Comments (5)
With 0494e46 in pkcs15-framework.c, sc_pkcs15_decrypt is called twice if the first call fails and PKCS#1 v1.5 is not in use. So why limit the test to PKCS#1 v1.5 padding?
It looks like ca08e97 from 2011 was trying to: "Limit the number of cases when applicated re-selection of application DF to strict minimum." It calls sc_pkcs15_decrypt a second time if it failed for any reason, trying to avoid having to call reselect_app_df. I don't know what cards are depending on this feature.
The PIV card does not depend on this, as it uses the sc_card_operations card_reader_lock_obtained callback to select the PIV AID when the first lock is obtained after SCardBeginTransaction locks the reader. Nine other card drivers also use this callback.
So the real fix may be removing most if not all of ca08e97 and making sure all card drivers use card_reader_lock_obtained to reselect_app_df if needed. (A select AID is a form of select app df.)
Part of 0494e46
@@ -4609,27 +4611,53 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_session *session, void *obj,
rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted), pMechanism);
- if (rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
+ /* skip for PKCS#1 v1.5 padding prevent side channel attack */
+ if (!(flags & SC_ALGORITHM_RSA_PAD_PKCS1) &&
+ rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
if (reselect_app_df(fw_data->p15_card) == SC_SUCCESS)
rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted), pMechanism);
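Review bot: the new guard `!(flags & SC_ALGORITHM_RSA_PAD_PKCS1)` only switches the retry off for PKCS#1 v1.5, while `rv < 0` still triggers `reselect_app_df()` plus a second `sc_pkcs15_decipher()` on any failure for every other padding mode, so a decipher that fails for a reason unrelated to application selection is still repeated and the caller sees the second call's return code instead of the original one. Consider restricting the retry to the error that actually indicates a lost application selection rather than any negative `rv`, and rewording the comment so it says what is being avoided, e.g. `/* no reselect-and-retry for PKCS#1 v1.5: the extra commands would make a padding failure observable */`.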
from opensc.
The PIV card does not depend on this, as it uses the sc_card_operations card_reader_lock_obtained callback to select the PIV AID when the first lock is obtained after SCardBeginTransaction locks the reader. Nine other card drivers also use this callback.
Correct. I think we were moving most of the card drivers to use card_reader_lock_obtained, but it was much later than this commit was created, so this might not be needed at all anymore.
So the real fix may be removing most if not all of ca08e97 and making sure all card drivers use card_reader_lock_obtained to reselect_app_df if needed. (A select AID is a form of select app df.)
Yes, that was also my thinking, that we should be able to remove this part (not only because it clearly does not play well with the always-authenticate keys in PIV).
Does anyone have the backup of the old issue tracker? The issue IDs in this old commit, I think, are from the opensc-project.org and not from GitHub. Let's try our luck @viktorTarasov ?
from opensc.
I agree that always reselecting the applet in case of an error destroys the correct error code. However, card_reader_lock_obtained is currently only used in the scope of the card driver and typically checks whether the card application associated with the card driver is selected. Native OS card drivers (e.g. cardos) are offering DF selection via AID and would all have to implement card_reader_lock_obtained, including the state tracking in XXX_select_file on what AID is selected.
In the past, we have removed the use of struct sc_card_cache, because it was causing many issues when concurrently running applications were used. And thinking about this, I believe this could now probably be fixed by setting the cache to some unknown state in card_reader_lock_obtained, meaning that we cannot use a shortcut in path selection and we may have to recover the current DF in case of an error (not only in case of a private key operation, but also in case of, for example, EF selection). However, I believe that tracking all this introduces a lot of complexity that will be used very rarely.
In my opinion, our best option would be to remove the heuristic introduced with ca08e97, because a) we cannot fix this at the PKCS#11 level and b) use_key() uses sc_lock() to bind the private key selection together with the actual usage of the key so that no other application can interfere. I think sc_pkcs15_encrypt/decrypt_sym() are the only cryptographic operations that do not use use_key() in the end, and we may have to review the locking here (it looks like they have a misplaced logging command about sc_lock without actually locking the card...). In short, yes, remove it, but please in the next release.
from opensc.
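The two designs the thread contrasts, as an added model that is not OpenSC code: the "retry after reselect" heuristic guarded in the hunk above, beside the approach proposed in the previous comment, where the card driver reselects its application in a lock-obtained callback (invoked when the lock is taken) and the decipher command is sent exactly once with its error code passed through. All names here (model_card, model_driver_ops, MODEL_AID, the one-byte "ciphertext" whose parity stands for the padding check) are hypothetical, constructed for the example; the counter of card commands is the quantity that differs between a valid and an invalid padding under the old heuristic and stays the same under the proposed one.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_SUCCESS           0
#define MODEL_ERR_WRONG_APP    -1  /* command reached the card while another applet was selected */
#define MODEL_ERR_BAD_PADDING  -2  /* DECIPHER ran and the PKCS#1 v1.5 padding check failed */

/* Simulated card state (constructed): which AID is selected and how many
 * commands have been sent; the command count is what an observer could see. */
struct model_card {
    char selected_aid[32];
    int  select_count;
    int  decipher_count;
};

/* Hypothetical driver operations, modelled after the card_reader_lock_obtained
 * callback named in the thread; not OpenSC's sc_card_operations. */
struct model_driver_ops {
    const char *aid;
    int (*card_reader_lock_obtained)(struct model_card *, const struct model_driver_ops *);
};

static int model_select_aid(struct model_card *card, const char *aid)
{
    card->select_count++;
    strncpy(card->selected_aid, aid, sizeof card->selected_aid - 1);
    card->selected_aid[sizeof card->selected_aid - 1] = '\0';
    return MODEL_SUCCESS;
}

/* Driver callback: once the reader lock is held, reselect our applet only if
 * another application switched the card to a different one in between. */
static int model_lock_obtained(struct model_card *card, const struct model_driver_ops *ops)
{
    if (strcmp(card->selected_aid, ops->aid) != 0)
        return model_select_aid(card, ops->aid);
    return MODEL_SUCCESS;
}

/* Simulated DECIPHER on a one-byte "ciphertext" (constructed): an even byte
 * stands for valid PKCS#1 v1.5 padding, an odd byte for a padding failure. */
static int model_decipher(struct model_card *card, const char *expected_aid, unsigned char ct)
{
    card->decipher_count++;
    if (strcmp(card->selected_aid, expected_aid) != 0)
        return MODEL_ERR_WRONG_APP;
    return (ct % 2 == 0) ? MODEL_SUCCESS : MODEL_ERR_BAD_PADDING;
}

/* The heuristic the hunk in the thread guards: on any failure, reselect the
 * application DF and send the DECIPHER again. */
static int decrypt_with_retry(struct model_card *card, const struct model_driver_ops *ops, unsigned char ct)
{
    int rv = model_decipher(card, ops->aid, ct);
    if (rv < 0) {
        model_select_aid(card, ops->aid);   /* stands in for reselect_app_df() */
        rv = model_decipher(card, ops->aid, ct);
    }
    return rv;
}

/* The design proposed in the thread: reselection happens in the lock callback
 * (the locking layer would invoke it), DECIPHER is sent exactly once, and its
 * error code is returned unchanged. */
static int decrypt_under_lock(struct model_card *card, const struct model_driver_ops *ops, unsigned char ct)
{
    int rv = ops->card_reader_lock_obtained(card, ops);
    if (rv < 0)
        return rv;
    return model_decipher(card, ops->aid, ct);
}

static const struct model_driver_ops model_ops = { "MODEL_AID", model_lock_obtained };

/* Run one decrypt on a fresh card whose currently selected AID is
 * initially_selected; returns the number of card commands sent and, via
 * rv_out, the result code. */
static int run_scenario(int use_retry, const char *initially_selected, unsigned char ct, int *rv_out)
{
    struct model_card card = { "", 0, 0 };
    strncpy(card.selected_aid, initially_selected, sizeof card.selected_aid - 1);
    int rv = use_retry ? decrypt_with_retry(&card, &model_ops, ct)
                       : decrypt_under_lock(&card, &model_ops, ct);
    if (rv_out)
        *rv_out = rv;
    return card.select_count + card.decipher_count;
}

int main(void)
{
    const char *what[2] = { "reselect-in-lock-callback", "retry-after-failure" };
    for (int retry = 1; retry >= 0; retry--) {
        for (unsigned char ct = 2; ct <= 3; ct++) {
            int rv;
            int n = run_scenario(retry, "MODEL_AID", ct, &rv);
            printf("%-26s padding %s: %d command(s), rv=%d\n",
                   what[retry], ct % 2 == 0 ? "valid  " : "invalid", n, rv);
        }
    }
    return 0;
}
```

With the applet already selected, the retry variant sends one command for a valid padding and three for an invalid one (DECIPHER, SELECT, DECIPHER), while the lock-callback variant sends one command either way and reselects only when a different applet was actually selected beforehand; the original DECIPHER error code also survives, which is the point made in the previous comment about reselection destroying it.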
Sounds like a plan. I would suggest that @xhanulik start with the decrypt, as reselect is causing problems with the "prevent side channel attack".
from opensc.
Sure, I will take a look into it.
from opensc.