github-af / SmartPGP

SmartPGP is a JavaCard implementation of the OpenPGP card specifications
GNU General Public License v2.0

Authentication key on a card with KDF enabled cannot be used on PKCS#11 #48

Open wreps8Owt opened 1 year ago

wreps8Owt commented 1 year ago

PKCS#11 is provided by OpenSC. `certtool --ask-pass -s --template ca.tmpl --load-privkey "pkcs11:token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=private" --outfile ca.crt` can successfully generate a self-signed certificate for a personal CA from an OpenPGP card 2.1 from ZeitControl (what https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.4 used to sell), but fails on my J3H145 running SmartPGP with the following error after entering the user PIN: `error importing key at pkcs11:token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=private: PKCS #11 error in data`. Both cards have an RSA key in their Authentication slot.

My J3H145 running SmartPGP has KDF enabled. Is this related?

wreps8Owt commented 1 year ago

`certtool --ask-pass -s --template ca.tmpl --load-privkey "pkcs11:token=OpenPGP%20card%20%28User%20PIN%29;id=%03;object=Authentication%20key;type=private" --outfile ca.cr` does work well on another Java card running SmartPGP but without KDF enabled, so it seems that enabling KDF may break compatibility with other applications if they do not support the KDF of the OpenPGP card 3 standard.

af-anssi commented 1 year ago

This problem does not come from the applet but from the OpenSC or GnuPG middleware. The applet does not perform any operation to derive the actual PIN when KDF is enabled; this is done entirely on the "client" side.
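
The client-side derivation af-anssi refers to, as an added example that is not part of SmartPGP or of this thread: the OpenPGP card 3.x KDF data object (tag F9) tells the host which iterated+salted S2K parameters to use, and the host sends the resulting hash to VERIFY in place of the PIN. The KDF-DO bytes and the salt below are constructed; a middleware that skips this step sends the raw PIN, which the card cannot match against the stored hash.

```python
import hashlib

# Constructed KDF-DO (contents of tag F9) as an OpenPGP card 3.x with KDF
# enabled would return it:
# 81 = algorithm (0x03 = KDF_ITERSALTED_S2K), 82 = hash (0x08 = SHA-256),
# 83 = iteration count (4-byte big-endian), 84 = salt for PW1.
SAMPLE_KDF_DO = bytes.fromhex(
    "810103"                   # algorithm: iterated+salted S2K
    "820108"                   # hash: SHA-256
    "8304000186A0"             # iteration count: 100000 bytes to hash
    "8408" "0011223344556677"  # 8-byte PW1 salt (constructed)
)

# Constructed KDF-DO with KDF switched off: the PIN is sent as-is.
SAMPLE_KDF_DO_OFF = bytes.fromhex("810100")

HASH_NAMES = {0x08: "sha256", 0x0A: "sha512"}

def parse_kdf_do(data):
    """Parse the one-byte-length TLVs of the KDF data object into a dict."""
    fields, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        fields[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def s2k_iterated_salted(hash_name, salt, pin, count):
    """RFC 4880 iterated+salted S2K: hash (salt||pin) repeated until
    'count' bytes have been fed in, but always at least one full salt||pin."""
    h = hashlib.new(hash_name)
    block = salt + pin
    remaining = max(count, len(block))
    while remaining > 0:
        chunk = block[:remaining]
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()

def pin_to_verify_payload(kdf_do, pin):
    """Return the bytes the host must send in VERIFY for PW1. With KDF off
    the raw PIN goes to the card; with KDF on the card only ever sees the
    derived hash, so the applet itself never derives anything."""
    f = parse_kdf_do(kdf_do)
    algo = f.get(0x81, b"\x00")[0]
    if algo == 0x00:
        return pin
    if algo != 0x03:
        raise ValueError("unsupported KDF algorithm %#x" % algo)
    hash_name = HASH_NAMES[f[0x82][0]]
    count = int.from_bytes(f[0x83], "big")
    return s2k_iterated_salted(hash_name, f[0x84], pin, count)
```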

af-anssi commented 1 year ago

@wreps8Owt Have you been able to identify which part on the "client" side is responsible for this behavior?

wreps8Owt commented 1 year ago

> @wreps8Owt Have you been able to identify which part on the "client" side is responsible for this behavior?

I guess it is the main library of the OpenSC project: libopensc.so. The PKCS#15 emulation of the OpenPGP card should be implemented there.

af-anssi commented 1 year ago

I see you have opened an issue in OpenSC: https://github.com/OpenSC/OpenSC/issues/2742.