I am using a somewhat modified version of IsoApplet. Up till now it worked fine. However recently I stumbled upon a web site that
forces a client cert auth with RSA-PSS. And (at least on windows, using minidriver) it didn't work. It looks to me, that it's a bug
in the PSS support code in minidriver, as I cannot find any place where a MGF1 padding scheme is specified. And since none is specified
signing fails. This patch fixes this. It assumes, that the same hash is used for hashing and padding.
This fixes a problem reported in Nitrokey forum at
https://support.nitrokey.com/t/veracrypt-encryption-with-nitrokey-error/2872
as inability to save the VeraCrypt's keyfile onto the token
after deleting an existing one, unless the PKCS11 is reinitialized.
Reason: commit cbc53b9 "OpenPGP: Support write certificate for Gnuk"
introduced a condition on getting the blob handle, which is surplus
(the pgp_find_blob() function actually does that) and prevents
the blob refresh upon deletion, breaking the logic introduced
earlier in commit 9e04ae4 and causing the higher-level effect reported.
While at it, corrected comments to actually reflect the flow logic.
Tested on Fedora 33 using the repro steps from the forum and Nitrokey Pro.
Signed-off-by: alt3r 3go <alt3r.3go@protonmail.com>
Option --use-locking has C_Initialize pass in parameters with the
CKF_OS_LOCKING_OK to tell module to use threads. The default is it passes NULL
which says threads are not needed.
The following is not designed to be used by the general user. There are for debugging
and test scripts and only compiled if the system has threads.
Option --test-threads <arg> can be passed multiple times. Each one starts a thread.
<arg> is a list of 2 byte commands seperated by ":". The thread will execute these.
Current commands are:
IN - C_Initialize(NULL)
IL - C_Initialize with CKF_OS_LOCKING_OK
Pn - Pause for n seconds
GI - C_GetInfo
SL - C_GetSlotList
Tn - C_GetTokenInfo from slot_index n
These are just enough calls to see if threads are working in the module.
Output is written to stderr.
Changes to be committed:
modified: doc/tools/pkcs11-tool.1.xml
modified: src/tools/Makefile.am
modified: src/tools/pkcs11-tool.c
While trying to setup an OpenSC context, the global_locking
and detect cards, it is possible that multiple threads may
call C_Initialize. The current code tries to prevent this using
"if (context == NULL)" but this is not a mutex, and
multiple threads may endup overwrite contexts and global locking and
cause additional problems, with pcsc and segfault.
FireFox appears to do this see #2032
The PR adds a mutex or Critical section to make sure only one
thread creates the context sets the global_locking and does
the initial detect cards, etc.
This allows the global_lock (if requested) to be setup
which is then used for other calls.
All but the first call to C_Initialize will return with CKR_OK,
others will return CKR_CRYPTOKI_ALREADY_INITIALIZED.
Date: Mon Jan 11 12:47:12 2021 -0600
Changes to be committed:
modified: src/pkcs11/pkcs11-global.c
Fixes#2139
Added code to support mechanism GENERIC-SECRET-KEY-GEN.
Improved --help and doc/tools/pkcs11-tool.1.xml because key gen
of symmetric keys pass CKA_VALUE_LEN which is length of key in bytes.
Tested with:
./pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so \
--login --label generic-64 --keygen --key-type GENERIC:64 \
--mechanism GENERIC-SECRET-KEY-GEN
./pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --login -O
config option for MyEID: "disable_hw_pkcs1_padding"
If user set this option to non zero, OpenSC is forced to calculate padding
in software. This will allow users to use RSA 1024 with SHA512.
The --signature-format openssl in pkcs11-tool does the correct
operation to convert the OpenSSL formated signature to rs for PKCS11
This commit modifies pkcs11/openssl.c to convert back to sequence
for EVP_VerifyFinal
Without this mod the signature file was passed unmodified to
PKCS11, then to EVP_VerifyFinal but this violates PKCS11 standard.
On branch ECDSA-flags
Changes to be committed:
modified: openssl.c
This PR is based on discussion with @popovec in
https://github.com/OpenSC/OpenSC/issues/2181
and https://github.com/OpenSC/OpenSC/pull/2187
which was cherry-picked as 5e5300816c8
This has been tested with PIV, MyEID and Smartcard-HSM.
with ECDSA keys.
The main fixes include :
- Setting "flags" in card drivers
- added code to sc_pkcs15-compute-signature for handle ECDSA with hashes
- code in framework-pkcs15.c
Signatures made by pkcs11-tool -sigm verify with openssl
but pkcs11-tool --verify does not work with ECDSA but does with RSA
I suspect it has to do with:
and some then creating the wrong PKCS11 mechanisms
It should work with the epass2003 which does hashes in the driver.
