[OCF] Concatenating key and data using PKCS11

2004-06-17 Thread Fotios Basagiannis
Hi there,

this is my first post to the list.

What I am trying to accomplish with my Cryptoki app (using the Eracom
implementation: eracom-tech.com) is to prepend 8 bytes of data to my
sensitive DES2 key (stored in an HSM based token) and wrap (encrypt) the
whole thing using a different key (also in the HSM token).

My first question is: is it possible to do this securely? Meaning, without
the sensitive key's sensitive attributes ever appearing on insecure HSM host
memory (the HSM is in the form of a PCI card).

I just started using PKCS11 and it seems to me (after consulting
programmer's manuals and the standard's spec itself) that the above should
indeed be possible. Bearing in mind that my CK implementation only supports
simple derivation mechanisms on generic secret keys, here is the strategy I
have decided to use:

* Using the CKM_EXTRACT_KEY_FROM_KEY mechanism, extract a CKK_GENERIC_SECRET
key out of my DES2 key.

* Using the CKM_CONCATENATE_DATA_AND_BASE mechanism, prepend my 8 byte data
buffer to the extracted generic key's payload (16 bytes)

* Wrap that, or if wrapping is not supported, go through the following extra
steps:

* Extract an extractable DES3 key (24 bytes) out of the generic key I
just constructed

* Wrap the DES3 key

However, my CKM_EXTRACT_KEY_FROM_KEY fails, giving me a 'key handle invalid'
error.

Can anyone direct me to or post a working code sample that does such a key
derivation? Any code samples relating to concatenation of keys or keys and
data would also be very helpful.

Here is my non-working code (this is not even working when I try to extract
a DES2 or DES key out of the existing DES2 key):

 CK_OBJECT_CLASS kc = CKO_SECRET_KEY; 
 
 CK_KEY_TYPE kt0 = CKK_GENERIC_SECRET;
 CK_KEY_TYPE kt1 = CKK_DES2;
 CK_KEY_TYPE kt2 = CKK_DES3;

 // Derive a generic key of the same length out of a DES2 key
 
 // template for key resulting from derivation operation
 len = 16L;
 CK_BYTE label[7];
 memcpy(label, "generic", 7); 
 CK_ATTRIBUTE derivationTmpl[] = {
 {CKA_CLASS, &kc, sizeof(kc)},
 {CKA_KEY_TYPE, &kt0, sizeof(kt0)},
  //{CKA_LABEL, label, sizeof(label)},
  //{CKA_DERIVE, &True, sizeof(True)},
  //{CKA_WRAP, (void*)&False, sizeof(False)},
  //{CKA_EXTRACTABLE, (void*)&True, sizeof(True)},
  {CKA_SENSITIVE, &True, sizeof(True)},
  //{CKA_ALWAYS_SENSITIVE, &False, sizeof(False)},
  //{CKA_NEVER_EXTRACTABLE, (void*)&False, sizeof(False)},
  //{CKA_PRIVATE, &False, sizeof(False)},
  //{CKA_LOCAL, (void*)&False, sizeof(False)}
  //{CKA_MODIFIABLE, (void*)&True, sizeof(True)}, 
  //{CKA_UNWRAP, (void*)&False, sizeof(False)},
  //{CKA_ENCRYPT, (void*)&False, sizeof(False)},
  //{CKA_DECRYPT, (void*)&False, sizeof(False)},
  //{CKA_SIGN, (void*)&False, sizeof(False)},
  //{CKA_VERIFY, (void*)&False, sizeof(False)},
  //{CKA_TRUSTED, (void*)&True, sizeof(True)}
  //{CKA_TOKEN, &True, sizeof(True)}
  {CKA_VALUE_LEN, &len, sizeof(len)}
  //{CKA_VALUE, g1Val, 16}
 }; 
 
 CK_EXTRACT_PARAMS param = 0L;
 
 // Mechanism for generic key derivation
 CK_MECHANISM derivationMech = {
 CKM_EXTRACT_KEY_FROM_KEY,
 &param, //pointer to var that holds the bit index to start extraction from
 sizeof(CK_EXTRACT_PARAMS)  
 };  
 
 rv = C_DeriveKey(hsSession, &derivationMech, hKey, 
  (CK_ATTRIBUTE*)&derivationTmpl, 
  NUMITEMS(derivationTmpl), &hGKey);
 CHECK_RV(FN "C_DeriveKey", rv); //proprietary
 if (rv){
 fprintf(stderr, "Error during generic key derivation\n");
 return 1;  
 } 
 

Many thanks for any help,
Fotios


---
> Visit the OpenCard web site at http://www.opencard.org/ for more
> information on OpenCard---binaries, source code, documents.
> This list is being archived at http://www.opencard.org/archive/opencard/

! To unsubscribe from the [EMAIL PROTECTED] mailing list send an email
! to
!   [EMAIL PROTECTED]
! containing the word
!   unsubscribe
! in the body.
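
The byte-level effect of the derivation steps in the post above, as an added example that is not part of the original message: a host-side C model of CKM_EXTRACT_KEY_FROM_KEY's wrap-around bit extraction and CKM_CONCATENATE_DATA_AND_BASE's data-then-key layout as the PKCS #11 specification describes them. The function names and sample values are constructed for illustration and the code does not call Cryptoki; it shows that typing the 24-byte result as DES3 applies odd parity to the prepended data bytes as well, assuming the token sets parity on derived DES-family keys as the specification states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Software model only; on a real token these values never leave the HSM. */

/* CKM_EXTRACT_KEY_FROM_KEY: out_len bytes starting at bit start_bit of the
   base value, wrapping past the end. Returns 0 on success, -1 on bad input. */
int model_extract(const uint8_t *base, size_t base_len, size_t start_bit,
                  uint8_t *out, size_t out_len) {
    size_t total = base_len * 8;
    if (total == 0 || start_bit >= total || out_len > base_len) return -1;
    memset(out, 0, out_len);
    for (size_t i = 0; i < out_len * 8; i++) {
        size_t src = (start_bit + i) % total;          /* wrap-around */
        uint8_t bit = (base[src / 8] >> (7 - src % 8)) & 1;
        out[i / 8] |= (uint8_t)(bit << (7 - i % 8));
    }
    return 0;
}

/* Odd parity per byte (low bit is the parity bit), as applied when a derived
   key is typed CKK_DES, CKK_DES2 or CKK_DES3. */
void model_set_des_parity(uint8_t *key, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned ones = 0;
        for (int k = 1; k < 8; k++) ones += (key[i] >> k) & 1u;
        key[i] = (uint8_t)((key[i] & 0xFE) | ((ones & 1u) ? 0 : 1));
    }
}

/* The post's steps on constructed values: extract a 16-byte generic value
   from the DES2 value, prepend 8 data bytes (CKM_CONCATENATE_DATA_AND_BASE),
   then type the 24 bytes as DES3. Returns how many data bytes parity changed. */
int model_strategy(uint8_t out24[24]) {
    static const uint8_t des2[16] = {   /* constructed, already odd parity */
        0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
        0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 };
    static const uint8_t data[8] = {    /* constructed prefix data */
        0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77 };
    uint8_t generic[16];
    int altered = 0;
    if (model_extract(des2, sizeof des2, 0, generic, sizeof generic) != 0) return -1;
    memcpy(out24, data, sizeof data);                     /* data first */
    memcpy(out24 + sizeof data, generic, sizeof generic); /* then key value */
    model_set_des_parity(out24, 24);
    for (size_t i = 0; i < sizeof data; i++) altered += (out24[i] != data[i]);
    return altered;
}
```

With the constructed prefix, every one of the 8 data bytes has its low bit rewritten, while the key bytes, already odd parity, pass through unchanged.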



[OCF] looking for hardware dealers or integrators

2004-06-17 Thread Sam Goldsmith
Qty 12,000  NEW GEMPLUS GCR-500 smart card terminals for sale.
 
$price negotiable for a take all situation
 
 
please email with your inquiries.  If you aren't interested maybe you know someone that is
 
 
do me a favor, please forward my email to that person that might be able to help.
 
GEMPLUS SOLD over 1,000,000 of these units in the late 1990's and early 2000 there has 
to be people out there who need these units for replacements in their loyalty programs 
etc...
 
someone help a guy out??
 
I don't know anything about this business or where I can find some buyers
 
regards
 
 
Sam G
www.usedprinters.com
 

Re: [OCF] Problem loading the right terminal class

2004-06-17 Thread Carl Youngblood
Steven Ihde wrote:

> strace java [...whatever...] 2>&1 | grep -E 'stat|open'

This technique worked well.  I got a little farther.  I got it to find 
pcsc-wrapper-src.jar and also found out which opencard.properties file 
was being used. Now I'm getting an error related to the OCF-PCSC 
bridge.  Here's what I get:

Exception in thread "main" java.lang.UnsatisfiedLinkError: no OCFPCSC1 in java.library.path
   at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1491)
   at java.lang.Runtime.loadLibrary0(Runtime.java:788)
   at java.lang.System.loadLibrary(System.java:834)
   at opencard.core.util.SystemAccess.loadLibrary(SystemAccess.java:111)
   at com.ibm.opencard.terminal.pcsc10.OCFPCSC1.loadLib(OCFPCSC1.java:64)
   at com.ibm.opencard.terminal.pcsc10.Pcsc10CardTerminalFactory.open(Pcsc10CardTerminalFactory.java:94)
   at com.ibm.opencard.terminal.pcsc10.Pcsc10CardTerminalFactory.<init>(Pcsc10CardTerminalFactory.java:65)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
   at java.lang.Class.newInstance0(Class.java:308)
   at java.lang.Class.newInstance(Class.java:261)
   at opencard.core.service.SmartCard.handleTerminalFactoryEntries(SmartCard.java:424)
   at opencard.core.service.SmartCard.configureTerminalRegistry(SmartCard.java:261)
   at opencard.core.service.SmartCard.start(SmartCard.java:534)
   at com.gemplus.tools.gemxpresso.pilot.ServicePilot.open(Unknown Source)
   at com.gemplus.tools.gemxpresso.pilot.ServicePilot.<init>(Unknown Source)
   at com.gemplus.tools.gemxpresso.pilot.TraceCmdTargetJPanel.initServicePilot(Unknown Source)
   at com.gemplus.tools.gemxpresso.pilot.TraceCmdTargetJPanel.<init>(Unknown Source)
   at com.gemplus.tools.gemxpresso.pilot.JCardManagerJFrame.<init>(Unknown Source)
   at com.gemplus.tools.gemxpresso.pilot.JCardManagerJFrame.main(Unknown Source)

After seeing this error, I tried building the OCFPCSC1 project from 
http://www.linuxnet.com/middleware/files/OCFPCSC1-0.0.1.tar.gz and 
copying the .so file into the place it was being looked for 
(JAVA_HOME/jre/lib/i386).  After doing that it had a different error:

Exception in thread "main" java.lang.UnsatisfiedLinkError: /usr/java/j2sdk1.4.2_04/jre/lib/i386/libOCFPCSC1.so: /usr/java/j2sdk1.4.2_04/jre/lib/i386/libOCFPCSC1.so: undefined symbol: __gxx_personality_v0
   at java.lang.ClassLoader$NativeLibrary.load(Native Method)
   at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1560)
   [...]

It seems like it's expecting a different version of the library or 
something.  Any suggestions?

Thanks,
Carl Youngblood



Re: [OCF] Problem loading the right terminal class

2004-06-17 Thread Carl Youngblood
Christophe Muller wrote:
> Also, I would advise to test the environment step by step in
> order to see whether or not using the RAD or using OCF is the
> problem. To check the OCF installation, see my FAQ at:

The links for the various gemplus jar files listed on this page are 
broken.  Do you know where I can find them?

Thanks,
Carl



Re: [OCF] Problem loading the right terminal class

2004-06-17 Thread Carl Youngblood
Sorry to duplicate this message.  My mistake.

On Thu, 17 Jun 2004 18:19:53 -0700, Carl Youngblood
<[EMAIL PROTECTED]> wrote:
> 
> Steven Ihde wrote:





RE: [OCF] Problem loading the right terminal class

2004-06-17 Thread Arief Hamdani Gunawan
Hi Carl,

For your problem, I guess you run java in a different class
folder/directory; the primary solution is that you should run java (followed
by your class file) in the same folder/directory.

If it works, another suggestion is to check your configuration and the
library file that you use in your system.

Please let me know your progress,

Thank you,

Arief Hamdani Gunawan

