Skip to content

Support for IDPrime MD 830, 930 and 940 cards #2666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Jakuje merged 28 commits into from
Jun 7, 2023
Merged

Support for IDPrime MD 830, 930 and 940 cards #2666

Jakuje merged 28 commits into from
Jun 7, 2023

Conversation

@xhanulik
Copy link
Member

@xhanulik xhanulik commented Dec 15, 2022

Driver card-idprime.c does not support some of the IDPrime cards - MD 830, 930 and 940.

The main problem is not matching key references that are assigned during the processing of the index file. The key references were recently set according to the OS version. However, some of the tested cards shared the same OS version but different key references of the private keys. The card matching is now done via ATR for particular card types, and the key reference offsets are distinguished according to card->type.

The idprime_process_index() function for processing the 0x0101 file adds the found certificate objects to the card. The index file contains entries which (probably) differ as the certificates were imported to the card with different tools. The entries can be

  • ksc or kxc alone - card should have corresponding private and public key
  • ksc/kxc with pubkxs/pubkxc - certificate is missing corresponding private key (CA certificates)
  • priprk, ksc/kxc and pubkxs/pubkxc - card should have the corresponding private and public key

Each certificate entry contains an index and the offset used for getting the private key reference.
Certificates that are missing a private key on the card are also added to the card but with some dummy key reference, which is then processed in sc_pkcs15emu_idprime_init(), where only the public key is added.

IDPrime 930 and 940 cards can work with 4096b RSA keys, which is added to the card initialization.

Cards also support EC keys and certificates - the sc_pkcs15emu_idprime_init() is extended by adding EC keys to the card. When signing with ECDSA keys, the data for signature needs to be padded (probably to some multiple of 8 bytes) before sending to the card.

The changes were tested with cards

  • IDPrime 3810 with RSA keys
  • IDPrime MD 830-FIPS with RSA keys
  • IDPrime 930 with RSA keys
  • IDPrime 940 cards with 4096b RSA key and EC key

There are still some issues which need to be addressed

  • key references (and offsets in idprime_process_index()) of EC keys may differ from the key references of RSA key
  • IDPrime 940 cards support CC certificates which are listed as common certificates in the index file

@Jakuje Jakuje mentioned this pull request Jan 12, 2023
Closed
@xhanulik
Copy link
Member Author

xhanulik commented Feb 8, 2023

Added reading of cmap file, which contains records holding private key container names and index of corresponding certificates. It is used for the detection of CA certificates on the card.

For IDPrime 940, there is also a second PIN (Digital Signature PIN) used for accessing CC certificates on the card. File 0x0005 contains key references of private keys with PIN index and index of corresponding certificates. This is used for the classification of key objects to correct PIN.

Jakuje
Jakuje reviewed Feb 9, 2023
View reviewed changes
This was referenced Mar 3, 2023
Closed
Closed
Merged
@xhanulik xhanulik force-pushed the idprime branch 2 times, most recently from 51b87d4 to 84642ac Compare March 29, 2023 11:53
@xhanulik xhanulik marked this pull request as ready for review March 29, 2023 12:10
@xhanulik xhanulik mentioned this pull request Apr 5, 2023
Merged
3 tasks
frankmorgner
frankmorgner requested changes Apr 13, 2023
View reviewed changes
xhanulik added 13 commits April 21, 2023 15:24
@xhanulik
Add ATRs for IDPrime cards
6ba0ea1
@xhanulik
Add RSA alg with 4096b only for idprime 930 and 940
643ccda
@xhanulik
Add EC objects to p15card
d3b38c4
@xhanulik
Add EC algorithm into idprime_init
92692b2
@xhanulik
Parsing of IDPrime index file
b8d6719 
`kxc` and `ksc` objects denote certificates. Certificate objects
can be standalone - then we expect that they have public and private
keys on the card, or there can be `priprk` and `pubksc` denoting
corresponding private a public keys.
@xhanulik
Add ECC
890b073
@xhanulik
Fix double free in OAEP test
e373982
@xhanulik
Remove testing code
88ed4d0
@xhanulik
Pad messages with various length before signing with ECDSA
ea0e2ce
@xhanulik
Fix ATR mask to take country code as two bytes
0b968d8
@xhanulik
Use container map to identify certificates without private keys
d101be2 
Cmap file contains records denoting container name and the record
index corresponds to the index of certificate.
@xhanulik
Add digital signature PIN for IDPrime 940 cards
920e47f 
IDPrime 940 uses digital signature pin for accessing CC certificates
@xhanulik
Read key reference map on IDPrime 940
3832e68 
File 0x0005 on IDPrime 940 contains 8 bytes records, which probably
denote key reference and PIN index associated with certificate index.
Jakuje
Jakuje reviewed May 4, 2023
View reviewed changes
Jakuje
Jakuje reviewed May 10, 2023
View reviewed changes
Copy link
Member

@Jakuje Jakuje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hopefully last comments

frankmorgner
frankmorgner requested changes May 26, 2023
View reviewed changes
Copy link
Member

@frankmorgner frankmorgner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please look at @Jakuje comment about the possible memory leak, thank you.

xhanulik added 2 commits June 2, 2023 16:07
@xhanulik
Fix memory leak
20140e5
@xhanulik
Make PIN ID const
7b72d2b 
To indicate that the returned memory does not need to be free'd.
@Jakuje
Copy link
Member

Jakuje commented Jun 7, 2023

Thank you!

@Jakuje Jakuje merged commit 87aedd3 into OpenSC:master Jun 7, 2023
@jurajsarinay jurajsarinay mentioned this pull request Jun 26, 2023
Merged
1 task
@xhanulik xhanulik mentioned this pull request Jul 3, 2023
Closed
@jurajsarinay jurajsarinay mentioned this pull request Sep 15, 2023
Closed
@xhanulik xhanulik deleted the idprime branch July 19, 2024 16:41
@Somebody25 Somebody25 mentioned this pull request Sep 11, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakuje Jakuje Jakuje approved these changes

@frankmorgner frankmorgner frankmorgner approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xhanulik @Jakuje @frankmorgner