Can't store key on Rutoken ECP 2.0 #931

Closed
hexum opened this issue Jan 2, 2017 · 17 comments
@hexum

hexum commented Jan 2, 2017

Can't store SSH key on Rutoken ECP.
ATR: 3b:8b:01:52:75:74:6f:6b:65:6e:20:44:53:20:c1

Steps to reproduce

Opensc-0.16.0

rm ssh.key
echo | ssh-keygen -b 2048 -t RSA -f ssh.key
pkcs15-init -E
pkcs15-init -C --so-pin '12345678' --so-puk ''
pkcs15-init -P --id 2 -l "User" --so-pin '12345678'  --pin '12345678' --puk ''
pkcs15-init -a 2 -S ssh.key -l ssh.key --pin '12345678'

Error: "Failed to store private key: Invalid arguments"
Subsequent repeating of the last operation produces error: "Failed to store private key: File already exists"

Note

I do not want to generate the key on the token. The key should be validated and backed up.

@frankmorgner
Member

Please attach a debug log!

There aren't exactly many maintainers of the ru token, maybe @alonbl can help

@hexum
Author

hexum commented Jan 6, 2017

[pkcs15-init] card.c:720:sc_select_file: 'SELECT' error: -1201 (File not found)
first.attepmt.log.gz

hexum changed the title from "Can't store RSA/2048 key" to "Can't store key on Rutoken ECP 2.0" on Jan 6, 2017
@hexum
Author

hexum commented Jan 6, 2017

Seems very similar to #671

@frankmorgner
Member

Indeed it does, but @viktorTarasov should have fixed the error in 0838520, which is included in 0.16.0. Could you try against a build of master?

@hexum
Author

hexum commented Jan 6, 2017

I'm using exactly Opensc-0.16.0.
I will try to build master just to see how it works.

@hexum
Author

hexum commented Jan 6, 2017

Master has been broken.
master.build.log.gz

@konstantinpersidskiy
Contributor

Try commit 4ad838e, I think it fixes this issue

@frankmorgner
Member

@hexum could you please verify if the proposed patch fixes your problem?

@hexum
Author

hexum commented Feb 5, 2017

Master was built
OpenSC-0.16.0-170-g3635dbe7
Original bug with key upload is still reproducible.
Commands rewritten to automate testing by copy-paste.
Does your commit 4ad838e live in master? I can't even check it out.

@frankmorgner
Member

It's not yet in master, because the fix is unconfirmed. Use:

git fetch origin pull/931/head:931
git checkout 931

@hexum
Author

hexum commented Feb 5, 2017

Instruction doesn't work. Can you create a branch in your own repo and tell me its name?

git fetch origin pull/931/head:931
fatal: Couldn't find remote ref pull/931/head

@frankmorgner
Member

Use the existing repository

git checkout -b AktivCo-rtecp_change_reference_data_fix master
git pull https://github.com/AktivCo/OpenSC.git rtecp_change_reference_data_fix

@hexum
Author

hexum commented Feb 5, 2017

Right commands were

git fetch origin pull/958/head:958
git checkout 958

I've managed to make an ebuild and install the right version. (I do not know how to use opensc without installation, a lot of LD_LIBRARY_PATH magic is needed).

opensc-tool --version
OpenSC-0.16.0-159-g4ad838e7, rev: 4ad838e7, commit-time: 2017-02-02 07:18:43 -0800

Now I can store key. We can close the bug.
But I found another bug while 'smoke' testing. After deletion of private key I still see it in list and can use it.

pkcs15-init -D privkey -i bdd6bbb82486a11cc50bfb0dce898bb8649f1c20
pkcs15-tool -D
.....
Public RSA Key [ssh.key]
	Object Flags   : [0x2], modifiable
	Usage          : [0x40], verify
	Access Flags   : [0x0]
	ModLength      : 2048
	Key ref        : 0 (0x0)
	Native         : no
	Path           : 3f0050000200
	ID             : bdd6bbb82486a11cc50bfb0dce898bb8649f1c20

I'm really bored to be unpaid tester of products I paid for...

@frankmorgner
Member

@hexum, you certainly didn't pay me to do the project management. Next time if you're buying things, make sure to get the support package as well. And then, use your paid contact to do the problem clearing.

@konstantinpersidskiy, do you think the listing of the old key is a related issue?

@hexum
Author

hexum commented Feb 6, 2017

You are definitely right.
I did talk to Rutoken and they told me they will provide some help. Sorry if you are not related to Rutoken team.
I just want people to know that Rutoken is a creepy shit in the Opensource world.

@konstantinpersidskiy
Contributor

konstantinpersidskiy commented Feb 6, 2017

@hexum,

pkcs15-init -D privkey -i bdd6bbb82486a11cc50bfb0dce898bb8649f1c20
pkcs15-tool -D
.....
Public RSA Key [ssh.key]

You deleted the private key and OpenSC lists the public key - that's not a bug.

@frankmorgner, I suppose there's no issue with old key listing at all (at least, I couldn't find any)

@hexum
Author

hexum commented Mar 12, 2017

Really this time it works. And double CRUD test is passed.
Just can't understand why pubkey is being created on privkey loading.
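
The distinction the thread arrives at (deleting the private key object leaves a public key object with the same ID on the token) can be checked mechanically. The script below is an added example, not part of the original issue or of OpenSC: the function names are hypothetical, and the sample dumps are constructed, with the private key block assumed to follow the same layout as the public key block quoted above.

```shell
#!/bin/sh
# Added example (not from the issue): report which PKCS#15 objects in a
# `pkcs15-tool -D` dump carry a given ID. Function names are hypothetical.

KEY_ID=bdd6bbb82486a11cc50bfb0dce898bb8649f1c20   # ID quoted in the thread

# objects_for_id ID < dump : print the header of every object with that ID.
objects_for_id() {
    awk -v want="$1" '
        # Object header: unindented line ending in "[label]".
        /^[^ \t].*\[.*\]$/ { header = $0; next }
        # Indented "ID : value" attribute ("Auth ID" does not match).
        /^[ \t]+ID[ \t]*:/ {
            sub(/^[ \t]+ID[ \t]*:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            # Append "" to force string comparison: IDs such as 02 or 1e5
            # would otherwise be compared as numbers.
            if (($0 "") == (want "")) print header
        }
    '
}

# private_key_present ID < dump : exit 0 if a private key object has that ID.
private_key_present() {
    objects_for_id "$1" | grep '^Private ' >/dev/null
}

# Constructed sample dumps; the private key block is assumed to use the same
# layout as the public key block shown in the thread.
sample_after_delete() {
    printf 'Public RSA Key [ssh.key]\n\tModLength      : 2048\n'
    printf '\tID             : %s\n' "$KEY_ID"
}
sample_before_delete() {
    printf 'Private RSA Key [ssh.key]\n\tModLength      : 2048\n'
    printf '\tID             : %s\n' "$KEY_ID"
    sample_after_delete
}

for state in before_delete after_delete; do
    if "sample_$state" | private_key_present "$KEY_ID"; then
        echo "$state: private key object present"
    else
        echo "$state: no private key object; remaining:" \
             "$("sample_$state" | objects_for_id "$KEY_ID")"
    fi
done
```

Against a real token, pipe the output of `pkcs15-tool -D` into `private_key_present` after running `pkcs15-init -D privkey` to confirm that only the public half remains.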
