-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sc-hsm-tool: Add options to initialize with public key authentication #2301
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for lookng into this. The PR looks good at first glance, I've left some inline comments...
src/libopensc/pkcs15-sc-hsm.c
Outdated
{ | ||
assert(asn1_cvc_pubkey_len >= C_ASN1_CVC_PUBKEY_SIZE); | ||
assert(asn1_cvc_body_len >= C_ASN1_CVC_BODY_SIZE); | ||
assert(asn1_cvcert_len >= C_ASN1_CVCERT_SIZE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please avoid assert and use return;
(and maybe debug output) instead
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed to return an error that gets propagated through
7642a87
to
3f58e36
Compare
This reverts commit a98d1c5.
This is mainly to make future parsing of sc_cvc_t easier by providing storage for the lengths.
The outerSignature may be allocated.
Before parsing, sc_pkcs15emu_sc_hsm_decode_cvc sets up sc_asn1_entry structs to match the expected ASN.1 format and populate the sc_cvc_t struct. Extract the struct setup code so it can be reused for parsing other SmartCard HSM formats in the future.
For public key authentication, SmartCard HSMs have two formats for exporting the public key: 1. Older format SEQUENCE (0x30) authenticatedrequest for public key details (0x67) ... device CVC (0x7F21) ... device issuer CA CVC (0x7F21) ... 2. Newer format (e.g. if exported from scsh3) SEQUENCE (0x30) OID (0x6) 1.3.6.1.4.1.24991.4.3.1 Application 1 (0x61) device CVC (0x7F21) ... Application 2 (0x62) device issuer CA CVC (0x7F21) ... Application 3 (0x63) authenticatedrequest for public key details (0x67) ... - Add a function to parse these two formats - Use asn1 callbacks to save a pointer to portions of the file. The HSM commands will require the ASN.1-encoded cert bodies.
- Remove get_CAR and get_CHR functions - Remove parsing from sc-hsm-tool.c - Pass the entire file through sc_card_ctl for parsing by the functions in pkcs15-sc-hsm.c - Tweak sc_hsm_register_public_key to parse the public key file into its components and use those results - Tweak verify_certificate to use the parsed sc_cvc_t - Return the public key authentication (PKA) status in the sc_card_ctl argument for sc-hsm-tool.c to print.
card-sc-hsm should quietly return the info and let the caller (in this case, sc-hsm-tool) display it to the user.
Looks good to me. I think we should be fine merging this unless there would be some more comments. |
Congrats on this, looking forward to testing this in 0.23.0 |
This PR rebases #1711 and reworks the CVC decoding per suggestions.
Tested on Nitrokey HSM 2 (SmartCard-HSM)
Checklist