Not yet complete, but can be run with CKA_TOKEN=FALSE set in the target object. Currently unwrapping emulated
with a decrypt operation in card-myeid.c. To be improved.
Don't pretend that we're capable of performing memory locking. The
implementation of that, `sc_mem_alloc_secure()` (also removed), was
almost unused anyway.
Use names that are specific to EAC, not the German ID card (nPA),
because Protocol and Commands are defined by BSI TR-03110 and ICAO.
Functions that are nPA specific are moved to card-npa.h.
As defined in BSI TR-03119 to issue SCardTransmit (with Uses
Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT).
It allows using a very basic PC/SC reader driver without special support
for PIN verification or modification (such as the default CCID driver on
Windows).
Also gets IFD vendor information via escape commands.
PC/SC's Get Uid command is now only triggered if enable_escape = true;
was set by the user to allow disabling wrapped commands on broken
readers (see https://github.com/OpenSC/OpenSC/issues/810)
(Imported libcardnpa from https://github.com/frankmorgner/vsmartcard)
- Added generic SM implementation of ISO/IEC 7816-8
- Added implementation of extended access control as defined by
- BSI TR-03110
- ICAO Doc 9303
- ISO/IEC 7501
- Added tool for German ID card (and other EAC tokens)
- renamed folder libsm to sm
introduced paramter to signal back the login state
- used for the pin command SC_PIN_CMD_GET_INFO
- implemented in accordance to ISO 7816-4; all other implementations
are currently set to an unknown login state
implemented and exporeted sc_pkcs15_get_pin_info
use sc_pkcs15_get_pin_info in C_GetTokenInfo
C_GetSessionInfo: Check whether a logout was done
Closes https://github.com/OpenSC/OpenSC/pull/624
rebased by @viktorTarasov
framework-pkcs15: Duplicate public key related to private key rather than referencing the framework object
Referencing the related public key is required to return PKCS#11 attributes for a private key only available
in the public key object (i.e. CKA_MODULUS). This patch adds a copy of the public key to the private key object rather than
referencing the public key object in the framework. This prevents SEGV when the public key framework object
is deleted with C_DestroyObject, but the reference from the public key remains intact.
The bug leads to all kind of stability problems when keys are created and deleted in the same session.
The patch is in particular important if OpenSC is used with EJBCA or any other application using the
SUN PKCS#11 provider: When generating key pairs, then the public key object is eventually garbage collected
which removes the related object in the PKCS#11 module. Because there is no fixed time for this operation,
corruption occurs at random.
In a next step, the remaining related_xxx fields in sc_pkcs11_object should be revised and possibly removed.
framework: Added more error checking
The name implies what the format of the returned value, a SPKI.
The support for spki as a pkcs15 format of a pubkey, is extended to
work for any algorithm not just EC pubkeys. PKCS#15 appears to allow this.
sc_pkcs15_decode_pubkey_with_param will look for a SPKI
and attempt to use it for any algorithm, including RSA.
(RSA is the null case, as there are no algorithm parameters.)
sc_pkcs15_encode_pubkey_as_spki is exported from libopensc.
pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys
as SPKI for RSA and EC.
The pubkey->data is never a SPKI, it is the DER encoding of the
pubkey without the parameters. If an spki is needed, use the
sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the spki.
As in the previous set of patches, pkcs15-tool.c will output both
sc_pkcs15_decode_pubkey_with_param and its internal.
This was left for testing, and the pubkey_pem_encode should be deleted
fixes a lot of warnings which pass a const buffer to the APDU's data
Note that a non-const data member is only required for sc_allocate_apdu
sc_free_apdu. They are currently used with an explicit typecast.
However, sc_allocate_apdu and sc_free_apdu both are not used once in the
entire project. One might also simply throw both functions away.
-- Both are thrown away. (VT)
'PACE' is extremely card specific protocol and has not to be ostensibly
present in the common part of OpenSC:
* currently in OpenSC there is no card driver that supports or uses this protocol;
* amazing content of the common 'sc_perform_pace' -- beside the verbose logs
the only substantial action is to call the card/reader specific handler.
According to the current sources and the pull request 83
this 'common' procedure is called by the card driver or
card specific tool/operation.
* currently the 'PACE' can be thouroghly tested only by one person (Frank Morgner),
and only using the OpenSSL patched with the PACE specific patch.
So, at least a dedicated configuration option could be introduced when comiting PACE to the common part.
* common 'sc_perfom_pace' has the same role as the 'initialize-SM' handler of the existing SM framework
and can be implemented as card specific SM, as the others cards do.
This confirmed by Frank Morgner, the author of PACE commits and nPA card driver, himself.
(https://github.com/OpenSC/OpenSC/pull/83)
Introduce some usefull define macros, error code 'inconsistent configuration'.
Introduce procedure to calculate CRC32 digest,
to be used in minidriver to calculate the 'freshness' values.
At the moment symbolic names for the on-card applications are 'generic', 'protected'.
This distinction used by pkcs11 and minidriver module to select the
'master' application in the cases when only reduced number of slots (one)
can be exposed by module (minidriver) or particular configuration (pkcs11).
Frank Morgner
Hannu Honkanen
Timo Teräs
Jakuje
Frank Morgner
Viktor Tarasov
LE TOUX Vincent
Andreas Schwier