vsmartcard
¿Possible integration with SoftHSM?
Hi. My apologies if it is completely off-topic. VSMartCard works very well and I think it is a pretty good job. Combined with USB CCID it opens lots of possibilities.
I tested several virtual cards (Jcardsim with IsoApplet, OpenPGP, CAC, etc.) but their support of crypto algorithms is quite limited. In this sense, SoftHSM is full of features and mechanisms. However, it only runs on local machines (or remotely via PKCS#11 proxies). I do not see how to expose SoftHSM via USB CCID.
OpenPGP cards are focused on personal keys and not on HSM functions, even though v3.4 supports RSA-4096, AES or ECC. In this sense, perhaps the SC-HSM specs could be more suitable, but I did not find any SC-HSM emulator.
Do you know if a similar project exists? Or a "virtual PKCS#11 card"? Maybe it is nonsense.
Thanks and sorry if it is off-topic.
For any card or token that you want to use, you need some middleware on the PC where you use it. This piece of middleware is your PKCS#11 library.
USB CCID provides a transport layer to communicate with your token, but it doesn't specify how to use your token. The latter part is coded in the PKCS#11 library. So with USB CCID, you can't avoid installing additional software on your PC.
You could implement a PKCS#11 proxy to pipe the communication through USB CCID rather than through the network. The PKCS#11 library could access the USB CCID reader via PC/SC, send the serialized PKCS#11 request from the PC with SCardTransmit to the CCID emulator, and the CCID emulator (or some software behind it) unpacks the request and calls SoftHSM (or any other PKCS#11 module). The response is then serialized again and sent back to the PC.
Thanks for the pointer @frankmorgner. Based on your comment, I adapted pkcs11-proxy to use PC/SC and communicate with the CCID emulator. At the same time, I modified the CCID emulator to bypass the XfrBlock processing, forwarding to the pkcs11-proxy daemon.
However, a card (virtual or not) has to be inserted. I used virt_cacard or jcardsim and when they are inserted, all works properly. Obviously, using virtual cards is useless as the XfrBlock processing is bypassed, but they help to manage all the Icc functions.
Is there a way to fake the Icc procedures in order to go without any virtual card?
Actually, I thought of something a little different.
Imagine pkcs11-proxy receives `C_GetInfo` from the application (1). My idea was to serialize `C_GetInfo` and its arguments (2), and send this request with SCardTransmit to the ccid-emulator via USB (3). ccid-emulator de-serializes `C_GetInfo` and its arguments (4) and sends the very same request to an attached PKCS#11 module (5). ccid-emulator's PKCS#11 module should be loaded at runtime, so that you can directly use SoftHSM, for example. The responses from ccid-emulator's PKCS#11 module are again forwarded through USB and CCID to pkcs11-proxy. In effect, you don't have any additional work in terms of PKCS#11 except for (de-)serializing, because the proxy directly communicates with a real module on the other end. On the PC/SC level, however, you just say that a card is always present (`detect_card_presence(void)`) and on request you return a dummy ATR (`get_RDR_to_PC_SlotStatus()`).
Note that you should encode your serialized data with `0xFF` at the beginning, which is used for reader escape commands and which is ignored by cards that are ISO 7816-compliant.
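The framing described in this comment, as an added example that is not part of the thread or of vsmartcard/pkcs11-proxy: a `0xFF`-prefixed wire format for serialized PKCS#11 calls, the emulator-side decoder that rejects anything not carrying the escape prefix (so a plain ISO 7816 APDU is never mistaken for a proxy request), and a dispatcher that hands the call to whatever module is loaded. The function-id table and the length-prefixed argument layout are assumptions of this example; only `CKR_OK` and `CKR_FUNCTION_NOT_SUPPORTED` are real PKCS#11 values.

```python
import struct

ESCAPE = 0xFF  # reader escape prefix from the comment; ISO 7816 cards ignore it
CKR_OK = 0x00000000
CKR_FUNCTION_NOT_SUPPORTED = 0x00000054
# Assumed function-id assignment for this example (not a PKCS#11 standard).
FUNCS = {"C_GetInfo": 0x01, "C_GetSlotList": 0x02, "C_GetTokenInfo": 0x03}
FUNC_NAMES = {v: k for k, v in FUNCS.items()}


def encode_request(func, args=()):
    """Frame a call as: FF | func id | arg count | (len16 | arg bytes)*."""
    if func not in FUNCS:
        raise ValueError(f"unknown PKCS#11 function {func}")
    out = bytearray([ESCAPE, FUNCS[func], len(args)])
    for a in args:
        if len(a) > 0xFFFF:
            raise ValueError("argument too long for 16-bit length prefix")
        out += struct.pack(">H", len(a)) + a
    return bytes(out)


def decode_request(frame):
    """Emulator side: parse a frame, refusing non-escape APDUs and malformed input."""
    if len(frame) < 3 or frame[0] != ESCAPE:
        raise ValueError("not an escape-prefixed proxy frame; pass to the card path")
    fid, n_args = frame[1], frame[2]
    if fid not in FUNC_NAMES:
        raise ValueError(f"unknown function id 0x{fid:02x}")
    args, pos = [], 3
    for _ in range(n_args):
        if pos + 2 > len(frame):
            raise ValueError("truncated argument length")
        (length,) = struct.unpack_from(">H", frame, pos)
        pos += 2
        if pos + length > len(frame):
            raise ValueError("truncated argument body")
        args.append(bytes(frame[pos:pos + length]))
        pos += length
    if pos != len(frame):
        raise ValueError("trailing bytes after last argument")
    return FUNC_NAMES[fid], args


def handle_request(frame, module):
    """Decode, call the loaded module, and frame the reply as FF | CKR (4 bytes) | data."""
    func, args = decode_request(frame)
    impl = module.get(func)
    rv, data = impl(*args) if impl else (CKR_FUNCTION_NOT_SUPPORTED, b"")
    return bytes([ESCAPE]) + struct.pack(">I", rv) + data


# Constructed stand-in for a runtime-loaded module; a real build would call SoftHSM here.
SAMPLE_MODULE = {"C_GetInfo": lambda: (CKR_OK, b"SoftHSM-like module")}
```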