sc_pkcs15_encode_pubkey_as_spki replaces sc_pkcs15_encode_pubkey_with_param.

The name implies what the format of the returned value, a SPKI.

The support for spki as a pkcs15 format of a pubkey, is extended to
work for any algorithm not just EC pubkeys. PKCS#15 appears to allow this.

sc_pkcs15_decode_pubkey_with_param will look for a SPKI
and attempt to use it for any algorithm, including RSA.
(RSA is the null case, as there are no algorithm parameters.)

sc_pkcs15_encode_pubkey_as_spki is exported from libopensc.

pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys
as SPKI for RSA and EC.

The pubkey->data is never a SPKI, it is the DER encoding of the
pubkey without the parameters.  If an spki is needed, use the
sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the spki.

As in the previous set of patches, pkcs15-tool.c will output both
sc_pkcs15_decode_pubkey_with_param and its internal.
This was left for testing, and the pubkey_pem_encode should be deleted

src/libopensc/libopensc.exports

@@ -163,6 +163,7 @@ sc_pkcs15_encode_pubkey_dsa
 sc_pkcs15_encode_pubkey_rsa
 sc_pkcs15_encode_pubkey_ec
 sc_pkcs15_encode_pubkey_gostr3410
+sc_pkcs15_encode_pubkey_as_spki
 sc_pkcs15_encode_pukdf_entry
 sc_pkcs15_encode_tokeninfo
 sc_pkcs15_encode_unusedspace

src/libopensc/pkcs15-piv.c

@@ -879,6 +879,10 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
 			if (r < 0) 
 				continue;
 
+			/* Lets also try another method. */
+			sc_pkcs15_encode_pubkey_as_spki(card->ctx,p15_key, 
+				&pubkey_obj.content.value, &pubkey_obj.content.len);
+			
 			/* Only get here if no cert, and the the above found the
 			 * pub key file (actually the SPKI version). This only 
 			 * happens when trying initializing a card and have set 
@@ -911,7 +915,9 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
 			p15_key = NULL;
 		}
 		else if (ckis[i].pubkey_from_cert && ckis[i].pubkey_from_cert->data.value) {
-		    sc_der_copy(&pubkey_obj.content, &ckis[i].pubkey_from_cert->data);
+		    sc_pkcs15_encode_pubkey_as_spki(card->ctx,ckis[i].pubkey_from_cert,
+				&pubkey_obj.content.value, &pubkey_obj.content.len);
+//		    sc_der_copy(&pubkey_obj.content, &ckis[i].pubkey_from_cert->data);
 		    pubkey_obj.emulated = ckis[i].pubkey_from_cert;
 		}
 

src/libopensc/pkcs15-pubkey.c

@@ -36,9 +36,9 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
-	#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
-	#include <openssl/ec.h>
+#include <openssl/ec.h>
-	#endif
+#endif
 #endif
 #endif
 
@@ -141,7 +141,7 @@ static const struct sc_asn1_entry c_asn1_pubkey_choice[C_ASN1_PUBKEY_CHOICE_SIZE
 		{ "publicDSAKey", SC_ASN1_PKCS15_OBJECT, 2 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
 		{ "publicGOSTR3410Key", SC_ASN1_PKCS15_OBJECT, 4 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
 		{ "publicECKey", SC_ASN1_PKCS15_OBJECT, 0 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
-/*TODO: -DEE not clear EC is needed here  as look like it is for pukdf */
+		/*TODO: -DEE not clear EC is needed here  as look like it is for pukdf */
 		{ NULL, 0, 0, 0, NULL, NULL }
 };
 
@@ -681,46 +681,67 @@ static const struct sc_asn1_entry       c_asn1_spki_key[] = {
 		{ NULL, 0, 0, 0, NULL, NULL }
 };
 
+/*
+ * Encode a pubkey as a SPKI, useful for pkcs15-tool, and for PKCS#15 files. 
+ */
 
 int
-sc_pkcs15_encode_pubkey_ec_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey,
+sc_pkcs15_encode_pubkey_as_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey,
 		u8 **buf, size_t *len)
 {
 	int r;
 	struct sc_asn1_entry  asn1_spki_key[2],
 	asn1_spki_key_items[3];
+	struct sc_pkcs15_u8 pkey;
 	size_t key_len;
 
-	key_len = pubkey->u.ec.ecpointQ.len * 8;
+	pkey.value =  NULL;
+	pkey.len = 0;
 
+	switch (pubkey->algorithm) {
+	case SC_ALGORITHM_EC:
+		/*
+		 * most keys, but not EC have only one encoding.
+		 * For a SPKI, the ecpoint is placed directly in the
+		 * BIT STRING
+		 */
+
+		key_len = pubkey->u.ec.ecpointQ.len * 8;
+		pkey.value = pubkey->u.ec.ecpointQ.value;
+		pkey.len = 0; /* flag as do not delete */
+		/* TODO make sure algorithm params are available*/
+		/* if not can we copy them from the u.ec */
+		r = 0;
+		break;
+	case SC_ALGORITHM_GOSTR3410:
+		/* TODO is this needed?  does it cause mem leak? */
+		pubkey->alg_id->params = &pubkey->u.gostr3410.params;
+		r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len);
+		key_len = pkey.len * 8;
+		break;
+	default:
+		r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len);
+		key_len = pkey.len * 8;
+		break;
+	}
+
+	if (r == 0) {
 		sc_copy_asn1_entry(c_asn1_spki_key, asn1_spki_key);
 		sc_copy_asn1_entry(c_asn1_spki_key_items, asn1_spki_key_items);
 		sc_format_asn1_entry(asn1_spki_key + 0, asn1_spki_key_items, NULL, 1);
 		sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1);
-	sc_format_asn1_entry(asn1_spki_key_items + 1, pubkey->u.ec.ecpointQ.value, &key_len, 1);
+		sc_format_asn1_entry(asn1_spki_key_items + 1, pkey.value, &key_len, 1);
 
 		r =  sc_asn1_encode(ctx, asn1_spki_key, buf, len);
+	}
+
+	if (pkey.len && pkey.value)
+		free(pkey.value);
 
 	return r;
 }
 
 
-/*
- * Encode public key in a format that preserves key parameter
- *
- * EC key are encoded as Subject Public Key Info per RFC5280
- */
-int
-sc_pkcs15_encode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
-		u8 **buf, size_t *len)
-{
-	if (key->algorithm != SC_ALGORITHM_EC)
-		return sc_pkcs15_encode_pubkey(ctx, key, buf, len);
-	else
-		return sc_pkcs15_encode_pubkey_ec_spki(ctx, key, buf, len);
-}
-
-
 int
 sc_pkcs15_decode_pubkey(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
 		const u8 *buf, size_t len)
@@ -745,8 +766,10 @@ int
 sc_pkcs15_decode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
 		const u8 *buf, size_t len)
 {
-	if ((key->algorithm == SC_ALGORITHM_EC) && (*buf == 0x30)) {
+	/* We assume all algrothims allow SPKI  which starts with a sequence*/
-		// Decode EC Public Key from SPKI
+
+	if (*buf == 0x30) {
+		/* Decode  Public Key from SPKI */
 		return sc_pkcs15_copy_pubkey_from_spki_object(ctx, buf, len, key);
 	} else {
 		key->data.value = (u8 *)buf;
@@ -1025,7 +1048,7 @@ sc_pkcs15_read_der_file(sc_context_t *ctx, char * filename,
 	*buf = rbuf;
 	rbuf = NULL;
 	r = rbuflen;
-out:
+	out:
 	if (rbuf)
 		free(rbuf);
 	if (f > 0)
@@ -1132,7 +1155,7 @@ sc_pkcs15_pubkey_from_spki(sc_context_t *ctx, sc_pkcs15_pubkey_t ** outpubkey,
 	pubkey = NULL;
 	return 0;
 
-err:
+	err:
 	if (pubkey)
 		free(pubkey);
 	if (pk.value)

src/libopensc/pkcs15.h

@@ -690,7 +690,7 @@ int sc_pkcs15_decode_pubkey(struct sc_context *,
 		struct sc_pkcs15_pubkey *, const u8 *, size_t);
 int sc_pkcs15_encode_pubkey(struct sc_context *,
 		struct sc_pkcs15_pubkey *, u8 **, size_t *);
-int sc_pkcs15_encode_pubkey_with_param(struct sc_context *,
+int sc_pkcs15_encode_pubkey_as_spki(struct sc_context *,
 		struct sc_pkcs15_pubkey *, u8 **, size_t *);
 void sc_pkcs15_erase_pubkey(struct sc_pkcs15_pubkey *);
 void sc_pkcs15_free_pubkey(struct sc_pkcs15_pubkey *);

src/pkcs15init/pkcs15-lib.c

@@ -1552,7 +1552,7 @@ sc_pkcs15init_store_public_key(struct sc_pkcs15_card *p15card,
 
 	/* DER encode public key components */
 	/* EC key are encoded as SPKI to preserve domain parameter */
-	r = sc_pkcs15_encode_pubkey_with_param(p15card->card->ctx, &key, &object->content.value, &object->content.len);
+	r = sc_pkcs15_encode_pubkey_as_spki(p15card->card->ctx, &key, &object->content.value, &object->content.len);
 	LOG_TEST_RET(ctx, r, "Encode public key error");
 
 	/* Now create key file and store key */

src/pkcs15init/pkcs15-sc-hsm.c

@@ -341,6 +341,14 @@ static int sc_hsm_decode_gakp_rsa(struct sc_pkcs15_card *p15card,
 	}
 
 	pubkey->algorithm = SC_ALGORITHM_RSA;
+
+	pubkey->alg_id = (struct sc_algorithm_id *)calloc(1, sizeof(struct sc_algorithm_id));
+	if (!pubkey->alg_id) {
+		LOG_FUNC_RETURN(p15card->card->ctx, SC_ERROR_OUT_OF_MEMORY);
+	}
+
+	pubkey->alg_id->algorithm = SC_ALGORITHM_RSA;
+
 	pubkey->u.rsa.modulus.len	= cvc->primeOrModuluslen;
 	pubkey->u.rsa.modulus.data	= malloc(pubkey->u.rsa.modulus.len);
 	pubkey->u.rsa.exponent.len	= sizeof(pubexp);

src/tools/pkcs15-tool.c

@@ -639,6 +639,9 @@ static int read_public_key(void)
 	sc_pkcs15_cert_t *cert = NULL;
 	sc_pkcs15_der_t pem_key;
 
+	pem_key.value = NULL;
+	pem_key.len = 0;
+
 	id.len = SC_PKCS15_MAX_ID_SIZE;
 	sc_pkcs15_hex_string_to_id(opt_pubkey, &id);
 
@@ -674,6 +677,17 @@ static int read_public_key(void)
 		return 1;
 	}
 
+	fprintf(stderr, "Using sc_pkcs15_encode_pubkey_as_spki:\n");
+	r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len);
+	if (r < 0) {
+		fprintf(stderr, "Error encoding PEM key: %s\n", sc_strerror(r));
+		r = 1;
+	} else {
+		r = print_pem_object("PUBLIC KEY", pem_key.value, pem_key.len);
+		free(pem_key.value);
+	}
+
+	fprintf(stderr, "Using pubkey_pem_encode:\n");
 	r = pubkey_pem_encode(pubkey, &pubkey->data, &pem_key);
 	if (r < 0) {
 		fprintf(stderr, "Error encoding PEM key: %s\n", sc_strerror(r));