-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always use ECDSA with off card hashing #28
Conversation
Hi, When introducing a Version 1 of the IsoApplet (and a new API/protocol), I'd like to add the features that a started to work on some time ago but got distracted from. We still need a solution to differentiate between the IsoApplet versions at the OpenSC side, so that both the v2.2.2 and 3.04 cards work. I am going to look at this when I find time (might be as late as next weekend, I am maintaining this project in my spare time.). If you have any insights or code to share, feel free to let me know. |
Hi and thanks for your response. I agree: we should make sure that old cards still work. Which features do you plan to add to the isoapplet-v1 branch? Maybe I can help with some of those. |
Thank you!
Mainly:
|
That's nice! I actually stumbled upon this problem a few days ago 😅
Sounds like a nice feature. However, I would also prefer to postpone this so that we get the changes for ECC off-card hashing, RSA-4096 and RSA PSS padding support faster into OpenSC mainline.
Requiring extended APDUs should not be a problem. I have updated the OpenSC PR so that it should now work with the v0 and v1 version of the IsoApplet. |
We should use this branch as basis, I rebased the old commits upon the current OpenSC master. There is a commit about announcing the PSS feature of IsoApplet to OpenSC, but it might not be tested.
Thanks, I merged your changes into the IsoApplet-v1 branch. |
I have rebased the OpenSC PR onto this branch with some changes. Last week I started testing with real hardware and found some more issues for which I created another PR (#30). |
With the changes to the v1 IsoApplet in PR #30 and the latest changes to OpenSC in PR OpenSC/OpenSC#2642 everything is working now:
I also tested EC and RSA key generation as well as signature creation with SHA1 (EC and RSA) with the v0 IsoApplet and the OpenSC version from the PR and everything seems to work fine. RSA 4096 could only be tested with the simulator since I do not have hardware with support for that at the moment. |
The changes of this PR are already in the IsoApplet-v1 branch. I am closing this PR, our discussion can be continued in PR #30. |
With this PR raw ECDSA without hashing is performed instead of ECDSA with SHA1 hashing.
The hashing has now to be done on the host side (See OpenSC/OpenSC#2642).
The benefit of this is that all ECDSA mechanisms of the pkcs#11 interface can be used with the ISOApplet.