Bad signature generated by pkcs15-crypt ?

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Bad signature generated by pkcs15-crypt ?

Joerg.Kesten
Hi everyone,
 
I am using the Gemalto Open GPG dongle v2.1 with a RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But is not just truncated, comparing to a valid signature generated with openssl it looks completely different.
 
I am doing the following:
$ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256  > dgst.txt                                                                                                                                                                                   
$ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
$ echo -ne "CgABEQS/SUEAAAAAAAAINA=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
Verification Failure
 
Doing the same with slightly altered input data runs fine:
$ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256  > dgst.txt
$ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
$ echo -ne "CgABEQS/SUEAAAAAAAAINB=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
Verified OK
 
This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i dgst.txt -o sig.txt) , again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public and private key stored on the card  I used for this example (which I explicitly generated for this test ;-) )
 
I have no idea what I might be doing wrong, any help would be highly appreciated!
Thanks
Jörg

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

bad_signature.txt (43K) Download Attachment
good_signature.txt (42K) Download Attachment
privkey.pem (3K) Download Attachment
pubkey.pem (814 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Douglas E Engert
I don't think you are doing anything wrong, but the openpgp card is.

Using your private key:
echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -sign privkey.pem -sha256  > sig.a

/tmp$ od -t x1 sig.a
0000000 00 8c f6 db 29 a7 d7 bd b3 63 4c fe d6 a9 fb a5
0000020 e0 38 7a ca a8 d4 9c 36 99 ab f6 2e 81 45 26 a7
0000040 60 4b 25 91 67 7e 86 31 10 5a db b4 86 d3 98 4d
0000060 34 94 0e 5e 0a ba 00 e0 47 2b e6 d2 1a d8 8a 61
0000100 d1 d1 69 c1 3c 02 ac 9d 2a af 23 0d cb 4f 40 a7
0000120 42 38 62 4b 6c b6 47 9d 36 80 f7 7c 17 60 49 46
0000140 a3 a9 92 73 44 0a 3f 6b ed de ff 85 76 f3 f2 32
0000160 6f 56 f3 1d dd c6 0d fe d0 99 e2 bd 1e 33 ea de
0000200 f1 00 a1 35 2c 80 e2 b9 cc da 23 fc c5 25 f1 05
0000220 7c 42 2b 99 3c ea a8 be 9d 00 da bc b1 da 6f 4d
...
0000660 a8 46 f4 46 c9 b2 ad 8d bf 9f 55 35 00 aa d9 5c
0000700 a2 29 7b c0 00 d0 dc d3 82 4c a9 18 55 f0 c0 74
0000720 bb 7d 6e 4b e0 b7 0f 84 c5 49 e2 92 f3 9c 9d 1c
0000740 9c 58 f4 12 d5 4b 36 db b2 3f d2 a2 ff 49 fb 7e
0000760 cd 94 33 4e f6 fd 78 cb 2c 7d a2 55 01 d4 7b 48

The signatire is 512 bytes with the first byte being 0x00

in bad_signature.txt lines 597-612 return 513 bytes, signature + 9000

*BUT* the card is tot returning the leading 0x00!
It appears it is a problem with the card, not with OpenSC.





On 2/19/2016 9:08 AM, [hidden email] wrote:

> Hi everyone,
> I am using the Gemalto Open GPG dongle v2.1 with a RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for
> about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But is not just truncated, comparing to a valid signature generated with openssl it looks completely
> different.
> I am doing the following:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256  > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verification Failure
> Doing the same with slightly altered input data runs fine:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256  > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verified OK
> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i
> dgst.txt -o sig.txt) , again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public
> and private key stored on the card  I used for this example (which I explicitly generated for this test ;-) )
> I have no idea what I might be doing wrong, any help would be highly appreciated!
> Thanks
> Jörg
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Douglas E Engert
In reply to this post by Joerg.Kesten
Some one who knows the card-openpgp.c code needs to look at this.


One more comment. Mathematically, the RSA signature is a large integer. But when used in certificates it is stored as
an ASN.1 BIT STRING with leading 0 (because signature is multiple of 8 bits)  followed by the 512 bytes of the signature for the 4096 bit key.
So there is a 1/256 chance the first byte of the actual signature being zero. (I have one such certificate.)
Your card is dropping the leading zero.

I would have assumed that if all openpgp cards dropped a leading zero byte, that this would have showed up long ago
as a bug in the OpenSC openpgp driver. I could be wrong. But code could be added to the driver to handle this.
It may be OpenPGP does not care, but when used within OpenSC, the leading byte should be there.


On 2/19/2016 9:08 AM, [hidden email] wrote:

> Hi everyone,
> I am using the Gemalto Open GPG dongle v2.1 with a RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for
> about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But is not just truncated, comparing to a valid signature generated with openssl it looks completely
> different.
> I am doing the following:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256  > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verification Failure
> Doing the same with slightly altered input data runs fine:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256  > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verified OK
> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i
> dgst.txt -o sig.txt) , again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public
> and private key stored on the card  I used for this example (which I explicitly generated for this test ;-) )
> I have no idea what I might be doing wrong, any help would be highly appreciated!
> Thanks
> Jörg
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Joerg.Kesten
Thanks for your quick reply!

I would also have thought that if this is a general issue with the card
it would have shown up a long time ago...

But if I understood your comment correctly it is really "just" a missing
leading zero, right? In that case it would be relatively straight
forward and a valid workaround to detect and correct this from opensc
without introducing some security issue?

I am obviously not familiar with the source code in card-openpgp and not
an expert in this area, but if someone points me to the right functions
I'd need to look at I'd be happy to help adding this.


On 20.02.2016 16:41, Douglas E Engert wrote:

> Some one who knows the card-openpgp.c code needs to look at this.
>
>
> One more comment. Mathematically, the RSA signature is a large integer. But when used in certificates it is stored as
> an ASN.1 BIT STRING with leading 0 (because signature is multiple of 8 bits)  followed by the 512 bytes of the signature for the 4096 bit key.
> So there is a 1/256 chance the first byte of the actual signature being zero. (I have one such certificate.)
> Your card is dropping the leading zero.
>
> I would have assumed that if all openpgp cards dropped a leading zero byte, that this would have showed up long ago
> as a bug in the OpenSC openpgp driver. I could be wrong. But code could be added to the driver to handle this.
> It may be OpenPGP does not care, but when used within OpenSC, the leading byte should be there.
>
>
> On 2/19/2016 9:08 AM, [hidden email] wrote:
>> Hi everyone,
>> I am using the Gemalto Open GPG dongle v2.1 with a RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for
>> about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But is not just truncated, comparing to a valid signature generated with openssl it looks completely
>> different.
>> I am doing the following:
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256  > dgst.txt
>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>> Verification Failure
>> Doing the same with slightly altered input data runs fine:
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256  > dgst.txt
>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>> Verified OK
>> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i
>> dgst.txt -o sig.txt) , again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
>> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public
>> and private key stored on the card  I used for this example (which I explicitly generated for this test ;-) )
>> I have no idea what I might be doing wrong, any help would be highly appreciated!
>> Thanks
>> Jörg
>>
>>
>> ------------------------------------------------------------------------------
>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>> Monitor end-to-end web transactions and take corrective actions now
>> Troubleshoot faster and improve end-user experience. Signup Now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>>
>>
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> [hidden email]
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Douglas E Engert
Try the attache patch. It is against http:/github.com/OpenSC/OpenSC

Using the data and key thea produces the short signature you should see in debug log:
Incoming APDU data [  513 bytes] =====================================
...
card-openpgp.c:XXXX:pgp_compute_signature: returning with: 512
where it used to say 511

On 2/21/2016 3:53 AM, Joerg Kesten wrote:

