Commit 2f10de4f5c ("use sc_pkcs15_get_pin_info in C_GetTokenInfo")
introduced dependency of logged in state returned for session
by C_GetTokenInfo() on logged_in field of that session slot PIN.
This field is updated by sending pin_cmd of type SC_PIN_CMD_GET_INFO to
card.
However, not all cards support such pin_cmd type (in fact, majority of
them don't). In this case logged_in field is usually left zero-initialized
which means SC_PIN_STATE_LOGGED_OUT.
With such logged_in field value C_GetTokenInfo() always returns
CKS_R{O,W}_PUBLIC_SESSION, instead of CKS_R{O,W}_USER_FUNCTIONS when
logged in.
At least Firefox (and probably other NSS-based software, too) is confused
by such value and keeps repeating PIN prompts a few times until it
ultimately considers that logging in to this slot has failed.
Fix this by initializing PIN logged_in field to SC_PIN_STATE_UNKNOWN for
cards that do not support SC_PIN_CMD_GET_INFO pin_cmd.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
"CHANGE REFERENCE DATA" (PIN change) and "RESET RETRY COUNTER"
(PIN unblock) commands in OpenPGP card have various limitations.
These also depend on whether the card is version 1.x or 2.x.
Provide helpful debug messages for user in case he is trying to do
a PIN command in a way that isn't supported by the card.
Also, take into account that version 2.x cards don't support references to
PW1-mode 2 (82) in these commands - change them to PW1 (81).
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
According to descriptions of commands "PSO: COMPUTE DIGITAL SIGNATURE",
"PSO: DECIPHER" and "INTERNAL AUTHENTICATE" in OpenPGP card spec (versions
1.1 and 2.1.1) the card adds / strips and checks PKCS#1 padding
automatically.
There is no documented way to perform raw RSA operations on this card so
SC_ALGORITHM_RSA_RAW flag shouldn't be set.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
_get_auth_object_by_name() in pkcs11/framework-pkcs15.c needs user PIN
to be the first one and then next one can be signature PIN, but OpenPGP
card had it reversed.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
The code attempted to handle extensions assuming extensions were ordered. The
only extension it handled was crl's, but the handling was wrong and I didn't
find any actual use of the crl code. I've changed it to cache all the extensions
and then provided accessors functions to read a specific extension. I needed this
to read the key Usage, but the extension fetching code can work with any extension
(though the caller will need to parse the result. I also added code that parses DN
and returns a specifically requested DN component. I needed this to get the Common
Name for the certificate Subject. This gives the token a 'unique' name rather than
some generic name (like CAC-I or CAC-II). Both of these can be used to enhance the
piv support as well.
rebased by VTA
Closes#852
When sc_lock obtains a reader lock this function is called
If the card was reset the PIV AID is seletcted and logged_in is reset.
This is need for some PIV cards where the default AID is not the PIV AID
and some other process has reset the card.
closes#842
Add card_reader_lock_obtained function to sc_card_operations
During sc_lock, if card->reader->ops->lock is called, card->ops->card_reader_lock_obtained will be called.
If PCSC is being used as the reader driver, this occures just after pcsc_lock has done a SCardBeginTransaction
and our process has exclusive control over the card. The card driver can then determine if the state of the
card has changed, and take action to get the card into an acceptable state.
If card->reader->ops->lock returns SC_ERROR_CARD_RESET, indicating some other process has interefered
with the state of the card. was_reset=1 is passed to card->ops->card_reader_lock_obtained.
Some examples of actions that could be done by the card driver is to select the AID and reset logged_in.
Currently the card driver is not notified. So no default card_reader_lock_obtained is defined in iso7816.c
After card reset detected, run SM open under new transaction
Before trying to reestablish SM session or onte code that may
need to use a transaction, get the transaction that will be
used by the caller od sc_lock.
closes#837
PIN cache is not updated when PIN is verified using the PIN value from cache.
That's the case of validating PIN in 'revalidate' context.
Few source format fixes included
closes#805
A sleep(1) is added after SCARD_W_CARD_RESET as done in other parts of reader-pcsc.c
Extra debugging messages are output.
SCard routines return "LONG" which may be different then "long" on some systems
were "LONG" is 32 bits and "long" is 64 bits.
Make sure printf format of 0x%08lx has a matching "long" input variable.
This closes#816
Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some
of the issues. OpenSC developers don't have access to all the different versions of devices
or access to release notes for the devices to see when a bug was introduced and when it is fixed.
To make OpenSC code changes easier, the code is divided into four sections:
(1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR.
For the Yubico devices read their version number and log it via sc_debug.
(2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment.
See below.
(3) based on the card->type and possibly Yubico version set the priv->card_issues flags that
apply to current card or device.
(4) Implement in the code changes needed for each issue.
Other issues can be added. As more info is obtained (3) can be updated using the version
number as needed.
The card issues are:
CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX
CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after
first PIN verify if protected object can be used instead
CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0
CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified
CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID
CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3
CI_NO_RSA2048 - does not have RSA 2048
CI_NO_EC384 - does not have EC 384
The piv_card_match and piv_init interactions were cleaned up.
Changes to be committed:
modified: card-piv.c
modified: cards.h
- IAS/ECC has the category indicator byte in EF.ATR, which is a
violation of ISO 7816-4, where it is only allowed in the historical
bytes of ATR. Removing the IAS/ECC specific modification of EF.ATR
allows reading ISO complient EF.ATR again.
- IAS/ECC parsing should still be successfull. We now always try to
check for ISO7816_TAG_II_STATUS_SW ignoring the category indicator
byte
introduced paramter to signal back the login state
- used for the pin command SC_PIN_CMD_GET_INFO
- implemented in accordance to ISO 7816-4; all other implementations
are currently set to an unknown login state
implemented and exporeted sc_pkcs15_get_pin_info
use sc_pkcs15_get_pin_info in C_GetTokenInfo
C_GetSessionInfo: Check whether a logout was done
Closes https://github.com/OpenSC/OpenSC/pull/624
rebased by @viktorTarasov
`sm_incr_ssc` performed an out of bounds write when `ssc` is bigger than
255. The local variable `ii` needs to be decremented instead of
incremented in the `for`-loop.
This was introduced in d30cd83a, wheras The previous implementation did
actually decrement `ii`, see d30cd83ad4
Fixes https://github.com/OpenSC/OpenSC/issues/785
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
Based on the paragraph from PKCS#11 MECHANISMS V2.30: 6.3.1 EC Signatures:
If the length of the hash value is larger than the bit length of n, only
the leftmost bits of the hash up to the length of n will be used. Any
truncation is done by the token.
This is affecting NIST PIV Test cards with non-hashed mechanisms.
@mouse07410 has asked for it in
https://github.com/OpenSC/OpenSC/issues/688#issuecomment-219433611
VTA: I do not see the difference (if the other arguments are properly used),
but assume that @mouse07410 has it's own valid reasons
Also included the few coding style touches.
Avoid having problems with sc_hex_to_bin when called from sc_pkcs15_format_id
both for id and auth_id numbers
Changes to be committed:
modified: pkcs15-piv.c
default values of reader's max send/receive sizes correspond to only short APDU supported;
these values can be overwritten by reader itself with the proper value of dwMaxAPDUDataSize from TLV properties,
or with the corresponding options in OpenSC configuration.
resolves issue #735
This is a cleaner fix for #720 which take part of #721 and #730
A driver private struct is used which allow to remove all globals which might changed base on the token in use.
With very long labels it is unable identify which PIN Firefox is asking.
PKCS11 label is 32 char's and it gets truncated.
Current format "LABEL (PIN1)"
New format "PIN1: LABEL"
simclist.h is changed to either accept a predefined inline and/or
predefined restrict macro or tests for known compilers and sets
simclist_inline and simclist_restrict with the approprate keyword
for the compiler being used or defines them as blank.
The logic used is based on code in OpenSSL-1.1 e_os2.h
For example, "configure" could define inline and/or restrict.
But OpenSC is built on other platforms without a config.h and thus
changes to simclist.h are still needed.
simclist.c is changed by replacing inline with simclist_inline
and restrict with simclist_restrict.
The one and only use of inline in card-dnie.c is removed as there
is no need to have the function inline. This avoids any inline issues.
If inline is needed in other OpenSC code or in card-dnie.c,
simclist_inline could be used.
(Another option is to just remove all inline and restrict keywords
from OpenSC code.)
Changes to be committed:
modified: src/common/simclist.c
modified: src/common/simclist.h
modified: src/libopensc/card-dnie.c
3 bytes is the size of SC_ASN1_TAG_MASK used when composing
the asn1 templates with 'struct sc_asn1_entry'.
With this limitation maximal supported ASN.1 tag number is 2^^14-1 .
Fixed 'dead-code' coverity-scan issue.
Close#707
sm-card-iasecc.c: In function ‘sm_iasecc_get_apdu_delete_file’:
sm-card-iasecc.c:188:25: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
unsigned int file_id = (unsigned int)sm_info->cmd_data;
^
iasecc-sm.c:697:22: warning: cast to 'void *' from smaller integer type
'unsigned int' [-Wint-to-void-pointer-cast]
sm_info->cmd_data = (void *)file_id;
^
der-pcsc.c:1101:11: warning: comparison of integers of different signs:
'LONG' (aka 'int') and 'unsigned int' [-Wsign-compare]
if (rv == SCARD_E_NO_SERVICE) {
~~ ^ ~~~~~~~~~~~~~~~~~~
pkcs11-spy.c:259:49: warning: format specifies type 'long' but the argument has
type 'int' [-Wformat]
fprintf(spy_output, "%s.%03ld\n", time_string, tv.tv_usec / 1000);
~~~~~ ^~~~~~~~~~~~~~~~~
%03d
penpgp-tool.c:367:9: warning: comparison of integers of different signs: 'int'
and 'unsigned int' [-Wsign-compare]
if (r != count) {
~ ^ ~~~~~
Remove 3 casts
Add 1 cast
Fix a format problem
opensc-explorer.c:1727:8: warning: comparison of integers of different signs:
'int' and 'size_t' (aka 'unsigned long') [-Wsign-compare]
if(r > len) {
~ ^ ~~~
log.c:94:87: warning: format specifies type 'long' but the argument has type
'int' [-Wformat]
...%03ld ", (unsigned long)pthread_self(), time_string, tv.tv_usec / 1000);
~~~~~ ^~~~~~~~~~~~~~~~~
%03d
Simplify create tokens rules, no need to manipulate applications in
'pkcs11' configuration part,
applications can be enabled/disabled on the 'pkcs15' one.
Fix the possibility to expose only 'sign' PIN
The EPO hands this card out to attorneys and inventors to authenticate
with their online services. The applet on the card seems to be identical
to the one on Swedish eID cards.
Ludovic Rousseau's list identifies the card as Gemalto IDClassic 340.
Gemalto Classic Client identifies the card as GemSAFE V3.
Previously the EPO was using a GemSAFE V1 card, its ATR was added with
81bbddfc24 ("card-gemsafeV1: Add a GemSafe V1 ATR").
Add new PKI Card ATR into OpenSC support, all of these ATR using same
PKI Applet. and the ATR/JAVA CARD is provided by Feitian.
More information, please check www.javacardos.com
Fixes a memory leak in `entersafe_select_fid`
Closes https://github.com/OpenSC/OpenSC/pull/625
Make universal mask for choose input format from PEM or DER.
Input file at PEM may be contain at start:
"-----BEGIN RSA PRIVATE KEY-----"
or
"-----BEGIN PRIVATE KEY-----"
Make universal properties at RSF-files. Additional Miller-Rabin tests
aren't needed for 'Rutoken ECP' and for 'Rutoken ECP 2.0'
fixes https://github.com/OpenSC/OpenSC/issues/648 :
'Incorrect parameters in APDU' at 'Rutoken ECP 2.0' when 'pkcs15-init -G
rsa/1024 ...'
GemSAFE V1 cards support signing 36 bytes of free form data.
When signing a hash, the hash must be prepended by the DigestInfo
header. The PKCS#1 padding is done on the card. The 36 bytes limit
is sufficient for MD5 (16 + 18 bytes for the header), SHA1 and
RIPEMD160 (both use 20 + 15 bytes for the header) and MD5_SHA1
(16 + 20 bytes, no header). The algorithm reference ("cryptographic
mechanism reference" in ISO 7816 parlance) for signing free form data
is 0x12.
GemSAFE V3 cards changed the algorithm reference for signing free
form data to 0x02. In addition, they gained the ability to sign SHA256.
Since SHA256 exceeds the 36 bytes limit (32 + 19 bytes for the header),
it must be sent to the card *without* DigestInfo header. The header
will be prepended by the card and it is instructed to do so by sending
algorithm reference 0x42.
This scheme is also supported for SHA1, the algorithm reference is
0x12 in this case. However using this is not necessary as SHA1 fits
within the 36 bytes limit, including the header.
Supporting SHA256 is straightforward, we just add it to the flags
before adding the RSA algorithms. When sc_pkcs15_compute_signature()
calls sc_get_encoding_flags(), the input will be "iFlags 0x202, card
capabilities 0x8000021A" and the output will be "pad flags 0x0, secure
algorithm flags 0x202". I.e. the hash is neither prepended by the
DigestInfo header nor PKCS#1 padded and the hash algorithm is passed
to gemsafe_set_security_env() which can send the appropriate algorithm
reference 0x42 to the card.
However there's a catch: Once we add SHA256 to the flags, PKCS#11
applications will be unable to use the other hashes like SHA1 or
RIPEMD160. That's because register_mechanisms() checks if the card
supports no hashes, and if so, adds all of them:
if (!(rsa_flags & SC_ALGORITHM_RSA_HASHES)) {
rsa_flags |= SC_ALGORITHM_RSA_HASHES;
}
We cannot add these missing hashes to the flags like we did with SHA256
because like SHA256, they would be sent to the card *without* DigestInfo
header. What we want is to send all hashes *with* DigestInfo header,
*except* for SHA256.
We can achieve that by registering a fake RSA algorithm which includes
the missing hashes in its flags. This fake algorithm is never used
because sc_card_find_rsa_alg() searches the algorithm list in-order
and we register the fake algorithm *after* the real algorithms.
The fake algorithm persuades register_mechanisms() to register the
missing hashes because it ORs the flags of all RSA algorithms together:
num = card->algorithm_count;
while (num--) {
switch (alg_info->algorithm) {
case SC_ALGORITHM_RSA:
rsa_flags |= alg_info->flags;
break;
}
}
So when signing e.g. a RIPEMD160 hash and sc_pkcs15_compute_signature()
calls sc_get_encoding_flags(), the input will be "iFlags 0x102, card
capabilities 0x8000021A" and the output will be "pad flags 0x100, secure
algorithm flags 0x2". This will result in the hash being prepended by
the DigestInfo header, which is what we want.