Make CardOS 5.3 working with OpenSC #1003
Conversation
Remove the bogus SC_ALGORITHM_NEED_USAGE which prevents using the actual implementation in cardos_compute_signature(). It might be bogus also in previous versions, but I don't have a way to verify against these cards.
RSA-X-509 and RSA-PKCS are both (still) working with CardOS 4.3B.
However, I think we can live with the limitation you've introduced for 5.3 if nobody comes up with a clever solution.
src/libopensc/card-cardos.c
@@ -230,7 +237,7 @@ static int cardos_init(sc_card_t *card) | |||
_sc_card_add_rsa_alg(card, 2048, flags, 0); | |||
} | |||
|
|||
if (card->type == SC_CARD_TYPE_CARDOS_V5_0) { | |||
if (card->type >= SC_CARD_TYPE_CARDOS_V5_0) { |
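Review bot: switching the comparison from `==` to `>=` on `card->type` ties this branch to the numeric order of the SC_CARD_TYPE_CARDOS_* enum, so any card type added or renumbered later silently inherits these CardOS 5.x flags; test each supported version explicitly instead, for example a `switch (card->type)` with one `case` per CardOS version that needs this setup, which is also what the reviewer asks for below.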
Please use an explicit test (e.g. in a switch statement) instead of assuming a specific order of the card types.
Fixed. Thanks for having a look into that.
Browsing through the history of PRs, there is #283 from @martelletto who was trying to implement the CardOS 5.0 driver. His work was not publishable because of licencing, but hopefully he could either test/verify functionality or confirm some of our assumptions or give some pointers.
I changed jobs and haven't touched a CardOS card in almost 2 years. Sorry, I won't be much help here.
I am in the same situation as @mtausig. Sorry.
I have a CardOS 5.0 card, connected through a Cherry USB SC reader. I've built OpenSC Git HEAD on Debian sid amd64, though I can confirm that your patches improve CardOS 5.0 support as well :) After installing the locally built package version:
@debrouxl Thank you for testing. It looks like my expectations were confirmed (CardOS 5.0 implementation does not work with This PR was already merged so for further changes I would have to open a new one with further simplifications. So far in the following commit: The other improvements you talk about are most probably related to other changes since the last stable release.
I can't seem to use RSA-PKCS either. The fact that I'm more interested in GPG interoperability (for SSH) than in signing / validation / encryption / decryption with that SC. But at least, your changes have made it possible to obtain some information from the SC :)
Oh ... was reading too fast. My bad. Though the commit I referenced in the previous comment can solve the problems with
I applied the P1=0x41 change, which was the sole relevant line from Jakuje@7356ee7. Commands such as In verbose mode:
Maybe that 7F 49 garbage / header is a difference between CardOS 5.0 and CardOS 5.3?
@debrouxl The trailing I am not able to retrieve public keys using Unfortunately I don't have a lot of time to spend on those changes at the moment, but feel free to add me to the conversation at jakuje [at] gmail [dot] com if it is something that can't be said here (I saw your patch somewhere cached on github and it is very sad that it can not be used, though it can clear up some guesses we can have here).
@debrouxl You also said: Sounds like that is what is expected. RSA_X_509 does a raw RSA operation using the private key. It expects key-size input, and produces key-size output. Since you are passing in encrypted data, the result would be the padding and the data. PKCS 1.5 padding uses random non-zero bytes followed by the last byte of the padding of 0x00. Software is then expected to verify the padding. When a card can do RSA_X_509 the same operation is used for both sign and decrypt: for signing the software pads, then has the card do RSA_X_509, and the result is a signature. With decrypt the card does RSA_X_509 first, and returns the padding and data. The software then completes the decrypt by checking for valid padding and removing it.
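The host-side half of the RSA_X_509 flow described in the comment above, as an added example in C (not OpenSC's own code): pkcs1_pad_type1 builds the block that the card then raw-signs, and pkcs1_strip_type2 checks and removes the padding the card hands back after a raw decryption. The function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Build an EMSA-PKCS1-v1_5 (type 1) block: 00 01 FF..FF 00 || payload.
 * The card's raw RSA_X_509 operation over this block yields the signature.
 * Returns 0, or -1 if the payload does not leave room for 8 bytes of 0xFF. */
int pkcs1_pad_type1(const uint8_t *payload, size_t plen,
                    uint8_t *out, size_t modlen)
{
    if (modlen < plen + 11)
        return -1;
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xFF, modlen - plen - 3);   /* filler up to the separator */
    out[modlen - plen - 1] = 0x00;              /* separator */
    memcpy(out + modlen - plen, payload, plen);
    return 0;
}

/* Parse what the card returns after a raw RSA_X_509 decryption (modlen bytes)
 * as an EME-PKCS1-v1_5 (type 2) block: 00 02 <8+ non-zero random bytes> 00 || msg.
 * Copies msg to out and returns its length, or -1 if the block is malformed.
 * The whole block is scanned before deciding, rather than returning on the
 * first bad byte; real code needs constant-time primitives on top of that. */
int pkcs1_strip_type2(const uint8_t *in, size_t modlen,
                      uint8_t *out, size_t outlen)
{
    size_t i, sep = 0;
    int bad;
    if (modlen < 11)
        return -1;
    bad = (in[0] != 0x00) | (in[1] != 0x02);
    for (i = 2; i < modlen; i++) {
        if (sep == 0 && in[i] == 0x00)        /* first 0x00 after the header */
            sep = i;
    }
    bad |= (sep == 0) | (sep < 10);           /* no separator or < 8 random bytes */
    if (bad)
        return -1;
    if (modlen - sep - 1 > outlen)
        return -1;
    memcpy(out, in + sep + 1, modlen - sep - 1);
    return (int)(modlen - sep - 1);
}
```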
See the comments of OpenSC#1003 for more information.
These commits make signatures and encryption with RSA mechanisms working with CardOS 5.3 cards.
The changes are isolated to this specific version (based on ATR) so it will not affect any previous cards. But it can be that the older cards (CardOS 5.0) can work with the same attributes and therefore I would be glad for some testing and feedback before merging this change from other people who contributed to the earlier versions of the CardOS driver. Especially @szikora @mtausig who touched the driver in recent years in the context of CardOS 5.0 (but anyone else's comments and testing would be appreciated).
A basic test case that can be used to verify functionality is attached in the following gist (RSA_X_509 will not work for CardOS 5.3 and this PR): https://gist.github.com/Jakuje/5a993d2b2d8a9cac35203599e49e6831