-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkcs11-tool: send DER for EC public keys with default compilation flags #1287
Conversation
PKCS#11 early version were not clear . Later versions do what OpenSC dies.
Talk ro SafeNET
…On Mar 18, 2018 5:08 AM, "aalba6675" ***@***.***> wrote:
- Fixes #1286 <#1286>: "Does it
even make sense to write EC keys not in DER?"
- the naming of the define was confusing, anyway
Checklist
- Documentation is added or updated
- New files have a LGPL 2.1 license statement
- Tested with the following card:
- tested PKCS#11
- tested Windows Minidriver
- tested macOS Tokend
------------------------------
You can view, comment on, or merge this pull request online at:
#1287
Commit Summary
- pkcs11-tool: send DER for EC public keys unconditionally
File Changes
- *M* src/tools/pkcs11-tool.c
<https://github.com/OpenSC/OpenSC/pull/1287/files#diff-0> (4)
Patch Links:
- https://github.com/OpenSC/OpenSC/pull/1287.patch
- https://github.com/OpenSC/OpenSC/pull/1287.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#1287>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA00MZMltIk1fiKjlqyodgZN9OMSf-t5ks5tfk5TgaJpZM4SvK9A>
.
|
@dengert - SafeNet is doing the right thing by expecting DER intead of plain binary bytes. This PR is about the default compilation behaviour of pkcs11-tool to make it conform to the standard and the rest of OpenSC. @DDvO in #79 writes "It came to my surprise that PKCS#11 in this case requires an ASN.1 octet (DER) encoding, while for RSA key material this is not the case. I confirmed this from ftp:https://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30m1-d7.pdf. Judging also from the discussion on Bugzilla there are several implementations that are non-compliant in the same way as my card." |
Looking again at the condition I implemented in June 2016:
I now think that I did a mistake and I should have written
instead; then the default behavior would already have been the standard-compliant one.
such that the default behavior is the compliant one, |
3e75e8f
to
664fb76
Compare
Fixes OpenSC#1286. The behaviour of pkcs11-tool will follow the standard - send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will write plain bytes.
664fb76
to
326cde2
Compare
@DDvO thanks for the clearification. |
I would vote remove it. PKCS#11 says use DER. And that is what OpenSC
does. If a card does not use DER, then the driver and PKCS#11 module are
responsible to to add or strip DER for the card. The calling application
(pkcs11-tool) should not have to deal with this.
It should not be an OS issue either.
From the discussion it sounds like there was some PKCS#11 module at onetime
that was not compliant. Is it still being used? Has it been updated by the
vendor?
(I can't do much to help with this till late next week.)
…On Mon, Mar 19, 2018 at 2:44 AM, David von Oheimb ***@***.***> wrote:
Looking again at the condition I implemented in June 2016:
#ifndef EC_POINT_NO_ASN1_OCTET_STRING
I now think that I did a mistake and I should have written
#ifdef EC_POINT_NO_ASN1_OCTET_STRING
instead and the default behavior would already have been the
standard-compliant one.
So instead of removing the conditional workaround as proposed in this PR,
it could also be kept and just corrected to
#ifdef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
gost->public.len -= header_len;
gost->public.value += header_len;
#endif
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1287 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AA00MQnbNnlup-3ncNJEwT4R1SPfmbeDks5tf2HigaJpZM4SvK9A>
.
|
Good point that the driver should be responsible for dealing with any DER encoding incompatibility. Back in Aug 2016 I was testing a beta CardOS 5.3 middleware with a beta CardOS 5.0 card. |
So are you saying the original patch was for beta code for CardOS?
Is the code still in beta?
If the CardOS was fixed, and the OpenSC PR is no longer needed we should
revert the original OpenSC PR.
?
…On Mar 19, 2018 10:04 AM, "David von Oheimb" ***@***.***> wrote:
Good point that the driver should be responsible for dealing with any DER
encoding incompatibility.
Yet the driver itself could be faulty in this respect.
Back in Aug 2016 I was testing a beta CardOS 5.3 middleware with a beta
CardOS 5.0 card.
Meanwhile I'm pretty far away from this topic and cannot say if this still
applies and what might have changed in newer driver/module versions.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1287 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AA00MXoWJkKqyJS2g2ILYZ_9Uhbi0x5Dks5tf-UrgaJpZM4SvK9A>
.
|
I've just tested writing an EC public key with the latest CardOS PKCS#11 module I have (of Marc 2017):
to the latest card I have:
Unfortunately, without the workaround I still get:
I do not know if this bug is in the CardOS driver or the card itself. So thanks @aalba6675 for adapting your PR such that the workaround can be enabled easily when needed. |
I object to the way this is implemented, It is a compile time change to an OpenSC utility to support a non standard PKCS#11 module that is still Beta. It means pkcs11-tool will not work with other complaint modules including the OpenSC modules. I realize that it is for EC only. The PR should be rewritten to make it an run time option or to base it on the specific version of the module. |
@dengert, it looks like you misunderstood the nature of the proposed change. BTW, the non-compliant behavior of CardOS (and presumably some other cards/drivers, too) has been around for long time in various (also non-beta) versions and their use is apparently wide-spread. After the change, users who need the workaround will need to compile with |
What I am worried about is some distro will compile with EC_POINT_NO_ASN1_OCTET_STRING |
Indeed this has happened — in the opposite sense. RHEL did not define this in its packaging and as a result the pkcs11-tool in RHEL is sending plain bytes instead of DER. |
Oops. Luckily this only affects sending EC public keys to a token - a pretty rare scenario. After the change proposed in this PR, I'd consider the risk that someone accidentally enables the encoding workaround by defining |
After some other point made above, I just suggest improving the comment |
[UPDATE] PR has been modified according to @DDvO's comment.
By default EC_POINT_NO_ASN1_OCTET_STRING is undefined and you will get standards behaviour.
Define this to get the write to send plain bytes.
This PR specifically fixes the default behaviour of
pkcs11-tool
. Makefile defaults to an undefined EC_POINT_NO_ASN1_OCTET_STRING and therefore EC public keys are written as plain bytes instead of with DER wrapping.This will make pkcs11-tool consistent with the standard.
Checklist