Open saper opened 6 months ago
Hi @saper,
Quick search shows that OpenSC for CardOS V5.3 should support SHA256-RSA-PKCS
. So first of all verify if you use newest version of OpenSC. Some OSes/distros/package managers can have old version so that is possible that you will need to build newest version of OpenSC manually.
Secondly: I'm not familiar with that card, but it is possible that different slots have different capabilities. Are you sure your QES is in slot 0
? Consider to verify is there other available slots pkcs11-tool -L
and what is supported by it pkcs11-tool --slot-index <0...N > -M
It turns out I was running https://github.com/OpenSC/OpenSC/commit/9dd5a8bd62a356091bb8e67492ca9171c4deba34 (plus some WIP patches unrelated to this patch) which is between 0.23.0 and 0.24.0 (over a year old at the time of writing this). I have re-tried with 0.25.0 and the list of mechanisms is as follows:
> pkcs11-tool -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-X-509, keySize={512,4096}, hw, decrypt, sign, verify
RSA-PKCS, keySize={512,4096}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={512,4096}, sign, verify
RSA-PKCS-PSS, keySize={512,4096}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={512,4096}, sign, verify
RSA-PKCS-OAEP, keySize={512,4096}, hw, decrypt
There is only one slot:
> /usr/local/bin/pkcs11-tool -L
Available slots:
Slot 0 (0x0): Gemalto USB Shell Token V2 (4FFFFFFF) 00 00
token label : CardOS V5.3 | EC00FFFFF
token manufacturer : Atos IT Solutions and Service...
token model : PKCS#15 emulated
token flags : login required, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 31
pin min/max : 4/16
and any attempt to go beyond 0 results in Slot with index 1 (counting from 0) is not available.
Just managed to extract their PKCS#15 EF(TokenInfo) which describes the token on the card:
$ /usr/local/bin/pkcs15-tool --list-info # serial numbers redacted
PKCS#15 Card [CardOS V5.3 | EC00FFFFF]:
Version : 0
Serial number : 31
Manufacturer ID: Atos IT Solutions and Services GmbH
Flags : Login required, PRN generation
sc_supported_algo_info[0]:
reference : 1 (0x01)
mechanism : [0x01] CKM_RSA_PKCS
operations : [0xa2], compute_signature, decipher, generate/derive_key
algo_id : 1.2.840.113549.1.1.1
algo_ref : [0x0c]
sc_supported_algo_info[1]:
reference : 2 (0x02)
mechanism : [0x01] CKM_RSA_PKCS
operations : [0x82], compute_signature, generate/derive_key
algo_id : 1.2.840.113549.1.1.1
algo_ref : [0x88]
sc_supported_algo_info[2]:
reference : 3 (0x03)
mechanism : [0x01] CKM_RSA_PKCS
operations : [0xa0], decipher, generate/derive_key
algo_id : 1.2.840.113549.1.1.1
algo_ref : [0x08]
sc_supported_algo_info[3]:
reference : 4 (0x04)
mechanism : [0x06] CKM_SHA1_RSA_PKCS
operations : [0x02], compute_signature
algo_id : 1.2.840.113549.1.1.5
algo_ref : [0x88]
sc_supported_algo_info[4]:
reference : 17 (0x11)
mechanism : [0x03] CKM_RSA_X_509
operations : [0xa2], compute_signature, decipher, generate/derive_key
algo_id : 1.2.840.113549.1.1.1
algo_ref : [0x0a]
sc_supported_algo_info[5]:
reference : 18 (0x12)
mechanism : [0x03] CKM_RSA_X_509
operations : [0x82], compute_signature, generate/derive_key
algo_id : 1.2.840.113549.1.1.1
algo_ref : [0x86]
sc_supported_algo_info[6]:
reference : 19 (0x13)
mechanism : [0x03] CKM_RSA_X_509
operations : [0xa0], decipher, generate/derive_key
algo_id : 1.2.840.113549.1.1.1
algo_ref : [0x06]
sc_supported_algo_info[7]:
reference : 20 (0x14)
mechanism : [0x06] CKM_SHA1_RSA_PKCS
operations : [0x02], compute_signature
algo_id : 1.2.840.113549.1.1.5
algo_ref : [0x86]
Hello, cała Polska czekała na ten projekt :poland: :credit_card: :poland:
I know you are working only with KIR card, but I have tried to use this with an EuroCert card and using
opensc-pkcs11.so
PKCS#11 driver that seem to support those cards just fine:An attempt to sign a login document from https://pz.gov.pl fails because the card does not support
CKM_SHA256_RSA_PKCS
and results in the following exception:Here is what my PKCS#11 driver reports:
In theory, the solution is easy - hash first in the software and use
CKM_RSA_PKCS
mechanism as a fall back. But with Java, the questions is which layer should detect this and change the mechanism used.Big thanks for putting this out - it's a new hope for me!