Hi, Am Montag, den 10.09.2007, 08:52 +0200 schrieb Andreas Jellinghaus: > > This is not true for all cardos based cards and prevents D-Trust > 2048 > > bit cards from creating a signature and the signature key does not > allow > > decryption. When removing this flag, it works fine. > > any idea how we can improve the logic to find out which cards need > this hack > and which don't?
I looked at several card flags and meta data and did not find anything which is specific to D-Trust which would make it possible to at least detect this type of initialization. So right now i think the only way is to configure it somewhere. I personally think that one single setup only needs support for a limited set of cards, so a configuration option might be sufficient for most people. > > Also there is still the issue with the trial and error code in > > card-cardos.c (as RSA_PURE_SIG does not work with these cards). > > isn't that a restriction of the card? if a key is signing only it > wouldn't be > uncommon if it was restricted to payloads much smaller than the key. > > > So right now i have to apply two patches to opensc for support of > new > > D-Trust 2048 bit signature cards. > > the first is undoing change set 3223? what is the second one? The second patch is to disable RSA_PURE_SIG and RSA_SIG in card-cardos.c which does not work with D-Trust 2048. My patch file is attached to this mail. Do not apply it if you need other CardOS cards beside D-Trust 2048. Best regards, Simon > -- Simon Eisenmann [ mailto:[EMAIL PROTECTED] ] [ struktur AG | Kronenstraße 22a | D-70173 Stuttgart ] [ T. +49.711.896656.68 | F.+49.711.89665610 ] [ http://www.struktur.de | mailto:[EMAIL PROTECTED] ]
diff -dur opensc-0.11.4-rc2.orig/src/libopensc/card-cardos.c opensc-0.11.4-rc2/src/libopensc/card-cardos.c --- opensc-0.11.4-rc2.orig/src/libopensc/card-cardos.c 2007-08-19 21:11:27.000000000 +0200 +++ opensc-0.11.4-rc2/src/libopensc/card-cardos.c 2007-09-04 17:07:03.000000000 +0200 @@ -803,6 +803,7 @@ * succeeds (this is not really beautiful, but currently the * only way I see) -- Nils */ +#if 0 if (ctx->debug >= 3) sc_debug(ctx, "trying RSA_PURE_SIG (padded DigestInfo)\n"); sc_ctx_suppress_errors_on(ctx); @@ -812,6 +813,7 @@ SC_FUNC_RETURN(ctx, 4, r); if (ctx->debug >= 3) sc_debug(ctx, "trying RSA_SIG (just the DigestInfo)\n"); +#endif /* remove padding: first try pkcs1 bt01 padding */ r = sc_pkcs1_strip_01_padding(data, datalen, buf, &tmp_len); if (r != SC_SUCCESS) { @@ -826,6 +828,7 @@ } memcpy(buf, p, tmp_len); } +#if 0 sc_ctx_suppress_errors_on(ctx); r = do_compute_signature(card, buf, tmp_len, out, outlen); sc_ctx_suppress_errors_off(ctx); @@ -833,6 +836,7 @@ SC_FUNC_RETURN(ctx, 4, r); if (ctx->debug >= 3) sc_debug(ctx, "trying to sign raw hash value\n"); +#endif r = sc_pkcs1_strip_digest_info_prefix(NULL,buf,tmp_len,buf,&buf_len); if (r != SC_SUCCESS) SC_FUNC_RETURN(ctx, 4, r); diff -dur opensc-0.11.4-rc2.orig/src/libopensc/pkcs15-sec.c opensc-0.11.4-rc2/src/libopensc/pkcs15-sec.c --- opensc-0.11.4-rc2.orig/src/libopensc/pkcs15-sec.c 2007-08-02 20:52:05.000000000 +0200 +++ opensc-0.11.4-rc2/src/libopensc/pkcs15-sec.c 2007-09-04 16:50:16.000000000 +0200 @@ -149,6 +149,7 @@ SC_FUNC_CALLED(ctx, 1); +#if 0 /* some strange cards/setups need decrypt to sign ... */ if (p15card->flags & SC_PKCS15_CARD_FLAG_SIGN_WITH_DECRYPT) { size_t tmplen = sizeof(buf); @@ -172,6 +173,7 @@ out, outlen); return r; } +#endif /* If the key is extractable, the caller should extract the * key and do the crypto himself */
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel