(a) I remember preferring the CVS version of the applet, and ended up working from the .src version of the cardedge applet source, rebuilding the makefile to modernise it. I half recall that the CVS version was more complete in its implementation of the API/protocol for the crypto command than the version in the framework distribution. Many of the modifications I had made independently to the crypto command became redundant, once I moved to the CVS .src. Ive forgotten the details, however. They all frelated to proving signing worked - the only goal I had.
(b) I recall testing the signing capabiity positively only with code derived from the CVS version of the applet - and only once I altered it to use RSAwithSHA (because of my then card's limitations). I doubt I ever tried my unit test with the code in the packaged release - which I had abandoned by then.
(c) I too recall being very confused with the actual code in the packaged release, re signing modes, 9796 support, and the mapping of muscle crypto ids onto the javacard ids and back. I remember writing some emails, worried, last year. Things worked out, though, once I inspected the .src from the original programming team.
(d) someone altered an applet INS , to address a really-old 7816 conformance VPP issue (anyone seen a VPP-programmed card in 10 years?). Unfortunately, the muscle API never caught up, and muscleTool/API uses the original INS.
Peter.
From: vladimir lenin <[EMAIL PROTECTED]> Reply-To: MUSCLE <[EMAIL PROTECTED]> To: MUSCLE <[EMAIL PROTECTED]> Subject: Re: [Muscle] rsa signature Date: Sun, 16 May 2004 15:55:05 -0700 (PDT)
Mr. Williams, Let me clarify. I did not get confused by the use of key names
In atleast the source code for the applet I have, in ComputeCrypt a key's getType() method's return value
1 KEY_RSA_PUBLIC is TYPE_DES_TRANSIENT_RESET 2 KEY_RSA_PRIVATE is TYPE_DES_TRANSIENT_DESELECT 3 KEY_RSA_PRIVATECRT is TYPE_DES 4 KEY_DSA_PUBLIC is TYPE_RSA_PUBLIC 5 KEY_DSA_PRIVATE is TYPE_RSA_PRIVATE 6 KEY_DES is TYPE_RSA_PRIVATE_CRT 7 KEY_3DES is TYPE_DSA_PUBLIC 8 KEY_3DES3 is TYPE_DSA_PRIVATE
I want to sign using TYPE_RSA_PRIVATE_CRT, but the applet throws SW_INCORRECT_ALG So without changing the applet's source code, I won't be able to sign using TYPE_RSA_PRIVATE_CRT key
I may be able to sign using TYPE_RSA_PUBLIC, TYPE_RSA_PRIVATE but the siganture's getInstance is initialized to 11 Cipher.ALG_RSA_ISO9796 which is actually Signature. ALG_RSA_MD5_PKCS1, but SW_UNSUPPORTED_FEATURE is thrown also. If I stop there seeing the status word I would not be able to use ALG_RSA_MD5_PKCS1
The cyberflex e-gate 32k card I have supports rsa algorithms ALG_RSA_MD5_PKCS1 ALG_RSA_SHA_PKCS1
so without changing the source code, musclecard does not support signatures with TYPE_RSA_PRIVATE_CRT key
thank you
--- Peter Williams <[EMAIL PROTECTED]> wrote: > > > > >From: vladimir lenin <[EMAIL PROTECTED]> > >Reply-To: MUSCLE <[EMAIL PROTECTED]> > >To: MUSCLE <[EMAIL PROTECTED]> > >Subject: Re: [Muscle] rsa signature > >Date: Sun, 16 May 2004 09:52:23 -0700 (PDT) > > > >Hello > >After going through the source code, The conclusion > I > >came to is > >1. musclecard does not have signature capability > >(by signature I mean computing both the > messagedigest > >of plain text and encrypting with private key, like > >ALG_RSA_SHA_PKCS1) > > I'd dispute the conclusion. If the basis for > reasoning is observing the > programmer's use of names in the source code, then I > have some sympathy for > the error in the reasoning. There are other bases > however, that go more to > the heart of the issue. > > >2. musclecard supports encryption and decryption, > so I > >have to calculate the message digest off card and > pad > >it and send it to the card to encrypt. > >(It supports something like ALG_RSA_PKCS1) > >thank you > > My own evidence disputes this: I wasted 2 weeks on a > poor-quality UK > javacard product vendor, whose simulator improperly > packed the PKCS1 type 1 > block with the hash, whereas their card did things > correctly. Obviously, > neither device could verify each other's signatures. > > Muscle didnt help itself on this issue: in my > (considerably-modified) source > of muscle applet, I let the CRT key bind to the > particular signing > algorithm. In this way, I got passed the fact that > the current release > forces use of MD5 - which the vendor's card did NOT > support. > > Other cards may have NO support for any hashing > algorithms, vladimir. This > very practical evidence suggest at least one valid > basis which would allow > you to correctly deduce the wrong conclusion. > > Id get proof that (a) your card can hash anything > (b) then, that it even > supports signature algorithms that bind RSA to > hashing schemes. Perhaps the > card only offers RSA PKCS#1 type 2 or OAEP > padding..., even if it supports > and provides implementations of the common hashing > classes. > > Remember, there are NO conformance standards for > javacard crypto support. > Every card build is different. Some to 512 bit, some > do 1024, some do MD5, > some do SHA1. some have fast eeprom, others do not. > Some do key gen , others > do not. > > > > > > > >--- Christian Schneider <[EMAIL PROTECTED]> > wrote: > > > vladimir lenin wrote: > > > > > > >Mr. schneider, > > > >You are not signing on the card itself. you are > > > >getting the certificate and key from the card > and > > > >using them to sign on the host. I want the card > > > applet > > > >to sign the message digest I send. Correct me > if > > > you I > > > >misunderstood aomething > > > >thank you > > > > > > > > > > > I create the digest on the host. > > > > > > But the signing is done on the card. The key is > not > > > extractable. > > > > > > The library lets me find the private key on the > > > card. But I get only > > > a handle of the key that is then given to the > > > signing function. > > > > > > Perhaps the generation of the hash is the > problem in > > > your case. > > > I think muscle can�t do SHA1RSA but only RSA. So > the > > > hash has to be > > > generated outside the > > > card. > > > > > > In the library I used there is a function to > request > > > the card�s > > > capabilities. > > > > > > best regards, > > > > > > Christian > > > > > > _______________________________________________ > > > Muscle mailing list > > > [EMAIL PROTECTED] > > > http://lists.drizzle.com/mailman/listinfo/muscle > > > > > > > > > > > >__________________________________ > >Do you Yahoo!? > >SBC Yahoo! - Internet access at a great low price. > >http://promo.yahoo.com/sbc/ > >_______________________________________________ > >Muscle mailing list > >[EMAIL PROTECTED] > >http://lists.drizzle.com/mailman/listinfo/muscle > > > _______________________________________________ > Muscle mailing list > [EMAIL PROTECTED] > http://lists.drizzle.com/mailman/listinfo/muscle
__________________________________ Do you Yahoo!? SBC Yahoo! - Internet access at a great low price. http://promo.yahoo.com/sbc/ _______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.drizzle.com/mailman/listinfo/muscle
