giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
opensc/src/libopensc/card-piv.c

3662 lines
105 KiB
C
Raw Normal View History

add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/*
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* card-piv.c: Support for PIV-II from NIST SP800-73
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
* card-default.c: Support for cards with no driver
*
convert to utf-8. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3085 c6295689-39f2-0310-b995-f0e70906c6a9
2006-12-19 21:32:31 +00:00
* Copyright (C) 2001, 2002 Juha Yrjölä <juha.yrjola@iki.fi>
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
* Copyright (C) 2005,2006,2007,2008,2009,2010 Douglas E. Engert <deengert@anl.gov>
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
* Copyright (C) 2016 Douglas E. Engert <deengert@gmail.com>
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
* Copyright (C) 2006, Identity Alliance, Thomas Harning <thomas.harning@identityalliance.com>
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
* Copyright (C) 2007, EMC, Russell Larner <rlarner@rsa.com>
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
honour HAVE_CONFIG_H
2015-04-22 21:55:33 +00:00
#if HAVE_CONFIG_H
Header file cleanup. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4081 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-04 08:14:36 +00:00
#include "config.h"
honour HAVE_CONFIG_H
2015-04-22 21:55:33 +00:00
#endif
Complete rewrite of OpenSC build system. 1. Build system now supports MinGW (Windows) compilation using msys and cross compilation. 2. Ability to explicitly disable and enable dependencies of the package. 3. openct, pcsc and nsplugins features are disabled by default. 4. Modified pcsc driver to use pcsc dynamically, no compile time dependency is required. 5. --enable-pcsc-lite configuration option renamed to --enable-pcsc. 6. Install opensc.conf file (as opensc.conf.new if opensc.conf exists). 7. Add--enable-doc configuration option, allow installing documentation into target. 8. Add --disable-man configuration option, allow msys mingw32 users to build from svn without extra dependencies. 9. Add export files to each library in order to export only required symbols. Windows native build may use these files instead of scanning objects' symbols. 10. Add opensc-tool --info to display some general information about the build. 11. Create compatibility library to be linked against library instread of recompiling the same source files in different places. 12. Add different win32 version resource to each class of outputs. 13. Make xsl-stylesheets location selectable. 14. Some win32 fixups. 15. Some warning fixups. 16. Many other autoconf/automake cleanups. Alon Bar-Lev svn diff -r 3315:3399 https://www.opensc-project.org/svn/opensc/branches/alonbl/mingw _M . D configure.in _M src _M src/openssh M src/openssh/Makefile.am _M src/tools M src/tools/rutoken-tool.c M src/tools/opensc-tool.c M src/tools/cardos-info.c M src/tools/pkcs15-crypt.c M src/tools/pkcs15-init.c M src/tools/piv-tool.c M src/tools/netkey-tool.c M src/tools/eidenv.c M src/tools/cryptoflex-tool.c M src/tools/util.c M src/tools/pkcs11-tool.c M src/tools/pkcs15-tool.c M src/tools/util.h M src/tools/opensc-explorer.c M src/tools/Makefile.am _M src/pkcs11 M src/pkcs11/pkcs11-global.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-display.c M src/pkcs11/pkcs11-object.c A src/pkcs11/opensc-pkcs11.exports M src/pkcs11/sc-pkcs11.h M src/pkcs11/pkcs11-spy.c M src/pkcs11/openssl.c M src/pkcs11/Makefile.am A src/pkcs11/pkcs11-spy.exports _M src/tests _M src/tests/regression M src/tests/regression/Makefile.am M src/tests/sc-test.c M src/tests/pintest.c M src/tests/Makefile.am _M src/include _M src/include/opensc M src/include/opensc/Makefile.am A src/include/opensc/svnignore M src/include/Makefile.am _M src/signer _M src/signer/npinclude M src/signer/npinclude/Makefile.am M src/signer/Makefile.am A src/signer/signer.exports _M src/common A src/common/compat_dummy.c D src/common/getopt.txt D src/common/strlcpy.c D src/common/LICENSE A src/common/compat_getopt.txt A src/common/compat_strlcpy.c A src/common/LICENSE.compat_getopt A src/common/compat_getopt.c D src/common/strlcpy.h D src/common/ChangeLog D src/common/getpass.c D src/common/my_getopt.c A src/common/compat_strlcpy.h A src/common/compat_getpass.c A src/common/compat_getopt.h A src/common/ChangeLog.compat_getopt D src/common/README.strlcpy D src/common/my_getopt.h A src/common/compat_getpass.h A src/common/README.compat_strlcpy D src/common/strlcpy.3 A src/common/README.compat_getopt D src/common/getopt.3 D src/common/README.my_getopt A src/common/compat_strlcpy.3 A src/common/compat_getopt.3 M src/common/Makefile.am M src/Makefile.am _M src/pkcs15init M src/pkcs15init/pkcs15-oberthur.c M src/pkcs15init/profile.c M src/pkcs15init/pkcs15-lib.c M src/pkcs15init/pkcs15-rutoken.c A src/pkcs15init/pkcs15init.exports M src/pkcs15init/pkcs15-gpk.c M src/pkcs15init/Makefile.am _M src/scconf M src/scconf/Makefile.am M src/scconf/parse.c A src/scconf/scconf.exports _M src/libopensc M src/libopensc/card-rutoken.c M src/libopensc/compression.c M src/libopensc/sc.c M src/libopensc/card-piv.c M src/libopensc/pkcs15-openpgp.c M src/libopensc/pkcs15-postecert.c M src/libopensc/pkcs15-tcos.c M src/libopensc/opensc-config.in M src/libopensc/reader-pcsc.c A src/libopensc/internal-winscard.h M src/libopensc/ctx.c A src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-infocamere.c M src/libopensc/internal.h M src/libopensc/pkcs15-actalis.c M src/libopensc/pkcs15-starcert.c M src/libopensc/card-oberthur.c M src/libopensc/pkcs15-atrust-acos.c M src/libopensc/p15card-helper.c D src/libopensc/part10.h M src/libopensc/ui.c M src/libopensc/card-gpk.c M src/libopensc/pkcs15-wrap.c M src/libopensc/pkcs15-gemsafeGPK.c M src/libopensc/log.c M src/libopensc/pkcs15-esteid.c M src/libopensc/pkcs15-prkey-rutoken.c M src/libopensc/log.h M src/libopensc/Makefile.am M src/libopensc/reader-openct.c _M aclocal M aclocal/Makefile.am _M win32 M win32/Makefile.am A win32/versioninfo.rc.in A win32/ltrc.inc A configure.ac _M doc _M doc/tools M doc/tools/pkcs15-profile.xml D doc/changelog.sh D doc/export-wiki.xsl _M doc/api _M doc/api/file M doc/api/man.xsl _M doc/api/asn1 _M doc/api/apps _M doc/api/init _M doc/api/types _M doc/api/card M doc/api/html.xsl _M doc/api/misc _M doc/api/util M doc/Makefile.am D doc/export-wiki.sh AM doc/nonpersistent A doc/nonpersistent/export-wiki.xsl A doc/nonpersistent/Makefile.am A doc/nonpersistent/export-wiki.sh A doc/nonpersistent/svn2cl.xsl D doc/generate-man.sh D doc/svn2cl.xsl M Makefile.am A svnignore _M etc M etc/opensc.conf.in M etc/Makefile.am D man _M solaris M solaris/Makefile git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3405 c6295689-39f2-0310-b995-f0e70906c6a9
2008-03-06 16:06:59 +00:00
fix more warnings found by gcc/sparse. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3178 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 11:07:00 +00:00
#include <ctype.h>
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
#include <fcntl.h>
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#include <limits.h>
fixed missing includes
2015-10-12 06:24:46 +00:00
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <io.h>
#else
#include <unistd.h>
#endif
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#ifdef ENABLE_OPENSSL
/* openssl only needed for card administration */
use EVP API for DES encryption git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3106 c6295689-39f2-0310-b995-f0e70906c6a9
2007-01-08 20:19:10 +00:00
#include <openssl/evp.h>
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
#include <openssl/bio.h>
#include <openssl/pem.h>
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
#include <openssl/rand.h>
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
#include <openssl/rsa.h>
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
#endif /* ENABLE_OPENSSL */
Header file cleanup. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4081 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-04 08:14:36 +00:00
#include "internal.h"
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
#include "asn1.h"
#include "cardctl.h"
Complete rewrite of OpenSC build system. 1. Build system now supports MinGW (Windows) compilation using msys and cross compilation. 2. Ability to explicitly disable and enable dependencies of the package. 3. openct, pcsc and nsplugins features are disabled by default. 4. Modified pcsc driver to use pcsc dynamically, no compile time dependency is required. 5. --enable-pcsc-lite configuration option renamed to --enable-pcsc. 6. Install opensc.conf file (as opensc.conf.new if opensc.conf exists). 7. Add--enable-doc configuration option, allow installing documentation into target. 8. Add --disable-man configuration option, allow msys mingw32 users to build from svn without extra dependencies. 9. Add export files to each library in order to export only required symbols. Windows native build may use these files instead of scanning objects' symbols. 10. Add opensc-tool --info to display some general information about the build. 11. Create compatibility library to be linked against library instread of recompiling the same source files in different places. 12. Add different win32 version resource to each class of outputs. 13. Make xsl-stylesheets location selectable. 14. Some win32 fixups. 15. Some warning fixups. 16. Many other autoconf/automake cleanups. Alon Bar-Lev svn diff -r 3315:3399 https://www.opensc-project.org/svn/opensc/branches/alonbl/mingw _M . D configure.in _M src _M src/openssh M src/openssh/Makefile.am _M src/tools M src/tools/rutoken-tool.c M src/tools/opensc-tool.c M src/tools/cardos-info.c M src/tools/pkcs15-crypt.c M src/tools/pkcs15-init.c M src/tools/piv-tool.c M src/tools/netkey-tool.c M src/tools/eidenv.c M src/tools/cryptoflex-tool.c M src/tools/util.c M src/tools/pkcs11-tool.c M src/tools/pkcs15-tool.c M src/tools/util.h M src/tools/opensc-explorer.c M src/tools/Makefile.am _M src/pkcs11 M src/pkcs11/pkcs11-global.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-display.c M src/pkcs11/pkcs11-object.c A src/pkcs11/opensc-pkcs11.exports M src/pkcs11/sc-pkcs11.h M src/pkcs11/pkcs11-spy.c M src/pkcs11/openssl.c M src/pkcs11/Makefile.am A src/pkcs11/pkcs11-spy.exports _M src/tests _M src/tests/regression M src/tests/regression/Makefile.am M src/tests/sc-test.c M src/tests/pintest.c M src/tests/Makefile.am _M src/include _M src/include/opensc M src/include/opensc/Makefile.am A src/include/opensc/svnignore M src/include/Makefile.am _M src/signer _M src/signer/npinclude M src/signer/npinclude/Makefile.am M src/signer/Makefile.am A src/signer/signer.exports _M src/common A src/common/compat_dummy.c D src/common/getopt.txt D src/common/strlcpy.c D src/common/LICENSE A src/common/compat_getopt.txt A src/common/compat_strlcpy.c A src/common/LICENSE.compat_getopt A src/common/compat_getopt.c D src/common/strlcpy.h D src/common/ChangeLog D src/common/getpass.c D src/common/my_getopt.c A src/common/compat_strlcpy.h A src/common/compat_getpass.c A src/common/compat_getopt.h A src/common/ChangeLog.compat_getopt D src/common/README.strlcpy D src/common/my_getopt.h A src/common/compat_getpass.h A src/common/README.compat_strlcpy D src/common/strlcpy.3 A src/common/README.compat_getopt D src/common/getopt.3 D src/common/README.my_getopt A src/common/compat_strlcpy.3 A src/common/compat_getopt.3 M src/common/Makefile.am M src/Makefile.am _M src/pkcs15init M src/pkcs15init/pkcs15-oberthur.c M src/pkcs15init/profile.c M src/pkcs15init/pkcs15-lib.c M src/pkcs15init/pkcs15-rutoken.c A src/pkcs15init/pkcs15init.exports M src/pkcs15init/pkcs15-gpk.c M src/pkcs15init/Makefile.am _M src/scconf M src/scconf/Makefile.am M src/scconf/parse.c A src/scconf/scconf.exports _M src/libopensc M src/libopensc/card-rutoken.c M src/libopensc/compression.c M src/libopensc/sc.c M src/libopensc/card-piv.c M src/libopensc/pkcs15-openpgp.c M src/libopensc/pkcs15-postecert.c M src/libopensc/pkcs15-tcos.c M src/libopensc/opensc-config.in M src/libopensc/reader-pcsc.c A src/libopensc/internal-winscard.h M src/libopensc/ctx.c A src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-infocamere.c M src/libopensc/internal.h M src/libopensc/pkcs15-actalis.c M src/libopensc/pkcs15-starcert.c M src/libopensc/card-oberthur.c M src/libopensc/pkcs15-atrust-acos.c M src/libopensc/p15card-helper.c D src/libopensc/part10.h M src/libopensc/ui.c M src/libopensc/card-gpk.c M src/libopensc/pkcs15-wrap.c M src/libopensc/pkcs15-gemsafeGPK.c M src/libopensc/log.c M src/libopensc/pkcs15-esteid.c M src/libopensc/pkcs15-prkey-rutoken.c M src/libopensc/log.h M src/libopensc/Makefile.am M src/libopensc/reader-openct.c _M aclocal M aclocal/Makefile.am _M win32 M win32/Makefile.am A win32/versioninfo.rc.in A win32/ltrc.inc A configure.ac _M doc _M doc/tools M doc/tools/pkcs15-profile.xml D doc/changelog.sh D doc/export-wiki.xsl _M doc/api _M doc/api/file M doc/api/man.xsl _M doc/api/asn1 _M doc/api/apps _M doc/api/init _M doc/api/types _M doc/api/card M doc/api/html.xsl _M doc/api/misc _M doc/api/util M doc/Makefile.am D doc/export-wiki.sh AM doc/nonpersistent A doc/nonpersistent/export-wiki.xsl A doc/nonpersistent/Makefile.am A doc/nonpersistent/export-wiki.sh A doc/nonpersistent/svn2cl.xsl D doc/generate-man.sh D doc/svn2cl.xsl M Makefile.am A svnignore _M etc M etc/opensc.conf.in M etc/Makefile.am D man _M solaris M solaris/Makefile git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3405 c6295689-39f2-0310-b995-f0e70906c6a9
2008-03-06 16:06:59 +00:00
#ifdef ENABLE_ZLIB
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
#include "compression.h"
#endif
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
enum {
PIV_OBJ_CCC = 0,
PIV_OBJ_CHUI,
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
/* PIV_OBJ_UCHUI is not in new with 800-73-2 */
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
PIV_OBJ_X509_PIV_AUTH,
PIV_OBJ_CHF,
PIV_OBJ_PI,
PIV_OBJ_CHFI,
PIV_OBJ_X509_DS,
PIV_OBJ_X509_KM,
PIV_OBJ_X509_CARD_AUTH,
PIV_OBJ_SEC_OBJ,
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
PIV_OBJ_DISCOVERY,
PIV_OBJ_HISTORY,
PIV_OBJ_RETIRED_X509_1,
PIV_OBJ_RETIRED_X509_2,
PIV_OBJ_RETIRED_X509_3,
PIV_OBJ_RETIRED_X509_4,
PIV_OBJ_RETIRED_X509_5,
PIV_OBJ_RETIRED_X509_6,
PIV_OBJ_RETIRED_X509_7,
PIV_OBJ_RETIRED_X509_8,
PIV_OBJ_RETIRED_X509_9,
PIV_OBJ_RETIRED_X509_10,
PIV_OBJ_RETIRED_X509_11,
PIV_OBJ_RETIRED_X509_12,
PIV_OBJ_RETIRED_X509_13,
PIV_OBJ_RETIRED_X509_14,
PIV_OBJ_RETIRED_X509_15,
PIV_OBJ_RETIRED_X509_16,
PIV_OBJ_RETIRED_X509_17,
PIV_OBJ_RETIRED_X509_18,
PIV_OBJ_RETIRED_X509_19,
PIV_OBJ_RETIRED_X509_20,
PIV_OBJ_IRIS_IMAGE,
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
PIV_OBJ_9B03,
PIV_OBJ_9A06,
PIV_OBJ_9C06,
PIV_OBJ_9D06,
PIV_OBJ_9E06,
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
PIV_OBJ_8206,
PIV_OBJ_8306,
PIV_OBJ_8406,
PIV_OBJ_8506,
PIV_OBJ_8606,
PIV_OBJ_8706,
PIV_OBJ_8806,
PIV_OBJ_8906,
PIV_OBJ_8A06,
PIV_OBJ_8B06,
PIV_OBJ_8C06,
PIV_OBJ_8D06,
PIV_OBJ_8E06,
PIV_OBJ_8F06,
PIV_OBJ_9006,
PIV_OBJ_9106,
PIV_OBJ_9206,
PIV_OBJ_9306,
PIV_OBJ_9406,
PIV_OBJ_9506,
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
PIV_OBJ_LAST_ENUM
};
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/*
* Flags in the piv_obj_cache:
* PIV_OBJ_CACHE_VALID means the data in the cache can be used.
* It might have zero length indicating that the object was not found.
* PIV_OBJ_CACHE_NOT_PRESENT means do not even try to read the object.
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* These objects will only be present if the history object says
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* they are on the card, or the discovery or history object in not present.
* If the file lilsted in the history object offCardCertURL was found,
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* its certs will be read into the cache and PIV_OBJ_CACHE_VALID set
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* and PIV_OBJ_CACHE_NOT_PRESENT unset.
*/
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#define PIV_OBJ_CACHE_VALID 1
#define PIV_OBJ_CACHE_NOT_PRESENT 8
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
typedef struct piv_obj_cache {
u8* obj_data;
size_t obj_len;
u8* internal_obj_data; /* like a cert in the object */
size_t internal_obj_len;
int flags;
} piv_obj_cache_t;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
enum {
PIV_STATE_NORMAL = 0,
PIV_STATE_MATCH,
PIV_STATE_INIT
};
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
typedef struct piv_private_data {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
sc_file_t *aid_file;
int enumtag;
int selected_obj; /* The index into the piv_objects last selected */
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
int return_only_cert; /* return the cert from the object */
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
int rwb_state; /* first time -1, 0, in middle, 1 at eof */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
int operation; /* saved from set_security_env */
int algorithm; /* saved from set_security_env */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
int key_ref; /* saved from set_security_env and */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
int alg_id; /* used in decrypt, signature, derive */
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
int key_size; /* RSA: modulus_bits EC: field_length in bits */
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
u8* w_buf; /* write_binary buffer */
size_t w_buf_len; /* length of w_buff */
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
piv_obj_cache_t obj_cache[PIV_OBJ_LAST_ENUM];
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
int keysWithOnCardCerts;
int keysWithOffCardCerts;
char * offCardCertURL;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
int pin_preference; /* set from Discovery object */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
int logged_in;
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
int pstate;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
int pin_cmd_verify;
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
int context_specific;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
int pin_cmd_noparse;
unsigned int pin_cmd_verify_sw1;
unsigned int pin_cmd_verify_sw2;
int tries_left; /* SC_PIN_CMD_GET_INFO tries_left from last */
unsigned int card_issues; /* card_issues flags for this card */
int object_test_verify; /* Can test this object to set verification state of card */
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
int yubico_version; /* 3 byte version number of NEO or Yubikey4 as integer */
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
} piv_private_data_t;
#define PIV_DATA(card) ((piv_private_data_t*)card->drv_data)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
struct piv_aid {
int enumtag;
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
size_t len_short; /* min length without version */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t len_long; /* With version and other stuff */
u8 *value;
};
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/*
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
* The Generic entry should be the "A0 00 00 03 08 00 00 10 00 "
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* NIST published this on 10/6/2005
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
* 800-73-2 Part 1 now refers to version "02 00"
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* i.e. "A0 00 00 03 08 00 00 01 00 02 00".
* but we don't need the version number. but could get it from the PIX.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
*
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* 800-73-3 Part 1 now refers to "01 00" i.e. going back to 800-73-1.
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* The main differences between 73-1, and 73-3 are the addition of the
* key History object and keys, as well as Discovery and Iris objects.
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
* These can be discovered by trying GET DATA
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
*/
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* all have same AID */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
static struct piv_aid piv_aids[] = {
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
{SC_CARD_TYPE_PIV_II_GENERIC, /* TODO not really card type but what PIV AID is supported */
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
9, 9, (u8 *) "\xA0\x00\x00\x03\x08\x00\x00\x10\x00" },
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{0, 9, 0, NULL }
};
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* card_issues - bugs in PIV implementations requires special handling */
#define CI_VERIFY_630X 0x00000001U /* VERIFY tries left returns 630X rather then 63CX */
#define CI_VERIFY_LC0_FAIL 0x00000002U /* VERIFY Lc=0 never returns 90 00 if PIN not needed */
/* will also test after first PIN verify if protected object can be used instead */
#define CI_CANT_USE_GETDATA_FOR_STATE 0x00000008U /* No object to test verification inplace of VERIFY Lc=0 */
#define CI_LEAKS_FILE_NOT_FOUND 0x00000010U /* GET DATA of empty object returns 6A 82 even if PIN not verified */
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
#define CI_DISCOVERY_USELESS 0x00000020U /* Discovery can not be used to query active AID */
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
#define CI_PIV_AID_LOSE_STATE 0x00000040U /* PIV AID can lose the login state run with out it*/
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
#define CI_OTHER_AID_LOSE_STATE 0x00000100U /* Other drivers match routines may reset our security state and lose AID!!! */
#define CI_NFC_EXPOSE_TOO_MUCH 0x00000200U /* PIN, crypto and objects exposed over NFS in violation of 800-73-3 */
#define CI_NO_RSA2048 0x00010000U /* does not have RSA 2048 */
#define CI_NO_EC384 0x00020000U /* does not have EC 384 */
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/*
* Flags in the piv_object:
* PIV_OBJECT_NOT_PRESENT: the presents of the object is
* indicated by the History object.
