pkcs11-tool --login --test fails with C_Verify() returned CKR_GENERAL_ERROR (0x5) with CardOS 5.3 #1916
Comments
|
use gist, pastebin or similar to provide a log (remove your PIN first!) |
|
It could indeed be your certificate that's the problem... @Jakuje ? |
Removing the PIN is easy ( |
|
I've just noticed that adding SC_ALGORITHM_RSA_RAW back to the flags solves the issue for me. But I have no idea if it's right or not. This is one of the flags removed in 642a3ee . --- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -173,7 +173,7 @@ static int cardos_init(sc_card_t *card)
/* Set up algorithm info. */
flags = 0;
if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
- flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
+ flags |= SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_RAW;
} else {
flags |= SC_ALGORITHM_RSA_RAW
| SC_ALGORITHM_RSA_HASH_NONE |
|
Same here. |
|
This one works with
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -171,15 +171,13 @@ static int cardos_init(sc_card_t *card)
card->cla = 0x00;
/* Set up algorithm info. */
- flags = 0;
- if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+ if (card->type == SC_CARD_TYPE_CARDOS_V5_0)
flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
- } else {
- flags |= SC_ALGORITHM_RSA_RAW
- | SC_ALGORITHM_RSA_HASH_NONE
- | SC_ALGORITHM_NEED_USAGE
- | SC_ALGORITHM_ONBOARD_KEY_GEN;
- }
+
+ flags |= SC_ALGORITHM_RSA_RAW
+ | SC_ALGORITHM_RSA_HASH_NONE
+ | SC_ALGORITHM_NEED_USAGE
+ | SC_ALGORITHM_ONBOARD_KEY_GEN; |
|
As the #1867 (and several issues before) say, the CardOS 5 really does not support raw RSA operations. As the attached output in the above PR says, it works fine with my CardOS 5 card. If it does not for your card, please, provide a trace at least with the logs around the error you are getting. The PIN is in the trace visible only in the APDU (hexadecimal, ascii). Last comment from @fbezdeka indeed says that with reverting this patch, introduces some errors in the tests (but does not clarify which ones) so clarifying this would be also useful. |
|
Providing a trace seems to be quite hard for me. Any chance to identify the really important part(s) of the trace? The following patch is fine (=no errors) for CardOS 4.2c and produces 4 errors on CardOS 5. --- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -171,15 +171,10 @@ static int cardos_init(sc_card_t *card)
card->cla = 0x00;
/* Set up algorithm info. */
- flags = 0;
- if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
- flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
- } else {
- flags |= SC_ALGORITHM_RSA_RAW
- | SC_ALGORITHM_RSA_HASH_NONE
- | SC_ALGORITHM_NEED_USAGE
- | SC_ALGORITHM_ONBOARD_KEY_GEN;
- }
+ flags |= SC_ALGORITHM_RSA_RAW
+ | SC_ALGORITHM_RSA_HASH_NONE
+ | SC_ALGORITHM_NEED_USAGE
+ | SC_ALGORITHM_ONBOARD_KEY_GEN;
if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
r = cardos_have_2048bit_package(card); |
|
As pointed out earlier my/our cards require Otherwise we would fail this way (see initial bug description):
Where does the "really does not support raw RSA operations" come from? |
|
This is actually interesting. If I do the same, my card already rejects the data to be signed as it is not a hash when using The important flag that you changed also is We can probably introduce some logic here to get failures earlier, but as this flag is set before reading any key, we really can not know whether we can use it. The other issue is as you can see that the original data that it starts with one more zero byte. If you define |
|
Debug messages for the function Debug messages for the function Hopefully the same issue @fbezdeka and @loblik are facing... |
This is indeed a signature of some hash data, which worked fine. The data part is der encoded sha1 hash. Do you also get verification issues as @fbezdeka ?
