Skip to content

Various fixes for ECDSA key operations with ePass 2003 token #2845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Jakuje merged 4 commits into from
Oct 8, 2023
Merged

Various fixes for ECDSA key operations with ePass 2003 token #2845

Jakuje merged 4 commits into from
Oct 8, 2023

Conversation

@Jakuje
Copy link
Member

@Jakuje Jakuje commented Aug 28, 2023

While setting up a token for automated CI, I noticed couple of failures that I am trying to fix here.

@FeitianSmartcardReader please, have a look. If the ePass should support also other digest operations with ECDSA, please point us to some documentation.

Checklist
  • Documentation is added or updated
  • PKCS#11 module is tested
  • Windows minidriver is tested
  • macOS tokend is tested

@Jakuje Jakuje mentioned this pull request Aug 30, 2023
Merged
1 task
@Jakuje
Copy link
Member Author

Jakuje commented Sep 7, 2023

rebased to avoid conflicts.

pinging also @xaqfan as he contributed some code to the ePass2003 driver recently and he could proide some insights into the proposed changes.

@FeitianSmartcardReader
Copy link
Contributor

FeitianSmartcardReader commented Sep 8, 2023

let me take a look, thanks

Jakuje added 4 commits October 5, 2023 11:15
@Jakuje
p11test: Add epass2003 reference file
d8cd440
@Jakuje
ePass: Remove trainling whitespace
aa74096
@Jakuje
ePass: Do not return positive exit code when the digest is not supported
589253d 
The code paths for the ECDSA signatures provide SHA1 and SHA256 padding.
Any other padding should return an error as unsopported operation, but
given that the variable r was reused for some temporary calculation
it returned positive value, which was handled by the calling code as
a success.

Moreover, the calling code in use_key() function skipped the key operation
with this return value causing returning the uninitialized memory to the
calling process.
@Jakuje
epass: Pass real data length for RAW ECDSA signatures
4ba9607
@Jakuje
Copy link
Member Author

Jakuje commented Oct 5, 2023

Dropped the commit ab533d0 removing the raw ECDSA mechanism as this is something I do not completely understand and just announce additional mechanism that works only with specific input sizes (SHA1 and SHA256). The others stayed and should land before the 0.24.0 as they cause memory issues.

@Jakuje Jakuje requested a review from frankmorgner October 5, 2023 09:29
@Jakuje Jakuje merged commit 67a3874 into OpenSC:master Oct 8, 2023
@dengert
Copy link
Member

dengert commented Oct 8, 2023

Dropped the commit ab533d0 removing the raw ECDSA mechanism as this is something I do not completely understand and just announce additional mechanism that works only with specific input sizes (SHA1 and SHA256). The others stayed and should land before the 0.24.0 as they cause memory issues.

By setting flags = SC_ALGORITHM_ONBOARD_KEY_GEN | SC_ALGORITHM_ECDSA_HASH_SHA1 | SC_ALGORITHM_ECDSA_HASH_SHA256 the driver is saying the card (or driver in this case) can do the SHA1 or SHA256 on whatever data is passed to it.

The driver sets epass2003_ops.compute_signature = epass2003_decipher; which is strange but lines:
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-epass2003.c#L2282-L2301
do the hash in the driver and set the SHA1 length to 0x14 or SHA256 len to 0x20.
And the lines after: https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-epass2003.c#L2302-L2308 which would allow any length. So should this be removed since they also dropped SC_ALGORITHM_ECDSA_HASH_NONE?

By dropping the SC_ALGORITHM_ECDSA_RAW, upper layers in OpenSC will not do other hashes.

The card appears to only accept length 0x14 or 0x20 requiring strange code.

@dengert
Copy link
Member

dengert commented Oct 8, 2023

My old epass2003 without this mods shows:

  ECDSA, keySize={256,256}, hw, sign, verify
  ECDSA-SHA224, keySize={256,256}, sign, verify
  ECDSA-SHA384, keySize={256,256}, sign, verify
  ECDSA-SHA512, keySize={256,256}, sign, verify
  ECDSA-SHA1, keySize={256,256}, hw, sign, verify
  ECDSA-SHA256, keySize={256,256}, hw, sign, verify

I would expect with this it mod it would only show:

  ECDSA-SHA1, keySize={256,256}, hw, sign, verify
  ECDSA-SHA256, keySize={256,256}, hw, sign, verify

The "hw" is misleading because the driver is doing the hash.

@popovec
Copy link
Member

popovec commented Oct 9, 2023

@Jakuje can you please test this patch? This should allow ECDSA to be used with SHA384 and SHA512.

diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c
index ed2ec649b..2e1ff31a7 100644
--- a/src/libopensc/card-epass2003.c
+++ b/src/libopensc/card-epass2003.c
@@ -2202,6 +2202,11 @@ epass2003_set_security_env(struct sc_card *card, const sc_security_env_t * env,
                        sbuf[2] = 0x92;
                        exdata->ecAlgFlags = SC_ALGORITHM_ECDSA_HASH_NONE;
                }
+               else if (env->algorithm_flags & SC_ALGORITHM_ECDSA_RAW)
+               {
+                       sbuf[2] = 0x92;
+                       exdata->ecAlgFlags = SC_ALGORITHM_ECDSA_HASH_NONE;
+               }
                else
                {
                        r = SC_ERROR_NOT_SUPPORTED;

If we supplement epass2003_decipher() with the function of padding zeros before the shorter input, ECDSA with SHA224 will also work. I have only tested it in the simulator https://github.com/popovec/epass2003_sim/, as my epass2003 does not know anything about EC encryption.

@popovec
Copy link
Member

popovec commented Oct 9, 2023

I have prepared a patch that fixes all ECDSA-SHA* and RAW EDCSA mechanisms. It also removes the incorrectly flagged "hw" attribute. Please try to check if it works on a real token, I only have a simulation.

https://github.com/popovec/OpenSC/tree/epass2003_ec_fix1

@dengert
Copy link
Member

dengert commented Oct 9, 2023

Does anyone have a epass2003 with EC that could test this PR?

My epass2003 is from Gooze in 2011 and does not support EC.

@popovec
Copy link
Member

popovec commented Oct 9, 2023

As far as I know, @Jakuje has the possibility to test it. The simulator test is available here:

https://github.com/popovec/epass2003_sim/actions/runs/6458752219

The error that is there comes from the diff of the reference and the new json file.

@Jakuje
Copy link
Member Author

Jakuje commented Oct 11, 2023

Sorry, I will be able to test this manually only during last week of October. The most I can help with now is just to merge your changes and see what they will do in the gitlab CI, where I have the epass2003 plugged in. I do not have direct access to that machine now.

@popovec
Copy link
Member

popovec commented Oct 11, 2023

I'll leave it up to you, I won't generate a PR from it yet, as I would hate to disrupt the current state of epass2003, which seems to work well at least for ECDSA-SHA1 and ECDSA-SHA256. However, it would be good if 0.24 final already contained functional code for ECDSA and ECDSA-SHA384 and ECDSA-SHA512.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frankmorgner frankmorgner frankmorgner approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Jakuje @FeitianSmartcardReader @dengert @popovec @frankmorgner