Minidriver fixes for ECC keys #2523
Conversation
|
@vletoux Any idea when certutil -scinfo does not work with EC keys with OpenSC minidriver but venodor's version does? I have a IDEMIA test card with all ECDSA keys. certutil -scinfo using their minidriver starts with this: Using the same card and clearing out the cert store of any references to the certificates and using certutil and the OpenSC minidriver (just changing the registry 800001=to point at OpenSC minidriver) it shows: They spot that the the base CSP can not handle the card: OpenSC tries to returns this: Then they have: where OpenSC has: There is something wrong OpenSC minidriver when using ECDSA. md.log trace is available. |
|
my first advice would be to test the minidriver with cmck.exe (can provide it to you) |
|
my second advice would be to test it with API monitor (http://www.rohitab.com/apimonitor) to trace KSP / CSP calls |
|
I think that the empty container name can have an impact. Seeing the md.log with the latest property call may help |
|
Yes please provide cmck.exe. I will have a look at apimonitor. Using change msi file from this PR which don't appear to make any difference. |
|
I remember having same issue with curve key sizes with estonian id card minidriver. https://github.com/open-eid/minidriver/blob/master/esteidcm.cpp#L330-L345 |
|
This experimental fix for arekinath/PivApplet#64 has some minor changes but it looks like the main problem is in how OpenSC minidriver is installed. 0b683472b07 "win32 setup: add basic minidriver card registration and unregistration via a custom action" replaces in the normal: with When a card has EC keys, the combination of: "Crypto Provider"="Microsoft Base Smart Card Crypto Provider" and "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider" says the minidriver can do both. Without this only the CSP provider is used. A temp solution, to use cards with EC keys is to use change registry entries: These test were done on a Windows 10 PRO 64 bit system using the VS 2015 release versions built from this PR. Using am Idemia PIV test card with 8 EC keys and certs. Since the use of the A long term fix would be to add some other" key" = "value" like "installedByOpenSC" = "VERSION". `certutil -v -scinfo" now works. |
dengert
force-pushed
the
minidriver-ECC
branch
4 times, most recently
from
e162712 to
29dcda4
Compare
dengert
changed the title
|
@vletoux @metsma |
|
Implementation of this PR will affect existing installations because the "Crypto Provider" is saved in the cert store as "Provider". If we want to use ECC keys will will eventually need make the changes. For example from some tests to use a self signed cert on a card: IIRC I was trying to use an ECC key, but went back to test with RSA. |
|
Sorry for the late reply Analyzing card in reader: OMNIKEY CardMan 5x21 0 --------------===========================-------------- X509 Certificate: Here you can see key container has strange value? |
|
is there any way to enable on windows? |
|
What powershell command did you use? "Microsoft Base Smart Card Crypto Provider" only supports RSA See: https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/smart-card-minidrivers "Microsoft Smart Card Key Storage Provider" is the KSP. So it looks like it called both as expected. The container ID should be unique on the machine so a cached certificate can identify a card so user can be told to insert the card. But it looks like container ID was derived from a card unique ID ie.e. the ID private, public and certs share. It could still work. What type of card are you using? NIST does not define a serial number for a PIV card. The OpenSC PIV driver and minidriver uses either the FASC-N or GUID contained in the CHUID to derive a serial number for the card, which can then be used by minidriver to create the Container ID for each cert/key pair. (IIRC the default serial number is all zeros, and the one character ID is then inserted in the middle, thus "00000000000000010000000000000000" The yubikey minidriver may use the Yubikey token serial number, and thus work. If you use the same certificate on different cards windows can get confused as it can only cache one of them with the containerID it saw when first cached. . You will need to delete the cert(s) from the "my" cert store. Easy way is control panel->internet options->content->certificates->personal then find and remove the old certificates that also contain the container ID. As I don't have access to AD, to test login, any additional testing would be helpful. See |
|
While reviewing this PR and #2575 the minidriver is called at: which calls md_query_key_sizes with the dwKeySpec dwKeySpec is a combination of: ECC key, a specific usage (ECDSA or ECDHE), a specific keysize and a specific named curve. But the OpenSC looks at
To see these, run in Microsoft has added additional curves and has defined the OIDs in CNG docs from April 2021 for example: In the last reference above they do list multiple curves with the same size. When and if these will be passed to a minidriver as |
|
dwKeySize is supposed to be zero for ECC keys This is here only to deal with the RSA versability regarding key sizes (1024, 2048 etc) |
|
I am not referring to CardCreateContainer but to CardQueryKeySizes: which says: the OpenSC minidriver implemantaion in master: https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver.c#L4430-L4464 But this only works for some cards. Many do not fill in the vs->p15card->card->algorithms and card drivers do not fill in the OID when calling |
|
my mistake, you are correct |
dengert
force-pushed
the
minidriver-ECC
branch
from
ca911e0 to
244015d
Compare
…lity Add comment: <!-- PR OpenSC#2523 no longer uses "Provider = OpenSC CSP", but existing certificates in cert store may have "Provider = OpenSC CSP" so we continue to add it for backward compatability. Run: "certutil -Silent -store -user My" and look for "Provider = OpenSC CSP". --> Date: Tue Aug 23 14:38:24 2022 -0500 On branch minidriver-ECC Changes to be committed: modified: win32/OpenSC.wxs.in
|
I dont have a way to test this, but the only comment I would have here would be the typo marked by the codespell. The remaining codespell reports are fixed already in #2598. |
"CardGetProperty" "CP_CARD_KEYSIZES" passes key_type in dwFlags SC_ALGORITHM_EXT_EC_NAMEDCURVE in not in the flags, but in ext_flags so remove from the test. If any test is needed it should be to match the curve name to suported by Windows. Date: Sun Mar 13 13:56:43 2022 -0500 On branch minidriver-ECC Changes to be committed: modified: minidriver.c
Newer cards can have more then 12 key on card. Minidriver uses a fixed MD_MAX_KEY_CONTAINERS 12 change to 32 Changes to be committed: modified: minidriver.c
Changes to be committed: modified: minidriver.c
Cards with ECC keys need in registry both: "Crypto Provider"="Microsoft Base Smart Card Crypto Provider" "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider" So instead of replacing the crypto Provider, add "InstalledBy"="OpenSC" Then when uninstalling drivers, only uninstall drivers which have "OpenSC" On branch minidriver-ECC Changes to be committed: modified: customactions.cpp
…lity Add comment: <!-- PR OpenSC#2523 no longer uses "Provider = OpenSC CSP", but existing certificates in cert store may have "Provider = OpenSC CSP" so we continue to add it for backward compatibility. Run: "certutil -Silent -store -user My" and look for "Provider = OpenSC CSP". --> Date: Tue Aug 31 13:13:00 2022 -0500 On branch minidriver-ECC Changes to be committed: modified: win32/OpenSC.wxs.in
dengert
force-pushed
the
minidriver-ECC
branch
from
dfb1a0e to
b4bcbef
Compare
Cleaned up the compatibility spelling not covered by #2598 Waiting for checks to run to test msi files on windows. |
|
@dengert any update on this? Did you manage to test it? Ready to merge? |
|
Yes I was able to test this with PIV card with EC keys. But on Windows OpenSC does not add PIV to the registry, because most, PIV card vendors provide plug-and-play windows drivers. I added the OpenSC registry entries manually for testing. The main fix was to not mess with the "Provider = Microsoft Base Smart Card Crypto Provider". There may need to be additional fixes of OpenSC card drivers. Windows CNG also talks about other curves in addition to the P256 and P384 changes may be needed in card drivers in the future. |
|
In other words it is ready to commit. It does not break anything, only made improvements. |
|
Thank you! Merging. |
|
If you use OpenSC on Windows, especially if you were having problems with EC keys, can you try installing OpenSC from https://github.com/OpenSC/Nightly Uninstall any current OpenSC packages both 64 and 32 bit. Then install the nightly versions of the .msi files. Please report if it works or does not work, along with the card type and ATR. It is not clear if certificates already registered in the Microsoft Certificate Store will have to be deleted or not. Previous versions of OpenSC set in registry "Provider = OpenSC" which caused EC keys to not work. #2523 fixes this to use "Provider = Microsoft Base Smart Card Crypto Provider" or "Provider = Microsoft Smart Card Key Storage Provider"
Thanks. |
|
One more issue is cached ATR that may cause Microsoft minidriver for PIV to
get called.
Sent from my phone. More later
…On Fri, Apr 15, 2022, 8:32 AM Doug Engert ***@***.***> wrote:
What powershell command did you use?
"Microsoft Base Smart Card Crypto Provider" only supports RSA See:
https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/smart-card-minidrivers
"Microsoft Smart Card Key Storage Provider" is the KSP.
So it looks like it called both as expected.
The container ID should be unique on the machine so a cached certificate
can identify a card so user can be told to insert the card. But it looks
like container ID was derived from a card unique ID ie.e. the ID private,
public and certs share. It could still work.
What type of card are you using?
If this was a Yubkey, did you create run the yubico-piv-tool with action
"set-chuid"?
NIST does not define a serial number for a PIV card. The OpenSC PIV driver
and minidriver uses either the FASC-N or GUID contained in the CHUID to
derive a serial number for the card, which can then be used by minidriver
to create the Container ID for each cert/key pair. (IIRC the default serial
number is all zeros, and the one character ID is then inserted in the
middle, thus "00000000000000010000000000000000"
The yubikey minidriver may use the Yubikey token serial number, and thus
work.
If you use the same certificate on different cards windows can get
confused as it can only cache one of them with the containerID it saw when
first cached. . You will need to delete the cert(s) from the "my" cert
store. Easy way is control panel->internet
options->content->certificates->personal then find and remove the old
certificates that also contain the container ID.
As I don't have access to AD, to test login, any additional testing would
be helpful. See
https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC on how to get OpenSC
debug logs on Windows.
—
Reply to this email directly, view it on GitHub
<#2523 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGTIMPPDOY526C5QAA7SGLVFFVWXANCNFSM5QTXJ2SA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
…lity Add comment: <!-- PR OpenSC#2523 no longer uses "Provider = OpenSC CSP", but existing certificates in cert store may have "Provider = OpenSC CSP" so we continue to add it for backward compatibility. Run: "certutil -Silent -store -user My" and look for "Provider = OpenSC CSP". --> Date: Tue Aug 31 13:13:00 2022 -0500 On branch minidriver-ECC Changes to be committed: modified: win32/OpenSC.wxs.in
6 participants
Fix for arekinath/PivApplet#64
Minidriver fixes for ECC keys.
Cards with ECC keys need the KSP.
A minidriver is considered to support both CSP and KSP if registry has both:
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider" and
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
Rather then change "Crypto Provider" a new registry key was added:
"InstalledBy"="OpenSC" which is used during uninstall to remove OpenSC registry.
Users and vendors are not expected to use this key so their entries are not deleted by OpenSC.
MD_MAX_KEY_CONTAINERS changed from 13 to 32 to support known cards that have more the 12 keys.
"CardGetProperty" "CP_CARD_KEYSIZES" passes key_type in dwFlags
SC_ALGORITHM_EXT_EC_NAMEDCURVE in not in the flags, but in ext_flags
so remove from the test. If any test is needed it should be to match
the curve name supported by Windows.
On branch minidriver-ECC
Changes to be committed:
modified: minidriver.c
Tested on Windows 10 using Idemia PIV card with 8 ECC keys.
Implementation of this PR will affect existing installations, as the Microsoft cert store saves "Provider = OpenSC CSP" This may require uses to cleanup the cert store so "Provider = Microsoft Base Smart Card Crypto Provider" for RSA. Some entries in cert store have "Provider = Microsoft Smart Card Key Storage Provider" for ECC keys if found on a card.
In other words we should never have tampered with the "Crypto Provider"="Microsoft Base Smart Card Crypto Provider" in the registry.
Checklist