... as reported by coverity scan.
p11cards are freed by emptying the virtual slots. virtual slots are
creatd with the framework's create_tokens. Hence, we need to free
p11card if no tokens were created.
I am using a somewhat modified version of IsoApplet. Up till now it worked fine. However recently I stumbled upon a web site that
forces a client cert auth with RSA-PSS. And (at least on windows, using minidriver) it didn't work. It looks to me, that it's a bug
in the PSS support code in minidriver, as I cannot find any place where a MGF1 padding scheme is specified. And since none is specified
signing fails. This patch fixes this. It assumes, that the same hash is used for hashing and padding.
This fixes a problem reported in Nitrokey forum at
https://support.nitrokey.com/t/veracrypt-encryption-with-nitrokey-error/2872
as inability to save the VeraCrypt's keyfile onto the token
after deleting an existing one, unless the PKCS11 is reinitialized.
Reason: commit cbc53b9 "OpenPGP: Support write certificate for Gnuk"
introduced a condition on getting the blob handle, which is surplus
(the pgp_find_blob() function actually does that) and prevents
the blob refresh upon deletion, breaking the logic introduced
earlier in commit 9e04ae4 and causing the higher-level effect reported.
While at it, corrected comments to actually reflect the flow logic.
Tested on Fedora 33 using the repro steps from the forum and Nitrokey Pro.
Signed-off-by: alt3r 3go <alt3r.3go@protonmail.com>
Option --use-locking has C_Initialize pass in parameters with the
CKF_OS_LOCKING_OK to tell module to use threads. The default is it passes NULL
which says threads are not needed.
The following is not designed to be used by the general user. There are for debugging
and test scripts and only compiled if the system has threads.
Option --test-threads <arg> can be passed multiple times. Each one starts a thread.
<arg> is a list of 2 byte commands seperated by ":". The thread will execute these.
Current commands are:
IN - C_Initialize(NULL)
IL - C_Initialize with CKF_OS_LOCKING_OK
Pn - Pause for n seconds
GI - C_GetInfo
SL - C_GetSlotList
Tn - C_GetTokenInfo from slot_index n
These are just enough calls to see if threads are working in the module.
Output is written to stderr.
Changes to be committed:
modified: doc/tools/pkcs11-tool.1.xml
modified: src/tools/Makefile.am
modified: src/tools/pkcs11-tool.c