Skip to content

Updated Italian CNS to support IDEMIA (Oberthur) tokens #2483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
frankmorgner merged 7 commits into from
Apr 13, 2023
Merged

Updated Italian CNS to support IDEMIA (Oberthur) tokens #2483

frankmorgner merged 7 commits into from
Apr 13, 2023

Conversation

@3v1n0
Copy link
Contributor

@3v1n0 3v1n0 commented Jan 12, 2022
edited
Loading

Added missing bits to support new Italian CNS cards provided by Idemia that have use now some less-standard mechanisms.

Checklist
  • PKCS#11 module is tested

Fixes #2445

@3v1n0 3v1n0 force-pushed the itacns-idemia-2021 branch 2 times, most recently from 0ca0c92 to 1aab1b9 Compare January 12, 2022 18:22
frankmorgner
frankmorgner requested changes Jan 14, 2022
View reviewed changes
@3v1n0 3v1n0 force-pushed the itacns-idemia-2021 branch 2 times, most recently from 49f1154 to 167dc9f Compare January 14, 2022 19:08
frankmorgner
frankmorgner requested changes Jan 14, 2022
View reviewed changes
@3v1n0 3v1n0 force-pushed the itacns-idemia-2021 branch 3 times, most recently from c1d5a4f to c0821d5 Compare January 15, 2022 00:45
@frankmorgner
Copy link
Member

frankmorgner commented Jan 15, 2022

Please check out frankmorgner@662d2a9 ... this may help you simplify the card matching process...

@3v1n0 3v1n0 force-pushed the itacns-idemia-2021 branch from c0821d5 to a90abd4 Compare January 16, 2022 00:25
Jakuje
Jakuje reviewed Jan 16, 2022
View reviewed changes
frankmorgner
frankmorgner reviewed Jan 17, 2022
View reviewed changes
xhanulik
xhanulik reviewed Feb 1, 2022
View reviewed changes
Copy link
Member

@xhanulik xhanulik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor inconsistency in indentation

@Fale
Copy link

Fale commented Apr 18, 2022

Any news on this? I've received one of those cards and I would be glad if it would be supported!

@rghe
Copy link

rghe commented May 8, 2022

BTW I've built and tested this change both with an older italian CNS (AC 2014) and a brand new ACe 2021.
Everything worked: pkcs11-test, logging on regional and government sites

@Jakuje
Copy link
Member

Jakuje commented Aug 16, 2022

@3v1n0 did you get back to the review comments? This looks like it works ok for several users so it would be great to have this in the coming release.

@dengert
Copy link
Member

dengert commented Aug 16, 2022

Comments the use of the ATR and mask:

  "3b:8b:80:01:00:31:c1:64:00:00:00:00:00:00:00:00",
  "ff:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:00:00:00:00",

This Only supports NFC, and is very generic, and could be mistaken for some other card. Can this card be used in a normal contact reader? If so it would have a different ATR.

I see you have figured out how to use already parsed ATR to get at the history bytes: card->reader->atr_info.hist_bytes_len
and removed much local parsing, but the original card had only 4 bytes of history and the new one has 11 from the b in 8b.
Whats in these bytes? Have you looked at using: https://smartcard-atr.apdu.fr/ with the ATR? I do not recall seeing in any of the comments what the ATR is.

frankmorgner and others added 7 commits November 13, 2022 05:14
@frankmorgner @3v1n0
itacns: simplify ATR matching
f12c766 
... and modify internal data only during initialization
@3v1n0
card-itacns: Use generic card fields to store hw and fw versions
0ab6233 
There's no need to use custom values, while in this way we can expose
such information to the card users
@3v1n0
pkcs15-itacns: Update mask manufacturers to match last definitions
cff00ca 
Gemalto was added in the last reference of CNS –
Carta Nazionale dei Servizi  Functional Specification [1], while
Oberthur is now named IDEMIA.

[1] https://www.agid.gov.it/sites/default/files/repository_files/documentazione_trasparenza/cns_functional_specification_1.1.6_02042011.pdf
@3v1n0
pkcs15-itacns: Only add x509 certificate if it is a valid one
5115785 
In case a card has some contents in the fetched path, but that's not an
X.509 certificate, we're accepting it anyways until it's actually going
to be used, and so will be listed as an available object.

