Make CardOS 5.3 working with OpenSC (#1003)

* Set security context for CardOS 5.3 with p1=0x41 (as Coolkey does)

* Do not emulate signatures in CardOS 5.3

Remove the bogus SC_ALGORITHM_NEED_USAGE which prevents using the
actual implementation in cardos_compute_signature().

It might be bogus also in previous version, but I don't have a way
to verify against these cards.

* Do not advertise RSA-X-509 mechanism for CardOS 5.3 (card strips padding)

src/libopensc/card-cardos.c

@@ -59,7 +59,7 @@ static struct sc_atr_table cardos_atrs[] = {
 	/* CardOS v5.0 */
 	{ "3b:d2:18:00:81:31:fe:58:c9:01:14", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
 	/* CardOS v5.3 */
-	{ "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
+	{ "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL},
 	{ NULL, NULL, NULL, 0, 0, NULL }
 };
 
@@ -84,6 +84,8 @@ static int cardos_match_card(sc_card_t *card)
 		return 1;
 	if (card->type == SC_CARD_TYPE_CARDOS_V5_0)
 		return 1;
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_3)
+		return 1;
 	if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
 		int rv;
 		sc_apdu_t apdu;
@@ -175,11 +177,15 @@ static int cardos_init(sc_card_t *card)
 	card->cla = 0x00;
 
 	/* Set up algorithm info. */
-	flags = SC_ALGORITHM_NEED_USAGE
-		| SC_ALGORITHM_RSA_RAW
-		| SC_ALGORITHM_RSA_HASH_NONE
+	flags = SC_ALGORITHM_RSA_HASH_NONE
 		| SC_ALGORITHM_ONBOARD_KEY_GEN
 		;
+	if (card->type != SC_CARD_TYPE_CARDOS_V5_3)
+		flags |= SC_ALGORITHM_RSA_RAW
+			| SC_ALGORITHM_NEED_USAGE;
+	else
+		flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
+
 	_sc_card_add_rsa_alg(card,  512, flags, 0);
 	_sc_card_add_rsa_alg(card,  768, flags, 0);
 	_sc_card_add_rsa_alg(card, 1024, flags, 0);
@@ -195,7 +201,8 @@ static int cardos_init(sc_card_t *card)
 		|| card->type == SC_CARD_TYPE_CARDOS_M4_2B
 		|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
 		|| card->type == SC_CARD_TYPE_CARDOS_M4_4
-		|| card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+		|| card->type == SC_CARD_TYPE_CARDOS_V5_0
+		|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {
 		rsa_2048 = 1;
 		card->caps |= SC_CARD_CAP_APDU_EXT;
 	}
@@ -230,7 +237,8 @@ static int cardos_init(sc_card_t *card)
 		_sc_card_add_rsa_alg(card, 2048, flags, 0);
 	}
 
-	if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+	if (card->type == SC_CARD_TYPE_CARDOS_V5_0
+		|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {
 		/* Starting with CardOS 5, the card supports PIN query commands */
 		card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO;
 	}
@@ -249,7 +257,7 @@ static const struct sc_card_error cardos_errors[] = {
 { 0x6f82, SC_ERROR_CARD_CMD_FAILED,	"not enough memory in xram"}, 
 { 0x6f84, SC_ERROR_CARD_CMD_FAILED,	"general protection fault"}, 
 
-/* the card doesn't now thic combination of ins+cla+p1+p2 */
+/* the card doesn't know this combination of ins+cla+p1+p2 */
 /* i.e. command will never work */
 { 0x6881, SC_ERROR_NO_CARD_SUPPORT,	"logical channel not supported"}, 
 { 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, 
@@ -781,6 +789,8 @@ cardos_set_security_env(sc_card_t *card,
 	if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) {
 		cardos_restore_security_env(card, 0x30);
 		apdu.p1 = 0xF1;
+	} else if (card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+		apdu.p1 = 0x41;
 	} else {
 		apdu.p1 = 0x01;
 	}
@@ -1239,7 +1249,8 @@ cardos_logout(sc_card_t *card)
 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_3
 		   	|| card->type == SC_CARD_TYPE_CARDOS_M4_4
-			|| card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+			|| card->type == SC_CARD_TYPE_CARDOS_V5_0
+			|| card->type == SC_CARD_TYPE_CARDOS_V5_3) {
 		sc_apdu_t apdu;
 		int       r;
 		sc_path_t path;

src/libopensc/cards.h

@@ -47,6 +47,7 @@ enum {
 	SC_CARD_TYPE_CARDOS_CIE_V1, /* Italian CIE (eID) v1 */
 	SC_CARD_TYPE_CARDOS_M4_4,
 	SC_CARD_TYPE_CARDOS_V5_0,
+	SC_CARD_TYPE_CARDOS_V5_3,
 
 	/* flex/cyberflex drivers */
 	SC_CARD_TYPE_FLEX_BASE = 2000,