The name implies what the format of the returned value, a SPKI.
The support for spki as a pkcs15 format of a pubkey, is extended to
work for any algorithm not just EC pubkeys. PKCS#15 appears to allow this.
sc_pkcs15_decode_pubkey_with_param will look for a SPKI
and attempt to use it for any algorithm, including RSA.
(RSA is the null case, as there are no algorithm parameters.)
sc_pkcs15_encode_pubkey_as_spki is exported from libopensc.
pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys
as SPKI for RSA and EC.
The pubkey->data is never a SPKI, it is the DER encoding of the
pubkey without the parameters. If an spki is needed, use the
sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the spki.
As in the previous set of patches, pkcs15-tool.c will output both
sc_pkcs15_decode_pubkey_with_param and its internal.
This was left for testing, and the pubkey_pem_encode should be deleted
fixes a lot of warnings which pass a const buffer to the APDU's data
Note that a non-const data member is only required for sc_allocate_apdu
sc_free_apdu. They are currently used with an explicit typecast.
However, sc_allocate_apdu and sc_free_apdu both are not used once in the
entire project. One might also simply throw both functions away.
-- Both are thrown away. (VT)
'PACE' is extremely card specific protocol and has not to be ostensibly
present in the common part of OpenSC:
* currently in OpenSC there is no card driver that supports or uses this protocol;
* amazing content of the common 'sc_perform_pace' -- beside the verbose logs
the only substantial action is to call the card/reader specific handler.
According to the current sources and the pull request 83
this 'common' procedure is called by the card driver or
card specific tool/operation.
* currently the 'PACE' can be thouroghly tested only by one person (Frank Morgner),
and only using the OpenSSL patched with the PACE specific patch.
So, at least a dedicated configuration option could be introduced when comiting PACE to the common part.
* common 'sc_perfom_pace' has the same role as the 'initialize-SM' handler of the existing SM framework
and can be implemented as card specific SM, as the others cards do.
This confirmed by Frank Morgner, the author of PACE commits and nPA card driver, himself.
(https://github.com/OpenSC/OpenSC/pull/83)
Introduce some usefull define macros, error code 'inconsistent configuration'.
Introduce procedure to calculate CRC32 digest,
to be used in minidriver to calculate the 'freshness' values.
At the moment symbolic names for the on-card applications are 'generic', 'protected'.
This distinction used by pkcs11 and minidriver module to select the
'master' application in the cases when only reduced number of slots (one)
can be exposed by module (minidriver) or particular configuration (pkcs11).
Implements PC/SC interface to PACE-enabled readers defined in PC/SC
pt. 10 AMD 1 and BSI TR-03119.
PACE can be started using `sc_perform_pace`. This function currently
calls the new `perform_pace` from `struct sc_reader_operations`, if the
reader has the needed capabilities. `sc_perform_pace` could also be
extended with a stand-alone implementation of PACE (code could be
imported from here http://vsmartcard.sourceforge.net/npa/README.html).
Note that the reader's PACE capabilities are correctly determined by
calling GetReaderPACECapabilities.
OpenSC's new PACE capabilities can be tested using the `npa-tool` from
the Virtual Smart Card Architecture (see link above).
pkcs15-wrap.c can be removed. Clarified/changed the meaning of "insecure" flag to pkcs15-init tool,
which will be needed to explicitly enforce the creation of a key which does not require a PIN.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5510 c6295689-39f2-0310-b995-f0e70906c6a9
On Windows every DLL has their own file descriptor table, thus specifying
-v from any of the OpenSC tools resulted in a crash when the tool tried to override
ctx->debug_file with stderr.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5359 c6295689-39f2-0310-b995-f0e70906c6a9
It is used by cardmod to pass in pointers to the PC/SC handles
provided by the caller of cardmod. Other drivers will return
an error if this routine called.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5190 c6295689-39f2-0310-b995-f0e70906c6a9
emulated cards. True PKCS#15 cards with EC
will need additional changes.
Main changes are in framework-pkcs15.c, mechanism.c,
padding.c, pkcs15-algo.c and pkcs15-sec.c
where switch statements for key type, and testing
of flags was modified to make it easier to add
additional key types in the future.
The code was tested using RSA and ECDSA using a PIV card
from pkcs11-tool, OpenSSL and Thunderbird with
modifications to NSS-3.12.7 to get ECDSA to sign e-mail.
Only named curves are supported for ECDSA, ECDH is still
needed. pkcs11-tool has only minimal changes need to work
with the -O option to list EC keys.
One additional line was added to pkcs15-sec.c which
should get GOSTR sign to work.
libp11 and engine do not yet have EC support.
--This line, and those below, will be ignored--
M src/tools/piv-tool.c
M src/tools/pkcs11-tool.c
M src/pkcs11/framework-pkcs15.c
M src/pkcs11/mechanism.c
M src/pkcs11/pkcs11-object.c
M src/libopensc/pkcs15-prkey.c
M src/libopensc/card-piv.c
M src/libopensc/padding.c
M src/libopensc/cardctl.h
M src/libopensc/pkcs15-algo.c
M src/libopensc/libopensc.exports
M src/libopensc/pkcs15-piv.c
M src/libopensc/pkcs15-sec.c
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
Compilation fails on Mac OS X (but not on GNU/Linux):
Undefined symbols:
"_sc_pkcs15emu_postponed_load", referenced from:
-exported_symbol[s_list] command line option
ld: symbol(s) not found
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4879 c6295689-39f2-0310-b995-f0e70906c6a9
; do not pad PIN in pkcs15init. It's already done in libopensc/pkcs15-pin;
; the 'do_verify_pin()', 'sc_pkcs15init_verify_key()' and 'do_get_and_verify_secret()' are replaced by unique 'sc_pkcs15init_verify_secret()'; edit debug messages;
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4123 c6295689-39f2-0310-b995-f0e70906c6a9
* reduce to a few, supported functions.
* change all functions to take the debug level as parameter.
* use symbolic names for the debug levels.
* fix tools to pass "verbose"/"opt_debug" as ctx->debug.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4118 c6295689-39f2-0310-b995-f0e70906c6a9
Some non-pkcs15 cards protect the reading of the private objects attributes.
For the emulated pkcs15 cards, the 'init' emu-handler was the only place where pkcs15 objects could be loaded.
This handler is called before the card is binded, and so, for an application there was no 'normal' way to verify PIN and load the objects with protected attributes.
Actually it's possible to complete list of the pkcs15 objects after the emulated pkcs15 card has been binded.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4096 c6295689-39f2-0310-b995-f0e70906c6a9