Instead ensure whether this is valid through openssl before adding it.
@3v1n0
card-itacns: Support creating random numbers in smaller chunks
3365f3a 
Some cards can generate very small random numbers, so perform the action
multiple times to get up to the requested value.

This is handled by OpenSC, when the returned size is just less than
expected.
@3v1n0
itacns: Add support for 2021 Idemia CNS cards
a4eed95 
New Idemia / Oberthur cards have been provided to people and they use a
slightly different protocol, as per the reverse engineering of the new
protocol, I've adapted the missing bits.

Main key points:
 - Certificate path is 140090012002
 - Public key path is 11001102
 - The certificate has a size of 2048
 - Private key path is 14009002
 - The random number generator can only provide up to 32 bytes, so
   we just request multiple chunks in case a bigger number is requested.

Also, official driver uses chained APDU commands to handle signing
operations, however the card also supports extended APDU, so we can just
use that instead of using chained commands (that would require some
adjustments on the main library)

Fixes: OpenSC#2445
@3v1n0
card-itacns: Add NFC ATR for Idemia CNS
1708c06 
When using the card with a NFC reader the ATR is different, so we need
to use hard matching.
@3v1n0 3v1n0 force-pushed the itacns-idemia-2021 branch from a90abd4 to 1708c06 Compare November 13, 2022 04:17
@3v1n0
Copy link
Contributor Author

3v1n0 commented Nov 13, 2022

Sorry, took a while to update this, but comments should be handled now.

@3v1n0
Copy link
Contributor Author

3v1n0 commented Nov 13, 2022

This Only supports NFC, and is very generic, and could be mistaken for some other card. Can this card be used in a normal contact reader? If so it would have a different ATR.

Yes, it can be used both in a physical and NFC reader.

I see you have figured out how to use already parsed ATR to get at the history bytes: card->reader->atr_info.hist_bytes_len and removed much local parsing, but the original card had only 4 bytes of history and the new one has 11 from the b in 8b. Whats in these bytes? Have you looked at using: https://smartcard-atr.apdu.fr/ with the ATR? I do not recall seeing in any of the comments what the ATR is.

The ATR of the card I'm using here is 3B:8B:80:01:00:31:C1:64:08:92:33:54:00:90:00:F3, and I'm not aware if there are others. I'm quite sure this is the only one available for now.

But I didn't want to be too strict with it, in case some other card may change it.

Jakuje
Jakuje reviewed Nov 18, 2022
View reviewed changes
Copy link
Member

@Jakuje Jakuje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

except for the minor comments inline, looks good.

src/libopensc/card-itacns.c
itacns_get_challenge(sc_card_t *card, u8 *rnd, size_t len)
{
if (card->type == SC_CARD_TYPE_ITACNS_CNS_IDEMIA_2021)
len = MIN (0x20, len);
Copy link
Member

@Jakuje Jakuje Nov 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: using decimal representation in this context might be more readable than hexadecimal.

frankmorgner
frankmorgner requested changes Jan 19, 2023
View reviewed changes
Copy link
Member

@frankmorgner frankmorgner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall the code looks good. If you address the comments posted in the previous reviews, then I think we can move forward.

frankmorgner
frankmorgner approved these changes Feb 24, 2023
View reviewed changes
Copy link
Member

@frankmorgner frankmorgner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the comments are really just nits. We should merge this PR as is and move on.

@frankmorgner frankmorgner merged commit 47ac091 into OpenSC:master Apr 13, 2023
@dengert dengert mentioned this pull request Apr 27, 2023
Closed
@xhanulik xhanulik mentioned this pull request Jul 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakuje Jakuje Jakuje left review comments

@xhanulik xhanulik xhanulik left review comments

@frankmorgner frankmorgner frankmorgner approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Brand new Italian CNS (ACe 2021) not working: C_Login failed: rv = CKR_USER_PIN_NOT_INITIALIZED (0x102)

7 participants

@3v1n0 @frankmorgner @Fale @rghe @Jakuje @dengert @xhanulik