CardOS 5 driver for OpenSC #283
Conversation
|
Thanks for this nice work. I applied your diff on the top of the last commit.I found that the share/opensc/cardos5.profile is missing when I installed opensc. I just created one by copying cardos.profile. On a freshly reformatted CardOS5 (erase, create 1024byte MF and apply the ServicePack), I tried to do a pkcs15-init -C --so-pin 12345678 --so-puk 12345678, I have this output: |
|
Hi, Thank you for testing the driver. Would it be possible for you to retrieve the output of OPENSC_DEBUG=10 when this problem happens? My guess is that the difference in behaviour is due to the fact that we are using different tools to format the card. I'm using a proprietary tool which unfortunately cannot be shared (since it contains the payload of an encrypted APDU legally protected by the card manufacturer). Our tools probably create the MF with different permissions, and so parse_df_acl() needs adjustment. With the output of OPENSC_DEBUG, I should be able to patch parse_df_acl() accordingly. |
|
The code modifies iso7816.c. This file should not be modified for individual cards. Can you move the cardos5 code to card-cardos5.c The ctx.c defines the internal card drivers and the order they are detected. Should cardos5 be placed before cardos? |
|
Hi, I've moved the CardOS 5 specific bits back to card-cardos5.c; iso7816.c should now be untouched. Thank you for your suggestion. As to the order in which the CardOS 4 and CardOS 5 drivers are attached: as long as the cards have different ATRs, we don't run the risk of an accidental mismatch. |
|
Looks OK to me, but I have no way to test. The code changes should not affect other cards. Others with cardos5 cards should try this if possible. |
|
Generating, uploading and signing with RSA keys up to 2048-bit in modulus seem to work fine. Keys larger than that are still problematic; I have no idea why. :( I've tested the code in this branch with CardOS 5.0 as well as CardOS 4.4 (for possible side effects). Unless memory fails me, @szikora was also able to test the driver with a CardOS 5.0 card. |
|
Good news: with the four commits above, 4096-bit keys work fine. |
|
No, this pull request does not rely on #260. |
| static int | ||
| asn1_put_tag(unsigned char tag, const unsigned char *tag_content, | ||
| size_t tag_content_len, buf_t *buf) | ||
| { |
There was a problem hiding this comment.
Header files are for definitions and global parameters. Don't put the implementation into a header file.
There was a problem hiding this comment.
This will result in code duplication in pkcs15-cardos5.c and card-cardos5.c. Is that preferable to having self-contained code in this header file, which shouldn't be included by anything else? If so, I will happily duplicate the code.
There was a problem hiding this comment.
At the moment you are not duplicating code, but libopensc.so will contain two implementations of the functions.
You could declare the definition to be non-static and put the implementation into card-cardos5.c.
There was a problem hiding this comment.
That's a very good idea. I will be away from keyboard for about a week; after which I will implement your suggested change. Thank you!
|
Hi Pedro, I've recompiled your last version of the cardos5 branch on a debian7.
Cheers, |
|
Hi, Here's a short list of things I plan to work on in the next few weeks:
Is there anything that I am missing? Would it be possible for this pull request to be merged as it is, so the items listed above could be implemented separately? |
|
The licensing stuff feels mandatory for me. Also refactoring of the header file should be done in my opinion. |
|
Hi! I have committed initial support for elliptic curves. There is even a chance that ECDSA already works with the code as it is; I'm yet to give it a try. The card supports arbitrary curves, which means that you need to tell it which curve you would like to use before a key pair can be generated. Right now only one curve can be configured. The device, however, offers support for multiple coexisting curves. For instance: $ openssl ecparam -list_curves |
|
ECDSA seems to work! I will add some more bits and pieces to cardos5-tool, rebase and squash. |
|
Hi! As can be seen above, the automated merge build of 663b151 failed due to openssl/cmac.h missing on the build machine. cardos5-tool relies on OpenSSL to do AES CMAC, and therefore includes this file. I have removed cardos5-tool from the build for now; I am fairly confident that those in need of this tool will be able to figure out where to find it and how to build it. |
|
In |
|
Thank you, @frankmorgner! I have implemented your suggestion and rebased the branch. |
|
I'm trying to test the code (commit aa3e2f) but I'm having the following result: $ ./cardos5-tool -E -k /home/ecordonnier/startkey_hex -s /home/ecordonnier/seed_hex $ ./cardos5-tool -F -k /home/ecordonnier/startkey_hex -s /home/ecordonnier/seed_hex $ ./pkcs15-init -C --so-pin 12345678 --so-puk 12345678 Do you know what the problem could be? |
|
HI! Is this a CardOS 5.0? If so, you need to install the service pack (which, unfortunately, is proprietary). -p.
|
|
Yes this is a cardOS 5.0. I have the service pack but did not find any documentation stating what it does and if it is required, so I did not know I needed it, thank you very much! |
|
No problem, and sorry for the lack of documentation. That's number one on my TODO list. |
|
You were right, the generation of the RSA key with pkcs15-init is working after I installed the service pack. |
|
Hi! What's the preferred way to document the CardOS 5 driver? mandoc, troff, entry on a html wiki? Text file? :-) |
|
|
Fixed in ef74177; thanks!
|
|
OK. Once the branch is deemed worthy of integration and there are no more objections, please let me know and I will rebase and squash it. |
| int | ||
| aes_cbc(const uint8_t *data, size_t data_len, const uint8_t *syskey, | ||
| size_t syskey_len, uint8_t **out, size_t *out_len) | ||
| { |
There was a problem hiding this comment.
AES-CBC is already implemented mulitple times in card-epass2003.c, card-piv.c and sc-hsm-tool.c. This should definitely be tied together...
There was a problem hiding this comment.
(Some day, I mean. I don't think you should fix all the legacy of OpenSC ;-) )
Yes, b) looks good. Frank Morgner Virtual Smart Card Architecture http://vsmartcard.sourceforge.net |
|
Thanks for extending Could someone try it with a different card? |
|
Hasn't this been done already in 7e7a44a? @martelletto You might be interested in testing the driver rebased upon a recent version of OpenSC. |
|
You are right. I have rebased the branch.
|
|
Implemented in d6e257e; thanks! -p.
|
|
I think that the essential remarks have been fixed now, thanks. Have you thought about using OpenSC's SM infrastructure instead of doing SM "by hand in cardod5-tool? |
|
Just one more thing ;-) Windows reports the following warning: |
|
Hi Frank, It seems I forgot to get back to you on that point. Sorry about that. I saw your earlier suggestion to use OpenSC's SM framework and took a I really like the idea. Unfortunately, the seed used to derive SM keys -p.
|
|
Fixed in 4639a99; thanks! -p.
|
|
Form SM, I think you have two options:
Given your current setup I'd go with the first option. |
|
Oh, I see what you mean. I think. :) Unfortunately I don't have my card
|
|
Unfortunately, I need to put this pull request on hold while NDA issues are cleared up with Atos. I will do so by pushing a dummy branch to replace the one with the CardOS 5 driver. Hopefully this situation will be resolved soon. |
|
Are there any news about the NDA issues with Atos? |
|
Last I heard there were no news. I no longer work for the company that developed the driver. If you are interested, contact me in private (I suppose that's possible through GitHub?) and I will be happy to get you in touch with people able to give a more accurate answer. |
|
Thanks for your offer! Unfortunately GitHub doesn't offer private messaging anymore. If you could write me an email at eduard.bichel AT gmail DOT com, it is maybe the easiest way to get in touch. |
|
Hi, Has anything moved on this side? |
|
Hi, I will ask the company which sponsored the work, but I don't suppose anything has changed, unfortunately. -p. |
|
Indeed, nothing has changed. I was told by the company in question that there is virtually no interest on their part in resolving this issue. :( |
|
:( Funny thing is that I'm currently a subco for AtoS and that I'm trying to use that cardos card to access their time-sheet system. I guess I'll have to continue to use my Windows VM... |
This change builds upon existing CardOS 4 code to implement a CardOS 5
driver for OpenSC. CardOS 4 and 5 differ substantially. The code
currently supports on-card generation and storage of RSA keys up to 2048
bits in modulus.
Support for 4096-bit RSA keys is still defective. I'm currently
investigating why.
The driver was tested using the following commands:
$ pkcs15-init -C --so-pin 12345678 --so-puk 12345678
$ pkcs15-init --store-pin --auth-id 01 --label potato --pin 1234 --puk 1234 --so-pin 12345678
$ pkcs15-init --generate-key rsa/2048 --auth-id 01 --pin 1234 --so-pin 12345678
(or)
$ openssl genrsa 2048 > /tmp/openssl-privkey
$ pkcs15-init --store-private-key /tmp/openssl-privkey --id 45 --auth-id 01 --pin 1234 --so-pin 12345678
And subsequently:
$ ssh-agent ksh
$ ssh-add -s /usr/lib/opensc-pkcs11.so
$ ssh-add -L > /tmp/x && ssh-keygen -e -m PEM -f /tmp/x > /tmp/y && ssh-add -T /tmp/y && echo ok
(where ssh-add -T is an extension to OpenSSH's ssh-add command that generates a random buffer, submits it to the agent to sign and then verifies the signature).
edit: Fixed typo. Added test commands.