*/
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
#define PIV_OBJECT_TYPE_CERT 1
#define PIV_OBJECT_TYPE_PUBKEY 2
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#define PIV_OBJECT_NOT_PRESENT 4
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
struct piv_object {
int enumtag;
fix some warnings git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2858 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-23 18:43:14 +00:00
const char * name;
const char * oidstring;
size_t tag_len;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
u8 tag_value[3];
fix some warnings git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2858 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-23 18:43:14 +00:00
u8 containerid[2]; /* will use as relative paths for simulation */
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
int flags; /* object has some internal object like a cert */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
};
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* Must be in order, and one per enumerated PIV_OBJ */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
static const struct piv_object piv_objects[] = {
{ PIV_OBJ_CCC, "Card Capability Container",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00", 0},
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
{ PIV_OBJ_CHUI, "Card Holder Unique Identifier",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00", 0},
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
{ PIV_OBJ_X509_PIV_AUTH, "X.509 Certificate for PIV Authentication",
"2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01", PIV_OBJECT_TYPE_CERT} ,
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
{ PIV_OBJ_CHF, "Card Holder Fingerprints",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10", 0},
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
{ PIV_OBJ_PI, "Printed Information",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01", 0},
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
{ PIV_OBJ_CHFI, "Cardholder Facial Images",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30", 0},
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{ PIV_OBJ_X509_DS, "X.509 Certificate for Digital Signature",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00", PIV_OBJECT_TYPE_CERT},
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{ PIV_OBJ_X509_KM, "X.509 Certificate for Key Management",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02", PIV_OBJECT_TYPE_CERT},
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{ PIV_OBJ_X509_CARD_AUTH, "X.509 Certificate for Card Authentication",
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
"2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00", PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_SEC_OBJ, "Security Object",
"2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00", 0},
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
{ PIV_OBJ_DISCOVERY, "Discovery Object",
"2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50", 0},
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
{ PIV_OBJ_HISTORY, "Key History Object",
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
"2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60", 0},
/* 800-73-3, 21 new objects, 20 history certificates */
{ PIV_OBJ_RETIRED_X509_1, "Retired X.509 Certificate for Key Management 1",
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
"2.16.840.1.101.3.7.2.16.1", 3, "\x5F\xC1\x0D", "\x10\x01",
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_2, "Retired X.509 Certificate for Key Management 2",
"2.16.840.1.101.3.7.2.16.2", 3, "\x5F\xC1\x0E", "\x10\x02",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_3, "Retired X.509 Certificate for Key Management 3",
"2.16.840.1.101.3.7.2.16.3", 3, "\x5F\xC1\x0F", "\x10\x03",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_4, "Retired X.509 Certificate for Key Management 4",
"2.16.840.1.101.3.7.2.16.4", 3, "\x5F\xC1\x10", "\x10\x04",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_5, "Retired X.509 Certificate for Key Management 5",
"2.16.840.1.101.3.7.2.16.5", 3, "\x5F\xC1\x11", "\x10\x05",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_6, "Retired X.509 Certificate for Key Management 6",
"2.16.840.1.101.3.7.2.16.6", 3, "\x5F\xC1\x12", "\x10\x06",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_7, "Retired X.509 Certificate for Key Management 7",
"2.16.840.1.101.3.7.2.16.7", 3, "\x5F\xC1\x13", "\x10\x07",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_8, "Retired X.509 Certificate for Key Management 8",
"2.16.840.1.101.3.7.2.16.8", 3, "\x5F\xC1\x14", "\x10\x08",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_9, "Retired X.509 Certificate for Key Management 9",
"2.16.840.1.101.3.7.2.16.9", 3, "\x5F\xC1\x15", "\x10\x09",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_10, "Retired X.509 Certificate for Key Management 10",
"2.16.840.1.101.3.7.2.16.10", 3, "\x5F\xC1\x16", "\x10\x0A",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_11, "Retired X.509 Certificate for Key Management 11",
"2.16.840.1.101.3.7.2.16.11", 3, "\x5F\xC1\x17", "\x10\x0B",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_12, "Retired X.509 Certificate for Key Management 12",
"2.16.840.1.101.3.7.2.16.12", 3, "\x5F\xC1\x18", "\x10\x0C",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_13, "Retired X.509 Certificate for Key Management 13",
"2.16.840.1.101.3.7.2.16.13", 3, "\x5F\xC1\x19", "\x10\x0D",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_14, "Retired X.509 Certificate for Key Management 14",
"2.16.840.1.101.3.7.2.16.14", 3, "\x5F\xC1\x1A", "\x10\x0E",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_15, "Retired X.509 Certificate for Key Management 15",
"2.16.840.1.101.3.7.2.16.15", 3, "\x5F\xC1\x1B", "\x10\x0F",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_16, "Retired X.509 Certificate for Key Management 16",
"2.16.840.1.101.3.7.2.16.16", 3, "\x5F\xC1\x1C", "\x10\x10",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_17, "Retired X.509 Certificate for Key Management 17",
"2.16.840.1.101.3.7.2.16.17", 3, "\x5F\xC1\x1D", "\x10\x11",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_18, "Retired X.509 Certificate for Key Management 18",
"2.16.840.1.101.3.7.2.16.18", 3, "\x5F\xC1\x1E", "\x10\x12",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_19, "Retired X.509 Certificate for Key Management 19",
"2.16.840.1.101.3.7.2.16.19", 3, "\x5F\xC1\x1F", "\x10\x13",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_RETIRED_X509_20, "Retired X.509 Certificate for Key Management 20",
"2.16.840.1.101.3.7.2.16.20", 3, "\x5F\xC1\x20", "\x10\x14",
PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT},
{ PIV_OBJ_IRIS_IMAGE, "Cardholder Iris Images",
"2.16.840.1.101.3.7.2.16.21", 3, "\x5F\xC1\x21", "\x10\x15", 0},
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* following not standard , to be used by piv-tool only for testing */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
{ PIV_OBJ_9B03, "3DES-ECB ADM",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0},
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
/* Only used when signing a cert req, usually from engine
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* after piv-tool generated the key and saved the pub key
* to a file. Note RSA key can be 1024, 2048 or 3072
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
* but still use the "9x06" name.
*/
{ PIV_OBJ_9A06, "RSA 9A Pub key from last genkey",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.9999.20", 2, "\x9A\x06", "\x9A\x06", PIV_OBJECT_TYPE_PUBKEY},
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
{ PIV_OBJ_9C06, "Pub 9C key from last genkey",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.9999.21", 2, "\x9C\x06", "\x9C\x06", PIV_OBJECT_TYPE_PUBKEY},
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
{ PIV_OBJ_9D06, "Pub 9D key from last genkey",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.9999.22", 2, "\x9D\x06", "\x9D\x06", PIV_OBJECT_TYPE_PUBKEY},
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
{ PIV_OBJ_9E06, "Pub 9E key from last genkey",
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
"2.16.840.1.101.3.7.2.9999.23", 2, "\x9E\x06", "\x9E\x06", PIV_OBJECT_TYPE_PUBKEY},
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
{ PIV_OBJ_8206, "Pub 82 key ",
"2.16.840.1.101.3.7.2.9999.101", 2, "\x82\x06", "\x82\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8306, "Pub 83 key ",
"2.16.840.1.101.3.7.2.9999.102", 2, "\x83\x06", "\x83\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8406, "Pub 84 key ",
"2.16.840.1.101.3.7.2.9999.103", 2, "\x84\x06", "\x84\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8506, "Pub 85 key ",
"2.16.840.1.101.3.7.2.9999.104", 2, "\x85\x06", "\x85\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8606, "Pub 86 key ",
"2.16.840.1.101.3.7.2.9999.105", 2, "\x86\x06", "\x86\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8706, "Pub 87 key ",
"2.16.840.1.101.3.7.2.9999.106", 2, "\x87\x06", "\x87\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8806, "Pub 88 key ",
"2.16.840.1.101.3.7.2.9999.107", 2, "\x88\x06", "\x88\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8906, "Pub 89 key ",
"2.16.840.1.101.3.7.2.9999.108", 2, "\x89\x06", "\x89\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8A06, "Pub 8A key ",
"2.16.840.1.101.3.7.2.9999.109", 2, "\x8A\x06", "\x8A\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8B06, "Pub 8B key ",
"2.16.840.1.101.3.7.2.9999.110", 2, "\x8B\x06", "\x8B\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8C06, "Pub 8C key ",
"2.16.840.1.101.3.7.2.9999.111", 2, "\x8C\x06", "\x8C\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8D06, "Pub 8D key ",
"2.16.840.1.101.3.7.2.9999.112", 2, "\x8D\x06", "\x8D\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8E06, "Pub 8E key ",
"2.16.840.1.101.3.7.2.9999.113", 2, "\x8E\x06", "\x8E\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_8F06, "Pub 8F key ",
"2.16.840.1.101.3.7.2.9999.114", 2, "\x8F\x06", "\x8F\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_9006, "Pub 90 key ",
"2.16.840.1.101.3.7.2.9999.115", 2, "\x90\x06", "\x90\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_9106, "Pub 91 key ",
"2.16.840.1.101.3.7.2.9999.116", 2, "\x91\x06", "\x91\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_9206, "Pub 92 key ",
"2.16.840.1.101.3.7.2.9999.117", 2, "\x92\x06", "\x92\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_9306, "Pub 93 key ",
"2.16.840.1.101.3.7.2.9999.118", 2, "\x93\x06", "\x93\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_9406, "Pub 94 key ",
"2.16.840.1.101.3.7.2.9999.119", 2, "\x94\x06", "\x94\x06", PIV_OBJECT_TYPE_PUBKEY},
{ PIV_OBJ_9506, "Pub 95 key ",
"2.16.840.1.101.3.7.2.9999.120", 2, "\x95\x06", "\x95\x06", PIV_OBJECT_TYPE_PUBKEY},
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
{ PIV_OBJ_LAST_ENUM, "", "", 0, "", "", 0}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
};
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
static struct sc_card_operations piv_ops;
static struct sc_card_driver piv_drv = {
PIV: use better long name
2018-01-29 21:14:53 +00:00
"Personal Identity Verification Card",
piv: change driver's short name to 'PIV-II' closes #828
2016-07-19 13:26:32 +00:00
"PIV-II",
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
&piv_ops,
NULL, 0, NULL
};
PIV completely separate piv_match_card from piv_init In order to satisfy some concerns over the use of <card>_match_card and <card>_init, this modification will do that at the cost of additional overhead of repeating some card commands. Hopefully this commit will not be needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-02-28 19:49:14 +00:00
static int piv_match_card_continued(sc_card_t *card);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_find_obj_by_containerid(sc_card_t *card, const u8 * str)
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
{
int i;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_CALLED(card->ctx);
sc_log(card->ctx, "str=0x%02X%02X\n", str[0], str[1]);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
for (i = 0; piv_objects[i].enumtag < PIV_OBJ_LAST_ENUM; i++) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if ( str[0] == piv_objects[i].containerid[0] && str[1] == piv_objects[i].containerid[1])
LOG_FUNC_RETURN(card->ctx, i);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, -1);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/*
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* If ptr == NULL, just return the size of the tag and length and data
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
* otherwise, store tag and length at **ptr, and increment
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static size_t
put_tag_and_len(unsigned int tag, size_t len, u8 **ptr)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
int i;
u8 *p;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (len < 128) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
i = 2;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
} else if (len < 256) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
i = 3;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
} else {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
i = 4;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (ptr) {
p = *ptr;
fix some warnings git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2858 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-23 18:43:14 +00:00
*p++ = (u8)tag;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
switch (i) {
case 2:
*p++ = len;
break;
case 3:
*p++ = 0x81;
*p++ = len;
break;
case 4:
*p++ = 0x82;
*p++ = (u8) (len >> 8);
*p++ = (u8) (len & 0xff);
break;
}
*ptr = p;
} else {
i += len;
}
return i;
}
/*
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* Send a command and receive data. There is always something to send.
* Used by GET DATA, PUT DATA, GENERAL AUTHENTICATE
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
* and GENERATE ASYMMETRIC KEY PAIR.
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* GET DATA may call to get the first 128 bytes to get the length from the tag.
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
*
* A caller may provide a buffer, and length to read. If not provided,
* an internal 4096 byte buffer is used, and a copy is returned to the
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* caller. that need to be freed by the caller.
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
static int piv_general_io(sc_card_t *card, int ins, int p1, int p2,
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
const u8 * sendbuf, size_t sendbuflen, u8 ** recvbuf,
size_t * recvbuflen)
{
int r;
sc_apdu_t apdu;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
u8 rbufinitbuf[4096];
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
u8 *rbuf;
size_t rbuflen;
unsigned int cla_out, tag_out;
const u8 *body;
size_t bodylen;
PIV - read just length of object to get size card-piv.c tries to read the first 8 bytes of an object to get object size so it can allocate a buffer. It then reads the whole object. apdu.c has changed over the years, and apdu.c will keep reading as long as the card returns status of 61 XX thus apdu.c will read the whole object while discarding the extra data and returning to the caller only the first part of the data. This in effect causes a double read of objects. This patch sets SC_APDU_FLAGS_NO_GET_RESP to tell apdu to stop doing the extra get-response commands thus avoiding most of the extra overhead. This in not an optimal patch as it only works with T=1 cards/readers but the patch is confined to just card-piv.c. A better patch is in the works. Fixes #462
2015-05-12 17:59:37 +00:00
int find_len = 0;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
piv_private_data_t * priv = PIV_DATA(card);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"%02x %02x %02x %"SC_FORMAT_LEN_SIZE_T"u : %"SC_FORMAT_LEN_SIZE_T"u %"SC_FORMAT_LEN_SIZE_T"u",
ins, p1, p2, sendbuflen, card->max_send_size,
card->max_recv_size);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
rbuf = rbufinitbuf;
rbuflen = sizeof(rbufinitbuf);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/* if caller provided a buffer and length */
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (recvbuf && *recvbuf && recvbuflen && *recvbuflen) {
rbuf = *recvbuf;
rbuflen = *recvbuflen;
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = sc_lock(card);
if (r != SC_SUCCESS)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
sc_format_apdu(card, &apdu,
recvbuf ? SC_APDU_CASE_4_SHORT: SC_APDU_CASE_3_SHORT,
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
ins, p1, p2);
apdu.flags |= SC_APDU_FLAGS_CHAINING;
PIV - read just length of object to get size card-piv.c tries to read the first 8 bytes of an object to get object size so it can allocate a buffer. It then reads the whole object. apdu.c has changed over the years, and apdu.c will keep reading as long as the card returns status of 61 XX thus apdu.c will read the whole object while discarding the extra data and returning to the caller only the first part of the data. This in effect causes a double read of objects. This patch sets SC_APDU_FLAGS_NO_GET_RESP to tell apdu to stop doing the extra get-response commands thus avoiding most of the extra overhead. This in not an optimal patch as it only works with T=1 cards/readers but the patch is confined to just card-piv.c. A better patch is in the works. Fixes #462
2015-05-12 17:59:37 +00:00
/* if looking for length of object, dont try and read the rest of buffer here */
if (rbuflen == 8 && card->reader->active_protocol == SC_PROTO_T1) {
apdu.flags |= SC_APDU_FLAGS_NO_GET_RESP;
find_len = 1;
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
apdu.lc = sendbuflen;
apdu.datalen = sendbuflen;
apdu.data = sendbuf;
if (recvbuf) {
apdu.resp = rbuf;
Remove max_recv_size checks git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4766 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 18:34:44 +00:00
apdu.le = (rbuflen > 256) ? 256 : rbuflen;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
apdu.resplen = rbuflen;
} else {
apdu.resp = rbuf;
apdu.le = 0;
apdu.resplen = 0;
}
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"calling sc_transmit_apdu flags=%lx le=%"SC_FORMAT_LEN_SIZE_T"u, resplen=%"SC_FORMAT_LEN_SIZE_T"u, resp=%p",
apdu.flags, apdu.le, apdu.resplen, apdu.resp);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* with new adpu.c and chaining, this actually reads the whole object */
r = sc_transmit_apdu(card, &apdu);
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"DEE r=%d apdu.resplen=%"SC_FORMAT_LEN_SIZE_T"u sw1=%02x sw2=%02x",
r, apdu.resplen, apdu.sw1, apdu.sw2);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (r < 0) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Transmit failed");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if (!(find_len && apdu.sw1 == 0x61))
PIV - read just length of object to get size card-piv.c tries to read the first 8 bytes of an object to get object size so it can allocate a buffer. It then reads the whole object. apdu.c has changed over the years, and apdu.c will keep reading as long as the card returns status of 61 XX thus apdu.c will read the whole object while discarding the extra data and returning to the caller only the first part of the data. This in effect causes a double read of objects. This patch sets SC_APDU_FLAGS_NO_GET_RESP to tell apdu to stop doing the extra get-response commands thus avoiding most of the extra overhead. This in not an optimal patch as it only works with T=1 cards/readers but the patch is confined to just card-piv.c. A better patch is in the works. Fixes #462
2015-05-12 17:59:37 +00:00
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
/* TODO: - DEE look later at tag vs size read too */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (r < 0) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Card returned error ");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
goto err;
}
/*
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* See how much we read and make sure it is asn1
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
* if not, return 0 indicating no data found
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
*/
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
rbuflen = 0; /* in case rseplen < 3 i.e. not parseable */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* we may only be using get data to test the security status of the card, so zero length is OK */
if ( recvbuflen && recvbuf && apdu.resplen > 3 && priv->pin_cmd_noparse != 1) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*recvbuflen = 0;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* we should have all the tag data, so we have to tell sc_asn1_find_tag
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
* the buffer is bigger, so it will not produce "ASN1.tag too long!" */
body = rbuf;
fixed handling SC_ASN1_TAG_EOC from sc_asn1_read_tag We can't check for `tag == SC_ASN1_TAG_EOC` directly, because this would also be true for a tag of 0x80 (with `class == SC_ASN1_CLASS_CONSTRUCTED`). So what we do is we check for the output buffer to be NULL! fixes https://github.com/OpenSC/OpenSC/issues/1273
2018-03-19 14:25:14 +00:00
if (sc_asn1_read_tag(&body, 0xffff, &cla_out, &tag_out, &bodylen) != SC_SUCCESS
|| body == NULL) {
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* only early beta cards had this problem */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "***** received buffer tag MISSING ");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
body = rbuf;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* some readers/cards might return 6c 00 */
if (apdu.sw1 == 0x61 || apdu.sw2 == 0x6c )
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
bodylen = 12000;
else
bodylen = apdu.resplen;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
rbuflen = body - rbuf + bodylen;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* if using internal buffer, alloc new one */
if (rbuf == rbufinitbuf) {
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
*recvbuf = malloc(rbuflen);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (*recvbuf == NULL) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
memcpy(*recvbuf, rbuf, rbuflen); /* copy tag too */
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (recvbuflen) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*recvbuflen = rbuflen;
r = *recvbuflen;
}
err:
sc_unlock(card);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
/* Add the PIV-II operations */
/* Should use our own keydata, actually should be common to all cards */
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
/* RSA and EC are added. */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
static int piv_generate_key(sc_card_t *card,
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
sc_cardctl_piv_genkey_info_t *keydata)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
int r;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
u8 *rbuf = NULL;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t rbuflen = 0;
Remove dead code card-piv.c:614:2: warning: Value stored to 'buf_end' is never read buf_end = rp + buf_len; ^ ~~~~~~~~~~~~ card-piv.c:1129:3: warning: Value stored to 'r' is never read r = 0; ^ ~ card-piv.c:1478:2: warning: Value stored to 'q' is never read q = rbuf; ^ ~~~~ card-piv.c:1628:2: warning: Value stored to 'q' is never read q = rbuf; ^ ~~~~ card-piv.c:2456:4: warning: Value stored to 'certobjlen' is never read certobjlen = 0; ^ ~ git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5170 c6295689-39f2-0310-b995-f0e70906c6a9
2011-02-05 21:54:36 +00:00
u8 *p;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 *tag;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
u8 tagbuf[16];
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
u8 outdata[3]; /* we could also add tag 81 for exponent */
size_t taglen, i;
size_t out_len;
size_t in_len;
unsigned int cla_out, tag_out;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
keydata->exponent = 0;
keydata->pubkey = NULL;
keydata->pubkey_len = 0;
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
keydata->ecparam = NULL; /* will show size as we only support 2 curves */
keydata->ecparam_len = 0;
keydata->ecpoint = NULL;
keydata->ecpoint_len = 0;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
out_len = 3;
outdata[0] = 0x80;
outdata[1] = 0x01;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
outdata[2] = keydata->key_algid;
switch (keydata->key_algid) {
case 0x05: keydata->key_bits = 3072; break;
case 0x06: keydata->key_bits = 1024; break;
case 0x07: keydata->key_bits = 2048; break;
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
/* TODO: - DEE For EC, also set the curve parameter as the OID */
case 0x11: keydata->key_bits = 0;
keydata->ecparam =0; /* we only support prime256v1 for 11 */
keydata->ecparam_len =0;
break;
case 0x14: keydata->key_bits = 0;
keydata->ecparam = 0; /* we only support secp384r1 */
keydata->ecparam_len = 0;
break;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
default:
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
p = tagbuf;
put_tag_and_len(0xAC, out_len, &p);
memcpy(p, outdata, out_len);
p+=out_len;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = piv_general_io(card, 0x47, 0x00, keydata->key_num,
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
tagbuf, p - tagbuf, &rbuf, &rbuflen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (r >= 0) {
const u8 *cp;
keydata->exponent = 0;
/* expected tag is 7f49. */
/* we will whatever tag is present */
cp = rbuf;
in_len = rbuflen;
r = sc_asn1_read_tag(&cp, rbuflen, &cla_out, &tag_out, &in_len);
fixed handling SC_ASN1_TAG_EOC from sc_asn1_read_tag We can't check for `tag == SC_ASN1_TAG_EOC` directly, because this would also be true for a tag of 0x80 (with `class == SC_ASN1_CLASS_CONSTRUCTED`). So what we do is we check for the output buffer to be NULL! fixes https://github.com/OpenSC/OpenSC/issues/1273
2018-03-19 14:25:14 +00:00
if (cp == NULL) {
r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (r != SC_SUCCESS) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Tag buffer not found");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/* if RSA vs EC */
if (keydata->key_bits > 0 ) {
tag = sc_asn1_find_tag(card->ctx, cp, in_len, 0x82, &taglen);
if (tag != NULL && taglen <= 4) {
keydata->exponent = 0;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
for (i = 0; i < taglen;i++)
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
keydata->exponent = (keydata->exponent<<8) + tag[i];
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
tag = sc_asn1_find_tag(card->ctx, cp, in_len, 0x81, &taglen);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (tag != NULL && taglen > 0) {
keydata->pubkey = malloc(taglen);
if (keydata->pubkey == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
keydata->pubkey_len = taglen;
memcpy (keydata->pubkey, tag, taglen);
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
else { /* must be EC */
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
tag = sc_asn1_find_tag(card->ctx, cp, in_len, 0x86, &taglen);
if (tag != NULL && taglen > 0) {
keydata->ecpoint = malloc(taglen);
if (keydata->ecpoint == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
keydata->ecpoint_len = taglen;
memcpy (keydata->ecpoint, tag, taglen);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
/* TODO: -DEE Could add key to cache so could use engine to generate key,
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
* and sign req in single operation */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = 0;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
err:
if (rbuf)
free(rbuf);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
static int piv_select_aid(sc_card_t* card, u8* aid, size_t aidlen, u8* response, size_t *responselen)
{
sc_apdu_t apdu;
int r;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_CALLED(card->ctx);
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"Got args: aid=%p, aidlen=%"SC_FORMAT_LEN_SIZE_T"u, response=%p, responselen=%"SC_FORMAT_LEN_SIZE_T"u",
aid, aidlen, response, responselen ? *responselen : 0);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
sc_format_apdu(card, &apdu,
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
response == NULL ? SC_APDU_CASE_3_SHORT : SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);
apdu.lc = aidlen;
apdu.data = aid;
apdu.datalen = aidlen;
apdu.resp = response;
card-piv: 'emulate' MF selection by selection of the PIV applet ... so that, PIV card can be used with the 'opensc-explorer' interactive tool git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5317 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-10 08:47:35 +00:00
apdu.resplen = responselen ? *responselen : 0;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
apdu.le = response == NULL ? 0 : 256; /* could be 21 for fci */
r = sc_transmit_apdu(card, &apdu);
card-piv: 'emulate' MF selection by selection of the PIV applet ... so that, PIV card can be used with the 'opensc-explorer' interactive tool git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5317 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-10 08:47:35 +00:00
if (responselen)
*responselen = apdu.resplen;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_TEST_RET(card->ctx, r, "PIV select failed");
LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* find the PIV AID on the card. If card->type already filled in,
* then look for specific AID only
* Assumes that priv may not be present
*/
static int piv_find_aid(sc_card_t * card, sc_file_t *aid_file)
{
sc_apdu_t apdu;
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
int r,i;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 *tag;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t taglen;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 *pix;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t pixlen;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
size_t resplen = sizeof(rbuf);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
/* first see if the default application will return a template
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* that we know about.