> Thanks for your quick reply!
>
> I would also have thought that if this is a general issue with the card
> it would have shown up a long time ago...
>
> But if I understood your comment correctly it is really "just" a missing
> leading zero, right? In that case it would be relatively straight
> forward and a valid workaround to detect and correct this from opensc
> without introducing some security issue?
>
> I am obviously not familiar with the source code in card-openpgp and not
> an expert in this area, but if someone points me to the right functions
> I'd need to look at I'd be happy to help adding this.
>
>
> On 20.02.2016 16:41, Douglas E Engert wrote:
>> Some one who knows the card-openpgp.c code needs to look at this.
>>
>>
>> One more comment. Mathematically, the RSA signature is a large integer. But when used in certificates it is stored as
>> an ASN.1 BIT STRING with leading 0 (because signature is multiple of 8 bits)  followed by the 512 bytes of the signature for the 4096 bit key.
>> So there is a 1/256 chance the first byte of the actual signature being zero. (I have one such certificate.)
>> Your card is dropping the leading zero.
>>
>> I would have assumed that if all openpgp cards dropped a leading zero byte, that this would have showed up long ago
>> as a bug in the OpenSC openpgp driver. I could be wrong. But code could be added to the driver to handle this.
>> It may be OpenPGP does not care, but when used within OpenSC, the leading byte should be there.
>>
>>
>> On 2/19/2016 9:08 AM, [hidden email] wrote:
>>> Hi everyone,
>>> I am using the Gemalto Open GPG dongle v2.1 with a RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for
>>> about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But is not just truncated, comparing to a valid signature generated with openssl it looks completely
>>> different.
>>> I am doing the following:
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256  > dgst.txt
>>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>>> Verification Failure
>>> Doing the same with slightly altered input data runs fine:
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256  > dgst.txt
>>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt  --sha-256 --pkcs1 -p 123456
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB=="  | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>>> Verified OK
>>> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i
>>> dgst.txt -o sig.txt) , again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
>>> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public
>>> and private key stored on the card  I used for this example (which I explicitly generated for this test ;-) )
>>> I have no idea what I might be doing wrong, any help would be highly appreciated!
>>> Thanks
>>> Jörg
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>>> Monitor end-to-end web transactions and take corrective actions now
>>> Troubleshoot faster and improve end-user experience. Signup Now!
>>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>>>
>>>
>>>
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> [hidden email]
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

openpgp-short-signature.txt (646 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Douglas E Engert
The patch I sent you has a bug:

memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
should be:

memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */


I have not tried the patch.

On 2/21/2016 7:53 AM, Douglas E Engert wrote:

> Try the attache patch. It is against http:/github.com/OpenSC/OpenSC
>


--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Joerg.Kesten
Thanks for providing this patch, with this I got it _almost_ working :-)
 
I ran into one real and two minor issues:
1) The real issue is that the outlen does not seem to be the expected signature length,
but the size of the buffer with some extra space. In my case it is 1024 and not the expected
512, so this does not work. But I guess it would be possible to compute the expected signature
length in a general way?
 
2) Minor techical issues: the apdu was not updated in the end to return the new length,
and src and dest were mixed up in the memmove
 
With this hacked up version of your patch I was able to get a valid signature :-) , but obviously it works only
for exactly my usecase with at most one leading zero:
 
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -1656,6 +1656,13 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
        r = sc_check_sw(card, apdu.sw1, apdu.sw2);
        LOG_TEST_RET(card->ctx, r, "Card returned error");
 
+       /* some cards may drop leading 0x00 byte on a signature */
+       if (apdu.resplen < 512) {
+           memmove(out + 1 , out,  apdu.resplen); /* overlaping */
+           memset(out, 0, 1);
+           apdu.resplen = 512;
+       }
+
 
 
 
Gesendet: Sonntag, 21. Februar 2016 um 20:54 Uhr
Von: "Douglas E Engert" <[hidden email]>
An: [hidden email]
Betreff: Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
The patch I sent you has a bug:

memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
should be:

memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */


I have not tried the patch.

On 2/21/2016 7:53 AM, Douglas E Engert wrote:

> Try the attache patch. It is against http:/github.com/OpenSC/OpenSC
>


--

Douglas E. Engert <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Douglas E Engert

On 2/22/2016 9:51 AM, [hidden email] wrote:
> Thanks for providing this patch, with this I got it _almost_ working :-)
> I ran into one real and two minor issues:
> 1) The real issue is that the outlen does not seem to be the expected signature length,
> but the size of the buffer with some extra space. In my case it is 1024 and not the expected
> 512, so this does not work. But I guess it would be possible to compute the expected signature
> length in a general way?

sc_pkcs15_compute_signature set modlen lines 324-336 from the type of key and its size, then tests if outlen is big enough:

339 if (inlen > sizeof(buf) || outlen < modlen)

But then it passes to lower levels, it passes outlen:

434         r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen,
435                         out, outlen);

In all cases other then the card you have this is not a problem.

So one possible fix is to set line 435 to:
                            out, modlen);
then do the memmove stuff if its too short.

BUT THIS IS A GLOBAL CHANGE, and would need testing for other cards. I don't see why it would be an issue,
but you never know...

If you try and do an openpgp only fix, it looks like by the time pgp_set_security_env and pgp_compute_signature
are called, they size of the key is not known, just the outlen. Som info cold be saved in the

Another way: card-openpgp.c  only supports RSA. And only 4K, 2K and maybe 1K keys are used.
So if apdu.resplen within 4 bytes of one of these values, assume it is dropped 1, 2, 3 or 4 bytes,
and do the memmove stuff then. (Not perfect, but chance of failure to catch a short signature is 1/2^32)

There may be more info in the OpenPGP documents that would show how to save the key size internally
in one of the card-openpgp.c internal structures.


> 2) Minor techical issues: the apdu was not updated in the end to return the new length,
> and src and dest were mixed up in the memmove

OK, I never tested the code. good to here you got it working.

> With this hacked up version of your patch I was able to get a valid signature :-) , but obviously it works only
> for exactly my usecase with at most one leading zero:
> --- a/src/libopensc/card-openpgp.c
> +++ b/src/libopensc/card-openpgp.c
> @@ -1656,6 +1656,13 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
>          r = sc_check_sw(card, apdu.sw1, apdu.sw2);
>          LOG_TEST_RET(card->ctx, r, "Card returned error");
>
> +       /* some cards may drop leading 0x00 byte on a signature */
> +       if (apdu.resplen < 512) {
> +           memmove(out + 1 , out,  apdu.resplen); /* overlaping */
> +           memset(out, 0, 1);
> +           apdu.resplen = 512;
> +       }
> +
> *Gesendet:* Sonntag, 21. Februar 2016 um 20:54 Uhr
> *Von:* "Douglas E Engert" <[hidden email]>
> *An:* [hidden email]
> *Betreff:* Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
> The patch I sent you has a bug:
>
> memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
> should be:
>
> memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */
>
>
> I have not tried the patch.
>
> On 2/21/2016 7:53 AM, Douglas E Engert wrote:
>
>  > Try the attache patch. It is against http:/github.com/OpenSC/OpenSC
>  >
>
>
> --
>
> Douglas E. Engert <[hidden email]>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Joerg.Kesten
Hi again,

thanks for your suggestions!
I took another look at this, but I did not find a nice solution to pass the information of the modlen
to the lower layers without having to change the API, which would probably be too much of a hazzle for everyone else.

But what about checking the returned length in sc_pkcs15_compute_signature itself? By this we'd still make the
entire outlen available to the drivers (in case someone needs more than modlen e.g. for temporary data), and would only
alter something if the retured data is less than modlen (but no error code), which to my understanding would
always be unwanted behavior.
 
The modified patch looks like this:

diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
index 019d8a1..9c78acb
--- a/src/libopensc/pkcs15-sec.c
+++ b/src/libopensc/pkcs15-sec.c
@@ -433,6 +433,14 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
 
        r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen,
                        out, outlen);
+
+       if (r >= 0 && (size_t)r < modlen) // returned size smaller than expected, add leading zeros
+       {
+               memmove(out + (modlen -r ), out, r); /* overlapping */
+               memset(out, 0, modlen -r );
+               r = modlen;
+       }
+
        LOG_TEST_RET(ctx, r, "use_key() failed");

 
This is working fine for me, I tested it with about 10000 different input strings, but obviously just with my card and
with this one use case.



Gesendet: Montag, 22. Februar 2016 um 19:16 Uhr
Von: "Douglas E Engert" <[hidden email]>
An: [hidden email]
Betreff: Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
On 2/22/2016 9:51 AM, [hidden email] wrote:
> Thanks for providing this patch, with this I got it _almost_ working :-)
> I ran into one real and two minor issues:
> 1) The real issue is that the outlen does not seem to be the expected signature length,
> but the size of the buffer with some extra space. In my case it is 1024 and not the expected
> 512, so this does not work. But I guess it would be possible to compute the expected signature
> length in a general way?

sc_pkcs15_compute_signature set modlen lines 324-336 from the type of key and its size, then tests if outlen is big enough:

339 if (inlen > sizeof(buf) || outlen < modlen)

But then it passes to lower levels, it passes outlen:

434 r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen,
435 out, outlen);

In all cases other then the card you have this is not a problem.

