only potential problem I see is 04c7fe3 where we might introduce a regression. I think the author put this line for a reason, although it clearly does not work with my card. I mean, I am good with removing that line obviously. What do you think? |
Problem Description
OpenSC 0.20.0-rc3
Proposed Resolution
Steps to reproduce
Logs
The text was updated successfully, but these errors were encountered: