-
It is called "7.2.11 PSO: DECIPHER" (page 67) in OpenPGP Smart Card Application V3.4.1.
-
"7.2.18 MANAGE SECURITY ENVIRONMENT". OpenPGP only supports 3 keys, so with older versions, even though all three keys could be RSA, only one can be used to decipher. Later versions support the use of MSE, which allows some dual usage.
-
Thank you. I missed it.
-
No. Most cards only implement a very limited set of any standard, and leave padding up to the calling middleware. Many will only do RSA RAW, which is used to sign some data where the padding is done in software and sent to the card to do the RSA RAW. Decryption is done by sending the card the encrypted blob. The card does RSA RAW and returns a blob. The driver software checks that the blob is valid by checking the padding and removing it. Each OpenSC card driver passed a set of flags when calling
That is out of scope for OpenSC. OpenSC drivers and code or other software can do the public key operations to encrypt a message and verify signatures.
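The decryption flow described in the comment above, as an added example that is not part of the original discussion and is not OpenSC code: the card side does only the raw private-key operation (what PKCS#11 calls CKM_RSA_X_509), and the software side validates and strips the PKCS#1 v1.5 encryption padding. The toy key, the deterministic filler and all function names are constructed for illustration.

```python
# Added example: the toy key and all helper names are constructed, not OpenSC code.
P, Q = 2**127 - 1, 2**89 - 1           # two Mersenne primes, far too small for real use
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def pad_type2(msg: bytes, k: int, filler: bytes) -> bytes:
    """Build the block 00 02 PS 00 M; PS is non-zero and at least 8 bytes."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8 or len(filler) < ps_len or 0 in filler[:ps_len]:
        raise ValueError("message too long or unusable filler")
    return b"\x00\x02" + filler[:ps_len] + b"\x00" + msg


def encrypt(msg: bytes) -> bytes:
    """Public-key side, done entirely in software."""
    filler = bytes(range(1, 256))      # constructed and fixed; real PS is random
    em = pad_type2(msg, K, filler)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def card_rsa_raw(blob: bytes) -> bytes:
    """Stand-in for the card: private-key exponentiation, no padding logic."""
    return pow(int.from_bytes(blob, "big"), D, N).to_bytes(K, "big")


def strip_type2(block: bytes, k: int) -> bytes:
    """Driver-side check: validate and remove PKCS#1 v1.5 encryption padding."""
    ok = len(block) == k and block[:2] == b"\x00\x02"
    sep = block.find(b"\x00", 2) if ok else -1
    if sep < 10:                       # no separator, or fewer than 8 bytes of PS
        # One generic error for every failure: distinguishable padding errors
        # are what a padding-oracle attack relies on.
        raise ValueError("decryption failed")
    return block[sep + 1:]


def decrypt(blob: bytes) -> bytes:
    """Card does RSA RAW, software checks the padding and removes it."""
    return strip_type2(card_rsa_raw(blob), K)
```

Python gives no constant-time guarantee, so this shows the structure of the check rather than a side-channel-hardened implementation.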
-
Thank you. You are very helpful. I am fighting with Python and I have not seen those flags in that form, but as flags on the slot, and I am already using them to limit capabilities to those that the card can do.
-
If you really want to connect to "this fine project" (thank you) I would suggest using PKCS11, which deals with all of your issues. In one of your other discussions you were asking about EC curves and public keys. Have you looked at the PKCS11 v 3.0
This returns the EC curve OID and public key in the SPKI format as used in certificates. The CKA_EC_POINT returns just the EC point Q value. Another option is to use OpenSSL and either https://github.com/OpenSC/libp11 or https://github.com/latchset/pkcs11-provider, both of which allow OpenSSL to use PKCS11.
-
You are right, I have been waiting until after 0.25.0 was released to submit the X25519-improvements-2 branch as a PR.
-
No, CKM_RSA_PKCS is RSA using PKCS 1.5 padding. RSA without padding, which is what I was calling RSA-RAW, is CKM_RSA_X_509. Since CKM_RSA_PKCS, other padding mechanisms have been defined: CKM_RSA_PKCS_PSS and CKM_RSA_PKCS_OAEP. pkcs11-tool -M will list all the mechanisms (without the leading CKM_) supported by the card or the module's software.
-
Using an OpenPGP card, it lists RSA_PKCS with the decrypt flag. I am trying to find if this is not correct, as I do not see RSA decryption in the OpenPGP standard.
If it is correct, what mechanism can it use?