Hi, sorry, I'm not on the list, so please answer directly. I use opensc-0.7.0 and pcsc-lite-1.1.1 under FreeBSD 4.6 with Gemplus 410 and 430 smartcard readers and Schlumberger cryptoflex smartcards. I used openssh-3.2.2p1 but the relevant file scard-opensc.c is unchanged in 3.4. RSA authentication to a remote host running opensshd did not work with the smartcard. Investigating the problem I found, that the signature is not ASN1 encoded, when using smartcards. The following diff solves the problem:
*** ../openssh-3.2.2p1.orig/scard-opensc.c Tue Apr 23 14:48:46 2002
--- ./scard-opensc.c Sat Jul 20 19:32:19 2002
***************
*** 89,94 ****
--- 89,98 ----
r = sc_establish_context(&ctx, "openssh");
if (r)
goto err;
+ if (sc_reader_id < 0 || sc_reader_id >= ctx->reader_count) {
+ r = SC_ERROR_NO_READERS_FOUND;
+ goto err;
+ }
r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card);
if (r)
goto err;
***************
*** 190,212 ****
unsigned char *sigret, unsigned int *siglen, RSA *rsa)
{
struct sc_pkcs15_object *key_obj;
! int r;
unsigned long flags = 0;
r = sc_prkey_op_init(rsa, &key_obj);
! if (r)
! return -1;
/* FIXME: length of sigret correct? */
/* FIXME: check 'type' and modify flags accordingly */
! flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA1;
r = sc_pkcs15_compute_signature(p15card, key_obj, flags,
! m, m_len, sigret, RSA_size(rsa));
sc_unlock(card);
if (r < 0) {
error("sc_pkcs15_compute_signature() failed: %s",
sc_strerror(r));
goto err;
}
*siglen = r;
return 1;
err:
--- 194,253 ----
unsigned char *sigret, unsigned int *siglen, RSA *rsa)
{
struct sc_pkcs15_object *key_obj;
! int i, j, r;
unsigned long flags = 0;
+ X509_SIG sig;
+ X509_ALGOR algor;
+ ASN1_TYPE parameter;
+ ASN1_OCTET_STRING digest;
+ unsigned char *p,*s = NULL;
r = sc_prkey_op_init(rsa, &key_obj);
! if (r) {
! error("sc_prkey_op_init failed: %s",
! sc_strerror(r));
! return 0;
! }
!
! debug3("inlength %d\n", m_len);
! sig.algor= &algor;
! sig.algor->algorithm=OBJ_nid2obj(type);
!
! parameter.type=V_ASN1_NULL;
! parameter.value.ptr=NULL;
! sig.algor->parameter= ¶meter;
!
! sig.digest= &digest;
! sig.digest->data=m;
! sig.digest->length=m_len;
!
! i=i2d_X509_SIG(&sig,NULL);
!
! debug3("x509 sig inlength %d\n", i);
!
! j=RSA_size(rsa);
! if ((i-RSA_PKCS1_PADDING) > j) {
! error("too big %d %d",i-RSA_PKCS1_PADDING,j);
! return 0;
! }
!
! s=xmalloc(RSA_size(rsa)+1);
! p=s;
! i2d_X509_SIG(&sig,&p);
!
!
! /* FIXME: length of sigret correct? */
/* FIXME: check 'type' and modify flags accordingly */
! flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE;
r = sc_pkcs15_compute_signature(p15card, key_obj, flags,
! s, i, sigret, RSA_size(rsa));
sc_unlock(card);
if (r < 0) {
error("sc_pkcs15_compute_signature() failed: %s",
sc_strerror(r));
goto err;
}
+ debug3("sc_sign %d\n", r);
*siglen = r;
return 1;
err:
Regards Juergen Weiss -- Juergen Weiss | Universitaet Mainz, Zentrum fuer Datenverarbeitung, weiss at uni-mainz.de| 55099 Mainz, Tel: +49(6131)39-26361, FAX: +49(6131)39-26407
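Review bot: The "too big" branch in the second hunk leaves with `return 0;` after `sc_prkey_op_init()` has succeeded, so it skips the `sc_unlock(card)` that the normal path performs; if `sc_prkey_op_init()` takes the card lock, as that later unlock suggests, the card stays locked on this path. The buffer from `s=xmalloc(RSA_size(rsa)+1);` is also never released on any path visible here, so an `xfree(s);` is needed before `return 1;` and on the failure path. The size test `(i-RSA_PKCS1_PADDING) > j` subtracts the padding-mode constant rather than the PKCS#1 padding overhead and lets a failed `i2d_X509_SIG()` through; `if (i <= 0 || i > j - RSA_PKCS1_PADDING_SIZE)` would reject both an encoding error and a DigestInfo that cannot fit the modulus. The result of `OBJ_nid2obj(type)` is used without a NULL check, so an unrecognised `type` is encoded rather than refused. The function begins before the hunk and the `err:` block continues past it, so any cleanup done there is not visible.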