philipWendland / IsoApplet

A Java Card PKI Applet aiming to be ISO 7816 compliant
GNU General Public License v3.0

Can't communicate with card, can't init the card. #24

Closed ofcaah closed 11 months ago

ofcaah commented 3 years ago

Hi!

I'm trying to create a virtual card for the sole purpose of having a card for digital signatures that can be used remotely, and while at it, with a private key known by me that can also be used outside the card. I understand the security implications.

To my understanding, the following setup should make it possible: vpcd from https://frankmorgner.github.io/vsmartcard/virtualsmartcard/ jCardSim from https://github.com/licel/jcardsim and isoApplet from here.

Not without some struggle I've managed to set things up, but unfortunately the rabbit hole is still going deeper :(

I've started all the tools as follows:

pcscd -f -d
java -classpath jcardsim-3.0.5-SNAPSHOT.jar:IsoApplet/src com.licel.jcardsim.remote.VSmartCard jcardsim_isoapplet.cfg

pcsc_scan reports:

Using reader plug'n play mechanism
Scanning present readers...
0: Virtual PCD 00 00
1: Virtual PCD 00 01

Sun Aug 30 20:21:29 2020
Reader 0: Virtual PCD 00 00
Event number: 1
Card state: Card inserted,
ATR: 3B 80 80 01 01

ATR: 3B 80 80 01 01

Possibly identified card (using /root/.cache/smartcard_list.txt):
3B 80 80 01 01
ISO 14443 Type B without historical bytes
Electronic Passport
Spanish passport (2012)
Canadian Passport
Venez_Prox
Reader 1: Virtual PCD 00 01
Event number: 0
Card state: Card removed,

Doing a:

pkcs15-init --card-profile /usr/share/opensc/isoApplet.profile -C -vvvvvvvvvvvvv --pin 1234 --puk 12345678

(--profile doesn't change things) causes polling of every known driver. Interesting bits:

P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card.c:341:sc_connect_card: trying driver 'isoApplet'
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card-isoApplet.c:114:isoApplet_select_applet: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:546:sc_transmit_apdu: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card.c:473:sc_lock: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:657:pcsc_lock: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card-isoApplet.c:1237:isoApplet_card_reader_lock_obtained: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card-isoApplet.c:1245:isoApplet_card_reader_lock_obtained: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card.c:513:sc_lock: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:513:sc_transmit: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:363:sc_single_transmit: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:367:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:0, data(12) 0x7f9ff6c75a28
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:297:pcsc_transmit: reader 'Virtual PCD 00 00'
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:298:pcsc_transmit: Outgoing APDU (17 bytes):
00 A4 04 00 0C F2 76 A2 88 BC FB A6 9D 34 F3 10 ......v......4..
01 .
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:216:pcsc_internal_transmit: called
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] reader-pcsc.c:307:pcsc_transmit: Incoming APDU (2 bytes):
69 99 i.
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] apdu.c:535:sc_transmit: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] card.c:523:sc_unlock: called
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] reader-pcsc.c:709:pcsc_unlock: called
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] iso7816.c:133:iso7816_check_sw: Unknown SWs; SW1=69, SW2=99
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] card-isoApplet.c:131:isoApplet_select_applet: Card returned error: -1200 (Card command failed)

Am I doing something wrong, or did I hit some obscure bug? Pretty much everything is current version from git, built today. Any hints will be much appreciated. Thanks.

Also tagging @philipWendland @frankmorgner as you were authors of most reading material I've consumed today :)

martinpaljak commented 3 years ago

This (6999) I guess comes from jcardsim and indicates not selectable applet. But you have selected a very long list of IMHO not needed layers to have something as simple as "key in software to sign things with".
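
Added example (not part of the original thread, and not IsoApplet, OpenSC or jCardSim code): a Python decoder for the SELECT exchange in the debug log of the first post, splitting the command APDU into its ISO 7816-4 fields, extracting the requested AID and mapping the status word the card returned. The function names and the small status-word table are this example's own; the two byte strings are copied from the log.

```python
# Added example: decode the SELECT exchange from the pkcs15-init debug log.
# Status words: 0x6999 is ISO7816.SW_APPLET_SELECT_FAILED in the Java Card API;
# 0x9000 and 0x6A82 are standard ISO 7816-4 values. The table is illustrative.
STATUS_WORDS = {
    0x9000: "success",
    0x6999: "applet selection failed (Java Card SW_APPLET_SELECT_FAILED)",
    0x6A82: "file or application not found",
}

# Byte strings copied from the log in the first post of the thread.
OUTGOING = "00 A4 04 00 0C F2 76 A2 88 BC FB A6 9D 34 F3 10 01"
INCOMING = "69 99"


def parse_command_apdu(hex_bytes):
    """Split a short-length command APDU into its ISO 7816-4 fields."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                  # case 2: Le only
        le = body[0]
    elif len(body) > 1:                 # case 3 or 4: Lc, data, optional Le
        lc = body[0]
        if lc == 0:
            raise ValueError("extended-length APDUs are not handled here")
        if len(body) not in (1 + lc, 2 + lc):
            raise ValueError("Lc=%d does not match %d body bytes" % (lc, len(body)))
        data = body[1:1 + lc]
        le = body[-1] if len(body) == 2 + lc else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def describe_select(cmd, response_hex):
    """Report which AID a SELECT-by-name asked for and how the card answered."""
    if cmd["ins"] != 0xA4 or cmd["p1"] != 0x04:
        raise ValueError("not a SELECT by DF name (INS=A4, P1=04)")
    resp = bytes.fromhex(response_hex)
    if len(resp) < 2:
        raise ValueError("response APDU must end in SW1 SW2")
    sw = (resp[-2] << 8) | resp[-1]
    return {"aid": cmd["data"].hex().upper(), "sw": "%04X" % sw,
            "meaning": STATUS_WORDS.get(sw, "unknown status word"),
            "selected": sw == 0x9000}


if __name__ == "__main__":
    print(describe_select(parse_command_apdu(OUTGOING), INCOMING))
```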

ofcaah commented 3 years ago

"key in software to sign things with".

Well, the whole idea behind this is to have a qualified key on a qualified device. I'll look at the jcardsim/isoApplet interface then; thanks for the pointer.

martinpaljak commented 3 years ago

Could you elaborate on what you are trying to achieve or what you mean by "qualified"?

ofcaah commented 3 years ago

https://en.wikipedia.org/wiki/Secure_signature_creation_device

Long story short: certificate providers insist (due to regulatory bodies insisting), that signature users shall not have access to private key used to sign things. Since (luckily) the card still has to generate the key pair, I want to know the private part of the pair that was generated. The whole process of issuing a certificate is remote. It's my guess that signature provider's software creates some kind of CSR with card's assistance.

martinpaljak commented 3 years ago

Secure signature creation device and qualified status in the context of EU eIDAS laws and software emulation like jcardsim or "random uncertified applets from the internet" do not really mix well?

ofcaah commented 3 years ago

Like I said, "I understand the security implications." - and I actually trust "random uncertified applets from the Internet" more than "closed blackbox that does things".

martinpaljak commented 3 years ago

Not trying to undermine trust in anything, just trying to understand how you would apply this in real life, like how would you convince a qualified certificate provider to issue any certificates to unattested devices. If they sign software certificates, why not use something like openssl for a software certificate without 4 layers of emulation (the stack described above)? If there is remote issuance to a device, it should by all means make use of secure channels.

ofcaah commented 3 years ago

Their software is communicating directly with card reader on end-user's PC

martinpaljak commented 3 years ago

So you want to try to intercept that communication and provide your own key in the csr?

ofcaah commented 3 years ago

Well, that would be one approach that could perhaps work if CSR isn't sent in some kind of a secure envelope itself. But I want to just provide my own card, that will generate key pair that's known to me (or even better -- will let me upload my own key to it)

martinpaljak commented 3 years ago

Do you think their software is using IsoApplet as the card communication protocol? Or you intend to modify IsoApplet to look and behave like whatever card they are targeting?

Assuming that there is indeed no secure messaging and you could intercept the key generation, please let me know of that CA in private.

ofcaah commented 3 years ago

I want to use virtual card reader (the one I'm using currently as described in OP) with virtual card in it. Perhaps with some name changes. But first I need to make things work, and I seem to be stuck on this 6999 :(

I also tried @frankmorgner 's vpicc/vicc component but it's either incomplete, or I'm missing something that causes python errors. I first need to be fairly confident with every piece before I try it for real, and currently I can't just make a virtual card that can generate a keypair and sign things with it.

And sure, I won't keep my success to myself :)

Oh, and from what I gather, their software is using PKCS, but I plan to test things once I have basics working

martinpaljak commented 3 years ago

While there are easy to understand security implications with software vs hardware keys (and legal compliance implications when it comes to signature validity, when dealing with qualified signatures) there are also implementation implications where my prior experience wants to give a friendly warning that getting opensc + virtualsmartcard + jcardsim + isoapplet to work (look into OpenSC travis here: https://github.com/OpenSC/OpenSC/blob/master/.travis.yml#L134) could be a nice small feat, but it will be the smallest and most obvious things to fix before you can do what I think you're trying to do. A "virtual card" is not precisely a "virtual machine" that both can be used to run a licensed copy of MS office.

ofcaah commented 3 years ago

one step at a time. ;) - worst case scenario is: I'll learn something new

martinpaljak commented 3 years ago

If the software is using PKCS#11, I'd recommend using something like SoftHSM instead of adding 4 extra emulation layers for no reason.

Long story short: for a learning experience (what it seems to be) this all is probably fun. But even for that I'd do some empirical research on the piece of software you are trying to meddle with (most importantly: pcsc traces. Maybe active debugging etc) to pinpoint what exactly you're trying to do (especially true if this is a learning experience vs exact idea of what you're trying to achieve)

This issue is not something that can be "fixed" in IsoApplet codebase with a PR. Seems more like something that should be discussed in some IRC channel.

ofcaah commented 3 years ago

Thanks for the pointers. Travis log is very close to what I remember doing. I'll see if I can get things working with it. After that I'll take a look at OpenHSM. Please PM me the IRC channel's location ;)

cellarweasel commented 3 months ago

I am also interested in knowing where people hang out to discuss JavaCard / Globalplatform development.
Where is the newbie friendly howto channel?