[opensc-devel] Some results with the Muscle cardlet
Hello,

I was trying OpenSC version 0.12.0-svn with the Muscle cardlet, in order to verify its compatibility with TLS and client authentication on a web site. Finally I've been able to make an authentication, but it's a little bit "tricky". I found this method completely by chance; the only way to make it work for me was:

1) After loading the cardlet in the card: initialize the card with OpenSC *0.11.4* (create structure, initialize PIN code, create keys, certificate request...)

2) Then get the OpenSC version 0.12.0-svn (or 0.11.13) in order to obtain the PKCS#11 driver "opensc-pkcs11.so" and put it in the Firefox (or Iceweasel) browser concerned.

Then I can go on the website and the authentication works fine. But if I initialize the card with OpenSC 0.11.13 or 0.12.0-svn, I get the following errors (see Log1.txt).

I've compiled the last Muscle cardlet from Debian svn, with ant using the Javacard kit 2.2.2 (with as many options as possible, like: -DWITH_EXT_APDU, -DWITH_RSA_2048, -DWITH_JC22, -DWITH_3DES, -DWITH_PIN_POLICY), and I've used an Oberthur Cosmo V7 for these tests; by the way, the TLS authentication works too with 2048-bit RSA keys. (I should point out that I used OpenSC 0.12.0 from *svn of June*, not the latest.)

(PS: Except for the 0.11.13 and 0.12.0-svn versions, I had only the 0.11.4 version on my PCs, but it probably works with other ones.)

regards,
Gilles

// OpenSC 0.11.13
r...@ubuntu:/home/vm/Desktop# pkcs15-init -G RSA -a 1 -v -u sign,decrypt --split-key
Using reader with a card: Gemplus GemPC Twin 00 00
Connecting to card in reader Gemplus GemPC Twin 00 00...
Using card driver Muscle Card Driver.
Found MUSCLE
About to generate key.
User PIN required.
Please enter User PIN:
[pkcs15-init] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=03
[pkcs15-init] muscle.c:558:msc_generate_keypair: returning with: Card command failed
[pkcs15-init] card.c:678:sc_card_ctl: returning with: Card command failed
[pkcs15-init] pkcs15-muscle.c:272:muscle_generate_key: Unable to generate key
[pkcs15-init] pkcs15-muscle.c:273:muscle_generate_key: returning with: Card command failed
Failed to generate key: Card command failed

// OpenSC 0.12.0-svn
debian:/home/admin1/Desktop# pkcs15-init -G RSA -a 1 -v -u sign,decrypt
Using reader with a card: Gemplus GemPC Twin 00 00
Connecting to card in reader Gemplus GemPC Twin 00 00...
Using card driver MuscleApplet.
Found MUSCLE
About to generate key.
User PIN [User PIN] required.
Please enter User PIN [User PIN]:
Failed to generate key: Not allowed

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
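The two logs above end in a status word OpenSC 0.11.13 does not recognise (SW1=9C, SW2=03) and, on 0.12.0-svn, in "Not allowed". As an added example, not part of Gilles's report and not OpenSC code, here is a small C triage helper that lifts the status word out of an iso7816_check_sw log line and classifies it by ISO 7816-4 range, so that a PIN retry counter, a "security status not satisfied" and a vendor-private 9Cxx code are told apart before the driver source is opened. The ISO 7816-4 classes are standard; of the 0x9Cxx range only 0x9C03 is taken from this thread, labelled "operation not allowed" because that is how the 0.12 driver reports it. Function and type names, and the sample log lines in main(), are this example's own.

```c
/* Added example, not OpenSC code: lift the status word out of an
 * iso7816_check_sw log line and triage it by ISO 7816-4 range. The ISO
 * classes are standard; 0x9Cxx is the MuscleCard applet's private range and
 * only 0x9C03 is taken from this thread (the 0.12 driver reports it as
 * "Not allowed"). Function and type names are this example's own. */
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned sw;          /* SW1 << 8 | SW2 */
    const char *cls;      /* ok, warning, error, vendor, unknown */
    const char *meaning;
    int pin_tries;        /* remaining tries from 63Cx, else -1 */
} sw_info;

/* Pull "SW1=xx, SW2=yy" out of an OpenSC debug line. Returns 0 on success. */
int sw_from_log_line(const char *line, unsigned *sw)
{
    const char *p = strstr(line, "SW1=");
    unsigned sw1, sw2;

    if (!p || sscanf(p, "SW1=%2x, SW2=%2x", &sw1, &sw2) != 2)
        return -1;
    *sw = (sw1 << 8) | sw2;
    return 0;
}

/* Same, as a single value: the status word, or -1 when the line has none. */
long sw_log_value(const char *line)
{
    unsigned sw;
    return sw_from_log_line(line, &sw) == 0 ? (long)sw : -1L;
}

sw_info sw_classify(unsigned sw)
{
    sw_info r = { sw, "unknown", "not an ISO 7816-4 status word", -1 };
    unsigned sw1 = sw >> 8, sw2 = sw & 0xff;

    if (sw == 0x9000) {
        r.cls = "ok";      r.meaning = "success";
    } else if (sw1 == 0x61) {
        r.cls = "ok";      r.meaning = "response bytes pending, issue GET RESPONSE";
    } else if (sw1 == 0x6C) {
        r.cls = "warning"; r.meaning = "wrong Le, re-issue with Le = SW2";
    } else if (sw1 == 0x63 && (sw2 & 0xF0) == 0xC0) {
        r.cls = "warning"; r.meaning = "verification failed, tries left in low nibble";
        r.pin_tries = sw2 & 0x0F;
    } else if (sw == 0x6982) {
        r.cls = "error";   r.meaning = "security status not satisfied (PIN not verified)";
    } else if (sw == 0x6983) {
        r.cls = "error";   r.meaning = "authentication method blocked";
    } else if (sw1 == 0x69) {
        r.cls = "error";   r.meaning = "command not allowed";
    } else if (sw1 == 0x6A) {
        r.cls = "error";   r.meaning = "wrong parameters (P1/P2 or data field)";
    } else if (sw == 0x6D00) {
        r.cls = "error";   r.meaning = "instruction not supported";
    } else if (sw == 0x6E00) {
        r.cls = "error";   r.meaning = "class not supported";
    } else if (sw1 == 0x9C) {
        r.cls = "vendor";
        r.meaning = sw2 == 0x03 ? "MuscleCard applet: operation not allowed"
                                : "MuscleCard applet private status, see the applet source";
    }
    return r;
}

int main(void)
{
    /* Constructed sample lines in the format of the log above. */
    const char *lines[] = {
        "[pkcs15-init] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=03",
        "[pkcs15-init] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=69, SW2=82",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long sw = sw_log_value(lines[i]);
        if (sw >= 0) {
            sw_info info = sw_classify((unsigned)sw);
            printf("%04lX %-8s %s\n", sw, info.cls, info.meaning);
        }
    }
    return 0;
}
```

Run over a saved `pkcs15-init -v` log, the "vendor" class is the cue that the answer is in the applet's own status table rather than in ISO 7816-4, which is exactly the situation the 0.11.13 driver reports as "Unknown SWs".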
Re: [opensc-devel] PKCS#15 ObjectValue
Andre,

Now that I have had a few days to look over your approach, it has some merit. The main issues are:

No one appears to have a card that supports EC and PKCS#15. This complicates testing.

The latest official RSA PKCS#15 documents that deal with EC appear to be from 2000, and are very vague about EC and its parameters. (Do you have anything more recent?) The PKCS#11 documents are more up to date and do go into EC parameters. Even these have changes from V2.01 in 1998 to the V2.30 drafts of 2009.

RSA has no parameters associated with the public key, whereas EC, DSA and GOSTR have additional parameters. In the EC case it could be an OID of a named curve, or a lot of big numbers. (Even PKCS#11 passes these parameters DER encoded.)

OpenSC was written to support RSA, and support for parameters was not needed until GOSTR added some support, and then I don't think it is complete. Even with the EC support on the PIV card, only 2 named curves are supported, so even it is not complete.

The term and variable pubkey is used throughout OpenSC to refer to a PKCS#11 pubkey, PKCS#15 pubkey, RSA pubkey and anything related to a "pubkey", and since RSA does not have parameters, if the "pubkey" has parameters, are they included or not in a "pubkey"?

As you pointed out below, the ObjectValue is a CHOICE between PATH, RAW and SubjectPublicKeyInfo, and in OpenSC only the PATH choice is supported today. Whereas a SPKI includes the algorithm and parameters. There is some support to create a "pubkey" from the SPKI from a certificate, but is this what a real card with EC would use?

So before making any additional changes I suggest that a developer should have a PKCS#15 card with EC, DSA or GOSTR to use in testing and see if the card can support SPKI.

Until then I would like to leave the "emulated" variable as is, because the pkcs15-piv.c is creating a sc_pkcs15_pubkey which has the algorithm, parameters and ecpoint included.
On 12/1/2010 4:05 PM, Andre Zepezauer wrote:
> On Wed, 2010-12-01 at 13:31 -0600, Douglas E. Engert wrote:
>>
>> On 12/1/2010 12:31 PM, Andre Zepezauer wrote:
>>> On Wed, 2010-12-01 at 11:34 -0600, Douglas E. Engert wrote:
On 12/1/2010 9:10 AM, Andre Zepezauer wrote:
> On Wed, 2010-12-01 at 08:31 -0600, Douglas E. Engert wrote:
>>
>> On 11/30/2010 8:16 PM, Andre Zepezauer wrote:
>>> On Tue, 2010-11-30 at 16:16 -0600, Douglas E. Engert wrote:
On 11/30/2010 3:22 PM, Andre Zepezauer wrote:
> Hello Douglas,
>
> for the problem you tried to solve with r4901 there is a more general
> solution. That solution would involve the mapping of the ASN1 type
> ObjectValue to the corresponding C structures.
>
> In the case related to r4901, the hook would be
> sc_pkcs15_pubkey_info_t->path. The underlying ASN1 type of that variable
> is ObjectValue, which is defined by PKCS#15 as a CHOICE between PATH,
> RAW and SubjectPublicKeyInfo. Only the PATH choice is supported yet.
>
> In the long term that should be completed and 'path' should be replaced
> by 'value' with a type capable of holding one of PATH, RAW or
> SubjectPublicKeyInfo.
>
> I could implement that. But not before 0.12 is out. Because it requires
> some changes on asn1-decoders. In the mean time it's better to place the
> variable 'emulated' on sc_pkcs15_pubkey_info_t. Then the function
> sc_pkcs15_read_pubkey could be modified to handle the two cases (path or
> emulated) transparently.

Sounds interesting, but today, the "emulated" works with the EC code I am working on using the PIV card that is emulating the pubkey

>>>
>>> You are going to emulate something that doesn't have to be emulated at all.
>>> The use-case where the whole public key is included within the meta-data
>>> is already defined by PKCS#15. Public-key meta-data is mapped to
>>> sc_pkcs15_pubkey_info_t and so the pubkey as DER-encoded SPKI should
>>> reside there.
>>>

I would like to leave it the way it is, at least until I get all the EC code committed.

>>>
>>> You could commit to a specialised branch and merge to trunk when 0.12 is
>>> released. In the mean time, things could be integrated better if
>>> necessary.
>>
>> Let me point out that no code is using the mod today, and it will only
>> be used by the PIV to start with. As you point out, the pubkey
>> for EC at least could be a SPKI, and this looks promising.
>
> SPKI-encoding is common to all keys. In the specific case of EC,
> DER-encoded ECPoint is possible too. See the ASN1 definitions of
> {KEY-TYPE}PublicKeyChoice in PKCS#15.
>
> KEY-TYPE := RSA | EC | DH | DSA | KEA
>
> According to the s
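Douglas's point that RSA carries no parameters while EC carries a named-curve OID (or a lot of big numbers) is visible directly in the SubjectPublicKeyInfo encoding, the third ObjectValue choice the message discusses. As an added example, not OpenSC code and not from either participant, the following C parser walks a DER SPKI and reports the algorithm OID, what kind of parameters follow it (absent, NULL, a namedCurve OID, or something explicit) and the size of the key material. The two sample encodings are constructed with dummy key bytes, and every name in the block is this example's own.

```c
/* Added example, not OpenSC code: walk a DER SubjectPublicKeyInfo and report
 * the algorithm OID, what kind of parameters it carries and the size of the
 * key material. RSA carries NULL parameters; EC carries a namedCurve OID (or
 * explicit domain parameters). Sample keys are constructed with dummy bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char alg_oid[48];  /* algorithm OID, dotted */
    char params[48];   /* "absent", "NULL", a dotted OID, or "explicit/other" */
    size_t key_len;    /* subjectPublicKey octets after the unused-bits byte */
} spki_info;

/* TLV header at p (n bytes left): sets tag and content length, returns the
 * header size, or 0 if truncated or the length is malformed. */
static size_t tlv(const uint8_t *p, size_t n, uint8_t *tag, size_t *len)
{
    size_t hdr = 2, k, nb;
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) {
        *len = p[1];
    } else {                                /* long form: nb length octets */
        nb = p[1] & 0x7F;
        if (nb == 0 || nb > 2 || n < 2 + nb) return 0;
        for (*len = 0, k = 0; k < nb; k++) *len = (*len << 8) | p[2 + k];
        hdr += nb;
    }
    return *len <= n - hdr ? hdr : 0;
}

/* OID content octets (base-128 arcs) to dotted text. */
static int oid_to_str(const uint8_t *p, size_t n, char *out, size_t cap)
{
    size_t i, used = 0;
    unsigned long v = 0, a;
    int first = 1, w;
    if (n == 0) return -1;
    for (i = 0; i < n; i++) {
        v = (v << 7) | (p[i] & 0x7F);
        if (p[i] & 0x80) { if (i + 1 == n) return -1; continue; }  /* arc continues */
        if (first) {                          /* first octet packs arcs 1 and 2 */
            a = v < 80 ? v / 40 : 2;
            w = snprintf(out + used, cap - used, "%lu.%lu", a, v - 40 * a);
            first = 0;
        } else
            w = snprintf(out + used, cap - used, ".%lu", v);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
        v = 0;
    }
    return 0;
}

/* SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING },
 * AlgorithmIdentifier ::= SEQUENCE { OID, parameters ANY OPTIONAL }. */
int spki_parse(const uint8_t *der, size_t n, spki_info *info)
{
    const uint8_t *p = der, *end, *alg_end;
    uint8_t tag;
    size_t len, h;
    memset(info, 0, sizeof *info);
    if (!(h = tlv(p, n, &tag, &len)) || tag != 0x30) return -1;
    p += h; end = p + len;
    if (!(h = tlv(p, (size_t)(end - p), &tag, &len)) || tag != 0x30) return -1;
    p += h; alg_end = p + len;
    if (!(h = tlv(p, (size_t)(alg_end - p), &tag, &len)) || tag != 0x06) return -1;
    if (oid_to_str(p + h, len, info->alg_oid, sizeof info->alg_oid)) return -1;
    p += h + len;
    if (p == alg_end) {
        strcpy(info->params, "absent");
    } else {
        if (!(h = tlv(p, (size_t)(alg_end - p), &tag, &len))) return -1;
        if (tag == 0x05 && len == 0)                  /* RSA: NULL */
            strcpy(info->params, "NULL");
        else if (tag == 0x06) {                       /* EC: namedCurve OID */
            if (oid_to_str(p + h, len, info->params, sizeof info->params)) return -1;
        } else                                        /* e.g. explicit ECParameters */
            strcpy(info->params, "explicit/other");
        if (p + h + len != alg_end) return -1;
    }
    p = alg_end;
    /* keys are byte aligned, so the BIT STRING's unused-bits octet must be 0 */
    if (!(h = tlv(p, (size_t)(end - p), &tag, &len)) || tag != 0x03 || len < 1 || p[h] != 0)
        return -1;
    info->key_len = len - 1;
    return p + h + len == end ? 0 : -1;
}

/* Constructed RSA SPKI: rsaEncryption, NULL params, a 5-octet dummy modulus. */
static const uint8_t rsa_spki[] = {
    0x30, 0x20, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
    0x05, 0x00, 0x03, 0x0f, 0x00, 0x30, 0x0c, 0x02, 0x05, 0x00, 0xc0, 0xff, 0xee, 0x01,
    0x02, 0x03, 0x01, 0x00, 0x01 };

/* Constructed EC SPKI: id-ecPublicKey, prime256v1 namedCurve, 65-octet point of
 * 0x04 plus filler (not a real point). buf needs 91 bytes; returns the length. */
size_t build_ec_spki(uint8_t *buf)
{
    static const uint8_t hdr[] = {
        0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
        0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04 };
    memcpy(buf, hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0xab, 64);
    return sizeof hdr + 64;
}
```

For the EC sample the parser returns algorithm 1.2.840.10045.2.1 with parameters 1.2.840.10045.3.1.7 (prime256v1) and a 65-octet point; for the RSA sample it returns 1.2.840.113549.1.1.1 with NULL parameters. A "pubkey" record that keeps only the BIT STRING contents loses the second field entirely, which is the information an EC key cannot do without.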
Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
Ok, committed this fix. Thanks.

On 12/3/2010 9:34 AM, jons...@terra.es wrote:
>
>
> Original message
> From: deeng...@anl.gov
> Date: 03/12/2010 16:18
> To:
> Subject: Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
>
> Committed r4906 to test for OPENSSL_NO_EC, and op  ensslconf.h is included.
> Please verify if Fedora now compiles.
>
> Just a simple patch to get it right:
> --
> Index: src/tools/piv-tool.c > === > --- src/tools/piv-tool.c (revisión: 4906) > +++ src/tools/piv-tool.c (copia de trabajo) > @@ -34,7 +34,9 @@ > /* Module only built if OPENSSL is enabled */ > #include > #include > +#ifndef OPENSSL_NO_EC > #include > +#endif > #include > #include > #include > @@ -351,7 +353,7 @@ > > EVP_PKEY_assign_EC_KEY(evpkey, eckey); > #else > - fprintf(stderr, "This build of OpenSSL does not support EC keys"\n); > + fprintf(stderr, "This build of OpenSSL does not support EC keys\n"); > r = 1; > #endif /* OPENSSL_NO_EC */ > --
>
> Thanks for the work
> Juan Antonio

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
Original message
From: deeng...@anl.gov
Date: 03/12/2010 16:18
To:
Subject: Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14

Committed r4906 to test for OPENSSL_NO_EC, and opensslconf.h is included. Please verify if Fedora now compiles.

Just a simple patch to get it right:
--
Index: src/tools/piv-tool.c === --- src/tools/piv-tool.c(revisión: 4906) +++ src/tools/piv-tool.c(copia de trabajo) @@ -34,7 +34,9 @@ /* Module only built if OPENSSL is enabled */ #include #include +#ifndef OPENSSL_NO_EC #include +#endif #include #include #include @@ -351,7 +353,7 @@ EVP_PKEY_assign_EC_KEY(evpkey, eckey); #else -fprintf(stderr, "This build of OpenSSL does not support EC keys"\n); +fprintf(stderr, "This build of OpenSSL does not support EC keys\n"); r = 1; #endif /* OPENSSL_NO_EC */
--

Thanks for the work
Juan Antonio
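Review bot: in the first hunk (`@@ -34,7 +34,9 @@`) the new `#ifndef OPENSSL_NO_EC` only keeps ec.h out if OPENSSL_NO_EC is already defined at that point, and that macro comes from `<openssl/opensslconf.h>`; if none of the includes above it drag that header in, the macro is undefined, the guard passes, ec.h is included anyway and the Fedora build fails exactly as before. Put `#include <openssl/opensslconf.h>` ahead of the guard (the src/pkcs11/openssl.c pattern Aleksey points at in this thread), and give the new `#endif` the `/* OPENSSL_NO_EC */` trailer that the file's existing `#endif` in the second hunk already carries.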
Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
Committed r4906 to test for OPENSSL_NO_EC, and opensslconf.h is included.
Please verify if Fedora now compiles.

On 12/3/2010 5:46 AM, Aleksey Samsonov wrote:
> Hello,
>
> One remark. We need to use 'include <openssl/opensslconf.h>' to use
> OPENSSL_NO_EC.
>
> Complete example (or see src/pkcs11/openssl.c):
>
> #include <openssl/opensslv.h> /* for OPENSSL_VERSION_NUMBER */
> #if OPENSSL_VERSION_NUMBER >= 0x10000000L
> #include
> #include <openssl/opensslconf.h> /* for OPENSSL_NO_* */
> #ifndef OPENSSL_NO_EC
> #include <openssl/ec.h>
> #endif /* OPENSSL_NO_EC */
>
>
> 2010/12/3 jons...@terra.es:
>>> OPENSSL_VERSION_NUMBER >= 0x1000L && !defined(OPENSSL_NO_EC) is the
>>> key,
>>> Douglas hopefully plans that into the next patch unless you do it before
>>> (I don't have a Fedora VM available at the moment)
>>
>> OK :-) attached patch works for me
>>
>> Juan Antonio

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
I have a patch, will commit it now.

On 12/3/2010 2:48 AM, Martin Paljak wrote:
>
> On Dec 3, 2010, at 10:16 AM, jons...@terra.es wrote:
>
>> In Fedora 14 (that ships OpenSSL-1.0.0b) it seems that EC support is not built
>> in the OpenSSL package
>>
>> -
>> Making all in tools
>> make[3]: Entering directory
>> `/home/jantonio/work/dnie/cenatic/opendnie/opensc-dnie/trunk/src/tools'
>> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src -pthread
>> -fno-strict-aliasing -g -O2 -MT pkcs11-tool.o -MD -MP -MF
>> .deps/pkcs11-tool.Tpo -c -o pkcs11-tool.o pkcs11-tool.c
>> pkcs11-tool.c:27:24: fatal error: openssl/ec.h: No such file or directory
>> compilation terminated
>> ---
>
> OPENSSL_VERSION_NUMBER >= 0x1000L && !defined(OPENSSL_NO_EC) is the key,
> Douglas hopefully plans that into the next patch unless you do it before (I
> don't have a Fedora VM available at the moment)
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
Hello,

One remark. We need to use 'include <openssl/opensslconf.h>' to use OPENSSL_NO_EC.

Complete example (or see src/pkcs11/openssl.c):

#include <openssl/opensslv.h> /* for OPENSSL_VERSION_NUMBER */
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
#include
#include <openssl/opensslconf.h> /* for OPENSSL_NO_* */
#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
#endif /* OPENSSL_NO_EC */

2010/12/3 jons...@terra.es :
>> OPENSSL_VERSION_NUMBER >= 0x1000L && !defined(OPENSSL_NO_EC) is the
>> key,
>> Douglas hopefully plans that into the next patch unless you do it before
>> (I don't have a Fedora VM available at the moment)
>
> OK :-) attached patch works for me
>
> Juan Antonio
Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
Original message
From: mar...@paljak.pri.ee
Date: 03/12/2010 9:48
To:
CC:
Subject: Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14

> OPENSSL_VERSION_NUMBER >= 0x1000L && !defined(OPENSSL_NO_EC) is
> the key,
> Douglas hopefully plans that into the next patch unless you do it before
> (I don't have a Fedora VM available at the moment)

OK :-) attached patch works for me

Juan Antonio

diff -rbuN --exclude=.svn opensc/src/tools/piv-tool.c cenatic/opendnie/opensc-dnie/trunk/src/tools/piv-tool.c --- opensc/src/tools/piv-tool.c 2010-12-03 10:04:30.0 +0100 +++ cenatic/opendnie/opensc-dnie/trunk/src/tools/piv-tool.c 2010-12-03 10:01:57.0 +0100 @@ -31,7 +31,9 @@ #include #include #include +#ifndef OPENSSL_NO_EC #include +#endif #include #include #include @@ -321,7 +323,9 @@ EVP_PKEY_assign_RSA(evpkey, newkey); - } else { /* EC key */ + } +#ifndef OPENSSL_NO_EC +else { /* EC key */ int i; BIGNUM *x; BIGNUM *y; @@ -348,6 +352,7 @@ EVP_PKEY_assign_EC_KEY(evpkey, eckey); } +#endif if (bp) r = i2d_PUBKEY_bio(bp, evpkey); diff -rbuN --exclude=.svn opensc/src/tools/pkcs11-tool.c cenatic/opendnie/opensc-dnie/trunk/src/tools/pkcs11-tool.c --- opensc/src/tools/pkcs11-tool.c 2010-12-03 10:04:30.0 +0100 +++ cenatic/opendnie/opensc-dnie/trunk/src/tools/pkcs11-tool.c 2010-12-03 11:23:26.0 +0100 @@ -24,7 +24,9 @@ #include #include #include +#ifndef OPENSSL_NO_EC #include +#endif #include #include #endif @@ -1247,6 +1249,9 @@ * so we will write it for OpenSSL if built with OpenSSL */ if (opt_mechanism == CKM_ECDSA) { +#ifdef OPENSSL_NO_EC + util_fatal("OpenSSL ECDSA_SIG: not supported"); +#else int nLen; ECDSA_SIG * ecsig = NULL; unsigned char *p = NULL; @@ -1264,6 +1269,7 @@ free(p); ECDSA_SIG_free(ecsig); +#endif } else #endif r = write(fd, buffer, sig_len);
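Review bot: the `#ifndef OPENSSL_NO_EC` added in the first piv-tool.c hunk (`@@ -31,7 +31,9 @@`) is evaluated before anything in the hunk has defined OPENSSL_NO_EC; that macro lives in `<openssl/opensslconf.h>`, so unless an earlier include pulls it in the guard is always open and ec.h is still included on a no-EC OpenSSL. Include opensslconf.h first, as the src/pkcs11/openssl.c example elsewhere in this thread does.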
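Review bot: in the `@@ -321,7 +323,9 @@` hunk of piv-tool.c the `#ifndef OPENSSL_NO_EC` is placed between the RSA branch's closing `}` and `else { /* EC key */` with no `#else`, so on a no-EC OpenSSL the whole EC branch disappears and a request for an EC key is not rejected, execution simply continues past the `}`. Add an `#else` branch that reports and fails, in the shape r4906 uses (`fprintf(stderr, "This build of OpenSSL does not support EC keys\n"); r = 1;`). The new `+else { /* EC key */` line has also lost the indentation of the `}` above it.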
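Review bot: the `+#endif` in `@@ -348,6 +352,7 @@` closes that guard immediately before `if (bp) r = i2d_PUBKEY_bio(bp, evpkey);`, so with the EC branch compiled out the code reaches i2d_PUBKEY_bio for an EC request with an `evpkey` that was never assigned a key and writes out whatever it holds; an error return before this line is needed, not only the guard. Tag the `#endif` as `#endif /* OPENSSL_NO_EC */`, the form the r4906 patch in this thread already uses.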
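Review bot: same point as the piv-tool.c include hunk: the `#ifndef OPENSSL_NO_EC` in `@@ -24,7 +24,9 @@` of pkcs11-tool.c needs `<openssl/opensslconf.h>` included above it to have any effect. These includes already sit inside an outer conditional (the `#endif` that is the hunk's last context line), so the opensslconf.h include belongs inside that same block, ahead of the guard.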
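Review bot: `util_fatal("OpenSSL ECDSA_SIG: not supported")` in the `@@ -1247,6 +1249,9 @@` hunk aborts the tool at the point where the card has already returned a valid signature, and the comment just above says the DER form is produced only "for OpenSSL if built with OpenSSL"; on a no-EC build the useful behaviour is to continue to the `r = write(fd, buffer, sig_len);` path and write the raw signature (with a warning that it is not DER), or to do the SEQUENCE-of-two-INTEGERs re-encoding without OpenSSL, rather than to exit.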
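Review bot: in `@@ -1264,6 +1269,7 @@` the new `+#endif` sits directly above `} else` and a second, pre-existing `#endif`, so two conditionals with different purposes close within three lines; write it as `#endif /* OPENSSL_NO_EC */` so its pairing with the `#ifdef OPENSSL_NO_EC` in the previous hunk is readable, and since that `#ifdef` opens inside the `if (opt_mechanism == CKM_ECDSA) {` block, confirm both halves still brace-balance by compiling once with `-DOPENSSL_NO_EC`.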
Re: [opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
On Dec 3, 2010, at 10:16 AM, jons...@terra.es wrote:
> In Fedora 14 (that ships OpenSSL-1.0.0b) it seems that EC support is not built
> in the OpenSSL package
>
> -
> Making all in tools
> make[3]: Entering directory
> `/home/jantonio/work/dnie/cenatic/opendnie/opensc-dnie/trunk/src/tools'
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src -pthread
> -fno-strict-aliasing -g -O2 -MT pkcs11-tool.o -MD -MP -MF
> .deps/pkcs11-tool.Tpo -c -o pkcs11-tool.o pkcs11-tool.c
> pkcs11-tool.c:27:24: fatal error: openssl/ec.h: No such file or directory
> compilation terminated
> ---

OPENSSL_VERSION_NUMBER >= 0x1000L && !defined(OPENSSL_NO_EC) is the key, Douglas hopefully plans that into the next patch unless you do it before (I don't have a Fedora VM available at the moment)

--
@MartinPaljak.net
+3725156495
[opensc-devel] Rv: r4904 and OpenSSL-1.0.0b in Fedora 14
More info:

It seems that Fedora removes everything ECC-related due to patent problems:
https://bugzilla.redhat.com/show_bug.cgi?id=615372

How could these problems affect OpenSC? Perhaps we could do some kind of conditional compilation to take care of this

Juan Antonio
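Conditional compilation removes the OpenSSL EC calls, but one of them needs no OpenSSL at all: the raw-to-DER conversion of an ECDSA signature in pkcs11-tool.c, which Juan Antonio's attached patch above replaces with util_fatal() on a no-EC build. The card (through PKCS#11 CKM_ECDSA) returns r||s; a verifier wants SEQUENCE { INTEGER r, INTEGER s }. As an added example, not OpenSC code and not from the thread, this C function does that re-encoding by hand, covering the two cases that are easy to get wrong (a 0x00 pad when the top bit of r or s is set, leading zero octets stripped) and the long-form length that P-521 sizes need. The sample signature in main() is constructed, not taken from a card, and the names are this example's own.

```c
/* Added example, not OpenSC code: convert the raw r||s ECDSA signature a
 * card returns into DER (SEQUENCE { INTEGER r, INTEGER s }) with no
 * OpenSSL at all, so a build on an OpenSSL without EC can still emit the
 * form verifiers expect instead of giving up. Names are this example's
 * own; the sample signature in main() is constructed, not from a card. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER length octets for len: short form, or long form 0x81 / 0x82. */
static size_t der_len(uint8_t *out, size_t cap, size_t len)
{
    if (len < 0x80) {
        if (cap < 1) return 0;
        out[0] = (uint8_t)len;
        return 1;
    }
    if (len <= 0xFF) {
        if (cap < 2) return 0;
        out[0] = 0x81; out[1] = (uint8_t)len;
        return 2;
    }
    if (cap < 3) return 0;
    out[0] = 0x82; out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
    return 3;
}

/* DER INTEGER from an unsigned big-endian value: drop leading zero octets
 * (keeping one for zero itself), then prepend 0x00 if the top bit is set
 * so the value is not read as negative. Returns bytes written, 0 on error. */
static size_t der_uint(uint8_t *out, size_t cap, const uint8_t *v, size_t n)
{
    size_t pad, body, hdr;

    if (n == 0) return 0;
    while (n > 1 && v[0] == 0) { v++; n--; }
    pad = (v[0] & 0x80) ? 1 : 0;
    body = n + pad;
    if (cap < 1) return 0;
    out[0] = 0x02;
    hdr = der_len(out + 1, cap - 1, body);
    if (!hdr || cap < 1 + hdr + body) return 0;
    if (pad) out[1 + hdr] = 0x00;
    memcpy(out + 1 + hdr + pad, v, n);
    return 1 + hdr + body;
}

/* raw holds r||s, each sig_len/2 octets (64 for P-256, 132 for P-521).
 * Writes the DER encoding to out; returns its length, 0 on error. */
size_t ecdsa_raw_to_der(const uint8_t *raw, size_t sig_len, uint8_t *out, size_t cap)
{
    uint8_t tmp[2 * (1 + 2 + 256)];      /* two INTEGERs of at most 255+1 octets */
    size_t half = sig_len / 2, rl, sl, hdr;

    if (sig_len == 0 || sig_len % 2 || half > 255)
        return 0;
    rl = der_uint(tmp, sizeof tmp, raw, half);
    if (!rl) return 0;
    sl = der_uint(tmp + rl, sizeof tmp - rl, raw + half, half);
    if (!sl) return 0;
    if (cap < 1) return 0;
    out[0] = 0x30;
    hdr = der_len(out + 1, cap - 1, rl + sl);
    if (!hdr || cap < 1 + hdr + rl + sl) return 0;
    memcpy(out + 1 + hdr, tmp, rl + sl);
    return 1 + hdr + rl + sl;
}

int main(void)
{
    /* Constructed P-256 sized sample: r has its top bit set (needs a 0x00
     * pad), s has two leading zero octets (must be stripped). */
    uint8_t raw[64], der[80];
    size_t i, n;

    memset(raw, 0x11, 32);      raw[0] = 0x80;
    memset(raw + 32, 0x22, 32); raw[32] = raw[33] = 0x00;
    n = ecdsa_raw_to_der(raw, sizeof raw, der, sizeof der);
    for (i = 0; i < n; i++)
        printf("%02x%s", der[i], i + 1 == n ? "\n" : " ");
    return n ? 0 : 1;
}
```

Dropped into the `#ifdef OPENSSL_NO_EC` branch in place of util_fatal(), the output buffer can then go through the same `write(fd, ...)` call as the RSA case; the OpenSSL path and this one produce byte-identical DER for the same r and s.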
[opensc-devel] r4904 and OpenSSL-1.0.0b in Fedora 14
In Fedora 14 (that ships OpenSSL-1.0.0b) it seems that EC support is not built in the OpenSSL package

-
Making all in tools
make[3]: Entering directory `/home/jantonio/work/dnie/cenatic/opendnie/opensc-dnie/trunk/src/tools'
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src -pthread -fno-strict-aliasing -g -O2 -MT pkcs11-tool.o -MD -MP -MF .deps/pkcs11-tool.Tpo -c -o pkcs11-tool.o pkcs11-tool.c
pkcs11-tool.c:27:24: fatal error: openssl/ec.h: No such file or directory
compilation terminated
---

Any easy way to bypass this issue?

Juan Antonio