On Mon, 2010-08-30 at 16:36 +0300, Martin Paljak wrote: > Hello, > > On Aug 30, 2010, at 2:52 PM, Emanuele Pucciarelli wrote: > >> The handful of drivers with insecure operations I was talking about, I > >> got with the following command: grep -n OPENSSL libopensc/card-*.c > >> > >> But looking closer to each drivers source, I must confess that there are > >> only two of them affected: > >> > >> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-westcos.c#L1244 > >> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-rutoken.c#L1376 > > > > Looking at card-westcos.c:1117, I'd say that the "insecure mode" is > > only used with cards that do not have on-board RSA capabilities, but > > do have a private exportable key. In other words, it should only be a > > fallback. > There used to be built in signaling for such scenarios, together with > SC_ERROR_EXTRACTABLE_KEY return key that was not handled/implemented by the > generic libopensc. That was not used and is removed since r4645 [1] > > Cards that don't support native RSA keys (meaning keys that can not be used > for on-board operations) should be unsupported by default by OpenSC. Support > for native but extractable keys is a whole different story. I doubt there are > any modern smart cards that don't support native RSA these days. At least > there is no reason to fake the support in OpenSC. > > > > On the other hand, it really seems that RSA is only done in software > > with card-rutoken.c. Perhaps that device does not support RSA in > > hardware at all? > > I suggest to remove the offending code and pay closer attention in the future > to avoid such code.
Possibly libksba could replace openssl in the future. It provides the functionality required by opensc (certificate and public key handling) but without the cryptographic operations. I haven't used it in the past, therefore I can't tell you any details. But it may be a target of evaluation. http://www.gnupg.org/related_software/libksba/index.en.html http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/src/ksba.h?revision=322&root=KSBA&view=markup > Will write it to the wiki as well. Apparently we need to clarify the > capabilities of Rutoken (and different versions of it) regarding their RSA > support *and* GOST support. > > [1] http://www.opensc-project.org/opensc/changeset/4645 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
