MyEID: opensc.conf - option to disable PKCS1 padding in card.

config option for MyEID:  "disable_hw_pkcs1_padding"

If user set this option to non zero, OpenSC is forced to calculate padding
in software. This will allow users to use RSA 1024 with SHA512.

doc/files/opensc.conf.5.xml.in

@@ -296,6 +296,9 @@ app <replaceable>application</replaceable> {
 							<listitem><para>
 									<literal>edo</literal>: See <xref linkend="edo"/>
 							</para></listitem>
+							<listitem><para>
+									<literal>myeid</literal>: See <xref linkend="myeid"/>
+							</para></listitem>
 							<listitem><para>
 									Any other value: Configuration block for an externally loaded card driver
 							</para></listitem>
@@ -639,6 +642,37 @@ app <replaceable>application</replaceable> {
 
 		</refsect2>
 
+		<refsect2 id="myeid">
+			<title>Configuration Options for MyEID Card</title>
+			<variablelist>
+				<varlistentry>
+					<term>
+						<option>disable_hw_pkcs1_padding = <replaceable>bool</replaceable>;</option>
+					</term>
+					<listitem><para>
+							The MyEID card can internally
+							encapsulate the data (hash code)
+							into a DigestInfo ASN.1 structure
+							according to the selected hash
+							algorithm (currently only for SHA1).
+							DigestInfo is padded to RSA key
+							modulus length according to PKCS#1
+							v1.5, block type 01h. Size of the
+							DigestInfo must not exceed 40%
+							of the RSA key modulus length. If
+							this limit is unsatisfactory (for
+							example someone needs RSA 1024
+							with SHA512), the user can disable
+							this feature. In this case, the
+							card driver will do everything
+							necessary before sending the data
+							(hash code) to the card.
+					</para></listitem>
+				</varlistentry>
+
+			</variablelist>
+		</refsect2>
+
 		<refsect2 id="npa">
 			<title>Configuration Options for German ID Card</title>
 			<variablelist>

src/libopensc/card-myeid.c

@@ -86,6 +86,7 @@ typedef struct myeid_private_data {
 	 ECDH key agreement. Note that this pointer is usually not valid
 	 after this pair of calls and must not be used elsewhere. */
 	const struct sc_security_env* sec_env;
+	int disable_hw_pkcs1_padding;
 } myeid_private_data_t;
 
 typedef struct myeid_card_caps {
@@ -166,6 +167,34 @@ myeid_select_aid(struct sc_card *card, struct sc_aid *aid, unsigned char *out, s
 	return SC_SUCCESS;
 }
 
+static int myeid_load_options(sc_context_t *ctx, myeid_private_data_t *priv)
+{
+	int r;
+	size_t i, j;
+	scconf_block **found_blocks, *block;
+
+	if (!ctx || !priv) {
+		r = SC_ERROR_INTERNAL;
+		goto err;
+	}
+	priv->disable_hw_pkcs1_padding = 0;
+	for (i = 0; ctx->conf_blocks[i]; i++) {
+		found_blocks = scconf_find_blocks(ctx->conf, ctx->conf_blocks[i],
+				"card_driver", "myeid");
+		if (!found_blocks)
+			continue;
+		for (j = 0, block = found_blocks[j]; block; j++, block = found_blocks[j]) {
+			priv->disable_hw_pkcs1_padding = scconf_get_int(block, "disable_hw_pkcs1_padding", 0);
+			sc_log(ctx,"Found config option: disable_hw_pkcs1_padding = %d\n", priv->disable_hw_pkcs1_padding);
+		}
+		free(found_blocks);
+	}
+	r = SC_SUCCESS;
+
+err:
+	return r;
+}
+
 static int myeid_init(struct sc_card *card)
 {
 	unsigned long flags = 0, ext_flags = 0;
@@ -196,6 +225,9 @@ static int myeid_init(struct sc_card *card)
 	if (!priv)
 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
 
+	rv = myeid_load_options (card->ctx, priv);
+	LOG_TEST_GOTO_ERR(card->ctx, rv, "Unable to read options from opensc.conf");
+
 	priv->card_state = SC_FILE_STATUS_CREATION;
 	card->drv_data = priv;
 
@@ -224,7 +256,9 @@ static int myeid_init(struct sc_card *card)
 	    }
 	}
 
-	flags = SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_ONBOARD_KEY_GEN;
+	flags = SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_ONBOARD_KEY_GEN;
+	if (priv->disable_hw_pkcs1_padding == 0)
+		flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
 	flags |= SC_ALGORITHM_RSA_HASH_NONE;
 
 	_sc_card_add_rsa_alg(card,  512, flags, 0);