-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend CI tests for OpenPGP and PIV with p11test #2872
Conversation
Looking at the CI runs, there are some suspicious parts (probably not related to these changes, but worth investigating):
|
PIV driver determines key type and parameters from public key in the matching certificate. Now that we are using the cached certificate files, this could mean that the cached certificates do not match the certificates on the card or no certificates were written to the card. See NIST sp800-73-4 "Part 1" "C.1 PIV Algorithm Identifier Discovery for Asymmetric Cryptographic Authentication" The cached certificates files feature depends on the serial number from the token. Since NIST does not define a serial, the CHUID object is used to derive a unique serial. If this is not present then a zero serial number is returned. So in the test environment where multiple tests run as the same user, if one test cached a certificate read from the token, the next test might use this this cached certificate which is not the same as the one on the token. Possible solution is to turn off cached certificates or delete Other possibility is the token is emulating some Yubico or other device which does not support EC. |
Is problem with test-piv: Caused by not defining any tests in piv_ref.json at lines 299-302: |
I added running p11test in verbose mode and used EC also for key on 9D so the derive test should pass on it now. However, I haven't yet figured out what is causing no EC mechanisms to list.
I'm not sure what you mean - the JSON file is only a reference for test outputs, so it does not define any tests. |
457c73d
to
441e0fa
Compare
EC mechanisms on PIV fixed by enforcing different card type (without |
If the virtual card has an ATR, it could be added to card-piv.c so it does not set the CI_NO_EC. That should only be set for older Yubico devices. |
The ATR of PivApplet is very generic one and part of configuration (its already in the card-piv): https://github.com/arekinath/PivApplet/blob/master/test/jcardsim.cfg I suggested to use the configuration to avoid need to invent a specific ATR for this test applet, but avoid mangling configuration of existing generic ATRs in the driver. |
441e0fa
to
3283faf
Compare
com.licel.jcardsim.card.ATR=3B80800101 https://smartcard-atr.apdu.fr/parse?ATR=3B+80+80+01+01 Looks like generic contactless card with no historic bytes: Best as I can tell, 3B+80+80+01 is an intermediate step in determine a card's ATR the would never end up in the actual ATR. Thus it was used by PCSC to make up an ATR for a contactless device. NIST 800-73-4 Part 1, "Table 2. Data Model Containers" (and other 800-73 versions) basically say no PIN over contactless without SM and card will enforce it. Note X.509 Certificate for Card Authentication and 9E key do not require a PIN, so can be used over contactless. Some Yubikey devices do not follow the NIST standard and will allow a PIN and crypto operations over contactless. card-piv will allow this for Yubikey devices, by checking historic bytes and reading the yubico_version number.
|
#2872 .github/test-piv.sh says:
Do you have a opensc-debug log level 3 that shows this is the case? If it is true, it needs to be fixed in the driver and not just for for test-piv.sh |
Looking closer, https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-piv.c#L533-L534 https://github.com/arekinath/PivApplet/tree/master#installing lists the SELECT_AID command and response:
The This could be tested for in card-piv.c. I will submit a PR. So this PR #2872 is good for now. |
Fixes: OpenSC#2872 The ATR 3b:80:80:01:01 is known to be used by multiple PIV cards: - "PIVKey uTrust (01) ISO 14443 Type B without historical bytes" - PivApplet when run from simulator which is used in p11test https://github.com/arekinath/PivApplet/blob/master/test/jcardsim.cfg - As no historical bytes are set, PC/SC could also return it if a conctless reader is bein used. Without this modification SC_CARD_TYPE_PIV_II_PIVKEY was assigned to card->type which would then set CI_NO_EC34 and CI_NO_EC. p11test then fails to find any EC keys. This mod now sets SC_CARD_TYPE_PIV_II_BASE for 3b:80:80:01:01 so no card_issue flags are set as defaults. Code is added to parse Application Label from response to SELECT_AID as many card vendors with put thier name in this field. Although the Application Label is not used at this time, it could be used to distinguish between different cards. PivApplet web pages show Application Label is "PivApplet". It is unknown what "PIVKey uTrust (01) ISO 14443 Type B without historical bytes" will return or if this card is still in use. On branch generic-atr Changes to be committed: modified: libopensc/card-piv.c
@dengert I read your last comment as we are good to go and we can resolve the generic ATR issue async in separate PR or after the release. I see you have some changes in https://github.com/dengert/OpenSC/compare/generic-atr but they look incomplete. Do you plan to submit them as a PR for this release or can this wait? |
Yes https://github.com/dengert/OpenSC/compare/generic-atr it is incomplete. I have a note into PIVKey but no response. I also submitted arekinath/PivApplet#74 but no comments yet. I have a number of PIVkey cards but not the generic ATR card. Your #2872 is good for now. You read it correctly: |
Thank you! If you think that something from the above discussion regarding the ATRs requires follow-up issue, please open one so it will not get lost. |
This PR expands the functionality of
test-openpgp.sh
andtest-piv.sh
to include the execution of p11test. The reference JSON files are in thesrc/tests/p11test/
directory.