The decipher indeed work only if the key also supports decryption (as I describe in the previous comment). The question is how to get out of this. We can probably agree that using decipher operation for signature is ugly hack, but it looks like it is the only way how to get some newer and stricter cards and some older and unreasonable software to work together. I would certainly like to avoid using this by default, but the supported mechanisms need to be decided during card initialization. |
|
Still running the same patch as above, still 4 failures: Debug messages for the I guess I can not help out with debugs for Searching for |
|
Debug messages for the |
Right, this confirms what I wrote in previous comments -- what you do is not a signature, but decipher. CardOS 5 does not support raw RSA sign even for your card as you can see. I would also like to see the list of objects with @fbezdeka The actual issue you have is a verification, which fails because something (openssl? or even the card?) is stripping the leading zero byte. I think this can happen in case the first byte of public key is zero or something like that. We already had similar issue with OpenPGP if I remember well. Not sure what was the solution though. So now, we know mostly what is going on there, but we are not closer to solving it unless we will come with some creative solution. Neither you nor I want failing tests with my card and it looks like neither solution works now for both configurations. |
Yes, failing tests are annoying, but the most important thing for me is that I can use the card for client-auth and mail signing/decryption. This requires Not sure about |
|
Btw: I went back to 0.19 and there were 4 failing tests for my card as well. So this is nothing new... |
Yes, I do. Look here: https://gist.github.com/Silvanoc/170113fb7f452d9d7e8c93888d3ade74 And here to see the flags of the different objects in the card: https://gist.github.com/Silvanoc/d3244352202982100bd8afc7b39c4243 |
I can also confirm this. I can make the card behave the same like with 0.19 just by adding SC_ALGORITHM_RSA_RAW . Edit: And I'm also having verification and encryption errors. But that is also the case with 0.19. It actually seem it returns correct bytes just with some extra data in the beginning of PDU. Exactly like in the logs above. |
|
The leading zero issue with a signature should have been fixed with #1319. |
|
@dengert thank you for pointers. That is probably right think to fix also for deciphering. Not sure about the flags though. If we are going to put the NEEDS_USAGE back, we need to make sure it checks the decipher flags before attempting to do signature using decipher to fail somehow more sensibly. |
|
Using this one I have no errors for CardOS 5 and 4.2c --- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -173,7 +173,7 @@ static int cardos_init(sc_card_t *card)
/* Set up algorithm info. */
flags = 0;
if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
- flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
+ flags |= SC_ALGORITHM_RSA_RAW;
} else {
flags |= SC_ALGORITHM_RSA_RAW
| SC_ALGORITHM_RSA_HASH_NONE
diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
index 42a3a6af..d2cafac4 100644
--- a/src/libopensc/pkcs15-sec.c
+++ b/src/libopensc/pkcs15-sec.c
@@ -266,6 +266,21 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
sc_security_env_t senv;
const struct sc_pkcs15_prkey_info *prkey = (const struct sc_pkcs15_prkey_info *) obj->data;
unsigned long pad_flags = 0, sec_flags = 0;
+ size_t modlen;
+
+ switch (obj->type) {
+ case SC_PKCS15_TYPE_PRKEY_RSA:
+ modlen = prkey->modulus_length / 8;
+ break;
+ case SC_PKCS15_TYPE_PRKEY_GOSTR3410:
+ modlen = (prkey->modulus_length + 7) / 8 * 2;
+ break;
+ case SC_PKCS15_TYPE_PRKEY_EC:
+ modlen = ((prkey->field_length +7) / 8) * 2; /* 2*nLen */
+ break;
+ default:
+ LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Key type not supported");
+ }
LOG_FUNC_CALLED(ctx);
@@ -284,6 +299,12 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
outlen);
LOG_TEST_RET(ctx, r, "use_key() failed");
+ if (obj->type == SC_PKCS15_TYPE_PRKEY_RSA && (unsigned)r < modlen) {
+ memmove(out + modlen - r, out, r);
+ memset(out, 0, modlen - r);
+ r = modlen;
+ }
+
/* Strip any padding */
if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
size_t s = r; |
|
When trying to bring back the |
|
See the I think you will have to write similar function that strips the 02 padding which is used with encryption. But this asks for reimplementing the ISO decipher function in cardos driver with these modifications, if you really want to go this path. |
|
What would be the steps now? Do we already have enough information? I'm willing to help but not I'm probably not able to solve it on my own as I don't have enough background. Can you (@Jakuje) describe what was the logic behind that change? The commit message just says "fixes" which is not much descriptive. And it seems that change broke quite some users. |
|
Maybe we should split this into two tasks. a) Adding the b) Implement the failing tests, so fully support CardOS 5.x. Care about all the hints from @Jakuje As @loblik I'm happy to help testing, but I'm not really familiar with the opensc code base. |
|
I guess everyone having the issue has the same. Here is mine. Not sure if @Jakuje has a different one. In #1941 @bigon reports having also problems and he seems to have:
|
|
Any user who has any CardOS card please respond to this. The above is a good start. (The attempt to read a version, did not work, and may not for 5.x) We should also get some more information on ATR, card issuer (Gov issued, and what Country) and version number if printed on card from known users with CardOS cards. @Jakuje @bigon https://github.com/eblis @https://github.com/Ragnar-von-Detroit Any other user who has any CardOS card can respond too. The goal is to isolate any changes to specific cards as needed. It is so easy with OpenSC to propose changes that work for "my" card but break others. This may require adding another Care must be taken when proposing changes like in #1916 (comment) to pkcs15-sec.c sc_pkcs15_decipher. This is used by all cards. |
|
I am away from the office where the card I have is lying and because of coronavirus I do not expect getting there in coming weeks. But the trace from my CardOS 5 card is available in https://github.com/OpenSC/OpenSC/blob/1742dfc04503111047db5ab45ca440ea747eb0d7/src/tests/fuzzing/corpus/fuzz_pkcs15_reader/7cf8e9b31dcee040ee438441aca2aecb523ed5e9 where the first block is ATR: From there the ATR is But I do not think this will solve anything. My understanding is that the difference is in the card enrolling and how keys are configured and whether they allow deciphering or not. Mine has strict Signature key, which fails on attempt to do the SKO:DECIPHER. This works on card that allow to do both operations with the key. |
|
Thanks. I don't know much about CardOS, or who issues these cards. pkcs15-piv.c can set the pubkey and prkey usage attributes from the certificate keyUsage starting at: OpenSC/src/libopensc/pkcs15-piv.c Line 792 in dc29b0f This could be made a routined usable by other drivers. |
|
I don't know much either. They are normal access cards used by various companies in the wild, usually enrolled using proprietary software from Atos/Siemens. I don't have access to any more specs that what is available on the internet. The card is quite pkcs15-compatible (it does not even have pkcs15-emulator). I do not understand much these parts, but if I remember well, the usage was set reasonably on the PKCS#15 layer, but the |
|
What is the Those with CardOS 5.x cards may want to run: |
|
Private key flags: X509v3 Key Usage: I'm not sure about public key flags though. The output says
|
|
Sorry, the I got connected to the remote smart card so confirming the atr: And following up the last questions: (there is more certificates than keys, but the additional are CA certificates) You can see that already on the PKCS#15 level, the first Signature Key has appropriate flags set (no decipher), which prevents using the decipher hack to provide raw RSA signatures in this particular case. The lack of decipher flags is visible also in the certificates, which is matching the pkcs15 layer: So my assumption is that this depends on the way how the card is enrolled and how precisely are all the key flags set so they match certificates. |
|
The lack of a public key should not a problem. or at least not the problem of this issue. Some OpenSC card drivers extract the public key from the certificate (because it needs the algorithm (RSA, ECC) and parameters and sizes). The driver can also present the public key to PKCS15 layer. The public key is also contained in the certificate as the subjectPublicKeyInfo (SPKI). But if a PKCS11 application is depending on accessing the public key and this is the issue for CardOS, it can be added to driver or sc_pkcs_pubkey_*routines. |
The card is issued by AtoS itself to access AtoS internal stuff (Global IT) and it shows that it also supports RFID (never tried) Card says "CardOS DI 5.3 v2" |
|
Loblik's and Jakuje's cards both show certificate attributes consistent with private key attributes. What we may be seeing is OpenSC software assuming the attributes define the limitation of the card. But this may not be the case. i.e. OpenSC enforcing the "policy" of the card issuer to not use the same key for sign and decrypt. https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-sec.c#L272 But the card may have been provisioned to not accept RAW RSA commands and always add PKCS1 padding on the card during sign and strip the padding during decrypt. So the card is enforcing the "policy". If keys are created on a card, and not extractable, there must be a way to sign a certificate request for a decrypt only key. This might be part of the provisioning process and once the certificate is created and loaded then the provisioning process cause the card to enforce the "policy". If that is the case there is not much we can do. But I suspect that is not the case. The PIV driver allows for a sign operation during provisioning for any key: https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-piv.c#L1152 A trick could be done for CardOS. This might require writing a pkcs15-cardos.c for this case or add code at the sc_pkcs15 level. How to test... One way it to use We need opensc-debug log showing a decrypt and the preceding senv APDUs. One with SC_ALGORITHM_RSA_RAW set using a key which can sign and decrypt. And a log without using SC_ALGORITHM_RSA_RAW with a key that can be used both for sign and decrypt.