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
r = piv_select_aid(card, piv_aids[0].value, piv_aids[0].len_short, rbuf, &resplen);
if (r >= 0 && resplen > 2 ) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
tag = sc_asn1_find_tag(card->ctx, rbuf, resplen, 0x61, &taglen);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (tag != NULL) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
pix = sc_asn1_find_tag(card->ctx, tag, taglen, 0x4F, &pixlen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (pix != NULL ) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "found PIX");
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Douglas E. Engert wrote: The attached change to card-piv.c is need to recognize a valid PIV card applet. All of the previous test cards would return in response to a SELECT the full AID where as they should have returned the the PIX portion of the AID. The newest test cards are now doing this correctly. This change will recognize either as a PIV applet. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2885 c6295689-39f2-0310-b995-f0e70906c6a9
2006-04-11 20:50:13 +00:00
/* early cards returned full AID, rather then just the pix */
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
for (i = 0; piv_aids[i].len_long != 0; i++) {
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if ((pixlen >= 6 && memcmp(pix, piv_aids[i].value + 5,
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
piv_aids[i].len_long - 5 ) == 0)
Douglas E. Engert wrote: The attached change to card-piv.c is need to recognize a valid PIV card applet. All of the previous test cards would return in response to a SELECT the full AID where as they should have returned the the PIX portion of the AID. The newest test cards are now doing this correctly. This change will recognize either as a PIV applet. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2885 c6295689-39f2-0310-b995-f0e70906c6a9
2006-04-11 20:50:13 +00:00
|| ((pixlen >= piv_aids[i].len_short &&
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
memcmp(pix, piv_aids[i].value,
Douglas E. Engert wrote: The attached change to card-piv.c is need to recognize a valid PIV card applet. All of the previous test cards would return in response to a SELECT the full AID where as they should have returned the the PIX portion of the AID. The newest test cards are now doing this correctly. This change will recognize either as a PIV applet. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2885 c6295689-39f2-0310-b995-f0e70906c6a9
2006-04-11 20:50:13 +00:00
piv_aids[i].len_short) == 0))) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (card->type > SC_CARD_TYPE_PIV_II_BASE &&
card->type < SC_CARD_TYPE_PIV_II_BASE+1000 &&
card->type == piv_aids[i].enumtag) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, i);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
} else {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, i);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
}
}
}
}
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* for testing, we can force the use of a specific AID
* by using the card= parameter in conf file
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
for (i = 0; piv_aids[i].len_long != 0; i++) {
if (card->type > SC_CARD_TYPE_PIV_II_BASE &&
card->type < SC_CARD_TYPE_PIV_II_BASE+1000 &&
card->type != piv_aids[i].enumtag) {
continue;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);
apdu.lc = piv_aids[i].len_long;
apdu.data = piv_aids[i].value;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
apdu.datalen = apdu.lc;
apdu.resp = rbuf;
apdu.resplen = sizeof(rbuf);
apdu.le = 256;
r = sc_transmit_apdu(card, &apdu);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
if (r) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if (card->type != 0 && card->type == piv_aids[i].enumtag)
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
LOG_FUNC_RETURN(card->ctx, (r < 0)? r: i);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
continue;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if ( apdu.resplen == 0 && r == 0) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* could be the MSU card */
continue; /* other cards will return a FCI */
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (apdu.resp[0] != 0x6f || apdu.resp[1] > apdu.resplen - 2 )
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NO_CARD_SUPPORT);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
card->ops->process_fci(card, aid_file, apdu.resp+2, apdu.resp[1]);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, i);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_NO_CARD_SUPPORT);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/*
* Read a DER encoded object from a file. Allocate and return the buf.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* Used to read the file defined in offCardCertURL from a cache.
* Also used for testing of History and Discovery objects from a file
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* when testing with a card that does not support these new objects.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
*/
static int piv_read_obj_from_file(sc_card_t * card, char * filename,
u8 **buf, size_t *buf_len)
{
int r;
int f = -1;
size_t len;
u8 tagbuf[16];
size_t rbuflen;
const u8 * body;
unsigned int cla_out, tag_out;
size_t bodylen;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
*buf = NULL;
*buf_len = 0;
f = open(filename, O_RDONLY);
if (f < 0) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Unable to load PIV off card file: \"%s\"",filename);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = SC_ERROR_FILE_NOT_FOUND;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
goto err;
}
void issues with ssize_t See r5135 and r5195 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5207 c6295689-39f2-0310-b995-f0e70906c6a9
2011-02-17 14:50:33 +00:00
len = read(f, tagbuf, sizeof(tagbuf)); /* get tag and length */
if (len < 2 || len > sizeof(tagbuf)) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Problem with \"%s\"",filename);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_DATA_OBJECT_NOT_FOUND;
goto err;
}
body = tagbuf;
fixed handling SC_ASN1_TAG_EOC from sc_asn1_read_tag We can't check for `tag == SC_ASN1_TAG_EOC` directly, because this would also be true for a tag of 0x80 (with `class == SC_ASN1_CLASS_CONSTRUCTED`). So what we do is we check for the output buffer to be NULL! fixes https://github.com/OpenSC/OpenSC/issues/1273
2018-03-19 14:25:14 +00:00
if (sc_asn1_read_tag(&body, 0xfffff, &cla_out, &tag_out, &bodylen) != SC_SUCCESS
|| body == NULL) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "DER problem");
r = SC_ERROR_INVALID_ASN1_OBJECT;
goto err;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
rbuflen = body - tagbuf + bodylen;
*buf = malloc(rbuflen);
if (!*buf) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
memcpy(*buf, tagbuf, len); /* copy first or only part */
if (rbuflen > len) {
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
len = read(f, *buf + sizeof(tagbuf), rbuflen - sizeof(tagbuf)); /* read rest */
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (len != rbuflen - sizeof(tagbuf)) {
r = SC_ERROR_INVALID_ASN1_OBJECT;
free (*buf);
*buf = NULL;
goto err;
}
}
r = rbuflen;
*buf_len = rbuflen;
err:
if (f >= 0)
close(f);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* the tag is the PIV_OBJ_* */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_get_data(sc_card_t * card, int enumtag, u8 **buf, size_t *buf_len)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
u8 *p;
int r = 0;
u8 tagbuf[8];
fix some warnings git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2858 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-23 18:43:14 +00:00
size_t tag_len;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "#%d", enumtag);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
sc_lock(card); /* do check len and get data in same transaction */
style: // -> /* */ git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4412 c6295689-39f2-0310-b995-f0e70906c6a9
2010-06-11 07:35:45 +00:00
/* assert(enumtag >= 0 && enumtag < PIV_OBJ_LAST_ENUM); */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
tag_len = piv_objects[enumtag].tag_len;
p = tagbuf;
put_tag_and_len(0x5c, tag_len, &p);
memcpy(p, piv_objects[enumtag].tag_value, tag_len);
p += tag_len;
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
if (*buf_len == 1 && *buf == NULL) { /* we need to get the length */
u8 rbufinitbuf[8]; /* tag of 53 with 82 xx xx will fit in 4 */
u8 *rbuf;
size_t rbuflen;
size_t bodylen;
unsigned int cla_out, tag_out;
const u8 *body;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "get len of #%d", enumtag);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
rbuf = rbufinitbuf;
rbuflen = sizeof(rbufinitbuf);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = piv_general_io(card, 0xCB, 0x3F, 0xFF, tagbuf, p - tagbuf, &rbuf, &rbuflen);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
if (r > 0) {
body = rbuf;
fixed handling SC_ASN1_TAG_EOC from sc_asn1_read_tag We can't check for `tag == SC_ASN1_TAG_EOC` directly, because this would also be true for a tag of 0x80 (with `class == SC_ASN1_CLASS_CONSTRUCTED`). So what we do is we check for the output buffer to be NULL! fixes https://github.com/OpenSC/OpenSC/issues/1273
2018-03-19 14:25:14 +00:00
if (sc_asn1_read_tag(&body, 0xffff, &cla_out, &tag_out, &bodylen) != SC_SUCCESS
|| body == NULL) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "***** received buffer tag MISSING ");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_FILE_NOT_FOUND;
goto err;
}
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
*buf_len = r;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
} else if ( r == 0 ) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_FILE_NOT_FOUND;
goto err;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
} else {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
goto err;
}
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"buffer for #%d *buf=0x%p len=%"SC_FORMAT_LEN_SIZE_T"u",
enumtag, *buf, *buf_len);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
if (*buf == NULL && *buf_len > 0) {
Do not cast the return value of malloc(3) and calloc(3) From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety " Casting and type safety malloc returns a void pointer (void *), which indicates that it is a pointer to a region of unknown data type. One may "cast" (see type conversion) this pointer to a specific type, as in int *ptr = (int*)malloc(10 * sizeof (int)); When using C, this is considered bad practice; it is redundant under the C standard. Moreover, putting in a cast may mask failure to include the header stdlib.h, in which the prototype for malloc is found. In the absence of a prototype for malloc, the C compiler will assume that malloc returns an int, and will issue a warning in a context such as the above, provided the error is not masked by a cast. On certain architectures and data models (such as LP64 on 64 bit systems, where long and pointers are 64 bit and int is 32 bit), this error can actually result in undefined behavior, as the implicitly declared malloc returns a 32 bit value whereas the actually defined function returns a 64 bit value. Depending on calling conventions and memory layout, this may result in stack smashing. The returned pointer need not be explicitly cast to a more specific pointer type, since ANSI C defines an implicit conversion between the void pointer type and other pointers to objects. An explicit cast of malloc's return value is sometimes performed because malloc originally returned a char *, but this cast is unnecessary in standard C code.[4][5] Omitting the cast, however, creates an incompatibility with C++, which does require it. The lack of a specific pointer type returned from malloc is type-unsafe behaviour: malloc allocates based on byte count but not on type. This distinguishes it from the C++ new operator that returns a pointer whose type relies on the operand. (see C Type Safety). " See also http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
*buf = malloc(*buf_len);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
if (*buf == NULL ) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = piv_general_io(card, 0xCB, 0x3F, 0xFF, tagbuf, p - tagbuf, buf, buf_len);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
err:
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
sc_unlock(card);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_get_cached_data(sc_card_t * card, int enumtag, u8 **buf, size_t *buf_len)
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
{
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv_private_data_t * priv = PIV_DATA(card);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
int r;
u8 *rbuf = NULL;
size_t rbuflen;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "#%d", enumtag);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
assert(enumtag >= 0 && enumtag < PIV_OBJ_LAST_ENUM);
/* see if we have it cached */
if (priv->obj_cache[enumtag].flags & PIV_OBJ_CACHE_VALID) {
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"found #%d %p:%"SC_FORMAT_LEN_SIZE_T"u %p:%"SC_FORMAT_LEN_SIZE_T"u",
enumtag,
priv->obj_cache[enumtag].obj_data,
priv->obj_cache[enumtag].obj_len,
priv->obj_cache[enumtag].internal_obj_data,
priv->obj_cache[enumtag].internal_obj_len);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (priv->obj_cache[enumtag].obj_len == 0) {
r = SC_ERROR_FILE_NOT_FOUND;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "#%d found but len=0", enumtag);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
goto err;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
*buf = priv->obj_cache[enumtag].obj_data;
*buf_len = priv->obj_cache[enumtag].obj_len;
r = *buf_len;
goto ok;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/*
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* If we know it can not be on the card i.e. History object
* has been read, and we know what other certs may or
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* may not be on the card. We can avoid extra overhead
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
*/
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (priv->obj_cache[enumtag].flags & PIV_OBJ_CACHE_NOT_PRESENT) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "no_obj #%d", enumtag);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_FILE_NOT_FOUND;
goto err;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* Not cached, try to get it, piv_get_data will allocate a buf */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "get #%d", enumtag);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
rbuflen = 1;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
r = piv_get_data(card, enumtag, &rbuf, &rbuflen);
if (r > 0) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
priv->obj_cache[enumtag].flags |= PIV_OBJ_CACHE_VALID;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
priv->obj_cache[enumtag].obj_len = r;
priv->obj_cache[enumtag].obj_data = rbuf;
*buf = rbuf;
*buf_len = r;
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"added #%d %p:%"SC_FORMAT_LEN_SIZE_T"u %p:%"SC_FORMAT_LEN_SIZE_T"u",
enumtag,
priv->obj_cache[enumtag].obj_data,
priv->obj_cache[enumtag].obj_len,
priv->obj_cache[enumtag].internal_obj_data,
priv->obj_cache[enumtag].internal_obj_len);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
} else if (r == 0 || r == SC_ERROR_FILE_NOT_FOUND) {
r = SC_ERROR_FILE_NOT_FOUND;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
priv->obj_cache[enumtag].flags |= PIV_OBJ_CACHE_VALID;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
priv->obj_cache[enumtag].obj_len = 0;
} else if ( r < 0) {
goto err;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
ok:
err:
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_cache_internal_data(sc_card_t *card, int enumtag)
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
{
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv_private_data_t * priv = PIV_DATA(card);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8* tag;
const u8* body;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
size_t taglen;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
size_t bodylen;
int compressed = 0;
/* if already cached */
if (priv->obj_cache[enumtag].internal_obj_data && priv->obj_cache[enumtag].internal_obj_len) {
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"#%d found internal %p:%"SC_FORMAT_LEN_SIZE_T"u",
enumtag,
priv->obj_cache[enumtag].internal_obj_data,
priv->obj_cache[enumtag].internal_obj_len);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
body = sc_asn1_find_tag(card->ctx,
priv->obj_cache[enumtag].obj_data,
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
priv->obj_cache[enumtag].obj_len,
0x53, &bodylen);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (body == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* get the certificate out */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (piv_objects[enumtag].flags & PIV_OBJECT_TYPE_CERT) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
tag = sc_asn1_find_tag(card->ctx, body, bodylen, 0x71, &taglen);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* 800-72-1 not clear if this is 80 or 01 Sent comment to NIST for 800-72-2 */
Use correct bit when writing PIV certificate object with gzipped certificate NIST 800-73 clarified the CertInfo flag for gzipped certificate is 0x01 piv-tool was writting 0x80. OpenSC card-piv.c continues to accept both.
2014-11-08 01:49:36 +00:00
/* 800-73-3 says it is 01, keep dual test so old cards still work */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if (tag && (((*tag) & 0x80) || ((*tag) & 0x01)))
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
compressed = 1;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
tag = sc_asn1_find_tag(card->ctx, body, bodylen, 0x70, &taglen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (tag == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (taglen == 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if(compressed) {
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
#ifdef ENABLE_ZLIB
size_t len;
u8* newBuf = NULL;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if(SC_SUCCESS != sc_decompress_alloc(&newBuf, &len, tag, taglen, COMPRESSION_AUTO))
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
priv->obj_cache[enumtag].internal_obj_data = newBuf;
priv->obj_cache[enumtag].internal_obj_len = len;
#else
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "PIV compression not supported, no zlib");
LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
#endif
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
else {
Do not cast the return value of malloc(3) and calloc(3) From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety " Casting and type safety malloc returns a void pointer (void *), which indicates that it is a pointer to a region of unknown data type. One may "cast" (see type conversion) this pointer to a specific type, as in int *ptr = (int*)malloc(10 * sizeof (int)); When using C, this is considered bad practice; it is redundant under the C standard. Moreover, putting in a cast may mask failure to include the header stdlib.h, in which the prototype for malloc is found. In the absence of a prototype for malloc, the C compiler will assume that malloc returns an int, and will issue a warning in a context such as the above, provided the error is not masked by a cast. On certain architectures and data models (such as LP64 on 64 bit systems, where long and pointers are 64 bit and int is 32 bit), this error can actually result in undefined behavior, as the implicitly declared malloc returns a 32 bit value whereas the actually defined function returns a 64 bit value. Depending on calling conventions and memory layout, this may result in stack smashing. The returned pointer need not be explicitly cast to a more specific pointer type, since ANSI C defines an implicit conversion between the void pointer type and other pointers to objects. An explicit cast of malloc's return value is sometimes performed because malloc originally returned a char *, but this cast is unnecessary in standard C code.[4][5] Omitting the cast, however, creates an incompatibility with C++, which does require it. The lack of a specific pointer type returned from malloc is type-unsafe behaviour: malloc allocates based on byte count but not on type. This distinguishes it from the C++ new operator that returns a pointer whose type relies on the operand. (see C Type Safety). " See also http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
if (!(priv->obj_cache[enumtag].internal_obj_data = malloc(taglen)))
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
memcpy(priv->obj_cache[enumtag].internal_obj_data, tag, taglen);
priv->obj_cache[enumtag].internal_obj_len = taglen;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* convert pub key to internal */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* TODO: -DEE need to fix ... would only be used if we cache the pub key, but we don't today */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
else if (piv_objects[enumtag].flags & PIV_OBJECT_TYPE_PUBKEY) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
tag = sc_asn1_find_tag(card->ctx, body, bodylen, *body, &taglen);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (tag == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (taglen == 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
Do not cast the return value of malloc(3) and calloc(3) From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety " Casting and type safety malloc returns a void pointer (void *), which indicates that it is a pointer to a region of unknown data type. One may "cast" (see type conversion) this pointer to a specific type, as in int *ptr = (int*)malloc(10 * sizeof (int)); When using C, this is considered bad practice; it is redundant under the C standard. Moreover, putting in a cast may mask failure to include the header stdlib.h, in which the prototype for malloc is found. In the absence of a prototype for malloc, the C compiler will assume that malloc returns an int, and will issue a warning in a context such as the above, provided the error is not masked by a cast. On certain architectures and data models (such as LP64 on 64 bit systems, where long and pointers are 64 bit and int is 32 bit), this error can actually result in undefined behavior, as the implicitly declared malloc returns a 32 bit value whereas the actually defined function returns a 64 bit value. Depending on calling conventions and memory layout, this may result in stack smashing. The returned pointer need not be explicitly cast to a more specific pointer type, since ANSI C defines an implicit conversion between the void pointer type and other pointers to objects. An explicit cast of malloc's return value is sometimes performed because malloc originally returned a char *, but this cast is unnecessary in standard C code.[4][5] Omitting the cast, however, creates an incompatibility with C++, which does require it. The lack of a specific pointer type returned from malloc is type-unsafe behaviour: malloc allocates based on byte count but not on type. This distinguishes it from the C++ new operator that returns a pointer whose type relies on the operand. (see C Type Safety). " See also http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
if (!(priv->obj_cache[enumtag].internal_obj_data = malloc(taglen)))
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
memcpy(priv->obj_cache[enumtag].internal_obj_data, tag, taglen);
priv->obj_cache[enumtag].internal_obj_len = taglen;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
else {
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx, "added #%d internal %p:%"SC_FORMAT_LEN_SIZE_T"u",
enumtag,
priv->obj_cache[enumtag].internal_obj_data,
priv->obj_cache[enumtag].internal_obj_len);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/*
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
* Callers of this may be expecting a certificate,
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* select file will have saved the object type for us
* as well as set that we want the cert from the object.
