Various CardOS 5.3 Fixes #1987
Various CardOS 5.3 Fixes #1987
Conversation
|
I've run There seems to be some extra padding in the beginning of APDU. However I'm not sure how relevant this is. pkcs11-tool --test also reported some errors in OpenSC 0.19 although I was not experiencing any issues during daily use of the card. Tested with reader |
|
The returned data is with padding. 00 02 says it is pkcs1 bt-02 as
expected. The padding ends with the 00 byte followed by the expected data.
The result should have been striped.
Will look at this later.
…On Sat, Mar 21, 2020, 2:01 PM Pavel Löbl ***@***.***> wrote:
I've run pkcs11-tool --login --test and the only problem seems to be
RSA-PKCS. I got.
RSA-PKCS: resulting cleartext doesn't match input
Original: 00 58 90 01 05 a4 93 fe 9d 7e
Decrypted: 00 02 47 ee c0 29 73 fe 49 9d fb d4 a9 c8 05 b3 9e 29 60 8f fd 86 df c5 72 f2 f1 96 1a 63 54 b6 22 34 5c f1 6b 01 c4 9f 68 c0 bd 86 ab 1c d0 b2 72 37 98 11 f7 93 e8 7d da e8 fb 98 f1 82 a8 7f eb b6 41 83 28 17 66 56 6d d6 a4 a5 eb df 36 fc ce c0 9d a2 17 d2 8f ed 03 72 05 a5 b7 c3 47 af 41 97 f5 b6 f6 f1 05 c2 e0 24 a0 34 b5 9a 10 2a b3 f0 95 ed 2e 95 bb 32 d9 bc 47 70 c3 5c e8 22 2c e2 73 ba f1 c3 af f3 52 7f 8d 12 83 7b 21 13 92 16 11 10 b8 d5 7f 36 58 6b b6 52 cf f2 46 e6 c2 50 fc e2 73 6b ca 6b 58 74 5c ae 85 f6 f1 b8 a2 6c 54 76 e3 4c 25 4b fa 35 1f 51 0d 83 14 b1 3b 9e bc 33 ce f4 e8 9e d4 8a 17 f9 f0 4f 38 0e ba fc 37 c2 1f ad 66 80 d2 b1 8e 68 80 37 bd 34 a4 64 b5 2e 03 b5 3e 9b 21 1e f9 31 50 2c 32 fb f6 da 71 f3 27 00 00 58 90 01 05 a4 93 fe 9d 7e
There seems to be some extra padding in the beginning of APDU. However I'm
not sure how relevant this is. pkcs11-tool --test also reported some errors
in OpenSC 0.19 although I was not experiencing any issues during daily use
of the card.
Tested with reader
0 No Generic Smart Card Reader Interface [Smart Card Reader Interface]
(20070818000000000) 00 00
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1987 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGTIMOMMYP3FTPGT2BFKELRIUFHXANCNFSM4LQ7U6JQ>
.
|
|
Using a card that does support RSA-PKCS1 with decryption, it looks like I should not have added the code in pkcs15-sec.c. because the problem I think this code tried to addressed for the CardOS is @fbezdeka can you explain why you needed to add the code in #1916 (comment) That was where the pkcs15-sec.c code came from. Did you see your card dropping a leading zero or two in the results for decrypt? pkcs11-tool passins in a 512 byte out buller, but only needs 256, with RAW_RSA the results would be 256. but with RSA-PKCS1 after a strip, it would be 16 bytes. @loblik results look similar to mine. Can you try removing the code from pkcs15-sec.c, rebuild and try pkcs11-tool again? |
|
After you reverted pkcs15 changes I have problem for both decryption types By the way I believe I have the same card as @fbezdeka . |
|
Good info. We are close and can fix this is software... Note that the leading 00 byte is missing on both. With RSA-PKCS it looks like it also dropped a leading 00 and returned the pkcs1 BT-2 type padding. So for v5_3 at all we need to do in the cardos_decipher is to insert a zero byte. Can you look at opensc debug log and find the APDU input where these two blocks are returned? I will look at a simple mode to fix this and the card is reported to support PSS padding too. |
|
First of all: Thanks for all the help! @dengert, The reason for the modification of I guess if possible it should be moved to the CardOS specific parts. I'm now going to test your implementation and will report back. |
|
Ok. Now I realized I've forgot to run And also the decryption as noted above (#1987 (comment)) . To your RSA-PKCS decrypt question. This is part of the pkcs11-tool output . And this seems to be corespoding APDU. |
|
@fbezdeka It looks like the card drops the leading byte. It does not inserts a NULL byte. @Lobik Yes, the APDU shows card returned one less byte then expected. Was output in #1987 (comment) with or without 573193d ? |
|
@dengert yes, you are right. It was the other way around. The card removed the NULL byte. |
That was with that change already included. |
|
That leading 00 is a real byte it is the leading 00 of padding and needed to be added back. But not in pkcs15-sec.c which is used by every card. 573193d that last commit I pushed does it in the cardos_decipher routine. I am very interested in seeing the ADPUs sent in decipher especially from someone who has an old reader that can not do extended APDUs. I want to see if chaining works. With this patch by setting the max_send_size and max_recv_size using the MIN of card and reader values, if these turn out to be <= 255 and <=256 lower levels of OpenSC will use chaining to split the data sent over 2 or more APDUs. |
|
I had to remove all "flags" but SC_ALGORITHM_RSA_RAW to get it "running". My first results were identical to the results of @loblik The remaining problem is now that we are missing the last byte. --- src/libopensc/card-cardos.c (revision 45e29056ccde422e70ed3585084a7f150c632515)
+++ src/libopensc/card-cardos.c (date 1584894619908)
@@ -174,6 +174,8 @@
flags = 0;
if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
+ } else if(card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+ flags |= SC_ALGORITHM_RSA_RAW;
} else {
flags |= SC_ALGORITHM_RSA_RAW
| SC_ALGORITHM_RSA_HASH_NONE |
|
Playing around with the flags it turns out that } else if(card->type == SC_CARD_TYPE_CARDOS_V5_3) {
flags |= SC_ALGORITHM_RSA_RAW
| SC_ALGORITHM_RSA_PAD_PKCS1
| SC_ALGORITHM_RSA_HASH_NONE
| SC_ALGORITHM_ONBOARD_KEY_GEN;
}This produces the same results as above. |
|
Just pushed fix for last byte; The SC_ALGORITHM_NEED_USAGE can cause pkcs15-sec.clinre 609 sc_pkcs15_compute_signature to try and use decipher to do a sign. @loblik all the verify failure look strange but could be caused by missing last byte. Things like what is being used for the max_send_size and max_recv_size are now based on the reader and card parameters, what is the data_field_length from the card, is chaining being used or not, what path is signatures and decrypt using for RAW vs PKCS1 is much easier if I could see all of that and others things as well. Also note that when building the code yourself, unless you specify where the opensc-pkcs11.so will reside, you may have to use the |
|
With 1318fac included (and Summary: RSA-PKCS: ERR: verification failed, some padding infront? and invalid last byte. |
I can confirm this. Exactly the same behavior here. |
|
Please send a full opensc-debug.log. |
|
Tested before 78d5623. debug_cardos5.3.log |
|
78d5623 seems to break everything. Edit: Is the order of the Edit 2: And where is out_tmp cleaned up / freed? |
|
r++ in wrong place, fails to copy last byte. See last commit. Sounds like that failed. Where is the opensc-debug.log F-CardOS_DI_V5-3_Enterprise_en1-web.pdf states: Asymmetric algorithms:
The way I read this and what we have seen so far, is the card does not support SC_ALGORITHM_RSA_RAW which is the same as SC_ALGORITHM_RSA_HASH_NONE both = 0x01 Itis not clear if the stripping of the padding is being done on the card or is OpenSC. I think it is in software. A RSA RAW operation is the first decryption. But only an opensc-debug.log wouldshow it this is true or not. |
I've posted one in #1987 (comment) . Or is that not the right one? |
|
Yes was done before 78d5623 I am going to make one more change, and that is to turn off SC_ALGORITHM_RSA_RAW. |
|
Tested with latest changes. Everything fails now. Log: debug_cardos5.3.log |
|
Same here, so I added Looks like some kind of padding, right? |
|
Sorry for the ugly style (end of time for today), but this one fixes all errors (with |
|
@loblik in #1987 (comment) you said everything failed. Can you also sent the pkcs11 output? The cardos5.3.log all the "pkcs11-object.c:929:C_Decrypt: C_Decrypt()" say "= CKR_OK" They all look correct, and the ADPU.s look like good if we add the leading 00, and the patch corrected for leading zero, but only the output of pkcs11-tool would show if the patch is working as expected show what it sees. @fbezdeka you said "Same here, so I added SC_ALGORITHM_RSA_RAW again.". I still have not seen if the APDUs are as expected. or padding is being removed. I still contend the card does not actually do SC_ALGORITHM_RSA_RAW for a sign operation, but is using the tricks in OpenSC to call sc_pkcs15_decipher that ends up calling cardos_decipher. From what I can read, they removed RAW in v5_0 and did not add it back in in 5_3. You also said; "Looks like some kind of padding, right?". Yes it does, and it should have been stripped in pkcs15-sec.c here: The code to add the leading byte may still be wrong. Look at these two line from your output: and you will see the block should have been stripped by |
|
Here is new log: debug_cardos5.3.log And corresponding pkcs11-tool output: |
|
@loblik Thanks for the debug logs. The
The APDU for this is at line 5188. This routine is used by all the versions of CardOS, so may have worked at some time or may work with some cards today. It should have been updated over the years. The comment also implies that the attribute depends on how the key was created, so some cards may support RSA_RAW and some may not. I do not have one of these cards. This is getting way to complicated. The community of CardOS users need to take over this patch. I believe the chaining and MIN(card,reader) part is good, as is the decipher with a minor change to tell it it needs to strip the padding. |
|
@fbezdeka I have just pushed 3477532 is support of this comment. The flags (which saw what operations are supported on the card ) should be set as be: The flags should not include SC_ALGORITHM_RSA_PAD_PKCS1 or SC_ALGORITHM_RSA_PAD_PSS because the OpenSC code is not able to tell the card to do PKCS1 or PSS (add or strip the padding on the card) and the card just does RSA_RAW. OpenSC decipher will still support PKCS1 and PSS in software in higher layers when RSA_RAW is used. Thus the mod in #1987 (comment) should not be needed. It should only be needed if the flags have SC_ALGORITHM_RSA_PAD_PKCS1 If in the future someone can figure out how to tell the card to do SC_ALGORITHM_RSA_PAD_PKCS1 or SC_ALGORITHM_RSA_PAD_PSS on the card, for both sign and decrypt, the code could be added to OpenSC. But that requires vendor documentation. |
|
Thanks for not giving up. Now the decryption works fine. But I still have signing and verification issues. Should I post the full debug log again? |
|
I wasn't able to build it from the scratch, a vagrant provisioning has failed with the following vagrantfile |
|
Same for me (I didn't want to bring this seemingly unrelated Werror problem up in this already long thread): Running make with V=1 and running the gcc command without |
|
82258b6 still works for me. No warning with GCC 9.3.1 (on Fedora 31) |
|
#1987 (comment) should have been fixed in #2003 Its not a cardos issue, but the compiler treating the dropping of a return value from a function. So it should be reported in #2003 if still a problem. |
|
It's fixed by 1202ece which is not on this PRs branch yet. So the next rebase or eventual merge should take care of it. |
see: OpenSC#1995 (comment) On branch cardos-5.3 Changes to be committed: modified: asn1.c
In tests, make sute test data is either padded, or "zero" padded so size if data <= modlen - 11. The smallest pad in 11 bytes, 00 | NN | PS | 00. PS is at least 8 bytes. "zero" padding has N = 00, PS >= 8 byte of 00. On branch cardos-5.3 Changes to be committed: modified: tools/pkcs11-tool.c
CardOS cards may have more then 8 supported_algo_info entries in tokenInfo. We may bemissing some. We have seen 8 in some pkcs15-tool -i -v output. Simple fix is to incrase the limit. More appropriate fix is to remove the limit, much like is done with sc_algorithm_info. and use realloc of the array. On branch cardos-5.3 Changes to be committed: modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-skey.c modified: src/libopensc/pkcs15.c modified: src/libopensc/types.h
Mismatch of ASN1 parsing of tokeninfo.supported_algos[n].paramters
in one place parameter was treated as a pointer to sc_object_id
and in another as inline structure. This caused segfaults
in pkcs15-tool when it tried to print the OID.
Changes to be committed:
modified: src/libopensc/opensc.h
modified: src/libopensc/pkcs15.c
Some cards can provide supported algorithms in tokenInfo which contain ECDSA OID, and PKCS11 mechanism Don't know how many Algo_refs were actually read, and a ref of 0 may be valid. print at least one Algo_refs. Print the mechanism from PKCS11, and print operations Use the $(top_srcdir)/src/pkcs11/pkcs11-display.c on Unix Use the $(TOPDIR)\src\pkcs11\pkcs11-display.obj on Windows pkcs15.tool.c treat ECDSA OID as inline pkcs15-tool prints PKCS11 mechanisms using pkcs11-display.c Automake now warns that the default will change, in the future so "[subdir-objects]" is added to configure.ac Changes to be committed: modified: configure.ac modified: src/tools/Makefile.am modified: src/tools/Makefile.mak modified: src/tools/pkcs15-tool.c
Treat CardOS V5_0 and V5_3 cards differently then older versions:
Use card->dvr_data as a pointer to cardos_data_t to store private driver
data to pass internally, especially between set security environment
and the crypto operations. Sc_get_encoding_flags sets sec_flags from
algo_info->flags in pkcs15-sec.c and it passed to decipher.
Some cards when doing a decipher may drop leading 00 byte when
returning data from RSA_RAW decipher. Add leading byte(s) as needed.
Get Cryptographic Mechanism Reference from Key Reference:
Key reference byte appears to be a 4 bit Cryptographic Mechanism Reference
and a 4 bit key reference.
This is only done if key reference & 0xF0 != 0 i.e. default Cryptographic
mechanism reference is 0. which appears to be the case for RSA RAW.
PKCS1 appears to be 0x10 and ECDSA 0x30
See iso 7816-4 table 55 for DST:
84 Reference of a private key
95 Usage qualifier byte - Table 57 - 40 looks OK
80 Cryptographic mechanism reference and referes to section 9.2
The 4 bit key reference limits card to 16 keys. In future this may not work,
but we can derive a Cryptographic Mechanism Reference from what OpenSC
thinks the card needs to do. Only know RSA RAW, PKCS1 and ECDSA.
ECDSA code has not been tested, but expected to work.
Allow setting CardOS type and flags from opensc.conf using card_atr stanza
This is a fallback if newer cards are added or older cards have problems
giving us time to make need changes in next release.
It will help in identifying what flags are needed for each card.
As user can report what combination of flags work for them. They do this by
adding to opensc.conf with something like this. (Change the ATR to your card's ATR):
card_atr 3b:d2:18:00:81:31:fe:58:c9:03:16 {
driver = "cardos";
# type is decimal from cards.h:
# SC_CARD_TYPE_CARDOS_V5_0 is 1009
# SC_CARD_TYPE_CARDOS_V5_3 is 1010
type = 1010;
# flags is hex from opensc.h:
#define SC_ALGORITHM_ONBOARD_KEY_GEN 0x80000000
#define SC_ALGORITHM_NEED_USAGE 0x40000000
#define SC_ALGORITHM_RSA_RAW 0x00000001 /* RSA_RAW is PAD_NONE */
#define SC_ALGORITHM_RSA_PAD_NONE 0x00000001
#define SC_ALGORITHM_RSA_PAD_PKCS1 0x00000002 /* PKCS#1 v1.5 padding */
#define SC_ALGORITHM_RSA_PAD_ANSI 0x00000004
#define SC_ALGORITHM_RSA_PAD_ISO9796 0x00000008
#define SC_ALGORITHM_RSA_PAD_PSS 0x00000010 /* PKCS#1 v2.0 PSS */
#define SC_ALGORITHM_RSA_PAD_OAEP 0x00000020 /* PKCS#1 v2.0 OAEP */
#define SC_ALGORITHM_RSA_HASH_NONE 0x00000100 /* only applies to PKCS1 padding */
# example: SC_ALGORITHM_ONBOARD_KEY_GEN | SC_ALGORITHM_RSA_HASH_NONE | SC_ALGORITHM_RSA_RAW
flags = 80000101;
#example: SC_ALGORITHM_ONBOARD_KEY_GEN | SC_ALGORITHM_RSA_PAD_PKCS1
flags = 80000002;
}
For V5_0 and v5_3 cards, use sc_get_max_send_size and sc_get_max_recv_size
which takes care or reader sizes even on Windows where SCardControl can not get PART_10 sizes.
