What should happen after key creation on the card to get proper public key information?

[msetina]

After creating a key pair on the card I try to get public key information, but it is invalid. In case of 2048 bit RSA key I get 271 bytes instead of 270 bytes that properly decodes to public key information. (this also applys to EC key)
Getting this key data little latter, the public key information is valid.

[dengert]

Get debug log

…

On Thu, Apr 18, 2024, 11:11 AM msetina ***@***.***> wrote: After creating a key pair on the card I try to get public key information, but it is invalid. In case of 2048 bit RSA key I get 271 bytes instead of 270 bytes that properly decodes to public key information. (this also applys to EC key) Getting this key data little latter, the public key information is valid. — Reply to this email directly, view it on GitHub <#3124>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGTIMMHLJ6HYXVCF3SPQFLY57WE7AVCNFSM6AAAAABGNSZA6WVHI2DSMVQWIX3LMV43ERDJONRXK43TNFXW4OZWGUZDIOJSGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[dengert]

Also look at #3000 and #3090

[msetina]

OK. I've prepared for #3000, but am not sure if result from ASN.1 BitString will return the same structure or will it need to be processed before I get 04|X|Y to send forward.

[msetina]

In my case when it goes wrong I see:

P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] pkcs15-pubkey.c:684:sc_pkcs15_encode_pubkey_ec: called
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:1826:asn1_encode_entry: encoding 'ecpointQ'
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:1831:asn1_encode_entry: type=4, tag=0x04, parm=0x55f220130410, len=384
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:2024:asn1_encode_entry: length of encoded item=388
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] pkcs15-pubkey.c:688:sc_pkcs15_encode_pubkey_ec: returning with: 0 (Success)
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 94498408565504: CKA_EC_POINT = 04820180E7D7A61073CE87722A6872FD0FA0BC3F1D240EAF3DBB8B4FFBF96053
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] framework-pkcs15.c:4925:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 94498408565504: CKA_EC_PARAMS = 06052B81040022
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] pkcs11-object.c:294:C_GetAttributeValue: C_GetAttributeValue(hSession=0x55f22010f680, hObject=0x55f220130b00) = CKR_OK

After this my code raises exception that the EC POINT is not correctly formated.
but when it is OK I see:

P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] pkcs15-pubkey.c:684:sc_pkcs15_encode_pubkey_ec: called
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] asn1.c:1826:asn1_encode_entry: encoding 'ecpointQ'
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] asn1.c:1831:asn1_encode_entry: type=4, tag=0x04, parm=0x55734dc56bd0, len=97
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] asn1.c:2024:asn1_encode_entry: length of encoded item=99
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] pkcs15-pubkey.c:688:sc_pkcs15_encode_pubkey_ec: returning with: 0 (Success)
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 93953717218000: CKA_EC_POINT = 046104E7D7A61073CE87722A6872FD0FA0BC3F1D240EAF3DBB8B4FFBF9605368
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] framework-pkcs15.c:4925:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 93953717218000: CKA_EC_PARAMS = 06052B81040022
P:5739; T:0x140685497434112 20:08:24.849 [opensc-pkcs11] pkcs11-object.c:294:C_GetAttributeValue: C_GetAttributeValue(hSession=0x55734df0ba30, hObject=0x55734df0aad0) = CKR_OK

This example is for EC key (384 bits).Both should be on the same key.

[dengert]

I am not sure what you mean by: "OK. I've prepared for #3000, but am not sure if result from ASN.1"

The trace does not show enough to see what was read from card.
Or are you calling this routine from somewhere else.
How did you get to sc_pkcs15_encode_pubkey_ec?

Did you take the code from #3000 which may not be complete?
Note: the 2 strings have most of the same bytes: starting at E7 to 53.

04820180E7D7A61073CE87722A6872FD0FA0BC3F1D240EAF3DBB8B4FFBF96053
  046104E7D7A61073CE87722A6872FD0FA0BC3F1D240EAF3DBB8B4FFBF9605368

Both strings start with 04 which is ASN1 for OCTET STRING and breaks down as:

Tag 04 Octet String
Length 61 (decimal 97 97-1=96 ; 96/2=48)
looks like EC compression byte 04?
X and Y of length 48: but should be 32 bytes each based on (length -1)/2

X=E7D7A61073CE87722A6872FD0FA0B too short
Y=C3F1D240EAF3DBB8B4FFBF9605368

If you don't have a copy of: "A Layman`s Guide to a Subset of ASN.1, BER and DER" find on internet.

[msetina]

I am sorry for confusion by answering to new code and data from my test with debug log.
The code I am runing is with OpenSC 0.25.1 . I copied what I thought was enough to see the difference in CKA_EC_POINT. Here are full logs.
opensc-debug_ec.txt
opensc-debug_ec_bad.txt

I found the Laymans guide on the internet. On the other hand the other one 048201 is not in the same form as the other one. I was expecting the for 04|X|Y as you are describing, but I got 01

[msetina]

What is strange to me is that I got different encodings for the same thing.

[msetina]

I cut out as much as I was bothered by this:

P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:1826:asn1_encode_entry: encoding 'ecpointQ'
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:1831:asn1_encode_entry: type=4, tag=0x04, parm=0x55f220130410, len=384
P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:2024:asn1_encode_entry: length of encoded item=388

why would len be 384?

[metsma]

Here is another must have tool for asn1 debugging https://lapo.it/asn1js/

[dengert]

Length of key in bits

…

On Thu, Apr 18, 2024, 4:11 PM msetina ***@***.***> wrote: I cut out as much as I was bothered by this: P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:1826:asn1_encode_entry: encoding 'ecpointQ' P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:1831:asn1_encode_entry: type=4, tag=0x04, parm=0x55f220130410, len=384 P:5584; T:0x140319610138624 20:04:39.327 [opensc-pkcs11] asn1.c:2024:asn1_encode_entry: length of encoded item=388 why would len be 384? — Reply to this email directly, view it on GitHub <#3124 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGTIMMUGY4JLCGSXGVSALLY6AZI3AVCNFSM6AAAAABGNSZA6WVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TCNJZGY4DQ> . You are receiving this because you commented.Message ID: ***@***.***>

[dengert]

In https://github.com/OpenSC/OpenSC/files/15030306/opensc-debug_ec.txt

Duing a session to create a key
lines 1943 to 1983 the code read the b600 openpgp object for an existing object:

Incoming APDU (104 bytes):
7F 49 63 86 61 04 E7 D7 A6 10 73 CE 87 72 2A 68 .Ic.a.....s..r*h
72 FD 0F A0 BC 3F 1D 24 0E AF 3D BB 8B 4F FB F9 r....?.$..=..O..
60 53 68 8E E5 2C 62 BA 5F CE F6 59 12 6B 7F 8F `Sh..,b._..Y.k..
60 DD 8C AF B8 E2 18 E8 89 2B AD 1F 62 F8 11 D8 `........+..b...
26 0C 0E D2 F7 B9 75 13 0E D6 32 33 74 0D 71 30 &.....u...23t.q0
FE BD CC 1C C4 B8 57 70 22 A8 8F 3B B2 AA B3 24 ......Wp"..;...$
25 58 EA 44 E5 1F 90 00                         %X.D....

If you strip off the TLV and APDU status of 90 00 you get 0x61 bytes:

04 E7 D7 A6 10 73 CE 87 72 2A 68 
72 FD 0F A0 BC 3F 1D 24 0E AF 3D BB 8B 4F FB F9 
60 53 68 8E E5 2C 62 BA 5F CE F6 59 12 6B 7F 8F 
60 DD 8C AF B8 E2 18 E8 89 2B AD 1F 62 F8 11 D8 
26 0C 0E D2 F7 B9 75 13 0E D6 32 33 74 0D 71 30 
FE BD CC 1C C4 B8 57 70 22 A8 8F 3B B2 AA B3 24 
25 58 EA 44 E5 1F

This is the 04||X||Y for the curve 'secp384r1' (lines 2030-2032)

(384/2=48= 0x30 the length in bytes for X and for Y
The length (0x61 - 1)/2 = 0x30 = 48 so the length is correct.

In opensc-debug_ec_bad.txt when not creating a key but running some other command?

lines 2418 and following it read:

Incoming APDU (104 bytes):
7F 49 63 86 61 04 E7 D7 A6 10 73 CE 87 72 2A 68 .Ic.a.....s..r*h
72 FD 0F A0 BC 3F 1D 24 0E AF 3D BB 8B 4F FB F9 r....?.$..=..O..
60 53 68 8E E5 2C 62 BA 5F CE F6 59 12 6B 7F 8F `Sh..,b._..Y.k..
60 DD 8C AF B8 E2 18 E8 89 2B AD 1F 62 F8 11 D8 `........+..b...
26 0C 0E D2 F7 B9 75 13 0E D6 32 33 74 0D 71 30 &.....u...23t.q0
FE BD CC 1C C4 B8 57 70 22 A8 8F 3B B2 AA B3 24 ......Wp"..;...$
25 58 EA 44 E5 1F 90 00

04 E7 D7 A6 10 73 CE 87 72 2A 68 
72 FD 0F A0 BC 3F 1D 24 0E AF 3D BB 8B 4F FB F9 
60 53 68 8E E5 2C 62 BA 5F CE F6 59 12 6B 7F 8F 
60 DD 8C AF B8 E2 18 E8 89 2B AD 1F 62 F8 11 D8 
26 0C 0E D2 F7 B9 75 13 0E D6 32 33 74 0D 71 30 
FE BD CC 1C C4 B8 57 70 22 A8 8F 3B B2 AA B3 24 
25 58 EA 44 E5 1F 

The same '04||X||Y' as before.
But at line 2444:

P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] card-openpgp.c:1250:pgp_enumerate_blob: Invalid ASN.1 object
looking to b800 and not finding it goes to read it. 


P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] card-openpgp.c:1624:pgp_get_pubkey: called, tag=b800
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] apdu.c:550:sc_transmit_apdu: called
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] card.c:471:sc_lock: called
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] apdu.c:515:sc_transmit: called
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] apdu.c:367:sc_single_transmit: CLA:0, INS:47, P1:81, P2:0, data(2) 0x7ffcd30e8256
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit: reader 'Gemalto PC Twin Reader (83D1F902) 00 00'
P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] reader-pcsc.c:325:pcsc_transmit: 
Outgoing APDU (11 bytes):
00 47 81 00 00 00 02 B8 00 20 00 .G....... .

P:5584; T:0x140319610138624 20:04:39.149 [opensc-pkcs11] reader-pcsc.c:244:pcsc_internal_transmit: called
P:5584; T:0x140319610138624 20:04:39.156 [opensc-pkcs11] reader-pcsc.c:334:pcsc_transmit: 
Incoming APDU (2 bytes):
6A 88 j.

6A 88 is Referenced data or reference data not found (exact meaning depending on the command)

What commands and arguments did you use for these two runs?

The ATR of your card is: 3b:da:18:ff:81:b1:fe:75:1f:03:00:31:f5:73:c0:01:60:00:90:00:1c

https://smartcard-atr.apdu.fr/ says "OpenPGP Card V3"
Where did you get this Card?
Did you load the OpenPGP applet on the card your self?

Most testing of OpenPGP cards are Yubikey or Nitro. So applets may vary.

Also note PKCS11 only supports one user PIN for a slot. OpenPGP has two user keys , and PKCS11 so OpenSC uses 2 slots.
Run these to see what is in each slot: pkcs11-tool --slot 0 -O and pkcs11-tool --slot 1 -O

[msetina]

The https://github.com/OpenSC/OpenSC/files/15030306/opensc-debug_ec.txt is a run whe the key is not created but just read by CKA_ID.
After that the certificate is created from public key, then signed with the private key and then written to the card.
THe run for opensc-debug_ec_bad.txt wants to combine generation of the key and creation of the certificate. As it stands this procedure fails when trying to read the public key as it can not read the data for it properly. It expects to get ByteString and in it the 04|X|Y structure.
I made the https://github.com/OpenSC/OpenSC/files/15030306/opensc-debug_ec.txt to get the difference of getting the public key data from the card in contrast to how it is after the key generation.
I one test run I made 30s sleep after generation the key, but it did not help. This is why my question is as it is. It looks to me that card need something to prepare the public key. The same happens for RSA Key as mentioned. In that case I get data for public key htat is 1 byte longer.

3082010b02820101008376c31aa92a7175c01a753d73b7975e8f4613b7cb9fef13a4ae1c13a1fcbe82d41b544fd238731c932d283a63f5912d20bc0d2581f3ef29c69515f6d07a0d5a40aa744f213b3f7a79af4d34a31b00cb33b1b512080fceb3eb65cadb739451d3a2606c1ff1dea73820dab7e3d867cd12bc8baa2e8ed35c135699cae20046b7e7bd4bf907b93609ad5657f42ae59e43fdbca6d1631cb218e1c02e07b0617b5f7c5d15bb37c24e5aa52520048be96fbd97c6cdd5ddca98ee3508fcef8fa234abf3ae68485bad1cbf46ba17e698da521286fb5f5d33867d774c33f53541e2f7b86ef902e1b224d5718ebfdbd098040f246d9c777f66b43dd4f82434bf5c3a3e33c9020400010001

The value that cryptoraphy is capable of reading into pubic key is one byte shorter:

3082010a02820101008376c31aa92a7175c01a753d73b7975e8f4613b7cb9fef13a4ae1c13a1fcbe82d41b544fd238731c932d283a63f5912d20bc0d2581f3ef29c69515f6d07a0d5a40aa744f213b3f7a79af4d34a31b00cb33b1b512080fceb3eb65cadb739451d3a2606c1ff1dea73820dab7e3d867cd12bc8baa2e8ed35c135699cae20046b7e7bd4bf907b93609ad5657f42ae59e43fdbca6d1631cb218e1c02e07b0617b5f7c5d15bb37c24e5aa52520048be96fbd97c6cdd5ddca98ee3508fcef8fa234abf3ae68485bad1cbf46ba17e698da521286fb5f5d33867d774c33f53541e2f7b86ef902e1b224d5718ebfdbd098040f246d9c777f66b43dd4f82434bf5c3a3e33c90203010001

Which is strange as by online DER parser they should be the same, just the last one has a shorter exponent field. THe one it does not want to read has 010b, but the one it wants to read has 010a in the "head" section (I could not find the meaning of those two)

I got the card here:
https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.4

token label        : OpenPGP card (User PIN (sig))
  token manufacturer : ZeitControl
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4

They prepared the card and it still has the original user and SO pin.
In this case I have only the key 0x01, but I was able to make all three with the procedure tht does not make the certificate and if I run the procedure that prepares the certificates separately (that is the one that produces this https://github.com/OpenSC/OpenSC/files/15030306/opensc-debug_ec.txt) i was able to produce the two certificates. The third can not self sign as it is only for encryption.

[msetina]

With a little intuitive revolation I made it work in multiple processes where it generates key in one process and creates certificate with public key retrieval in another. This execution does not retrieve public key data in the problematic way I saw before.

[dengert]

Good to hear you have a circumvention.
It is not clear why in one case the the exponent is listed as 0400010001 looks like length is 4 with exponent 00010001 and other is 03010001 length 3 with exponent 010001 which are saying the exponents are the same commonly used exponent.

What would be helpful if you were to post the data read from the card in both cases.

It might be the card knows it is an RSA modules followed by a length byte and exponent. And card handles adding/removing leading zero bytes, but when read from the card it always truncates or pads to 4 bytes. This could also happen in software if exponent was stored in OpenSSL BIGNUM and the BIGNUM is stored without leading zeros. "BN_num_bytes() returns the size of a BIGNUM in bytes."

[msetina]

Here they are:
opensc-debug_rsa.txt
opensc-debug_rsa_bad.txt

[dengert]

Also sounds a lot like #1959

[dengert]

What is your ultimate goals for your project?

OpenSC supports many smartcards in a user only mode, for example government issued ID cards. But OpenSC does not support in many cases, initialization and provisioning of cards by users. OpenSC has some special tools for some of these cards.
But many features for some cards are only supported by card vendor tools. GnuPG has such a tool.
And PKCS11 full support for many of these cards in not supported.

You are using an OpenPGP ZeitControl card for your testing. OpenSC support to erase the card is available via pkcs15-init, but via not PKCS11. And OpenSC cards have a number of fields that can read by PKCS11 but not written even by pkcs15-init. Many supported cards are based on PKCS15, and other like OpenPGP are not.

So far all the issues you have found are related to OpenPGP with ZeitControl and PKCS11 using a card with a version of OpenPGP that I am not familiar with. Other developers or users may have these cards.

I have been working on another issue #2952 and PR #3090 as OpenPGP was any early adopter of 25519 curves. The PR is big and needs testing before making even more changes to OpenSC to support what you are requesting via PKCS11.