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_read_binary(sc_card_t *card, unsigned int idx, unsigned char *buf, size_t count, unsigned long flags)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv_private_data_t * priv = PIV_DATA(card);
int enumtag;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
int r;
u8 *rbuf = NULL;
size_t rbuflen = 0;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 *body;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t bodylen;
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (priv->selected_obj < 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
enumtag = piv_objects[priv->selected_obj].enumtag;
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
if (priv->rwb_state == -1) {
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
r = piv_get_cached_data(card, enumtag, &rbuf, &rbuflen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (r >=0) {
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
/* an object with no data will be considered not found */
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/* Discovery tag = 0x73, all others are 0x53 */
if (!rbuf || rbuf[0] == 0x00 || ((rbuf[0]&0xDF) == 0x53 && rbuf[1] == 0x00)) {
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
r = SC_ERROR_FILE_NOT_FOUND;
goto err;
}
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"DEE rbuf=%p,rbuflen=%"SC_FORMAT_LEN_SIZE_T"u,",
rbuf, rbuflen);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
body = sc_asn1_find_tag(card->ctx, rbuf, rbuflen, rbuf[0], &bodylen);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (body == NULL) {
/* if missing, assume its the body */
/* DEE bug in the beta card */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, " ***** tag 0x53 MISSING");
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
}
if (bodylen > body - rbuf + rbuflen) {
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
" ***** tag length > then data: %"SC_FORMAT_LEN_SIZE_T"u>%"SC_FORMAT_LEN_PTRDIFF_T"u+%"SC_FORMAT_LEN_SIZE_T"u",
bodylen, body - rbuf, rbuflen);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
}
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
/* if cached obj has internal interesting data (cert or pub key) */
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (priv->return_only_cert || piv_objects[enumtag].flags & PIV_OBJECT_TYPE_PUBKEY) {
r = piv_cache_internal_data(card, enumtag);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (r < 0)
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
priv->rwb_state = 0;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
}
if (priv->return_only_cert || piv_objects[enumtag].flags & PIV_OBJECT_TYPE_PUBKEY) {
rbuf = priv->obj_cache[enumtag].internal_obj_data;
rbuflen = priv->obj_cache[enumtag].internal_obj_len;
} else {
rbuf = priv->obj_cache[enumtag].obj_data;
rbuflen = priv->obj_cache[enumtag].obj_len;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* rbuf rbuflen has pointer and length to cached data */
if ( rbuflen < idx + count)
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
count = rbuflen - idx;
Fix indentation for readability
2015-09-18 00:03:44 +00:00
if (count <= 0) {
r = 0;
priv->rwb_state = 1;
} else {
memcpy(buf, rbuf + idx, count);
r = count;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
Douglas E. Engert wrote: The attached change to card-piv.c is need to recognize a valid PIV card applet. All of the previous test cards would return in response to a SELECT the full AID where as they should have returned the the PIX portion of the AID. The newest test cards are now doing this correctly. This change will recognize either as a PIV applet. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2885 c6295689-39f2-0310-b995-f0e70906c6a9
2006-04-11 20:50:13 +00:00
err:
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/*
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* the tag is the PIV_OBJ_*
* The buf should have the 0x53 tag+len+tags and data
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_put_data(sc_card_t *card, int tag, const u8 *buf, size_t buf_len)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
int r;
u8 * sbuf;
size_t sbuflen;
u8 * p;
fix some warnings git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2858 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-23 18:43:14 +00:00
size_t tag_len;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
tag_len = piv_objects[tag].tag_len;
sbuflen = put_tag_and_len(0x5c, tag_len, NULL) + buf_len;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (!(sbuf = malloc(sbuflen)))
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
p = sbuf;
put_tag_and_len(0x5c, tag_len, &p);
memcpy(p, piv_objects[tag].tag_value, tag_len);
p += tag_len;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
memcpy(p, buf, buf_len);
p += buf_len;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = piv_general_io(card, 0xDB, 0x3F, 0xFF, sbuf, p - sbuf, NULL, NULL);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (sbuf)
free(sbuf);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_write_certificate(sc_card_t *card, const u8* buf, size_t count, unsigned long flags)
{
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv_private_data_t * priv = PIV_DATA(card);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
int enumtag;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
int r = SC_SUCCESS;
u8 *sbuf = NULL;
u8 *p;
size_t sbuflen;
size_t taglen;
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx, "DEE cert len=%"SC_FORMAT_LEN_SIZE_T"u", count);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
taglen = put_tag_and_len(0x70, count, NULL)
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
+ put_tag_and_len(0x71, 1, NULL)
+ put_tag_and_len(0xFE, 0, NULL);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
sbuflen = put_tag_and_len(0x53, taglen, NULL);
Do not cast the return value of malloc(3) and calloc(3) From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety " Casting and type safety malloc returns a void pointer (void *), which indicates that it is a pointer to a region of unknown data type. One may "cast" (see type conversion) this pointer to a specific type, as in int *ptr = (int*)malloc(10 * sizeof (int)); When using C, this is considered bad practice; it is redundant under the C standard. Moreover, putting in a cast may mask failure to include the header stdlib.h, in which the prototype for malloc is found. In the absence of a prototype for malloc, the C compiler will assume that malloc returns an int, and will issue a warning in a context such as the above, provided the error is not masked by a cast. On certain architectures and data models (such as LP64 on 64 bit systems, where long and pointers are 64 bit and int is 32 bit), this error can actually result in undefined behavior, as the implicitly declared malloc returns a 32 bit value whereas the actually defined function returns a 64 bit value. Depending on calling conventions and memory layout, this may result in stack smashing. The returned pointer need not be explicitly cast to a more specific pointer type, since ANSI C defines an implicit conversion between the void pointer type and other pointers to objects. An explicit cast of malloc's return value is sometimes performed because malloc originally returned a char *, but this cast is unnecessary in standard C code.[4][5] Omitting the cast, however, creates an incompatibility with C++, which does require it. The lack of a specific pointer type returned from malloc is type-unsafe behaviour: malloc allocates based on byte count but not on type. This distinguishes it from the C++ new operator that returns a pointer whose type relies on the operand. (see C Type Safety). " See also http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
sbuf = malloc(sbuflen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (sbuf == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
p = sbuf;
put_tag_and_len(0x53, taglen, &p);
put_tag_and_len(0x70, count, &p);
memcpy(p, buf, count);
p += count;
put_tag_and_len(0x71, 1, &p);
Use correct bit when writing PIV certificate object with gzipped certificate NIST 800-73 clarified the CertInfo flag for gzipped certificate is 0x01 piv-tool was writting 0x80. OpenSC card-piv.c continues to accept both.
2014-11-08 01:49:36 +00:00
/* Use 01 as per NIST 800-73-3 */
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
*p++ = (flags)? 0x01:0x00; /* certinfo, i.e. gzipped? */
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
put_tag_and_len(0xFE,0,&p); /* LRC tag */
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx, "DEE buf %p len %"SC_FORMAT_LEN_PTRDIFF_T"u %"SC_FORMAT_LEN_SIZE_T"u",
sbuf, p - sbuf, sbuflen);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
enumtag = piv_objects[priv->selected_obj].enumtag;
r = piv_put_data(card, enumtag, sbuf, sbuflen);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
if (sbuf)
free(sbuf);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/*
* For certs we need to add the 0x53 tag and other specific tags,
* and call the piv_put_data
* Note: the select file will have saved the object type for us
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
* Write is used by piv-tool, so we will use flags:
* length << 8 | 8bits:
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* object xxxx0000
* uncompressed cert xxx00001
* compressed cert xxx10001
* pubkey xxxx0010
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
*
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
* to indicate we are writing a cert and if is compressed
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* or if we are writing a pubkey in to the cache.
* if its not a cert or pubkey its an object.
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
*
* Therefore when idx=0, we will get the length of the object
* and allocate a buffer, so we can support partial writes.
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* When the last chuck of the data is sent, we will write it.
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
static int piv_write_binary(sc_card_t *card, unsigned int idx,
const u8 *buf, size_t count, unsigned long flags)
{
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv_private_data_t * priv = PIV_DATA(card);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
int r;
int enumtag;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_CALLED(card->ctx);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (priv->selected_obj < 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
enumtag = piv_objects[priv->selected_obj].enumtag;
if (priv->rwb_state == 1) /* trying to write at end */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
if (priv->rwb_state == -1) {
/* if cached, remove old entry */
if (priv->obj_cache[enumtag].flags & PIV_OBJ_CACHE_VALID) {
priv->obj_cache[enumtag].flags = 0;
if (priv->obj_cache[enumtag].obj_data) {
free(priv->obj_cache[enumtag].obj_data);
priv->obj_cache[enumtag].obj_data = NULL;
priv->obj_cache[enumtag].obj_len = 0;
}
if (priv->obj_cache[enumtag].internal_obj_data) {
free(priv->obj_cache[enumtag].internal_obj_data);
priv->obj_cache[enumtag].internal_obj_data = NULL;
priv->obj_cache[enumtag].internal_obj_len = 0;
}
}
if (idx != 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_NO_CARD_SUPPORT);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
priv->w_buf_len = flags>>8;
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
if (priv->w_buf_len == 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
Do not cast the return value of malloc(3) and calloc(3) From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety " Casting and type safety malloc returns a void pointer (void *), which indicates that it is a pointer to a region of unknown data type. One may "cast" (see type conversion) this pointer to a specific type, as in int *ptr = (int*)malloc(10 * sizeof (int)); When using C, this is considered bad practice; it is redundant under the C standard. Moreover, putting in a cast may mask failure to include the header stdlib.h, in which the prototype for malloc is found. In the absence of a prototype for malloc, the C compiler will assume that malloc returns an int, and will issue a warning in a context such as the above, provided the error is not masked by a cast. On certain architectures and data models (such as LP64 on 64 bit systems, where long and pointers are 64 bit and int is 32 bit), this error can actually result in undefined behavior, as the implicitly declared malloc returns a 32 bit value whereas the actually defined function returns a 64 bit value. Depending on calling conventions and memory layout, this may result in stack smashing. The returned pointer need not be explicitly cast to a more specific pointer type, since ANSI C defines an implicit conversion between the void pointer type and other pointers to objects. An explicit cast of malloc's return value is sometimes performed because malloc originally returned a char *, but this cast is unnecessary in standard C code.[4][5] Omitting the cast, however, creates an incompatibility with C++, which does require it. The lack of a specific pointer type returned from malloc is type-unsafe behaviour: malloc allocates based on byte count but not on type. This distinguishes it from the C++ new operator that returns a pointer whose type relies on the operand. (see C Type Safety). " See also http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
priv->w_buf = malloc(priv->w_buf_len);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
priv-> rwb_state = 0;
}
/* on each pass make sure we have w_buf */
if (priv->w_buf == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
if (idx + count > priv->w_buf_len)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
memcpy(priv->w_buf + idx, buf, count); /* copy one chunk */
/* if this was not the last chunk, return to get rest */
if (idx + count < priv->w_buf_len)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, count);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
priv-> rwb_state = 1; /* at end of object */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
switch (flags & 0x0f) {
case 1:
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = piv_write_certificate(card, priv->w_buf, priv->w_buf_len, flags & 0x10);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
break;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
case 2: /* pubkey to be added to cache, it should have 0x53 and 0x99 tags. */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
/* TODO: -DEE this is not fully implemented and not used */
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
r = priv->w_buf_len;
break;
default:
r = piv_put_data(card, enumtag, priv->w_buf, priv->w_buf_len);
break;
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
}
/* if it worked, will cache it */
if (r >= 0 && priv->w_buf) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
priv->obj_cache[enumtag].flags |= PIV_OBJ_CACHE_VALID;
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
priv->obj_cache[enumtag].obj_data = priv->w_buf;
priv->obj_cache[enumtag].obj_len = priv->w_buf_len;
} else {
if (priv->w_buf)
free(priv->w_buf);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
priv->w_buf = NULL;
priv->w_buf_len = 0;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, (r < 0)? r : (int)count);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
/*
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
* Card initialization is NOT standard.
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* Some cards use mutual or external authentication using 3des or aes key. We
* will read in the key from a file either binary or hex encoded.
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* This is only needed during initialization/personalization of the card
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
#ifdef ENABLE_OPENSSL
static const EVP_CIPHER *get_cipher_for_algo(int alg_id)
{
switch (alg_id) {
case 0x0: return EVP_des_ede3_ecb();
case 0x1: return EVP_des_ede3_ecb(); /* 2TDES */
case 0x3: return EVP_des_ede3_ecb();
case 0x8: return EVP_aes_128_ecb();
case 0xA: return EVP_aes_192_ecb();
case 0xC: return EVP_aes_256_ecb();
default: return NULL;
}
}
static int get_keylen(unsigned int alg_id, size_t *size)
{
switch(alg_id) {
case 0x01: *size = 192/8; /* 2TDES still has 3 single des keys phase out by 12/31/2010 */
break;
case 0x00:
case 0x03: *size = 192/8;
break;
case 0x08: *size = 128/8;
break;
case 0x0A: *size = 192/8;
break;
case 0x0C: *size = 256/8;
break;
default:
return SC_ERROR_INVALID_ARGUMENTS;
}
return SC_SUCCESS;
}
static int piv_get_key(sc_card_t *card, unsigned int alg_id, u8 **key, size_t *len)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
int r;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
size_t fsize;
FILE *f = NULL;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
char * keyfilename = NULL;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
size_t expected_keylen;
size_t keylen;
u8 * keybuf = NULL;
u8 * tkey = NULL;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
keyfilename = (char *)getenv("PIV_EXT_AUTH_KEY");
if (keyfilename == NULL) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx,
"Unable to get PIV_EXT_AUTH_KEY=(null) for general_external_authenticate");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_FILE_NOT_FOUND;
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
r = get_keylen(alg_id, &expected_keylen);
if(r) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid cipher selector, none found for: %02x", alg_id);
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
f = fopen(keyfilename, "rb");
if (!f) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, " Unable to load key from file\n");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_FILE_NOT_FOUND;
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
Checks on errors for ftell and fseek
2015-09-17 18:40:02 +00:00
if (0 > fseek(f, 0L, SEEK_END))
r = SC_ERROR_INTERNAL;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
fsize = ftell(f);
Checks on errors for ftell and fseek
2015-09-17 18:40:02 +00:00
if (0 > (long) fsize)
r = SC_ERROR_INTERNAL;
if (0 > fseek(f, 0L, SEEK_SET))
r = SC_ERROR_INTERNAL;
if(r) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not read %s\n", keyfilename);
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
keybuf = malloc(fsize+1); /* if not binary, need null to make it a string */
if (!keybuf) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, " Unable to allocate key memory");
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
keybuf[fsize] = 0x00; /* in case it is text need null */
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
if (fread(keybuf, 1, fsize, f) != fsize) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, " Unable to read key\n");
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = SC_ERROR_WRONG_LENGTH;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
tkey = malloc(expected_keylen);
if (!tkey) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, " Unable to allocate key memory");
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
if (fsize == expected_keylen) { /* it must be binary */
memcpy(tkey, keybuf, expected_keylen);
} else {
/* if the key-length is larger then binary length, we assume hex encoded */
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Treating key as hex-encoded!\n");
sc_right_trim(keybuf, fsize);
keylen = expected_keylen;
r = sc_hex_to_bin((char *)keybuf, tkey, &keylen);
if (keylen !=expected_keylen || r != 0 ) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Error formatting key\n");
if (r == 0)
r = SC_ERROR_INCOMPATIBLE_KEY;
goto err;
}
}
*key = tkey;
tkey = NULL;
*len = expected_keylen;
r = SC_SUCCESS;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
err:
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
if (f)
fclose(f);
if (keybuf) {
free(keybuf);
}
if (tkey) {
free(tkey);
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
return r;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Fixes warnings about unused variables/functions
2015-09-17 19:50:19 +00:00
#endif
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/*
* will only deal with 3des for now
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
* assumptions include:
* size of encrypted data is same as unencrypted
* challenges, nonces etc from card are less then 114 (keeps tags simple)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
static int piv_general_mutual_authenticate(sc_card_t *card,
fix some warnings git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2858 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-23 18:43:14 +00:00
unsigned int key_ref, unsigned int alg_id)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
int r;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#ifdef ENABLE_OPENSSL
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
int N;
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
int locked = 0;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
u8 *rbuf = NULL;
size_t rbuflen;
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
u8 *nonce = NULL;
size_t nonce_len;
u8 *p;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
u8 *key = NULL;
size_t keylen;
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
u8 *plain_text = NULL;
size_t plain_text_len = 0;
u8 *tmp;
size_t tmplen, tmplen2;
u8 *built = NULL;
size_t built_len;
const u8 *body = NULL;
size_t body_len;
const u8 *witness_data = NULL;
size_t witness_len;
const u8 *challenge_response = NULL;
size_t challenge_response_len;
u8 *decrypted_reponse = NULL;
size_t decrypted_reponse_len;
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
EVP_CIPHER_CTX * ctx = NULL;
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
u8 sbuf[255];
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
const EVP_CIPHER *cipher;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
cipher = get_cipher_for_algo(alg_id);
if(!cipher) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid cipher selector, none found for: %02x\n", alg_id);
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
r = piv_get_key(card, alg_id, &key, &keylen);
if (r) {
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Error getting General Auth key\n");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
goto err;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = sc_lock(card);
Add brackets in card-piv.c
2015-02-16 16:43:19 +00:00
if (r != SC_SUCCESS) {
Fix-up changes caused by Coverity scan piv-tool.c add /* fall through */ to avoif false warning card-piv.c - clean up if sc_lock fails.
2015-02-11 19:39:59 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "sc_lock failed\n");
goto err; /* cleanup */
Add brackets in card-piv.c
2015-02-16 16:43:19 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
locked = 1;
p = sbuf;
*p++ = 0x7C;
*p++ = 0x02;
*p++ = 0x80;
*p++ = 0x00;
/* get the encrypted nonce */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = piv_general_io(card, 0x87, alg_id, key_ref, sbuf, p - sbuf, &rbuf, &rbuflen);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (r < 0) goto err;
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
/* Remove the encompassing outer TLV of 0x7C and get the data */
body = sc_asn1_find_tag(card->ctx, rbuf,
r, 0x7C, &body_len);
if (!body) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid Witness Data response of NULL\n");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
}
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
/* Get the witness data indicated by the TAG 0x80 */
witness_data = sc_asn1_find_tag(card->ctx, body,
body_len, 0x80, &witness_len);
if (!witness_len) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid Challenge Data none found in TLV\n");
r = SC_ERROR_INVALID_DATA;
goto err;
}
/* Allocate an output buffer for openssl */
plain_text = malloc(witness_len);
if (!plain_text) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not allocate buffer for plain text\n");
r = SC_ERROR_INTERNAL;
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
/* decrypt the data from the card */
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (!EVP_DecryptInit(ctx, cipher, key, NULL)) {
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
/* may fail if des parity of key is wrong. depends on OpenSSL options */
r = SC_ERROR_INTERNAL;
goto err;
}
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
EVP_CIPHER_CTX_set_padding(ctx,0);
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
p = plain_text;
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (!EVP_DecryptUpdate(ctx, p, &N, witness_data, witness_len)) {
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
plain_text_len = tmplen = N;
p += tmplen;
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if(!EVP_DecryptFinal(ctx, p, &N)) {
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
tmplen = N;
plain_text_len += tmplen;
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
if (plain_text_len != witness_len) {
Print size_t variables on properly on Windows OpenSC used SUSv3 "z" printf length modifier for printing size_t variables, however this modifier is not available on Windows ("I" must be used instead), at least for now. Introduce SC_FORMAT_LEN_SIZE_T define for that purpose and convert existing code to use it when printing size_t variables. This define can't go into libopensc/internal.h since tools use it, too. Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2016-09-28 17:35:13 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
"Encrypted and decrypted lengths do not match: %"SC_FORMAT_LEN_SIZE_T"u:%"SC_FORMAT_LEN_SIZE_T"u\n",
witness_len, plain_text_len);
use EVP API for DES encryption git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3106 c6295689-39f2-0310-b995-f0e70906c6a9
2007-01-08 20:19:10 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
/* Build a response to the card of:
* [GEN AUTH][ 80<decrypted witness>81 <challenge> ]
* Start by computing the nonce for <challenge> the
* nonce length should match the witness length of
* the card.
*/
nonce = malloc(witness_len);
if(!nonce) {
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
"OOM allocating nonce (%"SC_FORMAT_LEN_SIZE_T"u : %"SC_FORMAT_LEN_SIZE_T"u)\n",
witness_len, plain_text_len);
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
nonce_len = witness_len;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
r = RAND_bytes(nonce, witness_len);
if(!r) {
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
"Generating random for nonce (%"SC_FORMAT_LEN_SIZE_T"u : %"SC_FORMAT_LEN_SIZE_T"u)\n",
witness_len, plain_text_len);
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
/* nonce for challenge */
tmplen = put_tag_and_len(0x81, witness_len, NULL);
/* plain text witness keep a length separate for the 0x7C tag */
tmplen += put_tag_and_len(0x80, witness_len, NULL);
tmplen2 = tmplen;
/* outside 7C tag with 81:80 as innards */
tmplen = put_tag_and_len(0x7C, tmplen, NULL);
built_len = tmplen;
/* Build the response buffer */
p = built = malloc(built_len);
if(!built) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "OOM Building witness response and challenge\n");
r = SC_ERROR_INTERNAL;
goto err;
}
p = built;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
/* Start with the 7C Tag */
put_tag_and_len(0x7C, tmplen2, &p);
/* Add the DECRYPTED witness, tag 0x80 */
put_tag_and_len(0x80, witness_len, &p);
memcpy(p, plain_text, witness_len);
p += witness_len;
/* Add the challenge, tag 0x81 */
put_tag_and_len(0x81, witness_len, &p);
memcpy(p, nonce, witness_len);
/* Don't leak rbuf from above */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
free(rbuf);
rbuf = NULL;
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
/* Send constructed data */
r = piv_general_io(card, 0x87, alg_id, key_ref, built,built_len, &rbuf, &rbuflen);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (r < 0) goto err;
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
/* Remove the encompassing outer TLV of 0x7C and get the data */
body = sc_asn1_find_tag(card->ctx, rbuf,
r, 0x7C, &body_len);
if(!body) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not find outer tag 0x7C in response");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
/* SP800-73 not clear if 80 or 82 */
challenge_response = sc_asn1_find_tag(card->ctx, body,
body_len, 0x82, &challenge_response_len);
if(!challenge_response) {
challenge_response = sc_asn1_find_tag(card->ctx, body,
body_len, 0x80, &challenge_response_len);
if(!challenge_response) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not find tag 0x82 or 0x80 in response");
r = SC_ERROR_INVALID_DATA;
goto err;
}
}
/* Decrypt challenge and check against nonce */
decrypted_reponse = malloc(challenge_response_len);
if(!decrypted_reponse) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "OOM Allocating decryption buffer");
r = SC_ERROR_INVALID_DATA;
goto err;
}
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
EVP_CIPHER_CTX_cleanup(ctx);
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (!EVP_DecryptInit(ctx, cipher, key, NULL)) {
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
EVP_CIPHER_CTX_set_padding(ctx,0);
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
tmp = decrypted_reponse;
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (!EVP_DecryptUpdate(ctx, tmp, &N, challenge_response, challenge_response_len)) {
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
decrypted_reponse_len = tmplen = N;
tmp += tmplen;
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if(!EVP_DecryptFinal(ctx, tmp, &N)) {
use EVP API for DES encryption git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3106 c6295689-39f2-0310-b995-f0e70906c6a9
2007-01-08 20:19:10 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
tmplen = N;
decrypted_reponse_len += tmplen;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
if (decrypted_reponse_len != nonce_len || memcmp(nonce, decrypted_reponse, nonce_len) != 0) {
Print size_t variables on properly on Windows OpenSC used SUSv3 "z" printf length modifier for printing size_t variables, however this modifier is not available on Windows ("I" must be used instead), at least for now. Introduce SC_FORMAT_LEN_SIZE_T define for that purpose and convert existing code to use it when printing size_t variables. This define can't go into libopensc/internal.h since tools use it, too. Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2016-09-28 17:35:13 +00:00
sc_log(card->ctx,
"mutual authentication failed, card returned wrong value %"SC_FORMAT_LEN_SIZE_T"u:%"SC_FORMAT_LEN_SIZE_T"u",
decrypted_reponse_len, nonce_len);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_DECRYPT_FAILED;
goto err;
}
use EVP API for DES encryption git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3106 c6295689-39f2-0310-b995-f0e70906c6a9
2007-01-08 20:19:10 +00:00
r = SC_SUCCESS;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
err:
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (ctx)
EVP_CIPHER_CTX_free(ctx);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (locked)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
sc_unlock(card);
if (rbuf)
free(rbuf);
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
if (decrypted_reponse)
free(decrypted_reponse);
if (built)
free(built);
if (plain_text)
free(plain_text);
if (nonce)
free(nonce);
if (key)
free(key);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#else
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "OpenSSL Required");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_NOT_SUPPORTED;
#endif /* ENABLE_OPENSSL */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/* Currently only used for card administration */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
static int piv_general_external_authenticate(sc_card_t *card,
fix some warnings git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2858 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-23 18:43:14 +00:00
unsigned int key_ref, unsigned int alg_id)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
int r;
#ifdef ENABLE_OPENSSL
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
int tmplen;
int outlen;
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
int locked = 0;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
u8 *p;
u8 *rbuf = NULL;
u8 *key = NULL;
u8 *cypher_text = NULL;
u8 *output_buf = NULL;
const u8 *body = NULL;
const u8 *challenge_data = NULL;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t rbuflen;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
size_t body_len;
size_t output_len;
size_t challenge_len;
size_t keylen = 0;
size_t cypher_text_len = 0;
u8 sbuf[255];
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
EVP_CIPHER_CTX * ctx = NULL;
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
const EVP_CIPHER *cipher;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
use EVP API for DES encryption git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3106 c6295689-39f2-0310-b995-f0e70906c6a9
2007-01-08 20:19:10 +00:00
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Selected cipher for algorithm id: %02x\n", alg_id);
cipher = get_cipher_for_algo(alg_id);
if(!cipher) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid cipher selector, none found for: %02x\n", alg_id);
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
r = piv_get_key(card, alg_id, &key, &keylen);
if (r) {
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Error getting General Auth key\n");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
goto err;
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = sc_lock(card);
Add brackets in card-piv.c
2015-02-16 16:43:19 +00:00
if (r != SC_SUCCESS) {
Fix-up changes caused by Coverity scan piv-tool.c add /* fall through */ to avoif false warning card-piv.c - clean up if sc_lock fails.