So one possible fix is to set line 435 to:
out, modlen);
then do the memmove stuff if its too short.

BUT THIS IS A GLOBAL CHANGE, and would need testing for other cards. I don't see why it would be an issue,
but you never know...

If you try and do an openpgp only fix, it looks like by the time pgp_set_security_env and pgp_compute_signature
are called, they size of the key is not known, just the outlen. Som info cold be saved in the

Another way: card-openpgp.c only supports RSA. And only 4K, 2K and maybe 1K keys are used.
So if apdu.resplen within 4 bytes of one of these values, assume it is dropped 1, 2, 3 or 4 bytes,
and do the memmove stuff then. (Not perfect, but chance of failure to catch a short signature is 1/2^32)

There may be more info in the OpenPGP documents that would show how to save the key size internally
in one of the card-openpgp.c internal structures.


> 2) Minor techical issues: the apdu was not updated in the end to return the new length,
> and src and dest were mixed up in the memmove

OK, I never tested the code. good to here you got it working.

> With this hacked up version of your patch I was able to get a valid signature :-) , but obviously it works only
> for exactly my usecase with at most one leading zero:
> --- a/src/libopensc/card-openpgp.c
> +++ b/src/libopensc/card-openpgp.c
> @@ -1656,6 +1656,13 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
> r = sc_check_sw(card, apdu.sw1, apdu.sw2);
> LOG_TEST_RET(card->ctx, r, "Card returned error");
>
> + /* some cards may drop leading 0x00 byte on a signature */
> + if (apdu.resplen < 512) {
> + memmove(out + 1 , out, apdu.resplen); /* overlaping */
> + memset(out, 0, 1);
> + apdu.resplen = 512;
> + }
> +
> *Gesendet:* Sonntag, 21. Februar 2016 um 20:54 Uhr
> *Von:* "Douglas E Engert" <[hidden email]>
> *An:* [hidden email]
> *Betreff:* Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
> The patch I sent you has a bug:
>
> memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
> should be:
>
> memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */
>
>
> I have not tried the patch.
>
> On 2/21/2016 7:53 AM, Douglas E Engert wrote:
>
> > Try the attache patch. It is against http:/github.com/OpenSC/OpenSC
> >
>
>
> --
>
> Douglas E. Engert <[hidden email]>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel[https://lists.sourceforge.net/lists/listinfo/opensc-devel]
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140[http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140]
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel[https://lists.sourceforge.net/lists/listinfo/opensc-devel]
>

--

Douglas E. Engert <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140[http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140]
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel[https://lists.sourceforge.net/lists/listinfo/opensc-devel]

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Bad signature generated by pkcs15-crypt ?

Douglas E Engert
Look OK to me for RSA, but may have issues with EC or GOST. So should only be done for RSA.

Others need to comment on this.

Can you submit this to github.com/OpenSC/OpenSC as a issue or pull request?

https://github.com/OpenSC/OpenSC/issues
https://github.com/OpenSC/OpenSC/pulls



On 2/24/2016 11:17 AM, [hidden email] wrote:

> Hi again,
>
> thanks for your suggestions!
> I took another look at this, but I did not find a nice solution to pass the information of the modlen
> to the lower layers without having to change the API, which would probably be too much of a hazzle for everyone else.
>
> But what about checking the returned length in sc_pkcs15_compute_signature itself? By this we'd still make the
> entire outlen available to the drivers (in case someone needs more than modlen e.g. for temporary data), and would only
> alter something if the retured data is less than modlen (but no error code), which to my understanding would
> always be unwanted behavior.
>
> The modified patch looks like this:
>
> diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
> index 019d8a1..9c78acb
> --- a/src/libopensc/pkcs15-sec.c
> +++ b/src/libopensc/pkcs15-sec.c
> @@ -433,6 +433,14 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
>
>          r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen,
>                          out, outlen);
> +
> +       if (r >= 0 && (size_t)r < modlen) // returned size smaller than expected, add leading zeros
> +       {
> +               memmove(out + (modlen -r ), out, r); /* overlapping */
> +               memset(out, 0, modlen -r );
> +               r = modlen;
> +       }
> +
>          LOG_TEST_RET(ctx, r, "use_key() failed");
>
>
> This is working fine for me, I tested it with about 10000 different input strings, but obviously just with my card and
> with this one use case.
>
>
>
> Gesendet: Montag, 22. Februar 2016 um 19:16 Uhr
> Von: "Douglas E Engert" <[hidden email]>
> An: [hidden email]
> Betreff: Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
> On 2/22/2016 9:51 AM, [hidden email] wrote:
>> Thanks for providing this patch, with this I got it _almost_ working :-)
>> I ran into one real and two minor issues:
>> 1) The real issue is that the outlen does not seem to be the expected signature length,
>> but the size of the buffer with some extra space. In my case it is 1024 and not the expected
>> 512, so this does not work. But I guess it would be possible to compute the expected signature
>> length in a general way?
>
> sc_pkcs15_compute_signature set modlen lines 324-336 from the type of key and its size, then tests if outlen is big enough:
>
> 339 if (inlen > sizeof(buf) || outlen < modlen)
>
> But then it passes to lower levels, it passes outlen:
>
> 434 r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen,
> 435 out, outlen);
>
> In all cases other then the card you have this is not a problem.
>
> So one possible fix is to set line 435 to:
> out, modlen);
> then do the memmove stuff if its too short.
>
> BUT THIS IS A GLOBAL CHANGE, and would need testing for other cards. I don't see why it would be an issue,
> but you never know...
>
> If you try and do an openpgp only fix, it looks like by the time pgp_set_security_env and pgp_compute_signature
> are called, they size of the key is not known, just the outlen. Som info cold be saved in the
>
> Another way: card-openpgp.c only supports RSA. And only 4K, 2K and maybe 1K keys are used.
> So if apdu.resplen within 4 bytes of one of these values, assume it is dropped 1, 2, 3 or 4 bytes,
> and do the memmove stuff then. (Not perfect, but chance of failure to catch a short signature is 1/2^32)
>
> There may be more info in the OpenPGP documents that would show how to save the key size internally
> in one of the card-openpgp.c internal structures.
>
>
>> 2) Minor techical issues: the apdu was not updated in the end to return the new length,
>> and src and dest were mixed up in the memmove
>
> OK, I never tested the code. good to here you got it working.
>
>> With this hacked up version of your patch I was able to get a valid signature :-) , but obviously it works only
>> for exactly my usecase with at most one leading zero:
>> --- a/src/libopensc/card-openpgp.c
>> +++ b/src/libopensc/card-openpgp.c
>> @@ -1656,6 +1656,13 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
>> r = sc_check_sw(card, apdu.sw1, apdu.sw2);
>> LOG_TEST_RET(card->ctx, r, "Card returned error");
>>
>> + /* some cards may drop leading 0x00 byte on a signature */
>> + if (apdu.resplen < 512) {
>> + memmove(out + 1 , out, apdu.resplen); /* overlaping */
>> + memset(out, 0, 1);
>> + apdu.resplen = 512;
>> + }
>> +
>> *Gesendet:* Sonntag, 21. Februar 2016 um 20:54 Uhr
>> *Von:* "Douglas E Engert" <[hidden email]>
>> *An:* [hidden email]
>> *Betreff:* Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
>> The patch I sent you has a bug:
>>
>> memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
>> should be:
>>
>> memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */
>>
>>
>> I have not tried the patch.
>>
>> On 2/21/2016 7:53 AM, Douglas E Engert wrote:
>>
>>> Try the attache patch. It is against http:/github.com/OpenSC/OpenSC
>>>
>>
>>
>> --
>>
>> Douglas E. Engert <[hidden email]>
>>
>>
>> ------------------------------------------------------------------------------
>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>> Monitor end-to-end web transactions and take corrective actions now
>> Troubleshoot faster and improve end-user experience. Signup Now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>> _______________________________________________
>> Opensc-devel mailing list
>> [hidden email]
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel[https://lists.sourceforge.net/lists/listinfo/opensc-devel]
>>
>>
>> ------------------------------------------------------------------------------
>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>> Monitor end-to-end web transactions and take corrective actions now
>> Troubleshoot faster and improve end-user experience. Signup Now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140[http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140]
>>
>>
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> [hidden email]
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel[https://lists.sourceforge.net/lists/listinfo/opensc-devel]
>>
>
> --
>
> Douglas E. Engert <[hidden email]>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140[http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140]
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel[https://lists.sourceforge.net/lists/listinfo/opensc-devel]
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel