vletoux / GidsApplet

Generic Identity Device Specification Applet

deleting keys not working

sebsca opened this issue · comments

Deleting keys does not work / leaves the card in a crippled state.

This is the log where I create a keypair on an empty device and try to delete it afterwards:

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)

$ pkcs11-tool --login --keypairgen --key-type rsa:2048
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: Private Key 00
ID: 75f9a87240334fdd08c43e54bd034539421cbd9f
Usage: decrypt, sign, unwrap
Access: none
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 75f9a87240334fdd08c43e54bd034539421cbd9f
Usage: encrypt, verify, wrap
Access: none

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 00
Usage: encrypt, verify
Access: none

$ pkcs11-tool --login --delete-object --type pubkey --id 00
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: Private Key 00
ID: 00
Usage: encrypt, verify
Access: none

$ pkcs11-tool --login --delete-object --type privkey --id 00
Using slot 0 with a present token (0x0)
Logging in to "GIDS card (UserPIN)".
Please enter User PIN:

$ pkcs11-tool -O
Using slot 0 with a present token (0x0)
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_GENERAL_ERROR (0x5)

Public Key Object; RSA 0 bits
label:
ID: 00
Usage: none
Access: none

GIDS applet does not work that way.
You'd better read the specification (https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn642100(v=vs.85) ) to understand that they are public/private key pairs, referenced in a cmapfile. In addition to that, certificates are saved as a special file, on a filesystem which is emulated.

The OpenSC driver clearly implemented these 3 steps:
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-gids.c#L1631-L1768

Trying to delete public / private keys separately is nonsense.

If you identify a problem, you'd better publish it on the OpenSC project rather than invoking a problem in the GIDS applet.
(which was implemented using this GIDS specification)
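As an added illustration (not code from GidsApplet or OpenSC) of why a GIDS key pair is one container rather than two separately deletable objects: the cmapfile mentioned above is a sequence of CONTAINER_MAP_RECORD entries from the minidriver specification, each naming one public/private pair together with its key sizes. The record layout is taken from that specification; the sample records, the GUID names and the delete_container helper are constructed here as an assumption about how a container is retired and may differ from what card-gids.c actually does.

```python
# Parse and edit a GIDS/minidriver "cmapfile". One CONTAINER_MAP_RECORD is
# 40 UTF-16LE WCHARs of container name, BYTE bFlags, BYTE bReserved,
# WORD wSigKeySizeBits, WORD wKeyExchangeKeySizeBits: 86 bytes, little-endian.
import struct
from typing import Dict, List

RECORD_FMT = "<80sBBHH"
RECORD_LEN = struct.calcsize(RECORD_FMT)          # 86
VALID_CONTAINER_FLAG = 0x01                        # CONTAINER_MAP_VALID_CONTAINER_FLAG
DEFAULT_CONTAINER_FLAG = 0x02                      # CONTAINER_MAP_DEFAULT_CONTAINER_FLAG


def build_record(name: str, flags: int, sig_bits: int, kx_bits: int) -> bytes:
    """Pack one record; struct pads the name with NULs up to 80 bytes."""
    return struct.pack(RECORD_FMT, name.encode("utf-16-le"), flags, 0, sig_bits, kx_bits)


def parse_cmapfile(data: bytes) -> List[Dict]:
    """One dict per record: a key pair is a single entry, never two objects."""
    if len(data) % RECORD_LEN:
        raise ValueError("cmapfile length is not a multiple of %d" % RECORD_LEN)
    out = []
    for idx in range(len(data) // RECORD_LEN):
        name, flags, _res, sig, kx = struct.unpack_from(RECORD_FMT, data, idx * RECORD_LEN)
        out.append({
            "index": idx,
            "name": name.decode("utf-16-le").split("\x00", 1)[0],
            "valid": bool(flags & VALID_CONTAINER_FLAG),
            "default": bool(flags & DEFAULT_CONTAINER_FLAG),
            "sig_key_bits": sig,
            "kx_key_bits": kx,
        })
    return out


def active_containers(data: bytes) -> List[Dict]:
    return [r for r in parse_cmapfile(data) if r["valid"]]


def delete_container(data: bytes, idx: int) -> bytes:
    """Retire container idx by clearing its whole record (assumption: OpenSC's
    bookkeeping may differ); both halves of the pair and the sizes go at once."""
    off = idx * RECORD_LEN
    if off + RECORD_LEN > len(data):
        raise IndexError("no such container")
    return data[:off] + bytes(RECORD_LEN) + data[off + RECORD_LEN:]


# Constructed sample cmapfile: a default key-exchange container and a signature one.
SAMPLE_CMAPFILE = (
    build_record("8f6f0a8b-1c3d-4e5f-9a2b-0c1d2e3f4a5b",
                 VALID_CONTAINER_FLAG | DEFAULT_CONTAINER_FLAG, 0, 2048)
    + build_record("0b3e1d2c-5a6f-4b7c-8d9e-1f2a3b4c5d6e", VALID_CONTAINER_FLAG, 2048, 0)
)
```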