Use names that are specific to EAC, not the German ID card (nPA),
because Protocol and Commands are defined by BSI TR-03110 and ICAO.
Functions that are nPA specific are moved to card-npa.h.
RutokenS returns data with little endian byte order, due to this
fact token wouldn't work with standard function. So function for
parsing fcp from little endian data was inplemented.
The maximum length for sending and receiving data can now be found in DO
7F66. For now, we just use the default values for short/extended length
capabiliites.
PKI-Applets may not be active if the card has been reset or unpowered.
The SELECT command used to activate the applet, is identical to the one
used during card matching or initialization.
Some "unfriendly" cards return SW 90 00 to any instruction including
the ACA file selection and therefore they are identified as CAC card.
To avoid this, we will try to read the assumed ACA file and we will
mark the card as matched only if we will read something from that file.
We do not parse the content yet.
To avoid infinite loop on "unfriendly" cards, we assume that
read data instruction always returns some data. It it does not,
we can safely assume the file is not there or it is not the card
we are looking for.
Windows/macOS (minidriver/tokend) handle the authentication status and
perform an explicit logout on shutdown. PKCS#11 standard requires a
session for logging into the card; when closing the session we perform
an explicit logout. Hence, the authentication status should be reset
even if not performing a reset on disconnect.
partially implements https://github.com/OpenSC/OpenSC/issues/1215
Refactored OpenPGP code so that future versions of the card will be
accessed using the logic for OpenPGP V2. We hope that backward
compatibility of the standard will keep the new versions functional.
CardDeleteContext may be called at any time, interrupting any ongoing
operation with the same PCARD_DATA. This leads to a race condition when
CardDeleteContext deletes, for example, the sc_context_t which the
interrupted call still wants to access. We have seen and fixed this
problem in https://github.com/OpenSC/OpenSC/issues/973 specifically for
the PIN entry process, however, it also applies to all other calls to
the md.
The new implementation removes the need for global data in the md.
* Avoid GCC 7 warnings with -Werror
-Werror=implicit-fallthrough=
libopensc/card-incrypto34.c
not sure if this is a bug or intention
libopensc/card-rutoken.c
most probably intention
libopensc/card-westcos.c
remove bogus if so the compile is not confused
I will fill a separate bug to gcc probably
pkcs15init/pkcs15-iasecc.c
Simplify the log and avoid compiler confusion
sm/sm-common.c
explicit fallthrough
tools/pkcs11-tool.c
use explicit fallthrough comment
tools/pkcs15-init.c
The fallthrough is obvious here
-Werror=format-truncation=
libopensc/pkcs15-itacns.c
use explicit string lengths
pkcs11/framework-pkcs15.c
calculate the truncation
tests/pintest.c
avoid sprintf
tools/pkcs15-crypt.c
avoid sprintf
tools/pkcs15-init.c
calculate the truncation
- fixed printing tags on multiple bytes
- align indenting with raw tags
- use OpenSSL's human readable OID database
- only print the canonical names for universal tags
When building without OpenPACE there are two unused variables in
sc_hsm_init() that cause compiler to emit warnings about them.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
In minidriver before performing a card operation we currently check whether
the supplied card handles have changed.
If they did the card in reader might have been changed so we reinitialize
it.
However, in few places in reinitialization call path an error returned by
some operation would leave the context in an inconsistent state.
So let's walk through this path to make sure that functions there will exit
cleanly if an error happens.
Also, make sure that all card operations that actually do something have
the necessary check call in the first place and also that they all
consistently check whether VENDOR_SPECIFIC pointer is not NULL before
dereferencing it.
This is a cleanup part of "Keep track of card resets by other contexts in
minidriver" (that is, it does not include the actual reset handling code
introduced by that commit), simplified.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Many cards need multiple PINs to work correctly since different on-card
keys are secured by different PINs (this is true for for example OpenPGP
card).
Smart Card Minidriver API has supported such cards since version 6.02
(Vista+).
Use the same method as PKCS#11 driver does to discover user and sign PINs,
for consistency.
However, if there is a default container on card we'll make sure that its
PIN is an user PIN and if there is no default container we'll mark the one
with the user PIN as default.
All other PINs securing containers on card are added as next PINs, up to
MD_MAX_PINS.
Use this opportunity to also fix two cases where a pointer-to-DWORD
variable was passed as pointer-to-size_t parameter to
md_dialog_perform_pin_operation() - they are of different size on Win64.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
This will help when p11-kit is usead and wil allow for additional
CK*_* things to be defined that have a much better chance of being
unique.
OR in "OSC" to any CK*_VENDOR_DEFINED thing.
with #define SC_VENDOR_DEFINED 0x4F534300 /* OSC */
This follows Netscapes convention of doing the same but
using: #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */
The current 2 defines CKA_* are for internal attributes.
On branch OSC_VENDOR_DEFINED
Changes to be committed:
modified: pkcs11-opensc.h
* Add missing SHA224 RSA algorithms
* Fix wrong replacement in pkcs11-tool manual page
* Add MGF and PSS_PARAMS definitions in PKCS#11 header file
* Inspect PSS signature parameters in pkcs11-spy
* Enable RSA-PSS signatures in pkcs11-tool
* Added short names to RSA-PSS methods
* Reintroduce portable NORETURN indication for functions and use it to avoid compilers complaining
Use the ASN.1 decoder's SC_ASN1_BIT_FIELD decoder to properly decode
into a machine word. As _bitstring_extension is used only for the OID
2.5.29.15 by all callers, which is at most 9 bits wide, this is a
reasonable thing to do.