CKM_ECDSA and CKM_ECDSA_SHA1 cannot be registered in the same way.
We need to use sc_pkcs11_register_sign_and_hash_mechanism ()
for CKM_ECDSA_SHA1.
This fix also enables more ECDSA-SHAxxx mechanisms in framework-pkcs15.c
Tested: MyEID 4.0.1 (secp256r1 with SHA1, SHA224, SHA256, SHA384, SHA512)
CI tests (Travis + OsEID) for ECDSA-SHAxxx mechanisms are also enabled.
Information about "Life cycle status byte" is now available in listing.
Also src/libopensc/types.h update - added more LCSB definitions.
iso7816_process_fci () update: improved tag 0x8A parsing.
Fixes in card-flex.c and card-miocos.c - SC_FILE_STATUS_xxx is not
bitfield.
Function sc_pkcs15init_update_file(): we will try to select the file, if
file can not be selected, the file is created, and select operation is
repeated. In both cases, the "selected_file" variable contains the current
FCI of the selected file.
Then the sc_pkcs15init_authenticate () function is called, but not with
"selected_file" variable, but "file" variable where the FCP data is present
(from the file creation operation).
Difference between FCP and FCI (pkcs15-init -C / MyEID card).
62 17 80 02 00 FF 82 01 01 83 02 50 31 86 03 01 3F FF 85 02 00 00 8A 01 00
6F 17 80 02 00 FF 82 01 01 83 02 50 31 86 03 01 3F FF 85 02 00 00 8A 01 01
Here it is clear that the data from FCP are outdated. The card changed the
TAG 0x8a from 0 to 1 ("no information given", "creation state".) We need to
respect the authority of the card, FCI is to be used in next code, not FCP.
modified: src/pkcs15init/pkcs15-lib.c
Thanks clang:
/src/libopensc/card-authentic.c:1564:47: warning: The left operand of '==' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
if (acls[AUTHENTIC_ACL_NUM_PIN_RESET].method == SC_AC_CHV) {
^
Thanks clang
/src/libopensc/card-belpic.c:230:7: warning: Although the value stored to 'r' is used in the enclosing expression, the value is never actually read from 'r' [clang-analyzer-deadcode.DeadStores]
if((r = get_carddata(card, carddata, sizeof(carddata))) < 0) {
^
/src/libopensc/card-belpic.c:230:7: note: Although the value stored to 'r' is used in the enclosing expression, the value is never actually read from 'r'
Cleanup trailing whitespaces and protect hand formated structures
in card-piv.c and pkcs15-piv.c
On branch PIV-whitespace
Changes to be committed:
modified: card-piv.c
modified: pkcs15-piv.c
This patch enables using of: SHA224-RSA-PKCS, SHA256-RSA-PKCS,
SHA384-RSA-PKCS, SHA512-RSA-PKCS and PSS variants of these mechanism for
MyEID users. (This patch is related to issue #2173.)
CI tests for these mechanisms are also enabled (using OsEID emulation).
ASN1 tags are represented in two many ways within OpenSC.
This is a trivial change to simplify one aspect of this.
It also makes the code more readable.
SC_ASN1_CLASS_MASK, SC_ASN1_APP, SC_ASN1_CTX, SC_ASN1_PRV,
SC_ASN1_CONS are changed, and SC_ASN1_CLASS_MASK is added.
These then align with the bits defined by SC_ASN1_TAG_CLASS,
SC_ASN1_TAG_APPLICATION, SC_ASN1_TAG_CONTEXT, SC_ASN1_TAG_PRIVATE,
and SC_ASN1_TAG_CONSTRUCTED.
(SC_ASN1_UNI and SC_ASN1_TAG_UNIVERSAL are both 0x00 thus no change
is needed).
(No sign of a right shift of SC_ASN1_CTX or SC_ASN1_PRV causeing
problems has been seen in the code.) If found, can be solved.)
Close examination of the OpenSC code base shows all uses of tags
used by routines and sc_asn1_entry use the defines.
This could allows 26 lines of code in sc_asn1_skip_tag used to test
the 3 CLASS and CONSTRUCTED bits to be replaced by:
if (((cla << 24) | tag) != tag_in)
return NULL;
The 26 lines still work as will any other code in OpenSC
that tests the bits using the defines. It also allows new code
to be simplified.
Problem identified while looking at better way to check response
on GET_DATA (0xCB) that returns TLV as used in card-piv.c
Changes tested using pkcs11-tool --test --login with PIV, SC_HSM
and OpenPGP cards.
Fixes#2141
NIST 800-73-3 based cards only had 2 bits set in first pin policy byte.
NIST 800-73-4 defines additions bits in first pin policy byte.
When one of these bit is set, and the policy prefers the Global pin,
it is not recognized and the local pin is used.
