*** empty log message ***

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@306 c6295689-39f2-0310-b995-f0e70906c6a9
2002-03-13 10:48:07 +00:00 · 2002-03-13 10:48:07 +00:00 · 8efe36617c
parent e280d2f444
commit 8efe36617c
6 changed files with 225 additions and 499 deletions
--- a/7
+++ b/7
@ -1,5 +1,12 @@
 NEWS for OpenSC -- History of user visible changes

+New in 0.6.0; 2002-03-13; Juha Yrjölä:
+* Many, many new features -- too many to list here
+* New cards supported: Gemplus GPK family, TCOS 2.0, MioCOS
+* Implemented a card reader abstraction layer
+* PKCS #15 generation rewritten by Olaf Kirch. So far generation
+  is supported only on GPK and Cryptoflex.
+
 New in 0.5.0; 2002-01-24; Juha Yrjölä:
 * PKCS #15 generation support
 * PKCS #11 module almost completely rewritten
--- a/src/openssh/README
+++ b/src/openssh/README
@ -1,14 +1,10 @@
-
-Steps for your OpenSSH pleasure:
+teps for your OpenSSH pleasure:

 - Download, compile and install openssl (http://www.openssl.org)
 - Download OpenSSH 3.0.2p1 (http://www.openssh.com)
 - Apply 'openssh-3.0.2p1-patch.diff' from this directory
 - Run autoconf and autoheader
 - Run configure with the argument '--with-opensc'
- Change the hardcoded PIN to the one set on your card... =)
-  The line to modify can be found in file scard-libsc.c.
-  (This will be fixed in the future)
 - Compile and install

 - Extract a public key from your SmartCard in OpenSSH format
@ -21,7 +17,9 @@ Steps for your OpenSSH pleasure:
 With luck you should be authenticated and ready to go. If it won't work,
 try enabling debug information with the '-d' switch.

-NOTE: ssh-agent should also work.
+NOTE: PIN code is not asked by ssh when connecting. If you haven't 
+authenticated for the private key when connecting with PIN code, 
+verify the PIN with e.g. pkcs15-crypt tool. 

 --
-Juha Yrjölä <juha.yrjola@iki.fi>
+Markku Degerholm <mdegerho@cc.hut.fi>
--- a/src/openssh/openssh-3.0.2p1-patch.diff
+++ b/src/openssh/openssh-3.0.2p1-patch.diff
@ -1,6 +1,6 @@
-diff -ruN openssh-3.0.2p1/Makefile.in openssh-new/Makefile.in
--- openssh-3.0.2p1/Makefile.in	Mon Nov 12 01:34:23 2001
-+++ openssh-new/Makefile.in	Sun Dec  2 21:01:34 2001
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/Makefile.in openssh-3.0.2p1/Makefile.in
+--- openssh-3.0.2p1-orig/Makefile.in	Mon Nov 12 01:34:23 2001
+++ openssh-3.0.2p1/Makefile.in	Sun Mar 10 14:51:49 2002
@@ -46,7 +46,7 @@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) $(SFTP_PROGS)
@ -10,9 +10,9 @@ diff -ruN openssh-3.0.2p1/Makefile.in openssh-new/Makefile.in
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
 
-diff -ruN openssh-3.0.2p1/acconfig.h openssh-new/acconfig.h
--- openssh-3.0.2p1/acconfig.h	Sat Nov  3 21:09:33 2001
-+++ openssh-new/acconfig.h	Sun Dec  2 21:01:34 2001
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/acconfig.h openssh-3.0.2p1/acconfig.h
+--- openssh-3.0.2p1-orig/acconfig.h	Sat Nov  3 21:09:33 2001
+++ openssh-3.0.2p1/acconfig.h	Sun Mar 10 14:51:49 2002
@@ -329,6 +329,12 @@
 /* Define if you want smartcard support */
 #undef SMARTCARD
@ -26,9 +26,12 @@ diff -ruN openssh-3.0.2p1/acconfig.h openssh-new/acconfig.h
 @BOTTOM@
 
 /* ******************* Shouldn't need to edit below this line ************** */
-diff -ruN openssh-3.0.2p1/configure.ac openssh-new/configure.ac
--- openssh-3.0.2p1/configure.ac	Sat Nov  3 21:09:33 2001
-+++ openssh-new/configure.ac	Sun Dec  2 21:01:34 2001
+Common subdirectories: openssh-3.0.2p1-orig/autom4te.cache and openssh-3.0.2p1/autom4te.cache
+Only in openssh-3.0.2p1-orig/: config.h.in
+Only in openssh-3.0.2p1-orig/: configure
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/configure.ac openssh-3.0.2p1/configure.ac
+--- openssh-3.0.2p1-orig/configure.ac	Sat Nov  3 21:09:33 2001
+++ openssh-3.0.2p1/configure.ac	Sun Mar 10 14:51:49 2002
@@ -1412,11 +1412,11 @@
 	AC_DEFINE(HAVE_SYS_NERR)
 fi
@ -83,10 +86,14 @@ diff -ruN openssh-3.0.2p1/configure.ac openssh-new/configure.ac
 			SCARD_MSG="yes" 
 		fi
 	]
-diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
--- openssh-3.0.2p1/scard-opensc.c	Thu Jan  1 02:00:00 1970
-+++ openssh-new/scard-opensc.c	Sun Dec  2 21:40:42 2001
-@@ -0,0 +1,463 @@
+Common subdirectories: openssh-3.0.2p1-orig/contrib and openssh-3.0.2p1/contrib
+Common subdirectories: openssh-3.0.2p1-orig/debian and openssh-3.0.2p1/debian
+Common subdirectories: openssh-3.0.2p1-orig/openbsd-compat and openssh-3.0.2p1/openbsd-compat
+Common subdirectories: openssh-3.0.2p1-orig/scard and openssh-3.0.2p1/scard
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/scard-opensc.c openssh-3.0.2p1/scard-opensc.c
+--- openssh-3.0.2p1-orig/scard-opensc.c	Thu Jan  1 02:00:00 1970
+++ openssh-3.0.2p1/scard-opensc.c	Sun Mar 10 20:26:13 2002
+@@ -0,0 +1,472 @@
 +/* libopensc support in OpenSSH -- heavily modified from scard.c
 + * 
 + * Copyright (c) 2001 Juha Yrjölä.  All rights reserved.
@ -129,7 +136,7 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +#include "xmalloc.h"
 +#include "scard.h"
 +
-+#define SC_HARDCODED_PIN "1234"
+//#define SC_HARDCODED_PIN "1234"
 +
 +#define MAX_BUF_SIZE 256
 +
@ -154,7 +161,7 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +	r = sc_establish_context(&ctx);
 +	if (r)
 +		goto err;
-+	r = sc_connect_card(ctx, sc_reader_id, &card);
+	r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card);
 +	if (r)
 +		goto err;
 +	r = sc_pkcs15_bind(card, &p15card);
@ -183,9 +190,10 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +}
 +
 +static int 
-+sc_read_pubkey(Key * k, const struct sc_pkcs15_cert_info *cinfo)
+sc_read_pubkey(Key * k, const struct sc_pkcs15_object * obj)
 +{
 +	int r;
+	struct sc_pkcs15_cert_info * cinfo = obj->data; 
 +	struct sc_pkcs15_cert *cert = NULL;
 +	struct sc_priv_data *priv = NULL;
 +	X509 *x509 = NULL;
@ -253,8 +261,10 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +{
 +	int r;
 +	struct sc_priv_data *priv;
-+	struct sc_pkcs15_prkey_info *key;
+	struct sc_pkcs15_object *key;
+#ifdef SC_HARDCODED_PIN
 +	struct sc_pkcs15_pin_info *pin;
+#endif	
 +
 +	if (padding != RSA_PKCS1_PADDING)
 +		return -1;	
@ -276,6 +286,7 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +		error("Unable to find private key from SmartCard: %s", sc_strerror(r));
 +		goto err;
 +	}
+#ifdef SC_HARDCODED_PIN
 +	r = sc_pkcs15_find_pin_by_auth_id(p15card, &key->com_attr.auth_id, &pin);
 +	if (r) {
 +		error("Unable to find PIN object from SmartCard: %s", sc_strerror(r));
@ -287,11 +298,13 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +		error("PIN code verification failed: %s", sc_strerror(r));
 +		goto err;
 +	}
+#endif	
 +	r = sc_pkcs15_decipher(p15card, key, from, flen, to, flen);
 +	if (r < 0) {
 +		error("sc_pkcs15_decipher() failed: %s", sc_strerror(r));
 +		goto err;
 +	}
+	sc_close(); 
 +	return r;
 +err:
 +	sc_close();
@ -311,8 +324,10 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +{
 +	int r;
 +	struct sc_priv_data *priv;
-+	struct sc_pkcs15_prkey_info *key;
+	struct sc_pkcs15_object *key;
+#ifdef SC_HARDCODED_PIN	
 +	struct sc_pkcs15_pin_info *pin;
+#endif	
 +	
 +	priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
 +	if (priv == NULL)
@ -332,6 +347,7 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +		error("Unable to find private key from SmartCard: %s", sc_strerror(r));
 +		goto err;
 +	}
+#ifdef SC_HARDCODED_PIN	
 +	r = sc_pkcs15_find_pin_by_auth_id(p15card, &key->com_attr.auth_id, &pin);
 +	if (r) {
 +		error("Unable to find PIN object from SmartCard: %s", sc_strerror(r));
@ -343,14 +359,16 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +		error("PIN code verification failed: %s", sc_strerror(r));
 +		goto err;
 +	}
+#endif	
 +	/* FIXME: length of sigret correct? */
-+	r = sc_pkcs15_compute_signature(p15card, key, SC_PKCS15_HASH_SHA1,
+	r = sc_pkcs15_compute_signature(p15card, key, SC_ALGORITHM_RSA_HASH_SHA1|SC_ALGORITHM_RSA_PAD_PKCS1,
 +					m, m_len, sigret, RSA_size(rsa));
 +	if (r < 0) {
 +		error("sc_pkcs15_compute_signature() failed: %s", sc_strerror(r));
 +		goto err;
 +	}
 +	*siglen = r;
+	sc_close(); 
 +	return 1;
 +err:
 +	sc_close();
@ -468,7 +486,7 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +		p15card = NULL;
 +	}
 +	if (card) {
-+		sc_disconnect_card(card);
+		sc_disconnect_card(card, 0);
 +		card = NULL;
 +	}
 +	if (ctx) {
@ -482,7 +500,8 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +{
 +	Key *k = NULL, **keys = NULL;
 +	struct sc_pkcs15_id cert_id;
-+	struct sc_pkcs15_cert_info *cinfo;
+#define MAX_OBJECTS 32		
+	struct sc_pkcs15_object * cinfo[MAX_OBJECTS];
 +	char *buf = xstrdup(id), *p;
 +	int r, i, key_count = 0, real_count = 0;
 +
@ -501,12 +520,13 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +		goto err;
 +	}
 +	if (cert_id.len) {
-+		r = sc_pkcs15_find_cert_by_id(p15card, &cert_id, &cinfo);
+		r = sc_pkcs15_find_cert_by_id(p15card, &cert_id, &cinfo[0]);
 +		if (r < 0)
 +			goto err;
 +		key_count = 1;
-+	} else {
-+		r = sc_pkcs15_enum_certificates(p15card);
+	} else 
+	{
+		r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_CERT_X509, cinfo, MAX_OBJECTS);
 +		if (r == 0) {
 +			log("No certificates found on smartcard");
 +			r = -1;
@ -522,10 +542,7 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +		k = key_new(KEY_RSA);
 +		if (k == NULL)
 +			break;
-+		if (cert_id.len)
-+			r = sc_read_pubkey(k, cinfo);
-+		else
-+			r = sc_read_pubkey(k, &p15card->cert_info[i]);
+		r = sc_read_pubkey(k, cinfo[i]);
 +		if (r) {
 +			error("sc_read_pubkey failed: %s", sc_strerror(r));
 +			key_free(k);
@ -542,7 +559,6 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +	}
 +	keys[real_count] = NULL;
 +	sc_close();
-+
 +	return keys;
 +err:
 +	sc_close();
@ -550,9 +566,9 @@ diff -ruN openssh-3.0.2p1/scard-opensc.c openssh-new/scard-opensc.c
 +}
 +
 +#endif /* OPENSC */
-diff -ruN openssh-3.0.2p1/scard-sectok.c openssh-new/scard-sectok.c
--- openssh-3.0.2p1/scard-sectok.c	Thu Jan  1 02:00:00 1970
-+++ openssh-new/scard-sectok.c	Sun Dec  2 21:01:34 2001
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/scard-sectok.c openssh-3.0.2p1/scard-sectok.c
+--- openssh-3.0.2p1-orig/scard-sectok.c	Thu Jan  1 02:00:00 1970
+++ openssh-3.0.2p1/scard-sectok.c	Sun Mar 10 14:51:49 2002
@@ -0,0 +1,389 @@
 +/*
 + * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@ -943,384 +959,10 @@ diff -ruN openssh-3.0.2p1/scard-sectok.c openssh-new/scard-sectok.c
 +	return keys;
 +}
 +#endif /* SECTOK */
-diff -ruN openssh-3.0.2p1/scard.c openssh-new/scard.c
--- openssh-3.0.2p1/scard.c	Fri Sep 28 12:51:54 2001
-+++ openssh-new/scard.c	Thu Jan  1 02:00:00 1970
-@@ -1,371 +0,0 @@
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#ifdef SMARTCARD
-RCSID("$OpenBSD: scard.c,v 1.15 2001/09/28 09:49:31 djm Exp $");
-
-#include <openssl/engine.h>
-#include <sectok.h>
-
-#include "key.h"
-#include "log.h"
-#include "xmalloc.h"
-#include "scard.h"
-
-#define CLA_SSH 0x05
-#define INS_DECRYPT 0x10
-#define INS_GET_KEYLENGTH 0x20
-#define INS_GET_PUBKEY 0x30
-#define INS_GET_RESPONSE 0xc0
-
-#define MAX_BUF_SIZE 256
-
-static int sc_fd = -1;
-static char *sc_reader_id = NULL;
-static int cla = 0x00;	/* class */
-
-/* interface to libsectok */
-
-static int 
-sc_open(void)
-{
-	int sw;
-
-	if (sc_fd >= 0)
-		return sc_fd;
-
-	sc_fd = sectok_friendly_open(sc_reader_id, STONOWAIT, &sw);
-	if (sc_fd < 0) {
-		error("sectok_open failed: %s", sectok_get_sw(sw));
-		return SCARD_ERROR_FAIL;
-	}
-	if (! sectok_cardpresent(sc_fd)) {
-		debug("smartcard in reader %s not present, skipping",
-		    sc_reader_id);
-		sc_close();
-		return SCARD_ERROR_NOCARD;
-	}
-	if (sectok_reset(sc_fd, 0, NULL, &sw) <= 0) {
-		error("sectok_reset failed: %s", sectok_get_sw(sw));
-		sc_fd = -1;
-		return SCARD_ERROR_FAIL;
-	}
-	if ((cla = cyberflex_inq_class(sc_fd)) < 0)
-		cla = 0;
-
-	debug("sc_open ok %d", sc_fd);
-	return sc_fd;
-}
-
-static int 
-sc_enable_applet(void)
-{
-	static u_char aid[] = {0xfc, 0x53, 0x73, 0x68, 0x2e, 0x62, 0x69, 0x6e};
-	int sw = 0;
-
-	/* select applet id */
-	sectok_apdu(sc_fd, cla, 0xa4, 0x04, 0, sizeof aid, aid, 0, NULL, &sw);
-	if (!sectok_swOK(sw)) {
-		error("sectok_apdu failed: %s", sectok_get_sw(sw));
-		sc_close();
-		return -1;
-	}
-	return 0;
-}
-
-static int 
-sc_init(void)
-{
-	int status;
-
-	status = sc_open();
-	if (status == SCARD_ERROR_NOCARD) {
-		return SCARD_ERROR_NOCARD;
-	}
-	if (status < 0 ) {
-		error("sc_open failed");
-		return status;
-	}
-	if (sc_enable_applet() < 0) {
-		error("sc_enable_applet failed");
-		return SCARD_ERROR_APPLET;
-	}
-	return 0;
-}
-
-static int 
-sc_read_pubkey(Key * k)
-{
-	u_char buf[2], *n;
-	char *p;
-	int len, sw, status = -1;
-
-	len = sw = 0;
-	n = NULL;
-
-	if (sc_fd < 0) {
-		status = sc_init();
-		if (status < 0 )
-			goto err;
-	}
-
-	/* get key size */
-	sectok_apdu(sc_fd, CLA_SSH, INS_GET_KEYLENGTH, 0, 0, 0, NULL,
-	     sizeof(buf), buf, &sw);
-	if (!sectok_swOK(sw)) {
-		error("could not obtain key length: %s", sectok_get_sw(sw));
-		goto err;
-	}
-	len = (buf[0] << 8) | buf[1];
-	len /= 8;
-	debug("INS_GET_KEYLENGTH: len %d sw %s", len, sectok_get_sw(sw));
-
-	n = xmalloc(len);
-	/* get n */
-	sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
-	if (!sectok_swOK(sw)) {
-		error("could not obtain public key: %s", sectok_get_sw(sw));
-		goto err;
-	}
-
-	debug("INS_GET_KEYLENGTH: sw %s", sectok_get_sw(sw));
-
-	if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
-		error("c_read_pubkey: BN_bin2bn failed");
-		goto err;
-	}
-
-	/* currently the java applet just stores 'n' */
-	if (!BN_set_word(k->rsa->e, 35)) {
-		error("c_read_pubkey: BN_set_word(e, 35) failed");
-		goto err;
-	}
-
-	status = 0;
-	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
-	debug("fingerprint %d %s", key_size(k), p);
-	xfree(p);
-
-err:
-	if (n != NULL)
-		xfree(n);
-	sc_close();
-	return status;
-}
-
-/* private key operations */
-
-static int
-sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, int padding)
-{
-	u_char *padded = NULL;
-	int sw, len, olen, status = -1;
-
-	debug("sc_private_decrypt called");
-
-	olen = len = sw = 0;
-	if (sc_fd < 0) {
-		status = sc_init();
-		if (status < 0 )
-			goto err;
-	}
-	if (padding != RSA_PKCS1_PADDING)
-		goto err;
-
-	len = BN_num_bytes(rsa->n);
-	padded = xmalloc(len);
-
-	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, 0, NULL, &sw);
-	if (!sectok_swOK(sw)) {
-		error("sc_private_decrypt: INS_DECRYPT failed: %s",
-		    sectok_get_sw(sw));
-		goto err;
-	}
-	sectok_apdu(sc_fd, CLA_SSH, INS_GET_RESPONSE, 0, 0, 0, NULL,
-	     len, padded, &sw);
-	if (!sectok_swOK(sw)) {
-		error("sc_private_decrypt: INS_GET_RESPONSE failed: %s",
-		    sectok_get_sw(sw));
-		goto err;
-	}
-	olen = RSA_padding_check_PKCS1_type_2(to, len, padded + 1, len - 1,
-	    len);
-err:
-	if (padded)
-		xfree(padded);
-	sc_close();
-	return (olen >= 0 ? olen : status);
-}
-
-static int
-sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa, int padding)
-{
-	u_char *padded = NULL;
-	int sw, len, status = -1;
-
-	len = sw = 0;
-	if (sc_fd < 0) {
-		status = sc_init();
-		if (status < 0 )
-			goto err;
-	}
-	if (padding != RSA_PKCS1_PADDING)
-		goto err;
-
-	debug("sc_private_encrypt called");
-	len = BN_num_bytes(rsa->n);
-	padded = xmalloc(len);
-
-	if (RSA_padding_add_PKCS1_type_1(padded, len, from, flen) <= 0) {
-		error("RSA_padding_add_PKCS1_type_1 failed");
-		goto err;
-	}
-	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, 0, NULL, &sw);
-	if (!sectok_swOK(sw)) {
-		error("sc_private_decrypt: INS_DECRYPT failed: %s",
-		    sectok_get_sw(sw));
-		goto err;
-	}
-	sectok_apdu(sc_fd, CLA_SSH, INS_GET_RESPONSE, 0, 0, 0, NULL,
-	     len, to, &sw);
-	if (!sectok_swOK(sw)) {
-		error("sc_private_decrypt: INS_GET_RESPONSE failed: %s",
-		    sectok_get_sw(sw));
-		goto err;
-	}
-err:
-	if (padded)
-		xfree(padded);
-	sc_close();
-	return (len >= 0 ? len : status);
-}
-
-/* called on free */
-
-static int (*orig_finish)(RSA *rsa) = NULL;
-
-static int
-sc_finish(RSA *rsa)
-{
-	if (orig_finish)
-		orig_finish(rsa);
-	sc_close();
-	return 1;
-}
-
-
-/* engine for overloading private key operations */
-
-static ENGINE *smart_engine = NULL;
-static RSA_METHOD smart_rsa =
-{
-	"sectok",
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	0,
-	NULL,
-};
-
-ENGINE *
-sc_get_engine(void)
-{
-	RSA_METHOD *def;
-
-	def = RSA_get_default_openssl_method();
-
-	/* overload */
-	smart_rsa.rsa_priv_enc	= sc_private_encrypt;
-	smart_rsa.rsa_priv_dec	= sc_private_decrypt;
-
-	/* save original */
-	orig_finish		= def->finish;
-	smart_rsa.finish	= sc_finish;
-
-	/* just use the OpenSSL version */
-	smart_rsa.rsa_pub_enc   = def->rsa_pub_enc;
-	smart_rsa.rsa_pub_dec   = def->rsa_pub_dec;
-	smart_rsa.rsa_mod_exp	= def->rsa_mod_exp;
-	smart_rsa.bn_mod_exp	= def->bn_mod_exp;
-	smart_rsa.init		= def->init;
-	smart_rsa.flags		= def->flags;
-	smart_rsa.app_data	= def->app_data;
-	smart_rsa.rsa_sign	= def->rsa_sign;
-	smart_rsa.rsa_verify	= def->rsa_verify;
-
-	smart_engine = ENGINE_new();
-
-	ENGINE_set_id(smart_engine, "sectok");
-	ENGINE_set_name(smart_engine, "libsectok");
-	ENGINE_set_RSA(smart_engine, &smart_rsa);
-	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
-	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
-	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
-	ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
-
-	return smart_engine;
-}
-
-void
-sc_close(void)
-{
-	if (sc_fd >= 0) {
-		sectok_close(sc_fd);
-		sc_fd = -1;
-	}
-}
-
-Key *
-sc_get_key(const char *id)
-{
-	Key *k;
-	int status;
-
-	if (sc_reader_id != NULL)
-		xfree(sc_reader_id);
-	sc_reader_id = xstrdup(id);
-
-	k = key_new(KEY_RSA);
-	if (k == NULL) {
-		return NULL;
-	}
-	status = sc_read_pubkey(k);
-	if (status == SCARD_ERROR_NOCARD) {
-		key_free(k);
-		return NULL;
-	}
-	if (status < 0 ) {
-		error("sc_read_pubkey failed");
-		key_free(k);
-		return NULL;
-	}
-	return k;
-}
-#endif /* SMARTCARD */
-diff -ruN openssh-3.0.2p1/scard.h openssh-new/scard.h
--- openssh-3.0.2p1/scard.h	Tue Aug  7 00:35:52 2001
-+++ openssh-new/scard.h	Sun Dec  2 21:01:34 2001
+Only in openssh-3.0.2p1-orig/: scard.c
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/scard.h openssh-3.0.2p1/scard.h
+--- openssh-3.0.2p1-orig/scard.h	Tue Aug  7 00:35:52 2001
+++ openssh-3.0.2p1/scard.h	Sun Mar 10 14:51:49 2002
@@ -24,17 +24,19 @@
 
 /* $OpenBSD: scard.h,v 1.6 2001/08/01 22:03:33 markus Exp $ */
@ -1345,9 +987,14 @@ diff -ruN openssh-3.0.2p1/scard.h openssh-new/scard.h
 void	 sc_close(void);
 
 #endif
-diff -ruN openssh-3.0.2p1/ssh-agent.c openssh-new/ssh-agent.c
--- openssh-3.0.2p1/ssh-agent.c	Tue Aug  7 01:06:35 2001
-+++ openssh-new/ssh-agent.c	Sun Dec  2 21:01:34 2001
+Only in openssh-3.0.2p1-orig/: scp.0
+Only in openssh-3.0.2p1-orig/: sftp-server.0
+Only in openssh-3.0.2p1-orig/: sftp.0
+Only in openssh-3.0.2p1-orig/: ssh-add.0
+Only in openssh-3.0.2p1-orig/: ssh-agent.0
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/ssh-agent.c openssh-3.0.2p1/ssh-agent.c
+--- openssh-3.0.2p1-orig/ssh-agent.c	Tue Aug  7 01:06:35 2001
+++ openssh-3.0.2p1/ssh-agent.c	Sun Mar 10 14:51:49 2002
@@ -57,7 +57,6 @@
 #include "log.h"
 
@ -1532,9 +1179,10 @@ diff -ruN openssh-3.0.2p1/ssh-agent.c openssh-new/ssh-agent.c
 	buffer_put_int(&e->output, 1);
 	buffer_put_char(&e->output,
 	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-diff -ruN openssh-3.0.2p1/ssh-keygen.c openssh-new/ssh-keygen.c
--- openssh-3.0.2p1/ssh-keygen.c	Mon Nov 12 01:52:44 2001
-+++ openssh-new/ssh-keygen.c	Sun Dec  2 21:01:34 2001
+Only in openssh-3.0.2p1-orig/: ssh-keygen.0
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/ssh-keygen.c openssh-3.0.2p1/ssh-keygen.c
+--- openssh-3.0.2p1-orig/ssh-keygen.c	Mon Nov 12 01:52:44 2001
+++ openssh-3.0.2p1/ssh-keygen.c	Sun Mar 10 14:51:49 2002
@@ -29,8 +29,9 @@
 #include "readpass.h"
 
@ -1576,9 +1224,11 @@ diff -ruN openssh-3.0.2p1/ssh-keygen.c openssh-new/ssh-keygen.c
 #endif /* SMARTCARD */
 
 static void
-diff -ruN openssh-3.0.2p1/ssh.c openssh-new/ssh.c
--- openssh-3.0.2p1/ssh.c	Mon Nov 12 01:52:04 2001
-+++ openssh-new/ssh.c	Sun Dec  2 21:28:50 2001
+Only in openssh-3.0.2p1-orig/: ssh-keyscan.0
+Only in openssh-3.0.2p1-orig/: ssh.0
+diff -u --unidirectional-new-file openssh-3.0.2p1-orig/ssh.c openssh-3.0.2p1/ssh.c
+--- openssh-3.0.2p1-orig/ssh.c	Sun Mar 10 20:31:12 2002
+++ openssh-3.0.2p1/ssh.c	Sun Mar 10 18:55:29 2002
@@ -70,7 +70,6 @@
 #include "sshtty.h"
 
@ -1587,7 +1237,7 @@ diff -ruN openssh-3.0.2p1/ssh.c openssh-new/ssh.c
 #include "scard.h"
 #endif
 
-@@ -1178,39 +1177,37 @@
+@@ -1183,39 +1182,38 @@
 	char *filename;
 	Key *public;
 	int i = 0;
@ -1644,11 +1294,12 @@ diff -ruN openssh-3.0.2p1/ssh.c openssh-new/ssh.c
 +			}
 +		}
 +		memmove(&options.identity_files[key_count],
-+			&options.identity_files[0], key_count * sizeof(char *));
+			&options.identity_files[0], options.num_identity_files * sizeof(char *));
 +		for (i = 0; keys[i] != NULL && i < key_count; i++) {
 +			options.identity_keys[i] = keys[i];
 +			options.identity_files[i] = xstrdup("smartcard rsa key");
 +		}
+		//debug("identity files before=%i, smartcard keys=%i", options.num_identity_files, key_count); 
 +		options.num_identity_files += key_count;
 +		xfree(keys);
 	}
@ -1656,3 +1307,4 @@ diff -ruN openssh-3.0.2p1/ssh.c openssh-new/ssh.c
 #endif /* SMARTCARD */
 	for (; i < options.num_identity_files; i++) {
 		filename = tilde_expand_filename(options.identity_files[i],
+Only in openssh-3.0.2p1-orig/: sshd.0
--- a/src/tools/miocos.profile
+++ b/src/tools/miocos.profile
@ -4,54 +4,84 @@
 CardInfo
 	Label		"OpenSC Card"
 	Manufacturer	"OpenSC Project"
-	MinPinLength	4
+	MinPinLength	1
 	MaxPinLength	8
 	PinEncoding	ascii-numeric
+	PinPadChar	0x00
 	PrKeyAccessFlags RSA 0x1D
-	PrKeyAccessFlags DSA 0x12

-	# This is the secure messaging key required for
-	# creating files in the MF
-	# Key		PRO 0x0001 "=TEST KEYTEST KEY"
-
-# Note: many commands use the short file ID (i.e. the lower 5 bits
-# of the FID) so you must be careful when picking FIDs for the
-# public key and PIN files.
-
-# Currently we do not support PIN files that can be updated
-# by CHV2. Far too messy.
-EF pinfile
-	FileID		0000
-	Structure	0x21	# GPK specific
-	RecordLength	8
-	Size		32
-	ACL		*=NEVER
-
-# Private key files.
-# GPK private key files will never let you read the private key
-# part, so it's okay to set READ=NONE. What's more, we need
-# read access so we're able to update the file.
-EF template-private-key
-	FileID		0006	# This is the base FileID
-	Structure	0x2C	# GPK specific
-	ACL		*=NEVER READ=NONE UPDATE=CHV2 WRITE=CHV2
-
-EF template-public-key
-	FileID		8000
+EF pinfile-chv1
+	Path		3F000000
 	Structure	transparent
+	Size		20
 	ACL		*=NONE

-# CVH1. 7 attempts for the PIN, and 3 for the PUK
-# Reference 0x8 means "PIN0 in the local EFsc" in GPK parlance
-PIN CHV1
-	File		pinfile
-	Reference	0x8
-	Attempts	7 3
+EF pinfile-chv2
+	Parent		PKCS15-AppDF
+	FileID		5002
+	Size		23
+	ACL		*=NONE

-# CVH2. 7 attempts for the PIN, and 3 for the PUK
-# Reference 0xA means "PIN2 in the local EFsc" in GPK parlance
+EF template-private-key-1
+	Parent		PKCS15-AppDF
+	FileID		4B01
+	Size		330
+	ACL		*=NONE CRYPTO=CHV1
+
+EF template-private-key-2
+	Parent		PKCS15-AppDF
+	FileID		4B02
+	Size		330
+	ACL		*=NONE CRYPTO=CHV2
+
+EF template-public-key-1
+	Parent		PKCS15-AppDF
+	FileID		5201
+	Structure	transparent
+	ACL		*=NONE READ=NONE
+
+EF template-public-key-2
+	Parent		PKCS15-AppDF
+	FileID		5202
+	Structure	transparent
+	ACL		*=NONE READ=NONE
+
+EF PKCS15-DIR
+	ACL		*=NEVER READ=NONE UPDATE=CHV1
+
+EF PKCS15-ODF
+	ACL		*=NEVER READ=NONE UPDATE=CHV1
+
+EF PKCS15-AODF
+	ACL		*=NEVER READ=NONE UPDATE=CHV1
+
+EF PKCS15-PrKDF
+	ACL		*=NEVER READ=NONE UPDATE=CHV1
+
+EF PKCS15-PuKDF
+	ACL		*=NEVER READ=NONE UPDATE=CHV1
+
+EF PKCS15-CDF
+	ACL		*=NEVER READ=NONE UPDATE=CHV1
+
+# CHV1. 3 attempts for the PIN, and 10 for the PUK
+PIN CHV1
+	File		pinfile-chv1
+	Reference	0x01
+	Attempts	3 10
+
+# CHV2. 3 attempts for the PIN, and 10 for the PUK
 PIN CHV2
-	File		pinfile
-	Reference	0xA
-	Attempts	7 3
-	Offset		16
+	File		pinfile-chv2
+	Reference	0x02
+	Attempts	3 10
+
+PrivateKey AuthKey
+	Reference	0x01
+	Index		1
+	File		template-private-key-1
+
+PrivateKey SignKey
+	Reference	0x02
+	Index		1
+	File		template-private-key-2
--- a/src/tools/pkcs15-cflex.c
+++ b/src/tools/pkcs15-cflex.c
@ -45,13 +45,13 @@ static int cflex_update_pin(struct sc_card *card, struct pin_info *info)

 	memset(p, 0xFF, 3);
 	p += 3;
-	memset(p, '-', 8);
+	memset(p, info->pkcs15.pad_char, 8);
 	strncpy((char *) p, info->secret[0], 8);
 	p += 8;
 	*p++ = info->attempt[0];
 	*p++ = info->attempt[0];
-	memset(p, '-', 8);
-	strncpy((char *) p, info->secret[0], 8);
+	memset(p, info->pkcs15.pad_char, 8);
+	strncpy((char *) p, info->secret[1], 8);
 	p += 8;
 	*p++ = info->attempt[1];
 	*p++ = info->attempt[1];
--- a/src/tools/pkcs15-miocos.c
+++ b/src/tools/pkcs15-miocos.c
@ -28,15 +28,73 @@
 #include "pkcs15-init.h"
 #include "util.h"

+static int miocos_update_pin(struct sc_card *card, struct pin_info *info)
+{
+	u8		buffer[20], *p = buffer;
+	int		r;
+	size_t		len;
+
+	if (!info->attempt[1]) {
+		error("PUK code needed.");
+		return SC_ERROR_INVALID_ARGUMENTS;
+	}
+	info->attempt[0] &= 0x0f;
+	*p++ = (info->attempt[0] << 8) | info->attempt[0];
+	*p++ = 0xFF;
+	memset(p, info->pkcs15.pad_char, 8);
+	strncpy((char *) p, info->secret[0], 8);
+	p += 8;
+	info->attempt[1] &= 0x0f;
+	*p++ = (info->attempt[1] << 8) | info->attempt[1];
+	*p++ = 0xFF;
+	strncpy((char *) p, info->secret[1], 8);
+	p += 8;
+	len = 20;
+
+	r = sc_update_binary(card, 0, buffer, len, 0);
+	if (r < 0)
+		return r;
+	return 0;
+}
+
+static int miocos_store_pin(struct sc_profile *profile, struct sc_card *card,
+			   struct pin_info *info)
+{
+	struct sc_file	*pinfile;
+	int		r;
+
+	sc_file_dup(&pinfile, info->file->file);
+
+	card->ctx->log_errors = 0;
+	r = sc_select_file(card, &pinfile->path, NULL);
+	card->ctx->log_errors = 1;
+	pinfile->type = SC_FILE_TYPE_INTERNAL_EF;
+	pinfile->ef_structure = 0;
+	if (r == SC_ERROR_FILE_NOT_FOUND) {
+		/* Now create the file */
+		if ((r = sc_pkcs15init_create_file(profile, pinfile)) < 0)
+			goto out;
+		/* The PIN EF is automatically selected */
+	} else if (r < 0)
+		goto out;
+
+	/* If messing with the PIN file requires any sort of
+	 * authentication, send it to the card now */
+	if ((r = sc_pkcs15init_authenticate(profile, pinfile, SC_AC_OP_UPDATE)) < 0)
+		goto out;
+
+	r = miocos_update_pin(card, info);
+
+out:	sc_file_free(pinfile);
+	return r;
+}
+
 /*
 * Initialize the Application DF and store the PINs
- *
 */
 static int miocos_init_app(struct sc_profile *profile, struct sc_card *card)
 {
-#if 0
 	struct pin_info	*pin1, *pin2;
-	int		lockit = 0;

 	pin1 = sc_profile_find_pin(profile, "CHV1");
 	pin2 = sc_profile_find_pin(profile, "CHV2");
@ -44,36 +102,17 @@ static int miocos_init_app(struct sc_profile *profile, struct sc_card *card)
 		fprintf(stderr, "No CHV1 defined\n");
 		return 1;
 	}
-
-	/* XXX TODO:
-	 * if the CHV2 pin file is required to create files
-	 * in the application DF, create that file first */
-
 	/* Create the application DF */
-	if (do_create_file(profile, profile->df_info.file))
+	if (sc_pkcs15init_create_file(profile, profile->df_info.file))
 		return 1;

-	/* Store CHV2 */
-	lockit = 0;
 	if (pin2) {
-		if (gpk_store_pin(profile, card, pin2, &lockit))
+		if (miocos_store_pin(profile, card, pin2))
 			return 1;
-		/* If both PINs reside in the same file, don't lock
-		 * it yet. */
-		if (pin1->file != pin2->file && lockit) {
-			if (gpk_lock_pinfile(profile, card, pin2->file->file))
-				return 1;
-			lockit = 0;
-		}
 	}
+	if (miocos_store_pin(profile, card, pin1))
+		return 1;

-	/* Store CHV1 */
-	if (gpk_store_pin(profile, card, pin1, &lockit))
-		return 1;
-	
-	if (lockit && gpk_lock_pinfile(profile, card, pin2->file->file))
-		return 1;
-#endif
 	return 0;
 }