configure opensc to deliver another cert than the one requested


configure opensc to deliver another cert than the one requested

Christian Horn-2
Hi,


I am unable to use the keys on this smartcard labeled
"TeleSec NetKey Card" here.
Using pcsc-lite 1.2.9beta9 / openct 0.6.6 / opensc 0.10.0
the card is accessed as a TCOS-card by opensc.
Reading certs and accessing private-keys from the card seems
to work, global/local-pin-problems are solved.

The problem is this: the usual case seems to be someone tells the
application to use private-key with ID 1, and the application also
uses the cert with ID 1 for that communication. Due to a different
use of certs in this card here that doesn't work out: I have to use
private-key with ID 1 and in the same operation the cert with ID 2.

I tried to bend this over in the OpenSwan code but a) it didn't work
out and b) it doesn't seem to be the right way, as for using the card
with S/MIME, PGP would have to be modified..

How hard is it to let OpenSC do this?
I've had a look at the debugging output that gets generated from
'pkcs15-tool -r'eading certs, but didn't find the hook to overwrite
the path to the cert file that is read out.

Any comments appreciated,


Greetings, Christian.

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: configure opensc to deliver another cert than the one requested

Nils Larsch
Christian Horn wrote:

> Hi,
>
>
> I am unable to use the keys on this smartcard labeled
> "TeleSec NetKey Card" here.
> Using pcsc-lite 1.2.9beta9 / openct 0.6.6 / opensc 0.10.0
> the card is accessed as a TCOS-card by opensc.
> Reading certs and accessing private-keys from the card seems
> to work, global/local-pin-problems are solved.
>
> The problem is this: the usual case seems to be someone tells the
> application to use private-key with ID 1, and the application also
> uses the cert with ID 1 for that communication. Due to a different
> use of certs in this card here that doesn't work out: I have to use
> private-key with ID 1 and in the same operation the cert with ID 2.

doesn't the cert with the id 1 belong to the private key with the
id 1 (or what exactly is the problem)?

>
> I tried to bend this over in the OpenSwan code but a) it didn't work
> out and b) it doesn't seem to be the right way, as for using the card
> with S/MIME, PGP would have to be modified..
>
> How hard is it to let OpenSC do this?
> I've had a look at the debugging output that gets generated from
> 'pkcs15-tool -r'eading certs, but didn't find the hook to overwrite
> the path to the cert file that is read out.

the binding between the certs and keys is defined in pkcs15-tcos.c
(in src/libopensc/) as this is most likely not a pkcs15-compliant
card.

Cheers,
Nils

Re: configure opensc to deliver another cert than the one requested

Christian Horn-2
On Mon, Jan 30, 2006 at 09:05:45PM +0100, Nils Larsch wrote:
> >The problem is this: the usual case seems to be someone tells the
> >application to use private-key with ID 1, and the application also
> >uses the cert with ID 1 for that communication. Due to a different
> >use of certs in this card here that doesn't work out: I have to use
> >private-key with ID 1 and in the same operation the cert with ID 2.
>
> doesn't the cert with the id 1 belong to the private key with the
> id 1 (or what exactly is the problem)?
Yes, that was the problem here.


> >I've had a look at the debugging output that gets generated from
> >'pkcs15-tool -r'eading certs, but didn't find the hook to overwrite
> >the path to the cert file that is read out.
>
> the binding between the certs and keys is defined in pkcs15-tcos.c
> (in src/libopensc/) as this is most likely not a pkcs15-compliant
> card.
Thanks a lot! That worked, pkcs15-tool now gives me the cert I need,
not the one that is requested; libopensc appears to behave the same way
now.
Unfortunately the other side of the OpenSwan connection still doesn't
accept my authentication, but OpenSwan debugging now shows the cert
with the right subject is used.

On the OpenSC side everything looks good now, guess I will have to look
at the firewall debug logs now.


Greetings, Christian.

Re: configure opensc to deliver another cert than the one requested

Peter Koch-3
Hi Christian

> > >The problem is this: the usual case seems to be someone tells the
> > >application to use private-key with ID 1, and the application also
> > >uses the cert with ID 1 for that communication. Due to a different
> > >use of certs in this card here that doesn't work out: I have to use
> > >private-key with ID 1 and in the same operation the cert with ID 2.
> >
> > doesn't the cert with the id 1 belong to the private key with the
> > id 1 (or what exactly is the problem)?
> Yes, that was the problem here.
>
>
> > >I've had a look at the debugging output that gets generated from
> > >'pkcs15-tool -r'eading certs, but didn't find the hook to overwrite
> > >the path to the cert file that is read out.
> >
> > the binding between the certs and keys is defined in pkcs15-tcos.c
> > (in src/libopensc/) as this is most likely not a pkcs15-compliant
> > card.
>
> Thanks a lot! That worked, pkcs15-tool now gives me the cert I need,
> not the one that is requested; libopensc appears to behave the same way
> now.
> Unfortunately the other side of the OpenSwan connection still doesn't
> accept my authentication, but OpenSwan debugging now shows the cert
> with the right subject is used.
>
> On the OpenSC side everything looks good now, guess I will have to look
> at the firewall debug logs now.

That's a quick (and dirty) hack. Could you please supply more details
about what exactly you are trying to do. A NetKey card has 3 keys, 3 read-only
certificates and 6 empty certificate files where you can store your
own certificates. It's quite normal that a card has more than one
certificate per key, so you normally don't have a one-to-one mapping
between key-ids and cert-ids.

What happens very often is that your card does not contain public
keys. In this case the public key corresponding to private key X
will be extracted from certificate X. This means that for each
private key there must exist either a public key or a certificate
with the same ID.

Your software should be able to use a certificate even if the private
key that corresponds to your certificate has a different id. If
you want to use the private key that corresponds to a certificate
with a certain id do NOT assume that this private key has the
same id.

Peter


Re: configure opensc to deliver another cert than the one requested

Christian Horn-2
Hi,

> That's a quick (and dirty) hack.
Yes, but it seems to do what I want. If more people need this and I have
overseen an official way to configure this, it could be implemented
e.g. using opensc.conf.

> Could you please supply more details
> what exactly you are trying to do.
I want to run OpenSwan. Using clean opensc, when using key 1 on the card
cert 1 is used; modified opensc now uses cert 2. Haven't seen a way to
configure this in OpenSwan.
The correct cert should be in use now; the other end of the tunnel
(Checkpoint FW-1) sends some '[23] unknown user', will have to look at
the firewall debug logs for that.

> A NetKey card has 3 keys, 3 read-only
> certificates and 6 empty certificate files where you can store your
> own certificates. It's quite normal that a card has more than one
> certificate per key, so you normally don't have a one-to-one mapping
> between key-ids and cert-ids.
http://fluxcoil.net/files/netkey_e4_dump.txt shows the output of
pkcs15-tool .

> What happens very often is that your card does not contain public
> keys. In this case the public key corresponding to private key X
> will be extracted from certificate X. This means that for each
> private key there must exist either a public key or a certificate
> with the same ID.
Only certs on the card.

> Your software should be able to use a certificate even if the private
> key that corresponds to your certificate has a different id. If
> you want to use the private key that corresponds to a certificate
> with a certain id do NOT assume that this private key has the
> same id.
Didn't see this config option in OpenSwan.

Greetings, Christian.

Re: configure opensc to deliver another cert than the one requested

Peter Koch-3
> > That's a quick (and dirty) hack.
> Yes, but it seems to do what I want. If more people need this and I have
> overseen an official way to configure this, it could be implemented
> e.g. using opensc.conf.

I'm sure this works with OpenSwan and with NetKey cards that have
additional user certificates. But NetKey cards without user certificates
won't work at all. So we cannot add this patch to OpenSC. That's why
I called this a "dirty" hack.

> > Your software should be able to use a certificate even if the private
> > key that corresponds to your certificate has a different id. If
> > you want to use the private key that corresponds to a certificate
> > with a certain id do NOT assume that this private key has the
> > same id.
> Didn't see this config option in OpenSwan.

First: I have never used OpenSwan nor know anything about it.
But from my point of view OpenSwan should allow you to configure
BOTH the cert-id and the key-id of the cert/key pair to be used.
Or OpenSwan should only allow you to configure the id of the
certificate to be used. In the latter case OpenSwan MUST figure
out itself what key must be used for the configured certificate.

OpenSwan should NOT assume that the key has the same ID as the
certificate, as this cannot be true for cards that have more than
one certificate per key.

So maybe you should inform the OpenSwan team about this problem.

Peter


Re: configure opensc to deliver another cert than the one requested

Nils Larsch
Peter Koch wrote:
...
> OpenSwan should NOT assume that the key has the same ID as the
> certificate, as this cannot be true for cards that have more than
> one certificate per key.

the pkcs11 (and pkcs15) ids are not unique ids. It is possible
that there is more than one cert with a specific id (actually, all
certs belonging to a specific private key should have the same id
as the corresponding private key, as otherwise it would be difficult
to find the private key for a certificate).

Cheers,
Nils

Re: configure opensc to deliver another cert than the one requested

Peter Koch-3
> Peter Koch wrote:
> ...
> > OpenSwan should NOT assume that the key has the same ID as the
> > certificate, as this cannot be true for cards that have more than
> > one certificate per key.
>
> the pkcs11 (and pkcs15) ids are not unique ids. It is possible
> that there is more than one cert with a specific id (actually, all
> certs belonging to a specific private key should have the same id
> as the corresponding private key, as otherwise it would be difficult
> to find the private key for a certificate).

Non-unique identifiers - isn't that a contradiction in terms?

So the final conclusion of this discussion is: the current
implementation for NetKey E4 cards is buggy. There might be
more than one certificate on a NetKey card that belongs to the
same private key, and all these certificates MUST have the same
id (namely the id of the corresponding private key).

I will fix that this weekend.

Peter

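The lookup rule Peter and Nils converge on above (pick the certificate, read its ID, then find the private key carrying that same ID; never assume the key sits at the same position as the certificate) as an added example that is not part of the thread and not OpenSC or OpenSwan code. The token contents are constructed for the example: three private keys, no public-key objects and several certificates per key, roughly as the thread describes a NetKey card. The attribute names mirror PKCS#11 (CKA_CLASS, CKA_ID, CKA_LABEL) but the dictionaries are a stand-in for what C_FindObjects would return, not a real token.

```python
# Added example (not from the thread): resolving the private key for a chosen
# certificate by its PKCS#15/PKCS#11 ID rather than by position.
#
# TOKEN is a constructed stand-in for the object list a PKCS#11 token would
# expose; the attribute names follow PKCS#11 but nothing here talks to a card.
TOKEN = [
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": b"\x01", "CKA_LABEL": "signature key"},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": b"\x02", "CKA_LABEL": "authentication key"},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": b"\x03", "CKA_LABEL": "encryption key"},
    # Several certificates may share one key; each carries that key's CKA_ID.
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_ID": b"\x01", "CKA_LABEL": "read-only cert for key 1"},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_ID": b"\x01", "CKA_LABEL": "user cert for key 1"},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_ID": b"\x02", "CKA_LABEL": "user cert for key 2"},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_ID": b"\x03", "CKA_LABEL": "user cert for key 3"},
]


def find_objects(token, **template):
    """Stand-in for C_FindObjectsInit/C_FindObjects: every object whose
    attributes match all key/value pairs of the search template."""
    return [o for o in token if all(o.get(k) == v for k, v in template.items())]


def private_key_for_cert(token, cert_label):
    """Correct lookup: read CKA_ID from the selected certificate, then search
    for the private key that carries the same CKA_ID. Returns the key's label
    or None when the certificate or its key is absent."""
    certs = find_objects(token, CKA_CLASS="CKO_CERTIFICATE", CKA_LABEL=cert_label)
    if not certs:
        return None
    keys = find_objects(token, CKA_CLASS="CKO_PRIVATE_KEY", CKA_ID=certs[0]["CKA_ID"])
    return keys[0]["CKA_LABEL"] if keys else None


def private_key_by_position(token, cert_label):
    """The assumption the thread warns against: take the certificate's
    position among the certificates and use the key at the same position.
    Shown only to make the failure visible; do not use it."""
    certs = find_objects(token, CKA_CLASS="CKO_CERTIFICATE")
    keys = find_objects(token, CKA_CLASS="CKO_PRIVATE_KEY")
    idx = next((i for i, c in enumerate(certs) if c["CKA_LABEL"] == cert_label), None)
    if idx is None or idx >= len(keys):
        return None
    return keys[idx]["CKA_LABEL"]


def public_key_source(token, key_id):
    """Where the public half of a key comes from on a card without public-key
    objects: a CKO_PUBLIC_KEY object if one exists, otherwise a certificate
    with the same ID. Returns (kind, label) or None."""
    pubs = find_objects(token, CKA_CLASS="CKO_PUBLIC_KEY", CKA_ID=key_id)
    if pubs:
        return ("public key", pubs[0]["CKA_LABEL"])
    certs = find_objects(token, CKA_CLASS="CKO_CERTIFICATE", CKA_ID=key_id)
    return ("certificate", certs[0]["CKA_LABEL"]) if certs else None


def certs_for_key(token, key_id):
    """All certificates bound to one private key: the ID is shared, so the
    lookup returns more than one object, which is expected, not an error."""
    return [c["CKA_LABEL"] for c in find_objects(token, CKA_CLASS="CKO_CERTIFICATE", CKA_ID=key_id)]


if __name__ == "__main__":
    label = "user cert for key 2"
    print("by ID:      ", private_key_for_cert(TOKEN, label))
    print("by position:", private_key_by_position(TOKEN, label))
    print("certs sharing key 1:", certs_for_key(TOKEN, b"\x01"))
    print("public key of key 3 from:", public_key_source(TOKEN, b"\x03"))
```

With two certificates bound to key 1, the certificate for key 2 is the third certificate object, so the positional lookup silently returns the encryption key while the ID lookup returns the authentication key; for the certificate of key 3 the positional lookup runs off the end of the key list. That is the same mismatch the thread hits when a NetKey card carries extra user certificates.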