On branch PIV-global-pin-bug
Changes to be committed:
modified: src/libopensc/card-piv.c
When failed to access reader, cxt needs to be released before
exiting the program. Like in the patch of CVE-2019-6502, a
sc_release_context(ctx) is needed before line 71, or a
memory leak may occur.
Update the ATR table for PIV/CAC matrix to 2019 -10-18 version:
https://www.cac.mil/Portals/53/Documents/DoD%20Token%20utilziation%20and%20variation%20matrix%20v2_06_17October2019.docx?ver=2019-10-18-102519-120
Also update table for several PivKey cards, and added ATR for IDEMIA PIV 2.4.1.
But did not update for use of SM or VCI.
Yubico changed the ATR historical data for Yubikey 5 NFC. Code was added to recognize
it, when used with USB or NFC.
Note: Yubikey 5 NFC when used with NFC cant use touch policy. NFC reader may not provide
enough power to power the LED on button.
On branch PIV-update-DOD-Yubikey
Changes to be committed:
modified: card-piv.c
The previous erase sequence did not always work. For example:
% pkcs15-init -C
Using reader with a card: Feitian ePass2003 00 00
New User PIN.
Please enter User PIN: 1234
Please type again to verify: 1234
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Failed to create PKCS #15 meta structure: Security status not satisfied
% pkcs15-init -E
Using reader with a card: Feitian ePass2003 00 00
Failed to erase card: Security status not satisfied
This apparently bricked many people's ePass2003 devices:
https://github.com/OpenSC/OpenSC/issues/767https://sourceforge.net/p/opensc/mailman/message/33621883/https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass2003
Feitian provided a proprietary binary blob called `FIX_TOOL' to recover
devices from this state, but declined to offer source code when asked:
https://download.ftsafe.com/files/ePass/Fix_Tool.tar.gzhttps://download.ftsafe.com/files/reader/SDK/Fix_Tool_20200604.zip
With reverse-engineering help by Saleem Rashid (@saleemrashid on
Github), I was able to find the sequence of three APDUs that the tool
submits to the device to erase it. The mechanism seems to be:
1. Install a magic PIN. This is like install_secret_key, as used by
internal_install_pin, but with a few different magic constants.
2. Verify the magic PIN.
3. Delete the MF file, without selecting anything first.
With this patch, `pkcs15-init -E' successfully erases my ePass2003, and
I am able to initialize it with `pkcs15-init -C -p pkcs15+onepin' if I
set both a user pin and a PUK. (This patch does not prevent the
ePass2003 from getting into the state which could not be erased by the
old erase sequence.)
Fix various spelling errors, mostly in comments but also in texts displayed.
Errors found & interactively fixed using 'codespell', with additional manual
checks after the fixes.
Have do_asn1() accept an optional parameter indicating a record number.
If this is given and the file is a record-oriented file, then ASN.1-decode
the record requested.
Have do_cat() accept an optional second parameter indicating a record number.
If this is given and the file is a record-oriented file, only print the record
requested.
supported by most of the card drivers and can therefore not be regarded to be
part of the public interface.
Modified the only remaining card driver that used it (authentic) to store acls
in a private variable.
- its definition is specific to the IAS-ECC card type
- its presence can not be assumed since it is read from non-mandatory SE type of an SDO
- it is currently not used anywhere in the code
during an unblock operation (this is a sign of a card with invalid PKCS #15
info). Without this error message the program just terminates silently, which
is confusing to the user.
local PINs. This makes the code behave the same way as PIN verification,
change and unblock, before calling the PIN command handler in the card driver.
- Use PIN padding information when provided by upper layers
- Enable PIN padding at card level when min/max len set to same, nonzero value
- Allow PIN-pad use to be dynamically selected for each PIN
excluding the CRT info from the SE-SDO, which is not guaranteed to be
available in all card types.
Use an explicit PIN policy structure type instead of keeping the info in the
sc_pin_cmd_data, since this type of info is only used privately in the card
driver.
- The wrong PIN was selected from the sc_pin_cmd_data structure.
- When the PIN max value was zero from the caller (meaning unknown max), the
reader max value was not used.
- Reset context to undefined handle value on error since call may alter
output parameter.
- Continue to assume -1 as undefined handle value in all PCSC
implementations, to keep this fix as small and surgical as possible.
Frank Morgner
Luka Logar
Jakub Jelen
alt3r 3go
ihsinme
Zhang Xiaohui
Vincent JARDIN
Doug Engert
Peter Popovec
Carsten Blüggel
rickyepoderi
Arya Senna
w00475903
Anton Logachev
Alexander
Conrado P. L. Gouvea
Taylor R Campbell
Zoltan Kelemen
Raul Metsma
Peter Marschall
Ludovic Rousseau
Julian Strobl