2015-02-11 19:39:59 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "sc_lock failed\n");
goto err; /* cleanup */
Add brackets in card-piv.c
2015-02-16 16:43:19 +00:00
}
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
locked = 1;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
p = sbuf;
*p++ = 0x7C;
*p++ = 0x02;
*p++ = 0x81;
*p++ = 0x00;
/* get a challenge */
card-pin: make working 'external authenticate' ... 'key-ref' and 'algo' arguments of the piv_general_external_authenticate() function were not used git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5315 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-09 19:26:34 +00:00
r = piv_general_io(card, 0x87, alg_id, key_ref, sbuf, p - sbuf, &rbuf, &rbuflen);
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Error getting Challenge\n");
goto err;
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
/*
* the value here corresponds with the response size, so we use this
* to alloc the response buffer, rather than re-computing it.
*/
output_len = r;
/* Remove the encompassing outer TLV of 0x7C and get the data */
body = sc_asn1_find_tag(card->ctx, rbuf,
r, 0x7C, &body_len);
if (!body) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid Challenge Data response of NULL\n");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
/* Get the challenge data indicated by the TAG 0x81 */
challenge_data = sc_asn1_find_tag(card->ctx, body,
body_len, 0x81, &challenge_len);
if (!challenge_data) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid Challenge Data none found in TLV\n");
r = SC_ERROR_INVALID_DATA;
goto err;
}
/* Store this to sanity check that plaintext length and cyphertext lengths match */
/* TODO is this required */
tmplen = challenge_len;
use EVP API for DES encryption git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3106 c6295689-39f2-0310-b995-f0e70906c6a9
2007-01-08 20:19:10 +00:00
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
/* Encrypt the challenge with the secret */
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (!EVP_EncryptInit(ctx, cipher, key, NULL)) {
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Encrypt fail\n");
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
cypher_text = malloc(challenge_len);
if (!cypher_text) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not allocate buffer for cipher text\n");
r = SC_ERROR_INTERNAL;
goto err;
}
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
EVP_CIPHER_CTX_set_padding(ctx,0);
if (!EVP_EncryptUpdate(ctx, cypher_text, &outlen, challenge_data, challenge_len)) {
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Encrypt update fail\n");
r = SC_ERROR_INTERNAL;
goto err;
}
cypher_text_len += outlen;
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (!EVP_EncryptFinal(ctx, cypher_text + cypher_text_len, &outlen)) {
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Final fail\n");
use EVP API for DES encryption git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3106 c6295689-39f2-0310-b995-f0e70906c6a9
2007-01-08 20:19:10 +00:00
r = SC_ERROR_INTERNAL;
goto err;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
cypher_text_len += outlen;
/*
* Actually perform the sanity check on lengths plaintext length vs
* encrypted length
*/
if (cypher_text_len != (size_t)tmplen) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Length test fail\n");
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
output_buf = malloc(output_len);
if(!output_buf) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not allocate output buffer: %s\n",
strerror(errno));
r = SC_ERROR_INTERNAL;
goto err;
}
p = output_buf;
/*
* Build: 7C<len>[82<len><challenge>]
* Start off by capturing the data of the response:
* - 82<len><encrypted challenege response>
* Build the outside TLV (7C)
* Advance past that tag + len
* Build the body (82)
* memcopy the body past the 7C<len> portion
* Transmit
*/
tmplen = put_tag_and_len(0x82, cypher_text_len, NULL);
tmplen = put_tag_and_len(0x7C, tmplen, &p);
/* Build the 0x82 TLV and append to the 7C<len> tag */
tmplen += put_tag_and_len(0x82, cypher_text_len, &p);
Remove hardcodes from Mutual Authenticate Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
2014-09-02 19:16:53 +00:00
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
memcpy(p, cypher_text, cypher_text_len);
p += cypher_text_len;
tmplen += cypher_text_len;
/* Sanity check the lengths again */
if(output_len != (size_t)tmplen) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Allocated and computed lengths do not match! "
Print size_t variables on properly on Windows OpenSC used SUSv3 "z" printf length modifier for printing size_t variables, however this modifier is not available on Windows ("I" must be used instead), at least for now. Introduce SC_FORMAT_LEN_SIZE_T define for that purpose and convert existing code to use it when printing size_t variables. This define can't go into libopensc/internal.h since tools use it, too. Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2016-09-28 17:35:13 +00:00
"Expected %"SC_FORMAT_LEN_SIZE_T"d, found: %d\n", output_len, tmplen);
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
r = SC_ERROR_INTERNAL;
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
r = piv_general_io(card, 0x87, alg_id, key_ref, output_buf, output_len, NULL, NULL);
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Got response challenge\n");
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
err:
Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC OpenSSL-1.1.0 was released 8/25/2016 OpenSSL-1.1.0a was released 9/22/2016 https://www.openssl.org/news/openssl-1.1.0-notes.html Changes to allow the OpenSC code base to work with OpenSSL versions from 0.9.7 to 1.1.0 with few changes. This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch. No attempt was made to back port any OpenSSL features. These changes just allow an updated OpenSC code base to use what is in the various OpenSSL releases. A new header libopensc/sc-ossl-compat.h contains extra defines to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements in the source code. The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h has defines for the new API for use with older versions of OpenSSL. sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC library routines can take advantage of it. For the tools, which do not use libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools. The OpenSC source has been modified to use OpenSSL functions to access hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new functions to allocate structures which must use pointer such as BIGNUM and EVP_CIPHER_CTX. For backward compatability sc-ossl-compat.h now defines inline routines to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus the same OpenSC source code can be used with openSSL versions from 0.9.7 to 1.1.0. Inline routines were chosen, because using macros does not work on all platforms. Having OpenSC versions of these routines in libopensc would be a posibility, but they are only used for older version of OpenSSL, and could be removed in the future. Changes to be committed: modified: src/libopensc/card-entersafe.c modified: src/libopensc/card-epass2003.c modified: src/libopensc/card-gids.c modified: src/libopensc/card-gpk.c modified: src/libopensc/card-oberthur.c modified: src/libopensc/card-piv.c modified: src/libopensc/card-westcos.c modified: src/libopensc/cwa-dnie.c modified: src/libopensc/cwa14890.c modified: src/libopensc/internal.h modified: src/libopensc/p15card-helper.c modified: src/libopensc/pkcs15-itacns.c modified: src/libopensc/pkcs15-prkey.c modified: src/libopensc/pkcs15-pubkey.c new file: src/libopensc/sc-ossl-compat.h modified: src/pkcs11/openssl.c modified: src/pkcs15init/pkcs15-lib.c modified: src/pkcs15init/pkcs15-oberthur-awp.c modified: src/pkcs15init/pkcs15-oberthur.c modified: src/pkcs15init/pkcs15-oberthur.h modified: src/pkcs15init/pkcs15-westcos.c modified: src/tools/cryptoflex-tool.c modified: src/tools/gids-tool.c modified: src/tools/netkey-tool.c modified: src/tools/piv-tool.c modified: src/tools/pkcs11-tool.c modified: src/tools/pkcs15-init.c modified: src/tools/sc-hsm-tool.c modified: src/tools/westcos-tool.c
2016-01-06 14:40:59 +00:00
if (ctx)
EVP_CIPHER_CTX_free(ctx);
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
if (locked)
sc_unlock(card);
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
if (key) {
sc_mem_clear(key, keylen);
free(key);
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (rbuf)
free(rbuf);
Add AES support for PIV General Authenticate This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <w2.roberts@samsung.com>
2014-07-08 20:52:48 +00:00
if (cypher_text)
free(cypher_text);
if (output_buf)
free(output_buf);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#else
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "OpenSSL Required");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_NOT_SUPPORTED;
#endif /* ENABLE_OPENSSL */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_get_serial_nr_from_CHUI(sc_card_t* card, sc_serial_number_t* serial)
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
{
int r;
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
int i;
u8 gbits;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
u8 *rbuf = NULL;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 *body;
const u8 *fascn;
const u8 *guid;
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
size_t rbuflen = 0, bodylen, fascnlen, guidlen;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
card-piv: store serial number into the 'serialnr' member of sc_card structure ... ... when serial number was asked for the first time. Then return the stored value for the every next request of serial number. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5348 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-16 17:35:56 +00:00
if (card->serialnr.len) {
*serial = card->serialnr;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
card-piv: store serial number into the 'serialnr' member of sc_card structure ... ... when serial number was asked for the first time. Then return the stored value for the every next request of serial number. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5348 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-16 17:35:56 +00:00
}
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/*
* 800-73-3 Part 1 and CIO Council docs say for PIV Compatible cards
* the FASC-N Agency code should be 9999 and there should be a GUID
* based on RFC 4122. If GUID present and not zero
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
* we will use the GUID as the serial number.
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
*/
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
r = piv_get_cached_data(card, PIV_OBJ_CHUI, &rbuf, &rbuflen);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_TEST_RET(card->ctx, r, "Failure retrieving CHUI");
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
r = SC_ERROR_INTERNAL;
if (rbuflen != 0) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
body = sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x53, &bodylen); /* Pass the outer wrapper asn1 */
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
if (body != NULL && bodylen != 0) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
fascn = sc_asn1_find_tag(card->ctx, body, bodylen, 0x30, &fascnlen); /* Find the FASC-N data */
guid = sc_asn1_find_tag(card->ctx, body, bodylen, 0x34, &guidlen);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
gbits = 0; /* if guid is valid, gbits will not be zero */
if (guid && guidlen == 16) {
for (i = 0; i < 16; i++) {
gbits = gbits | guid[i]; /* if all are zero, gbits will be zero */
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"fascn=%p,fascnlen=%"SC_FORMAT_LEN_SIZE_T"u,guid=%p,guidlen=%"SC_FORMAT_LEN_SIZE_T"u,gbits=%2.2x",
fascn, fascnlen, guid, guidlen, gbits);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
if (fascn && fascnlen == 25) {
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
/* test if guid and the fascn starts with ;9999 (in ISO 4bit + parity code) */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (!(gbits && fascn[0] == 0xD4 && fascn[1] == 0xE7
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
&& fascn[2] == 0x39 && (fascn[3] | 0x7F) == 0xFF)) {
serial->len = fascnlen < SC_MAX_SERIALNR ? fascnlen : SC_MAX_SERIALNR;
memcpy (serial->value, fascn, serial->len);
r = SC_SUCCESS;
gbits = 0; /* set to skip using guid below */
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
if (guid && gbits) {
serial->len = guidlen < SC_MAX_SERIALNR ? guidlen : SC_MAX_SERIALNR;
memcpy (serial->value, guid, serial->len);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
r = SC_SUCCESS;
}
}
}
card-piv: store serial number into the 'serialnr' member of sc_card structure ... ... when serial number was asked for the first time. Then return the stored value for the every next request of serial number. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5348 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-16 17:35:56 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
card->serialnr = *serial;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/*
* If the object can not be present on the card, because the History
* object is not present or the History object says its not present,
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* return 1. If object may be present return 0.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* Cuts down on overhead, by not showing non existent objects to pkcs11
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* The path for the object is passed in and the first 2 bytes are used.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* Note: If the History or Discovery object is not found the
* PIV_OBJ_CACHE_NOT_PRESENT is set, as older cards do not have these.
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* pkcs15-piv.c calls this via cardctl.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
*/
static int piv_is_object_present(sc_card_t *card, u8 *ptr)
{
piv_private_data_t * priv = PIV_DATA(card);
int r = 0;
int enumtag;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
enumtag = piv_find_obj_by_containerid(card, ptr);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (enumtag >= 0 && priv->obj_cache[enumtag].flags & PIV_OBJ_CACHE_NOT_PRESENT)
r = 1;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
/*
* NIST 800-73-3 allows the default pin to be the PIV application 0x80
* or the global pin for the card 0x00. Look at Discovery object to get this.
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* called by pkcs15-piv.c via cardctl when setting up the pins.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
*/
static int piv_get_pin_preference(sc_card_t *card, int *ptr)
{
piv_private_data_t * priv = PIV_DATA(card);
*ptr = priv->pin_preference;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
static int piv_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
{
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
piv_private_data_t * priv = PIV_DATA(card);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
u8 * opts; /* A or M, key_ref, alg_id */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV: fix segfault and valgrind issue prototype of 'get-guid' has been changed; valgrind issue: Conditional jump or move depends on uninitialised value(s) at 0x5A0159B: vfprintf (vfprintf.c:1629) by 0x5AC04BF: __vsnprintf_chk (vsnprintf_chk.c:65) by 0x522A665: sc_do_log_va.part.0 (stdio2.h:78) by 0x522A819: sc_do_log (log.c:52) by 0x529462F: piv_card_ctl (card-piv.c:1794) by 0x5232E2F: sc_card_ctl (card.c:772) by 0x52E561D: sc_pkcs15emu_piv_init (pkcs15-piv.c:626)
2014-02-09 12:24:51 +00:00
LOG_FUNC_CALLED(card->ctx);
sc_log(card->ctx, "cmd=%ld ptr=%p", cmd, ptr);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (priv == NULL) {
PIV: fix segfault and valgrind issue prototype of 'get-guid' has been changed; valgrind issue: Conditional jump or move depends on uninitialised value(s) at 0x5A0159B: vfprintf (vfprintf.c:1629) by 0x5AC04BF: __vsnprintf_chk (vsnprintf_chk.c:65) by 0x522A665: sc_do_log_va.part.0 (stdio2.h:78) by 0x522A819: sc_do_log (log.c:52) by 0x529462F: piv_card_ctl (card-piv.c:1794) by 0x5232E2F: sc_card_ctl (card.c:772) by 0x52E561D: sc_pkcs15emu_piv_init (pkcs15-piv.c:626)
2014-02-09 12:24:51 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
switch(cmd) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
case SC_CARDCTL_PIV_AUTHENTICATE:
opts = (u8 *)ptr;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
switch (*opts) {
case 'A':
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
return piv_general_external_authenticate(card,
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*(opts+1), *(opts+2));
break;
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
case 'M':
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
return piv_general_mutual_authenticate(card,
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*(opts+1), *(opts+2));
break;
}
break;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
case SC_CARDCTL_PIV_GENERATE_KEY:
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
return piv_generate_key(card,
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
(sc_cardctl_piv_genkey_info_t *) ptr);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
break;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
case SC_CARDCTL_GET_SERIALNR:
return piv_get_serial_nr_from_CHUI(card, (sc_serial_number_t *) ptr);
break;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
case SC_CARDCTL_PIV_PIN_PREFERENCE:
return piv_get_pin_preference(card, ptr);
break;
case SC_CARDCTL_PIV_OBJECT_PRESENT:
return piv_is_object_present(card, ptr);
break;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: fix segfault and valgrind issue prototype of 'get-guid' has been changed; valgrind issue: Conditional jump or move depends on uninitialised value(s) at 0x5A0159B: vfprintf (vfprintf.c:1629) by 0x5AC04BF: __vsnprintf_chk (vsnprintf_chk.c:65) by 0x522A665: sc_do_log_va.part.0 (stdio2.h:78) by 0x522A819: sc_do_log (log.c:52) by 0x529462F: piv_card_ctl (card-piv.c:1794) by 0x5232E2F: sc_card_ctl (card.c:772) by 0x52E561D: sc_pkcs15emu_piv_init (pkcs15-piv.c:626)
2014-02-09 12:24:51 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
static int piv_get_challenge(sc_card_t *card, u8 *rnd, size_t len)
{
u8 sbuf[16];
u8 *rbuf = NULL;
size_t rbuflen = 0;
u8 *p, *q;
int r;
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx, "challenge len=%"SC_FORMAT_LEN_SIZE_T"u", len);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
don't ignore errors
2015-01-28 03:45:08 +00:00
r = sc_lock(card);
if (r != SC_SUCCESS)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
p = sbuf;
*p++ = 0x7c;
*p++ = 0x02;
*p++ = 0x81;
*p++ = 0x00;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* assuming 8 byte response ? */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* should take what the card returns */
while (len > 0) {
size_t n = len > 8 ? 8 : len;
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
/* NIST 800-73-3 says use 9B, previous versions used 00 */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = piv_general_io(card, 0x87, 0x00, 0x9B, sbuf, p - sbuf, &rbuf, &rbuflen);
if (r < 0) {
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
sc_unlock(card);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
q = rbuf;
if ( (*q++ != 0x7C)
|| (*q++ != rbuflen - 2)
|| (*q++ != 0x81)
|| (*q++ != rbuflen - 4)) {
r = SC_ERROR_INVALID_DATA;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
sc_unlock(card);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
memcpy(rnd, q, n);
len -= n;
rnd += n;
free(rbuf);
rbuf = NULL;
}
don't ignore errors
2015-01-28 03:45:08 +00:00
r = sc_unlock(card);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_set_security_env(sc_card_t *card, const sc_security_env_t *env, int se_num)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv_private_data_t * priv = PIV_DATA(card);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
int r = 0;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"flags=%08lx op=%d alg=%d algf=%08x algr=%08x kr0=%02x, krfl=%"SC_FORMAT_LEN_SIZE_T"u",
env->flags, env->operation, env->algorithm, env->algorithm_flags,
env->algorithm_ref, env->key_ref[0], env->key_ref_len);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
priv->operation = env->operation;
priv->algorithm = env->algorithm;
if (env->algorithm == SC_ALGORITHM_RSA) {
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
priv->alg_id = 0x06; /* Say it is RSA, set 5, 6, 7 later */
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
} else if (env->algorithm == SC_ALGORITHM_EC) {
if (env->flags & SC_SEC_ENV_ALG_REF_PRESENT) {
switch (env->algorithm_ref) {
case 256:
priv->alg_id = 0x11; /* Say it is EC 256 */
priv->key_size = 256;
break;
case 384:
priv->alg_id = 0x14;
priv->key_size = 384;
break;
default:
r = SC_ERROR_NO_CARD_SUPPORT;
}
} else
r = SC_ERROR_NO_CARD_SUPPORT;
} else
r = SC_ERROR_NO_CARD_SUPPORT;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
priv->key_ref = env->key_ref[0];
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
static int piv_restore_security_env(sc_card_t *card, int se_num)
{
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_CALLED(card->ctx);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
static int piv_validate_general_authentication(sc_card_t *card,
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
const u8 * data, size_t datalen,
u8 * out, size_t outlen)
{
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
piv_private_data_t * priv = PIV_DATA(card);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
int r;
u8 *p;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 *tag;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t taglen;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 *body;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
size_t bodylen;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
unsigned int real_alg_id;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
u8 sbuf[4096]; /* needs work. for 3072 keys, needs 384+10 or so */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
u8 *rbuf = NULL;
Reselect PKI-Applets after card reset PKI-Applets may not be active if the card has been reset or unpowered. The SELECT command used to activate the applet, is identical to the one used during card matching or initialization.
2018-01-16 20:03:30 +00:00
size_t rbuflen;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* should assume large send data */
p = sbuf;
put_tag_and_len(0x7c, (2 + put_tag_and_len(0, datalen, NULL)) , &p);
put_tag_and_len(0x82, 0, &p);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (priv->operation == SC_SEC_OPERATION_DERIVE
&& priv->algorithm == SC_ALGORITHM_EC)
put_tag_and_len(0x85, datalen, &p);
else
put_tag_and_len(0x81, datalen, &p);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
memcpy(p, data, datalen);
p += datalen;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/*
* alg_id=06 is a place holder for all RSA keys.
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
* Derive the real alg_id based on the size of the
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* the data, as we are always using raw mode.
* Non RSA keys needs some work in thia area.
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
*/
real_alg_id = priv->alg_id;
if (priv->alg_id == 0x06) {
switch (datalen) {
case 128: real_alg_id = 0x06; break;
case 256: real_alg_id = 0x07; break;
case 384: real_alg_id = 0x05; break;
default:
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NO_CARD_SUPPORT);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
}
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* EC alg_id was already set */
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = piv_general_io(card, 0x87, real_alg_id, priv->key_ref,
sbuf, p - sbuf, &rbuf, &rbuflen);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if ( r >= 0) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
body = sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x7c, &bodylen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (body) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
tag = sc_asn1_find_tag(card->ctx, body, bodylen, 0x82, &taglen);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (tag) {
memcpy(out, tag, taglen);
r = taglen;
}
} else
r = SC_ERROR_INVALID_DATA;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (rbuf)
free(rbuf);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_compute_signature(sc_card_t *card, const u8 * data, size_t datalen,
u8 * out, size_t outlen)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
piv_private_data_t * priv = PIV_DATA(card);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
int r;
int i;
fixed compiler warnings (partially submitted) Signed-off-by: Frank Morgner <morgner@informatik.hu-berlin.de> PR-222: commit https://github.com/frankmorgner/OpenSC/commit/0b567dbaa83741675497a76d867645675f57262c partially submitted by Viktor Tarasov
2014-02-25 08:07:09 +00:00
size_t nLen;
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
u8 rbuf[128]; /* For EC conversions 384 will fit */
size_t rbuflen = sizeof(rbuf);
const u8 * body;
size_t bodylen;
const u8 * tag;
size_t taglen;
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* The PIV returns a DER SEQUENCE{INTEGER, INTEGER}
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
* Which may have leading 00 to force positive
* TODO: -DEE should check if PKCS15 want the same
* But PKCS11 just wants 2* filed_length in bytes
* So we have to strip out the integers
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* if present and pad on left if too short.