On the card with a sign only private key, we need to use pubkey to encrypt, paste the encrypted data into the APDUs and test against the card. Something like |
|
@bigon 's card is interesting, and the certificate has Digital Signature but the matching private key has decrypt, sign, unwrap |
|
I would like to ask any of you who have a working solution or not (especially if it uses RAW RSA to run the following script. test.decipher.sh.txt You will need to edit the script and change the path, and the ID= to point at key and cert to use. If it worked, the If it worked or not, please send the If your card does not have certificate but does have public key, the script can be changed. Let me know. pkcs15-tool can dump the pubkey and openssl pkeyutl can read a pubkey. I will then look at the APDUs sent in both cases. For the cards that failed, I will come up with a set of APDUs to be used with the the encrypted data from your cards that failed the decipher to be used The |
|
@dengert the hereby reported issue is with signing/verifying. But what you and your script are focusing on is (en/de)-cryption, right? Is there a reason for it that I oversee? I can probably provide you the desired information, once the script has been adapted for signing (assuming it's so). |
|
I could modify the script to use Would it give us the information that we need? |
|
I wanted to focusing on what can card really do. Some say their card can do RAW RSA, some say the card must add or remove the padding on the card and the card only knows how to use PKCS1 padding. If card can do SC_ALGORITHM_RSA_RAW, it can use same APDUs for signing or decryption. With signing, software does digest and padding and card SC_ALGORITHM_RSA_RAW. With decryption, card does SC_ALGORITHM_RSA_RAW, then software removes the padding revealing results. OpenSC sets in Depending on what flags are set, OPenSC will adjust what it does in software vs what is done on the card. If padding is added or removed on card, then only limited types of padding can be done. If card does not support SC_ALGORITHM_RSA_RAW, Signing is easy. Decryption is harder. The encryption with public key is done on another machine and must use the type of padding the card can strip. Some people look at SC_ALGORITHM_RSA_RAW and say it is a security risk because it is easy. Others say pkcs1 is a security risk and want to use other types of padding. which a card may not understand. But we must live with what our card supports. Question is what does it support? No one has all the hardware devices to test with. Users assume if they make a mod and it works it must be a good mod. For them, but other cards may not be the same. @Silvanoc Have you tried the script I sent? Even if it fails, you may have a card that has the wrong flags set in cardos_init. This is the type of input the group needs. What is ATR and what failed. |
|
@dengert your script works successfully for me and my signing script too.
But I have applied the patch [1] from @fbezdeka. I suppose without the patch it wouldn’t work.
[1] #1916 (comment)
On 19. Mar 2020, at 13:44, Doug Engert <[email protected]> wrote:
I wanted to focusing on what can card really do. Some say their card can do RAW RSA, some say the card must add or remove the padding on the card and the card only knows how to use PKCS1 padding.
If card can do SC_ALGORITHM_RSA_RAW, it can use same APDUs for signing or decryption. With signing, software does digest and padding and card SC_ALGORITHM_RSA_RAW. With decryption, card does SC_ALGORITHM_RSA_RAW, then software removes the padding revealing results.
OpenSC sets in cardos_init the flags SC_ALGORITHM_RSA_PAD_PKCS1, SC_ALGORITHM_RSA_RAW, based on card type. It is not clear if these are being set correctly for each card. A SC_CARD_TYPE_CARDOS_V5_0 maybe different then a SC_CARD_TYPE_CARDOS_V5_3 (not yet defined)
Depending on what flags are set, OPenSC will adjust what it does in software vs what is done on the card. If padding is added or removed on card, then only limited types of padding can be done.
