On Sun, Aug 15, 2010 at 13:45, Martin Paljak <mar...@paljak.pri.ee> wrote:

> Great! IMO that's good to go, I have only one small comment:
>  * Do I miss something or does the itacns_compute_signature -> 
> do_compute_signature chain translate almost 1:1 to iso7816_compute_signature 
> with an additional check in itacns_compute_signature ?
>  * The same seems to apply for itacns_decipher -> do_decipher and 
> iso7816_decipher

That's entirely correct. :) I have double-checked, and I have removed
the "custom" functions from card-itacns.c altogether.

> iso7816.c should not be taken as a final, static code, if there are checks 
> missing from there, it is OK to improve iso7816.c as well :)

I think that the checks already in place are all right. I guess that
implementation quirks may arise if and when 2048-bit keys are
supported, but currently I know of no CNS card with keys longer than
1024 bit, so it's safe for the time being.

> I guess #237 would solve the problem almost cleanly for you.
>
> I remember a similar problem with Estonian ID card but after some digging in 
> the specs and card manual it turned out to be somewhat sensible (Maybe 
> something like 0x00 Le indicating "give me as much as you have", like in 
> deciphering comments) but I can't locate the details nor changesets about it 
> now.

This was the right hint – I hadn't thought of that. :)

Even though certainly no data is expected from the card when issuing a
MSE command, I switched to a Case 2 APDU with Le = 0. The transmitted
APDU is exactly the same (P3 set to 0), and I think that leaving room
for a small buffer on the stack is a less ugly workaround than
disabling the check logic in apdu.c. So the driver can live without
#237 :)

> javax.smartcardio also does APDU mangling and it is not possible to send such 
> APDU-s, as it eats away the final zero...

Thanks for the heads up. It might be that I'm going to play with it in
the future (Roberto Resoli graciously pointed me to the Mocca
project[1]). I hope that the CommandAPDU(ByteBuffer apdu) form does
not try to mangle the APDU, but I've never tried.

The revised patch is now at
http://www.opensc-project.org/opensc/attachment/ticket/177/itacns-patch4.diff
, and I feel it addresses all points that have been brought up.

Thanks!

[1] http://mocca.egovlabs.gv.at/

-- 
Emanuele

>
>
>> Thank you in advance for any comment/feedback. I'm looking forward to
>> getting this into shape for integration in trunk.
>
>
> [1] http://www.opensc-project.org/opensc/ticket/237
> --
> Martin Paljak
> @martinpaljak.net
> +3725156495
>
>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to