pkcs15-openpgp.c Authentication key for decrypt requires MSE #3042
The test-openpgp fails with this because the It is not clear if the
These are the Encrypt/Decrypt/Wrap/Unwrap usage flags on Authentication key 03. Given that the key can be used only for Signatures, this is expected. Please, update the reference file.
The softhsm2 is not involved in this test. It runs against the OpenPGP applet in javacard emulator.
I did try updating the
Either github actions was not running with the updated file or the above was not the correct update.
The point is OpenPGP 3.4.1 (and introduced in 3.3) allows for keys 02 and 03 to have alternate usages, but only if the card supports MSE: The problem was the OpenSC card-openpgp.c code was setting usage for 03 without checking if the card supported it. It looks like that was the difference between the Nitro Start and Nitro Pro. Start does not do MSE, but Pro does. This problem only showed up when pkcs11-tool assumed an RSA key could do DECIPHER no matter what, but the token could not. IMHO, OpenPGP mixed up "key ref" and "algo" from version 1.0 assuming a key could only do one algo.
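The gating described in this thread, as an added C example that is not OpenSC's code: key 03 advertises encrypt, decrypt, wrap and unwrap only when the card reports MSE support. The function names, constants and sample bytes are this example's own, and reading MSE support from the tenth byte of the card's Extended Capabilities data is an assumption about the card layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local names for PKCS#15 KeyUsageFlags bits (this example's own constants). */
enum {
    USAGE_ENCRYPT = 0x01, USAGE_DECRYPT = 0x02, USAGE_SIGN = 0x04,
    USAGE_WRAP = 0x10, USAGE_UNWRAP = 0x20
};
#define USAGE_CIPHER_MASK (USAGE_ENCRYPT | USAGE_DECRYPT | USAGE_WRAP | USAGE_UNWRAP)

/* Constructed Extended Capabilities blobs, not dumps from a real token. */
static const uint8_t CAPS_WITH_MSE[10] = {0x7d, 0x00, 0x0b, 0xfe, 0x08, 0x00, 0x00, 0xff, 0x00, 0x01};
static const uint8_t CAPS_NO_MSE[10]   = {0x7d, 0x00, 0x0b, 0xfe, 0x08, 0x00, 0x00, 0xff, 0x00, 0x00};

/* Assumption: from spec 3.3 on, byte 10 of Extended Capabilities is non-zero
 * when MSE for keys 02 and 03 is supported. bcd_version is 0x0304 for 3.4.
 * Missing, short or older data is treated as "no MSE" (fail closed). */
int card_supports_mse(uint16_t bcd_version, const uint8_t *caps, size_t len)
{
    if (caps == NULL || bcd_version < 0x0303 || len < 10)
        return 0;
    return caps[9] != 0;
}

/* Usage bits to advertise for Authentication key 03. */
unsigned aut_key_usage(int has_mse)
{
    unsigned usage = USAGE_SIGN;          /* signatures need no MSE */
    if (has_mse)
        usage |= USAGE_CIPHER_MASK;       /* only reachable through MSE */
    return usage;
}

int main(void)
{
    int mse = card_supports_mse(0x0304, CAPS_WITH_MSE, sizeof CAPS_WITH_MSE);
    printf("3.4 card with MSE: usage=0x%02x\n", aut_key_usage(mse));
    mse = card_supports_mse(0x0200, CAPS_NO_MSE, sizeof CAPS_NO_MSE);
    printf("2.0 card:          usage=0x%02x\n", aut_key_usage(mse));
    return 0;
}
```

Failing closed on short or pre-3.3 data keeps a caller such as `pkcs11-tool --test` from being offered a decrypt operation the token will reject.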
Just as a data point, as mentioned in a different thread, this patch does fix [at least] the BTW, I think Start formally supports version 2 of the spec, so if the MSE command is from 3.3, then it would explain why it doesn't have that. The Pro 2 on the other hand supports 3.3 and does support the MSE, which also checks out.
@dengert Can you add the changes to the ref json file to this PR so we can see what you see?
pkcs11-tool --test calls "test_decrypt" and test any RSA key that supports decryption.
OpenPGP can do this for the Authentication key, but requires the optional MANAGE SECURITY ENVIRONMENT (MSE) command.
Do not set decrypt or wrap usage bits unless MSE is supported for the card.
Found using YubiKey NFC and Nitro start that do not support MSE.
On branch X25519-improvements-2
Changes to be committed:
modified: libopensc/pkcs15-openpgp.c
Without MSE, key 03 can not decrypt, encrypt, wrap or unwrap
But Check Code Style fails: https://github.com/OpenSC/OpenSC/actions/runs/8007038450/job/21870157954?pr=3042 I made changes so that Authentication key 03 usage would not include ENCRYPT, DECRYPT, WRAP or UNWRAP.
Yeah. I saw it last time I was updating them. Not sure what would be the best. We can update them to be more indented when they are generated, but given that this indentation does not add much readability, I would propose to make clang ignore the json files. But good to see that with the updated ref file the test works.
bd54722 to aa4dc64
Changes to be committed: modified: restart-pcscd.sh modified: test-openpgp.sh
The changes look good. The current test-openpgp log is terribly long, but I think we can live with it until we debug the issue.
@@ -3,6 +3,8 @@ | |||
# This file is made to be sourced into other test scripts and not executed | |||
# manually because it sets trap to restore pcscd to working state | |||
|
|||
# Set PCSCD_DEBUG="-d -a" to debug APDUs before sourcing this file | |||
|
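Review bot: the new comment documenting PCSCD_DEBUG="-d -a" does not mention that APDU-level debug output records the data of every command sent to the card, PIN verification included, so it should say the setting is meant for runs against test cards or the emulator only. It would also help to state in the same comment what happens when the variable is left unset, since the script is sourced by other test scripts and readers will not see the place where it is expanded.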