Hello,

On Aug 30, 2010, at 2:52 PM, Emanuele Pucciarelli wrote:
>> The handful of drivers with insecure operations I was talking about, I
>> got with the following command: grep -n OPENSSL libopensc/card-*.c
>> 
>> But looking closer to each drivers source, I must confess that there are
>> only two of them affected:
>> 
>> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-westcos.c#L1244
>> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-rutoken.c#L1376
> 
> Looking at card-westcos.c:1117, I'd say that the "insecure mode" is
> only used with cards that do not have on-board RSA capabilities, but
> do have a private exportable key. In other words, it should only be a
> fallback.

There used to be built-in signaling for such scenarios, together with
SC_ERROR_EXTRACTABLE_KEY return key that was not handled/implemented by the
generic libopensc. That was not used and is removed since r4645 [1].

Cards that don't support native RSA keys (meaning keys that cannot be used for
on-board operations) should be unsupported by default by OpenSC. Support for
native but extractable keys is a whole different story. I doubt there are any
modern smart cards that don't support native RSA these days. At least there is
no reason to fake the support in OpenSC.


> On the other hand, it really seems that RSA is only done in software
> with card-rutoken.c. Perhaps that device does not support RSA in
> hardware at all?

I suggest removing the offending code and paying closer attention in the future
to avoid such code. Will write it to the wiki as well. Apparently we need to
clarify the capabilities of Rutoken (and different versions of it) regarding
their RSA support *and* GOST support.

[1] http://www.opensc-project.org/opensc/changeset/4645
-- 
Martin Paljak
@martinpaljak.net
+3725156495