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
*/
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
if (priv->alg_id == 0x11 || priv->alg_id == 0x14 ) {
nLen = (priv->key_size + 7) / 8;
if (outlen < 2*nLen) {
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
" output too small for EC signature %"SC_FORMAT_LEN_SIZE_T"u < %"SC_FORMAT_LEN_SIZE_T"u",
outlen, 2 * nLen);
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
}
memset(out, 0, outlen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
r = piv_validate_general_authentication(card, data, datalen, rbuf, rbuflen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (r < 0)
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
goto err;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
if ( r >= 0) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
body = sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x30, &bodylen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
for (i = 0; i<2; i++) {
if (body) {
tag = sc_asn1_find_tag(card->ctx, body, bodylen, 0x02, &taglen);
if (tag) {
bodylen -= taglen - (tag - body);
body = tag + taglen;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
if (taglen > nLen) { /* drop leading 00 if present */
if (*tag != 0x00) {
r = SC_ERROR_INVALID_DATA;
goto err;
}
tag++;
taglen--;
}
memcpy(out + nLen*i + nLen - taglen , tag, taglen);
} else {
r = SC_ERROR_INVALID_DATA;
goto err;
}
} else {
r = SC_ERROR_INVALID_DATA;
goto err;
}
}
r = 2 * nLen;
}
} else { /* RSA is all set */
r = piv_validate_general_authentication(card, data, datalen, out, outlen);
}
err:
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_decipher(sc_card_t *card, const u8 * data, size_t datalen, u8 * out, size_t outlen)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, piv_validate_general_authentication(card, data, datalen, out, outlen));
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
/*
* the PIV-II does not always support files, but we will simulate
* files and reading/writing using get/put_data
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* The path is the containerID number
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
* We can use this to determine the type of data requested, like a cert
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* or pub key.
* We only support write from the piv_tool with file_out==NULL
* All other requests should be to read.
* Only if file_out != null, will we read to get length.
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
*/
static int piv_select_file(sc_card_t *card, const sc_path_t *in_path,
sc_file_t **file_out)
{
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
piv_private_data_t * priv = PIV_DATA(card);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
int r;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
int i;
const u8 *path;
int pathlen;
sc_file_t *file = NULL;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
u8 * rbuf = NULL;
size_t rbuflen = 0;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
path = in_path->value;
pathlen = in_path->len;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
/* only support single EF in current application */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
/*
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* PIV emulates files, and only does so because sc_pkcs15_* uses
Do not expose access to PIV emulated files from utilities PIV cards uses get/put data not select file and read_binary. To allow access via pkcs15 emulation card-piv.c emulates select_file and read_binary but only when used with the path as created by the piv emulation. There are no MF.DIR or ED.DIR files. opensc-tool and opensc-explorer will not work with this emulation. Patch removes code that caused problems with opensc-tooland opensc-explorer.
2015-10-14 20:04:34 +00:00
* select_file and read_binary. The emulation adds path emulated structures
* so piv_select_file will find it.
* there is no dir. Only direct access to emulated files
* thus opensc-tool and opensc-explorer can not read the emulated files
*/
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
card-piv: 'emulate' MF selection by selection of the PIV applet ... so that, PIV card can be used with the 'opensc-explorer' interactive tool git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5317 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-10 08:47:35 +00:00
if (memcmp(path, "\x3F\x00", 2) == 0) {
Do not expose access to PIV emulated files from utilities PIV cards uses get/put data not select file and read_binary. To allow access via pkcs15 emulation card-piv.c emulates select_file and read_binary but only when used with the path as created by the piv emulation. There are no MF.DIR or ED.DIR files. opensc-tool and opensc-explorer will not work with this emulation. Patch removes code that caused problems with opensc-tooland opensc-explorer.
2015-10-14 20:04:34 +00:00
if (pathlen > 2) {
card-piv: 'emulate' MF selection by selection of the PIV applet ... so that, PIV card can be used with the 'opensc-explorer' interactive tool git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5317 c6295689-39f2-0310-b995-f0e70906c6a9
2011-04-10 08:47:35 +00:00
path += 2;
pathlen -= 2;
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
i = piv_find_obj_by_containerid(card, path);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (i < 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
/*
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* pkcs15 will use a 2 byte path or a 4 byte path
* with cece added to path to request only the cert from the cert obj
patch from Douglas E. Engert for bug #165 git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3292 c6295689-39f2-0310-b995-f0e70906c6a9
2007-11-09 08:35:23 +00:00
* PIV "Container ID" is used as the path, and are two bytes long
*/
priv->return_only_cert = (pathlen == 4 && path[2] == 0xce && path[3] == 0xce);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
priv->selected_obj = i;
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
priv->rwb_state = -1;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* make it look like the file was found. */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* We don't want to read it now unless we need the length */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (file_out) {
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* we need to read it now, to get length into cache */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = piv_get_cached_data(card, i, &rbuf, &rbuflen);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (r < 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
/* get the cert or the pub key out and into the cache too */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (priv->return_only_cert || piv_objects[i].flags & PIV_OBJECT_TYPE_PUBKEY) {
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
r = piv_cache_internal_data(card, i);
if (r < 0)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
file = sc_file_new();
if (file == NULL)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
file->path = *in_path;
/* this could be like the FCI */
file->type = SC_FILE_TYPE_DF;
file->shareable = 0;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
file->ef_structure = 0;
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (priv->return_only_cert)
file->size = priv->obj_cache[i].internal_obj_len;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
else
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
file->size = priv->obj_cache[i].obj_len;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
file->id = (piv_objects[i].containerid[0]<<8) + piv_objects[i].containerid[1];
*file_out = file;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
static int piv_parse_discovery(sc_card_t *card, u8 * rbuf, size_t rbuflen, int aid_only)
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
{
piv_private_data_t * priv = PIV_DATA(card);
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
int r = 0;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
const u8 * body;
size_t bodylen;
const u8 * aid;
size_t aidlen;
const u8 * pinp;
size_t pinplen;
unsigned int cla_out, tag_out;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (rbuflen != 0) {
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
body = rbuf;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if ((r = sc_asn1_read_tag(&body, rbuflen, &cla_out, &tag_out, &bodylen)) != SC_SUCCESS) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "DER problem %d",r);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = SC_ERROR_INVALID_ASN1_OBJECT;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
goto err;
}
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"Discovery 0x%2.2x 0x%2.2x %p:%"SC_FORMAT_LEN_SIZE_T"u",
cla_out, tag_out, body, bodylen);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if ( cla_out+tag_out == 0x7E && body != NULL && bodylen != 0) {
aidlen = 0;
aid = sc_asn1_find_tag(card->ctx, body, bodylen, 0x4F, &aidlen);
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx, "Discovery aid=%p:%"SC_FORMAT_LEN_SIZE_T"u",
aid, aidlen);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if (aid == NULL || aidlen < piv_aids[0].len_short ||
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
memcmp(aid,piv_aids[0].value,piv_aids[0].len_short) != 0) { /*TODO look at long */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Discovery object not PIV");
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
r = SC_ERROR_INVALID_CARD; /* This is an error */
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
goto err;
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
if (aid_only == 0) {
pinp = sc_asn1_find_tag(card->ctx, body, bodylen, 0x5F2F, &pinplen);
sc_log(card->ctx,
"Discovery pinp=%p:%"SC_FORMAT_LEN_SIZE_T"u",
pinp, pinplen);
if (pinp && pinplen == 2) {
sc_log(card->ctx, "Discovery pinp flags=0x%2.2x 0x%2.2x",*pinp, *(pinp+1));
r = SC_SUCCESS;
if (*pinp == 0x60 && *(pinp+1) == 0x20) { /* use Global pin */
sc_log(card->ctx, "Pin Preference - Global");
priv->pin_preference = 0x00;
}
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
}
}
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
err:
LOG_FUNC_RETURN(card->ctx, r);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/* normal way to get the discovery object via cache */
static int piv_process_discovery(sc_card_t *card)
{
int r;
u8 * rbuf = NULL;
size_t rbuflen = 0;
r = piv_get_cached_data(card, PIV_OBJ_DISCOVERY, &rbuf, &rbuflen);
/* Note rbuf and rbuflen are now pointers into cache */
if (r < 0)
goto err;
sc_log(card->ctx, "Discovery = %p:%"SC_FORMAT_LEN_SIZE_T"u", rbuf,
rbuflen);
/* the object is now cached, see what we have */
r = piv_parse_discovery(card, rbuf, rbuflen, 0);
err:
LOG_FUNC_RETURN(card->ctx, r);
}
static int piv_find_discovery(sc_card_t *card)
{
int r = 0;
u8 rbuf[256];
size_t rbuflen = sizeof(rbuf);
u8 * arbuf = rbuf;
piv_private_data_t * priv = PIV_DATA(card);
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
/*
* During piv_match or piv_card_reader_lock_obtained,
* we use the discovery object to test if card present, and
* if PIV AID is active. So we can not use the cache
*/
/* If not valid, read, cache and test */
if (!(priv->obj_cache[PIV_OBJ_DISCOVERY].flags & PIV_OBJ_CACHE_VALID)) {
r = piv_process_discovery(card);
} else {
/* if already in cache,force read */
r = piv_get_data(card, PIV_OBJ_DISCOVERY, &arbuf, &rbuflen);
if (r >= 0)
/* make sure it is PIV AID */
r = piv_parse_discovery(card, rbuf, rbuflen, 1);
}
LOG_FUNC_RETURN(card->ctx, r);
}
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/*
* The history object lists what retired keys and certs are on the card
* or listed in the offCardCertURL. The user may have read the offCardURL file,
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* ahead of time, and if so will use it for the certs listed.
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
* TODO: -DEE
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* If the offCardCertURL is not cached by the user, should we wget it here?
* Its may be out of scope to have OpenSC read the URL.
*/
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_process_history(sc_card_t *card)
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
{
piv_private_data_t * priv = PIV_DATA(card);
int r;
int i;
int enumtag;
u8 * rbuf = NULL;
size_t rbuflen = 0;
const u8 * body;
size_t bodylen;
const u8 * num;
size_t numlen;
const u8 * url = NULL;
size_t urllen;
u8 * ocfhfbuf = NULL;
unsigned int cla_out, tag_out;
size_t ocfhflen;
const u8 * seq;
const u8 * seqtag;
size_t seqlen;
const u8 * keyref;
size_t keyreflen;
const u8 * cert;
size_t certlen;
size_t certobjlen, i2;
u8 * certobj;
u8 * cp;
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
r = piv_get_cached_data(card, PIV_OBJ_HISTORY, &rbuf, &rbuflen);
if (r == SC_ERROR_FILE_NOT_FOUND)
r = 0; /* OK if not found */
if (r <= 0) {
priv->obj_cache[PIV_OBJ_HISTORY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
goto err; /* no file, must be pre 800-73-3 card and not on card */
}
/* the object is now cached, see what we have */
if (rbuflen != 0) {
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
body = rbuf;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if ((r = sc_asn1_read_tag(&body, rbuflen, &cla_out, &tag_out, &bodylen)) != SC_SUCCESS) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "DER problem %d",r);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
r = SC_ERROR_INVALID_ASN1_OBJECT;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
goto err;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
if ( cla_out+tag_out == 0x53 && body != NULL && bodylen != 0) {
numlen = 0;
num = sc_asn1_find_tag(card->ctx, body, bodylen, 0xC1, &numlen);
if (num) {
if (numlen != 1 || *num > PIV_OBJ_RETIRED_X509_20-PIV_OBJ_RETIRED_X509_1+1) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_INTERNAL; /* TODO some other error */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
goto err;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
priv->keysWithOnCardCerts = *num;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
numlen = 0;
num = sc_asn1_find_tag(card->ctx, body, bodylen, 0xC2, &numlen);
if (num) {
if (numlen != 1 || *num > PIV_OBJ_RETIRED_X509_20-PIV_OBJ_RETIRED_X509_1+1) {
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_INTERNAL; /* TODO some other error */
goto err;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
priv->keysWithOffCardCerts = *num;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
url = sc_asn1_find_tag(card->ctx, body, bodylen, 0xF3, &urllen);
if (url) {
priv->offCardCertURL = calloc(1,urllen+1);
if (priv->offCardCertURL == NULL)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
memcpy(priv->offCardCertURL, url, urllen);
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
else {
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
sc_log(card->ctx, "Problem with History object\n");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
goto err;
}
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "History on=%d off=%d URL=%s",
priv->keysWithOnCardCerts, priv->keysWithOffCardCerts,
priv->offCardCertURL ? priv->offCardCertURL:"NONE");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/* now mark what objects are on the card */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
for (i=0; i<priv->keysWithOnCardCerts; i++)
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
priv->obj_cache[PIV_OBJ_RETIRED_X509_1+i].flags &= ~PIV_OBJ_CACHE_NOT_PRESENT;
/*
* If user has gotten copy of the file from the offCardCertsURL,
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* we will read in and add the certs to the cache as listed on
* the card. some of the certs may be on the card as well.
*
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* Get file name from url. verify that the filename is valid
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
* The URL ends in a SHA1 string. We will use this as the filename
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* in the directory used for the PKCS15 cache
*/
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = 0;
if (priv->offCardCertURL) {
char * fp;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
char filename[PATH_MAX];
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (strncmp("http://", priv->offCardCertURL, 7)) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
/* find the last / so we have the filename part */
fp = strrchr(priv->offCardCertURL + 7,'/');
if (fp == NULL) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = SC_ERROR_INVALID_DATA;
goto err;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
}
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
fp++;
/* Use the same directory as used for other OpenSC cached items */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = sc_get_cache_dir(card->ctx, filename, sizeof(filename) - strlen(fp) - 2);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (r != SC_SUCCESS)
goto err;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
#ifdef _WIN32
strcat(filename,"\\");
#else
strcat(filename,"/");
#endif
strcat(filename,fp);
r = piv_read_obj_from_file(card, filename,
&ocfhfbuf, &ocfhflen);
if (r == SC_ERROR_FILE_NOT_FOUND) {
r = 0;
goto err;
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/*
* Its a seq of seq of a key ref and cert
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
*/
body = ocfhfbuf;
if (sc_asn1_read_tag(&body, ocfhflen, &cla_out,
fixed handling SC_ASN1_TAG_EOC from sc_asn1_read_tag We can't check for `tag == SC_ASN1_TAG_EOC` directly, because this would also be true for a tag of 0x80 (with `class == SC_ASN1_CLASS_CONSTRUCTED`). So what we do is we check for the output buffer to be NULL! fixes https://github.com/OpenSC/OpenSC/issues/1273
2018-03-19 14:25:14 +00:00
&tag_out, &bodylen) != SC_SUCCESS
|| cla_out+tag_out != 0x30) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "DER problem");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_INVALID_ASN1_OBJECT;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
goto err;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
seq = body;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
while (bodylen > 0) {
seqtag = seq;
if (sc_asn1_read_tag(&seq, bodylen, &cla_out,
fixed handling SC_ASN1_TAG_EOC from sc_asn1_read_tag We can't check for `tag == SC_ASN1_TAG_EOC` directly, because this would also be true for a tag of 0x80 (with `class == SC_ASN1_CLASS_CONSTRUCTED`). So what we do is we check for the output buffer to be NULL! fixes https://github.com/OpenSC/OpenSC/issues/1273
2018-03-19 14:25:14 +00:00
&tag_out, &seqlen) != SC_SUCCESS
|| cla_out+tag_out != 0x30) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "DER problem");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_INVALID_ASN1_OBJECT;
goto err;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
keyref = sc_asn1_find_tag(card->ctx, seq, seqlen, 0x04, &keyreflen);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
if (!keyref || keyreflen != 1 ||
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
(*keyref < 0x82 && *keyref > 0x95)) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "DER problem");
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
r = SC_ERROR_INVALID_ASN1_OBJECT;
goto err;
}
cert = keyref + keyreflen;
certlen = seqlen - (cert - seq);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
enumtag = PIV_OBJ_RETIRED_X509_1 + *keyref - 0x82;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
/* now add the cert like another object */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
i2 = put_tag_and_len(0x70,certlen, NULL)
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
+ put_tag_and_len(0x71, 1, NULL)
+ put_tag_and_len(0xFE, 0, NULL);
certobjlen = put_tag_and_len(0x53, i2, NULL);
certobj = malloc(certobjlen);
if (certobj == NULL) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
cp = certobj;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
put_tag_and_len(0x53, i2, &cp);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
put_tag_and_len(0x70,certlen, &cp);
memcpy(cp, cert, certlen);
cp += certlen;
put_tag_and_len(0x71, 1,&cp);
*cp++ = 0x00;
put_tag_and_len(0xFE, 0, &cp);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
priv->obj_cache[enumtag].obj_data = certobj;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
priv->obj_cache[enumtag].obj_len = certobjlen;
priv->obj_cache[enumtag].flags |= PIV_OBJ_CACHE_VALID;
priv->obj_cache[enumtag].flags &= ~PIV_OBJ_CACHE_NOT_PRESENT;
r = piv_cache_internal_data(card, enumtag);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "got internal r=%d",r);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
certobj = NULL;
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"Added from off card file #%d %p:%"SC_FORMAT_LEN_SIZE_T"u 0x%02X",
enumtag,
priv->obj_cache[enumtag].obj_data,
priv->obj_cache[enumtag].obj_len, *keyref);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
bodylen -= (seqlen + seq - seqtag);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
seq += seqlen;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
}
err:
if (ocfhfbuf)
free(ocfhfbuf);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_finish(sc_card_t *card)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
piv_private_data_t * priv = PIV_DATA(card);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
int i;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
cleanup of the debug code: * reduce to a few, supported functions. * change all functions to take the debug level as parameter. * use symbolic names for the debug levels. * fix tools to pass "verbose"/"opt_debug" as ctx->debug. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-15 12:17:13 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (priv) {
NULL parameter check moved to sc_file_free() This fixes numerous issues where the check is *not* performed, and also simplifies the code.
2017-01-05 19:21:44 +00:00
sc_file_free(priv->aid_file);
Updated piv driver by Douglas E. Engert: the PIV driver no longer need to set the card max_*_size parameters to get around emulating read_binary and write_binary. It can now handle partial reads and writes. The assumptions for write_binary are that the first chuck will have idx = 0, and the last chunk will write the last byte. The flags parameter will contain the total length. The only write_binary operations are done when initializing a card, and this is only done from piv-tool.c which was modified to pass in the length and other flags. Piv-tool continues to be a primative test tool for inializing test cards. But it has been expanded to be able to write other objects on test cards. The serial number of a PIV card is obtained from the CHUID object if present which has a FASC-N which is an ID number created by the issuer. Normally PIV cards are issued the U.S. Federal government But there are ways to use the same cards with a non government CA. This is then be referred to as PIV Compatible. In this case, the FASC-N should start with an agency code = 9999 and an RFC 4122 GUID should be present in the CHUID. If this is the case, the GUID is used as the serial number. Windows 7 comes with a PIV card card driver, but to get it use one of these card the CHUID is required. (piv-tool can now write one. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3998 c6295689-39f2-0310-b995-f0e70906c6a9
2010-02-05 06:16:37 +00:00
if (priv->w_buf)
free(priv->w_buf);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if (priv->offCardCertURL)
free(priv->offCardCertURL);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
for (i = 0; i < PIV_OBJ_LAST_ENUM - 1; i++) {
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"DEE freeing #%d, 0x%02x %p:%"SC_FORMAT_LEN_SIZE_T"u %p:%"SC_FORMAT_LEN_SIZE_T"u",
i, priv->obj_cache[i].flags,
priv->obj_cache[i].obj_data,
priv->obj_cache[i].obj_len,
priv->obj_cache[i].internal_obj_data,
priv->obj_cache[i].internal_obj_len);
Douglas E. Engert: major update for the PIV smartcard. The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, So the previous version tried to put off as long as possible the reading of objects for performance so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger then the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file. Change are to card-piv.c and pkcs15-piv.c and include: * The old cache code which was not working was removed. * New cache code was added which caches all object read from the card * If an object has a cert, the cert is decompressed and also cached. * As part of reading an object the first 8 bytes are read and this is then used to allocate a large buffer to read in the object. * If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length. * If piv_select_file is called with the file_out != NULL the object will be read to get the length If called with NULL it will not be read. * The enumeration of the objects now starts with 0. * sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are are a by product of not having a directory. * "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
if (priv->obj_cache[i].obj_data)
free(priv->obj_cache[i].obj_data);
if (priv->obj_cache[i].internal_obj_data)
free(priv->obj_cache[i].internal_obj_data);
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
free(priv);
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
card->drv_data = NULL; /* priv */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
return 0;
}
static int piv_match_card(sc_card_t *card)
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
{
PIV completely separate piv_match_card from piv_init In order to satisfy some concerns over the use of <card>_match_card and <card>_init, this modification will do that at the cost of additional overhead of repeating some card commands. Hopefully this commit will not be needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-02-28 19:49:14 +00:00
int r = 0;
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
/* piv_match_card may be called with card->type, set by opensc.conf */
/* user provide card type must be one we know */
switch (card->type) {
case -1:
case SC_CARD_TYPE_PIV_II_GENERIC:
case SC_CARD_TYPE_PIV_II_HIST:
case SC_CARD_TYPE_PIV_II_NEO:
case SC_CARD_TYPE_PIV_II_YUBIKEY4:
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
case SC_CARD_TYPE_PIV_II_GI_DE:
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
break;
default:
return 0; /* can not handle the card */
}
/* its one we know, or we can test for it in piv_init */
PIV completely separate piv_match_card from piv_init In order to satisfy some concerns over the use of <card>_match_card and <card>_init, this modification will do that at the cost of additional overhead of repeating some card commands. Hopefully this commit will not be needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-02-28 19:49:14 +00:00
/*
* We will call piv_match_card_continued here then
* again in piv_init to avoid any issues with passing
* anything from piv_match_card
* to piv_init as had been done in the past
*/
r = piv_match_card_continued(card);
if (r == 1) {
/* clean up what we left in card */
sc_unlock(card);
piv_finish(card);
}
return r;
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
}
static int piv_match_card_continued(sc_card_t *card)
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
{
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
int i, i7e, k;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
size_t j;
u8 *p, *pe;
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
sc_file_t aidfile;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
int type = -1;
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
piv_private_data_t *priv = NULL;
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
int saved_type = card->type;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
full piv update by Thomas harning Jr. and David E. Engert, adding compression etc. Also enables opensc to be compiled with and without zlib support. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3125 c6295689-39f2-0310-b995-f0e70906c6a9
2007-03-10 10:46:32 +00:00
/* Since we send an APDU, the card's logout function may be called...
* however it may be in dirty memory */
card->ops->logout = NULL;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* piv_match_card may be called with card->type, set by opensc.conf */
/* user provide card type must be one we know */
switch (card->type) {
case -1:
case SC_CARD_TYPE_PIV_II_GENERIC:
case SC_CARD_TYPE_PIV_II_HIST:
case SC_CARD_TYPE_PIV_II_NEO:
case SC_CARD_TYPE_PIV_II_YUBIKEY4:
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
case SC_CARD_TYPE_PIV_II_GI_DE:
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
type = card->type;
break;
default:
return 0; /* can not handle the card */
}
if (type == -1) {
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/*
*try to identify card by ATR or historical data in ATR
* currently all PIV card will respond to piv_find_aid
* the same. But in future may need to know card type first,
* so do it here.
*/
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
if (card->reader->atr_info.hist_bytes != NULL) {
if (card->reader->atr_info.hist_bytes_len == 8 &&
!(memcmp(card->reader->atr_info.hist_bytes, "Yubikey4", 8))) {
type = SC_CARD_TYPE_PIV_II_YUBIKEY4;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
else if (card->reader->atr_info.hist_bytes_len >= 7 &&
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
!(memcmp(card->reader->atr_info.hist_bytes, "Yubikey", 7))) {
type = SC_CARD_TYPE_PIV_II_NEO;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
}
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
/*
* https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1239.pdf
* lists 2 ATRS with historical bytes:
* 73 66 74 65 2D 63 64 30 38 30
* 73 66 74 65 20 63 64 31 34 34
* will check for 73 66 74 65
*/
else if (card->reader->atr_info.hist_bytes_len >= 4 &&
!(memcmp(card->reader->atr_info.hist_bytes, "sfte", 4))) {
type = SC_CARD_TYPE_PIV_II_GI_DE;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
else if (card->reader->atr_info.hist_bytes[0] == 0x80u) { /* compact TLV */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
p = card->reader->atr_info.hist_bytes;
pe = p + card->reader->atr_info.hist_bytes_len;
p++; /* skip 0x80u byte */
while (p < pe && type == -1) {
j = *p & 0x0fu; /* length */
if ((*p++ & 0xf0u) == 0xf0u) { /*looking for 15 */
if ((p + j) <= pe) {
for (k = 0; piv_aids[k].len_long != 0; k++) {
if (j == piv_aids[k].len_long
&& !memcmp(p, piv_aids[k].value,j)) {
type = SC_CARD_TYPE_PIV_II_HIST;
break;
}
}
}
}
p += j;
}
}
}
if (type == -1)
type = SC_CARD_TYPE_PIV_II_GENERIC;
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/* allocate and init basic fields */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
Do not cast the return value of malloc(3) and calloc(3) From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety " Casting and type safety malloc returns a void pointer (void *), which indicates that it is a pointer to a region of unknown data type. One may "cast" (see type conversion) this pointer to a specific type, as in int *ptr = (int*)malloc(10 * sizeof (int)); When using C, this is considered bad practice; it is redundant under the C standard. Moreover, putting in a cast may mask failure to include the header stdlib.h, in which the prototype for malloc is found. In the absence of a prototype for malloc, the C compiler will assume that malloc returns an int, and will issue a warning in a context such as the above, provided the error is not masked by a cast. On certain architectures and data models (such as LP64 on 64 bit systems, where long and pointers are 64 bit and int is 32 bit), this error can actually result in undefined behavior, as the implicitly declared malloc returns a 32 bit value whereas the actually defined function returns a 64 bit value. Depending on calling conventions and memory layout, this may result in stack smashing. The returned pointer need not be explicitly cast to a more specific pointer type, since ANSI C defines an implicit conversion between the void pointer type and other pointers to objects. An explicit cast of malloc's return value is sometimes performed because malloc originally returned a char *, but this cast is unnecessary in standard C code.[4][5] Omitting the cast, however, creates an incompatibility with C++, which does require it. The lack of a specific pointer type returned from malloc is type-unsafe behaviour: malloc allocates based on byte count but not on type. This distinguishes it from the C++ new operator that returns a pointer whose type relies on the operand. (see C Type Safety). " See also http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
priv = calloc(1, sizeof(piv_private_data_t));
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
if (!priv)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
if (card->type == -1)
card->type = type;
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
card->drv_data = priv; /* will free if no match, or pass on to piv_init */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
priv->aid_file = sc_file_new();
priv->selected_obj = -1;
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
priv->pin_preference = 0x80; /* 800-73-3 part 1, table 3 */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
priv->logged_in = SC_PIN_STATE_UNKNOWN;
priv->tries_left = 10; /* will assume OK at start */
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
priv->pstate = PIV_STATE_MATCH;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
/* Some objects will only be present if History object says so */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
for (i=0; i < PIV_OBJ_LAST_ENUM -1; i++)
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
if(piv_objects[i].flags & PIV_OBJECT_NOT_PRESENT)
priv->obj_cache[i].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
sc_lock(card);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/*
* detect if active AID is PIV. NIST 800-73 says Only one PIV application per card
* and PIV must be the default application
* This can avoid doing doing a select_aid and losing the login state on some cards
* We may get interference on some cards by other drivers trying SELECT_AID before
* we get to see if PIV application is still active.
* putting PIV driver first might help.
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
* This may fail if the wrong AID is active
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
*/
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
i = piv_find_discovery(card);
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
if (i < 0) {
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
/* Detect by selecting applet */
i = piv_find_aid(card, &aidfile);
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
}
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
if (i >= 0) {
/*
* We now know PIV AID is active, test DISCOVERY object
* Some CAC cards with PIV don't support DISCOVERY and return
* SC_ERROR_INCORRECT_PARAMETERS. Any error other then
* SC_ERROR_FILE_NOT_FOUND means we cannot use discovery
* to test for active AID.
*/
i7e = piv_find_discovery(card);
if (i7e != 0 && i7e != SC_ERROR_FILE_NOT_FOUND) {
priv->card_issues |= CI_DISCOVERY_USELESS;
priv->obj_cache[PIV_OBJ_DISCOVERY].flags |= PIV_OBJ_CACHE_NOT_PRESENT;
}
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
if (i < 0) {
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
/* don't match. Does not have a PIV applet. */
sc_unlock(card);
PIV completely separate piv_match_card from piv_init In order to satisfy some concerns over the use of <card>_match_card and <card>_init, this modification will do that at the cost of additional overhead of repeating some card commands. Hopefully this commit will not be needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-02-28 19:49:14 +00:00
piv_finish(card);
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
card->type = saved_type;
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
return 0;
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
}
PIV completely separate piv_match_card from piv_init In order to satisfy some concerns over the use of <card>_match_card and <card>_init, this modification will do that at the cost of additional overhead of repeating some card commands. Hopefully this commit will not be needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-02-28 19:49:14 +00:00
/* Matched, caller will use or free priv and sc_lock as needed */
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
priv->pstate=PIV_STATE_INIT;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
return 1; /* match */
}
static int piv_init(sc_card_t *card)
{
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
int r = 0;
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
piv_private_data_t * priv = NULL;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
sc_apdu_t apdu;
unsigned long flags;
unsigned long ext_flags;
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
u8 yubico_version_buf[3];
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
/* continue the matching get a lock and the priv */
r = piv_match_card_continued(card);
if (r != 1) {
sc_log(card->ctx,"piv_match_card_continued failed");
piv_finish(card);
/* tell sc_connect_card to try other drivers */
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_CARD);
}
priv = PIV_DATA(card);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
/* can not force the PIV driver to use non-PIV cards as tested in piv_card_match_continued */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
if (!priv || card->type == -1)
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_CARD);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
Fix log messages format and parameter issues flagged by GCC Since "Add GCC format checking attributes to log functions" commit GCC warns us about problems with format strings and their arguments provided to OpenSC message logging functions. This commit fixes all cases where GCC warned about incorrect format on 64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled). Well, almost all since on mingw GCC does not recognize "ll" size specifier (present at least since Visual Studio 2005, also in mingw own CRT) so these (few) warnings about it remain. In most cases format size specifier for size_t type was missing (usually size was left at default int level, with is different on 64-bit x86). Some formats had too few / too many arguments. In some cases pointers were printed as integers. Some long variables were missing "l" prefix (especially with regard to %x format). Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-14 19:02:30 +00:00
sc_log(card->ctx,
"Max send = %"SC_FORMAT_LEN_SIZE_T"u recv = %"SC_FORMAT_LEN_SIZE_T"u card->type = %d",
card->max_send_size, card->max_recv_size, card->type);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
card->cla = 0x00;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
if(card->name == NULL)
PIV: use better long name
2018-01-29 21:14:53 +00:00
card->name = card->driver->name;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/*
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
* Set card_issues based on card type either set by piv_match_card or by opensc.conf
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
*/
switch(card->type) {
case SC_CARD_TYPE_PIV_II_NEO:
case SC_CARD_TYPE_PIV_II_YUBIKEY4:
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xFD, 0x00, 0x00);
apdu.lc = 0;
apdu.data = NULL;
apdu.datalen = 0;
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
apdu.resp = yubico_version_buf;
apdu.resplen = sizeof(yubico_version_buf);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
apdu.le = apdu.resplen;
r = sc_transmit_apdu(card, &apdu);
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
priv->yubico_version = (yubico_version_buf[0]<<16) | (yubico_version_buf[1] <<8) | yubico_version_buf[2];
sc_log(card->ctx, "Yubico card->type=%d, r=0x%08x version=0x%08x", card->type, r, priv->yubico_version);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
break;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
/*
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
* Set card_issues flags based card->type and version numbers if available.
*
* YubiKey NEO, Yubikey 4 and other devices with PIV applets, have compliance
* issues with the NIST 800-73-3 specs. The OpenSC developers do not have
* access to all the different devices or versions of the devices.
* Vendor and user input is welcome on any compliance issues.
*
* For the Yubico devices The assumption is also made that if a bug is
* fixed in a Yubico version that means it is fixed on both NEO and Yubikey 4.
*
* The flags CI_CANT_USE_GETDATA_FOR_STATE and CI_DISCOVERY_USELESS
* may be set earlier or later then in the following code.
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
*/
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
switch(card->type) {
case SC_CARD_TYPE_PIV_II_NEO:
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
priv->card_issues |= CI_NO_EC384
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
| CI_VERIFY_630X
| CI_OTHER_AID_LOSE_STATE
| CI_LEAKS_FILE_NOT_FOUND
| CI_NFC_EXPOSE_TOO_MUCH;
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
if (priv->yubico_version < 0x00040302)
Yubico PIV application fixed CI_VERIFY_LC0_FAIL in version 4.3.2 Also add PIV card types to sc_pkcs15_is_emulation_only On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/pkcs15-syn.c
2018-01-29 01:15:40 +00:00
priv->card_issues |= CI_VERIFY_LC0_FAIL;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
break;
case SC_CARD_TYPE_PIV_II_YUBIKEY4:
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
priv->card_issues |= CI_OTHER_AID_LOSE_STATE
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
| CI_LEAKS_FILE_NOT_FOUND;
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
if (priv->yubico_version < 0x00040302)
Yubico PIV application fixed CI_VERIFY_LC0_FAIL in version 4.3.2 Also add PIV card types to sc_pkcs15_is_emulation_only On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/pkcs15-syn.c
2018-01-29 01:15:40 +00:00
priv->card_issues |= CI_VERIFY_LC0_FAIL;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
break;
case SC_CARD_TYPE_PIV_II_HIST:
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
priv->card_issues |= 0;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
break;
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
case SC_CARD_TYPE_PIV_II_GI_DE:
priv->card_issues |= CI_VERIFY_LC0_FAIL
| CI_PIV_AID_LOSE_STATE
| CI_OTHER_AID_LOSE_STATE;;
/* TODO may need more research */
break;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
case SC_CARD_TYPE_PIV_II_GENERIC:
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
priv->card_issues |= CI_VERIFY_LC0_FAIL
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
| CI_OTHER_AID_LOSE_STATE;
Yubico PIV application fixed CI_VERIFY_LC0_FAIL in version 4.3.2 Also add PIV card types to sc_pkcs15_is_emulation_only On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/pkcs15-syn.c
2018-01-29 01:15:40 +00:00
/* TODO may need more research */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
break;
default:
priv->card_issues = 0; /* opensc.conf may have it wrong, continue anyway */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Unknown PIV card->type %d", card->type);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
card->type = SC_CARD_TYPE_PIV_II_BASE;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "PIV card-type=%d card_issues=0x%08x", card->type, priv->card_issues);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
piv: logout place holder Until a full logout function can be implemented, return SC_ERROR_NOT_SUPPORTED closes #832
2016-07-24 18:37:46 +00:00
priv->enumtag = piv_aids[0].enumtag;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/* PKCS#11 may try to generate session keys, and get confused
* if SC_ALGORITHM_ONBOARD_KEY_GEN is present
* piv-tool can still do this, just don't tell PKCS#11
*/
flags = SC_ALGORITHM_RSA_RAW;
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
_sc_card_add_rsa_alg(card, 1024, flags, 0); /* mandatory */
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
_sc_card_add_rsa_alg(card, 2048, flags, 0); /* optional */
_sc_card_add_rsa_alg(card, 3072, flags, 0); /* optional */
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
register CKM_ECDSA and CKM_ECDSA_SHA1 depending on card capabilities fix #429
2015-05-08 18:41:47 +00:00
flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ECDSA_HASH_NONE;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
Modifications to support EC and ECDSA for emulated cards. True PKCS#15 cards with EC will need additional changes. Main changes are in framework-pkcs15.c, mechanism.c, padding.c, pkcs15-algo.c and pkcs15-sec.c where switch statements for key type, and testing of flags was modified to make it easier to add additional key types in the future. The code was tested using RSA and ECDSA using a PIV card from pkcs11-tool, OpenSSL and Thunderbird with modifications to NSS-3.12.7 to get ECDSA to sign e-mail. Only named curves are supported for ECDSA, ECDH is still needed. pkcs11-tool has only minimal changes need to work with the -O option to list EC keys. One additional line was added to pkcs15-sec.c which should get GOSTR sign to work. libp11 and engine do not yet have EC support. --This line, and those below, will be ignored-- M src/tools/piv-tool.c M src/tools/pkcs11-tool.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-object.c M src/libopensc/pkcs15-prkey.c M src/libopensc/card-piv.c M src/libopensc/padding.c M src/libopensc/cardctl.h M src/libopensc/pkcs15-algo.c M src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-sec.c git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
2010-12-01 20:08:42 +00:00
introduce EC curve OID into algorithm info data needed to store information about EC curve supported by card. Primary usage is when importing/generating key to get know if particular curve is supported by card.
2015-02-14 16:47:59 +00:00
_sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
if (!(priv->card_issues & CI_NO_EC384))
_sc_card_add_ec_alg(card, 384, flags, ext_flags, NULL);
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* TODO may turn off SC_CARD_CAP_ISO7816_PIN_INFO later */
Leniently interpret the ISO7816 return codes in card-piv.c This adds support for the Yubikey NEO. I'm not sure whether it breaks the specification, or follows some other version of the spec, but in my testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining. Ignoring the top nibble seems a harmless change to the behaviour to support this device.
2015-08-23 21:33:50 +00:00
card->caps |= SC_CARD_CAP_RNG | SC_CARD_CAP_ISO7816_PIN_INFO;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
/*
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
* 800-73-3 cards may have a history object and/or a discovery object
* We want to process them now as this has information on what
* keys and certs the card has and how the pin might be used.
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* If they fail, ignore it there are optional and introduced in
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
* NIST 800-73-3 and NIST 800-73-2 so some older cards may
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* not handle the request.
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
*/
fixed dead assignment
2017-10-31 09:12:12 +00:00
piv_process_history(card);
PIV support for NIST 800-73-3 objects, PIV driver client can build and run without OpenSSL, (admin functions and piv-tool still need OpenSSL) define PIV specific ctrl codes and structures. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
2010-09-24 20:37:22 +00:00
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
piv_process_discovery(card);
fixed dead assignment
2017-10-31 09:12:12 +00:00
Requested changed to not rely on success *_match_card being followed by *_init As requested and as the alternative solution see: https://github.com/OpenSC/OpenSC/pull/1256#issuecomment-365319444 In order to not pass a card lock and the card->drv_data from piv_match_card piv_match_card is split in 2 parts. the piv_match_card_continued is called from piv_init. piv_init may now return with SC_ERROR_INVALID_CARD to single to sc_connect_card to look for additional drivers. Cosmetic change to indicate neo_version is really a Yubico version. Change wording on the comments when setting card_issues. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-13 21:54:38 +00:00
r = 0;
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
priv->pstate=PIV_STATE_NORMAL;
sc_unlock(card) ; /* obtained in piv_match */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
}
Leniently interpret the ISO7816 return codes in card-piv.c This adds support for the Yubikey NEO. I'm not sure whether it breaks the specification, or follows some other version of the spec, but in my testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining. Ignoring the top nibble seems a harmless change to the behaviour to support this device.
2015-08-23 21:33:50 +00:00
static int piv_check_sw(struct sc_card *card, unsigned int sw1, unsigned int sw2)
{
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
int r;
piv_private_data_t * priv = PIV_DATA(card);
Leniently interpret the ISO7816 return codes in card-piv.c This adds support for the Yubikey NEO. I'm not sure whether it breaks the specification, or follows some other version of the spec, but in my testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining. Ignoring the top nibble seems a harmless change to the behaviour to support this device.
2015-08-23 21:33:50 +00:00
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* may be called before piv_init has allocated priv */
if (priv) {
/* need to save sw1 and sw2 if trying to determine card_state from pin_cmd */
if (priv->pin_cmd_verify) {
priv->pin_cmd_verify_sw1 = sw1;
priv->pin_cmd_verify_sw2 = sw2;
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
} else {
/* a command has completed and it is not verify */
/* If we are in a context_specific sequence, unlock */
if (priv->context_specific) {
sc_log(card->ctx,"Clearing CONTEXT_SPECIFIC lock");
priv->context_specific = 0;
sc_unlock(card);
}
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
}
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
if (priv->card_issues & CI_VERIFY_630X) {
Leniently interpret the ISO7816 return codes in card-piv.c This adds support for the Yubikey NEO. I'm not sure whether it breaks the specification, or follows some other version of the spec, but in my testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining. Ignoring the top nibble seems a harmless change to the behaviour to support this device.
2015-08-23 21:33:50 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
/* Handle the Yubikey NEO or any other PIV card which returns in response to a verify
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
* 63 0X rather than 63 CX indicate the number of remaining PIN retries.
* Perhaps they misread the spec and thought 0xCX meant "clear" or "don't care", not a literal 0xC!
*/
if (priv->pin_cmd_verify && sw1 == 0x63U) {
priv->pin_cmd_verify_sw2 |= 0xC0U; /* make it easier to test in other code */
if ((sw2 & ~0x0fU) == 0x00U) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "Verification failed (remaining tries: %d)", (sw2 & 0x0f));
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
return SC_ERROR_PIN_CODE_INCORRECT;
/* this is what the iso_check_sw returns for 63 C0 */
}
}
}
}
r = iso_drv->ops->check_sw(card, sw1, sw2);
return r;
Leniently interpret the ISO7816 return codes in card-piv.c This adds support for the Yubikey NEO. I'm not sure whether it breaks the specification, or follows some other version of the spec, but in my testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining. Ignoring the top nibble seems a harmless change to the behaviour to support this device.
2015-08-23 21:33:50 +00:00
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_check_protected_objects(sc_card_t *card)
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
{
int r = 0;
int i;
piv_private_data_t * priv = PIV_DATA(card);
u8 buf[8]; /* tag of 53 with 82 xx xx will fit in 4 */
u8 * rbuf;
size_t buf_len;
static int protected_objects[] = {PIV_OBJ_PI, PIV_OBJ_CHF, PIV_OBJ_IRIS_IMAGE};
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_CALLED(card->ctx);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/*
* routine only called from piv_pin_cmd after verify lc=0 did not return 90 00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
* We will test for a protected object using GET DATA.
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
*
* Based on observations, of cards using the GET DATA APDU,
* SC_ERROR_SECURITY_STATUS_NOT_SATISFIED means the PIN not verified,
* SC_SUCCESS means PIN has been verified even if it has length 0
* SC_ERROR_FILE_NOT_FOUND (which is the bug) does not tell us anything
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
* about the state of the PIN and we will try the next object.
*
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
* If we can't determine the security state from this process,
* set card_issues CI_CANT_USE_GETDATA_FOR_STATE
* and return SC_ERROR_PIN_CODE_INCORRECT
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* The circumvention is to add a dummy Printed Info object in the card.
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
* so we will have an object to test.
*
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
* We save the object's number to use in the future.
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
*
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
*/
if (priv->object_test_verify == 0) {
for (i = 0; i < (int)(sizeof(protected_objects)/sizeof(int)); i++) {
buf_len = sizeof(buf);
priv->pin_cmd_noparse = 1; /* tell piv_general_io dont need to parse at all. */
rbuf = buf;
r = piv_get_data(card, protected_objects[i], &rbuf, &buf_len);
priv->pin_cmd_noparse = 0;
/* TODO may need to check sw1 and sw2 to see what really happened */
if (r >= 0 || r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
/* we can use this object next time if needed */
priv->object_test_verify = protected_objects[i];
break;
}
}
if (priv->object_test_verify == 0) {
/*
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
* none of the objects returned acceptable sw1, sw2
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
*/
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "No protected objects found, setting CI_CANT_USE_GETDATA_FOR_STATE");
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
priv->card_issues |= CI_CANT_USE_GETDATA_FOR_STATE;
r = SC_ERROR_PIN_CODE_INCORRECT;
}
} else {
/* use the one object we found earlier. Test is security status has changed */
buf_len = sizeof(buf);
priv->pin_cmd_noparse = 1; /* tell piv_general_io dont need to parse at all. */
rbuf = buf;
r = piv_get_data(card, priv->object_test_verify, &rbuf, &buf_len);
priv->pin_cmd_noparse = 0;
}
if (r == SC_ERROR_FILE_NOT_FOUND)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = SC_ERROR_PIN_CODE_INCORRECT;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
else if (r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED)
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
r = SC_ERROR_PIN_CODE_INCORRECT;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
else if (r > 0)
r = SC_SUCCESS;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "object_test_verify=%d, card_issues = 0x%08x", priv->object_test_verify, priv->card_issues);
LOG_FUNC_RETURN(card->ctx, r);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
}
Leniently interpret the ISO7816 return codes in card-piv.c This adds support for the Yubikey NEO. I'm not sure whether it breaks the specification, or follows some other version of the spec, but in my testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining. Ignoring the top nibble seems a harmless change to the behaviour to support this device.
2015-08-23 21:33:50 +00:00
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
static int
piv_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left)
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
{
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
int r = 0;
piv_private_data_t * priv = PIV_DATA(card);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
/* Extra validation of (new) PIN during a PIN change request, to
* ensure it's not outside the FIPS 201 4.1.6.1 (numeric only) and
* FIPS 140-2 (6 character minimum) requirements.
*/
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "piv_pin_cmd tries_left=%d, logged_in=%d", priv->tries_left, priv->logged_in);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
if (data->cmd == SC_PIN_CMD_CHANGE) {
int i = 0;
if (data->pin2.len < 6) {
return SC_ERROR_INVALID_PIN_LENGTH;
}
for(i=0; i < data->pin2.len; ++i) {
if (!isdigit(data->pin2.data[i])) {
return SC_ERROR_INVALID_DATA;
}
}
}
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
priv->pin_cmd_verify_sw1 = 0x00U;
if (data->cmd == SC_PIN_CMD_GET_INFO) { /* fill in what we think it should be */
data->pin1.logged_in = priv->logged_in;
data->pin1.tries_left = priv->tries_left;
if (tries_left)
*tries_left = priv->tries_left;
card-piv: Fix Thunderbird and SC_PIN_CMD_GET_INFO Fixes https://github.com/OpenSC/OpenSC/issues/1071 Closes https://github.com/OpenSC/OpenSC/pull/1072
2017-06-21 08:43:52 +00:00
if (priv->logged_in == SC_PIN_STATE_LOGGED_IN) {
/* Avoid status requests when the user is logged in to handle NIST
* 800-73-4 Part 2:
* The PKI cryptographic function (see Table 4b) is protected with
* a PIN Always or OCC Always access rule. In other words, the
* PIN or OCC data must be submitted and verified every time
* immediately before a digital signature key operation. This
* ensures cardholder participation every time the private key is
* used for digital signature generation */
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
}
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
/*
* If this was for a CKU_CONTEXT_SPECFIC login, lock the card one more time.
