0.20.0-rc4: sc_pkcs15_compute_signature not called from OpenSCToken #20
Comments
Why do you think it hangs? Are you sure you present the correct certificate to the website? Does client authentication work in Firefox?
Unfortunately I cannot test that, because I can only access the page via Chrome.
Maybe hangs is not wrong wording. The log output just stops, where in rc3 I could a call to Could keychain and token interfere with each other? OpenSC-0.20.0-rc3:
OpenSC-0.20.0-rc4:
I am going to upgrade from
@frankmorgner So I did a lot of digging yesterday and I made it work! :) However, before committing a patch I would like to discuss some things. First of all, this is the code line my card cannot pass: OpenSCToken/OpenSCToken/TokenSession.m Lines 202 to 203 in d508acf
Adding some debug log it was shown that For Last but not least in my case it wants to calculate a signature with
works. Could this be an "off-by-one" error? Thank you for your help!
Maybe @Jakuje can look at the TCOS properties... Here is a list of Apple's security mechanisms: https://developer.apple.com/documentation/security/seckeyalgorithm?language=objc In OpenSCToken, I don't check for
Just to be exact, what would be the exact patch to make client authentication work for you?
Possible solution 1 (known working):
Possible solution 2 (untested):
With rc3, the card is still using the RAW signature operation emulated with the TCOS decryption operation, which is not completely fine. This gets selected by From the input In any case, misusing this works only as long as these padding checks are not performed by the card.
@Jakuje I kind of understand what you are writing. I put in all the debug output I could and here is what's requested by the OS (for pairing):
and by the Browser (for signing):
It always comes back to
Yes. OAEP is not supported natively by your driver, so it falls back to the raw operation while doing the OAEP internally. Not sure what the pairing is for, though. But the
One can pair one's macOS user with the smartcard, or what do you mean?
card-tcos.c only advertises SC_ALGORITHM_RSA_PAD_PKCS1 and SC_ALGORITHM_RSA_HASH_NONE, no? So SHA1 is not supported by the card? Sorry for my lack of knowledge...
In OpenSC/OpenSC#1869 (comment) you reported that the
That is true. However, in https://github.com/OpenSC/OpenSC/blob/ee78b0b80514460936c585c3ff5fc477338ae371/src/libopensc/card-tcos.c#L98-L102 those SC_ALGORITHM_RSA_* flags are set and checked against: OpenSCToken/OpenSCToken/TokenSession.m Lines 32 to 63 in 84e0052
Meaning that to support SHA1 I would need to add SC_ALGORITHM_RSA_HASH_SHA1 in card-tcos.c. Would that be okay? I am not sure where pkcs11-tool gets that information from.
The important question is whether it will work. See the comment in https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/opensc.h#L126 -- for RSA PKCS1.5 the NONE value means that the hashing is not done by the card. But it does not mean that the hashing cannot be done by OpenSC.
With:
I receive Log: https://gist.github.com/jmastr/0076aba4fc6392a8b7c7e53652501ab0
I don't know whether we can solve this issue in a satisfactory manner...
The thing is that
I asked again for more documentation. Can we revert OpenSC/OpenSC@992ed48 and put a comment on it?
No problem. Go ahead.
OK, @jmastr please make a PR with the suggested changes. Please also run
For 2048 bit keys the padded input is 256 bytes long. Fixes frankmorgner/OpenSCToken#20
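As an added example (not OpenSC's or OpenSCToken's own code), this is the EMSA-PKCS1-v1_5 encoding a host has to perform itself when a card advertises SC_ALGORITHM_RSA_PAD_PKCS1 with SC_ALGORITHM_RSA_HASH_NONE: the digest and its DigestInfo wrapper are produced off-card and only a padded block of exactly modulus length (256 bytes for a 2048-bit key) goes to the card, which is where a length off-by-one would surface. Function names and the sample digest are constructed for this illustration; the DigestInfo prefixes are the RFC 8017 values.

```c
#include <stdint.h>
#include <string.h>

/* DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1). */
static const uint8_t SHA1_PREFIX[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
    0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
static const uint8_t SHA256_PREFIX[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
    0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

/* Length of the padded input for an RSA key of the given bit size (2048 -> 256). */
size_t padded_len_for_bits(unsigned bits) { return (bits + 7) / 8; }

/* Build EM = 0x00 || 0x01 || PS(0xff...) || 0x00 || DigestInfo(hash), exactly
 * modulus_len bytes long. This is the work the host does when the card only
 * offers PAD_PKCS1 + HASH_NONE. Returns modulus_len, or 0 on error. */
size_t emsa_pkcs1_v15_encode(const uint8_t *hash, size_t hash_len,
                             uint8_t *em, size_t modulus_len)
{
    const uint8_t *prefix;
    size_t prefix_len, t_len, ps_len;

    if (hash_len == 20) { prefix = SHA1_PREFIX; prefix_len = sizeof SHA1_PREFIX; }
    else if (hash_len == 32) { prefix = SHA256_PREFIX; prefix_len = sizeof SHA256_PREFIX; }
    else return 0;                              /* digest length not recognised */

    t_len = prefix_len + hash_len;              /* DigestInfo length */
    if (modulus_len < t_len + 11) return 0;     /* RFC 8017 demands >= 8 bytes of PS */
    ps_len = modulus_len - t_len - 3;           /* 218 for SHA-1 with a 2048-bit key */

    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, prefix, prefix_len);
    memcpy(em + 3 + ps_len + prefix_len, hash, hash_len);
    return modulus_len;
}

/* The structural check a padding-aware card would apply to the block it is
 * handed; returns 1 if the v1.5 layout holds for modulus_len bytes, else 0. */
int emsa_pkcs1_v15_check(const uint8_t *em, size_t modulus_len)
{
    size_t i = 2;
    if (modulus_len < 11 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < modulus_len && em[i] == 0xff) i++;        /* skip PS */
    if (i < 10 || i >= modulus_len || em[i] != 0x00) return 0;   /* PS >= 8, separator */
    return 1;
}
```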
@frankmorgner Thank you for uploading the dmg file for OpenSC-0.20.0-rc4! With the new release candidate I encounter a strange behaviour: signData (which itself calls sc_pkcs15_compute_signature) from TokenSessions.m is not called when I try to log in to a webpage via certificate. On the same machine, downgrading from OpenSC-0.20.0-rc4 to OpenSC-0.20.0-rc3 gives me the expected log output (but fails to sign the request due to another issue with TCOS, which was fixed in OpenSC-0.20.0-rc4).
Here are some logs. First OpenSC-0.20.0-rc3:
Here from OpenSC-0.20.0-rc4, where it just hangs:
The strange thing is, even building OpenSC-0.20.0-rc3 on my local machine and trying different commits from OpenSCToken yields the same result. Have there been any updates to the build environment? How does signData get called? Thank you for your help!