Support D-Trust Card 4.1 (Std. RSA 2ca) #2784
next steps would be getting a debug log to see what code is being used and what are the actual failures. Use either environment variable |
See log.txt. For further analysis please tell which parts of the log might be of interest to avoid posting 6000+ lines of log. Thank you for reviewing. |
Looks like the card is enforcing CKA_ALWAYS_AUTHENTICATE on the card. (Older cards may not have enforced this.)
and when there is a failure line 6664:
OpenSC can cache the pin in the driver, but does not when the key is listed as |
This type of card requires to input a PIN for each signature. There are D-Trust cards which allow to compute 100 or an unlimited number of signatures with a single PIN input, but they are more expensive and I don't have one available.
I tested it. It now fails with
|
I have come across (not necessarily CardOS based) cards that did not tolerate any SELECT in the sequence VERIFY -> MSE SET -> PSO. In your log there is a SELECT in between due to It should not be a problem, sometimes it is. It should not be necessary either. The appropriate Can you please run a test with this single SELECT disabled? For example like this: diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
index f408556a..cdbe5836 100644
--- a/src/libopensc/pkcs15-sec.c
+++ b/src/libopensc/pkcs15-sec.c
@@ -140,13 +140,13 @@ static int use_key(struct sc_pkcs15_card *p15card,
LOG_TEST_RET(p15card->card->ctx, r, "sc_lock() failed");
do {
- if (path.len != 0 || path.aid.len != 0) {
- r = select_key_file(p15card, obj, senv);
- if (r < 0) {
- sc_log(p15card->card->ctx,
- "Unable to select private key file");
- }
- }
+ /* if (path.len != 0 || path.aid.len != 0) {
+ * r = select_key_file(p15card, obj, senv);
+ * if (r < 0) {
+ * sc_log(p15card->card->ctx,
+ * "Unable to select private key file");
+ * }
+ }*/
if (r == SC_SUCCESS)
r = sc_set_security_env(p15card->card, senv, 0);
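Review bot: commenting out the `select_key_file()` call removes the SELECT for every card that goes through `use_key()`, not only the D-Trust card under test, so this is fine as a diagnostic but should not be merged in this form; if skipping the SELECT turns out to be what the card needs, gate it on a card-specific flag or card type instead. The following `if (r == SC_SUCCESS)` still works because `r` keeps the value checked by `LOG_TEST_RET()` after `sc_lock()`, but for the experiment an `#if 0` / `#endif` around the block would be clearer than a `/* ... */` comment that now ends on `}*/`.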
|
I have also come across (CardOS 5.4 based) cards that expected MSE RESTORE instead of MSE SET. If you have any software (or a PKCS#11 library to use with This log too will contain your PIN code(s), please handle it carefully. Look for a line with an APDU that starts with |
Four calls to
|
Do you have another key on the card that does not require a second PIN? Can you try to do the operation with that key? As @jurajsarinay suggested, using the vendor's PKCS#11 module instead of OpenSC and a pcscd debugging log might show what the vendor does |
The card has two certificates: a qualified certificate according to the eIDAS regulation and an advanced certificate. The error is independent of the certificate used.
Unfortunately I don't have an older card available.
Unfortunately, the reference software crashes with a segmentation violation when used together with |
I didn't get
At this point the software asks to input the PIN. Then the following commands are issued (PIN redacted).
Before that, a lot of commands enumerating the certificates on the card are executed. I skipped those to keep this issue brief. Please tell me if these commands are necessary. |
This is significant: |
This is indeed MSE RESTORE with a SEID in P2. It is the same pattern as the one followed by skeid (#2672 (comment)), also a CardOS 5.4 card (identical ATR). I did not feel comfortable adapting card-cardos.c at the time and ended up carving "my" card out (see card-skeid.c). Given #2296 it appears that D-Trust Card 4.1 and skeid are the only CardOS 5.4 cards one has ever hoped OpenSC to work with. If that were the case, it might make sense to revisit @frankmorgner's suggestion from #2672 (comment) and dissolve card-skeid.c in a more generic card-cardos.c that also supports D-Trust Card 4.1. The question is, where the SEID ( The Private Key CIO within the log uploaded by @hamarituc appears not to contain any seIdentifier, but it is most likely constant and could simply be hardcoded. At the moment there is no room for seIdentifier within |
Regarding "The question is, where the SEID (0x19 for this particular card/key/operation) comes from." As far as I understood, "00 22 F3 19" (MSE Restore) is used to select the signing algorithm. For a D-Trust 4.1/4.4 Std. Card "19" is used for Algorithm "RSASSA PSS-MGF1-SHA256". To be honest, I have no clue whether what I have written above makes sense, because I am an absolute beginner in this area. So be careful with my post, but maybe it helps. If not, just forget it :-) |
@gh47110815 It makes a lot of sense. The 19, 1A and 1B tell the card to do the actual PSS padding with whatever info it needs. But Support to do the PSS on card could be added. It may be needed if this card does not support RSA RAW. The errors are all @jurajsarinay Your proposed patch may work for your card, but this code is used by many other cards. It must be card specific. |
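The distinction drawn in the last few comments (MSE SET with a CRT template versus MSE RESTORE with a SEID in P2) is easy to miss when scrolling through thousands of lines of APDU log. As an added example, not code from this thread or from OpenSC, here is a small C helper that classifies MANAGE SECURITY ENVIRONMENT APDUs in a captured hex log, so a line such as `00 22 F3 19` is reported as MSE RESTORE with SEID 0x19. The P1 decoding follows ISO 7816-4 (low nibble 1 = SET, 2 = STORE, 3 = RESTORE, 4 = ERASE); the sample log lines are constructed, and the function and struct names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not OpenSC code): classify MANAGE SECURITY
 * ENVIRONMENT (INS 0x22) APDUs found in a pcscd/OpenSC APDU log. */

enum mse_op { MSE_NONE = 0, MSE_SET, MSE_STORE, MSE_RESTORE, MSE_ERASE };

struct mse_info {
    enum mse_op op;
    unsigned char p1;
    unsigned char p2;
    int seid;   /* SEID taken from P2 for STORE/RESTORE/ERASE, else -1 */
};

/* Parse a line of space-separated hex bytes ("00 22 F3 19") into buf.
 * Returns the number of bytes parsed, or -1 on malformed input. */
static int parse_hex_bytes(const char *line, unsigned char *buf, size_t buflen)
{
    size_t n = 0;
    const char *p = line;
    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            return -1;
        if (n >= buflen)
            return -1;
        char tmp[3] = { p[0], p[1], 0 };
        buf[n++] = (unsigned char)strtoul(tmp, NULL, 16);
        p += 2;
        if (*p && !isspace((unsigned char)*p))
            return -1;
    }
    return (int)n;
}

/* Returns 1 if the line is an MSE command and fills *out, 0 otherwise.
 * ISO 7816-4: the low nibble of P1 selects SET/STORE/RESTORE/ERASE;
 * for STORE/RESTORE/ERASE the SEID is carried in P2. */
int classify_mse(const char *line, struct mse_info *out)
{
    unsigned char apdu[261];
    int len = parse_hex_bytes(line, apdu, sizeof apdu);

    memset(out, 0, sizeof *out);
    out->seid = -1;
    if (len < 4 || apdu[1] != 0x22)
        return 0;
    out->p1 = apdu[2];
    out->p2 = apdu[3];
    switch (apdu[2] & 0x0F) {
    case 1: out->op = MSE_SET; break;
    case 2: out->op = MSE_STORE;   out->seid = apdu[3]; break;
    case 3: out->op = MSE_RESTORE; out->seid = apdu[3]; break;
    case 4: out->op = MSE_ERASE;   out->seid = apdu[3]; break;
    default: out->op = MSE_NONE; return 0;
    }
    return 1;
}

static const char *op_name(enum mse_op op)
{
    switch (op) {
    case MSE_SET:     return "MSE SET";
    case MSE_STORE:   return "MSE STORE";
    case MSE_RESTORE: return "MSE RESTORE";
    case MSE_ERASE:   return "MSE ERASE";
    default:          return "not MSE";
    }
}

int main(void)
{
    /* Constructed sample lines, modelled on the "00 22 F3 19" quoted above. */
    const char *lines[] = {
        "00 22 F3 19",                                 /* MSE RESTORE, SEID 0x19 */
        "00 22 41 B6 06 84 01 81 80 01 02",            /* MSE SET with a DST CRT */
        "00 A4 04 00 0C A0 00 00 00 63 50 4B 43 53 2D 31 35", /* SELECT AID */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct mse_info mi;
        if (classify_mse(lines[i], &mi) && mi.seid >= 0)
            printf("%-12s SEID 0x%02X  <- %s\n", op_name(mi.op), mi.seid, lines[i]);
        else
            printf("%-12s           <- %s\n", op_name(mi.op), lines[i]);
    }
    return 0;
}
```

Run it over the APDU column of a log (one APDU per line) and only the lines that change the security environment are flagged, which makes it quick to confirm whether a vendor module issues SET or RESTORE before PSO.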
If anyone would be interested in adding D-Trust Card 4.X to OpenSC, please let me know via mail and I will provide the full Developer-Handbücher (yes, only available in German). |
I also have a D-Trust 4.1 card and cannot get it to work to sign my data, and I would really like to see this feature implemented. I am using a Cherry ST-2100 reader and could use Linux and Win10 to do some debugging and/or development. I have a software development background, but all this close-to-hardware development and the smartcard area is completely new to me. So if it helps I could try to support with this matter, but I will surely need quite some time to dig into it. The German manual is not an issue as I am a native German speaker. |
Feel free to contact me via e-mail |
FYI: Based on the documents provided by @frankmorgner I started to work on this issue in the Comments to the current code are appreciated. |
Very, very cool!!! I think I will not be able to "actively" support your work on "coding", BUT... I have just cloned your repo, checked out the d-trust branch, did a build and voilà....
AND maybe interesting for you: I am using macOS, so feel free to contact me regarding e.g. testing support and I will try to help. "Good luck" and thanks in advance!!! |
Problem Description
The D-Trust Signature Card 4.1 is currently not supported by OpenSC.
Proposed Resolution
It would be great if this card type were supported by OpenSC. This is more of a feature request than a bug report.
Steps to reproduce
Try to sign some data:
Logs
Card type:
Card infos:
PKCS#15 information:
PKCS#11 information
OpenSC version:
Please tell which information is required for a further analysis.