-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
epass2003 elliptic cryptography support #2815
Comments
If anyone can advise, there is also a question regarding longer RSA keys (4096...) ... #1736 (comment) |
My output:
My response is
decoded as follows:
but I do not know if I can shed more light into what these mean. But I went ahead to see if the FIPS certification does not "leak" some info and it does: See table 4:
I think this should be enough to get the algorithm support for the epass driver. Regarding to the 4k RSA support, the nist certificate does not say anything about that and only 2k keys are "certified". Thats probably the only useful part in the document for me now. But there is also description of the operations which might come handy too in the end. |
Thanks for the information and the link to the document. I'm trying to understand where the problem is. My token returns the following info:
The token I have returns exactly the same information for TAG 0x81 as your token = I would assume that both have support for ECDSA, but my attempt to generate a key goes like this:
|
Sounds like you are right. Could it be some defective/old/pre-production token? The SW1 In any case, if you will need to run/test something on a newer epass token, please let me know. I got some recently from Feitian. |
I received that token as a gift in 2017, a colleague bought about 5 of them, but they were never used. I don't think that it was a pre-production or test tokens. I will check with him more precisely the origin of these tokens. The proprietary APDU is like this: 00 46 00 00 07 02 29 00 30 00 (wrapped in SM, tag 0x087, original data field padded and encrypted by AES-CBC and tag 0x8e - MAC (AES-CBC_MAC) ). Details: 02 - EC key, 2900 ID of the private key file, 3000 is the ID of the public key file. The response is classic SM, where the return code is 6a80 in TLV - TAG 0x99, and another TLV with tag 0x8e as MAC for this response. Too bad the token you got from Feitian doesn't support MAC in AES_CMAC mode (it should report TAG 0x87 with value 1 in response for get capabilities..). I wanted to try it first because we don't have a MAC verification code for this mode in the card driver. OpenSC/src/libopensc/card-epass2003.c Lines 1381 to 1385 in 33351d9
Anyway, your token at least supports Elliptical operations, so you can test what my token does not support. If you have an EC key generated on the token, you can try the test script: https://github.com/popovec/epass2003_sim/blob/main/tests/ec_sign_test.sh I assume that ECDSA operations with SHA384 and SHA512 will fail on your token. It should be possible to solve it by adding the code that allows to perform the operation SC_ALGORITHM_ECDSA_RAW. (you can find the patch proposal in my analysis of the EC operation for the epass2003 token available at https://github.com/popovec/epass2003_sim/blob/main/epass2003_doc/EC.txt ) Thank you. |
The Lc=7 does not match the 5 bytes. Is that a misprint?https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-epass2003.c#L3037-L3055 The apdu: 00 CA 01 86 00 So does not have tags 83, 84, 85 or 86 https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-epass2003.c#L1724-L1748 Note lines 1731-1732:
Also note line 1772:
Does the card actually support SC_ALGORITHM_ECDSA_HASH_SHA1?
I will try and generate an EC key later today. |
This card may be too old to do EC. Note different ATR in comment: My card has ATR: This is not the only OpenSC card driver's "init" routine that does not check version numbers of the token and sets all the flags, capabilities, key types and sizes to latest version of the token. |
@dengert you are right .. I quickly copied this from my notes. There should be one more piece of information - how many bits the generated key should have: I also discovered the origin of the key, it also comes from Gooze, but from around October 2012. Thanks for the hint about the ATR version, it would probably be appropriate to take firmware version from ATR (historical bytes, tag 6) ? |
Yes, but do we know all the different versions that may have been produced and what has changed over the years? |
Problem Description
I have epass2003 token:
according to OpenSC, this token supports elliptic encryption:
An attempt to generate a key ends with an error:
I assume that from the information about the token it is possible to correctly generate whether the token has/does not support elliptic encryption.
My token lists the following parameters:
I found several other answers to this APDU in logs available on the Internet, the answer is TLV organized.
I tried to deduce from the epass2003 driver in OpenSC which TAG corresponds to what, but without further help I cannot find which TAG signals support for elliptical encryption. Analysis of the relevant tags is available in my epass2003 simulator:
https://github.com/popovec/epass2003_sim/blob/main/epass2003_doc/get_data.txt
Can anyone help me with information about this problem?
The text was updated successfully, but these errors were encountered: