Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use ram buffer large requests/responses and only signal RSA PSS support if all hash schemes are supported #30

Merged
merged 5 commits into from
Dec 27, 2022
Merged

use ram buffer large requests/responses and only signal RSA PSS support if all hash schemes are supported #30

merged 5 commits into from
Dec 27, 2022

Conversation

swissbit-csteuer
Copy link
Contributor

@swissbit-csteuer swissbit-csteuer commented Dec 5, 2022
edited
Loading

When testing the isoapplet-v1 changes with real hardware instead of the simulator, I found that the size of the APDU buffer is not large enough to hold all data, e.g. when sending the public EC key, even if extended APDUs are used.

I found in the JavaCard API docs that the guaranteed length of the APDU buffer is only 133 bytes (the buffer size of the smart card that I use for testing is 261 byte).

Therefore, I revived the ram buffer from the v0 version.
I have already tested EC and RSA Keygen, ECDSA and RSA-PKCS1 signature creation and EC/RSA key import.
RSA-PSS signatures and RSA decryption have not been tested yet.

@swissbit-csteuer swissbit-csteuer mentioned this pull request Dec 5, 2022
Closed
@swissbit-csteuer swissbit-csteuer changed the title use ram buffer for request and response data larger than the APDU buffer use ram buffer large requests/responses and only signal RSA PSS support if all hash schemes are supported Dec 6, 2022
@swissbit-csteuer
Copy link
Contributor Author

I tested RSA PSS today with OpenSC.
OpenSC does two things that are kind of incompatible with the RSA PSS implementation in the IsoApplet:

  1. OpenSC prefixes the pre-computed hash with PKCS#1 digest info. The IsoApplet requires the raw hash. I changed the IsoApplet card driver in OpenSC to remove the prefix.
  2. When a card driver sets the SC_ALGORITHM_RSA_PAD_PSS flag, OpenSC assumes that all hash algorithms (SHA1 + SHA2) are supported unless one constrains the available hash algorithms. E.g. we could set the SC_ALGORITHM_RSA_HASH_SHA256 if we only support RSA with SHA256. However, that constrains the hash algorithms that are available to RSA PKCS#1.5 as well. Therefore, I changed the IsoApplet to only signal RSA PSS support if all signature schemes are supported.

I hope its ok that I increased the scope of this PR by adding those changes.

@swissbit-csteuer
Copy link
Contributor Author

I added some more changes to make RSA 4096 work. Everything seems to work now so I do not plan any further changes.

@philipWendland philipWendland merged commit 2fb8253 into philipWendland:isoapplet-v1 Dec 27, 2022
@philipWendland
Copy link
Owner

Hi, I did some testing today. My physical card will throw "CryptoException.ILLEGAL_USE" when calling update() of the ECDSA Signature object. I included your changes into the IsoApplet-v1 branch, but made some changes, so that the sign()-Method is used directly. The message/buffer size shouldn't be a problem here (anymore, since using off-card-hashes).

Could you confirm that this version still works with your card(s)?

@swissbit-csteuer
Copy link
Contributor Author

Hi,

I can confirm that it still works with our card.

Happy new year by the way 🎆 🙂

@philipWendland
Copy link
Owner

Thanks for testing. I commented on the OpenSC PR so that it can be merged.

Happy new year by the way fireworks slightly_smiling_face

Thank you! I also wish you a happy new year!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@swissbit-csteuer @philipWendland