"Invalid ASN.1 object" with ePass2003 #202
Comments
Also happens with Aventra EID. Did a git bisect, d4be8ec is apparently the problem. |
On 1/9/2014 6:12 AM, astrand wrote:
Do you have an opensc debug trace? That would help show where it is coming from. Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com |
@dengert My inline question was: is it your real intention to use the 'sc_pkcs15_encode_pubkey_as_spki()' for all key types? (There are no debug messages in 'sc_pkcs15_encode_pubkey_as_spki' in original sources)
|
On 1/10/2014 3:15 AM, viktorTarasov wrote:
The sc_pkcs15_encode_pubkey_as_spki() can work on RSA or EC today. I have asked for the GOST developers PKCS15 allows a pubkey to be stored as RAW, or as a SPKI. The sc-hsm developers may have changed the sc_pkcs15init_store_public_key() to always call I don't have the code in front of me, to check I will have to look on Monday. A gdb print out of the sc_pkcs15_pubkey passed to sc_pkcs15_encode_pubkey_as_spki() by sc_pkcs15init_store_public_key()
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com |
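The RAW and SPKI forms of an RSA public key mentioned in the comment above, shown as an added example that is not part of the thread and is not OpenSC code. It builds both DER encodings from the standard ASN.1 definitions and tells them apart by the first element inside the outer SEQUENCE; the helper names and the toy key are constructed for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
N, E = 3233, 17  # constructed toy key (61 * 53); all names here are illustrative

def tlv(tag, content):
    n = len(content)
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b
    return bytes([tag]) + length + content

def der_int(v):
    # bit_length // 8 + 1 bytes leaves the top bit clear, so the INTEGER stays positive
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def raw_rsa_pubkey(n, e):
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    return tlv(0x30, der_int(n) + der_int(e))

def spki_rsa_pubkey(n, e):
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    alg_id = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + raw_rsa_pubkey(n, e)))

def read_tlv(buf, off=0):
    # Returns (tag, content, next_offset); raises ValueError on malformed DER.
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length >= 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or off + nbytes > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[off:off + length], off + length

def classify(der):
    # The first element inside the outer SEQUENCE tells the two encodings apart.
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    inner_tag, inner, _ = read_tlv(body)
    if inner_tag == 0x02:
        return "raw"
    if inner_tag == 0x30 and read_tlv(inner)[:2] == (0x06, RSA_OID):
        return "spki"
    raise ValueError("unrecognised public key encoding")
```

The SPKI form carries the raw RSAPublicKey unchanged inside its BIT STRING, so a parser that expects one form and is handed the other fails on the first inner tag.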
It looks like in pkcs15init/pkcs15.lib the call to sc_pkcs15_encode_pubkey() was replaced with sc_pkcs15_encode_pubkey_as_spki() is expecting the sc_pkcs15_pubkey->data to have a DER encoding astrand, can you (or someone) try this attached patch that makes sure the raw DER value is available? On 1/10/2014 3:15 AM, viktorTarasov wrote:
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com
switch (pubkey->algorithm) { |
The previous patch had 3 errors. Astrand, can you (or someone else) try this new patch? On 1/10/2014 3:15 AM, viktorTarasov wrote:
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com
switch (pubkey->algorithm) { |
The patch doesn't help for me. See log: http://www.cendio.com/~astrand/opensc/issue202-1.log |
Well, now pkcs15-init --generate-key works. However, in our script, we are continuing with creating a certificate using openssl and engine_pkcs11, and that fails instead:
This worked before. I've put up the entire script at http://www.cendio.com/~astrand/opensc/pkcs15-selfsigned.sh in case you are interested. |
Based on your opensc debug trace, I think it looks like the sc_pkcs15_pubkey struct sc_algorithm_id * alg_id; Can you use gdb and set a breakpoint at asn1.c:1528 (the place where the "unexpected parm == NULL" message is produced). Then get a stack trace and send it. And can you go up in the stack to find the call to sc_pkcs15init_store_public_key then print *keyargs and send these too. I am looking to see what is passed in as the pubkey. On 1/13/2014 6:34 AM, viktorTarasov wrote:
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com |
Please disregard my previous message, on the gdb trace, since you said the patch worked. The following is a different problem, and should be submitted as a new bug report. On 1/13/2014 9:18 AM, astrand wrote:
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com |
@dengert With the current master, --generate-key works, so I don't know if your patch is required at all? I will see if I can pinpoint the other problem. @viktorTarasov, in the future please avoid committing both functional changes and white space / coding style changes at the same time, as was done in 5437f87. |
Since Viktor made a change in the pkcs15-pubkey.c to make sure alg_id was filled in, my change to In the comment which I said to ignore, was about the alg_id. Viktor added the change for alg_id Just to be sure, I submitted an updated pull request for the RAW DER encoded pubkey. Viktor, can you comment on this? On 1/14/2014 1:51 AM, astrand wrote:
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com |
Well, it seems that the idea to apply in pkcs15init the encoding of public key as spki to all key types was not sufficiently tested. |
On 1/14/2014 1:05 PM, viktorTarasov wrote:
As I have said, I don't have any actual pkcs15 cards and that when this code was submitted The SPKI was tested with PIV, (that emulates PKCS15, but does not use any of the pkcs15init code) There is a general problem with OpenSC. There are many developers, or companies Even when they do make such a statement, it is ignored by most developers. OpenSC needs a release schedule with plenty of time to get new card drivers added, Accepting large code changes just before a release has caused problems in the past.
A better time might be spent adding a SPKI option to the pkcs15init code with the default to not use it. And test if GOST works with it too.
Douglas E. Engert DEEngert@anl.gov DEEngert@gmail.com |
I have to agree there is a general problem. After almost TWO years, I was able to use the ePass2003 on Fedora - I thought. Now after this is "messed up" again (please excuse my language... ), it might take how long again? Thanks for looking into this everybody... |
Fixed in a399905. |
When trying to use generate, or import, an rsa key as per e.g.:
pkcs15-init --generate-key rsa/2048 --auth-id 01 -u sign,decrypt
...I get the following error message:
Failed to generate key: Invalid ASN.1 object
...any ideas? It seems as if it's always something new wrong with this... :(
Cheers,
Chris