Hi, Am Montag, den 10.09.2007, 08:52 +0200 schrieb Andreas Jellinghaus: > > This is not true for all cardos based cards and prevents D-Trust > 2048 > > bit cards from creating a signature and the signature key does not > allow > > decryption. When removing this flag, it works fine. > > any idea how we can improve the logic to find out which cards need > this hack > and which don't?
I looked at several card flags and meta data and did not find anything which is specific to D-Trust which would make it possible to at least detect this type of initialization. So right now i think the only way is to configure it somewhere. I personally think that one single setup only needs support for a limited set of cards, so a configuration option might be sufficient for most people. > > Also there is still the issue with the trial and error code in > > card-cardos.c (as RSA_PURE_SIG does not work with these cards). > > isn't that a restriction of the card? if a key is signing only it > wouldn't be > uncommon if it was restricted to payloads much smaller than the key. > > > So right now i have to apply two patches to opensc for support of > new > > D-Trust 2048 bit signature cards. > > the first is undoing change set 3223? what is the second one? The second patch is to disable RSA_PURE_SIG and RSA_SIG in card-cardos.c which does not work with D-Trust 2048. My patch file is attached to this mail. Do not apply it if you need other CardOS cards beside D-Trust 2048. Best regards, Simon > -- Simon Eisenmann [ mailto:[EMAIL PROTECTED] ] [ struktur AG | Kronenstraße 22a | D-70173 Stuttgart ] [ T. +49.711.896656.68 | F.+49.711.89665610 ] [ http://www.struktur.de | mailto:[EMAIL PROTECTED] ]
diff -dur opensc-0.11.4-rc2.orig/src/libopensc/card-cardos.c opensc-0.11.4-rc2/src/libopensc/card-cardos.c
--- opensc-0.11.4-rc2.orig/src/libopensc/card-cardos.c 2007-08-19 21:11:27.000000000 +0200
+++ opensc-0.11.4-rc2/src/libopensc/card-cardos.c 2007-09-04 17:07:03.000000000 +0200
@@ -803,6 +803,7 @@
* succeeds (this is not really beautiful, but currently the
* only way I see) -- Nils
*/
+#if 0
if (ctx->debug >= 3)
sc_debug(ctx, "trying RSA_PURE_SIG (padded DigestInfo)\n");
sc_ctx_suppress_errors_on(ctx);
@@ -812,6 +813,7 @@
SC_FUNC_RETURN(ctx, 4, r);
if (ctx->debug >= 3)
sc_debug(ctx, "trying RSA_SIG (just the DigestInfo)\n");
+#endif
/* remove padding: first try pkcs1 bt01 padding */
r = sc_pkcs1_strip_01_padding(data, datalen, buf, &tmp_len);
if (r != SC_SUCCESS) {
@@ -826,6 +828,7 @@
}
memcpy(buf, p, tmp_len);
}
+#if 0
sc_ctx_suppress_errors_on(ctx);
r = do_compute_signature(card, buf, tmp_len, out, outlen);
sc_ctx_suppress_errors_off(ctx);
@@ -833,6 +836,7 @@
SC_FUNC_RETURN(ctx, 4, r);
if (ctx->debug >= 3)
sc_debug(ctx, "trying to sign raw hash value\n");
+#endif
r = sc_pkcs1_strip_digest_info_prefix(NULL,buf,tmp_len,buf,&buf_len);
if (r != SC_SUCCESS)
SC_FUNC_RETURN(ctx, 4, r);
diff -dur opensc-0.11.4-rc2.orig/src/libopensc/pkcs15-sec.c opensc-0.11.4-rc2/src/libopensc/pkcs15-sec.c
--- opensc-0.11.4-rc2.orig/src/libopensc/pkcs15-sec.c 2007-08-02 20:52:05.000000000 +0200
+++ opensc-0.11.4-rc2/src/libopensc/pkcs15-sec.c 2007-09-04 16:50:16.000000000 +0200
@@ -149,6 +149,7 @@
SC_FUNC_CALLED(ctx, 1);
+#if 0
/* some strange cards/setups need decrypt to sign ... */
if (p15card->flags & SC_PKCS15_CARD_FLAG_SIGN_WITH_DECRYPT) {
size_t tmplen = sizeof(buf);
@@ -172,6 +173,7 @@
out, outlen);
return r;
}
+#endif
/* If the key is extractable, the caller should extract the
* key and do the crypto himself */
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
