Issue with SignTrust TCOS Card


Holger Smolinski
Happy Easter Holidays!

I have run into an issue using a SignTrust TCOS Card (issuer: Deutsche
Telekom) in a Reiner SCT cyberjack smart card reader. I am using the
CTAPI driver supplied by ReinerSCT (libctapi-cyberjack).

I can't create signatures on the card using the default signature key in
slot 0. The error message is:
{ 0x6A87, SC_ERROR_INCORRECT_PARAMETERS,"Lc inconsistent with P1-P2" },
Using the keys in Slot 1 or 2 works fine for generating signatures.

I have attached a 'diff' of debug-files obtained at two different sign
operations. Lines prefixed with '-' belong to a failing attempt and
lines with '+' belong to a successful attempt.

From the debug data, I suppose, that signatures in the non-default
security environment succeed, while the signature in the default
security environment fails...

Unfortunately I got no idea why....can anybody comment and direct me
towards a fix?

 card.c:254:sc_transmit_apdu: called
 card.c:221:sc_transceive: Sending 8 bytes (resp. 258 bytes):
 00 22 C1 B8 03 84 01 80 ."......
-card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=6A SW2=88)
+card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)
 sec.c:67:sc_set_security_env: returning with: 0
 sec.c:49:sc_compute_signature: called
 card.c:254:sc_transmit_apdu: called
 card.c:221:sc_transceive: Sending 134 bytes (resp. 258 bytes,
sensitive):
-00 2A 9E 9A 80 31 32 33 34 35 36 37 38 39 30 31 .*...12345678901
+00 2A 80 84 80 31 32 33 34 35 36 37 38 39 30 31 .*...12345678901
 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 2345678901234567
 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 8901234567890123
 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 4567890123456789
@@ -588,6 +588,50 @@
 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 2345678901234567
 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 8901234567890123
 34 35 36 37 0A 00                               4567..
-card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=6A SW2=87)
-framework-pkcs15.c:1849:pkcs15_prkey_sign: Sign complete. Result -1205.
-pkcs11-object.c:583:C_SignFinal: C_SignFinal returns 32
+card.c:274:sc_transmit_apdu: Received 128 bytes (SW1=90 SW2=00)

static int tcos_compute_signature(sc_card_t *card, const u8 * data, size_t datalen, u8 * out, size_t outlen)
{
...
        if(((tcos_data *)card->drv_data)->sign_with_def_env){
                sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x9E, 0x9A);
                memcpy(sbuf, data, datalen);
        } else {
                unsigned int keylen=128; /* FIXME: use correct key-size */
                sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x84);
                for(i = 0; i < sizeof(sbuf); ++i)
                        sbuf[i]=0xff;
                sbuf[0]=0x00; sbuf[1]=0x01; sbuf[keylen-datalen-1]=0x00;
                memcpy(sbuf+keylen-datalen, data, datalen);
                datalen=keylen;
        }
...

Regards,
  Holger

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Issue with SignTrust TCOS Card

Nils Larsch
Holger Smolinski wrote:
> Happy Easter Holidays!
>
> I have run into an issue using a SignTrust TCOS Card (issuer: Deutsche
> Telekom) in a Reiner SCT cyberjack smart card reader. I am using the
> CTAPI driver supplied by ReinerSCT (libctapi-cyberjack).

which opensc version?

>
> I can't create signatures on the card using the default signature key in
> slot 0. The error message is:
> { 0x6A87, SC_ERROR_INCORRECT_PARAMETERS,"Lc inconsistent with P1-P2" },
> Using the keys in Slot 1 or 2 works fine for generating signatures.
>
> I have attached a 'diff' of debug-files obtained at two different sign
> operations. Lines prefixed with '-' belong to a failing attempt and
> lines with '+' belong to a successful attempt.

do you know how long (in bits) the key is?

>
> From the debug data, I suppose, that signatures in the non-default
> security environment succeed, while the signature in the default
> security environment fails...
>
> Unfortunately I got no idea why....can anybody comment and direct me
> towards a fix?
>
>  card.c:254:sc_transmit_apdu: called
>  card.c:221:sc_transceive: Sending 8 bytes (resp. 258 bytes):
>  00 22 C1 B8 03 84 01 80 ."......
> -card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=6A SW2=88)
> +card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)

this is not necessarily an error (if one needs to sign with a
decipher operation as opensc tries it below)

>  sec.c:67:sc_set_security_env: returning with: 0
>  sec.c:49:sc_compute_signature: called
>  card.c:254:sc_transmit_apdu: called
>  card.c:221:sc_transceive: Sending 134 bytes (resp. 258 bytes,
> sensitive):
> -00 2A 9E 9A 80 31 32 33 34 35 36 37 38 39 30 31 .*...12345678901
> +00 2A 80 84 80 31 32 33 34 35 36 37 38 39 30 31 .*...12345678901
>  32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 2345678901234567
>  38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 8901234567890123
>  34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 4567890123456789
> @@ -588,6 +588,50 @@
>  32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 2345678901234567
>  38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 8901234567890123
>  34 35 36 37 0A 00                               4567..
> -card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=6A SW2=87)

Cheers,
Nils

Re: Issue with SignTrust TCOS Card

Nils Larsch
In reply to this post by Holger Smolinski
Holger Smolinski wrote:

> Happy Easter Holidays!
>
> I have run into an issue using a SignTrust TCOS Card (issuer: Deutsche
> Telekom) in a Reiner SCT cyberjack smart card reader. I am using the
> CTAPI driver supplied by ReinerSCT (libctapi-cyberjack).
>
> I can't create signatures on the card using the default signature key in
> slot 0. The error message is:
> { 0x6A87, SC_ERROR_INCORRECT_PARAMETERS,"Lc inconsistent with P1-P2" },
> Using the keys in Slot 1 or 2 works fine for generating signatures.
>
> I have attached a 'diff' of debug-files obtained at two different sign
> operations. Lines prefixed with '-' belong to a failing attempt and
> lines with '+' belong to a successful attempt.
>
> From the debug data, I suppose, that signatures in the non-default
> security environment succeed, while the signature in the default
> security environment fails...
>
> Unfortunately I got no idea why....can anybody comment and direct me
> towards a fix?
>
>  card.c:254:sc_transmit_apdu: called
>  card.c:221:sc_transceive: Sending 8 bytes (resp. 258 bytes):
>  00 22 C1 B8 03 84 01 80 ."......
> -card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=6A SW2=88)
> +card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)
>  sec.c:67:sc_set_security_env: returning with: 0
>  sec.c:49:sc_compute_signature: called
>  card.c:254:sc_transmit_apdu: called
>  card.c:221:sc_transceive: Sending 134 bytes (resp. 258 bytes,
> sensitive):
> -00 2A 9E 9A 80 31 32 33 34 35 36 37 38 39 30 31 .*...12345678901
> +00 2A 80 84 80 31 32 33 34 35 36 37 38 39 30 31 .*...12345678901
>  32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 2345678901234567
>  38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 8901234567890123
>  34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 4567890123456789

as Andreas already pointed out it looks like TCOS doesn't support
'raw' rsa with a signature key so it doesn't look like a bug in opensc.

Cheers,
Nils

Re: Issue with SignTrust TCOS Card

Peter Koch-3
In reply to this post by Holger Smolinski
Hi Holger!

> I have run into an issue using a SignTrust TCOS Card (issuer: Deutsche
> Telekom) in a Reiner SCT cyberjack smart card reader. I am using the
> CTAPI driver supplied by ReinerSCT (libctapi-cyberjack).
>
> I can't create signatures on the card using the default signature key in
> slot 0. The error message is:
> { 0x6A87, SC_ERROR_INCORRECT_PARAMETERS,"Lc inconsistent with P1-P2" },
> Using the keys in Slot 1 or 2 works fine for generating signatures.

> From the debug data, I suppose, that signatures in the non-default
> security environment succeed, while the signature in the default
> security environment fails...
>
> Unfortunately I got no idea why....can anybody comment and direct me
> towards a fix?

There is no fix :-(. TCOS supports two different sorts of keys, i.e.
signature-keys and decryption-keys.

With a signature-key you can do only signature-operations, with a
decryption-key you can do decryption-operations only.

Now calculating the signature of a hash-value is just the same
as decrypting the padded hash-value. Therefore one can calculate
signatures with decryption-keys. But you cannot decrypt with
signature-keys.

So what were you trying to do? Creating a signature (possible with
all keys) or decrypting (possible with decryption-keys only)?

Please let me know - it seems that you were trying to sign something
and this should be possible with all keys.

Peter
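
Added example, not part of the thread and not OpenSC code: the "padded hash-value" described above is the block 00 01 FF..FF 00 || data that the posted driver excerpt assembles in its non-default-environment branch. The helper names are hypothetical, keylen=128 in the usage mirrors the FIXME value in the excerpt, and the length checks reject inputs that leave no room for padding, such as a 128-byte input with a 128-byte key.

```c
#include <stddef.h>
#include <string.h>

/* Added example; helper names are hypothetical, not OpenSC functions. */

/* Build 00 01 FF..FF 00 || data, the block the non-default-environment
 * branch assembles before PSO DECIPHER (00 2A 80 84).
 * Returns keylen on success, -1 if the lengths do not fit. */
int pkcs1_type1_pad(const unsigned char *data, size_t datalen,
                    unsigned char *out, size_t outlen, size_t keylen)
{
    size_t padlen;

    if (!data || !out || keylen < 11 || outlen < keylen)
        return -1;
    /* 00 01, at least eight FF bytes and the 00 separator must fit. */
    if (datalen > keylen - 11)
        return -1;
    padlen = keylen - datalen - 3;
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xFF, padlen);
    out[2 + padlen] = 0x00;          /* same index as keylen-datalen-1 */
    memcpy(out + 3 + padlen, data, datalen);
    return (int)keylen;
}

/* Return the payload offset inside a type-1 block, or -1 if malformed. */
int pkcs1_type1_payload_offset(const unsigned char *block, size_t keylen)
{
    size_t i = 2;

    if (!block || keylen < 11 || block[0] != 0x00 || block[1] != 0x01)
        return -1;
    while (i < keylen && block[i] == 0xFF)
        i++;
    /* Fewer than eight FF bytes or a missing 00 separator is malformed. */
    if (i < 10 || i >= keylen || block[i] != 0x00)
        return -1;
    return (int)(i + 1);
}
```

With a 20-byte digest and keylen 128 the payload starts at offset 108; a 128-byte input is rejected by both functions.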