* to avoid any interference from other applications.
* Sc_unlock will be called at a later time after the next card command
* that should be a crypto operation. If its not then it is a error by the
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* calling application.
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
*/
if (data->cmd == SC_PIN_CMD_VERIFY && data->pin_type == SC_AC_CONTEXT_SPECIFIC) {
priv->context_specific = 1;
sc_log(card->ctx,"Starting CONTEXT_SPECIFIC verify");
sc_lock(card);
}
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
priv->pin_cmd_verify = 1; /* tell piv_check_sw its a verify to save sw1, sw2 */
r = iso_drv->ops->pin_cmd(card, data, tries_left);
priv->pin_cmd_verify = 0;
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
/* if verify failed, release the lock */
if (data->cmd == SC_PIN_CMD_VERIFY && r < 0 && priv->context_specific) {
sc_log(card->ctx,"Clearing CONTEXT_SPECIFIC");
priv->context_specific = 0;
sc_unlock(card);
}
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* if access to applet is know to be reset by other driver we select_aid and try again */
if ( priv->card_issues & CI_OTHER_AID_LOSE_STATE && priv->pin_cmd_verify_sw1 == 0x6DU) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "AID may be lost doing piv_find_aid and retry pin_cmd");
fixed dead assignment
2017-10-31 09:12:12 +00:00
piv_find_aid(card, priv->aid_file); /* return not tested */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
priv->pin_cmd_verify = 1; /* tell piv_check_sw its a verify to save sw1, sw2 */
r = iso_drv->ops->pin_cmd(card, data, tries_left);
priv->pin_cmd_verify = 0;
}
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
/* If verify worked, we are logged_in */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
if (data->cmd == SC_PIN_CMD_VERIFY) {
if (r >= 0)
priv->logged_in = SC_PIN_STATE_LOGGED_IN;
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
else
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
priv->logged_in = SC_PIN_STATE_LOGGED_OUT;
}
/* Some cards never return 90 00 for SC_PIN_CMD_GET_INFO even if the card state is verified */
/* PR 797 has changed the return codes from pin_cmd, and added a data->pin1.logged_in flag */
if (data->cmd == SC_PIN_CMD_GET_INFO) {
if (priv->card_issues & CI_CANT_USE_GETDATA_FOR_STATE) {
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "CI_CANT_USE_GETDATA_FOR_STATE set, assume logged_in=%d", priv->logged_in);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
data->pin1.logged_in = priv->logged_in; /* use what ever we saw last */
} else if (priv->card_issues & CI_VERIFY_LC0_FAIL
&& priv->pin_cmd_verify_sw1 == 0x63U ) { /* can not use modified return codes from iso->drv->pin_cmd */
/* try another method, looking at a protected object this may require adding one of these to NEO */
r = piv_check_protected_objects(card);
if (r == SC_SUCCESS)
data->pin1.logged_in = SC_PIN_STATE_LOGGED_IN;
else if (r == SC_ERROR_PIN_CODE_INCORRECT) {
if (priv->card_issues & CI_CANT_USE_GETDATA_FOR_STATE) { /* we still can not determine login state */
data->pin1.logged_in = priv->logged_in; /* may have be set from SC_PIN_CMD_VERIFY */
/* TODO a reset may have logged us out. need to detect resets */
} else {
data->pin1.logged_in = SC_PIN_STATE_LOGGED_OUT;
}
r = SC_SUCCESS;
}
}
priv->logged_in = data->pin1.logged_in;
priv->tries_left = data->pin1.tries_left;
}
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
sc_log(card->ctx, "piv_pin_cmd tries_left=%d, logged_in=%d",priv->tries_left, priv->logged_in);
LOG_FUNC_RETURN(card->ctx, r);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
}
static int piv_logout(sc_card_t *card)
{
piv: logout place holder Until a full logout function can be implemented, return SC_ERROR_NOT_SUPPORTED closes #832
2016-07-24 18:37:46 +00:00
int r = SC_ERROR_NOT_SUPPORTED; /* TODO Some PIV cards may support a logout */
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* piv_private_data_t * priv = PIV_DATA(card); */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_CALLED(card->ctx);
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
/* TODO 800-73-3 does not define a logout, 800-73-4 does */
piv: coding style, use short log calls
2016-07-24 18:38:53 +00:00
LOG_FUNC_RETURN(card->ctx, r);
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/*
* Called when a sc_lock gets a reader lock and PCSC SCardBeginTransaction
* If SCardBeginTransaction may pass back tha a card reset was seen since
* the last transaction completed.
* There may have been one or more resets, by other card drivers in different
* processes, and they may have taken action already
* and changed the AID and or may have sent a VERIFY with PIN
* So test the state of the card.
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
* this is very similar to what the piv_match routine does,
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
*/
piv: add a piv_card_reader_lock_obtained function When sc_lock obtains a reader lock this function is called If the card was reset the PIV AID is seletcted and logged_in is reset. This is need for some PIV cards where the default AID is not the PIV AID and some other process has reset the card. closes #842
2016-07-30 13:52:36 +00:00
static int piv_card_reader_lock_obtained(sc_card_t *card, int was_reset)
{
int r = 0;
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
u8 temp[256];
piv: add a piv_card_reader_lock_obtained function When sc_lock obtains a reader lock this function is called If the card was reset the PIV AID is seletcted and logged_in is reset. This is need for some PIV cards where the default AID is not the PIV AID and some other process has reset the card. closes #842
2016-07-30 13:52:36 +00:00
size_t templen = sizeof(temp);
piv_private_data_t * priv = PIV_DATA(card); /* may be null */
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/* We have a PCSC transaction and sc_lock */
if (priv == NULL || priv->pstate == PIV_STATE_MATCH) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
priv ? "PIV_STATE_MATCH" : "priv==NULL");
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
r = 0; /* do nothing, piv_match will take care of it */
goto err;
piv: add a piv_card_reader_lock_obtained function When sc_lock obtains a reader lock this function is called If the card was reset the PIV AID is seletcted and logged_in is reset. This is need for some PIV cards where the default AID is not the PIV AID and some other process has reset the card. closes #842
2016-07-30 13:52:36 +00:00
}
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
/* can we detect and then select the PIV AID without losing the login state? */
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
if ((priv->card_issues & CI_DISCOVERY_USELESS)
&& (priv->card_issues & CI_PIV_AID_LOSE_STATE)) {
fix typos Mass-typo fixing, almost exclusively in comments and text strings. While at it also fixed a few (very few) grammar errors.
2018-04-14 17:38:34 +00:00
r = 0; /* do nothing, hope card was not interfered with */
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
goto err;
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/* make sure our application is active */
Inform pkcs15 and card drivers of PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC)" Framework-pkcs15.c will now set pin_info->auth_method to SC_AC_CONTEXT_SPECIFIC iso7816.c iso7816_build_pin_apdu treats this the same as SC_AC_CHV card-piv.c piv_pin_cmd sets priv->xcontext_specific=1 and calls sc_lock before the verify command. If the verify fails sc_unlock is called. Later after the next card command returns, if priv->context_specific==1 piv_check_sw will call sc_unlock as the application may not have requested the crypto but some other command. Some additional calls to sc_lock and sc_unlock have been added to make sure PIV internal command sequences including the crypto command ('87') and any get responses are always protected by a lock. This guarantees the card is locked for verify and the next command which should be the crypto operation. The PIV card also inforces this restriction on the card. This is based on suggestions in: ://github.com/OpenSC/OpenSC/pull/1256#issuecomment-361975751 On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c modified: src/libopensc/iso7816.c modified: src/libopensc/types.h modified: src/pkcs11/framework-pkcs15.c
2018-02-01 15:04:10 +00:00
/* first see if AID is active AID by reading discovery object '7E' */
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
/* If not try selecting AID */
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
/* but if x card does not support DISCOVERY object we can not use it */
if (priv->card_issues & CI_DISCOVERY_USELESS) {
r = SC_ERROR_NO_CARD_SUPPORT;
} else {
r = piv_find_discovery(card);
}
Various PIV changes Some ActivIdentity CAC/PIV cards lose the login state when selecting the PIV AID SC_CARD_TYPE_PIV_II_CAC and CI_PIV_AID_LOSE_STATE were added so piv_card_reader_lock_obtained will try and do a SELECT PIV AID. card->type is reset to its original value if piv_match_card_continued fails to match a card as PIV. pkcs15-piv.c now uses sc_card_ctl which checks card->ops->card_ctl for NULL. closes https://github.com/OpenSC/OpenSC/pull/1307 fixes https://github.com/OpenSC/OpenSC/issues/1297
2018-03-31 13:46:29 +00:00
if (r < 0) {
if (!(priv->card_issues & CI_PIV_AID_LOSE_STATE)) {
r = piv_select_aid(card, piv_aids[0].value, piv_aids[0].len_short, temp, &templen);
} else {
r = 0; /* cant do anything with this card, hope there was no interference */
}
}
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
if (r < 0) /* bad error return will show up in sc_lock as error*/
goto err;
if (was_reset > 0)
priv->logged_in = SC_PIN_STATE_UNKNOWN;
Some CAC / PIV cards do not support Discovery Object Some CAC card return '6A80` Incorrect parameters in APDU when trying to read the Discovery object. If it fails other then not found, then we can not use the Discovery object to test for the active AID. The test is done in piv_match_card just after doing a SELECT AID for the PIV. and set CI_DISCOVERY_USELESS if needed. piv_card_reader_lock_obtained will then not use the Discovery object. Some older PIV cards, prior to the introduction of the PIV Discovery and History objects, may get errors trying to read them. Ignore these errors too. Remove comment and remove code to check verify Lc=0 as requested in: https://github.com/OpenSC/OpenSC/pull/1256#pullrequestreview-96124443 They can easily be added back in. On branch piv-aid-discovery Changes to be committed: modified: src/libopensc/card-piv.c
2018-02-09 02:08:43 +00:00
r = 0;
PIV detection of AID using Discovery Object before doing select AID Many OpenSC drivers try and detect during match if the card supports their AID by doing a SELECT FILE for the AID. But this can cause problems with cards such as Yubico that do not ignore SELECT AID commands for applications they do not support. Other cards may have the same problems. Selecting the wrong AID can also lose the security state. The card-piv.c will now uses the GET DATA to read the PIV Discovery Object '7E' which is a ISO standard template that will contain the AID of the currently active application. The driver will then double check that the template is for the PIV application. If the template contains the PIV AID, then no SELECT AID is done. PIV standards say there can only be one PIV application on a card. PIV standards also say PIV must be the the default application, but Yubico does not follow this. The command fails only then will a SELECT AID be done. Thus this can avoid the Yubico problem. This logic is used in both "match" and in the piv_card_reader_lock_obtained routine. Additional logic was in piv_card_reader_lock_obtained was added to handle when the card reset was received by some other program. Multiple programs may be trying to use the PIV application on the card, and thus multiple programs will all receive that the card was reset. The first program to receive the card was reset will do all of the above logic, and may leave the card in a state will cause other programs to not have to do much at all. The intent of all of this is to avoid sending extra commands to the card including SELECT AID that could change the card state when not needed. On branch piv-aid-discovery Changes to be committed: modified: card-piv.c
2018-01-29 16:37:47 +00:00
err:
piv: add a piv_card_reader_lock_obtained function When sc_lock obtains a reader lock this function is called If the card was reset the PIV AID is seletcted and logged_in is reset. This is need for some PIV cards where the default AID is not the PIV AID and some other process has reset the card. closes #842
2016-07-30 13:52:36 +00:00
LOG_FUNC_RETURN(card->ctx, r);
}
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
static struct sc_card_driver * sc_get_driver(void)
{
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
piv_ops = *iso_drv->ops;
piv_ops.match_card = piv_match_card;
piv_ops.init = piv_init;
piv_ops.finish = piv_finish;
PIV: pickup card driver from the SM branch ... where it was tested by Douglas.
2012-05-30 17:40:05 +00:00
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
piv_ops.select_file = piv_select_file; /* must use get/put, could emulate? */
piv_ops.get_challenge = piv_get_challenge;
PIV and PIV-Want-To-Be Issues Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some of the issues. OpenSC developers don't have access to all the different versions of devices or access to release notes for the devices to see when a bug was introduced and when it is fixed. To make OpenSC code changes easier, the code is divided into four sections: (1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR. For the Yubico devices read their version number and log it via sc_debug. (2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment. See below. (3) based on the card->type and possibly Yubico version set the priv->card_issues flags that apply to current card or device. (4) Implement in the code changes needed for each issue. Other issues can be added. As more info is obtained (3) can be updated using the version number as needed. The card issues are: CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after first PIN verify if protected object can be used instead CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0 CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3 CI_NO_RSA2048 - does not have RSA 2048 CI_NO_EC384 - does not have EC 384 The piv_card_match and piv_init interactions were cleaned up. Changes to be committed: modified: card-piv.c modified: cards.h
2016-07-04 19:44:29 +00:00
piv_ops.logout = piv_logout;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
piv_ops.read_binary = piv_read_binary;
piv_ops.write_binary = piv_write_binary;
piv_ops.set_security_env = piv_set_security_env;
piv_ops.restore_security_env = piv_restore_security_env;
piv_ops.compute_signature = piv_compute_signature;
piv_ops.decipher = piv_decipher;
Leniently interpret the ISO7816 return codes in card-piv.c This adds support for the Yubikey NEO. I'm not sure whether it breaks the specification, or follows some other version of the spec, but in my testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining. Ignoring the top nibble seems a harmless change to the behaviour to support this device.
2015-08-23 21:33:50 +00:00
piv_ops.check_sw = piv_check_sw;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
piv_ops.card_ctl = piv_card_ctl;
Douglas E. Engert: Major improvments in the PIV card modules: * OpenSC-0.11.2 only supported RSA 1K keys, the patch supports RSA 2K and 3K keys. * The FASC-N in the CHUID object is used as the card serial number. * A PIV card may have additional objects. These can now be read by pkcs11-tool and pkcs15-tool. * The p15card-helper.c module is no longer used. The code to call the sc_pkcs15emu_* routines has been moved back into pkcs15-piv.c and uses existing OpenSC routines to parse the certificate to find the modulus_len. * pkcs15-piv.c will now get the modulus_len from the certificates to store into the emulated prvkey an pubkey objects as they are being created using the sc_pkcs15emu_* routines. * The caching code that was added to card-piv.c in 0.11.2 is disabled, as pkcs15-piv.c will cache the certificate using existing OpenSC routines. * piv-tool will now print a serial number. * The key-usage bits for prvkey and pubkey objects are set in pkcs15-piv.c * The PIV "9E" key was added. It is not a private object, and can be used without a PIN. It is used with the "Certificate for Card Authenticaiton". * When used with the OpenSSL engine to generate a certificate request, the public key saved by piv-tool during a "generate asymmetric key pair" card command can be read from a file pointed at by the environment variable PIV_9*_KEY. Where * is A, C, D or E. * In the card_atr section of opensc.conf, flags = 20; can be used to only show the PIV Authentication cert. This feature was in 0.11.1 but was dropped in 0.11.2 when the p15card-helper.c was introduced. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3174 c6295689-39f2-0310-b995-f0e70906c6a9
2007-06-21 07:07:49 +00:00
piv_ops.pin_cmd = piv_pin_cmd;
piv: add a piv_card_reader_lock_obtained function When sc_lock obtains a reader lock this function is called If the card was reset the PIV AID is seletcted and logged_in is reset. This is need for some PIV cards where the default AID is not the PIV AID and some other process has reset the card. closes #842
2016-07-30 13:52:36 +00:00
piv_ops.card_reader_lock_obtained = piv_card_reader_lock_obtained;
add initial PIV card support; patch supplied by Douglas E. Engert <deengert@anl.gov> git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2842 c6295689-39f2-0310-b995-f0e70906c6a9
2006-02-14 22:09:10 +00:00
return &piv_drv;
}
#if 1
struct sc_card_driver * sc_get_piv_driver(void)
{
return sc_get_driver();
}
#endif
Complete rewrite of OpenSC build system. 1. Build system now supports MinGW (Windows) compilation using msys and cross compilation. 2. Ability to explicitly disable and enable dependencies of the package. 3. openct, pcsc and nsplugins features are disabled by default. 4. Modified pcsc driver to use pcsc dynamically, no compile time dependency is required. 5. --enable-pcsc-lite configuration option renamed to --enable-pcsc. 6. Install opensc.conf file (as opensc.conf.new if opensc.conf exists). 7. Add--enable-doc configuration option, allow installing documentation into target. 8. Add --disable-man configuration option, allow msys mingw32 users to build from svn without extra dependencies. 9. Add export files to each library in order to export only required symbols. Windows native build may use these files instead of scanning objects' symbols. 10. Add opensc-tool --info to display some general information about the build. 11. Create compatibility library to be linked against library instread of recompiling the same source files in different places. 12. Add different win32 version resource to each class of outputs. 13. Make xsl-stylesheets location selectable. 14. Some win32 fixups. 15. Some warning fixups. 16. Many other autoconf/automake cleanups. Alon Bar-Lev svn diff -r 3315:3399 https://www.opensc-project.org/svn/opensc/branches/alonbl/mingw _M . D configure.in _M src _M src/openssh M src/openssh/Makefile.am _M src/tools M src/tools/rutoken-tool.c M src/tools/opensc-tool.c M src/tools/cardos-info.c M src/tools/pkcs15-crypt.c M src/tools/pkcs15-init.c M src/tools/piv-tool.c M src/tools/netkey-tool.c M src/tools/eidenv.c M src/tools/cryptoflex-tool.c M src/tools/util.c M src/tools/pkcs11-tool.c M src/tools/pkcs15-tool.c M src/tools/util.h M src/tools/opensc-explorer.c M src/tools/Makefile.am _M src/pkcs11 M src/pkcs11/pkcs11-global.c M src/pkcs11/framework-pkcs15.c M src/pkcs11/mechanism.c M src/pkcs11/pkcs11-display.c M src/pkcs11/pkcs11-object.c A src/pkcs11/opensc-pkcs11.exports M src/pkcs11/sc-pkcs11.h M src/pkcs11/pkcs11-spy.c M src/pkcs11/openssl.c M src/pkcs11/Makefile.am A src/pkcs11/pkcs11-spy.exports _M src/tests _M src/tests/regression M src/tests/regression/Makefile.am M src/tests/sc-test.c M src/tests/pintest.c M src/tests/Makefile.am _M src/include _M src/include/opensc M src/include/opensc/Makefile.am A src/include/opensc/svnignore M src/include/Makefile.am _M src/signer _M src/signer/npinclude M src/signer/npinclude/Makefile.am M src/signer/Makefile.am A src/signer/signer.exports _M src/common A src/common/compat_dummy.c D src/common/getopt.txt D src/common/strlcpy.c D src/common/LICENSE A src/common/compat_getopt.txt A src/common/compat_strlcpy.c A src/common/LICENSE.compat_getopt A src/common/compat_getopt.c D src/common/strlcpy.h D src/common/ChangeLog D src/common/getpass.c D src/common/my_getopt.c A src/common/compat_strlcpy.h A src/common/compat_getpass.c A src/common/compat_getopt.h A src/common/ChangeLog.compat_getopt D src/common/README.strlcpy D src/common/my_getopt.h A src/common/compat_getpass.h A src/common/README.compat_strlcpy D src/common/strlcpy.3 A src/common/README.compat_getopt D src/common/getopt.3 D src/common/README.my_getopt A src/common/compat_strlcpy.3 A src/common/compat_getopt.3 M src/common/Makefile.am M src/Makefile.am _M src/pkcs15init M src/pkcs15init/pkcs15-oberthur.c M src/pkcs15init/profile.c M src/pkcs15init/pkcs15-lib.c M src/pkcs15init/pkcs15-rutoken.c A src/pkcs15init/pkcs15init.exports M src/pkcs15init/pkcs15-gpk.c M src/pkcs15init/Makefile.am _M src/scconf M src/scconf/Makefile.am M src/scconf/parse.c A src/scconf/scconf.exports _M src/libopensc M src/libopensc/card-rutoken.c M src/libopensc/compression.c M src/libopensc/sc.c M src/libopensc/card-piv.c M src/libopensc/pkcs15-openpgp.c M src/libopensc/pkcs15-postecert.c M src/libopensc/pkcs15-tcos.c M src/libopensc/opensc-config.in M src/libopensc/reader-pcsc.c A src/libopensc/internal-winscard.h M src/libopensc/ctx.c A src/libopensc/libopensc.exports M src/libopensc/pkcs15-piv.c M src/libopensc/pkcs15-infocamere.c M src/libopensc/internal.h M src/libopensc/pkcs15-actalis.c M src/libopensc/pkcs15-starcert.c M src/libopensc/card-oberthur.c M src/libopensc/pkcs15-atrust-acos.c M src/libopensc/p15card-helper.c D src/libopensc/part10.h M src/libopensc/ui.c M src/libopensc/card-gpk.c M src/libopensc/pkcs15-wrap.c M src/libopensc/pkcs15-gemsafeGPK.c M src/libopensc/log.c M src/libopensc/pkcs15-esteid.c M src/libopensc/pkcs15-prkey-rutoken.c M src/libopensc/log.h M src/libopensc/Makefile.am M src/libopensc/reader-openct.c _M aclocal M aclocal/Makefile.am _M win32 M win32/Makefile.am A win32/versioninfo.rc.in A win32/ltrc.inc A configure.ac _M doc _M doc/tools M doc/tools/pkcs15-profile.xml D doc/changelog.sh D doc/export-wiki.xsl _M doc/api _M doc/api/file M doc/api/man.xsl _M doc/api/asn1 _M doc/api/apps _M doc/api/init _M doc/api/types _M doc/api/card M doc/api/html.xsl _M doc/api/misc _M doc/api/util M doc/Makefile.am D doc/export-wiki.sh AM doc/nonpersistent A doc/nonpersistent/export-wiki.xsl A doc/nonpersistent/Makefile.am A doc/nonpersistent/export-wiki.sh A doc/nonpersistent/svn2cl.xsl D doc/generate-man.sh D doc/svn2cl.xsl M Makefile.am A svnignore _M etc M etc/opensc.conf.in M etc/Makefile.am D man _M solaris M solaris/Makefile git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3405 c6295689-39f2-0310-b995-f0e70906c6a9
2008-03-06 16:06:59 +00:00