Re: [opensc-devel] Initial ECDSA modifications to OpenSC for use with PIV cards in OpenSC #295

2010-11-29 Thread Douglas E. Engert


On 11/29/2010 4:36 AM, Aleksey Samsonov wrote:
> Hello Douglas,
>
> 2010/11/23 Douglas E. Engert:
>> I would especially like the GOSTR maintainers to look at this closely, as 
>> many
>> of the flag tests and if statements were modified to support EC and 
>> hopefully
>> make it easier to add algorithms in the future.
>
> There is a compile error at libopensc/pkcs15-piv.c (see "struct
> pubdata_st" and "static const pubdata pubkeys[PIV_NUM_CERTS_AND_KEYS]
> =")
>
> After fixing it, I get a failure in my tests with GOSTR (PKCS#11 C_Sign).
> Unfortunately, I don't have logs now.

One thing to look at:

In pkcs15-sec.c in sc_pkcs15_compute_signature in the old code there
is no mention of GOSTR3410, so I assumed it was RSA only. The old code
had:


-   alg_info = sc_card_find_rsa_alg(p15card->card, prkey->modulus_length);
-   if (alg_info == NULL) {
-   sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Card does not support RSA with key 
length %d\n", prkey->modulus_length);
-   return SC_ERROR_NOT_SUPPORTED;
-senv.algorithm = SC_ALGORITHM_RSA;
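Review bot: the removed lookup chooses the algorithm from what the card advertises rather than from the key object's type: sc_card_find_rsa_alg(p15card->card, prkey->modulus_length) succeeds whenever the card lists an RSA algorithm of that length, and senv.algorithm is then set to SC_ALGORITHM_RSA unconditionally, so a GOSTR3410 key whose length coincides with a supported RSA length would be handed to the card as an RSA signature. Any replacement should dispatch on the key object's type first and only then consult the card's algorithm list. The excerpt also omits the closing brace of the `if (alg_info == NULL)` block, so anyone comparing it against the tree should read the full function rather than this fragment.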

If your card could support both RSA and GOSTR3410 (and card-rtecp.c
supports both with keylength = 256) it might have passed the old test,
and ignored the fact that senv.algorithm = SC_ALGORITHM_RSA.

The new code does a switch(obj->type) and I only added RSA and EC.
So adding something like:

+   case SC_PKCS15_TYPE_PRKEY_GOSTR3410:
+   modlen = prkey->modulus_length / 8;
+   alg_info = sc_card_find_gostr3410_alg(p15card->card, 
prkey->modulus_length);
(A sc_card_find_gostr3410_alg routine is needed for this to work.)
+
+   if (alg_info == NULL) {
+   sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Card does not support 
GOSTR3410 key length %d\n", prkey->modulus_length);
+   return SC_ERROR_NOT_SUPPORTED;
+   }
+   senv.flags |= SC_SEC_ENV_ALG_PRESENT;
+   senv.algorithm = SC_ALGORITHM_RGOST3410;
+   break;
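Review bot: the last line assigns SC_ALGORITHM_RGOST3410, which does not match the spelling used by the case label (SC_PKCS15_TYPE_PRKEY_GOSTR3410) and by the lookup (sc_card_find_gostr3410_alg) in the same hunk; it looks like a transposition of SC_ALGORITHM_GOSTR3410 and should be corrected before anyone tries to build it. Two further items before this can go in: the interleaved comment acknowledges that sc_card_find_gostr3410_alg does not exist yet, so it needs to be added alongside sc_card_find_rsa_alg with the same (card, key length in bits) arguments, consistent with the keylength = 256 that card-rtecp.c is said to register; and `modlen = prkey->modulus_length / 8` is computed but nothing in the hunk uses it, so check what the code after the switch compares modlen against, since that comparison was written with an RSA signature size in mind.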

>
> I need a few days for a detailed review.
> Thanks!
>
>

-- 

  Douglas E. Engert  
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] Debian bug 602546 libopensc2 package contains unversioned .so files

2010-11-29 Thread Jean-Michel Pouré - GOOZE
Le lundi 29 novembre 2010 à 19:09 +0200, Martin Paljak a écrit :
> It is 99% a packaging issue that depends on Debian packaging policy.

As stated in the discussion on Debian mailing list, the PKCS#11 is
backwards compatible. OpenSC 0.12 is not a new version but an
enhancement. Plus a lot of cards became end-of-life.

So this discussion about .so.X is beyond my understanding.

What does Ludovic think of this shared library issue?

>  If somebody would create sample debian files for upstream to test and
> base work on, it would be really nice. So far no one has done it (but I
> heard Jean-Michel talk about plans for becoming a Debian developer).

Still on my radar. I had a discussion at JM2L this week-end with Debian
developers and they recommend that we create a Debian repository with
daily compiled packages. There are tools to cross compile for most
platforms. According to them, it would not be too hard.

According to them, a Debian repository is a more flexible solution.

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: [opensc-devel] pkcs11-tool

2010-11-29 Thread Andre Zepezauer
On Mon, 2010-11-29 at 08:50 -0600, Douglas E. Engert wrote:
> 
> On 11/25/2010 10:23 AM, Andre Zepezauer wrote:
> > Hello,
> >
> > I would like to commit the attached patch. It modifies the method of
> > public key retrieval in pkcs11-tool.
> >
> > Currently the non-standard attribute CKA_VALUE is used. With the patch
> > applied, only attributes defined by PKCS#11 are used for public key
> > retrieval. Tested with OpenSSL 0.9.8.
> 
> Yes, some pub key objects don't have CKA_VALUE: RSA and EC. I am not
> sure about GOST. I can add the code for EC.
> Looks good to me.

This is an incomplete list of keys with a CKA_VALUE attribute. In most
cases the value of the CKA_VALUE attribute isn't suitable as input for
d2i_PublicKey().

EC Private
DH Public/Private
DSA Public/Private
GOST Public/Private


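The patch discussed above replaces CKA_VALUE with the attributes PKCS#11 actually defines. The following is an added example (my own code, not Andre's patch and not part of pkcs11-tool) showing what such retrieval has to assemble for RSA and EC public keys: the RSAPublicKey structure that d2i_PublicKey() takes for RSA, and the DER SubjectPublicKeyInfo that d2i_PUBKEY() takes for either key type, built only from CKA_MODULUS/CKA_PUBLIC_EXPONENT or CKA_EC_PARAMS/CKA_EC_POINT. Every attribute byte string is a constructed placeholder (the EC coordinates are not a real curve point), and the helper names are mine.

```python
"""Rebuild a public key from standard PKCS#11 attributes only.

Added example, not code from the pkcs11-tool patch under discussion.
CKA_MODULUS / CKA_PUBLIC_EXPONENT (RSA) and CKA_EC_PARAMS / CKA_EC_POINT (EC)
suffice to emit a DER SubjectPublicKeyInfo, the input d2i_PUBKEY() expects,
so CKA_VALUE is never needed for public keys. All attribute values below are
constructed samples, not values read from a token.
"""


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(unsigned_be: bytes) -> bytes:
    """PKCS#11 big integers are unsigned big-endian; DER INTEGER is two's
    complement, so strip leading zeros and re-add one if the top bit is set."""
    v = unsigned_be.lstrip(b"\x00") or b"\x00"
    if v[0] & 0x80:
        v = b"\x00" + v
    return der_tlv(0x02, v)


def der_bit_string(data: bytes) -> bytes:
    return der_tlv(0x03, b"\x00" + data)  # leading 0x00: no unused bits


OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1
DER_NULL = b"\x05\x00"


def rsa_public_key(cka_modulus: bytes, cka_public_exponent: bytes) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    (the form d2i_PublicKey() accepts for RSA)."""
    return der_tlv(0x30, der_integer(cka_modulus) + der_integer(cka_public_exponent))


def rsa_spki(cka_modulus: bytes, cka_public_exponent: bytes) -> bytes:
    """SubjectPublicKeyInfo for an RSA key from CKA_MODULUS and CKA_PUBLIC_EXPONENT."""
    algorithm = der_tlv(0x30, OID_RSA_ENCRYPTION + DER_NULL)
    return der_tlv(0x30, algorithm + der_bit_string(rsa_public_key(cka_modulus, cka_public_exponent)))


def unwrap_ec_point(cka_ec_point: bytes) -> bytes:
    """CKA_EC_POINT is the DER encoding of the X9.62 ECPoint, i.e. an OCTET
    STRING wrapping the point bytes; the wrapper must come off before the point
    goes into the BIT STRING. An unwrapped uncompressed point also starts with
    0x04, so the length field is checked to detect a token that returned the
    bare point instead of the DER form."""
    if len(cka_ec_point) < 2 or cka_ec_point[0] != 0x04:
        raise ValueError("CKA_EC_POINT is not a DER OCTET STRING")
    first = cka_ec_point[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(cka_ec_point[2:2 + nbytes], "big")
        offset = 2 + nbytes
    if offset + length != len(cka_ec_point):
        raise ValueError("CKA_EC_POINT length does not match its OCTET STRING header")
    return cka_ec_point[offset:]


def ec_spki(cka_ec_params: bytes, cka_ec_point: bytes) -> bytes:
    """SubjectPublicKeyInfo for an EC key. CKA_EC_PARAMS is already DER
    ECParameters (normally a namedCurve OID) and is copied verbatim."""
    algorithm = der_tlv(0x30, OID_EC_PUBLIC_KEY + cka_ec_params)
    return der_tlv(0x30, algorithm + der_bit_string(unwrap_ec_point(cka_ec_point)))


# Constructed sample attribute values (not read from any token).
SAMPLE_CKA_MODULUS = b"\x00\xc3\x7f"          # tiny modulus with a leading zero, as some tokens return it
SAMPLE_CKA_PUBLIC_EXPONENT = b"\x01\x00\x01"  # 65537
SAMPLE_CKA_EC_PARAMS = bytes.fromhex("06082a8648ce3d030107")  # namedCurve secp256r1
SAMPLE_EC_POINT = b"\x04" + b"\x11" * 32 + b"\x22" * 32       # uncompressed form; placeholder coordinates
SAMPLE_CKA_EC_POINT = der_tlv(0x04, SAMPLE_EC_POINT)           # wrapped in an OCTET STRING as PKCS#11 specifies

if __name__ == "__main__":
    print("RSAPublicKey:", rsa_public_key(SAMPLE_CKA_MODULUS, SAMPLE_CKA_PUBLIC_EXPONENT).hex())
    print("RSA SPKI:    ", rsa_spki(SAMPLE_CKA_MODULUS, SAMPLE_CKA_PUBLIC_EXPONENT).hex())
    print("EC SPKI:     ", ec_spki(SAMPLE_CKA_EC_PARAMS, SAMPLE_CKA_EC_POINT).hex())
```

The two places where hand-rolled retrieval usually goes wrong are both handled: the sign-bit rule for DER INTEGER (a modulus with its top bit set needs a leading zero byte, and a leading zero the token supplied must not be doubled), and the OCTET STRING wrapper around CKA_EC_POINT, which must be removed before the point is placed in the BIT STRING. The length-consistency check in unwrap_ec_point rejects a token that returns the bare point instead of the DER form, rather than silently producing a key OpenSSL will not parse.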


Re: [opensc-devel] Debian bug 602546 libopensc2 package contains unversioned .so files

2010-11-29 Thread Martin Paljak
Hello,

On Nov 29, 2010, at 5:55 PM, Douglas E. Engert wrote:
> There is a serious bug on the Debian bug tracking system:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602546
I don't see this as a serious problem for the OpenSC codebase, but a serious 
problem from the Debian packaging maintainer/policy POV.
How packaging creates symlinks and splits files into packages is entirely up to 
the packager.

For "libopensc3" or 0.12, packaging *will* create some trouble if the distro 
maintainer wants to keep supporting all the different ways OpenSC can be 
compiled, see #216 [1] for an explanation.


> Is anyone from OpenSC following this?
For some reason it has not popped up in my RSS reader.

> It might be that
> if we made some changes this would not be an issue.
It is 99% a packaging issue that depends on Debian packaging policy. If 
somebody would create sample debian files for upstream to test and base work 
on, it would be really nice. So far no one has done it (but I heard Jean-Michel 
talk about plans for becoming a Debian developer).

[1]
-- 
@MartinPaljak.net
+3725156495



[opensc-devel] Debian bug 602546 libopensc2 package contains unversioned .so files

2010-11-29 Thread Douglas E. Engert
There is a serious bug on the Debian bug tracking system:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602546

Is anyone from OpenSC following this? It might be that
if we made some changes this would not be an issue.

In any case, someone should respond to the concerns.
Andreas?




Re: [opensc-devel] Initial ECDSA modifications to OpenSC for use with PIV cards in OpenSC #295

2010-11-29 Thread Douglas E. Engert


On 11/29/2010 4:36 AM, Aleksey Samsonov wrote:
> Hello Douglas,
>
> 2010/11/23 Douglas E. Engert:
>> I would especially like the GOSTR maintainers to look at this closely, as 
>> many
>> of the flag tests and if statements were modified to support EC and 
>> hopefully
>> make it easier to add algorithms in the future.
>
> There is a compile error at libopensc/pkcs15-piv.c (see "struct
> pubdata_st" and "static const pubdata pubkeys[PIV_NUM_CERTS_AND_KEYS]
> =")

OK, I have fixed that problem.

>
> After fixing it, I get a failure in my tests with GOSTR (PKCS#11 C_Sign).
> Unfortunately, I don't have logs now.

I tested RSA and EC but was worried that I might have made some
changes that could cause problems for GOST.

>
> I need a few days for a detailed review.
> Thanks!
>
>



Re: [opensc-devel] pkcs11-tool

2010-11-29 Thread Douglas E. Engert


On 11/25/2010 10:23 AM, Andre Zepezauer wrote:
> Hello,
>
> I would like to commit the attached patch. It modifies the method of
> public key retrieval in pkcs11-tool.
>
> Currently the non-standard attribute CKA_VALUE is used. With the patch
> applied, only attributes defined by PKCS#11 are used for public key
> retrieval. Tested with OpenSSL 0.9.8.

Yes, some pub key objects don't have CKA_VALUE: RSA and EC. I am not
sure about GOST. I can add the code for EC.
Looks good to me.

>
> Regards
> Andre
>
>
>



Re: [opensc-devel] Initial ECDSA modifications to OpenSC for use with PIV cards in OpenSC #295

2010-11-29 Thread Aleksey Samsonov
Hello Douglas,

2010/11/23 Douglas E. Engert :
> I would especially like the GOSTR maintainers to look at this closely, as many
> of the flag tests and if statements were modified to support EC and hopefully
> make it easier to add algorithms in the future.

There is a compile error at libopensc/pkcs15-piv.c (see "struct
pubdata_st" and "static const pubdata pubkeys[PIV_NUM_CERTS_AND_KEYS]
=")

After fixing it, I get a failure in my tests with GOSTR (PKCS#11 C_Sign).
Unfortunately, I don't have logs now.

I need a few days for a detailed review.
Thanks!


Re: [opensc-devel] [PATCH] [libp11] pkcs11_init_slot: Do not fail if a slot can't be initialized

2010-11-29 Thread Camille Moncelier
On Thu, 18 Nov 2010 11:34:30 +0100
Ludovic Rousseau  wrote:

> New patch proposed attached.
> 
> Since I am not the maintainer of libp11 I do not want to commit a
> patch with possible bad side effects.
The new patch looks fine to me. I didn't have the time to test it yet
(I'm quite busy right now), but it seems harmless.

