frankmorgner / openpace

Cryptographic library for EAC version 2

Home Page: http://frankmorgner.github.io/openpace/

License: GNU General Public License v3.0

Go 0.32% Java 0.38% Python 4.44% Ruby 0.24% Shell 1.00% C 81.71% Makefile 2.24% M4 3.31% SWIG 6.38%
eac certificate pace c openssl cryptography smartcard mrtd

openpace's Introduction

OpenPACE - Cryptographic library for EAC version 2

OpenPACE implements Extended Access Control (EAC) version 2 as specified in BSI TR-03110. OpenPACE comprises support for the following protocols:

  • Password Authenticated Connection Establishment (PACE): establish a secure channel with a strong key between two parties that only share a weak secret.
  • Terminal Authentication (TA): verify/prove the terminal's certificate (or rather certificate chain) and secret key.
  • Chip Authentication (CA): establish a secure channel based on the chip's static key pair, proving its authenticity.

Furthermore, OpenPACE also supports Card Verifiable Certificates (CV Certificates) as well as easy to use wrappers for using the established secure channels.

The handlers for looking up trust anchors during TA and CA (i.e. the CVCA and the CSCA certificates) can be customized. By default, the appropriate certificates will be looked up in the file system.

OpenPACE supports all variants of PACE (DH/ECDH, GM/IM), TA (RSASSA-PKCS1-v1_5/RSASSA-PSS/ECDSA), CA (DH/ECDH) and all standardized domain parameters (GFP/ECP).

OpenPACE is implemented as a C library and comes with native language wrappers for:

  • Python
  • Ruby
  • Javascript
  • Java
  • Go


Please refer to our project's website for more information.

License

License: GPL v3

Proprietary licensing is possible on request.

Tested Platforms

  • Windows
  • Linux (Debian, Ubuntu, SUSE, OpenMoko)
  • FreeBSD
  • Mac OS
  • Solaris
  • Android
  • Javascript

openpace's People

Contributors: adrianbunk, d0, ebfe, frankmorgner, psytester, rushonline

openpace's Issues

Compilation error: recipe for target 'libeac_la-ca_lib.lo' failed

Hi,
Installing OpenPACE 1.1, when using "make", I got the following:

make[4]: Entering directory '/root/installation/openpace/src'
CC libeac_la-ca_lib.lo
In file included from /usr/local/include/openssl/crypto.h:23:0,
from /usr/local/include/openssl/bio.h:20,
from /usr/local/include/openssl/err.h:21,
from eac_err.h:31,
from ca_lib.c:31:
/usr/local/include/openssl/safestack.h:159:1: error: unknown type name ‘ossl_unused’
DEFINE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
...
recipe for target 'libeac_la-ca_lib.lo' failed
Makefile:748: recipe for target 'libeac_la-ca_lib.lo' failed
make[4]: *** [libeac_la-ca_lib.lo] Error 1
make[4]: Leaving directory '/root/installation/openpace/src'
Makefile:1112: recipe for target 'all-recursive' failed
make[3]: *** [all-recursive] Error 1

Question: How may I correct it, knowing that the OS is a Debian, ARM64? Vagrant is only available for AMD

implicit declaration of some functions invalid [MacOS]

Expected behaviour

I'm trying to install the repository as following:

./configure
make
sudo make install

Due to the fact that I'm a Mac user I had a problem with make, but I solved it using make osx instead of make.
After performing
make osx
I get 5 errors and some warnings, for example:
cv_cert.c:551:11: error: implicit declaration of function 'RSA_set0_key' is invalid in C99 [-Werror,-Wimplicit-function-declaration] check(RSA_set0_key(rsa,
For more errors and warnings see below my post.

For our project we need the branch 1.1.2. My gcc version is "Apple clang version 13.1.6 (clang-1316.0.21.2)". I have already installed all necessary libraries needed to run the repository: pkg-config, swig, autoreconf, help2man, gengetopt, openssl, libcrypto.

Could somebody help me?

for cert in ff3d20d2; do /usr/bin/install -c -m 644 ./${cert} "/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/etc/eac/x509"; done
../.././install-sh -c -d "/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/etc/eac/cvc"
for cert in DECVCAeID00102 DECVCAEPASS00102 DECVCAeSign00102;   do /usr/bin/install -c -m 644 ./${cert} "/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/etc/eac/cvc";  done
  CC       libeac_la-ca_lib.lo
  CC       libeac_la-cv_cert.lo
cv_cert.c:551:11: error: implicit declaration of function 'RSA_set0_key' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    check(RSA_set0_key(rsa,
          ^
cv_cert.c:551:11: note: did you mean 'RSA_check_key'?
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/rsa.h:333:5: note: 'RSA_check_key' declared here
int RSA_check_key(const RSA *);
    ^
cv_cert.c:1335:5: error: implicit declaration of function 'RSA_get0_key' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    RSA_get0_key(rsa, &n, &e, NULL);
    ^
cv_cert.c:1335:5: note: did you mean 'RSA_check_key'?
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/rsa.h:333:5: note: 'RSA_check_key' declared here
int RSA_check_key(const RSA *);
    ^
cv_cert.c:1364:5: error: implicit declaration of function 'DH_get0_key' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    DH_get0_key(dh, &pub_key, NULL);
    ^
cv_cert.c:1370:9: error: implicit declaration of function 'DH_get0_pqg' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
        DH_get0_pqg(dh, &p, NULL, &g);
        ^
cv_cert.c:1489:20: error: implicit declaration of function 'ASN1_STRING_get0_data' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    if (!BN_bin2bn(ASN1_STRING_get0_data(p), ASN1_STRING_length(p), p_bn) ||
                   ^
cv_cert.c:1489:20: note: did you mean 'ASN1_STRING_data'?
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/asn1.h:812:16: note: 'ASN1_STRING_data' declared here
unsigned char *ASN1_STRING_data(ASN1_STRING *x);
               ^
cv_cert.c:1489:20: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const unsigned char *' [-Wint-conversion]
    if (!BN_bin2bn(ASN1_STRING_get0_data(p), ASN1_STRING_length(p), p_bn) ||
                   ^~~~~~~~~~~~~~~~~~~~~~~~
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/bn.h:493:40: note: passing argument to parameter 's' here
BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
                                       ^
cv_cert.c:1490:20: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const unsigned char *' [-Wint-conversion]
        !BN_bin2bn(ASN1_STRING_get0_data(a), ASN1_STRING_length(a), a_bn) ||
                   ^~~~~~~~~~~~~~~~~~~~~~~~
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/bn.h:493:40: note: passing argument to parameter 's' here
BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
                                       ^
cv_cert.c:1491:20: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const unsigned char *' [-Wint-conversion]
        !BN_bin2bn(ASN1_STRING_get0_data(b), ASN1_STRING_length(b), b_bn))
                   ^~~~~~~~~~~~~~~~~~~~~~~~
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/bn.h:493:40: note: passing argument to parameter 's' here
BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
                                       ^
cv_cert.c:1500:20: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const unsigned char *' [-Wint-conversion]
    if (!BN_bin2bn(ASN1_STRING_get0_data(cofactor), ASN1_STRING_length(cofactor), cofactor_bn) ||
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/bn.h:493:40: note: passing argument to parameter 's' here
BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
                                       ^
cv_cert.c:1501:20: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const unsigned char *' [-Wint-conversion]
        !BN_bin2bn(ASN1_STRING_get0_data(base_order), ASN1_STRING_length(base_order), order_bn))
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/bn.h:493:40: note: passing argument to parameter 's' here
BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
                                       ^
cv_cert.c:1508:47: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const unsigned char *' [-Wint-conversion]
    if (!EC_POINT_oct2point(group, generator, ASN1_STRING_get0_data(base),
                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/ec.h:587:45: note: passing argument to parameter 'buf' here
                       const unsigned char *buf, size_t len, BN_CTX *ctx);
                                            ^
cv_cert.c:1532:51: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const unsigned char *' [-Wint-conversion]
        if (!EC_POINT_oct2point(group, pub_point, ASN1_STRING_get0_data(pub),
                                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~
/Users/orszula/mpse/openpace/openpace-1.1.2_osx/Library/OpenPACE/include/openssl/ec.h:587:45: note: passing argument to parameter 'buf' here
                       const unsigned char *buf, size_t len, BN_CTX *ctx);
                                            ^
7 warnings and 5 errors generated.
make[5]: *** [libeac_la-cv_cert.lo] Error 1
make[4]: *** [install-recursive] Error 1
make[3]: *** [install] Error 2
make[2]: *** [install-recursive] Error 1
make[1]: *** [osx] Error 2
make: *** [osx] Error 2

EAC binding for Windows is crashing the python.exe

The simple test to start python interpreter and doing:

import eac
eac.EAC_init()

shows all is fine, I see the "Established PACE channel" output. But the init is not really done, see add-on below.

With a lot of debug prints I pointed the problem to the call of function eac.CVC_get_chr(self.cvc) in eac.py.

If I add some prints there, I don't see the Outputs, the eac.CVC_get_chr() is never really called??!?:
def CVC_get_chr(_args):
    print "DEBUG: I'm in def CVC_get_chr(_args) and will return now with return _eac.CVC_get_chr(_args)"  # <--- this print is NOT shown!!!
    return _eac.CVC_get_chr(_args)
print "DEBUG: will do now CVC_get_chr = _eac.CVC_get_chr"  # <--- this print is shown during call of Init
CVC_get_chr = _eac.CVC_get_chr
print "DEBUG: done CVC_get_chr = _eac.CVC_get_chr"  # <--- this print is shown during call of Init

If I add a print into the eac.EAC_init(), I don't see the output in that simple check

import eac
DEBUG: …some additional output is shown….
eac.EAC_init()
<--- this print „DEBUG: …“ output is missing

EJBCA can't parse CV certificate with extension

Expected behaviour

Normally the certificate can be read by cert-cvc

The certificate data should be printed out correctly.
7f21 CV_CERTIFICATE
7f4e CERTIFICATE_BODY
5f29 PROFILE_IDENTIFIER 0
42 CA_REFERENCE AT/DV_NXP/00001
7f49 PUBLIC_KEY
6 OID 0.4.0.127.0.7.2.2.2.2.1
86 PUBLIC_POINT_Y 0473203DC23D908ABF572F3D8F2022172856A8B0C93FADB961BB5CD08A24185BDD58DA076C2440BA0C4C55F3C8727C8659
5f20 HOLDER_REFERENCE AT/IS_NXP/00001
7f4c HOLDER_AUTH_TEMPLATE
6 OID 0.4.0.127.0.7.3.1.2.1
53 ROLE_AND_ACCESS_RIGHTS 03: IS/DG3+DG4
5f25 EFFECTIVE_DATE 2015-06-10
5f24 EXPIRATION_DATE 2016-06-10
5f37 SIGNATURE 03A5309FDF0B67D0BF83C5D775EC90B8C72029629B5539D3A740FD38F28161929EF64E7D5923475D42E83BB8876A3681

Actual behaviour

While reading the certificate, I get the following stack trace.

org.ejbca.cvc.exception.ParseException: Unknown CVC tag value 65
at org.ejbca.cvc.CertificateParser.findTagFromValue(CertificateParser.java:135)
at org.ejbca.cvc.CertificateParser.decode(CertificateParser.java:81)
at org.ejbca.cvc.CertificateParser.decode(CertificateParser.java:100)
at org.ejbca.cvc.CertificateParser.decode(CertificateParser.java:100)
at org.ejbca.cvc.CertificateParser.decode(CertificateParser.java:63)
at org.ejbca.cvc.CertificateParser.parseCertificate(CertificateParser.java:53)
at com.pakgon.testcvc.App.loadCert(App.java:42)
at com.pakgon.testcvc.App.main(App.java:52)

Steps to reproduce

This Java code simply loads the certificate.

package com.pakgon.testcvc;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.ejbca.cvc.CVCertificate;
import org.ejbca.cvc.CardVerifiableCertificate;
import org.ejbca.cvc.CertificateParser;
import org.ejbca.cvc.exception.ConstructionException;
import org.ejbca.cvc.exception.ParseException;

public class App 
{
	private static byte[] loadFile(String filePath) throws IOException {
		File inFile = new File(filePath);
		FileInputStream inStream = new FileInputStream(inFile);
		int iInBufferRead = 0;
		int iInBufferOffset = 0;
		byte[] inBuffer = new byte[(int)inFile.length()];
		while ((iInBufferRead = inStream.read(inBuffer, iInBufferOffset, (int)(inFile.length()-iInBufferOffset))) > 0) {
			iInBufferOffset += iInBufferRead;
		}
		inStream.close();
		return inBuffer;
	}

	private static CVCertificate loadCert(String filePath) throws IOException, ParseException, ConstructionException {
		byte[] cert = loadFile(filePath);
		CVCertificate cvCertificate = (CVCertificate) CertificateParser.parseCertificate(cert);
		return cvCertificate;
	}

	public static void main( String[] args )
	{
		//sample usage for org.ejbca.cvc
		try {
			Security.addProvider(new BouncyCastleProvider());
			
			CVCertificate taCert = loadCert(
					"/path/to/file.cvcert");
			System.out.println(taCert.toString());

		} catch (IOException e) {
			e.printStackTrace();
		} catch (ParseException e) {
			e.printStackTrace();
		} catch (ConstructionException e) {
			e.printStackTrace();
		}
	}
}
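The exception above comes from a parser with a fixed table of CV certificate tags; the value it reports, read as hexadecimal, matches 0x65, the Certificate Extensions template of TR-03110 Part 3 (Appendix C.1), which fits the title of the issue. The following Python is an added example, not code from OpenPACE or from EJBCA's cert-cvc: it walks the BER-TLV tree of a CV certificate with the two-byte tags and long-form lengths that format uses, and shows which tags a given table would reject. The certificate bytes are constructed on the spot with the same tag layout as the dump in the issue but dummy values and an unsigned, meaningless signature; the tag names and the OID bytes are illustrative assumptions, not values taken from a real certificate.

```python
"""Walk the BER-TLV structure of a CV certificate (TR-03110 Part 3, C.1).

Added example, not from OpenPACE or EJBCA.  The byte sequence below is a
constructed, minimal, unsigned stand-in for the structure printed in the
issue (same tags, dummy values), not a real certificate.
"""

# Tag table (subset sufficient for the walk); names follow the issue's dump
CVC_TAGS = {
    0x7F21: "CV_CERTIFICATE",
    0x7F4E: "CERTIFICATE_BODY",
    0x5F29: "PROFILE_IDENTIFIER",
    0x42: "CA_REFERENCE",
    0x7F49: "PUBLIC_KEY",
    0x06: "OID",
    0x86: "PUBLIC_POINT_Y",
    0x5F20: "HOLDER_REFERENCE",
    0x7F4C: "HOLDER_AUTH_TEMPLATE",
    0x53: "ROLE_AND_ACCESS_RIGHTS",
    0x5F25: "EFFECTIVE_DATE",
    0x5F24: "EXPIRATION_DATE",
    0x65: "CERTIFICATE_EXTENSIONS",
    0x73: "DISCRETIONARY_DATA_TEMPLATE",
    0x80: "EXTENSION_DATA",          # context-specific; meaning depends on the template OID
    0x5F37: "SIGNATURE",
}

def read_tag(buf, pos):
    """Return (tag, constructed, next_pos); handles the two-byte tags CVC uses."""
    first = buf[pos]
    constructed = bool(first & 0x20)
    pos += 1
    tag = first
    if first & 0x1F == 0x1F:          # high-tag-number form: subsequent byte(s)
        while True:
            b = buf[pos]
            tag = (tag << 8) | b
            pos += 1
            if not b & 0x80:
                break
    return tag, constructed, pos

def read_length(buf, pos):
    """Return (length, next_pos) for short or long (0x81/0x82) definite form."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 2 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse_tlv(buf, known=CVC_TAGS, depth=0):
    """Parse a sequence of TLV objects, recursing into constructed ones.

    Returns a flat list of (depth, tag, name, value); name is None for tags
    the table does not know, which is the case a strict parser turns into
    an exception.
    """
    out = []
    pos = 0
    while pos < len(buf):
        tag, constructed, pos = read_tag(buf, pos)
        length, pos = read_length(buf, pos)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag:X}")
        pos += length
        out.append((depth, tag, known.get(tag), value))
        if constructed:
            out.extend(parse_tlv(value, known, depth + 1))
    return out

def tlv(tag, value):
    """Encode one TLV with a 1- or 2-byte tag and a short/long definite length."""
    t = tag.to_bytes(2 if tag > 0xFF else 1, "big")
    n = len(value)
    if n < 0x80:
        return t + bytes([n]) + value
    return t + (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")) + value

# Constructed stand-in: tag layout of the issue's dump plus an extension, dummy values
EXTENSION = tlv(0x65, tlv(0x73, tlv(0x06, b"\x04\x00\x7f\x00\x07\x03\x01\x03\x01") + tlv(0x80, b"\x00" * 32)))
BODY = tlv(0x7F4E,
           tlv(0x5F29, b"\x00")
           + tlv(0x42, b"AT/DV_NXP/00001")
           + tlv(0x7F49, tlv(0x06, b"\x04\x00\x7f\x00\x07\x02\x02\x02\x02\x01") + tlv(0x86, b"\x04" + b"\x11" * 48))
           + tlv(0x5F20, b"AT/IS_NXP/00001")
           + tlv(0x7F4C, tlv(0x06, b"\x04\x00\x7f\x00\x07\x03\x01\x02\x01") + tlv(0x53, b"\x03"))
           + tlv(0x5F25, bytes([1, 5, 0, 6, 1, 0]))      # 2015-06-10 as unpacked digits
           + tlv(0x5F24, bytes([1, 6, 0, 6, 1, 0]))      # 2016-06-10
           + EXTENSION)
CERT = tlv(0x7F21, BODY + tlv(0x5F37, b"\x22" * 48))     # dummy signature bytes

def unknown_tags(buf, known):
    """Tags present in buf that a parser limited to the given table would reject."""
    return sorted({tag for _, tag, name, _ in parse_tlv(buf, known) if name is None})

if __name__ == "__main__":
    for depth, tag, name, value in parse_tlv(CERT):
        print("  " * depth + f"{tag:X} {name or '<unknown>'} ({len(value)} bytes)")
    # A table without 0x65 (and its child template 0x73) reproduces the failure mode
    without_ext = {t: n for t, n in CVC_TAGS.items() if t not in (0x65, 0x73)}
    print("rejected by a table without tag 65:", [f"{t:X}" for t in unknown_tags(CERT, without_ext)])
```

The body here is 189 bytes long, so the walk exercises the 0x81 long-form length as well as the two-byte 7F.. and 5F.. tags; running the script with the reduced table lists 65 and 73 as the tags such a parser would reject, which is the kind of check worth running against a certificate before handing it to a consumer with a fixed tag set.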

Certificate not verified

Expected behaviour

I use the command cvc-print.exe -c certfile and after that I get an error like this

[ERROR] (ta_lib.c:212 ) Could not verify certificate's validity period
certificate not verified

I use openpace on windows 11
How can i disable this error message, or how can i disable certificate validation check?
Thank you


1.1.2

What's the deal with version 1.1.2? There's a tag for it but no release. The project's main web page says the latest release is 1.1.1.

Build is suddenly broken on Travis CI

Today I fixed a simple typo in configure.ac (see 268bb03). When I pushed the commit, I realized that the Travis build was no longer passing (see https://travis-ci.org/d0/openpace/builds/131920604). Apparently one of the reasons was that the swig installation on the Travis CI build servers no longer supports the -intgosize parameter. Removing this parameter (see 21a44de) leads to the build succeeding again on Linux (https://travis-ci.org/d0/openpace/builds/131939436). However, the build still fails on Windows and I don't understand why.

Expected behaviour

The OpenPACE build should pass in all configurations on Travis CI.

Actual behaviour

The OpenPACE build does not pass for the windows configurations. Furthermore, -intgosize 32 doesn't seem to be supported anymore and should therefore maybe be default from the default configuration in configure.ac

Steps to reproduce

Trigger a new Travis CI build.

Logs

  1. https://travis-ci.org/d0/openpace/builds/131920604
  2. https://travis-ci.org/d0/openpace/builds/131939436

how to generate k_pi from k?

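The question above concerns the PACE key derivation that the README summarizes as obtaining a strong key from a weak secret: the password π (MRZ, CAN, PIN or PUK) is mapped to the key K_π that protects the encrypted nonce. As an added example, not OpenPACE code (the library performs this step internally when it encodes the PACE secret), the Python below re-implements the KDF of TR-03110 Part 3, Appendix A.2.3 for the four cipher suites and derives K_π from it. The MRZ-based password and the expected values of K and K_π are the ECDH-GM worked example from ICAO 9303 Part 11, Appendix G; the PIN used in the usage section is a constructed sample.

```python
"""Derivation of the PACE password key K_pi (TR-03110 Part 3, A.2.3).

Added example, not part of OpenPACE.  KDF(K, c) = H(K || c) with c a 32-bit
big-endian counter; the hash and the key length depend on the cipher suite.
KDF_ENC uses c = 1, KDF_MAC c = 2 and KDF_pi c = 3, where the input of KDF_pi
is f(pi): SHA-1 of the MRZ information for MRZ passwords, the ASCII bytes of
the password for CAN, PIN and PUK.
"""
import hashlib

# Cipher suite -> (hash function, key length in bytes) as specified for the KDF
KDF_PARAMS = {
    "3DES": ("sha1", 16),
    "AES-128": ("sha1", 16),
    "AES-192": ("sha256", 24),
    "AES-256": ("sha256", 32),
}

# Counter values of the three key derivation functions of the standard
KDF_ENC, KDF_MAC, KDF_PI = 1, 2, 3


def adjust_des_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so the byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def kdf(k: bytes, counter: int, cipher: str = "AES-128") -> bytes:
    """KDF(K, c) = H(K || c), truncated to the key length of the cipher suite."""
    hash_name, key_len = KDF_PARAMS[cipher]
    key = hashlib.new(hash_name, k + counter.to_bytes(4, "big")).digest()[:key_len]
    if cipher == "3DES":
        key = adjust_des_parity(key)
    return key


def password_to_k(password: str, kind: str) -> bytes:
    """f(pi): MRZ information is hashed with SHA-1; CAN, PIN and PUK are used as ASCII."""
    if kind == "MRZ":
        return hashlib.sha1(password.encode("ascii")).digest()
    if kind in ("CAN", "PIN", "PUK"):
        return password.encode("ascii")
    raise ValueError(f"unknown password type {kind!r}")


def derive_k_pi(password: str, kind: str, cipher: str = "AES-128") -> bytes:
    """K_pi = KDF_pi(pi) = KDF(f(pi), 3)."""
    return kdf(password_to_k(password, kind), KDF_PI, cipher)


if __name__ == "__main__":
    # ICAO 9303-11 Appendix G worked example: document number, date of birth and
    # date of expiry, each followed by its check digit
    mrz_info = "T22000129364081251010318"
    print("K    =", password_to_k(mrz_info, "MRZ").hex())
    print("K_pi =", derive_k_pi(mrz_info, "MRZ").hex())
    # Constructed sample PIN, AES-256 suite: SHA-256 based, 32-byte key
    print("K_pi (PIN, AES-256) =", derive_k_pi("123456", "PIN", "AES-256").hex())
```

The same `kdf` with counters 1 and 2 yields K_Enc and K_MAC from the shared secret after the Diffie-Hellman step, which is why the counter is a parameter rather than fixed to 3; the 3DES branch applies the parity adjustment the standard allows, which does not change the key's security but keeps DES implementations that check parity from rejecting it.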

Cross compile from Ubuntu (or Debian) to Windows

Expected behaviour

cross compilation to Windows should work according to the documentation.

What should happen?

make win should cross-compile the project to Windows.

Actual behaviour

I followed the documentation, trying Ubuntu 14.04 (failed OpenSSL version in ./configure - has 1.0.1 but 1.0.2 of libcrypto is requested), Debian Wheezy (same), and Ubuntu 16.04.

Ubuntu 16.04 compiles to linux correctly (simple make), but make win exits with an error after a lot of "undefined reference" errors (Entire make win output, including stdout and stderr is in the gist below).

All tests were done with vagrant boxes (ubuntu/trusty64, ubuntu/xenial64, debian/wheezy64).

Logs

make win output is in this gist:
https://gist.github.com/Bartzy/062363856fc23b730c8c38b9d64abdda

Thanks!

Cross compilation for Android

Hi,

Thank you very much for the openpace library. I can make it work with Python and I think this is really nice.
I have tried to compile it for Android with Ubuntu 15.10 and Debian Wheezy.
I have tried with the github version and with the 0.9 and I could not manage to get it working.
I have had different issues and I was wondering whether you could just add some more things to the Android installation guide for newbies like me.
I am sorry not to be more specific because I have tried to fix things and now I am not sure anymore whether the errors I get are to be taken into consideration or whether they come from mistakes I have made.
Instead, I would very much need a more detailed howto.
Is the installation page based on the 0.9 release?
Is there something I miss when I try
autoreconf --verbose --install
./configure --enable-openssl-install --prefix=$HOME/openpace
export MAKE_STANDALONE_TOOLCHAIN=~/Sdk/ndk-bundle/build/tools/make-standalone-toolchain.sh
make android

Any help would be very very appreciated !

Julien


The latest problem I have is with the rolling version

cvc_print-cvc-print-cmdline.o:cvc-print-cmdline.c:function cmdline_parser_params_create: error: undefined reference to 'rpl_malloc'
cvc_print-cvc-print-cmdline.o:cvc-print-cmdline.c:function gengetopt_strdup: error: undefined reference to 'rpl_malloc'
collect2: error: ld returned 1 exit status
Makefile:606: recipe for target 'cvc-print' failed
make[5]: *** [cvc-print] Error 1
make[5]: Leaving directory '/home/julien/Documents/Temporary/openpace/src'
Makefile:1105: recipe for target 'install' failed
make[4]: *** [install] Error 2
make[4]: Leaving directory '/home/julien/Documents/Temporary/openpace/src'
Makefile:516: recipe for target 'install-recursive' failed
make[3]: *** [install-recursive] Error 1
make[3]: Leaving directory '/home/julien/Documents/Temporary/openpace'
Makefile:567: recipe for target '/home/julien/Documents/Temporary/openpace/openpace-1.0.0_arm/lib/libeac.so' failed
make[2]: *** [/home/julien/Documents/Temporary/openpace/openpace-1.0.0_arm/lib/libeac.so] Error 2
make[2]: Leaving directory '/home/julien/Documents/Temporary/openpace/cross'
Makefile:552: recipe for target 'android' failed
make[1]: *** [android] Error 2
make[1]: Leaving directory '/home/julien/Documents/Temporary/openpace/cross'
Makefile:943: recipe for target 'android' failed
make: *** [android] Error 2

Compilation fails when using OpenSSL 1.1.0 in Windows

Expected behaviour

The compilation process should not have errors.
When using OpenSSL 1.0.2 the compilation doesn't fail

Actual behaviour

A lot of errors like these in ssl_compat.h and misc.h:

c:\clibs\openpace\openpace-1.0.2\src\ssl_compat.h(51): error C2059: syntax error: 'string'
c:\clibs\openpace\openpace-1.0.2\src\ssl_compat.h(51): error C2059: syntax error: 'constant'
...
c:\clibs\openpace\openpace-1.0.2\src\misc.h(93): error C2143: syntax error: missing '{' before '*'
...
c:\clibs\openpace\openpace-1.0.2\src\ssl_compat.h(51): error C2059: syntax error: 'string'
c:\clibs\openpace\openpace-1.0.2\src\ssl_compat.h(51): error C2059: syntax error: 'constant'
...

Steps to reproduce

Follow the steps for compilation detailed in: https://github.com/OpenSC/OpenSC/wiki/Compiling-on-Windows

  1. Download and unpack the source code of the latest release of OpenPACE.
  2. Open a Visual Studio Developer Command Prompt and change to the OpenPACE’s src directory.
  3. Compile the library:
set OPENSSL=C:\OpenSSL-Win64
cl /I%OPENSSL%\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c

Cannot verify CSR

Expected behaviour

When running cvc-print -r test.csr, it should return a successful message.

Actual behaviour

It complains about an ASN.1 error.

Steps to reproduce

  1. Use the attached file
    test.csr.txt
  2. The file is apparently correct, following the specs of BSI TR 03110 Part 2 C.2 (unless I missed something).

Logs


could not parse certificate request
4372495680:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
4372495680:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=CVC_CERT_REQUEST_SEQ
4372495680:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:637:
4372495680:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:101:
4372495680:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:crypto/asn1/tasn_dec.c:1137:
4372495680:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:572:

test-cvcutils: could not parse certificate description

Expected behaviour

Tests should pass ;-).

Actual behaviour

Tests fail with the following error:

Certificate:
  Profile identifier: 0
  CAR: ZZATDVCA00001
  CHR: ZZATTERM00001
  CHAT:
    Authentication terminal
      Restricted Identification
      Terminal certificate
  Effective Date: 2019-08-10
  Expiration Date: 2019-08-17
  Certificate Extensions:
    id-description
certificate verified
could not parse certificate description
140069084788544:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:crypto/asn1/asn1_lib.c:91:
140069084788544:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:crypto/asn1/tasn_dec.c:1117:
140069084788544:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:crypto/asn1/tasn_dec.c:678:
140069084788544:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:626:Field=termsOfUsage.other, Type=CVC_CERTIFICATE_DESCRIPTION
make[2]: *** [Makefile:968: test-cvcutils] Error 1
make[2]: Leaving directory '/tmp/openpace'
make[1]: *** [Makefile:809: check-am] Error 2
make[1]: Leaving directory '/tmp/openpace'
make: *** [Makefile:518: check-recursive] Error 1

Steps to reproduce

  1. ./bootstrap
  2. make
  3. make check

Logs

https://gist.github.com/mgorny/1b97f23762c852d6d99c90a025c5dcf6

This is on Gentoo Linux, with openssl 1.1.0k.

openpace does not build in fedora environment

Trying to build openpace in a Fedora environment according to docs/install.html

./configure terminates with:

openpace 1.0.3 has been configured with following options:

Libraries: /usr/local/lib
CVC directory: /usr/local/etc/eac/cvc
X.509 directory: /usr/local/etc/eac/x509

Host: armv7l-unknown-linux-gnueabihf
Compiler: gcc
Preprocessor flags:
Compiler flags: -g -O2
Linker flags:
Libraries:
CRYPTO_CFLAGS:
CRYPTO_LIBS: -lcrypto

HELP2MAN: /usr/bin/help2man
GENGETOPT: /usr/bin/gengetopt

but make bails out with this:

make[4]: Entering directory 'openpace/src'

CC libeac_la-eac_util.lo
eac_util.c: In function ‘Comp’:
eac_util.c:792:25: warning: implicit declaration of function ‘EC_POINT_get_affine_coordinates_GF2m’; did you mean ‘EC_POINT_get_affine_coordinates_GFp’? [-Wimplicit-function-declaration]
792 | || !EC_POINT_get_affine_coordinates_GF2m(group, ecp, x, y, bn_ctx))
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| EC_POINT_get_affine_coordinates_GFp
CC libeac_la-misc.lo
CC libeac_la-pace.lo

CCLD libvc.la
CCLD eactest
/usr/bin/ld: ./.libs/libeac.so: undefined reference to `EC_POINT_get_affine_coordinates_GF2m'
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:709: eactest] Error 1
make[4]: Leaving directory 'openpace/src'

what am I missing?

Python bindings broken

Expected behaviour

eac.py and chat.py should be importable.
Using Archlinux, python3.10, Openpace from master branch

Actual behaviour

python3
>>> from openpace import chat
  File "/usr/local/lib/python3.10/site-packages/openpace/chat.py", line 47, in <module>
    import eac
ModuleNotFoundError: No module named 'eac'

Steps to reproduce

  1. git clone https://github.com/frankmorgner/openpace.git
  2. ./configure --enable-python
  3. make && make install
  4. python -c "from openpace import chat"

Affects also

virtualsmartcard

(venv) λ venv git:(6-secure-key-exchange) ✗ vicc -t nPA
Traceback (most recent call last):
  File "/usr/local/bin/vicc", line 159, in <module>
    vicc = VirtualICC(args.datasetfile, args.type, hostname, args.port,
  File "/usr/local/lib/python3.10/site-packages/virtualsmartcard/VirtualSmartcard.py", line 439, in __init__
    MF, SAM = self.cardGenerator.getCard()
  File "/usr/local/lib/python3.10/site-packages/virtualsmartcard/CardGenerator.py", line 684, in getCard
    self.generateCard()
  File "/usr/local/lib/python3.10/site-packages/virtualsmartcard/CardGenerator.py", line 677, in generateCard
    self.__generate_nPA()
  File "/usr/local/lib/python3.10/site-packages/virtualsmartcard/CardGenerator.py", line 152, in __generate_nPA
    from virtualsmartcard.cards.nPA import nPA_SAM
  File "/usr/local/lib/python3.10/site-packages/virtualsmartcard/cards/nPA.py", line 31, in <module>
    from openpace.chat import CHAT, CVC, PACE_SEC, EAC_CTX
  File "/usr/local/lib/python3.10/site-packages/openpace/chat.py", line 47, in <module>
    import eac
ModuleNotFoundError: No module named 'eac'

cvc-create : Can't create a certificate using SecP curve (only Prime works)

Follow these steps:
openssl ecparam -out UTATCVCA00001.pem -name secp192k1 -genkey

rem OK

openssl pkcs8 -topk8 -nocrypt -in UTATCVCA00001.pem -outform DER -out UTATCVCA00001.pkcs8

rem OK

cvc-create --role=cvca --type=at --chr=UTATCVCA00001 --expires=160210 --issued=150210 --sign-with=UTATCVCA00001.pkcs8 --scheme=ECDSA_SHA_1

rem No error occurred, infinite loop (CTRL+C to exit)

Query Regarding decoding of the certificate

Dear Frank,

We have some PKI certificates that need to be parsed and have some minor tailoring done in the following fields:

  1. CAR
  2. CHR
  3. CHAT

In the source code shared in C, this is done by the API "d2i_CVC_CERT()" for both CVC_Create and CVC_Print, which needs modifications for the certificate parsing to be right.
Can you please suggest where the definition of the above-mentioned API can be found.

If there is a better way to approach this problem, please suggest.

Thanks In Advance
Karthic

DV Certificate contain Domain Parameters

Expected behaviour

I have a DV CSR file from another DV software. I use cvc-create with csr mode, but the new DV certificate contains Domain Parameters.
(BSI TR-03110-3 says that a DV MUST NOT contain domain parameters).
What am I doing wrong? Thanks!

Steps to reproduce

Files https://drive.google.com/file/d/1UdkwhDqfUnp4eUNLpm6Eom37QB81IrU8/view?usp=sharing
NEWKEY.pkcs8 - private key for CVCA cert
BYCVBY1.cvcert - CVCA cert
BYNCESBY00B.cvreq - DV CSR file
BYNCESBY00B.cvcert - wrong DV cert

I used command: cvc-create --role=dv_domestic --type=is --csr=BYNCESBY00B.cvreq --expires=201231 --sign-with=NEWKEY.pkcs8 --scheme=ECDSA_SHA_256 --read-finger --read-iris --rid

Conflicting types for 'i2d_CVC_CERT' with OpenSSL 3.0.0

Expected behaviour

When running make no errors should be filed.

Actual behaviour

When running "make" on macOS, I get the following error:
conflicting types for 'i2d_CVC_CERT'

Steps to reproduce

  1. ./configure
  2. make

Logs

cv_cert.c:243:1: error: conflicting types for 'i2d_CVC_CERT'
IMPLEMENT_ASN1_FUNCTIONS(CVC_CERT)

Request to support non standard PIN references

Expected behaviour

The library should accept non standard PIN reference numbers for at least PACE_SEC_new() and encoded_secret().

Actual behaviour

When a non-standard PIN reference number is used, the above mentioned functions bail out with an error.

I encountered this kind of error during the implementation of D-Trust Signatures Card 5 (see OpenSC/OpenSC#3131). There PACE authentication with Transport PINs (ID 0x0B and 0x0C) is used to establish a secure channel.

Steps to reproduce

Call perform_pace() from OpenSC library with a non-standard PIN reference number

struct establish_pace_channel_input pace_input;
struct establish_pace_channel_output pace_output;

memset(&pace_input, 0, sizeof pace_input);
memset(&pace_output, 0, sizeof pace_output);

pace_input.pin_id = 0x0B;
pace_input.pin = "123456";
pace_input.pin_length = 6;

perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);

like in this code:

Try the code from frankmorgner/OpenSC@80349e2.

Logs

P:17084; T:0x140737337223168 09:40:55.777 [.../opensc/src/tools/.libs/dtrust-tool] sm-eac.c:810:perform_pace: 
Encrypted nonce from MRTD (16 bytes):
1B 79 D3 21 4E DF 79 B7 58 6F BE 99 52 B9 8E 5D .y.!N.y.Xo..R..]

[ERROR] (pace_lib.c:126 ) Invalid arguments
P:17084; T:0x140737337223168 09:43:21.292 [.../opensc/src/tools/.libs/dtrust-tool] sm-eac.c:816:perform_pace: Cannot log OpenSSL error
P:17084; T:0x140737337223168 09:43:21.292 [.../opensc/src/tools/.libs/dtrust-tool] sm-eac.c:817:perform_pace: Could not encode PACE secret.
P:17084; T:0x140737337223168 09:43:21.292 [.../opensc/src/tools/.libs/dtrust-tool] sm-eac.c:996:perform_pace: returning with: -1400 (Internal error)

Apply the EAC to LDS personalization software

Hi,

I have a task to apply the EAC to our LDS personalization software. We need to apply TA, CA, AA, PACE.

I'm looking for the writing part of your library in which we build the securityInfos and save in the LDS.

If you can help please advise.

Many thanks

help about compile on CentOS 8

I couldn't build it from source on CentOS 8. The output is as follows:

[root@localhost openpace-1.1.1]# ./bootstrap 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /usr/bin/sed
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... (cached) /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for help2man... /usr/bin/help2man
checking for gengetopt... /usr/local/bin/gengetopt
checking for CRYPTO... yes
checking openssl/obj_mac.h usability... yes
checking openssl/obj_mac.h presence... yes
checking for openssl/obj_mac.h... yes
checking openssl/buffer.h usability... yes
checking openssl/buffer.h presence... yes
checking for openssl/buffer.h... yes
checking openssl/bio.h usability... yes
checking openssl/bio.h presence... yes
checking for openssl/bio.h... yes
checking openssl/ecdh.h usability... yes
checking openssl/ecdh.h presence... yes
checking for openssl/ecdh.h... yes
checking openssl/dh.h usability... yes
checking openssl/dh.h presence... yes
checking for openssl/dh.h... yes
checking openssl/evp.h usability... yes
checking openssl/evp.h presence... yes
checking for openssl/evp.h... yes
checking openssl/cmac.h usability... yes
checking openssl/cmac.h presence... yes
checking for openssl/cmac.h... yes
checking openssl/sha.h usability... yes
checking openssl/sha.h presence... yes
checking for openssl/sha.h... yes
checking openssl/aes.h usability... yes
checking openssl/aes.h presence... yes
checking for openssl/aes.h... yes
checking openssl/des.h usability... yes
checking openssl/des.h presence... yes
checking for openssl/des.h... yes
checking whether NID_brainpoolP512r1 is declared... yes
checking whether OPENSSL_zalloc is declared... yes
checking for OPENSSL_cleanse... yes
checking for EVP_sha256... yes
checking for RSA_set0_key... yes
checking for RSA_get0_key... yes
checking for DH_set0_key... yes
checking for DH_get0_key... yes
checking for DH_set0_pqg... yes
checking for DH_get0_pqg... yes
checking for ECDSA_SIG_set0... yes
checking for ECDSA_SIG_get0... yes
checking for ASN1_STRING_get0_data... yes
checking for EC_POINT_get_affine_coordinates... yes
checking for EC_POINT_set_affine_coordinates... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking for size_t... yes
checking for uint32_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for alarm... yes
checking for working mktime... yes
checking for memset... yes
checking for memcpy... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/certs/Makefile
config.status: creating src/docs/Makefile
config.status: creating src/docs/_static/Makefile
config.status: creating src/Makefile
config.status: creating bindings/Makefile
config.status: creating bindings/java/Makefile
config.status: creating bindings/python/Makefile
config.status: creating bindings/ruby/Makefile
config.status: creating bindings/go/Makefile
config.status: creating cross/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

openpace 1.1.1 has been configured with following options:

Libraries:               /usr/local/lib
CVC directory:           /usr/local/etc/eac/cvc
X.509 directory:         /usr/local/etc/eac/x509

Host:                    x86_64-pc-linux-gnu
Compiler:                gcc
Preprocessor flags:      
Compiler flags:          -g -O2
Linker flags:            
Libraries:               
CRYPTO_CFLAGS:           
CRYPTO_LIBS:             -lcrypto 

HELP2MAN:                /usr/bin/help2man
GENGETOPT:               /usr/local/bin/gengetopt

Install patched OpenSSL: no
GIT:                     
OPENSSL_CONFIGURE_FLAGS: 

SWIG:                    
Python Bindings:         no
PYTHON:                  
Java Bindings:           no
JAVA_CFLAGS:             
JAVACFLAGS:              
Ruby Bindings:           no
RUBY:                    
Go Bindings:             no
gccgo:                   
GCCGOFLAGS:              
SWIGGOPARAMS:            -intgosize 32

make  all-recursive
make[1]: Entering directory '/root/openpace-1.1.1'
Making all in src
make[2]: Entering directory '/root/openpace-1.1.1/src'
/usr/local/bin/gengetopt --file-name=cvc-create-cmdline --output-dir=. < cvc-create.ggo
/usr/local/bin/gengetopt --file-name=cvc-print-cmdline --output-dir=. < cvc-print.ggo
make  all-recursive
make[3]: Entering directory '/root/openpace-1.1.1/src'
Making all in docs
make[4]: Entering directory '/root/openpace-1.1.1/src/docs'
Making all in _static
make[5]: Entering directory '/root/openpace-1.1.1/src/docs/_static'
make[5]: Nothing to be done for 'all'.
make[5]: Leaving directory '/root/openpace-1.1.1/src/docs/_static'
make[5]: Entering directory '/root/openpace-1.1.1/src/docs'
make[5]: Nothing to be done for 'all-am'.
make[5]: Leaving directory '/root/openpace-1.1.1/src/docs'
make[4]: Leaving directory '/root/openpace-1.1.1/src/docs'
Making all in certs
make[4]: Entering directory '/root/openpace-1.1.1/src/certs'
make[4]: Nothing to be done for 'all'.
make[4]: Leaving directory '/root/openpace-1.1.1/src/certs'
make[4]: Entering directory '/root/openpace-1.1.1/src'
  CC       eactest-eactest.o
  CC       eactest-ssl_compat.o
  CC       libeac_la-ca_lib.lo
  CC       libeac_la-cv_cert.lo
  CC       libeac_la-cvc_lookup.lo
  CC       libeac_la-x509_lookup.lo
  CC       libeac_la-eac_asn1.lo
  CC       libeac_la-eac.lo
  CC       libeac_la-eac_ca.lo
  CC       libeac_la-eac_dh.lo
  CC       libeac_la-eac_ecdh.lo
  CC       libeac_la-eac_kdf.lo
  CC       libeac_la-eac_lib.lo
  CC       libeac_la-eac_print.lo
  CC       libeac_la-eac_util.lo
  CC       libeac_la-misc.lo
  CC       libeac_la-pace.lo
  CC       libeac_la-pace_lib.lo
  CC       libeac_la-pace_mappings.lo
  CC       libeac_la-ri.lo
  CC       libeac_la-ri_lib.lo
  CC       libeac_la-ta.lo
  CC       libeac_la-ta_lib.lo
  CC       libeac_la-objects.lo
  CC       libeac_la-ssl_compat.lo
  CCLD     libeac.la
  CC       vc.lo
  CCLD     libvc.la
  CCLD     eactest
  CC       cvc_print-cvc-print.o
  CC       cvc_print-read_file.o
  CC       cvc_print-cvc-print-cmdline.o
  CCLD     cvc-print
  CC       cvc_create-cvc-create.o
  CC       cvc_create-read_file.o
  CC       cvc_create-cvc-create-cmdline.o
  CCLD     cvc-create
  CC       example-example.o
  CCLD     example
make -C . cvc-create
make[5]: Entering directory '/root/openpace-1.1.1/src'
make[5]: 'cvc-create' is up to date.
make[5]: Leaving directory '/root/openpace-1.1.1/src'
/usr/bin/help2man \
        --output=cvc-create.1 \
        --no-info \
        --source='OpenPACE 1.1.1' \
        ./cvc-create
make -C . cvc-print
make[5]: Entering directory '/root/openpace-1.1.1/src'
make[5]: 'cvc-print' is up to date.
make[5]: Leaving directory '/root/openpace-1.1.1/src'
/usr/bin/help2man \
        --output=cvc-print.1 \
        --no-info \
        --source='OpenPACE 1.1.1' \
        ./cvc-print
make[4]: Leaving directory '/root/openpace-1.1.1/src'
make[3]: Leaving directory '/root/openpace-1.1.1/src'
make[2]: Leaving directory '/root/openpace-1.1.1/src'
Making all in cross
make[2]: Entering directory '/root/openpace-1.1.1/cross'
Use `make win` to cross compile for Windows
Use `make android` to cross compile for Android
Use `make emscripten` to cross compile for Javascript
Use `make osx` to compile a mulit arch package on Mac OS X
make[2]: Leaving directory '/root/openpace-1.1.1/cross'
Making all in bindings
make[2]: Entering directory '/root/openpace-1.1.1/bindings'
make[3]: Entering directory '/root/openpace-1.1.1/bindings'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/root/openpace-1.1.1/bindings'
make[2]: Leaving directory '/root/openpace-1.1.1/bindings'
make[2]: Entering directory '/root/openpace-1.1.1'
make[2]: Leaving directory '/root/openpace-1.1.1'
make[1]: Leaving directory '/root/openpace-1.1.1'
Parsing capabilities:
[ERROR] (eac_asn1.c:387 ) Could not decode standardized domain parameter
139789035939648:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:crypto/ec/ec_curve.c:418:
  EF.CardSecurity             
    Error in eactest.c:3585:test_ef_cardsecurity_parsing
[ERROR] (eac_asn1.c:387 ) Could not decode standardized domain parameter
139789035939648:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:crypto/ec/ec_curve.c:418:
  EF.CardAccess               
    Error in eactest.c:3634:test_ef_cardaccess_parsing
[ERROR] (eac_asn1.c:387 ) Could not decode standardized domain parameter
139789035939648:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:crypto/ec/ec_curve.c:418:
.
    Error in eactest.c:3634:test_ef_cardaccess_parsing
[ERROR] (eac_asn1.c:387 ) Could not decode standardized domain parameter
139789035939648:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:crypto/ec/ec_curve.c:418:

    Error in eactest.c:3634:test_ef_cardaccess_parsing
  Card Verifiable Certificate ............................................EAC worked examples:
[ERROR] (eac_asn1.c:387 ) Could not decode standardized domain parameter
139789035939648:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:crypto/ec/ec_curve.c:418:
  Testing Std. DP 13 with id-PACE-ECDH-GM-AES-CBC-CMAC-128 
    Error in eactest.c:3060:static_eac_test
free(): double free detected in tcache 2
./bootstrap: line 34: 3389023 Aborted                 (core dumped) src/eactest

[root@localhost openpace-1.1.1]# uname -a
Linux localhost 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost openpace-1.1.1]# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl --disable-libmpx --enable-offload-targets=nvptx-none --without-cuda-driver --enable-gnu-indirect-function --enable-cet --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC) 

openpace build fails in appveyor during opensc CI

Expected behaviour

The build in appveyor should pass

Actual behaviour

Fails:

c:\openpace-win32\src\objects.c(60) : warning C4717: 'EAC_OBJ_nid2ln': recursive on all control paths, function will cause runtime stack overflow
c:\openpace-win32\src\objects.c(68) : warning C4717: 'EAC_OBJ_obj2nid': recursive on all control paths, function will cause runtime stack overflow
c:\openpace-win32\src\objects.c(64) : warning C4717: 'EAC_OBJ_nid2sn': recursive on all control paths, function will cause runtime stack overflow
c:\openpace-win32\src\objects.c(80) : warning C4717: 'EAC_OBJ_sn2nid': recursive on all control paths, function will cause runtime stack overflow
c:\openpace-win32\src\objects.c(76) : warning C4717: 'EAC_OBJ_ln2nid': recursive on all control paths, function will cause runtime stack overflow
c:\openpace-win32\src\objects.c(72) : warning C4717: 'EAC_OBJ_txt2nid': recursive on all control paths, function will cause runtime stack overflow

https://ci.appveyor.com/project/frankmorgner/opensc-na513/builds/47246369/job/lku9lvyir7rh2nr2

Steps to reproduce

  1. Run openpace build in appveyor

Logs

make fails on the call to help2man for "./src/cvc-create"; root cause: openssl libraries not found

Since my SLES 11 SP3 host has often too old package versions to build all the tools, I switched to Ubuntu Server 14.04.
But new operating system, new luck :-)

Short request:
Please add in configure.ac some automated setup of LD_LIBRARY_PATH

Long Story:
Building of eIDClientCore and vsmartcard was fine without any fighting, but the make job of openpace now breaks while generating the man page of cvc-create:
help2man: can't get `--help' info from ./cvc-create

It's "simply" because at runtime the cvc-create binary fails with:
error while loading shared libraries: libcrypto.so.1.1.0: cannot open shared object file: No such file or directory

Background of my Ubuntu host:
My system has the original openssl 1.0.1f installation, according to "openssl version" output.
The libcrypto.so library found on the system is
/usr/lib/x86_64-linux-gnu/libcrypto.so -- pointing to --> /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
So only the 1.0.0 version is there.

But the openpace build tree contains the required libraries below its own OpenSSL path (due to --enable-openssl-install) after the OpenSSL compilation.
Using LD_LIBRARY_PATH, the cvc-create call works:
"env LD_LIBRARY_PATH=./src/openssl ./src/cvc-create"

Please add some automated setup so that, in case of the --enable-openssl-install flag, the generated libs are used.

Installation process fails to locate install-sh

Expected behaviour

The make install step should install the library as expected.

Actual behaviour

The make install step fails with the following error:

...
make[2]: Nothing to be done for 'install-exec-am'.
/usr/bin/install -c -d /usr/local/share/doc/openpace
cd ./docs && find . -type d -exec ./install-sh -c -d "/usr/local/share/doc/openpace/{}" \;
find: ./install-sh: No such file or directory
find: ./install-sh: No such file or directory
find: ./install-sh: No such file or directory
...

Steps to reproduce

  1. Setup a docker container as described in #51
  2. Clone and build the library. Run make install afterwards.
  3. Observe that the installation process fails because (from my understanding) the Makefile has trouble locating the install-sh script.

Logs

The logs showcase the error. Ignore the PWD print statements (I inserted them trying to debug the problem):
err.log

configure: error: Need OpenSSL with SHA-256 support

Hi,

I'm trying to compile OpenPACE on Ubuntu 14.04 64bit.

Configure throws: "Need OpenSSL with SHA-256 support". I have installed OpenSSL 1.0.2. It does support SHA-256 (at least I can generate SHA-256 hashes).

Any suggestions how I could workaround this?

Cheers
K

Sample project for Android Studio

Hi,

I wish you a very good 2016 (postulate: you read this at the beginning of 2016).
I am trying to deploy OpenPACE on Android Studio and I have come up with this project so far: https://github.com/jmailing/openpace_android_studio_test
I am compiling for Android then copying all of the libraries in a .jar file.
Unfortunately, I get this error message:
java.lang.UnsatisfiedLinkError: dlopen failed: could not load library "libcrypto.so.1.0.0" needed by "libeac.so"; caused by library "libcrypto.so.1.0.0" not found
Does someone know:

  • whether I should try to do a static compilation of openpace and the other libraries (is it painful for someone with no experience with makefiles?)
  • whether there is a trick so that Android takes all of the files included in the .jar into consideration and not only the .so files?

Thank you for any piece of information !

OpenPACE mac compilation

I am trying to compile OpenPACE on macOS 10.10; this is the terminal output after trying to build the configure file (btw, I have libtool and glibtool installed):

Diegos-MacBook-Pro:openpace dlavila$ autoreconf --verbose --install
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /opt/local/bin/autoconf
autoreconf: running: /opt/local/bin/autoheader
autoreconf: running: automake --add-missing --copy --no-force
configure.ac:15: installing './compile'
configure.ac:9: installing './install-sh'
configure.ac:9: installing './missing'
bindings/go/Makefile.am:14: error: Libtool library used but 'LIBTOOL' is undefined
bindings/go/Makefile.am:14: The usual way to define 'LIBTOOL' is to add 'LT_INIT'
bindings/go/Makefile.am:14: to 'configure.ac' and run 'aclocal' and 'autoconf' again.
bindings/go/Makefile.am:14: If 'LT_INIT' is in 'configure.ac', make sure
bindings/go/Makefile.am:14: its definition is in aclocal's search path.
bindings/go/Makefile.am: installing './depcomp'
bindings/java/Makefile.am:50: error: Libtool library used but 'LIBTOOL' is undefined
bindings/java/Makefile.am:50: The usual way to define 'LIBTOOL' is to add 'LT_INIT'
bindings/java/Makefile.am:50: to 'configure.ac' and run 'aclocal' and 'autoconf' again.
bindings/java/Makefile.am:50: If 'LT_INIT' is in 'configure.ac', make sure
bindings/java/Makefile.am:50: its definition is in aclocal's search path.
src/Makefile.am:34: error: Libtool library used but 'LIBTOOL' is undefined
src/Makefile.am:34: The usual way to define 'LIBTOOL' is to add 'LT_INIT'
src/Makefile.am:34: to 'configure.ac' and run 'aclocal' and 'autoconf' again.
src/Makefile.am:34: If 'LT_INIT' is in 'configure.ac', make sure
src/Makefile.am:34: its definition is in aclocal's search path.
autoreconf: automake failed with exit status: 1

Problems compiling openpace under alpine linux

Expected behaviour

It should compile without any errors.

Actual behaviour

It doesn't compile. (See details below.)

Steps to reproduce

  1. Setup a dockerfile with the following content:
FROM alpine:latest

WORKDIR /app

# Install general dependencies etc
RUN apk add python3
RUN python3 -m ensurepip
RUN apk add g++
RUN apk add git
RUN apk add gcc

# Install openpace
RUN apk add autoconf
RUN apk add automake
RUN apk add libtool
RUN apk add file
RUN apk add help2man
RUN apk add gengetopt
RUN apk add make
RUN apk add openssl
RUN apk add openssl-dev

RUN cd /app && git clone -b master https://github.com/frankmorgner/openpace.git
RUN cd openpace && autoreconf --verbose --install && ./configure --enable-openssl-install && make && make install

# Port configurations
EXPOSE 5000
  2. Build the docker image
  3. The following error occurs during the compilation stage:
...
make[4]: Entering directory '/app/openpace/src'
  CC       eactest-eactest.o
In file included from eactest.c:51:
misc.h:111:7: error: unknown type name 'ECDH_METHOD'
  111 | const ECDH_METHOD *ECDH_OpenSSL_Point(void);
      |       ^~~~~~~~~~~
ssl_compat.h:51:7: error: expected declaration specifiers or '...' before string constant
   51 | void *OPENSSL_zalloc(size_t num);
      |       ^~~~~~~~~~~~~~
ssl_compat.h:51:7: error: expected declaration specifiers or '...' before numeric constant
   51 | void *OPENSSL_zalloc(size_t num);
      |       ^~~~~~~~~~~~~~
make[4]: Leaving directory '/app/openpace/src'
...

Error in eac_ecdh.c line 91: NID_brainpoolP512r1 selected instead of NID_brainpoolP320r1

Expected behaviour

In PACE step 3a (example.c line 47):
pcd_mapping_data = PACE_STEP3A_generate_mapping_data(pcd_ctx);

I expect that if the protocol ID is 14 (as it currently is in Dutch passports), a 320-bit key would be generated with NID_brainpoolP320r1.
(see https://www.icao.int/Security/FAL/TRIP/Documents/TR%20-%20Supplemental%20Access%20Control%20V1.1.pdf page 34)

Actual behaviour

Instead of a 320-bit key, a 512-bit key is generated. If you look at lines 90/91 in eac_ecdh.c you see this:
case 14:
tmp = EC_KEY_new_by_curve_name(NID_brainpoolP512r1);

I think that should be:
case 14:
tmp = EC_KEY_new_by_curve_name(NID_brainpoolP320r1);

Links to pre-compiled binaries does not work

Expected behaviour

On the page https://frankmorgner.github.io/openpace/install.htm, clicking the links for the Win32 or Win64 pre-compiled binaries should download a zip file with the pre-compiled binaries for Windows.

Actual behaviour

An error is received from the server:

<Error>
<Code>BlobNotFound</Code>
<Message>
The specified blob does not exist. RequestId:a546a908-701e-00e7-516f-74aae9000000 Time:2018-11-04T18:53:20.0000378Z
</Message>
</Error>

Steps to reproduce

  1. Click the link.
  2. Get the error message.

openpace does not work in fedora environment

I have composed a SPEC file to build RPM packages suitable for the Fedora environment.
While doing so, I guess I have spotted some builddir artefacts that "make install" drops in (see openpace.spec, section cleanup BUILDROOT, for reference).
The SPEC file is far from perfect, but it builds usable RPM packages without errors.

With the packages installed, eactest is crashing (see eactest.log for reference).
opensc is rebuilt with npa-tool support, but npa-tool is erroring out with the same [ERROR] ... lines as eactest.
As I do not know the proper use of these tools yet, it may be a user fault.

make win: mention mingw-w64-tools and gcc-mingw-w64 package in doc/install.txt.in

Please mention in your newly extended install instructions the usage of the mingw packages on the Linux host where the compilation is done.

To be able to start the cross compilation for Windows, it is required to install the mingw-w64-tools package on the Linux host to have the gendef tool available.
Trying make win will fail with "/usr/bin/ld: cannot find -lws2_32", and Google did not highlight the simple solution:
Furthermore, the gcc-mingw-w64 package is required to have the libws2_32.a file installed on the Linux host.
Now, this prerequisite should be done.

Question about public key domain parameters in CVCA certificates

The TR-03110 and TR-03111 are a bit vague when it comes to the expected encoding of the public key domain parameters. Specifically for secp521r1 curve, one of the coefficients (b) has a leftmost byte equal to '00' and it is not clear to me if this leftmost '00' byte shall be kept or removed.

The cvc-create does actually suppress the leftmost '00' byte, so the resulting CVCA certificate looks like this:

7F21 [ APPLICATION 33 ] IMPLICIT SEQUENCE SIZE( 772 )
  7F4E [ APPLICATION 78 ] IMPLICIT SEQUENCE SIZE( 633 )
    5F29 [ APPLICATION 41 ] SIZE( 1 )
      0000  00                                               .
    42 [ APPLICATION 2 ] SIZE( 13 )
      0000  5A 5A 41 54 43 56 43 41 30 30 30 30 31           ZZATCVCA00001
    7F49 [ APPLICATION 73 ] IMPLICIT SEQUENCE SIZE( 558 )
      OBJECT IDENTIFIER = { id-TA-ECDSA-SHA-512 }
      81 [ CONTEXT 1 ] SIZE( 66 )
        0000  01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0040  FF FF                                            ..
      82 [ CONTEXT 2 ] SIZE( 66 )
        0000  01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0030  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0040  FF FC                                            ..
      83 [ CONTEXT 3 ] SIZE( 65 )
        0000  51 95 3E B9 61 8E 1C 9A 1F 92 9A 21 A0 B6 85 40  Q.>.a......!...@
        0010  EE A2 DA 72 5B 99 B3 15 F3 B8 B4 89 91 8E F1 09  ...r[...........
        0020  E1 56 19 39 51 EC 7E 93 7B 16 52 C0 BD 3B B1 BF  .V.9Q.~.{.R..;..
        0030  07 35 73 DF 88 3D 2C 34 F1 EF 45 1F D4 6B 50 3F  .5s..=,4..E..kP?
        0040  00                                               .
      84 [ CONTEXT 4 ] SIZE( 133 )
        0000  04 00 C6 85 8E 06 B7 04 04 E9 CD 9E 3E CB 66 23  ............>.f#
        0010  95 B4 42 9C 64 81 39 05 3F B5 21 F8 28 AF 60 6B  ..B.d.9.?.!.(.`k
        0020  4D 3D BA A1 4B 5E 77 EF E7 59 28 FE 1D C1 27 A2  M=..K^w..Y(...'.
        0030  FF A8 DE 33 48 B3 C1 85 6A 42 9B F9 7E 7E 31 C2  ...3H...jB..~~1.
        0040  E5 BD 66 01 18 39 29 6A 78 9A 3B C0 04 5C 8A 5F  ..f..9)jx.;..\._
        0050  B4 2C 7D 1B D9 98 F5 44 49 57 9B 44 68 17 AF BD  .,}....DIW.Dh...
        0060  17 27 3E 66 2C 97 EE 72 99 5E F4 26 40 C5 50 B9  .'>f,..r.^.&@.P.
        0070  01 3F AD 07 61 35 3C 70 86 A2 72 C2 40 88 BE 94  .?..a5<p..r.@...
        0080  76 9F D1 66 50                                   v..fP
      85 [ CONTEXT 5 ] SIZE( 66 )
        0000  01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
        0020  FF FA 51 86 87 83 BF 2F 96 6B 7F CC 01 48 F7 09  ..Q..../.k...H..
        0030  A5 D0 3B B5 C9 B8 89 9C 47 AE BB 6F B7 1E 91 38  ..;.....G..o...8
        0040  64 09                                            d.
      86 [ CONTEXT 6 ] SIZE( 133 )
        0000  04 00 1E B1 92 42 1E A6 AC 71 08 FC 52 67 29 94  .....B...q..Rg).
        0010  37 CB 92 66 C3 8E C3 4F 75 30 40 7D 12 A0 3F 8F  7..f...Ou0@}..?.
        0020  FB F3 47 A2 29 C0 A5 54 6C 62 A1 62 56 E2 57 75  ..G.)..Tlb.bV.Wu
        0030  78 19 5E 86 A6 3A CC 6F 8E 3B A4 04 E8 54 B6 3A  x.^..:.o.;...T.:
        0040  90 40 EB 00 23 94 DD 7D 3E 34 62 4E 37 BE 04 86  .@..#..}>4bN7...
        0050  A8 04 A6 D9 07 0C C7 5F CA 20 28 8F E9 87 CA 5C  ......._. (....\
        0060  6C 5A D9 56 C8 67 06 3C E1 E4 27 F1 FD 1D E9 72  lZ.V.g.<..'....r
        0070  9C 2D 79 73 7E FA 5F EB 77 57 86 A0 63 4C A6 90  .-ys~._.wW..cL..
        0080  D7 EC 34 92 E0                                   ..4..
      87 [ CONTEXT 7 ] SIZE( 1 )
        0000  01                                               .
    5F20 [ APPLICATION 32 ] SIZE( 13 )
      0000  5A 5A 41 54 43 56 43 41 30 30 30 30 31           ZZATCVCA00001
    7F4C [ APPLICATION 76 ] IMPLICIT SEQUENCE SIZE( 14 )
      OBJECT IDENTIFIER = { id-IS }
      53 [ APPLICATION 19 ] SIZE( 1 )
        0000  C3                                               .
    5F25 [ APPLICATION 37 ] SIZE( 6 )
      0000  02 02 01 00 02 02                                ......
    5F24 [ APPLICATION 36 ] SIZE( 6 )
      0000  02 03 01 00 02 02                                ......
  5F37 [ APPLICATION 55 ] SIZE( 130 )
    0000  22 42 55 65 83 7C 81 38 4D F2 B3 23 56 AD 8F 8C  "BUe.|.8M..#V...
    0010  16 0B 71 CB CE 9C E3 9F AC 89 84 5C 33 81 24 84  ..q........\3.$.
    0020  F3 67 D8 51 C3 0F 2C A9 3A AF 27 C3 FF 2B 0C 4F  .g.Q..,.:.'..+.O
    0030  6F DC 06 43 ED 1F C9 A2 82 AC DB 7C 89 D8 1D 5C  o..C.......|...\
    0040  49 6F C4 43 55 82 13 72 DB 88 72 54 AE B3 6F F6  Io.CU..r..rT..o.
    0050  5F F5 7C E4 54 32 0B CB E0 8E 28 37 43 EB ED 9E  _.|.T2....(7C...
    0060  78 23 14 AE 39 DE 40 63 DD 40 6C C5 79 B0 98 B6  x#..9.@[email protected]...
    0070  0E C1 69 61 0F 46 7A 24 E3 34 29 BE 5D F6 22 5E  ..ia.Fz$.4).]."^
    0080  34 AB                                            4.

But TR-03111 refers to ISO/IEC 7816-8, which says in Table 3 that the coefficient b shall be encoded on "z" bytes (in this context 66). TR-03111 mentions that the guide deviates from 7816, but only in the encoding of points (mandating uncompressed representation including the 04 indicator).

I have some other tools to generate the CVCA certs and those use a fixed length and thus have the b coefficient with the leftmost zero included.

While the text of TR-03111 mentions that the type of the domain parameters which are integers is Integer, for the secp256r1 curve there are no additional '00' bytes to avoid interpreting the INTEGER value as negative, so I personally would consider that the 7816-8 encoding with a fixed number of octets shall be used.

Should this be considered a bug? Should the domain parameter encoding have a fixed number of octets as specified in 7816-8 Table 3?

What is the correct encoding for the secp521r1 domain parameters?
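As an added example (not OpenPACE code, not part of the issue), the following Python contrasts the two encodings this issue compares: the fixed-length field element form of TR-03111/ISO 7816-8 (z octets, z = 66 for secp521r1) and the minimal big-endian form that drops the leading zero octet. The sample value is constructed to have a zero top byte like the secp521r1 b coefficient; it is not the real curve constant.

```python
import math

# Field prime of secp521r1 (public constant): z = ceil(521 / 8) = 66 octets.
SECP521R1_P = (1 << 521) - 1


def field_len(p: int) -> int:
    """z: number of octets of a field element mod p (ISO 7816-8 Table 3)."""
    return math.ceil(p.bit_length() / 8)


def fe2os(x: int, p: int) -> bytes:
    """TR-03111 FE2OS: fixed-length big-endian encoding, leading zeros kept."""
    if not 0 <= x < p:
        raise ValueError("field element out of range")
    return x.to_bytes(field_len(p), "big")


def minimal_os(x: int) -> bytes:
    """Shortest big-endian encoding, i.e. what a tool that strips leading
    zero octets emits (65 octets for a secp521r1 value with a zero top byte)."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def os2fe(octets: bytes, p: int) -> int:
    """Decode either form; the integer value is the same in both cases."""
    value = int.from_bytes(octets, "big")
    if value >= p:
        raise ValueError("not a field element")
    return value


def has_fixed_length(octets: bytes, p: int) -> bool:
    """Strict check a CV certificate verifier can apply to each domain
    parameter: the encoding must be exactly z octets long."""
    return len(octets) == field_len(p)


def normalize(octets: bytes, p: int) -> bytes:
    """Lenient alternative: accept the short form but re-pad it to z octets
    before comparing against a reference encoding."""
    return fe2os(os2fe(octets, p), p)


# Constructed sample (NOT the real secp521r1 b): top byte zero, 519 bits set,
# so the minimal form is 65 octets while the fixed form is 66.
SAMPLE_B = (0x51 << (8 * 64)) | 0x1234
```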

Generating RSA cert chains

Hello
Using the following steps:

  1. generate CV private key:
    openssl pkcs8 -topk8 -nocrypt -in D:\OTATCVCA00001.pem -outform DER -out D:\OTATCVCA00001.pkcs8
    => ok
  2. generate self signed cv-cert:
    cvc-create --role=cvca --type=at --chr=OTATCVCA00001 --expires=160210 --issued=150210 --sign-with="D:\OTATCVCA00001.pkcs8" --scheme=RSA_v1_5_SHA_1 --write-dg17 --write-dg18 --write-dg19 --write-dg20 --write-dg21 --read-dg1 --read-dg2 --read-dg3 --read-dg4 --read-dg5 --read-dg6 --read-dg7 --read-dg8 --read-dg9 --read-dg10 --read-dg11 --read-dg12 --read-dg13 --read-dg14 --read-dg15 --read-dg16 --read-dg17 --read-dg18 --read-dg19 --install-qual-cert --install-cert --pin-management --can-allowed --privileged --rid --verify-community --verify-age
    => ok
  3. generate dv-cert signed by cv, with autogenerated dv private key:

GPL license when used with OpenSC

I have a question wrt. licensing

  • OpenPACE is GPL-licensed
  • OpenSC is using the LGPL license

OpenSC is configured to use OpenPACE as a dependency per https://github.com/OpenSC/OpenSC/blob/219c6cc49464c627c7741a2c17171d7f61fa536c/win32/Make.rules.mak#L117

My understanding is that when this happens the GPL would likely apply to the entire combination of OpenSC and OpenPACE.

Would it be possible to consider some alternative license for OpenPACE when used in OpenSC, such as the LGPL or a GPL with linking exception, such that OpenSC's LGPL continues to apply?

@frankmorgner ping: I understand that you might be the primary maintainer of both tools
@Jakuje ping

Thank you for your kind consideration and this fine tool!
