OpenSC + Smartcard-HSM + secp521r1 + OpenSSH = signing failed for ECDSA "secp521r1": error in libcrypto #3155
Comments
@CardContact Is this a known issue?
This is not a known issue. Apparently OpenSC reports CKR_FUNCTION_NOT_SUPPORTED (84), which I can confirm in my own tests with a secp521 key. Maybe you can try our own PKCS#11 module to confirm that this is an OpenSC issue.
An OpenSC debug log would help: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC. Also look at using the SPY capability, which can log PKCS#11 calls. secp521 has a field size of 521 bits, which is not a multiple of 8, and it is possible the conversion to get a buffer size is not doing
Did you generate the keys using the Smart Card Shell? It turns out that the Smart Card Shell encodes the field size in PKCS#15 as 528 rather than 521. This leads to the observed CKR_FUNCTION_NOT_SUPPORTED error in OpenSC. We'll fix that in the Smart Card Shell and provide a mechanism to fix the PKCS#15 description for existing keys.
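The two maintainer comments above hinge on one detail: secp521r1 is the only common curve whose field size (521 bits) is not a whole number of bytes, so a tool that rounds the bit length up to bytes writes 528 into the PKCS#15 key description, a value that matches no curve. The following is an added example (not code from OpenSC or from the Smart Card Shell) that shows the arithmetic and a small check a practitioner could run over field sizes read from a card: it flags a 528-bit size as a rounded secp521r1 and returns the value a repair step would write back. The curve table is constructed for the example, and it assumes, as an inference from the symptom rather than from OpenSC's source, that a field size matching no known curve is what leads to the unsupported-function error.

```python
from typing import List, Tuple

# Field sizes in bits of named curves commonly found on a Smartcard-HSM.
# Constructed table for this example; secp521r1 is the only entry that is
# not byte-aligned, which is exactly why it is the one that broke.
KNOWN_CURVES = {
    "secp256r1": 256,
    "secp384r1": 384,
    "secp521r1": 521,
    "brainpoolP256r1": 256,
    "brainpoolP384r1": 384,
    "brainpoolP512r1": 512,
}


def field_bytes(field_bits: int) -> int:
    """Octets needed to hold one field element: ceil(bits / 8). 521 -> 66."""
    return (field_bits + 7) // 8


def raw_ecdsa_signature_len(field_bits: int) -> int:
    """Length of the raw r||s that a PKCS#11 C_Sign returns for ECDSA:
    two field-sized big-endian integers. secp521r1 -> 132 bytes."""
    return 2 * field_bytes(field_bits)


def classify_field_size(field_bits: int) -> Tuple[str, List[str]]:
    """Check a PKCS#15 fieldSize value against the known curves.

    Returns ("ok", curves) when it matches a curve's real bit length,
    ("wrong_encoding", curves) when it equals a known curve's size rounded
    up to whole bytes (the 521 -> 528 case from this issue), and
    ("unknown", []) otherwise.  Curve lists are sorted for determinism.
    """
    exact = sorted(n for n, b in KNOWN_CURVES.items() if b == field_bits)
    if exact:
        return ("ok", exact)
    rounded = sorted(
        n for n, b in KNOWN_CURVES.items()
        if b != field_bits and field_bytes(b) * 8 == field_bits
    )
    if rounded:
        return ("wrong_encoding", rounded)
    return ("unknown", [])


def repaired_field_size(field_bits: int) -> int:
    """Value a repair step should write back into the PKCS#15 description:
    the curve's real bit length if the size was rounded, else unchanged."""
    status, curves = classify_field_size(field_bits)
    if status == "wrong_encoding":
        return KNOWN_CURVES[curves[0]]
    return field_bits


if __name__ == "__main__":
    # Constructed sample of fieldSize values as they might be read from
    # several key objects on one card; 528 is the mis-encoded secp521r1.
    for bits in (256, 384, 521, 528):
        status, curves = classify_field_size(bits)
        print(
            f"fieldSize={bits}: {status} {curves}; "
            f"{field_bytes(bits)} octets per coordinate, "
            f"raw signature {raw_ecdsa_signature_len(bits)} bytes; "
            f"repair -> {repaired_field_size(bits)}"
        )
```

Note that 521 and 528 both round to 66 octets, so the buffer sizes are identical; the difference is only in which curve the value identifies, which is consistent with the fix being a rewrite of the PKCS#15 description rather than of the key material itself.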
Actually, yes I did.
Nailed it!
I'll be in touch to get that info. Thanks again for the quick resolution!
The Smart Card Shell has been updated to fix the issue.
@CardContact I see a patch for OpenSC, but how can existing keys on the card be repaired?
Working on it. Will be an option offered in the Smart Card Shell.
There is now an option in the Smart Card Shell to repair the wrong key length. The option "Fix wrong key size" is offered in the context menu of a secp521r1 key if the wrong encoding is detected. The fix will then rewrite the PKCS#15 description for the key.
I can confirm this fix (in version 3.18.28 of SCSH) works! (@CardContact May I suggest that you pop a dialog box after outline creation finishes if the key size issue is detected, with yes/no options to fix it?) SSH output before fix:
SCSH output of the fix (Shell tab):
SCSH output of the fix (Trace tab):
SSH output after fix:
Closed as resolved upstream (root cause was external to OpenSC). Thanks for the quick reaction and resolution! |
Problem Description
OpenSSH throws an error in libcrypto when trying to use a secp521r1 key on a Smartcard-HSM (3.6) with many keys on it. This is nearly the first key on the card, and the next one is secp384r1. The keys themselves are named on the card after the algorithms.
System is Arch Linux, kernel 6.6.31-1-lts. Reader is Cherry ST-2000 with PIN pad.
Relevant packages:
~/.ssh/config (to enable OpenSC and disable RSA):
Verbose SSH output, lightly redacted:
Proposed Resolution
This should "just work", like smaller EC key sizes, no?
Steps to reproduce
It seems as though secp521r1 in general is affected.