* Add configure-time dependency on pcsclite (required version from comments in reader-pcsc.c)
* The functionality is already supported in PCSC-Lite
* For older PCSC-Lite versions still return CKR_FUNCTION_NOT_SUPPORTED
# closes#899
if no extensions are found, val was uninitialized.
If multiple extensions, val was not freed for non interestinf extensions.
COmments dind not have valid OID values.
On branch piv-keyusage
Changes to be committed:
modified: pkcs15-cert.c
# VTA: closes#905
This mod is for non federal issued PIV cards. It will set PKCS#11 key attributes
based on the keyUsage extension from the coresponding certificates.
This mod applies to a PIV or PIV-like card without a CHUID or without a FASC-N
or a FASC-N that startes with 9999. A federal issued PIV card will have a CHUID
object with FASC-N that does not have the agency code 9999.
If the certificate does not have keyUsage,the current defaults will be used.
This avoids backword compatability issues with cards in the field.
To take advantage of this mod, make sure certificates have keyUsage extension.
This mod applies to all keys on the card including retiered keys.
The NIST 800-73 standards specify the key usage for each key and different keys
have different PIN requirements. This mod is designed to be used with PIV-like
cards or devices.
On branch piv-keyusage
Changes to be committed:
modified: src/libopensc/pkcs15-piv.c
# squashed by VTA with:
Remove use of llu in integer literal
llu in literals is not supported in all compilers.
let the compiler expand the literal befor doing the & opetation
PKCS#11 v2.20 in not clear on the format of the public key of the other party
pased during ECDH key derivation. Some implementations (OpenSC) pass just the value
of the public key (RAW), while others (SoftHSM) pass an ASN.1 DER encoded OCTET_STRING.
PKCS$11 v2.40 points out this problem and says implementations must support the
RAW format and may also support the DER format.
To allow pkcs11-tool.c to work with ECDH derivation and using the current libSoftHSM2.so
a new parameter was added to pkcs11-tool, --derive-pass-der.
Also added to teh template fot the new key were:
CKA_SENSITIVE = false
CKA_EXTRACTABLE = true
CKA_VALUE_LEN = size of key to be derived.
OpenSC currently only support derivation of ECDH session keys, (CKA_TOKEN = false)
The derived key must be CK_KEY_TYPE = CKK_GENERIC_SECRET
Additional changes could be made to support AES or DES3 keys.
It is not clear if there is a need to support CKA_TOKEN = true which says the
derived key must be on the hardware token. For ECDH, these keys are short lived.
On branch pkcs11-tool-simple-ecdh
Changes to be committed:
modified: src/tools/pkcs11-tool.c
This implementation reads most of the data from the pkcs15 structure on card, so the objects list are greatly reduced.
This improves several pending issues:
* drop support for IAS card type
In accordance to [1] IAS card type is no longer issued since version
004.003.11 (2010-06-15) and as a legal requirement all documents have
been destroyed or declared lost.
[1] https://www.cartaodecidadao.pt/documentos/DOC_01-DCM-15_V3_CC_Controlo_Versao_2016-01-20.pdf
* fix pteid_cert_ids
The Signature and Authentication Sub CA certificates ids were wrong.
* add objects and fix flags
Add Root CA certificate.
Add data objects SOD and TRACe
Data object 'Citizen Notepad' doesn't require login to be read. Remove flags.
* Support PIN max tries and tries left report
* Properly report cards with 2048b keys.
Suggested-by: João Poupino <joao.poupino@gmail.com>
Suggested-by: André Guerreiro <andre.guerreiro@caixamagica.pt>
Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
-- closes#806
GemsafeV1 is compatible with iso7816 pin commands, including
SC_PIN_CMD_GET_INFO so it doesn't need to customize it.
Acked-by: João Poupino <joao.poupino@gmail.com>
Tested-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
Remove restrictions in prkey_fixup_rsa:
/* Not thread safe, but much better than a memory leak */
/* TODO put on stack, or allocate and clear and then free */
Compute dmp1, dmp1 and/or iqmp if not in sc_pkcs15_prkey_rsa
Remove the GETBN macro that was causing problems.
Changes to be committed:
modified: src/pkcs15init/pkcs15-lib.c
-- closes#894
Author: Robert Relyea <rrelyea@redhat.com>
Coolkey driver improvements:
* Remove hardcoded list and use SimCList
* Whitespace cleanup
* Remove bogus if
* drop inline keywords
* proper path to include sys/types.h
* full name of ushort type
* condition to use compression
* proper include path
* Resolve template name conflict in Tokend
Clean up the copyright headers
-- rebased into one commit by VTA
-- closes#896
pkcs15-tool.c:1201:5: warning: no previous prototype for ‘unlink_cb’ [-Wmissing-prototypes]
int unlink_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
^~~~~~~~~
OpenSSL header files are used indirectly by the binaries.
Fix the compilation error:
CC base64.o
In file included from base64.c:6:
In file included from ../../src/libopensc/asn1.h:29:
In file included from ../../src/libopensc/pkcs15.h:29:
In file included from ../../src/libopensc/aux-data.h:31:
In file included from ../../src/libopensc/internal.h:44:
../../src/libopensc/sc-ossl-compat.h:30:10: fatal error: 'openssl/opensslv.h'
file not found
^
1 error generated.
1. Solved multiple epss2003
2. check expats point to prevent memory leak
3. Add new ATR for entersafe PKI card
4. declare all variables at the beginning of block
5. Solved Incorrect PIN raise wrong CKR error, no token flags change
Closes https://github.com/OpenSC/OpenSC/pull/879
This commit is based on input from https://github.com/lbschenkel
LibreSSL is based on OpenSSL 1.0.1. API.
Changes to be committed:
modified: libopensc/sc-ossl-compat.h
modified: tools/pkcs11-tool.c
modified: tools/pkcs15-init.c
modified: tools/sc-hsm-tool.c
OpenSSL-1.1.0 was released 8/25/2016
OpenSSL-1.1.0a was released 9/22/2016
https://www.openssl.org/news/openssl-1.1.0-notes.html
Changes to allow the OpenSC code base to work with OpenSSL versions from
0.9.7 to 1.1.0 with few changes.
This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch.
No attempt was made to back port any OpenSSL features. These changes
just allow an updated OpenSC code base to use what is in the various OpenSSL
releases.
A new header libopensc/sc-ossl-compat.h contains extra defines
to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements
in the source code.
The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h
has defines for the new API for use with older versions of OpenSSL.
sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC
library routines can take advantage of it. For the tools, which do not use
libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools.
The OpenSC source has been modified to use OpenSSL functions to access
hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new
functions to allocate structures which must use pointer such as
BIGNUM and EVP_CIPHER_CTX.
For backward compatability sc-ossl-compat.h now defines inline routines
to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus
the same OpenSC source code can be used with openSSL versions from
0.9.7 to 1.1.0.
Inline routines were chosen, because using macros does not work on all platforms.
Having OpenSC versions of these routines in libopensc would be a posibility,
but they are only used for older version of OpenSSL, and could be removed in
the future.
Changes to be committed:
modified: src/libopensc/card-entersafe.c
modified: src/libopensc/card-epass2003.c
modified: src/libopensc/card-gids.c
modified: src/libopensc/card-gpk.c
modified: src/libopensc/card-oberthur.c
modified: src/libopensc/card-piv.c
modified: src/libopensc/card-westcos.c
modified: src/libopensc/cwa-dnie.c
modified: src/libopensc/cwa14890.c
modified: src/libopensc/internal.h
modified: src/libopensc/p15card-helper.c
modified: src/libopensc/pkcs15-itacns.c
modified: src/libopensc/pkcs15-prkey.c
modified: src/libopensc/pkcs15-pubkey.c
new file: src/libopensc/sc-ossl-compat.h
modified: src/pkcs11/openssl.c
modified: src/pkcs15init/pkcs15-lib.c
modified: src/pkcs15init/pkcs15-oberthur-awp.c
modified: src/pkcs15init/pkcs15-oberthur.c
modified: src/pkcs15init/pkcs15-oberthur.h
modified: src/pkcs15init/pkcs15-westcos.c
modified: src/tools/cryptoflex-tool.c
modified: src/tools/gids-tool.c
modified: src/tools/netkey-tool.c
modified: src/tools/piv-tool.c
modified: src/tools/pkcs11-tool.c
modified: src/tools/pkcs15-init.c
modified: src/tools/sc-hsm-tool.c
modified: src/tools/westcos-tool.c
Commit 2f10de4f5c ("use sc_pkcs15_get_pin_info in C_GetTokenInfo")
introduced dependency of logged in state returned for session
by C_GetTokenInfo() on logged_in field of that session slot PIN.
