While trying to setup an OpenSC context, the global_locking
and detect cards, it is possible that multiple threads may
call C_Initialize. The current code tries to prevent this using
"if (context == NULL)" but this is not a mutex, and
multiple threads may endup overwrite contexts and global locking and
cause additional problems, with pcsc and segfault.
FireFox appears to do this see #2032
The PR adds a mutex or Critical section to make sure only one
thread creates the context sets the global_locking and does
the initial detect cards, etc.
This allows the global_lock (if requested) to be setup
which is then used for other calls.
All but the first call to C_Initialize will return with CKR_OK,
others will return CKR_CRYPTOKI_ALREADY_INITIALIZED.
Date: Mon Jan 11 12:47:12 2021 -0600
Changes to be committed:
modified: src/pkcs11/pkcs11-global.c
The --signature-format openssl in pkcs11-tool does the correct
operation to convert the OpenSSL formated signature to rs for PKCS11
This commit modifies pkcs11/openssl.c to convert back to sequence
for EVP_VerifyFinal
Without this mod the signature file was passed unmodified to
PKCS11, then to EVP_VerifyFinal but this violates PKCS11 standard.
On branch ECDSA-flags
Changes to be committed:
modified: openssl.c
This PR is based on discussion with @popovec in
https://github.com/OpenSC/OpenSC/issues/2181
and https://github.com/OpenSC/OpenSC/pull/2187
which was cherry-picked as 5e5300816c8
This has been tested with PIV, MyEID and Smartcard-HSM.
with ECDSA keys.
The main fixes include :
- Setting "flags" in card drivers
- added code to sc_pkcs15-compute-signature for handle ECDSA with hashes
- code in framework-pkcs15.c
Signatures made by pkcs11-tool -sigm verify with openssl
but pkcs11-tool --verify does not work with ECDSA but does with RSA
I suspect it has to do with:
and some then creating the wrong PKCS11 mechanisms
It should work with the epass2003 which does hashes in the driver.
CKM_ECDSA and CKM_ECDSA_SHA1 cannot be registered in the same way.
We need to use sc_pkcs11_register_sign_and_hash_mechanism ()
for CKM_ECDSA_SHA1.
This fix also enables more ECDSA-SHAxxx mechanisms in framework-pkcs15.c
Tested: MyEID 4.0.1 (secp256r1 with SHA1, SHA224, SHA256, SHA384, SHA512)
CI tests (Travis + OsEID) for ECDSA-SHAxxx mechanisms are also enabled.
Fix various spelling errors, mostly in comments but also in texts displayed.
Errors found & interactively fixed using 'codespell', with additional manual
checks after the fixes.
before 14e396273 sc_wait_for_event() only notified in case of a new
reader, but didn't add it to the internal list of readers. That's why
PKCS#11 needed to bail out early in this case (and the application had
to call C_WaitForSlotEvent a second time to actually get the related
slot). Since sc_wait_for_event() can now handle insertion correctly, we
can now immediately check (and reset) the events on the slots.
always should be used, even if a PIN pad reader is used. PIN must only
be fetched from the PIN pad reader if the corresponding parameter is
null.
Before this commit PIN was always fetch from the reader if the PIN could
be fetched from the reader.
The 'pkcs11-tool has also been updated. Before parameters was never
taken from the command line if a PID pad reader was used. Now PINs from
the command line is always used but if not existing the PIN is fetched
from the reader if a reader with a PIN pad is used, otherwise the user
is prompted for PIN(s) from the CLI.
C_SetPIN modifies the PIN of the user that is currently logged in, or
the CKU_USER PIN if the session is not logged in. ....
This was not true for "if the session is not logged in" before this fix.
- when listing the slots, we don't have a hotplug slot anymore with
slot->reader == NULL. Instead, we're now using this state for any left
over slots when a reader is removed. So we don't need to include this in
the slot list
- when listing the slots, we need to remember which slots the
application has seen already, to not shrink the list of slots (which is
allowed in PKCS#11 v2.2, but NSS can't handle this)
Macro DEBUG_VSS and routine _debug_virtual_slots were added.
DEBUG_VSS(slot, "printf like format string" [,args...]) will print the virtual_slots
to the opensc-debug.log showing were it was called from.
If slot is not NULL and found in the table it will be highlighted
with an "*".
In gdb: call _debug_virtual_slots(slot) can be used along with
another window to tail opensc-debug.log
On branch PKCS11-SLOTS-2
Date: Fri Feb 21 08:19:37 2020 -0600
Changes to be committed:
modified: src/pkcs11/sc-pkcs11.h
modified: src/pkcs11/slot.c
OpenSC PKCS11 now retains slots even when the reader is removed.
It can do this because existing OpenSC reader handling in ctx.c,
reader-pcsc.c and PC/SC allow OpenSC to do this.
This simplifies the code, and allow a reader to be reinserted
and use the existing slot. This matching is actually done
in reader-pcsc.c because PC/SC returns the unique ids based on
the OS reader names. This is then used as the manufacturerID
By not deleting slots the slot list can only increase which is a
restriction of Firefox. It does not fix all the Firefox issues, but
it does not go into a loop, when all the readers are removed.
The defaults in opensc.conf for max-virtual-readers and slots-per-card
allow for 4 different readers used during one session.
On branch PKCS11-SLOTS-3
Changes to be committed:
modified: sc-pkcs11.h
modified: slot.c