vletoux / GidsApplet

Generic Identity Device Specification Applet
GNU General Public License v3.0

Bad RSA signatures generated by JavaCOS A22 #3

Closed PaulSD closed 8 years ago

PaulSD commented 8 years ago

I've successfully used GidsApplet on a SmartCafe Expert 6.0 80K card. However, I'm having trouble using GidsApplet on a JavaCOS A22 card - GidsApplet on this card seems to generate invalid RSA signatures. I'm not sure how to go about debugging this, so I'm wondering if you can point me in the right direction?

I purchased this card from here: http://www.smartcardfocus.com/shop/ilp/id~712/javacos-a22-dual-interface-java-card-150k/p/index.shtml

ATR is 3b:fc:18:00:00:81:31:80:45:90:67:46:4a:00:68:08:04:00:00:00:00:0e

I installed the Applet:

gp -install GidsApplet.cap

Then I tried to initialize it with gids-tool, but libopensc detected it as an entersafe card instead of a gids card - apparently the entersafe driver in libopensc matches this card based on ATR rather than Applet/Package ID. I commented out the ATR in src/libopensc/card-entersafe.c in opensc, then recompiled opensc to get past this issue. Then I initialized it:

openssl rand -rand /dev/urandom -hex 24 > admin_key
openssl rand -rand /dev/urandom 128 | tr -dc '[:alnum:]' | head -c 6 > pin ; echo >> pin
gids-tool --initialize --serial-number '' --admin-key "$(cat admin_key)" --pin "$(cat pin)"

And generated a key:

pkcs15-init --verify-pin --auth-id 80 --pin "$(cat pin)" --generate-key rsa/2048 --id 0 --label 'testKey'

Everything seemed to be working fine up until this point.

Then I tried to generate a cert request, but openssl failed when validating the request's signature:

$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/ssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
OpenSSL> req -new -engine pkcs11 -keyform engine -key 0  -subj '/CN=request' -out request -verify
engine "pkcs11" set.
PKCS#11 token PIN: 
verify failure
139997861942936:error:04070066:rsa routines:RSA_padding_check_PKCS1_type_1:bad fixed header decrypt:rsa_pk1.c:116:
139997861942936:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:
139997861942936:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:
OpenSSL> 

Generating a private key using openssl and loading it on the card (rather than generating the key on the card) does not change the behavior:

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
pkcs11-tool --login --pin "$(cat pin)" --write-object private_key.pem --type privkey

Any pointers you can give me to help troubleshoot this would be appreciated. Thanks!
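The "bad fixed header decrypt" error in the OpenSSL output above comes from its PKCS#1 v1.5 padding check rejecting the block recovered with the public key. The following is an added Python example (not part of GidsApplet, OpenSC or this issue) that performs that check layer by layer, so a practitioner can tell a padding defect from a digest mismatch or a signature corrupted in transit. The key pair, messages and failure cases are all constructed in-process (a toy 1024-bit key is generated for speed; the issue uses 2048), and `gen_rsa_keypair`, `rsa_sign`, `diagnose_signature` and `run_demo` are the example's own names. Python 3.8+ is assumed for `pow(e, -1, phi)`.

```python
"""Triage of a PKCS#1 v1.5 RSA signature: recover the encoded block with the
public key and report which layer of the padding check fails.
Added diagnostic example; not part of GidsApplet, OpenSC or OpenSSL."""
import functools
import hashlib
import random

# DigestInfo prefix for SHA-256 from RFC 8017, section 9.2, note 1.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin with a trial-division prefilter (demo quality only)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_keypair(bits=1024, seed=1):
    """Toy RSA key generation, deterministic for the seed. Returns (n, e, d)."""
    rng = random.Random(seed)
    e = 65537

    def prime(nbits):
        while True:
            c = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1  # force size and oddness
            if is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(message, k):
    """EM = 0x00 || 0x01 || PS (all 0xFF) || 0x00 || DigestInfo, exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(message, n, d):
    """Correct RSASSA-PKCS1-v1_5 signature over SHA-256 of message."""
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_encode(message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def diagnose_signature(signature, message, n, e):
    """Mirror the verifier's padding check step by step and name the failing layer."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return "wrong signature length"
    s = int.from_bytes(signature, "big")
    if s >= n:
        return "signature not below modulus"
    em = pow(s, e, n).to_bytes(k, "big")          # raw public-key operation
    if em[:2] != b"\x00\x01":                     # OpenSSL: "bad fixed header"
        return "bad fixed header"
    sep = em.find(b"\x00", 2)                     # first zero after the header
    if sep < 0 or sep - 2 < 8 or any(b != 0xFF for b in em[2:sep]):
        return "bad padding string"
    t = em[sep + 1:]
    if not t.startswith(SHA256_DIGESTINFO) or len(t) != len(SHA256_DIGESTINFO) + 32:
        return "bad DigestInfo"
    if t[len(SHA256_DIGESTINFO):] != hashlib.sha256(message).digest():
        return "digest mismatch"
    return "ok"


@functools.lru_cache(maxsize=None)
def run_demo():
    """Diagnose one good signature and three constructed failure cases."""
    n, e, d = gen_rsa_keypair()
    k = (n.bit_length() + 7) // 8
    msg = b"constructed certificate request body"      # constructed sample input
    good = rsa_sign(msg, n, d)
    # Constructed failure 1: signer applied the private key to the bare hash, no EMSA padding.
    bare = pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n).to_bytes(k, "big")
    # Constructed failure 2: well-formed padding, but over a different message.
    other = rsa_sign(b"some other message", n, d)
    # Constructed failure 3: one byte of a good signature altered in transit.
    corrupt = bytearray(good)
    corrupt[10] ^= 0xFF
    return {
        "good": diagnose_signature(good, msg, n, e),
        "bare_hash": diagnose_signature(bare, msg, n, e),
        "other_message": diagnose_signature(other, msg, n, e),
        "corrupted": diagnose_signature(bytes(corrupt), msg, n, e),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} -> {verdict}")
```

To apply this to a real card, extract the signature and the public key from the DER request (for example with `openssl asn1parse`) and pass them to `diagnose_signature`; a verdict of "bad fixed header" on every signature points at the signing side rather than at the hash or the request encoding.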

vletoux commented 8 years ago

How long ago did you buy this card? Before January? There was a bug in the card firmware generating invalid RSA signatures. Then when generating RSA keys. Contact smartcardfocus and ask for a replacement. (I did it too)

For the ATR, the applet should ask the card to change it.

Vincent

PaulSD commented 8 years ago

Yes, I bought it before January. I will contact smartcardfocus.

Thanks!