CK_VERSION is included into PKCS#11 data but is not specified by PKCS#15.
CK_VERSION can be provided by card's pkcs15 emulator or by the card's driver,
including the cards with the native support of pkcs#15 (and thus without pkcs15 emulator).
That's why the more general solution is to have these data included into 'sc-card' data type.
Thanks to Andreas Schwier.
http://www.opensc-project.org/pipermail/opensc-devel/2012-September/018455.html
In PKCS#11 FW, the 'certificate' FW object is used to create corresponding 'public'key' FW object
or to get some of its attributes.
Seg.fault occured when, in the same session, the related certificate was destroyed and after that
there was the attempt to get such public key attributes.
To hold the raw certificate blob in 'sc_pkcs15_cert' data use the 'sc_pkcs15_der' data type.
also:
; in 'pkcs15-cert.c' use short call of the debug messages;
; in 'destroy-object' pkcs15 framework handler take into account the multi-application cards:
-- when binding card use the application info;
-- when finalizing profile use the application ID.
Limit the number of cases when applicated re-selection of application DF to strict minimum.
I.e. only when pkcs11 login session is not locked and private key PKCS#15 object do not
contain the 'path' attribute.
Thanks to 'crank'.
https://www.opensc-project.org/opensc/ticket/439
Some pkcs11 callers (i.e. netscape) will pass in the ASN.1 encoded SEQUENCE OF SET,
while OpenSC just keeps the SET in the issuer/subject field.
Add new argument 'application-info',
that will allow to select the on-card application to by binded with.
pkcs11: use sc_pkcs15init_bind with 'AID' argument
Prototype of sc_pkcs15init_bind() has been changed to add argument with
AID of the on-card application to be binded with.
In card detection procedure bind all present applications
and create tokens for them.
Treatement of the different 'create-slots' configuration cases,
joining the objects from different applications into one slot
are previewed for the next commits.
- simplify some of framework handles: remove from it's prototype the arguments that can be derived from the other arguments;
for exemple: foo(slot, slot->card) --> foo(slot)
- add the 'application' argument to the bind, unbind and similar handles;
- preview more then one framework data attached to the pkcs11card object.
- placehold for the future 'derive' and 'can_do' handles.
'OnePIN' version of opensc-pkcs11 module is not installed.
Instead, in the 'pkcs11' section of OpenSC configuration,
there is a possibility to define in a different manner
how to create slots for the present PINs and applications.
In PKCS#11 there is no CKA_ attribute dedicated to the NON-REPUDIATION flag.
We need this flag in PKCS#15/libopensc to make dinstinction between 'signature' and 'qualified signature' key slots.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5567 c6295689-39f2-0310-b995-f0e70906c6a9
framework-pkcs15.c:1892: warning: comparison between signed and unsigned
framework-pkcs15.c:1902: warning: comparison between signed and unsigned
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5529 c6295689-39f2-0310-b995-f0e70906c6a9
EC parameters can be presented in a three forms: namedCurve, OID and implicit data.
This new data type will facilitate manipulation of ec-parameters in the OpenSC tools and library.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5386 c6295689-39f2-0310-b995-f0e70906c6a9
emulated cards. True PKCS#15 cards with EC
will need additional changes.
Main changes are in framework-pkcs15.c, mechanism.c,
padding.c, pkcs15-algo.c and pkcs15-sec.c
where switch statements for key type, and testing
of flags was modified to make it easier to add
additional key types in the future.
The code was tested using RSA and ECDSA using a PIV card
from pkcs11-tool, OpenSSL and Thunderbird with
modifications to NSS-3.12.7 to get ECDSA to sign e-mail.
Only named curves are supported for ECDSA, ECDH is still
needed. pkcs11-tool has only minimal changes need to work
with the -O option to list EC keys.
One additional line was added to pkcs15-sec.c which
should get GOSTR sign to work.
libp11 and engine do not yet have EC support.
--This line, and those below, will be ignored--
M src/tools/piv-tool.c
M src/tools/pkcs11-tool.c
M src/pkcs11/framework-pkcs15.c
M src/pkcs11/mechanism.c
M src/pkcs11/pkcs11-object.c
M src/libopensc/pkcs15-prkey.c
M src/libopensc/card-piv.c
M src/libopensc/padding.c
M src/libopensc/cardctl.h
M src/libopensc/pkcs15-algo.c
M src/libopensc/libopensc.exports
M src/libopensc/pkcs15-piv.c
M src/libopensc/pkcs15-sec.c
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
* check for out of memory conditions
* register SHA256 as well
* key generation depends on onboard key generation capabilities, not OpenSSL
Further adjustments are needed.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4894 c6295689-39f2-0310-b995-f0e70906c6a9
spy segfaulted if CKU_CONTEXT_SPECIFIC was used,
pkcs11-session was reseting the userType before calling
framework. Framework will now see CKU_CONTEXT_SPECIFIC
and use slot->login_user to determine which PIN was used
to create the original session, and will send the PIN
to the card. It does not treats CKU_CONTEXT_SPECIFIC
as a full login, only a reassertion of the PIN.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4880 c6295689-39f2-0310-b995-f0e70906c6a9
pkcs15.c: object search continues with normal processing, even if enumeration of some files failed
pkcs15.h: obsolete prototype removed
pkcs15-syn.c: now obsolete function sc_pkcs15emu_postponed_load removed
fixes: #266
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4877 c6295689-39f2-0310-b995-f0e70906c6a9
sc_pkcs15_cert now has pointer to sc_pkcs15_pubkey, allowing it to
be removed and used separatly.
sc_pkcs15_pubkey now has pointer to sc_algorithm_id to faclitate
addition of other key algorithms and their parameters.
Various code changes to free these structures and references
to the structures have been changed.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4805 c6295689-39f2-0310-b995-f0e70906c6a9
Assuming the driver has correctly set max_tries to 1 then PKCS#11 is very clear about it:
"""
True if supplying an incorrect user PIN will it to become locked.
"""
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4687 c6295689-39f2-0310-b995-f0e70906c6a9
Support for importing cleartext keys is left untouched, but all transparent key generation by either opensc-pkcs11.so or pkcs15-init is removed, to make the operation with cleartext keys visible to the user and his explicit wish.
OpenSC is a PKCS#11 library for accessing keys protected by a smart card. Key material in software is not protected by smart cards and can leave a false sense of security to the user.
http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013877.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4646 c6295689-39f2-0310-b995-f0e70906c6a9
From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety
" Casting and type safety
malloc returns a void pointer (void *), which indicates that it is a
pointer to a region of unknown data type. One may "cast" (see type
conversion) this pointer to a specific type, as in
int *ptr = (int*)malloc(10 * sizeof (int));
When using C, this is considered bad practice; it is redundant under the
C standard. Moreover, putting in a cast may mask failure to include the
header stdlib.h, in which the prototype for malloc is found. In the
absence of a prototype for malloc, the C compiler will assume that
malloc returns an int, and will issue a warning in a context such as the
above, provided the error is not masked by a cast. On certain
architectures and data models (such as LP64 on 64 bit systems, where
long and pointers are 64 bit and int is 32 bit), this error can actually
result in undefined behavior, as the implicitly declared malloc returns
a 32 bit value whereas the actually defined function returns a 64 bit
value. Depending on calling conventions and memory layout, this may
result in stack smashing.
The returned pointer need not be explicitly cast to a more specific
pointer type, since ANSI C defines an implicit conversion between the
void pointer type and other pointers to objects. An explicit cast of
malloc's return value is sometimes performed because malloc originally
returned a char *, but this cast is unnecessary in standard C
code.[4][5] Omitting the cast, however, creates an incompatibility with
C++, which does require it.
The lack of a specific pointer type returned from malloc is type-unsafe
behaviour: malloc allocates based on byte count but not on type. This
distinguishes it from the C++ new operator that returns a pointer whose
type relies on the operand. (see C Type Safety). "
See also
http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
* reduce to a few, supported functions.
* change all functions to take the debug level as parameter.
* use symbolic names for the debug levels.
* fix tools to pass "verbose"/"opt_debug" as ctx->debug.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
In fact, the middleware of the manufacturer of the gemalto (axalto, gemplus) cards
reports the CKA_ID of CA certificates as '0'.
But it's not true for the others middlewares (Oberthur), NSS (afais) and PKCS#11 standard.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4095 c6295689-39f2-0310-b995-f0e70906c6a9
*** glibc detected *** invalid pointer: 0x00007fff9e9f7670 ***
Program received signal SIGABRT, Aborted.
0x00007f971d0a8ea5 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007f971d0a8ea5 in raise () from /lib64/libc.so.6
#1 0x00007f971d0aaab3 in abort () from /lib64/libc.so.6
#2 0x00007f971d0e7d58 in __libc_message () from /lib64/libc.so.6
#3 0x00007f971d0ed7e8 in malloc_printerr () from /lib64/libc.so.6
#4 0x00007f971d0efda6 in free () from /lib64/libc.so.6
#5 0x0000000000410f5c in pkcs15_gen_keypair (p11card=0x72aec0, slot=<value optimized out>,
pMechanism=<value optimized out>, pPubTpl=<value optimized out>, ulPubCnt=<value optimized out>,
pPrivTpl=<value optimized out>, ulPrivCnt=6, phPubKey=0x7fff9e9f7e50, phPrivKey=0x7fff9e9f7e58)
at framework-pkcs15.c:1763 /* see opensc-0.11.13 */
#6 0x0000000000409a6e in C_GenerateKeyPair
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4032 c6295689-39f2-0310-b995-f0e70906c6a9
(In function 'pkcs15_add_object': warning: unused parameter 'pHandle')
Example (C_CreateObject):
Breakpoint 3, C_CreateObject (hSession=134587040, pTemplate=0x8049160, ulCount=5, phObject=0xbff55560)
at pkcs11-object.c:57
57 rv = sc_pkcs11_lock();
(gdb) x/x phObject
0xbff55560: 0xffffffff
(gdb) finish
0xb7f5c6c0 17:15:09.969 [opensc-pkcs11] framework-pkcs15.c:657:pkcs15_add_object: Setting object handle of 0x0 to 0x805ab80
Run till exit from #0 C_CreateObject (hSession=134587040, pTemplate=0x8049160, ulCount=5,
phObject=0xbff55560) at pkcs11-object.c:57
0x080487a4 in main ()
Value returned is $1 = 0
(gdb) x/x 0xbff55560
0xbff55560: 0xffffffff
(gdb) c
Continuing.
Breakpoint 4, C_DestroyObject (hSession=134587040, hObject=4294967295) at pkcs11-object.c:106
106 rv = sc_pkcs11_lock();
(gdb) p/x hObject
$2 = 0xffffffff
(gdb) finish
Run till exit from #0 C_DestroyObject (hSession=134587040, hObject=4294967295) at pkcs11-object.c:106
0xb7f5c6c0 17:15:56.581 [opensc-pkcs11] pkcs11-object.c:110:C_DestroyObject: C_DestroyObject(hSession=0x805a2a0, hObject=0xffffffff)
0x080487cb in main ()
Value returned is $3 = 130
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3944 c6295689-39f2-0310-b995-f0e70906c6a9
- slots, sessions and objects are kept as lists.
- change the way slots, cards and readers are managed.
- re-implement C_WaitForSlotEvent(/C_Finalize) as written in PCKS#11 v2.20, canceling pending blocking calls.
- implement a "virtual hotplug slot" with a floating slot id to keep NSS working with C_WaitForSlotEvent with a new reader.
NSS does not call C_GetSlotList(NULL) to re-fetch the list of available slots if C_WaitForSlotEvent returns an event in an already known slot ID.
By changing the ID of a slot whenever a reader attached NSS/Firefox can be tricked into recognizing new readers when waiting for events with C_WaitForSlotEvent.
- change (possibly break something) sc_to_cryptoki_error() to not have side-effects
- Implement CKU_CONTEXT_SPECIFIC in C_Login to implement CKA_ALWAYS_AUTHENTICATE (keys with user consent)
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3935 c6295689-39f2-0310-b995-f0e70906c6a9
One of the three unblock methods can be activated from the 'opensc-pkcs11' section of opensc.conf:
- C_SetPin() in the unlogged sesssion;
- C_SetPin() in the CKU_SPECIFIC_CONTEXT session;
- C_InitPin() in CKU_SO session (inspired by Pierre Ossman).
-- This last one works, for a while, only for the pkcs15 cards without SOPIN auth object.
For the pkcs15 cards with SOPIN, this method will be useful for the cards
that do not have then modes '00' and '01' of ISO command 'RESET RETRY COUNTER'.
Test commands:
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --unlock-pin --puk "123456" --new-pin "9999"
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --unlock-pin -l --login-type context-specific --puk "123456" --new-pin "9999"
# pkcs11-tool --module ./opensc-pkcs11.so --slot 0 --init-pin -l --new-pin "9999"
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3901 c6295689-39f2-0310-b995-f0e70906c6a9
Viktor Tarasov
Andreas Schwier
Mathias Brossard
vtarasov
andre
martin
dengert
viktor.tarasov
ludovic.rousseau
aj
s