Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sc-hsm-tool: Add options to initialize with public key authentication #2301

Merged
merged 31 commits into from
Mar 1, 2022
Merged

sc-hsm-tool: Add options to initialize with public key authentication #2301

merged 31 commits into from
Mar 1, 2022

Conversation

charredlot
Copy link
Contributor

@charredlot charredlot commented Apr 16, 2021
edited
Loading

This PR rebases #1711 and reworks the CVC decoding per suggestions.

Tested on Nitrokey HSM 2 (SmartCard-HSM)

Checklist
  • Documentation is added or updated

@charredlot charredlot mentioned this pull request Apr 16, 2021
Closed
1 task
frankmorgner
frankmorgner requested changes Apr 20, 2021
View reviewed changes
Copy link
Member

@frankmorgner frankmorgner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for lookng into this. The PR looks good at first glance, I've left some inline comments...

src/libopensc/card-sc-hsm.c Outdated Show resolved Hide resolved
src/libopensc/pkcs15-sc-hsm.c Outdated
{
assert(asn1_cvc_pubkey_len >= C_ASN1_CVC_PUBKEY_SIZE);
assert(asn1_cvc_body_len >= C_ASN1_CVC_BODY_SIZE);
assert(asn1_cvcert_len >= C_ASN1_CVCERT_SIZE);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please avoid assert and use return; (and maybe debug output) instead

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed to return an error that gets propagated through

src/libopensc/pkcs15-sc-hsm.c Outdated Show resolved Hide resolved
src/libopensc/pkcs15-sc-hsm.c Outdated Show resolved Hide resolved
src/libopensc/pkcs15-sc-hsm.c Outdated Show resolved Hide resolved
src/libopensc/pkcs15-sc-hsm.c Outdated Show resolved Hide resolved
src/tools/sc-hsm-tool.c Outdated Show resolved Hide resolved
frankmorgner
frankmorgner requested changes Apr 21, 2021
View reviewed changes
src/tools/Makefile.am Show resolved Hide resolved
Frank Braun and others added 24 commits April 21, 2021 12:52
@charredlot
pkcs11-tool: Add prime521v1 curve
b425ceb
@charredlot
pkcs11-tool: Add secp521k1 curve
b33429f
@charredlot
sc-hsm-tool: Add options for public key auth
d8ddc20
@charredlot
sc-hsm: Initialize card with public key auth
68f97e9
@charredlot
sc-hsm-tool: Add option --export-for-pub-key-auth
9b19244
@charredlot
sc-hsm-tool: Add option --register-public-key
bf04fd6
@charredlot
sc-hsm-tool: Add option --public-key-auth-status
a4993f0
@charredlot
coding style
d968fdd
@charredlot
convert spaces to tabs (consistent coding style)
7c3277d
@charredlot
sc-hsm: use memcpy() instead of strncpy()
95264fe
@charredlot
sc-hsm: use smaller recvbuf
7ddfc88
@charredlot
sc-hsm: use sc_format_apdu_ex()
7aedafc
@charredlot
sc-hsm-tool: use fread_to_eof()
1d30d09
@charredlot
sc-hsm: fix messed up formatting
3c9b889
@charredlot
sc-hsm: fix error message
8887d7a
@charredlot
sc-hsm-tool: improve argument checks
a46d770
@charredlot
Revert "sc-hsm-tool: use fread_to_eof()"
678fb8d 
This reverts commit a98d1c5.
@charredlot
sc-hsm-tool: simplify argument checks
d6470c8
@charredlot
sc-hsm-tool: use goto for error handling
e90fefe
@charredlot
sc-hsm: strlen() -> strnlen()
03131f3
@charredlot
sc-hsm-tool: check for expected tags (.pka files)
2b3f834
@charredlot
adjust sc_format_apdu_ex() calls
7bf4b1f
@charredlot
check for possible out of bounds write
3786797
@charredlot
card-sc-hsm: add lengths for CHR, CAR, outer CAR
33757da 
This is mainly to make future parsing of sc_cvc_t
easier by providing storage for the lengths.
@charredlot
pkcs15-sc-hsm: free outerSignature on cvc free
fbcebc3 
The outerSignature may be allocated.
@charredlot
pkcs15-sc-hsm: extract CVC ASN.1 parsing setup
1d3b6ea 
Before parsing, sc_pkcs15emu_sc_hsm_decode_cvc sets
up sc_asn1_entry structs to match the expected ASN.1
format and populate the sc_cvc_t struct.

Extract the struct setup code so it can be reused
for parsing other SmartCard HSM formats in the future.
@charredlot
pkcs15-sc-hsm: parse public key format
8195467 
For public key authentication, SmartCard HSMs have two
formats for exporting the public key:

1. Older format

SEQUENCE (0x30)
    authenticatedrequest for public key details (0x67)
        ...
    device CVC (0x7F21)
        ...
    device issuer CA CVC (0x7F21)
        ...

2. Newer format (e.g. if exported from scsh3)

SEQUENCE (0x30)
    OID (0x6) 1.3.6.1.4.1.24991.4.3.1
    Application 1 (0x61)
        device CVC (0x7F21)
            ...
    Application 2 (0x62)
        device issuer CA CVC (0x7F21)
            ...
    Application 3 (0x63)
        authenticatedrequest for public key details (0x67)
            ...

- Add a function to parse these two formats
- Use asn1 callbacks to save a pointer to portions of
the file. The HSM commands will require the ASN.1-encoded
cert bodies.
@charredlot
card-sc-hsm: rework register public key for PKA
66dcf41 
- Remove get_CAR and get_CHR functions
- Remove parsing from sc-hsm-tool.c
- Pass the entire file through sc_card_ctl for parsing
by the functions in pkcs15-sc-hsm.c
- Tweak sc_hsm_register_public_key to parse the public
key file into its components and use those results
- Tweak verify_certificate to use the parsed sc_cvc_t
- Return the public key authentication (PKA) status in
the sc_card_ctl argument for sc-hsm-tool.c to print.
@charredlot
card-sc-hsm: move printing of PKA status to caller
6713739 
card-sc-hsm should quietly return the info and let the
caller (in this case, sc-hsm-tool) display it to the user.
@charredlot
sc-hsm-tool: add PKA options to manpage
0c9ec17
@Viajaz Viajaz mentioned this pull request Aug 10, 2021
Closed
@Jakuje
Copy link
Member

Jakuje commented Aug 24, 2021

Looks good to me. I think we should be fine merging this unless there would be some more comments.
It is a bit specific, but the code looks fine.

@dengert dengert added this to To do in Release 0.23.0 Nov 2, 2021
@frankmorgner frankmorgner merged commit 8f7c23b into OpenSC:master Mar 1, 2022
Release 0.23.0 automation moved this from To do to Done Mar 1, 2022
@Staja
Copy link

Staja commented Mar 1, 2022

Congrats on this, looking forward to testing this in 0.23.0

@xhanulik xhanulik mentioned this pull request Jul 12, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frankmorgner frankmorgner frankmorgner approved these changes

@Jakuje Jakuje Jakuje approved these changes

@LOLSOR23 LOLSOR23 LOLSOR23 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
No open projects
Release 0.23.0
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@charredlot @Jakuje @Staja @frankmorgner @LOLSOR23