This field is updated by sending pin_cmd of type SC_PIN_CMD_GET_INFO to
card.
However, not all cards support such pin_cmd type (in fact, majority of
them don't). In this case logged_in field is usually left zero-initialized
which means SC_PIN_STATE_LOGGED_OUT.
With such logged_in field value C_GetTokenInfo() always returns
CKS_R{O,W}_PUBLIC_SESSION, instead of CKS_R{O,W}_USER_FUNCTIONS when
logged in.
At least Firefox (and probably other NSS-based software, too) is confused
by such value and keeps repeating PIN prompts a few times until it
ultimately considers that logging in to this slot has failed.
Fix this by initializing PIN logged_in field to SC_PIN_STATE_UNKNOWN for
cards that do not support SC_PIN_CMD_GET_INFO pin_cmd.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
"CHANGE REFERENCE DATA" (PIN change) and "RESET RETRY COUNTER"
(PIN unblock) commands in OpenPGP card have various limitations.
These also depend on whether the card is version 1.x or 2.x.
Provide helpful debug messages for user in case he is trying to do
a PIN command in a way that isn't supported by the card.
Also, take into account that version 2.x cards don't support references to
PW1-mode 2 (82) in these commands - change them to PW1 (81).
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
According to descriptions of commands "PSO: COMPUTE DIGITAL SIGNATURE",
"PSO: DECIPHER" and "INTERNAL AUTHENTICATE" in OpenPGP card spec (versions
1.1 and 2.1.1) the card adds / strips and checks PKCS#1 padding
automatically.
There is no documented way to perform raw RSA operations on this card so
SC_ALGORITHM_RSA_RAW flag shouldn't be set.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
_get_auth_object_by_name() in pkcs11/framework-pkcs15.c needs user PIN
to be the first one and then next one can be signature PIN, but OpenPGP
card had it reversed.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
The code attempted to handle extensions assuming extensions were ordered. The
only extension it handled was crl's, but the handling was wrong and I didn't
find any actual use of the crl code. I've changed it to cache all the extensions
and then provided accessors functions to read a specific extension. I needed this
to read the key Usage, but the extension fetching code can work with any extension
(though the caller will need to parse the result. I also added code that parses DN
and returns a specifically requested DN component. I needed this to get the Common
Name for the certificate Subject. This gives the token a 'unique' name rather than
some generic name (like CAC-I or CAC-II). Both of these can be used to enhance the
piv support as well.
rebased by VTA
Closes#852
When sc_lock obtains a reader lock this function is called
If the card was reset the PIV AID is seletcted and logged_in is reset.
This is need for some PIV cards where the default AID is not the PIV AID
and some other process has reset the card.
closes#842
Add card_reader_lock_obtained function to sc_card_operations
During sc_lock, if card->reader->ops->lock is called, card->ops->card_reader_lock_obtained will be called.
If PCSC is being used as the reader driver, this occures just after pcsc_lock has done a SCardBeginTransaction
and our process has exclusive control over the card. The card driver can then determine if the state of the
card has changed, and take action to get the card into an acceptable state.
If card->reader->ops->lock returns SC_ERROR_CARD_RESET, indicating some other process has interefered
with the state of the card. was_reset=1 is passed to card->ops->card_reader_lock_obtained.
Some examples of actions that could be done by the card driver is to select the AID and reset logged_in.
Currently the card driver is not notified. So no default card_reader_lock_obtained is defined in iso7816.c
After card reset detected, run SM open under new transaction
Before trying to reestablish SM session or onte code that may
need to use a transaction, get the transaction that will be
used by the caller od sc_lock.
closes#837
PIN cache is not updated when PIN is verified using the PIN value from cache.
That's the case of validating PIN in 'revalidate' context.
Few source format fixes included
closes#805
A sleep(1) is added after SCARD_W_CARD_RESET as done in other parts of reader-pcsc.c
Extra debugging messages are output.
SCard routines return "LONG" which may be different then "long" on some systems
were "LONG" is 32 bits and "long" is 64 bits.
Make sure printf format of 0x%08lx has a matching "long" input variable.
This closes#816
Not all PIV cards follow the NIST 800-73-3 standard. This commit is designed to address some
of the issues. OpenSC developers don't have access to all the different versions of devices
or access to release notes for the devices to see when a bug was introduced and when it is fixed.
To make OpenSC code changes easier, the code is divided into four sections:
(1) Identify the card/token as best possible by looking at the "Historical bytes" in the ATR.
For the Yubico devices read their version number and log it via sc_debug.
(2) Define the card_issues CI_* defines in card-piv.c. There are 8 of them at the moment.
See below.
(3) based on the card->type and possibly Yubico version set the priv->card_issues flags that
apply to current card or device.
(4) Implement in the code changes needed for each issue.
Other issues can be added. As more info is obtained (3) can be updated using the version
number as needed.
The card issues are:
CI_VERIFY_630X - VERIFY "tries left" returns 630X rather then 63CX
CI_VERIFY_LC0_FAIL - VERIFY Lc=0 never returns 90 00 if PIN not needed. Will also test after
first PIN verify if protected object can be used instead
CI_CANT_USE_GETDATA_FOR_STATE - No object to test verification in place of VERIFY Lc=0
CI_LEAKS_FILE_NOT_FOUND - GET DATA of empty object returns 6A 82 even if PIN not verified
CI_OTHER_AID_LOSE_STATE - Other drivers match routines may reset our security state and lose AID
CI_NFC_EXPOSE_TOO_MUCH - PIN, crypto and objects exposed over NFS in violation of 800-73-3
CI_NO_RSA2048 - does not have RSA 2048
CI_NO_EC384 - does not have EC 384
The piv_card_match and piv_init interactions were cleaned up.
Changes to be committed:
modified: card-piv.c
modified: cards.h
- IAS/ECC has the category indicator byte in EF.ATR, which is a
violation of ISO 7816-4, where it is only allowed in the historical
bytes of ATR. Removing the IAS/ECC specific modification of EF.ATR
allows reading ISO complient EF.ATR again.
- IAS/ECC parsing should still be successfull. We now always try to
check for ISO7816_TAG_II_STATUS_SW ignoring the category indicator
byte
introduced paramter to signal back the login state
- used for the pin command SC_PIN_CMD_GET_INFO
- implemented in accordance to ISO 7816-4; all other implementations
are currently set to an unknown login state
implemented and exporeted sc_pkcs15_get_pin_info
use sc_pkcs15_get_pin_info in C_GetTokenInfo
C_GetSessionInfo: Check whether a logout was done
Closes https://github.com/OpenSC/OpenSC/pull/624
rebased by @viktorTarasov
`sm_incr_ssc` performed an out of bounds write when `ssc` is bigger than
255. The local variable `ii` needs to be decremented instead of
incremented in the `for`-loop.
This was introduced in d30cd83a, wheras The previous implementation did
actually decrement `ii`, see d30cd83ad4
Fixes https://github.com/OpenSC/OpenSC/issues/785
========================================
rebased by VTA -- commits are forged to one,
excluding the following chunk
(reason -- if not explicitely indicated, the mechanism has to be found out using the mechanism flags):
@@ -1713,8 +1713,9 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
int ii;
if (!opt_mechanism_used)
+ opt_mechanism = CKM_EC_KEY_PAIR_GEN;
if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
- util_fatal("Generate EC key mechanism not supported\n");
+ util_warn("Generate EC key mechanism not listed as supported");
for (ii=0; ec_curve_infos[ii].name; ii++) {
if (!strcmp(ec_curve_infos[ii].name, type + 3))
will close PR #747
Frank Morgner
Pieter Naaijkens
Nuno Goncalves
Jakub Jelen
Leonardo Brondani Schenkel
ricky
Doug Engert
Nikos Mavrogiannopoulos
Ludovic Rousseau
Ludovic Rousseau
Feitian Technologies
Jakuje
Viktor Tarasov
Remy
Nikos Mavrogiannopoulos
CardContact Systems GmbH
Ian Young
Raul Metsma
Maciej S. Szmigiero
Sid-Ali TEIR
Hannu Honkanen
carblue
HAMANO Tsukasa
Nguyễn Hồng Quân
David von Oheimb
vletoux