2009/3/17 João Poupino <joao.poup...@data.identity.pt>: > Hello everyone,
Hello, I am surprised I am the only one to comment here. No one is using OpenSC with the Muscle applet (I am not)? > Here are the patches to use 2048 bit keys and the random number generator in > OpenSC with the Muscle Card Applet. Only the Aladdin eToken 72K Java was > tested, but it should work with any Java Card running the Muscle Applet > (that supports 2048 bit keys). > > There are two patches: > > Muscle Card Applet (trunk) (musclecard.diff) > -------------------------------------------- > > * Support for extended APDUs in the ComputeCrypt() method. Encryption, > decryption, etc., can work with 2048 bit keys without needing to use > multiple APDUs. This patch is optional since the smart card and reader need > to support extended APDUs (as is the case with the Aladdin eToken 72K). Already committed in the JavaCard applet. > OpenSC (0.11.7) (opensc.diff) > ----------------------------- > > * Small fix in msc_get_challenge(): the existing code was using the 0x72 > instruction to call the GetChallenge() method, but, at least according to > the latest version in the MUSCLE repository, the correct instruction number > is 0x62. Also, msc_get_challenge() was returning dataLength when it should > be returning 0 to indicate success; Committed in revisions 3668 and 3669. > * Make some buffers larger to support extended APDUs. The change was only > from 256 to 512 bytes since it is more than enough for 2048 bit keys; Committed in revision 3670. > * Card detection in card-muscle.c to detect whether to activate extended > APDUs or not; Committed in revision 3671. > * Remove the 258 byte response limit in card-pcsc.c - any help in how to > correctly solve this issue is greatly appreciated; I went back in history and this code is present since the very first version of reader-pcsc.c in revision 221. http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/reader-pcsc.c?rev=221#L107 The value evolved from 255 to 256 to 258. And now the suggestion is to remove the check. Revision 221 has the comment /* FIXME: PC/SC Lite quirk */. So I guess this code was useful when pcsc-lite could not handle extended APDU. This is no more the case so I remove the check. Committed in revision 3672. > * Do not use msc_crypt_process (OP_PROCESS). This operation is used to do > multipart encryption when, for example, the data is too big to fit in one > APDU. It basically calls the Cipher.update() method until all data has been > processed. However, the Java Card API documentation advises against using > update(): > > "This method requires temporary storage of intermediate results. In > addition, if the input data length is not block aligned (multiple of block > size) then additional internal storage may be allocated at this time to > store a partial input data block. This may result in additional resource > consumption and/or slow performance. > This method should only be used if all the input data required for the > cipher is not available in one byte array. If all the input data required > for the cipher is located in a single byte array, use of the doFinal() > method to process all of the input data is recommended." > > As the card's JVM was returning an internal exception when using OP_PROCESS, > it was decided to implement an msc_crypt_final_object() function in OpenSC > that uses the msc_object_*() functions to read/write all the data from the > card. This way, it is possible to transmit/receive "arbitrarily" large data > chunks to/from the card and use doFinal(). This is the fallback method when, > for example, using 2048 bit keys and the card doesn't support extended > APDUs. > > When I have some time, I plan to update the OpenSC wiki with the > instructions on how to get the Aladdin eToken 72K working. Committed in revision 3673. João, please check that OpenSC is still working correctly for you. Thanks -- Dr. Ludovic Rousseau _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
