-
Notifications
You must be signed in to change notification settings - Fork 255
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 3.1.5001 #217
Comments
Hi, has anyone figured this out? |
During the development one of the pods was statically including OpenSSL3 and forcing passport scanner to also use OpenSSL3. And a problem is that if your passport have certificates with ECDSA - then you have an error during verification:
And according to ICAO all passports with ECDSA MUST use explicit curve parameters paragraph 4.1.6.3. Apparently OpenSSL is not allowing to use explicit cure parameters in v3. There is a lot of comments about that (and openssl responded with something like "you should change your ICAO standards"). Note that certificates that are using RSA is still parsed/verified no problem. Just another thing to keep in mind/test if you are going to update to v3. Would be happy to help/test with the passports I have. |
Hi @AndyQ ! First, thanks for your great work on this, it's very much appreciated. I'm in the process of trying to migrate to OpenSSL 3. I've made locally pretty much the same as you did on your branch, i.e. the bare minimum to make it compile after switching to OpenSSL 3. I have the same PACE failure. I'm going to look into this, and will share if I find a solution, but I'm wondering: maybe this issue shouldn't really be tackled by trying to fix the current code, but by rewriting it using non-deprecated APIs? Or is the issue such that it shouldn't make a difference? |
I can't reproduce the issue that @Thormeard is describing, on my side it seems like a different one. It fails like for you @AndyQ when sending the last general auth command. I've looked into it more and comparing the authentication token generation between the previous version and the OpenSSL 3 version. It seems the AES CMAC generation yields different results with the same inputs between both version, and I think this causes the error. Somehow the CMAC API (which is now deprecated) has changed and produces something different. Rather than trying to fix it, I'm trying to re-implement the AES CMAC generation by using the EVP_MAC API, as recommended in the OpenSSL 3 migration guide. Unfortunately I'm a bit stuck, the EVP_MAC_init function always fail for me, after trying all the configurations I could think of. Here is the current code:
Please note it's a draft and I'm hardcoding the cipher as in my test it's always this one, but of course it should be adapted to throw instead of returning an empty array, and to have a dynamic cipher depending on the key size. |
I agree we should be moving away from the deprecated functions - thats a lot more work than I currently have time for at the moment sadly! I'll take a look at your code above when I get a chance and see if I can see anything too. |
So turns out the AES CMAC calculation worked perfectly fine, the issue is elsewhere, probably linked to what @Thormeard posted. I'll keep investigating this, I'll let you know if I find anything else. Just in case, I did manage to convert the AES CMAC generation to the new APIs, here is the function I have locally.
|
Hello @AndyQ. I struggled with it 2 months and had to cover all of the basic components with unit tests and made a Mock of ICC to find the issue T_T. I've made the update to 3.1.300 in December of `23 and now I can confirm it works with 3.3.200. AFAIR the issue is that on version 3 (not sure about concrete version) of OpenSSL they somehow broke or changed the way how they create keys using EVP structure. In code the issue is in And of course OpenSSL missed the point in documentation as well. You need to use |
I've added a branch - OpenSSL3 which is the start of upgrading to OpenSSL 3.1.5001 (current version).
It works only on BAC at the moment, for some reason (unknown at the moment), PACE fails in step 4 when sending the auth token to the passport (invalid parameters received).
If anyone fancies taking a look and seeing if they can see what I've missed that would be great!
Note - this branch has only the bare minimum code changes to get it compiling. There has been a LOT of changes between OpenSSL1 and 3 - lots of functions have been deprecated (which I need to fix and figure out the alternatives - I think its just a migation from the low level functions to the higher level ECP_PKEY ones - as per the migration guide https://www.openssl.org/docs/man3.0/man7/migration_guide.html)
The text was updated successfully, but these errors were encountered: