emulated cards. True PKCS#15 cards with EC
will need additional changes.
Main changes are in framework-pkcs15.c, mechanism.c,
padding.c, pkcs15-algo.c and pkcs15-sec.c
where switch statements for key type, and testing
of flags was modified to make it easier to add
additional key types in the future.
The code was tested using RSA and ECDSA using a PIV card
from pkcs11-tool, OpenSSL and Thunderbird with
modifications to NSS-3.12.7 to get ECDSA to sign e-mail.
Only named curves are supported for ECDSA, ECDH is still
needed. pkcs11-tool has only minimal changes need to work
with the -O option to list EC keys.
One additional line was added to pkcs15-sec.c which
should get GOSTR sign to work.
libp11 and engine do not yet have EC support.
--This line, and those below, will be ignored--
M src/tools/piv-tool.c
M src/tools/pkcs11-tool.c
M src/pkcs11/framework-pkcs15.c
M src/pkcs11/mechanism.c
M src/pkcs11/pkcs11-object.c
M src/libopensc/pkcs15-prkey.c
M src/libopensc/card-piv.c
M src/libopensc/padding.c
M src/libopensc/cardctl.h
M src/libopensc/pkcs15-algo.c
M src/libopensc/libopensc.exports
M src/libopensc/pkcs15-piv.c
M src/libopensc/pkcs15-sec.c
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
* check for out of memory conditions
* register SHA256 as well
* key generation depends on onboard key generation capabilities, not OpenSSL
Further adjustments are needed.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4894 c6295689-39f2-0310-b995-f0e70906c6a9
spy segfaulted if CKU_CONTEXT_SPECIFIC was used,
pkcs11-session was reseting the userType before calling
framework. Framework will now see CKU_CONTEXT_SPECIFIC
and use slot->login_user to determine which PIN was used
to create the original session, and will send the PIN
to the card. It does not treats CKU_CONTEXT_SPECIFIC
as a full login, only a reassertion of the PIN.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4880 c6295689-39f2-0310-b995-f0e70906c6a9
pkcs15.c: object search continues with normal processing, even if enumeration of some files failed
pkcs15.h: obsolete prototype removed
pkcs15-syn.c: now obsolete function sc_pkcs15emu_postponed_load removed
fixes: #266
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4877 c6295689-39f2-0310-b995-f0e70906c6a9
sc_pkcs15_cert now has pointer to sc_pkcs15_pubkey, allowing it to
be removed and used separatly.
sc_pkcs15_pubkey now has pointer to sc_algorithm_id to faclitate
addition of other key algorithms and their parameters.
Various code changes to free these structures and references
to the structures have been changed.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4805 c6295689-39f2-0310-b995-f0e70906c6a9
Assuming the driver has correctly set max_tries to 1 then PKCS#11 is very clear about it:
"""
True if supplying an incorrect user PIN will it to become locked.
"""
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4687 c6295689-39f2-0310-b995-f0e70906c6a9
Support for importing cleartext keys is left untouched, but all transparent key generation by either opensc-pkcs11.so or pkcs15-init is removed, to make the operation with cleartext keys visible to the user and his explicit wish.
OpenSC is a PKCS#11 library for accessing keys protected by a smart card. Key material in software is not protected by smart cards and can leave a false sense of security to the user.
http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013877.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4646 c6295689-39f2-0310-b995-f0e70906c6a9
From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety
" Casting and type safety
malloc returns a void pointer (void *), which indicates that it is a
pointer to a region of unknown data type. One may "cast" (see type
conversion) this pointer to a specific type, as in
int *ptr = (int*)malloc(10 * sizeof (int));
When using C, this is considered bad practice; it is redundant under the
C standard. Moreover, putting in a cast may mask failure to include the
header stdlib.h, in which the prototype for malloc is found. In the
absence of a prototype for malloc, the C compiler will assume that
malloc returns an int, and will issue a warning in a context such as the
above, provided the error is not masked by a cast. On certain
architectures and data models (such as LP64 on 64 bit systems, where
long and pointers are 64 bit and int is 32 bit), this error can actually
result in undefined behavior, as the implicitly declared malloc returns
a 32 bit value whereas the actually defined function returns a 64 bit
value. Depending on calling conventions and memory layout, this may
result in stack smashing.
The returned pointer need not be explicitly cast to a more specific
pointer type, since ANSI C defines an implicit conversion between the
void pointer type and other pointers to objects. An explicit cast of
malloc's return value is sometimes performed because malloc originally
returned a char *, but this cast is unnecessary in standard C
code.[4][5] Omitting the cast, however, creates an incompatibility with
C++, which does require it.
The lack of a specific pointer type returned from malloc is type-unsafe
behaviour: malloc allocates based on byte count but not on type. This
distinguishes it from the C++ new operator that returns a pointer whose
type relies on the operand. (see C Type Safety). "
See also
http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
* reduce to a few, supported functions.
* change all functions to take the debug level as parameter.
* use symbolic names for the debug levels.
* fix tools to pass "verbose"/"opt_debug" as ctx->debug.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
In fact, the middleware of the manufacturer of the gemalto (axalto, gemplus) cards
reports the CKA_ID of CA certificates as '0'.
But it's not true for the others middlewares (Oberthur), NSS (afais) and PKCS#11 standard.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4095 c6295689-39f2-0310-b995-f0e70906c6a9
*** glibc detected *** invalid pointer: 0x00007fff9e9f7670 ***
Program received signal SIGABRT, Aborted.
0x00007f971d0a8ea5 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007f971d0a8ea5 in raise () from /lib64/libc.so.6
#1 0x00007f971d0aaab3 in abort () from /lib64/libc.so.6
#2 0x00007f971d0e7d58 in __libc_message () from /lib64/libc.so.6
#3 0x00007f971d0ed7e8 in malloc_printerr () from /lib64/libc.so.6
#4 0x00007f971d0efda6 in free () from /lib64/libc.so.6
#5 0x0000000000410f5c in pkcs15_gen_keypair (p11card=0x72aec0, slot=<value optimized out>,
pMechanism=<value optimized out>, pPubTpl=<value optimized out>, ulPubCnt=<value optimized out>,
pPrivTpl=<value optimized out>, ulPrivCnt=6, phPubKey=0x7fff9e9f7e50, phPrivKey=0x7fff9e9f7e58)
at framework-pkcs15.c:1763 /* see opensc-0.11.13 */
#6 0x0000000000409a6e in C_GenerateKeyPair
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4032 c6295689-39f2-0310-b995-f0e70906c6a9
(In function 'pkcs15_add_object': warning: unused parameter 'pHandle')
Example (C_CreateObject):
Breakpoint 3, C_CreateObject (hSession=134587040, pTemplate=0x8049160, ulCount=5, phObject=0xbff55560)
at pkcs11-object.c:57
57 rv = sc_pkcs11_lock();
(gdb) x/x phObject
0xbff55560: 0xffffffff
(gdb) finish
0xb7f5c6c0 17:15:09.969 [opensc-pkcs11] framework-pkcs15.c:657:pkcs15_add_object: Setting object handle of 0x0 to 0x805ab80
Run till exit from #0 C_CreateObject (hSession=134587040, pTemplate=0x8049160, ulCount=5,
phObject=0xbff55560) at pkcs11-object.c:57
0x080487a4 in main ()
Value returned is $1 = 0
(gdb) x/x 0xbff55560
0xbff55560: 0xffffffff
(gdb) c
Continuing.
Breakpoint 4, C_DestroyObject (hSession=134587040, hObject=4294967295) at pkcs11-object.c:106
106 rv = sc_pkcs11_lock();
(gdb) p/x hObject
$2 = 0xffffffff
(gdb) finish
Run till exit from #0 C_DestroyObject (hSession=134587040, hObject=4294967295) at pkcs11-object.c:106
0xb7f5c6c0 17:15:56.581 [opensc-pkcs11] pkcs11-object.c:110:C_DestroyObject: C_DestroyObject(hSession=0x805a2a0, hObject=0xffffffff)
0x080487cb in main ()
Value returned is $3 = 130
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3944 c6295689-39f2-0310-b995-f0e70906c6a9
- slots, sessions and objects are kept as lists.
- change the way slots, cards and readers are managed.
- re-implement C_WaitForSlotEvent(/C_Finalize) as written in PCKS#11 v2.20, canceling pending blocking calls.
- implement a "virtual hotplug slot" with a floating slot id to keep NSS working with C_WaitForSlotEvent with a new reader.
NSS does not call C_GetSlotList(NULL) to re-fetch the list of available slots if C_WaitForSlotEvent returns an event in an already known slot ID.
By changing the ID of a slot whenever a reader attached NSS/Firefox can be tricked into recognizing new readers when waiting for events with C_WaitForSlotEvent.
- change (possibly break something) sc_to_cryptoki_error() to not have side-effects
- Implement CKU_CONTEXT_SPECIFIC in C_Login to implement CKA_ALWAYS_AUTHENTICATE (keys with user consent)
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3935 c6295689-39f2-0310-b995-f0e70906c6a9
One of the three unblock methods can be activated from the 'opensc-pkcs11' section of opensc.conf:
- C_SetPin() in the unlogged sesssion;
- C_SetPin() in the CKU_SPECIFIC_CONTEXT session;
- C_InitPin() in CKU_SO session (inspired by Pierre Ossman).
-- This last one works, for a while, only for the pkcs15 cards without SOPIN auth object.
For the pkcs15 cards with SOPIN, this method will be useful for the cards
that do not have then modes '00' and '01' of ISO command 'RESET RETRY COUNTER'.
Test commands:
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --unlock-pin --puk "123456" --new-pin "9999"
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --unlock-pin -l --login-type context-specific --puk "123456" --new-pin "9999"
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --init-pin -l --new-pin "9999"
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3901 c6295689-39f2-0310-b995-f0e70906c6a9
- Correctly report Cryptoki version if v2.20 is used.
- Consistently report no version for hardware/software we know no version information about.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3627 c6295689-39f2-0310-b995-f0e70906c6a9
1. Build system now supports MinGW (Windows) compilation using msys and cross compilation.
2. Ability to explicitly disable and enable dependencies of the package.
3. openct, pcsc and nsplugins features are disabled by default.
4. Modified pcsc driver to use pcsc dynamically, no compile time dependency is required.
5. --enable-pcsc-lite configuration option renamed to --enable-pcsc.
6. Install opensc.conf file (as opensc.conf.new if opensc.conf exists).
7. Add--enable-doc configuration option, allow installing documentation into target.
8. Add --disable-man configuration option, allow msys mingw32 users to
build from svn without extra dependencies.
9. Add export files to each library in order to export only required symbols.
Windows native build may use these files instead of scanning objects' symbols.
10. Add opensc-tool --info to display some general information about the build.
11. Create compatibility library to be linked against library instread of recompiling the
same source files in different places.
12. Add different win32 version resource to each class of outputs.
13. Make xsl-stylesheets location selectable.
14. Some win32 fixups.
15. Some warning fixups.
16. Many other autoconf/automake cleanups.
Alon Bar-Lev
svn diff -r 3315:3399 https://www.opensc-project.org/svn/opensc/branches/alonbl/mingw
_M .
D configure.in
_M src
_M src/openssh
M src/openssh/Makefile.am
_M src/tools
M src/tools/rutoken-tool.c
M src/tools/opensc-tool.c
M src/tools/cardos-info.c
M src/tools/pkcs15-crypt.c
M src/tools/pkcs15-init.c
M src/tools/piv-tool.c
M src/tools/netkey-tool.c
M src/tools/eidenv.c
M src/tools/cryptoflex-tool.c
M src/tools/util.c
M src/tools/pkcs11-tool.c
M src/tools/pkcs15-tool.c
M src/tools/util.h
M src/tools/opensc-explorer.c
M src/tools/Makefile.am
_M src/pkcs11
M src/pkcs11/pkcs11-global.c
M src/pkcs11/framework-pkcs15.c
M src/pkcs11/mechanism.c
M src/pkcs11/pkcs11-display.c
M src/pkcs11/pkcs11-object.c
A src/pkcs11/opensc-pkcs11.exports
M src/pkcs11/sc-pkcs11.h
M src/pkcs11/pkcs11-spy.c
M src/pkcs11/openssl.c
M src/pkcs11/Makefile.am
A src/pkcs11/pkcs11-spy.exports
_M src/tests
_M src/tests/regression
M src/tests/regression/Makefile.am
M src/tests/sc-test.c
M src/tests/pintest.c
M src/tests/Makefile.am
_M src/include
_M src/include/opensc
M src/include/opensc/Makefile.am
A src/include/opensc/svnignore
M src/include/Makefile.am
_M src/signer
_M src/signer/npinclude
M src/signer/npinclude/Makefile.am
M src/signer/Makefile.am
A src/signer/signer.exports
_M src/common
A src/common/compat_dummy.c
D src/common/getopt.txt
D src/common/strlcpy.c
D src/common/LICENSE
A src/common/compat_getopt.txt
A src/common/compat_strlcpy.c
A src/common/LICENSE.compat_getopt
A src/common/compat_getopt.c
D src/common/strlcpy.h
D src/common/ChangeLog
D src/common/getpass.c
D src/common/my_getopt.c
A src/common/compat_strlcpy.h
A src/common/compat_getpass.c
A src/common/compat_getopt.h
A src/common/ChangeLog.compat_getopt
D src/common/README.strlcpy
D src/common/my_getopt.h
A src/common/compat_getpass.h
A src/common/README.compat_strlcpy
D src/common/strlcpy.3
A src/common/README.compat_getopt
D src/common/getopt.3
D src/common/README.my_getopt
A src/common/compat_strlcpy.3
A src/common/compat_getopt.3
M src/common/Makefile.am
M src/Makefile.am
_M src/pkcs15init
M src/pkcs15init/pkcs15-oberthur.c
M src/pkcs15init/profile.c
M src/pkcs15init/pkcs15-lib.c
M src/pkcs15init/pkcs15-rutoken.c
A src/pkcs15init/pkcs15init.exports
M src/pkcs15init/pkcs15-gpk.c
M src/pkcs15init/Makefile.am
_M src/scconf
M src/scconf/Makefile.am
M src/scconf/parse.c
A src/scconf/scconf.exports
_M src/libopensc
M src/libopensc/card-rutoken.c
M src/libopensc/compression.c
M src/libopensc/sc.c
M src/libopensc/card-piv.c
M src/libopensc/pkcs15-openpgp.c
M src/libopensc/pkcs15-postecert.c
M src/libopensc/pkcs15-tcos.c
M src/libopensc/opensc-config.in
M src/libopensc/reader-pcsc.c
A src/libopensc/internal-winscard.h
M src/libopensc/ctx.c
A src/libopensc/libopensc.exports
M src/libopensc/pkcs15-piv.c
M src/libopensc/pkcs15-infocamere.c
M src/libopensc/internal.h
M src/libopensc/pkcs15-actalis.c
M src/libopensc/pkcs15-starcert.c
M src/libopensc/card-oberthur.c
M src/libopensc/pkcs15-atrust-acos.c
M src/libopensc/p15card-helper.c
D src/libopensc/part10.h
M src/libopensc/ui.c
M src/libopensc/card-gpk.c
M src/libopensc/pkcs15-wrap.c
M src/libopensc/pkcs15-gemsafeGPK.c
M src/libopensc/log.c
M src/libopensc/pkcs15-esteid.c
M src/libopensc/pkcs15-prkey-rutoken.c
M src/libopensc/log.h
M src/libopensc/Makefile.am
M src/libopensc/reader-openct.c
_M aclocal
M aclocal/Makefile.am
_M win32
M win32/Makefile.am
A win32/versioninfo.rc.in
A win32/ltrc.inc
A configure.ac
_M doc
_M doc/tools
M doc/tools/pkcs15-profile.xml
D doc/changelog.sh
D doc/export-wiki.xsl
_M doc/api
_M doc/api/file
M doc/api/man.xsl
_M doc/api/asn1
_M doc/api/apps
_M doc/api/init
_M doc/api/types
_M doc/api/card
M doc/api/html.xsl
_M doc/api/misc
_M doc/api/util
M doc/Makefile.am
D doc/export-wiki.sh
AM doc/nonpersistent
A doc/nonpersistent/export-wiki.xsl
A doc/nonpersistent/Makefile.am
A doc/nonpersistent/export-wiki.sh
A doc/nonpersistent/svn2cl.xsl
D doc/generate-man.sh
D doc/svn2cl.xsl
M Makefile.am
A svnignore
_M etc
M etc/opensc.conf.in
M etc/Makefile.am
D man
_M solaris
M solaris/Makefile
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3405 c6295689-39f2-0310-b995-f0e70906c6a9
add support for reading, writing and deleting private (require cache_pins) and
public data objects in PKCS11. updated the pkcs11-tool and fixed a few
bugs in the code. Tested on an aladdin etoken.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3176 c6295689-39f2-0310-b995-f0e70906c6a9
Looking at framework-pkcs11.c, it looks like there is a bug in the handling of
auth_count, if there is more then one pin, and one of the pins is a
SC_PKCS15_PIN_FLAG_SO_PIN.
The for loop at line 767 will add a slot for each non SO_PIN or UNBLOCKING_PIN.
But at line 812, the auth_count is still set to the number of pins, even though
the SO_PIN did not cause a new slot to be allocated and thus the test of
hide_empty_tokens will not be used.
With the attached patch, I can get the expected behavior when hide_empty_tokens
= yes in the opensc.conf from pkcs11-tool -L, pkcs11-tool -O and pkcs11-tool -O
-l
There is only 1 slot allocated, the pkcs11-tool -O shows all the public
objects, and pkcs11-tool -O -l (after PIN) shows all the objects, and Heimdal
PKINIT still runs.
I still think that if two or more slots need to be allocated for multiple auth
pins, then all the public objects should be added to each. I have an additional
mod for this too.
Since the cards I am working with only have 1 pin, the attached mods works for
me. Note it looks like the pkcs15-openpgp.c might also be affected by this
change as it defines two pins an auth pin and a SO_PIN, much like the PIV card
does.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3175 c6295689-39f2-0310-b995-f0e70906c6a9
pubkey or from apubkey to a privkey object. But it does not copy the
modulus_len.
This patch will look at pub_info->modulus_len and prv_info->modulus_len and
copy the modulus_len while copying the modulus. This will be used with the
pkcs15-piv code when it creates pub and priv objects, as it has no way other
then from the certificates to know the modulus_len.
By Douglas E. Engert.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3171 c6295689-39f2-0310-b995-f0e70906c6a9
void sc_mem_clear(void *ptr, size_t len);
to clear a memory buffer. If OpenSSL is used this function
is a wrapper for OPENSSL_cleanse, otherwise memset is currenlty used.
Use this function to clear memory buffers with sensitive content.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2601 c6295689-39f2-0310-b995-f0e70906c6a9
Jochen Friedrich)
- Fixed one bug in sc_copy_asn1_entry(), one in
sc_pkcs15init_add_object() and one in pkcs15-crypt
(patches also by Jochen)
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@609 c6295689-39f2-0310-b995-f0e70906c6a9
- Implemented a generic ATR matching helper function
- Made signing much smarter (should even work now)
- Added info about supported crypto algorithms to struct sc_card
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@276 c6295689-39f2-0310-b995-f0e70906c6a9
andre
dengert
martin
viktor.tarasov
ludovic.rousseau
aj
s
alonbl
nils
sth
bert
aet
okir
fabled
jey