X25519 improvements 2 in PKCS11-tool, PKCS15 routines and tools and openpgp

[dengert]

Now that 0.25.0 has been released, this PR is being resubmitted and rebased on current master.
Fixes: #2952 which explains most of what was done.

It also addresses #3000 in that it can accept a CKA_EC_POINT as either in a ASN.1 BIT STRING or OCTET STRING but currently only return CKA_EC_POINT in ASN.1 OCTET STRING. It also add support for CKA_PUBLIC_KEY_INFO which is SPKI format.

It also add support for all four curves defined in RFC 8410 and and maps the uses of the experimental OIDs to these official OIDs in OpenSC, and in card-opensc.c that will still write the old OIDs to the cards as needed.

Individual commits have additional information.

Tested using using Yubikey NFC and Nitro Start tokens which only use the old OIDs and do not yet support the X448 keys.
-->

Checklist

• Documentation is added or updated
• New files have a LGPL 2.1 license statement
• PKCS#11 module is tested
• Windows minidriver is tested
• macOS tokend is tested

[Jakuje]

before merging we will certainly need to remove the debugging variables like this.

[dengert]

This is the outstanding question of #3000 Did OpenSC return the CKA_EC_POINT in the wrong ASN.1?
It also looks like other packages followed our lead. This would not be easy to fix. The remedy is to use the CKA_PUBKEY_KEY_INFO as SPKI introduced in KCS11 2.40.

Other commits in this PR adds CKA_PUBKEY_KEY_INFO to OpenSC and will accept CKA_EC_POINT in either BIT STRING or OCTET STRING.

[Jakuje]

I would say that given that we believe the right format should be the bit string, we should output bit string and properly test it with other applications that might expect the other way round and fix them, ideally early in the release cycle. Having this in the code comment should be quite enough. Other option might be to provide some environment variable or configuration option for backward compatibility to satisfy unfixed applications.

Reading through this, I think having a configuration option to revert would be likely the best.

[dengert]

I am afraid that OpenSC was one of the first smartcard pkcs11 project to include ECDSA and got it wrong and other projects picked up on it.

You at RedHat have contacts with p11-kit and PKCS11 OASIS people. Can you ask them if we got to wrong, and what it would to convert? Or is the solution for every one to use CKA_PUBLIC_KEY_INFO that returns a SPKI format.

[Jakuje]

I had some discussion on the OASIS PKCS#11 mailing list to get the format clarified, but as far as I remember, they were not able to provide much more clarity (I do not follow the discussions there much now)

There was recently exactly this topic discussed here:

https://lists.oasis-open.org/archives/pkcs11/202310/msg00008.html

There seems to be some changes in the PKCS#11 3.1.

Let me know if there is something else to bring up there.

[Jakuje]

needless if(x) free(x). Please remove the needless if here, similarly as it was done in the eddsa case.

[dengert]

Just following the coding style in the routine which does the same for RSA, GOST and EC.

a7a524be1c (Doug Engert         2023-12-08 20:18:51 -0600 1169)         case SC_ALGORITHM_EDDSA:
a7a524be1c (Doug Engert         2023-12-08 20:18:51 -0600 1170)         case SC_ALGORITHM_XEDDSA:

I can remove all the needless if if you want..

[Jakuje]

Yes please. This was common antipatern in the past and in a lot of places, probably making people feel safer, but there is not a single case when this would be useful for anything

[Jakuje]

I think ecdsa does can not do wrapping either so these should go away too.

[Jakuje]

can we have this abstraction in compat-ossl header file?

[dengert]

Could be eliminated. OpenSC 1.1.1 and others define function EVP_PKEY_id

OpenSC 3.0, 3.1, 3.2 and 3.3 and above define function EVP_PKEY_get_id but have this define: #define EVP_PKEY_id EVP_PKEY_get_id

I will go ahead and use the EVP_PKEY_id

[dengert]

@Jakuje thanks for the review. I rebased with all the typos and minor changes as "fixup" and resolved those conversations. There are still a few that I left for further comments.

[Jakuje]

Thank you for the prompt reply and addressing the most important issues. I think this is a good start. But we need to catch the corner cases that now make the fuzzer fail, fix to todos ... but good to see all the other tests work for now.

[dengert]

@Jakuje @frankmorgner "The Check Code Style / build (pull_request)" yshui/git-clang-format-lint@master produced a 1052 line diff file for the 9 source files changed by this PR.

Many of the changes are to pre existing code, especially to "ec_curve" and other tables that have been formatted for easy reading and to code I did not change.

I would like to propose, that for these tables, we use // clang-fromat off and // clang-fromat on and I would like to submit a separate PR for these 9 files based on current master so any changes in this PR #3090 are then based on the new coding style.

Any ideas.

(Also have fix for the bug found by fuzzing.)

[Jakuje]

@Jakuje @frankmorgner "The Check Code Style / build (pull_request)" yshui/git-clang-format-lint@master produced a 1052 line diff file for the 9 source files changed by this PR.

With large PRs there will always be some reformatting and better to do it per small parts than all code base as it was in the clang format, which had much more files and much more LoC changes.

Many of the changes are to pre existing code, especially to "ec_curve" and other tables that have been formatted for easy reading and to code I did not change.

Yes, the formatter takes some contexts in to be able to format the new code.

I would like to propose, that for these tables, we use // clang-fromat off and // clang-fromat on and I would like to submit a separate PR for these 9 files based on current master so any changes in this PR #3090 are then based on the new coding style.

I am ok with keeping the tables in the clang-fromat off blocks as the clang does not handle well these large tables with our configuration. I am ok with separate reformatting PR, but keep in mind that some of the changes are just suggested (especially the long lines should be broken).

[dengert]

I am ok with keeping the tables in the clang-fromat off blocks as the clang does not handle well these large tables with our configuration. I am ok with separate reformatting PR, but keep in mind that some of the changes are just suggested (especially the long lines should be broken).

The part I did not like was it took multi-line if statements and made one long line.

[Jakuje]

The part I did not like was it took multi-line if statements and made one long line.

If you will split them manually (with correct breaking after operator and with correct indentation), it will not reformat them to long line anymore.

[Jakuje]

Code wise it looks good (few nits inline). But the openpgp test now fails, which does not look like a false positive. Can you check it?
Given this is a change in behavior, I would like to get this merged rather sooner than later so we have time to test it against other applications and tools before next release.

[Jakuje]

this is printable string. Should we be strict about the case or use the strncasecmp to ignore the case?

[dengert]

But "printable string" was added for "PKCS11 V 3.0 for experimental curves" possibly without registered OIDs to avoid some made up unregistered OID slipping in to general use which is worse then passing in a printable string for testing experimental curves without an OID. In that case it is up to the developer to define the string and we should not second guest if it is case sensitive or not.

The whole problem with 25519 curves was that to use PKCS11 required the use of an OID, and the experimenters used OIDs registered but in private OID space, (better then made up OIDs) but not good to have standards based on private OIDs.

So I would suggest leaving memcmp.

[frankmorgner]

Implementation-wise I only have some minor comments.

Regarding the backward compatibility, I don't have a good overview if we really need that. My feeling is that there may only be some experiments where this has been tried out. So maybe we don't need to support the old (and bad) format anymore.

[frankmorgner]

please integrate this comment to the one a couple of lines below to give it more context

[dengert]

Removed the comments as ec_curves_alt below is used to convert RFC 8410 OID to olde OIDs that are written to the card.

[frankmorgner]

Please remove the DEE identifier (git history has information about the author)

Also, please also add this very comment to the SC_ALGORITHM_XEDDSA block below

[dengert]

Removed comment and added the asn1_decode_ec_params, asn1_encode_ec_params,asn1_free_ec_params as needed.

[frankmorgner]

Please put this comment into a new line

[frankmorgner]

Instead of handling the ASN.1 buffer by hand in case 0x13, please use sc_asn1_read_tag directly.

[frankmorgner]

Please remove the DEE identifier. Also, I do not understand what the comments try to tell me. Please clarify the comment or remove it.

[frankmorgner]

please remove the DEE identifier

[frankmorgner]

Although this is a big jump, 3000 bits should be the recommended minimum key size nowadays

[frankmorgner]

could use some error checking on strdup

[dengert]

Thanks. A lot to keep me busy

…

On Mon, Apr 29, 2024, 2:58 AM Jakub Jelen ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In src/libopensc/pkcs15-pubkey.c <#3090 (comment)>: > + volatile int gdb_test = 0; /* so can reset via gdb for testing new way */ LOG_FUNC_CALLED(ctx); sc_copy_asn1_entry(c_asn1_ec_pointQ, asn1_ec_pointQ); - sc_format_asn1_entry(asn1_ec_pointQ + 0, key->ecpointQ.value, &key->ecpointQ.len, 1); + + if (gdb_test == 1) { + key_len = key->ecpointQ.len * 8; /* encode in bit string */ + sc_format_asn1_entry(asn1_ec_pointQ + 0, key->ecpointQ.value, &key_len, 1); + } else { + key_len = key->ecpointQ.len; + sc_format_asn1_entry(asn1_ec_pointQ + 1, key->ecpointQ.value, &key_len, 1); + } I had some discussion on the OASIS PKCS#11 mailing list to get the format clarified, but as far as I remember, they were not able to provide much more clarity (I do not follow the discussions there much now) There was recently exactly this topic discussed here: https://lists.oasis-open.org/archives/pkcs11/202310/msg00008.html There seems to be some changes in the PKCS#11 3.1. Let me know if there is something else to bring up there. — Reply to this email directly, view it on GitHub <#3090 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGTIMKGEAR7RIWIPSIE7S3Y7X4SFAVCNFSM6AAAAABFK7PMO6VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDAMRXG44DQNJZGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>