Hannu Honkanen
351e0d2bd6
Merge remote-tracking branch 'upstream/master' into wrapping-rebased and resolve conflicts
2018-11-02 13:42:41 +02:00
Hannu Honkanen
b35fb19ec4
Resolved conflict in pkcs15_create_secret_key
2018-11-02 13:28:51 +02:00
Peter Marschall
26025b2f5d
pkcs15-tool: list & dump cleanups
...
* when listing public keys, do not cut object labels in compact mode
* when listing private keys in compact mode, left align labels
* make hex codes at least 2 chars wide by changing "0x%X" to "0x%02X"
2018-11-01 12:25:04 +01:00
Frank Morgner
c70888f9ab
allow compilation with --disable-shared
2018-11-01 00:17:22 +01:00
Frank Morgner
54cb1099a0
fixed warnings about precision loss
2018-11-01 00:17:22 +01:00
Frank Morgner
5c7b7bb0b1
fixed minor XCode documentation warnings
2018-11-01 00:17:22 +01:00
Hannu Honkanen
f88419bc63
Removed pointless curly brackets
2018-10-31 10:36:50 +02:00
Hannu Honkanen
7bb53423a1
Code cleanup and minor corrections according to review. pkcs15-lib: Extractable keys are now marked as native. Check return value of check_key_compatibility in more explicit way to avoid misunderstandings.
2018-10-31 10:36:41 +02:00
Hannu Honkanen
90ec7123ba
Corrections and code cleanup as requested in review. Changed value to void* in sc_sec_env_param_t, because param_type defines type of the value. Fixed handling of secret key length in framework-pkcs15 and pkcs15-lib: CKA_VALUE_LEN from PKCS#11 is in bytes, PKCS#15 objects need key length in bits. Rebased on top of upstream/master and resolved merge conflicts.
2018-10-31 10:27:03 +02:00
Lars Silvén
84317f4e9d
Fixing missing call to sc_unlock.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
8ebb43d440
Removed #ifdef USE_PKCS15_INIT around __pkcs15_create_secret_key_object. This function is now used also when reading and parsing a card, not only when creating new objects.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
ec297b618f
sc_pkcs15_wrap: Fixed checking target key type. (checked partly from wrapping key)
2018-10-31 10:27:03 +02:00
Hannu Honkanen
e636b64377
Fixed: Return OK by PKCS#11 convention if NULL out buffer is provided, when caller wants to query required buffer size.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
f2c041d290
card-myeid: Removed NULL out buffer assertion to allow caller to query required buffer size.
...
mechanism.c: Bug fix to sc_pkcs11_wrap. Wrong operation was stopped in end of the function.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
287a63c704
Fixes to key wrapping and unwrapping code: Set IV correctly in symmetric unwrap. Correctly distinguish symmetric and asymmetric operation when building APDUs. Check CKA_TOKEN from the pkcs15 object in framework_pkcs15. Updated some comments.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
861d8b308b
Fixed myeid_unwrap with symmetric keys: set correct p2 and no padding indicator byte.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
4ce7e5289b
Fixed setting secret key length. CKA_VALUE_LEN comes as number of bytes, so multiply it by 8 to set correct bit length to the key file.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
eba75ead20
framework-pkcs15: set CKA_EXTRACTABLE into pkcs#15 secret key object's access flags when set. pkcs15-sec: Return needed buffer size correctly when an insufficient buffer is provided.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
f74150b53d
Proprietary attribute bits in FCP had to be adjusted due to conflicts with existing attributes. The needed changes were made to both card and OpenSC code.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
c891ad2aad
Fixed version check for key wrapping functionality. Return needed buffer size in myeid_wrap_key, if no buffer or too small buffer is provided.
2018-10-31 10:27:03 +02:00
Lars Silvén
6b8c284d3e
Fixing pointer conversion that is invalid on some architectures.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
550d4eb030
Small fixes to key wrapping and unwrapping. Handle target file ref using sc_sec_env_param type. Transmit initialization vector in symmetric key operations from PKCS#11 layer (mechanism param) to the card driver level, allow setting it in sc_set_security_env.
