Re: [Muscle] Questions about musclecard

From: Nick Sayer (nsayerkfu.com)
Date: Tue Feb 23 2010 - 11:34:19 CST


So the patch that I needed to apply to make it work (which is still required) is this:

--- p11_object.c.orig 2008-05-31 09:24:52.000000000 -0700
+++ p11_object.c 2010-02-23 09:18:42.000000000 -0800
-378,11 +378,28
             }
             else
             {
+ if (pTemplate[i].type == 0x103) {
+ log_Log(LOG_LOW, "Got expected error, faking a 103 attribute (TRUE)");
+ pTemplate[i].ulValueLen = (CK_ULONG)1;
+ if (pTemplate[i].pValue != 0) {
+ ((char*)(pTemplate[i].pValue))[0] = 1;
+ }
+ rv = CKR_OK;
+ } else if (pTemplate[i].type == 0x162) {
+ log_Log(LOG_LOW, "Got expected error, faking a 162 attribute (FALSE)");
+ pTemplate[i].ulValueLen = (CK_ULONG)1;
+ if (pTemplate[i].pValue != 0) {
+ ((char*)(pTemplate[i].pValue))[0] = 0;
+ }
+ rv = CKR_OK;
+ } else
+ {
                 pTemplate[i].ulValueLen = (CK_ULONG)-1;
                 perm_rv = rv;
                 rv = CKR_OK;
             }
         }
+ }
 
         if ((rv == CKR_OK) && (perm_rv != CKR_OK))
             rv = perm_rv;
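
Review bot: In both added branches the write `((char*)(pTemplate[i].pValue))[0] = ...` happens after `pTemplate[i].ulValueLen` has already been overwritten with 1, so the length the caller supplied for its buffer is never checked. Compare the incoming ulValueLen against sizeof(CK_BBOOL) before writing, and return CKR_BUFFER_TOO_SMALL when it is smaller. The visible lines also do not restrict the fallback to a particular rv value or object class, so any failure that reaches this else path for these two attribute types is logged as "expected" and turned into CKR_OK; testing for the specific error the workaround is meant to cover would keep genuine failures visible. The literals 0x103 and 0x162 are the PKCS#11 values of CKA_SENSITIVE and CKA_EXTRACTABLE. Using the named constants, and CK_BBOOL with CK_TRUE/CK_FALSE instead of the char cast, would make it clear that the module reports sensitive=TRUE and extractable=FALSE without having read either value from the token.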

I don't say that's the best solution to the problem, but it is necessary for any activities that use a private key using the Sun PKCS11 provider configured to use libmusclepkcs11. The better solution, no doubt, would be to ensure that private keys actually *have* those attributes so that libmusclepkcs11 can find them.

It's also unclear to me why jarsigner only works with -sigalg specified. Even if I specify md5withrsa (which is supposed to be jarsigner's default), it *works*, but without any sigalg argument, it fails.

On Feb 23, 2010, at 1:39 AM, Nick Sayer wrote:

> Eureka.
>
> Just as I was about to give up, I wrote some sample code that signed a blob of crap with the private key and verified it against the cert. And it worked. So I wondered if the issue had something to do with the choice of signature algorithms.
>
> And sure enough
>
> jarsigner -sigalg sha256withrsa -storetype pkcs11 gpj.jar signer
>
> works.
>
> And jarsigner -verify gpj.jar also works.
>
> Unless there is some reason why such a signature would not be acceptable for things like webstart, I think that means that I could happily put a code signing cert and key on a smart card and leave it sitting on my desk except when I wanted to use it. Which is nice and secure.
>
>
>
> _______________________________________________
> Muscle mailing list
> Musclelists.musclecard.com
> http://lists.drizzle.com/mailman/listinfo/muscle
