-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issues with Secure Messaging, opensc.conf and opensc.conf.example #2452
Comments
The problem with #1453 is that you can use Since you are the first one noticing this after three years, I do not think anyone heavily depended on this functionality. We already noticed that configuration based on atr only is not flexible enough so it might make sense to provide per-driver configuration, with something like the following (would require plugging some more code to get this working though):
Or make these defaults somehow configurable inside of the driver with possibility to override in configuration (which would be less memory demanding than processing the configuration file on every init). All the translations strings from #1126 also did some work with the memory footprint some years back. Certainly it would be great to document what to do with the example configuration file and how to use SM in the manual pages/wiki with some examples as clearly you are not the only one learning something new here :) |
I would look at it as a regression. Users may have checked that SM worked for their tokens, but have not noticed that SM may not be working as expected. |
AFAIK, the previously hard coded SM parameters were related to test cards. For the cards in productive use, a specific version of I personally prefer to have in |
As far as I can tell, many people turn to OpenSC when they have a card (usually issued by their government) that works on windows but the issuer does not provide drivers for linux. These users are their own administrators. I too like a small The " catching all corner cases" include using the security expected by the card issuer. Do you have an answer to the question from the last line of the Problem Description: i.e. how to let the driver use SM if card supports it, without having to add another |
As said before, I think having SM as seperate module is not the best option. If I were you, I'd keep the SM configuration at the card driver level (i.e. keep the pairing code a card driver option), so that the card driver sets SM_MODE_TRANSMIT and initializes both |
Closing this since the original question was solved...
|
Problem Description
In previous versions,
opensc.conf
was a large file with examples and options for many cards. c003f38 changed that to be a minimal version in response to #1102 which introducedopensc.conf.example
.(Comments at that time said at least one distro (redHat) would not overwrite any users changes.
But this has problems too which are not the point of this issue.)
But some of the entries in the larger
opensc.conf
were not just comments. One example of many from an olderopensc.conf
from an Ubuntu installedopensc.conf
:card.c
callssc_card_sm_check
: https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card.c#L1608-L1611that will fail to load an SM module because their is no
card_atr
in opensc.conf.So in effect we have turned off secure messaging be default in new installs and maybe on older installs
depending on how
opensc.conf
is updated by distro.Steps to reproduce
opensc.conf:
with the above commented out gdb shows:
with the above uncommented,
It got far enough to load the module for this card, to show a missing
card_atr
will not even try and load the module.Proposed Resolution
Partial sollution:
#1453 which was rejected just removed comments from
opensc.conf
Better would be have card drivers which know what SM module its cards can support, by default. without the need for
opensc.conf
changes, opensc.conf may still be needed in special cases.Use of a the atr will not work for drivers that support a specific applet based on its AID and not on the atr.
Problem found while looking at how PIV driver could use loaded SM module rather then the proposed one in #2053
The text was updated successfully, but these errors were encountered: