OpenSC uses of flags for hashes, raw and none


Douglas E Engert
In regards to:

  https://github.com/OpenSC/OpenSC/pull/241

Are there *ANY* cards that do hashes on the card?

card-gpk.c does not set SC_ALGORITHM_RSA_HASH_NONE implying it can.


Looking at how card drivers set the algorithm flags before calling _sc_card_add_rsa_alg,
it appears older cards will set the list of hashes they are willing to accept and some of them
use this to modify the APDU, most likely to set the size of the hash.

Most newer cards just set SC_ALGORITHM_RSA_HASH_NONE, SC_ALGORITHM_RSA_RAW

pkcs15-framework.c then tries to register PKCS#11 mechanisms. This is then complicated
by ENABLE_OPENSSL in the code in pkcs15-framework.c and many other places.

(The git master does not build without OpenSSL, but that would be another topic.)


It looks like the code in pkcs15-framework.c should use the list of hashes provided
by the card, or if none are provided then use all the hashes that OpenSSL provides
that have PKCS#11 mechanisms defined.

At one time OpenSC had a SHA1 routine, but I can not find it in the code, so
OpenSSL is required for any hashing done in OpenSC.




Looking at card drivers:
Cards that just set SC_ALGORITHM_RSA_HASH_NONE not included.

card-atrust-acos.c *OK*
        does not require OpenSSL
        sets NONE, SHA1, MD5, RIPEMD160, MD5_SHA1 in flags
        changes APDU based on hash

card-authenticate.c *WORKS OPENSSL*
        requires OPENSSL
        sets NONE, SHA1, SHA256 in flags
        Does not change APDU.

card-belpic.c       *May work if call provides HASH.*
        does not require OpenSSL
        sets NONE in flags
        will change APDU if SHA1 or MD5. (but never set.)

card-gpk.c
        requires OpenSSL
        sets SHA1, MD5, MD5_SHA1 in flags
        Does not change APDU.

        Does setting SC_ALGORITHM_RSA_HASH_NONE imply the card can do SHA1, MD5, and MD5_SHA1?

card-iasecc.c
        requires OPENSSL
        sets NONE, SHA1, SHA256 in flags
        looks like it changes APDU?

card-jcop.c
        does not require OpenSSL
        sets NONE, SHA1, MD5 in flags
        tests for the hash, but not clear what it does with it.

card-mcrd.c
        does not require OpenSSL
        depending on card:
        sets RAW, SHA1, SHA256 in flags
        sets RAW, SHA1  in flags
        sets RAW, NONE  in flags


card-miocos.c
        does not require OpenSSL
        sets RAW, NONE and SHA1 in flags
        tests for the hash, but not clear what it does with it.


card-myeid.c
        does not depend on OpenSSL
        sets NONE, SHA1 in flags
        tests for the hash, but not clear what it does with it.

card-sc-hsm.c
        does not depend on OpenSSL
        sets RAW for RSA in flags (Does EC too)

card-setcos.c
        does not depend on OpenSSL
        sets RAW, SHA1
        tests for the hash, but not clear what it does with it.

card-starcos.c
        does not depend on OpenSSL
        sets NONE, SHA1, MD5, RIPEMD160, MD5_SHA1
        changes APDU based on HASH

--

  Douglas E. Engert  <[hidden email]>
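
Added example, not part of the original message and not OpenSC code: a sketch in C of the registration rule the message proposes (use the hashes the card lists; if it lists none, fall back to the hashes the host library can compute that have PKCS#11 mechanisms). The EX_* flag values and ex_rsa_mechanisms() are hypothetical, and tying CKM_RSA_X_509 to RAW and CKM_RSA_PKCS to RAW or HASH_NONE is an assumption of this example; the CKM_* numbers are the PKCS#11 values.

```c
#include <stddef.h>
#include <stdio.h>

/* Bit values made up for this example; names echo SC_ALGORITHM_RSA_*. */
#define EX_RSA_RAW         0x001u
#define EX_RSA_HASH_NONE   0x002u
#define EX_RSA_HASH_MD5    0x010u
#define EX_RSA_HASH_SHA1   0x020u
#define EX_RSA_HASH_SHA256 0x040u
#define EX_RSA_HASHES      0x070u

/* Mechanism numbers as defined by PKCS#11. */
#define CKM_RSA_PKCS        0x01UL
#define CKM_RSA_X_509       0x03UL
#define CKM_MD5_RSA_PKCS    0x05UL
#define CKM_SHA1_RSA_PKCS   0x06UL
#define CKM_SHA256_RSA_PKCS 0x40UL

static const struct { unsigned flag; unsigned long mech; } ex_hash_mechs[] = {
    { EX_RSA_HASH_MD5,    CKM_MD5_RSA_PKCS },
    { EX_RSA_HASH_SHA1,   CKM_SHA1_RSA_PKCS },
    { EX_RSA_HASH_SHA256, CKM_SHA256_RSA_PKCS },
};

/* card_flags: what the driver set; host_hashes: hashes the host library can
 * compute (0 models a build without OpenSSL). Returns mechanisms written. */
size_t ex_rsa_mechanisms(unsigned card_flags, unsigned host_hashes,
                         unsigned long *out, size_t max)
{
    size_t n = 0, i;
    unsigned hashes = card_flags & EX_RSA_HASHES;
    if (hashes == 0)            /* card listed none: fall back to the host's */
        hashes = host_hashes & EX_RSA_HASHES;
    if ((card_flags & EX_RSA_RAW) && n < max)
        out[n++] = CKM_RSA_X_509;
    if ((card_flags & (EX_RSA_RAW | EX_RSA_HASH_NONE)) && n < max)
        out[n++] = CKM_RSA_PKCS;
    for (i = 0; i < sizeof ex_hash_mechs / sizeof ex_hash_mechs[0]; i++)
        if ((hashes & ex_hash_mechs[i].flag) && n < max)
            out[n++] = ex_hash_mechs[i].mech;
    return n;
}

int main(void)
{
    unsigned long m[8];
    printf("%zu\n", ex_rsa_mechanisms(EX_RSA_RAW, EX_RSA_HASHES, m, 8));
    return 0;
}
```

A driver that sets only SHA1 and MD5 without HASH_NONE, as card-gpk.c is described above, ends up with the two hash-specific mechanisms and no CKM_RSA_PKCS under this rule.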

