TCOS / NetKey card and sign operation


richter-5
Hi Peter,

Nils asked me to contact you about the NetKey card.

I am currently trying to use the NetKey card and other TCOS cards to do
IPsec authentication.

The IPsec authentication needs signing. I noticed that TCOS can only sign
with the first key. From my TCOS specs 1.7, page 78: "For the computation
of a 'digital signature', signature key no. 0 and the RSA algorithm are
always fixed and cannot be changed with manage security environment."

On all the cards I have (one NetKey and some TCOS cards initialized with
Kobil SmartKey on Windows), there is only one key marked for signing and all
other keys marked for encryption.

For this reason I think that the USAGE_SIGN attribute should only be set for
a key in pkcs15-netkey.c initialization when prop_attr & 8 is set.

Does this make sense from your view or does it break anything?

Since I wanted to do IPsec authentication and therefore need signing with
the other keys, I have patched strongSwan to do the PKCS#1 padding in
software and use the decrypt function of the smartcard. This works without
problems.

Instead of doing this in strongSwan, it would also be possible to do this in
tcos-card.c so it's available to all applications. Would this make sense to
you or does it break anything for you?

Gerald


---------------------------------------------------------------------------
Gerald Richter            ecos electronic communication services gmbh
IT security solutions * Web applications with Apache/Perl/mod_perl/Embperl

Post:       Tulpenstrasse 5          D-55276 Dienheim b. Mainz
E-Mail:     [hidden email]          Voice:   +49 6133 939-122
WWW:        http://www.ecos.de/      Fax:     +49 6133 939-333
---------------------------------------------------------------------------
ECOS BB-5000 firewall and IT security appliance: www.bb-5000.info
---------------------------------------------------------------------------


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
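The workaround described in the post (build the PKCS#1 padding on the host, hand only the raw RSA private-key operation to the card) works because an RSASSA-PKCS1-v1_5 signature is nothing more than the modular exponentiation of a fixed-format block, so a standard verifier cannot tell the two paths apart. The following is an added illustration of that equivalence; it is not code from the post, from strongSwan or from OpenSC. The function `card_raw_rsa_private_op` is a stand-in for a card decrypt that performs the raw (unpadded) private-key operation, which is what the post's approach assumes the card does; the RSA key is a freshly generated toy key, and the message is a constructed sample. The last check in `demo` shows why the padding step matters: the raw operation on a bare hash does not verify as a PKCS#1 v1.5 signature.

```python
"""EMSA-PKCS1-v1_5 padding in software, raw RSA private operation "on the card".

Added illustration; not from the post, strongSwan or OpenSC.  The key is a
small toy key generated here, far too short for real use, kept small so the
example runs quickly.
"""
import hashlib
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test; adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_toy_rsa_key(bits: int = 512, e: int = 65537):
    """Return (n, e, d) for a toy RSA key of exactly `bits` bits."""
    half = bits // 2
    while True:
        # Force the top bit (so the product has the right size) and oddness.
        p = secrets.randbits(half) | (1 << (half - 1)) | 1
        q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if n.bit_length() == bits and phi % e:  # e is prime, so gcd(e, phi) == 1
            return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Host-side padding: 00 01 FF..FF 00 || DigestInfo || SHA-256(message), k bytes."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for the encoded digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def card_raw_rsa_private_op(block: bytes, n: int, d: int) -> bytes:
    """Stand-in for the card's raw decrypt: block^d mod n, no padding handling."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")


def sign_with_software_padding(message: bytes, n: int, d: int) -> bytes:
    """Pad on the host, exponentiate on the 'card': yields a PKCS#1 v1.5 signature."""
    k = (n.bit_length() + 7) // 8
    return card_raw_rsa_private_op(emsa_pkcs1_v15_encode(message, k), n, d)


def verify_pkcs1_v15(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Standard RSASSA-PKCS1-v1_5 verify: recover the block and compare it whole."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, emsa_pkcs1_v15_encode(message, k))


def demo():
    """Return (valid, tampered_rejected, unpadded_rejected) for one toy key."""
    n, e, d = generate_toy_rsa_key()
    msg = b"IKE AUTH payload (constructed sample)"
    sig = sign_with_software_padding(msg, n, d)
    ok = verify_pkcs1_v15(msg, sig, n, e)
    tampered_ok = verify_pkcs1_v15(msg + b"x", sig, n, e)
    # Raw private op over the bare hash, skipping the padding step: not a PKCS#1 signature.
    k = (n.bit_length() + 7) // 8
    bare = card_raw_rsa_private_op(hashlib.sha256(msg).digest().rjust(k, b"\x00"), n, d)
    bare_ok = verify_pkcs1_v15(msg, bare, n, e)
    return ok, tampered_ok, bare_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The verifier rebuilds the whole encoded block and compares all of it, rather than parsing the recovered padding and digest; checking only a prefix or only the trailing hash is the classic way a v1.5 verifier goes wrong. Moving the same padding into tcos-card.c, as the post suggests, would not change what the card computes, only where the block is assembled.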