2018-10-31 10:27:03 +02:00
Hannu Honkanen
2487bc18d1
When creating symmetric keys, use CKK_ definitions (key type) rather than CKM_ definitions (mechanism) to specify the key type.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
7454133272
Added flags to distinguish AES ECB and CBC modes. Added SC_ALGORIHM_UNDEFINED definition to be used with CKK_GENERIC_SECRET type keys. Added sc_sec_env_param type, which can be used to define additional parameters when settings security environment. This is now used for setting IV in symmetric crypto and target EF in key wrapping/unwrapping.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
a2156da044
Fix encoding of SC_ASN1_CHOICE entry "parameters" in c_asn1_algorithm_info. Format only the selected entry of the choice.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
ae5675ca22
Fixed MSE for unwrap operation. Fixed wrong P1 when formatting APDU in myeid_unwrap_key.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
aa814fd8e8
Implemented C_Wrap into PKCS#11 interface. Added support for wrapping and unwrapping with secret keys into framework-pkcs15.c and all the way to the card driver level.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
a9ee85452e
Resolved a merge conflict. Included both changes manually.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
c217b254fc
MyEID: Initial implementation of key wrapping and unwrapping operations, and the related additions to myeid_set_security_env.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
edd48b3200
pkcs15init:
...
- Added session_object flag to sc_pkcs15init_skeyargs to enable on-card session objects.
- Corrections to handling native and extractable flags
- Allow creating an empty secret key EF for receiving an unwrapped key later.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
9d6ac01c27
pkcs15init: Handle user_consent and set new proprietary information flags in myeid_create_key().
2018-10-31 10:24:19 +02:00
Hannu Honkanen
1c09fa8a22
Handle AES algorithm. Doesn't set any flags, but check for AES is needed to avoid SC_ERROR_NOT_SUPPORTED.
2018-10-31 10:24:19 +02:00
Hannu Honkanen
7fc6c52f81
Set native=1 as default when decoding. Check supported algorithms and set PKCS#11 key type, if key supports AES.
2018-10-31 10:22:16 +02:00
Hannu Honkanen
9772edc7d1
Handle -u option (x509-usage) when storing secret keys.
2018-10-31 10:22:16 +02:00
Hannu Honkanen
a10480d50e
Continued implementation of unwrap: Creation of a target key object on card to receive an unwrapped key. Setting target key path in sc_security_env_t.
2018-10-31 10:22:16 +02:00
Hannu Honkanen
5f51d5d315
Added implementation of C_UnwrapKey all the way from PKCS#11 interface to the card driver level.
...
Not yet complete, but can be run with CKA_TOKEN=FALSE set in the target object. Currently unwrapping emulated
with a decrypt operation in card-myeid.c. To be improved.
2018-10-31 10:22:16 +02:00
Jakub Jelen
e2b1fb81e0
Restore minimal CAC1 driver for legacy cards ( #1502 )
...
* Add minimal CAC1 driver for legacy cards.
It is using the same pkcs15 backend as the CAC2 cards as well as some of
the CAC2 driver methods.
The separation is made mostly for easier card matching or disabling.
2018-10-30 17:27:28 +01:00
Frank Morgner
c3bef7d527
fixed compilation with XCode 10
...
fixes https://github.com/OpenSC/OpenSC/issues/1485
2018-10-24 10:34:43 +02:00
Frank Morgner
5095e29ae3
gio: avoid unneccessary unitialization
2018-10-22 21:44:07 +02:00
Doug Engert
2fd8e278f5
pkcs11/openssl.c - add missing mechanisms fixes #1497
...
On branch pkcs11-openssl-c
Changes to be committed:
modified: ../pkcs11/openssl.c
2018-10-19 08:27:47 +02:00
Vadim Penzin
195d53b8a2
Fix division by zero in SimCList when appending to an empty list.
2018-10-16 12:10:04 +02:00
Frank Morgner
8c535c184f
removed duplicate code for adding padding
...
Fixes padding handling of SC_ALGORITHM_RSA_PAD_NONE introduced with
e5707b545e
2018-10-15 15:21:52 +02:00
Jakub Jelen
46c99e769d
ctx: Move coolkey driver up after improving the matching
...