(commit eddea6f on Windows forces reader sizes to 255, 256
in reader-pcsc.c if not already set. It should not do this, but leave that up to card drivers.)
pkcs15-cardos.c added:
New file, pkcs15-cardos.c, added as emulation only for CardOS
V5_0 and V5_3 cards.
sc_pkcs15_bind_internal is called to get tokenInfo as CardOS
cards are substantially PKCS15 cards. But some V5_* cards have
errors in the tokenInfo, Which are corrected.
For older CardOS cards, card-cardos.c will create all the
card->algorithms.
Pkcs15-cardos.c will check for card->algorithms and if there
are none, it will do the following:
SC_CARDCTL_CARDOS_PASS_ALGO_FLAGS is called twice. First to get
the flags as set by user via opensc.conf card_atr or default
flags set by the card driver. Then after determining from the
tokenInfo what algorithms the card can support, the new flags
are passed to card_cardos.c to create card->algorithms.
https://atos.net/wp-content/uploads/2018/11/CT_181026_LPM_CardOS_V5-3_Multifunctionality_FS_en3_web.pdf
says card supports: "“Command chaining” in accordance with ISO/IEC 7816-4"
To take advantage of this with older readers, max_send_size and max_recv_size
is now based on minimum of reader limits and "data_field_length" from card.
This should allow card to work in older readers not capable of extended APDU.
So far current cards we have seen do no appear to support “Command chaining”.
Changes to be committed:
modified: src/libopensc/Makefile.am
modified: src/libopensc/Makefile.mak
modified: src/libopensc/card-cardos.c
modified: src/libopensc/cardctl.h
modified: src/libopensc/cards.h
new file: src/libopensc/pkcs15-cardos.c
modified: src/libopensc/pkcs15-syn.c
modified: src/libopensc/pkcs15-syn.h
|
@michaelweiser I forced pushed a rebased PR on current master. This should now include 1202ece The PR is down to 6 commits, with all the card-cardos.c and pkcs15-cardos.c in one commit. Again I ask those of you who have CardOS cards, to test this (hopefully) final version. |
|
Builds and works fine for me. |
|
Same here. Build and tests successful. Thank you @dengert! |
|
@dengert thank you, everything is working |
|
the lastest builds also work fine for me (Tested with cardOS 5.0 and 4.2c) |
|
Thank you @dengert for your hard work on fixing this! 👏 |
|
Hello. I'm apparently affected by this as well. Any ETA on the 0.21 release date ? |
|
@niladam, you should inform the package maintainer of your distribution. It will take some time for 0.21 to be released. Some distributions are already working on a backport / update: Fedora (already released): https://bugzilla.redhat.com/show_bug.cgi?id=1830528 These are all bug reports I know of. If your distribution is missing: Please fill a bug report for your distribution. |
|
@fbezdeka I'm actually using OpenSC's release, on a Mac. Was hoping to get the latest fixes in.. |
|
See https://github.com/OpenSC/OpenSC/projects/7 for missing stuff for a new release. You may try the nightly builds of OpenSC in the mean time, see https://github.com/OpenSC/Nightly. Last successful build for macOS was https://github.com/OpenSC/Nightly/tree/2020-05-13_27a819ba |
Treat CardOS V5.3 differently then other versions.
(Compiles but not tested with any CardOS card. )
Fixes: #1916
Assume card can do SC_ALGORITHM_RSA_RAW and SC_ALGORITHM_RSA_PAD_PKCS1
Reported failures of using RSA_RSA may be caused by older readers.
Older CardOS versions appear to support RAW_RSA.
Base max_send_size and max_recv_size on minimum of what reader provides
or "data_field_length" from card. This will allow it to work
with older readers.
CT_181026_LPM_CardOS_V5-3_Multifunctionality_FS_en3_web.pdf
says it supports: "“Command chaining” in accordance with ISO/IEC 7816-4"
Take advantage of this with older readers.
If caller provides a bigger buffer for decipher, left justify results to modlen.
before doing any software stripping of padding.
(This is based on mod from https://github.com/fbezdeka)
On branch cardos-5.3
Changes to be committed:
modified: card-cardos.c
modified: cards.h
modified: pkcs15-sec.c