
Add support for applet 1.8

Open yoe opened this issue 3 years ago • 3 comments

New ID card types are being issued in Belgium, with secp384r1 ECC keys rather than RSA ones and a new ATR. Update card-belpic.c to support those cards, too.

TODO: understand better how to select the correct algorithms for ECC. Help?

yoe avatar Jun 03 '21 11:06 yoe

EC keys can be used for signature (ECDSA) and for key derivation (ECDH). https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman

sc_format_oid does not format a curvename.

You are passing the pointer to the sc_object_id. This needs to be a static. Grep for _sc_card_add_ec_alg. You will note only ./card-myeid.c and ./card-openpgp.c pass an address of a static curve OID. Most other card drivers use NULL.

dengert avatar Jun 04 '21 00:06 dengert

@yoe was there any progress? I recently merged #2455 which added the ATR you used, but not the EC parts.

Jakuje avatar Nov 30 '21 11:11 Jakuje

> @yoe was there any progress?

Sorry, no. I've been too busy doing other things.

> I recently merged #2455 which added the ATR you used, but not the EC parts.

Thanks.

If someone else is interested in tackling this, the documentation on how the applet 1.8 cards act, and how they differ from the 1.7 ones, can be found at https://github.com/Fedict/eid-mw/blob/master/doc/sdk/documentation/Applet%201.8%20eID%20Cards/Public_Belpic_Applet_v1%208_Ref_Manual_v1%20.pdf

If nobody else manages, I might get around to doing this eventually, but given how busy I am with other things, don't hold your breath...

yoe avatar Nov 30 '21 11:11 yoe

What is the status of this pull request?

frankmorgner avatar Jun 06 '23 08:06 frankmorgner

Nothing has changed since my last comment on this PR.

I got stuck because the changes I made didn't work in ways that tell me that I don't really understand the internals of OpenSC very well, mostly because I haven't done much OpenSC work in the past (the one fire-and-forget patch that increased the RSA key length for applet 1.7 didn't really count), so in order to make this work I'd have to spend a lot of time that I don't really have to understand those bits.

I do have a pretty good understanding of how the Belgian eid works, so if someone wants to undertake this work I'm happy to help with testing and acting in an advisory capacity. I can maybe even set up some CI system that can interact with a card (although I'd have to confirm), but I'm not going to have the time to implement this myself anymore.

yoe avatar Jun 06 '23 11:06 yoe

Thanks for the update! We'll leave this open for now.

Speaking of CI testing, in OpenSC we are currently testing against a variety of smart card emulators. If there is some service or infrastructure to test the Belgian ID card, we would be happy to test against that in our CI pipeline...

frankmorgner avatar Jun 06 '23 12:06 frankmorgner

> Speaking of CI testing, in OpenSC we are currently testing against a variety of smart card emulators. If there is some service or infrastructure to test the Belgian ID card, we would be happy to test against that in our CI pipeline...

So.

We developed a robot that is able to insert/eject from a reader, and do the same with the reader and a USB cord. These allow us to do CI against actual hardware, also making sure that the code handles "the card is removed from the reader at the worst possible moment" well (we found bugs in such handling when we first installed this robot).

I'm happy to set up some system so that whoever looks at implementing belpic support is able to do some CI against these cards during development. I can't promise that this will be a long-term arrangement, however, and I can't help you with emulators because we don't have them.

yoe avatar Jun 14 '23 12:06 yoe

Closing this issue due to inactivity. Please re-open the ticket if more input is available.

frankmorgner avatar Jan 30 '24 16:01 frankmorgner