giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pkcs11: no more 'hacked' mode and 'onepin' module version 

'OnePIN' version of opensc-pkcs11 module is not installed.
Instead, in the 'pkcs11' section of OpenSC configuration,
there is a possibility to define in a different manner
how to create slots for the present PINs and applications.
This commit is contained in:
Viktor Tarasov 2012-05-21 19:19:38 +02:00
parent 4b745f51af
commit d1cf65754b
9 changed files with 74 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
etc/opensc.conf.in
View File

@ -209,14 +209,14 @@ app default {
# PIV cards need an entry similar to this one:
# card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
# name = "PIV-II";
# driver = "piv";
# driver = "piv";
# }
# Estonian ID card and Micardo driver sometimes only play together with T=0
# In theory only the 'cold' ATR should be specified, as T=0 will
# be the preferred protocol once you boot it up with T=0, but be
# paranoid.
#
#
# Warm ATR v1
card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
force_protocol = t0;
@ -262,7 +262,7 @@ app default {
card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
force_protocol = t0;
}
# IAS/ECC cards
#card_atr 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00 {
# type = 25001;
@ -318,7 +318,7 @@ app default {
#
# Default: no
# try_emulation_first = yes;
# Enable builtin emulators.
# Default: yes
# enable_builtin_emulation = no;
@ -381,19 +381,19 @@ app opensc-pkcs11 {
# (which may be possible because you have already authenticated
# with the card). This setting is not very secure.
#
# Also, if your card is not locked, you can enconter problems
# due to limitation of the OpenSC framework, that still is not
# Also, if your card is not locked, you can enconter problems
# due to limitation of the OpenSC framework, that still is not
# thoroughly tested in the multi threads environment.
#
# Your settings will be more secure if you choose to lock your
# card. Nevertheless this behavior is a known violation of PKCS#11
# specification. Now once one application has started using your
# card with C_Login, no other application can use it, until
# the first is done and calls C_Logout or C_Finalize. In the case
# of many PKCS#11 application this does not happen until you exit
# Your settings will be more secure if you choose to lock your
# card. Nevertheless this behavior is a known violation of PKCS#11
# specification. Now once one application has started using your
# card with C_Login, no other application can use it, until
# the first is done and calls C_Logout or C_Finalize. In the case
# of many PKCS#11 application this does not happen until you exit
# the application.
# Thus it is impossible to use several smart card aware applications
# at the same time, e.g. you cannot run both Firefox and Thunderbird at
# Thus it is impossible to use several smart card aware applications
# at the same time, e.g. you cannot run both Firefox and Thunderbird at
# the same time, if both are configured to use your smart card.
#
# Default: false
@ -424,8 +424,8 @@ app opensc-pkcs11 {
# create_puk_slot = true;
# Report as 'zero' the CKA_ID attribute of CA certificate
# For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus)
# card reports as '0' the CKA_ID of CA cartificates.
# For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus)
# card reports as '0' the CKA_ID of CA cartificates.
# Maybe someone else will need it. (Would be nice to know who and what for -- VTA)
#
# Default: false
@ -437,6 +437,27 @@ app opensc-pkcs11 {
#
# Default: empty
# ignored_readers = "CardMan 1021", "SPR 532";
# Symbolic names of PINs for which slots are created
# Card can contain more then one PINs or more then one on-card application with
# its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be
# created for all of them. Many slots could be ennoying for some of widely used application,
# like FireFox. This configuration parameter allows to select the PINs or on-card application
# for which PKCS#11 slot will be created.
# Actually recognised following symbolic names:
# 'user', 'sign', 'application', all
# Only PINs initialised, non-SoPIN, non-unblocking are associated with symbolic name.
# 'user' is identified as first global or first local PIN.
# 'sign' is identified as second PIN: first local, second global or second local.
# 'application' slot created for each on-card application,
# even if they use a common global PIN.
# 'all' slot created for all non-sopin, non-unblocking PINs,
# optionally for PUK (see option 'create_puk_slot')
#
# Default: all
# create_slots_for_pins = "user,sign";
# create_slots_for_pins = application;
# create_slots_for_pins = "application,sign";
}
}
@ -458,8 +479,8 @@ app tokend {
# XXX: remove cardmod pseudodriver
app cardmod {
# cardmod app name use special pcsc reader subset
# fix options for this reader driver here.
# cardmod app name use special pcsc reader subset
# fix options for this reader driver here.
reader_driver cardmod {
# Enable pinpad if detected (PC/SC v2.0.2 Part 10)

15
src/pkcs11/Makefile.am
View File

@ -4,7 +4,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
EXTRA_DIST = Makefile.mak
dist_noinst_SCRIPTS = opensc_pkcs11_install.js
lib_LTLIBRARIES = opensc-pkcs11.la pkcs11-spy.la onepin-opensc-pkcs11.la
lib_LTLIBRARIES = opensc-pkcs11.la pkcs11-spy.la
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(PTHREAD_CFLAGS)
INCLUDES = -I$(top_srcdir)/src
@ -20,18 +20,12 @@ OPENSC_PKCS11_LIBS = \
$(top_builddir)/src/common/libcompat.la \
$(OPTIONAL_OPENSSL_LIBS) $(PTHREAD_LIBS)
opensc_pkcs11_la_SOURCES = $(OPENSC_PKCS11_SRC) $(OPENSC_PKCS11_INC) hack-disabled.c
opensc_pkcs11_la_SOURCES = $(OPENSC_PKCS11_SRC) $(OPENSC_PKCS11_INC)
opensc_pkcs11_la_LIBADD = $(OPENSC_PKCS11_LIBS)
opensc_pkcs11_la_LDFLAGS = $(AM_LDFLAGS) \
-export-symbols "$(srcdir)/opensc-pkcs11.exports" \
-module -shared -avoid-version -no-undefined
onepin_opensc_pkcs11_la_SOURCES = $(OPENSC_PKCS11_SRC) $(OPENSC_PKCS11_INC) hack-enabled.c
onepin_opensc_pkcs11_la_LIBADD = $(OPENSC_PKCS11_LIBS)
onepin_opensc_pkcs11_la_LDFLAGS = $(AM_LDFLAGS) \
-export-symbols "$(srcdir)/opensc-pkcs11.exports" \
-module -shared -avoid-version -no-undefined
pkcs11_spy_la_SOURCES = pkcs11-spy.c pkcs11-display.c pkcs11-display.h pkcs11-spy.exports
pkcs11_spy_la_LIBADD = \
$(top_builddir)/src/common/libpkcs11.la \
@ -43,7 +37,6 @@ pkcs11_spy_la_LDFLAGS = $(AM_LDFLAGS) \
if WIN32
opensc_pkcs11_la_SOURCES += $(top_builddir)/win32/versioninfo.rc
onepin_opensc_pkcs11_la_SOURCES += $(top_builddir)/win32/versioninfo.rc
pkcs11_spy_la_SOURCES += $(top_builddir)/win32/versioninfo.rc
endif
@ -59,7 +52,7 @@ pkcs11-jar: jar-dir
if WIN32
install-exec-hook:
$(mkdir_p) "$(DESTDIR)$(libdir)"
for l in opensc-pkcs11.dll onepin-opensc-pkcs11.dll pkcs11-spy.dll; do \
for l in opensc-pkcs11.dll pkcs11-spy.dll; do \
mv "$(DESTDIR)$(libdir)/$$l" "$(DESTDIR)$(bindir)/$$l"; \
done
else
@ -71,7 +64,7 @@ PKCS11_SUFFIX=.so
endif
install-exec-hook:
$(mkdir_p) "$(DESTDIR)$(pkcs11dir)"
for l in opensc-pkcs11$(PKCS11_SUFFIX) onepin-opensc-pkcs11$(PKCS11_SUFFIX) pkcs11-spy$(PKCS11_SUFFIX); do \
for l in opensc-pkcs11$(PKCS11_SUFFIX) pkcs11-spy$(PKCS11_SUFFIX); do \
rm -f "$(DESTDIR)$(pkcs11dir)/$$l"; \
$(LN_S) ../$$l "$(DESTDIR)$(pkcs11dir)/$$l"; \
done

12
src/pkcs11/Makefile.mak
View File

@ -1,6 +1,5 @@
TOPDIR = ..\..
TARGET0 = onepin-opensc-pkcs11.dll
TARGET1 = opensc-pkcs11.dll
TARGET3 = pkcs11-spy.dll
@ -15,18 +14,11 @@ all: $(TOPDIR)\win32\versioninfo.res $(TARGET0) $(TARGET1) $(TARGET3)
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
$(TARGET0): $(OBJECTS) hack-enabled.obj ..\libopensc\opensc_a.lib ..\pkcs15init\pkcs15init.lib
$(TARGET1): $(OBJECTS) ..\libopensc\opensc_a.lib ..\pkcs15init\pkcs15init.lib
echo LIBRARY $* > $*.def
echo EXPORTS >> $*.def
type opensc-pkcs11.exports >> $*.def
link $(LINKFLAGS) /dll /def:$*.def /implib:$*.lib /out:$(TARGET0) $(OBJECTS) hack-enabled.obj ..\libopensc\opensc_a.lib ..\pkcs15init\pkcs15init.lib $(OPENSSL_LIB) gdi32.lib
if EXIST $(TARGET0).manifest mt -manifest $(TARGET0).manifest -outputresource:$(TARGET0);2
$(TARGET1): $(OBJECTS) hack-disabled.obj ..\libopensc\opensc_a.lib ..\pkcs15init\pkcs15init.lib
echo LIBRARY $* > $*.def
echo EXPORTS >> $*.def
type opensc-pkcs11.exports >> $*.def
link $(LINKFLAGS) /dll /def:$*.def /implib:$*.lib /out:$(TARGET1) $(OBJECTS) hack-disabled.obj ..\libopensc\opensc_a.lib ..\pkcs15init\pkcs15init.lib $(OPENSSL_LIB) gdi32.lib
link $(LINKFLAGS) /dll /def:$*.def /implib:$*.lib /out:$(TARGET1) $(OBJECTS) ..\libopensc\opensc_a.lib ..\pkcs15init\pkcs15init.lib $(OPENSSL_LIB) gdi32.lib
if EXIST $(TARGET1).manifest mt -manifest $(TARGET1).manifest -outputresource:$(TARGET1);2
$(TARGET3): $(OBJECTS3) ..\libopensc\opensc.lib

12
src/pkcs11/framework-pkcs15.c
View File

@ -29,8 +29,6 @@
#include "pkcs15init/pkcs15-init.h"
#endif
extern int hack_enabled;
struct pkcs15_slot_data {
struct sc_pkcs15_object *auth_obj;
};
@ -946,7 +944,7 @@ static CK_RV pkcs15_create_tokens(struct sc_pkcs11_card *p11card)
/* Match up related keys and certificates */
pkcs15_bind_related_objects(fw_data);
if (hack_enabled)
if (sc_pkcs11_conf.create_slots_flags & SC_PKCS11_SLOT_FOR_PIN_USER)
auth_count = 1;
for (i = 0; i < auth_count; i++) {
@ -962,8 +960,8 @@ static CK_RV pkcs15_create_tokens(struct sc_pkcs11_card *p11card)
if ((pin_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) != 0)
continue;
/* Ignore unblocking pins for hacked module */
if (hack_enabled && (pin_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_UNBLOCKING_PIN) != 0)
/* Ignore unblocking PINs if there is only one authentication object */
if (auth_count == 1 && (pin_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_UNBLOCKING_PIN) != 0)
continue;
/* Ignore unblocking pins */
@ -1018,8 +1016,8 @@ static CK_RV pkcs15_create_tokens(struct sc_pkcs11_card *p11card)
/* Add all the remaining objects */
for (j = 0; j < fw_data->num_objects; j++) {
struct pkcs15_any_object *obj = fw_data->objects[j];
/* We only have one pin and only the things related to it. */
if (hack_enabled)
/* We only have one PIN and only the things related to it. */
if (sc_pkcs11_conf.create_slots_flags & SC_PKCS11_SLOT_FOR_PIN_USER)
break;
if (!(obj->base.flags & SC_PKCS11_OBJECT_SEEN)) {

2
src/pkcs11/hack-disabled.c
View File

@ -1,2 +0,0 @@
extern int hack_enabled;
int hack_enabled = 0;

2
src/pkcs11/hack-enabled.c
View File

@ -1,2 +0,0 @@
extern int hack_enabled;
int hack_enabled = 1;

18
src/pkcs11/misc.c
View File

@ -283,6 +283,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
{
scconf_block *conf_block = NULL;
char *unblock_style = NULL;
char *create_slots_for_pins = NULL, *op, *tmp;
/* Set defaults */
conf->plug_and_play = 1;
@ -293,6 +294,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
conf->pin_unblock_style = SC_PKCS11_PIN_UNBLOCK_NOT_ALLOWED;
conf->create_puk_slot = 0;
conf->zero_ckaid_for_ca_certs = 0;
conf->create_slots_flags = 0;
conf_block = sc_get_conf_block(ctx, "pkcs11", NULL, 1);
if (!conf_block)
@ -316,6 +318,22 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
conf->create_puk_slot = scconf_get_bool(conf_block, "create_puk_slot", conf->create_puk_slot);
conf->zero_ckaid_for_ca_certs = scconf_get_bool(conf_block, "zero_ckaid_for_ca_certs", conf->zero_ckaid_for_ca_certs);
create_slots_for_pins = (char *)scconf_get_str(conf_block, "create_slots_for_pins", "all");
tmp = strdup(create_slots_for_pins);
op = strtok(tmp, " ,");
while (op) {
if (!strcmp(op, "user"))
conf->create_slots_flags |= SC_PKCS11_SLOT_FOR_PIN_USER;
else if (!strcmp(op, "sign"))
conf->create_slots_flags |= SC_PKCS11_SLOT_FOR_PIN_SIGN;
else if (!strcmp(op, "application"))
conf->create_slots_flags |= SC_PKCS11_SLOT_FOR_APPLICATION;
else if (!strcmp(op, "all"))
conf->create_slots_flags |= SC_PKCS11_SLOT_CREATE_ALL;
op = strtok(NULL, " ,");
}
free(tmp);
sc_log(ctx, "PKCS#11 options: plug_and_play=%d max_virtual_slots=%d slots_per_card=%d "
"hide_empty_tokens=%d lock_login=%d pin_unblock_style=%d zero_ckaid_for_ca_certs=%d",
conf->plug_and_play, conf->max_virtual_slots, conf->slots_per_card,

6
src/pkcs11/sc-pkcs11.h
View File

@ -51,6 +51,11 @@ extern "C" {
#define SC_PKCS11_PIN_UNBLOCK_SCONTEXT_SETPIN 2
#define SC_PKCS11_PIN_UNBLOCK_SO_LOGGED_INITPIN 3
#define SC_PKCS11_SLOT_FOR_PIN_USER 1
#define SC_PKCS11_SLOT_FOR_PIN_SIGN 2
#define SC_PKCS11_SLOT_FOR_APPLICATION 4
#define SC_PKCS11_SLOT_CREATE_ALL 8
extern void *C_LoadModule(const char *name, CK_FUNCTION_LIST_PTR_PTR);
extern CK_RV C_UnloadModule(void *module);
@ -80,6 +85,7 @@ struct sc_pkcs11_config {
unsigned int pin_unblock_style;
unsigned int create_puk_slot;
unsigned int zero_ckaid_for_ca_certs;
unsigned int create_slots_flags;
};
/*

4
win32/OpenSC.wxs.in
View File

@ -46,9 +46,6 @@
<Directory Id="TARGETDIR" Name="SourceDir">
<!-- Install critical DLL-s to system folder. NB! Id-s can not contain "-" characters! -->
<Directory Id="$(var.PlatformSystemFolder)" Name=".">
<Component Id="onepin_opensc_pkcs11.dll" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\pkcs11\onepin-opensc-pkcs11.dll" Vital="yes"/>
</Component>
<Component Id="opensc_pkcs11.dll" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\pkcs11\opensc-pkcs11.dll" Vital="yes"/>
</Component>
@ -152,7 +149,6 @@
<ComponentRef Id="opensc.conf"/>
</Feature>
<Feature Id="OpenSC_pkcs11" Level="1" Title="OpenSC PKCS#11 module" Description="PKCS#11 module usd by most open source and cross-platform software (like Firefox, Putty, TrueCrypt, OpenVPN etc)" TypicalDefault="install">
<ComponentRef Id="onepin_opensc_pkcs11.dll"/>
<ComponentRef Id="opensc_pkcs11.dll"/>
</Feature>
<!-- Minidriver is only installed if selected via Custom install (level == 4) -->