Hello,
Martin Paljak wrote:
> On Aug 30, 2010, at 2:52 PM, Emanuele Pucciarelli wrote:
>>> The handful of drivers with insecure operations I was talking about, I
>>> got with the following command: grep -n OPENSSL libopensc/card-*.c
>>>
>>> But looking closer to each drivers source, I must confess that there are
>>> only two of them affected:
>>>
>>> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-westcos.c#L1244
>>> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-rutoken.c#L1376
>> Looking at card-westcos.c:1117, I'd say that the "insecure mode" is
>> only used with cards that do not have on-board RSA capabilities, but
>> do have a private exportable key. In other words, it should only be a
>> fallback.
> There used to be built in signaling for such scenarios, together with
> SC_ERROR_EXTRACTABLE_KEY return key that was not handled/implemented by the
> generic libopensc. That was not used and is removed since r4645 [1]
>
> Cards that don't support native RSA keys (meaning keys that can not be used
> for on-board operations) should be unsupported by default by OpenSC. Support
> for native but extractable keys is a whole different story. I doubt there are
> any modern smart cards that don't support native RSA these days. At least
> there is no reason to fake the support in OpenSC.
"Rutoken S" is a very old devices (see [1]). They don't support on-board
RSA, They have only on-board GOST 28147-89 cryptographic functions (GOST
28147-89 is a symmetric-key algorithm).
>> On the other hand, it really seems that RSA is only done in software
>> with card-rutoken.c. Perhaps that device does not support RSA in
>> hardware at all?
>
> I suggest to remove the offending code and pay closer attention in the future
> to avoid such code. Will write it to the wiki as well. Apparently we need to
> clarify the capabilities of Rutoken (and different versions of it) regarding
> their RSA support *and* GOST support.
"Rutoken S" [1] doesn't support on-board RSA (as opposed to "Rutoken
ECP"). "Rutoken ECP" [2] have on-board RSA (with RSA keys up to 2048
bits), GOST R 34.10-2001 (public-key cryptography), GOST 34.11-94 (hash)
and GOST 28147-89 (symmetric-key algorithm).
The file card-rutoken.c provides support "Rutoken S". And this code
worked on "old scheme OpenSC". Already now ("new scheme") all old
functionality aren't working at "Rutoken S". Example: software key
generation was removed [3].
Thanks
[1] http://www.opensc-project.org/opensc/wiki/AktivRutokenS
[2] http://www.opensc-project.org/opensc/wiki/AktivRutokenECP
[3] http://www.opensc-project.org/opensc/changeset/4646
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