If you want to get involved with OpenSC please have a look at #3090.

[msetina]

My main goal is to get https://github.com/pyca/cryptography to be usable with PKCS11. I first wanted XML signing, now when I have OpenPGP card for my other state provided cert and I am using one OpenPGP card to clean up this kind of issues. There is still one issue for writing key to the card that has a problem of overreleasing memory on writing private key(that is what PKCS15-init says and also using PKCS11 CreateObject reports before core dump).
When I stubled upon this question, I was preparing a script for preparing all keys on a card and equip them with certificates.

I'll look at those and chime in if I can help.

[dengert]

What would be helpful is to use OpenSC-SPY to show the PKCS11 calls and responses.

I see C_FindObjectsInit(): CKA_CLASS = CKO_PUBLIC_KEY and request to get CKA_VALUE

BUT...

https://github.com/OpenSC/OpenSC/blob/master/src/pkcs11/framework-pkcs15.c#L5030-L5038
"* PKCS#11 does not define a CKA_VALUE for a CKO_PUBLIC_KEY."

#3090 adds CKA_PUBLIC_KEY_INFO: which is define in PKCS11 3.0 which is the same as the OPENSC define CKA_SPKI

If you look at key type, there are other ways to get a CKA_EC_POINT, CKA_MODULUS, etc for different type keys if you need them.

https://github.com/OpenSC/OpenSC/files/15040309/opensc-debug_rsa.txt line 3656:

T:0x139929353580544 22:09:12.431 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 94276059045568: CKA_VALUE = 3082010B02820101008376C31AA92A7175C01A753D73B7975E8F4613B7CB9FEF

This is the SPKI of the public key, from lines starting at 3277 and from lines starting at 2955

The term "public key" is over loaded and has different means in different contexts.

In PKCS11 3.0: CKO_PUBLIC_KEY has: CKA_PUBLIC_KEY_INFO
Byte array DER-encoding of the SubjectPublicKeyInfo for this public key. (MAY be empty, DEFAULT derived from the underlying public key data)

The card appears to be working as expected.

[msetina]

Thank you. I see that I need to check my calls to spec.( Not all examples are made the same.) WIll check CKA_PUBLIC_KEY_INFO when it is done. Switching to CKA_MODULUS and CKA_PUBLIC_EXPONENT is simple as cryptography has a simple clear path for it and it also reduces number of different retrieval ways for same data. I already changed the test as softHSM returns null for CKA_VALUE and I blamed softHSM. Now I see the problem was my call.
For the problem at hand I suspect that there is some global context that messes up (so they behave different than normal) calls after generating key. I'll make a minimal example to try to get to the bottom of it. I wonder which of the if branches in CKA_VALUE for RSA produced each of different results. On the other hand the result from CKA_EC_POINT looks deeper.

[msetina]

Her is simple EC example with debug and spy trace:
opensc-debug_ec.txt
logfile_ec.txt
opensc-debug_ec_bad.txt
logfile_EC_bad.txt

[msetina]

It looks like that card returns 388 bytes for public key in a format I can not recognize. If the call for public key data is in a new session, The card returns expected 99 bytes for public key as a uncompressed XY fro Q point.

[msetina]

048201809d383fcaa2883d14facd9509bed3b5e9cf7bc2c8839abafaf597541130c00075cdd8371bfde2bb1aaa4a4f149d7f4e53d0512b25a3fff3d715bad651c51f1e88e99256cf4348285a5ea67596b4f73b0ff0130540e6501f98a32447219bee2dcfcdd80000000000000101000000000000431000000000000000010000000000000902000000000000002800000000000003000000ffffffff5800000000000000503a9754a57f0000000000000000000000000000000000000000000000000000a03a9754a57f000070319754a57f0000302e9754a57f000050299754a57f000020389754a57f0000a0309754a57f0000302b9754a57f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003057e54e4a560000a0269754a57f0000202d9754a57f0000310000000000000043100000000000005502000000000000

[dengert]

Looks like some caching issue and/or compounded by bits vs bytes. in 04 82 0180 82 says 2 bytes for length 0x0180 which is 384 decimal looks more like the key size was used.

This is not on my priority list, but will keep an eye on it.

[msetina]

By not using CKA_VALUE the problem with RSA key is out of scope. If you want I can prepare the same for CKA_VALUE or will it be set to null in the future?