If card does not support SC_ALGORITHM_RSA_RAW, Signing is easy. Decryption is harder. The encryption with public key is done on another machine and must use the type of padding the card can strip.
Some people look at SC_ALGORITHM_RSA_RAW and say it is a security risk because it is easy. Others say pkcs1 is a security risk and want to use other types of padding. which a card may not understand. But we must live with what our card supports. Question is what does it support?
No one has all the hardware devices to test with. Users assume if they make a mod and it works it must be a good mod. For them, but other cards may not be the same.
@Silvanoc<https://github.com/Silvanoc> Have you tried the script I sent? Even if it fails, you may have a card that has the wrong flags set in cardos_init. This is the type of input the group needs. What is ATR and what failed.
Yours may be a SC_CARD_TYPE_CARDOS_V5_3.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#1916 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AB74RAAFIK7JFLCA55XO3QTRIIHSNANCNFSM4KMBWATA>.
|
|
CT_181026_LPM_CardOS_V5-3_Multifunctionality_FS_en3_web.pdf This feature is used by many cards and allows for using short (or extended) APDUs to send blocks of data of any size. RSA decryption with key size 2048 and above needs to send 256 bytes plus other control bytes and can use "command chaining". Both Extended APDU and command chaining are designed to get around the 255 send and 256 receive restrictions. But reader have size restrictions and some readers may not support extended APDUs. As noted by @frankmorgner in one of these issues, the capabilities of the reader is not been considered in the code and support for extended APDU is assumed. We have not looked close at which readers each of you are using. Also read comment: https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-cardos.c#L993 from 2017-11-27 bb4bdc8 when cardos_decipher was first added. Much of the discussion has been RSA_RAW vs PKCS1. RSA 2048 and above signature operation with RAW needs to send > 256 bytes. (This then depends on your reader supporting extended APDUs.) Some of you may be seeing failures of sign operations because of reader restrictions if RSA RAW is used but PKCS1 works, You may also see decipher fail because of reader restriction, or if only PKCS1 is used. So what can be done? I would like to propose the card-cardos.c be changed for V5.3 cards:
I can write the mod if anyone is willing to test it. I do not have a CardOS card. The "command chaining" may have been introduced after 2017-11-17. and work on cards less then V5.3. I will leave that up to someone who has one of these cards to research. |
|
Thanks all participants for fixing this issue! 👏 🎉 |
|
Well the regression remains because distros are waiting for a release. #2061 Fedora did backport https://bugzilla.redhat.com/show_bug.cgi?id=1830528 I am trying to get gentoo to do the same gentoo/gentoo#18285 Right now at least gentoo, arch, and ubuntu 20.04 are affected. debian bullseye is as well https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961123 and they will soon become "stable" not sure how to fix all of them, but a release would certainly help ... |
|
@henning-schild the bug has been marked by @bigon as not found on Debian package opensc:0.20.0-4. Unfortunately the Debian bug tracker is IMO not so expressive as others... I'm using Debian Testing and therefore version 0.20.0-4 of opensc and the issue appears to be fixed in that package as reported! Someone else facing the issue in Ubuntu right now should give it a try. I have to admit I couldn't find neither the fix nor a patch in the source code. @bigon could you give us a hint on how it got fixed? |
|
@Silvanoc Well, no What I did is to say that it's also found in an earlier version (0.20.0-1). I didn't say that it was fixed in 0.20.0-4. The debian bug tracker has a notion of version so if I say it's found in 0.20.0-1 it includes 0.20.0-4 as well as long as I don't mark it as fixed. |
|
Am I misunderstanding then the issue tracker reports? Anyway, I've apparently built myself so long ago, that I already forgot it 😞 So I can confirm that no Debian package provides a fix yet. Not even patching! Although my issue reports that there is a patch... What a pity! |
Problem Description
I have a smartcard with **CardOS 5.**3 that is failing to verify signatures created with the card.
Following works:
Following doesn't:
RSA-PKCS: ERR: C_Verify() returned CKR_GENERAL_ERROR (0x5)).Proposed Resolution
Steps to reproduce
Logs
Extract of the output filtering only "key 0".
More verbose output can be provided, but filtering out certificates and pins from a 12kL document is too cumbersome. Any specific portion needed?
The text was updated successfully, but these errors were encountered: