Hello,
attached is the missing patch. It removes the RSA faking, but leaves
everything else as is.
BTW: Is the source code of that applet publicly available. If so, it
shouldn't be that hard to add the cryptographic operations. With or
without hardware-support.
Regards
Andre
On Wed, 2010-12-08 at 08:35 +0100, [email protected] wrote:
> Hello,
>
> For know I don't have patch for removing software operation on westcos,
>
> This is needed until westcos with cryptographics becomes available...
>
> But like I make my own build, I use openssl, you can build without openssl
>
> I will provide one for westcos user...
>
> It is ok for you this way?
>
> François.
>
>
>
> De :
> Martin Paljak <[email protected]>
> A:
> Andre Zepezauer <[email protected]>
> Cc :
> opensc-devel <[email protected]>
> Date:
> 07/12/2010 19:38
> Objet :
> Re: [opensc-devel] westcos still fakes crypto hardware
> Envoyé par :
> [email protected]
>
>
>
> Hello,
> On Dec 7, 2010, at 8:25 PM, Andre Zepezauer wrote:
>
> > Hello,
> >
> > the westcos driver still fakes crypto-hardware. It first extracts the
> > key material from the card and than performs the crypto operations in
> > software. Following that schema, then every card could easily support
> > every crypto-algorithm. OpenSSL would make it possible. What would be
> > the next thing in OpenSC, support for GSM/UMTS SIM cards?
> Do you know LGPL compatible A5/1 libraries ? :)
>
> Seriously though, a patch that removes the software operations would be
> useful.
>
> François, do you have one or will it break anything?
>
> Password encryption in key importing is also still present. I would really
> like to do a test to see if native exportable keys are supported by some
> cards. I know this can be done with JavaCards but don't know if any applet
> implements it.
>
Index: src/libopensc/card-westcos.c
===================================================================
--- src/libopensc/card-westcos.c (revision 4943)
+++ src/libopensc/card-westcos.c (working copy)
@@ -31,11 +31,6 @@
#ifdef ENABLE_OPENSSL
#include <openssl/des.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-#include <openssl/bio.h>
#endif
#ifndef min
@@ -50,23 +45,7 @@
#define WESTCOS_RSA_NO_HASH_NO_PAD (0x20)
#define WESTCOS_RSA_NO_HASH_PAD_PKCS1 (0x21)
-#ifdef ENABLE_OPENSSL
-#define DEBUG_SSL
-#ifdef DEBUG_SSL
-static void print_openssl_error(void)
-{
- static int charge = 0;
- long r;
- if (!charge) {
- ERR_load_crypto_strings();
- charge = 1;
- }
- while ((r = ERR_get_error()) != 0)
- fprintf(stderr, "%s\n", ERR_error_string(r, NULL));
-}
-#endif
-#endif
typedef struct {
sc_security_env_t env;
@@ -1099,14 +1078,8 @@
{
int r;
int idx = 0;
- u8 buf[180];
sc_file_t *keyfile = sc_file_new();
priv_data_t *priv_data = NULL;
- int pad;
-#ifdef ENABLE_OPENSSL
- RSA *rsa = NULL;
- BIO *mem = BIO_new(BIO_s_mem());
-#endif
if (card == NULL)
return SC_ERROR_INVALID_ARGUMENTS;
@@ -1138,103 +1111,7 @@
goto out2;
}
-#ifndef ENABLE_OPENSSL
r = SC_ERROR_NOT_SUPPORTED;
-#else
- if (keyfile == NULL || mem == NULL || priv_data == NULL) {
- r = SC_ERROR_OUT_OF_MEMORY;
- goto out;
- }
- if ((priv_data->env.flags) & SC_ALGORITHM_RSA_PAD_PKCS1)
- pad = RSA_PKCS1_PADDING;
-
- else if ((priv_data->env.flags) & SC_ALGORITHM_RSA_RAW)
- pad = RSA_NO_PADDING;
-
- else {
- r = SC_ERROR_INVALID_ARGUMENTS;
- goto out;
- }
- r = sc_select_file(card, &(priv_data->env.file_ref), &keyfile);
- if (r)
- goto out;
-
- do {
- int alire;
- alire = min(((keyfile->size) - idx), sizeof(buf));
- if (alire <= 0)
- break;
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
- "idx = %d, alire=%d\n", idx, alire);
- r = sc_read_binary(card, idx, buf, alire, 0);
- if (r < 0)
- goto out;
- BIO_write(mem, buf, r);
- idx += r;
- } while (1);
- BIO_set_mem_eof_return(mem, -1);
- if (!d2i_RSAPrivateKey_bio(mem, &rsa)) {
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
- "RSA key invalid, %d\n", ERR_get_error());
- r = SC_ERROR_UNKNOWN;
- goto out;
- }
-
- /* pkcs11 reset openssl functions */
- rsa->meth = RSA_PKCS1_SSLeay();
- if (RSA_size(rsa) > outlen) {
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Buffer too small\n");
- r = SC_ERROR_OUT_OF_MEMORY;
- goto out;
- }
-#if 1
- if (mode) { /* decipher */
- r = RSA_private_decrypt(data_len, data, out, rsa, pad);
- if (r == -1) {
-
-#ifdef DEBUG_SSL
- print_openssl_error();
-
-#endif
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
- "Decipher error %d\n", ERR_get_error());
- r = SC_ERROR_UNKNOWN;
- goto out;
- }
- }
-
- else { /* sign */
-
- r = RSA_private_encrypt(data_len, data, out, rsa, pad);
- if (r == -1) {
-
-#ifdef DEBUG_SSL
- print_openssl_error();
-
-#endif
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
- "Signature error %d\n", ERR_get_error());
- r = SC_ERROR_UNKNOWN;
- goto out;
- }
- }
-
-#else
- if (RSA_sign(nid, data, data_len, out, &outlen, rsa) != 1) {
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
- "RSA_sign error %d \n", ERR_get_error());
- r = SC_ERROR_UNKNOWN;
- goto out;
- }
- r = outlen;
-
-#endif
-out:
- if (mem)
- BIO_free(mem);
- if (rsa)
- RSA_free(rsa);
-#endif /* ENABLE_OPENSSL */
out2:
if (keyfile)
sc_file_free(keyfile);
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
