From 1adbb3fae7d7cef08816a30eef7d84cdb03dd373 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
 <quannguyen@mbm.vn>
Date: Wed, 8 Aug 2012 10:12:11 +0700
Subject: [PATCH] OpenPGP: Set write access more restrictive for pubkey blobs.

marschap: "The WRITE_ALWAYS ACL tells anyone can write to this file at any time."
---
 src/libopensc/card-openpgp.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
index aaf18a7c..bb253c7b 100644
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -192,11 +192,11 @@ static struct do_info		pgp1_objects[] = {	/* OpenPGP card spec 1.1 */
 	{ 0x5f50, SIMPLE,      READ_ALWAYS | WRITE_PIN3,  sc_get_data,        sc_put_data },
 	{ 0x7f49, CONSTRUCTED, READ_ALWAYS | WRITE_NEVER, NULL,               NULL        },
 	{ 0xa400, CONSTRUCTED, READ_ALWAYS | WRITE_NEVER,  pgp_get_pubkey,     NULL        },
-	{ 0xa401, SIMPLE,      READ_ALWAYS | WRITE_ALWAYS, pgp_get_pubkey_pem, NULL        },
+	{ 0xa401, SIMPLE,      READ_ALWAYS | WRITE_PIN3, pgp_get_pubkey_pem, NULL        },
 	{ 0xb600, CONSTRUCTED, READ_ALWAYS | WRITE_NEVER,  pgp_get_pubkey,     NULL        },
-	{ 0xb601, SIMPLE,      READ_ALWAYS | WRITE_ALWAYS, pgp_get_pubkey_pem, NULL        },
+	{ 0xb601, SIMPLE,      READ_ALWAYS | WRITE_PIN3, pgp_get_pubkey_pem, NULL        },
 	{ 0xb800, CONSTRUCTED, READ_ALWAYS | WRITE_NEVER,  pgp_get_pubkey,     NULL        },
-	{ 0xb801, SIMPLE,      READ_ALWAYS | WRITE_ALWAYS, pgp_get_pubkey_pem, NULL        },
+	{ 0xb801, SIMPLE,      READ_ALWAYS | WRITE_PIN3, pgp_get_pubkey_pem, NULL        },
 	{ 0, 0, 0, NULL, NULL },
 };
 
@@ -251,12 +251,12 @@ static struct do_info		pgp2_objects[] = {	/* OpenPGP card spec 2.0 */
 	{ 0xa400, CONSTRUCTED, READ_ALWAYS | WRITE_NEVER, pgp_get_pubkey,     NULL        },
 	/* The 0xA401, 0xB601, 0xB801 are just symbolic, it does not represent any real DO.
 	 * However, their R/W access condition may block the process of importing key in pkcs15init.
-	 * So we set their accesses condition as ALWAYS. */
-	{ 0xa401, SIMPLE,      READ_ALWAYS | WRITE_ALWAYS, pgp_get_pubkey_pem, NULL        },
+	 * So we set their accesses condition as WRITE_PIN3 (writable). */
+	{ 0xa401, SIMPLE,      READ_ALWAYS | WRITE_PIN3, pgp_get_pubkey_pem, NULL        },
 	{ 0xb600, CONSTRUCTED, READ_ALWAYS | WRITE_NEVER,  pgp_get_pubkey,     NULL        },
-	{ 0xb601, SIMPLE,      READ_ALWAYS | WRITE_ALWAYS, pgp_get_pubkey_pem, NULL        },
+	{ 0xb601, SIMPLE,      READ_ALWAYS | WRITE_PIN3, pgp_get_pubkey_pem, NULL        },
 	{ 0xb800, CONSTRUCTED, READ_ALWAYS | WRITE_NEVER,  pgp_get_pubkey,     NULL        },
-	{ 0xb801, SIMPLE,      READ_ALWAYS | WRITE_ALWAYS, pgp_get_pubkey_pem, NULL        },
+	{ 0xb801, SIMPLE,      READ_ALWAYS | WRITE_PIN3, pgp_get_pubkey_pem, NULL        },
 	{ 0, 0, 0, NULL, NULL },
 };