On 9/19/2012 6:11 PM, Andreas Schwier (ML) wrote: > Dear all, > > we've come across a strange behaviour of the pkcs15-lib in OpenSC when > we generate an EC key pair: > > After generating an fresh EC key pair, our code returns a > sc_pkcs15_pubkey containing the EC public key and DER encoded domain > parameter. The public key is then encoded in sc_pkcs15init_generate_key > and added to the DF in the framework when it's immediately decoded again. > > During this encode / decode step the domain parameter are lost.
Looked at PKCS#15 v1.1 section 6.4.3 The value is a EC_PubKeyChoice, that can be a raw ECPoint or a spki SubjectPublicKeyInfo. It looks like the sc_pkcs15_encode_pubkey_ec is just returning the ECPoint. sc_pkcs15_decode_pubkey_ec is also assuming the ECPoint. It looks like that code has never been fully tested, and the above code should be modified to use the spki SubjectPublicKeyInfo if there are domain parameters. With the EC work I have done in OpenSC including writing the above two routines, I have not looked at the pkcs15init code at all, as the PIV card is not a PKCS#15 card but rather the PKCS#15 is emulated, and the emulation layer is base on the decoded entries. The PIV does not use the pkcs15init code at all, but rather a special pivtool can be used for test cards to generate a key. It also turns out that the PIV card does not store a pubkey object at all, but derives the pubkey from the certificate. > > I'm wondering why this encode / decode step is done ? No one has a PKCS#15 cards that support EC to test this part of the code. > > If it is required for some reason, then I would rather encode the public > key in SubjectPublicKey structure that would also preserve the domain > parameter in AlgorithmIdentifier. Can you come up with a patch? > > Andreas > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