Fixes #1483
2018-10-15 12:14:22 +02:00
Jakub Jelen
f220d0b77d
coolkey: Improve card matching to avoid mismatches in muscle
2018-10-15 12:14:22 +02:00
Jakub Jelen
55a8478ed6
cac: These functions do not have to be exposed
2018-10-15 12:14:22 +02:00
Frank Morgner
ac276b1202
starcos: fixed decipher with 2.3 ( #1496 )
...
closes https://github.com/OpenSC/OpenSC/issues/765
fixes https://github.com/OpenSC/OpenSC/issues/1495
2018-10-11 22:50:37 +02:00
Luka Logar
d517d8e18d
Fix minidriver padding
...
Commit e5707b545e
broke signing using minidriver on Windows.
More specifically changing #define SC_ALGORITHM_RSA_PAD_NONE from 0x00000000 to 0x00000001 caused a call to sc_pkcs1_encode() to fail as the padding algorithm was not specified anywhere in the CardSignData() implementation. It kind of worked as long as SC_ALGORITHM_RSA_PAD_NONE was 0x00000000, but the above mentioned commit broke this.
Now padding algorithm has to be explicitly specified, otherwise a call to sc_pkcs1_encode() will fail.
2018-10-11 12:47:48 +02:00
Peter Marschall
550665b906
OpenPGP: refactor pgp_get_card_features()
...
Use pgp_parse_alog_attr_blob() to get the algorithm attribute DO's contents.
2018-10-10 14:52:29 +02:00
Peter Marschall
8a564107a8
OpenPGP: introduce gpg_parse_algo_attr_blob()
...
Introduce a central function to parse the algorithm atributes in DOs C1 - C3.
2018-10-10 14:52:29 +02:00
Peter Marschall
248ece23c6
OpenPGP: bail out on non-RSA key generation/import
...
Also add the necessary algorithm info where necessary.
2018-10-10 14:52:29 +02:00
Peter Marschall
c2f02f72bd
OpenPGP: adapt data structures to support RSA alternatives
...
* update callers to use the adapted structures.
2018-10-10 14:52:29 +02:00
Peter Marschall
772d20969a
OpenPGP: first steps to support key types beyond RSA
...
- rename 'keytype' in some OpenPGP-specific types to 'key_id'
because they key ID was what the field was used for
- introduce field 'algorithm' in the structures above
to indicate the key's algorithm: RSA, ...
- define constant SC_OPENPGP_KEYALGO_RSA and use it
- rename constants SC_OPENPGP_KEYFORMAT_* to SC_OPENPGP_KEYFORMAT_RSA_*
because they are RSA specific
2018-10-10 14:52:29 +02:00
Peter Marschall
f1ae31aea4
OpenPGP: expose additional algorithms only with EXT_CAP_ALG_ATTR_CHANGEABLE
...
List additional algorithms & attributes as supported only when the card
supports changing the algorithms attributes DOs and exposes this by having
the EXT_CAP_ALG_ATTR_CHANGEABLE capability set.
Using different algorithms and attributes requires changing the algorithm
attributes DOs. If that is not supported - as indicated by a missing
EXT_CAP_ALG_ATTR_CHANGEABLE capability - then only those algorithms
described by the current algorithms attributes DOs' contents can be used.
In addition simplify setting the flags.
2018-10-10 14:52:29 +02:00
Peter Marschall
44d6116c59
OpenPGP: slight cleanups
...
* use variables if they are already there
* be a bit more explicit in logging
* more consistent tag format: %04X
* cleanup flag setting for _sc_card_add_rsa_alg()
2018-10-10 14:52:29 +02:00
Frank Morgner
ea6f7cfe1d
Added memory locking for secrets ( #1491 )
...
When caching a PIN in memory or using an OpenSSL private key this data should not be swapped to disk.
2018-10-10 14:52:01 +02:00
gabrielmuller
6bf67f7917
onepin option also needs PIN to CREATE
...
I previously changed the default option but forgot to make the same change for onepin.
2018-10-08 21:35:23 +02:00
Peter Marschall
a8db9cb4f0
openpgp-tool: harmonize error messages
...
* use symbolic constants for errors & success
* use util_error() to show errors
* print error messages to stderr
2018-10-04 09:41:31 +02:00
Peter Marschall
e4a0b09968
openpgp-tool: remove unnecessary variable
...
* 'opt_keylen' was only set, but never used => remove
* passing the key length is not an action => do not mark it as such
2018-10-04 09:41:31 +02:00
Jakub Jelen
a5daaaff0c
piv-tool: Error checking
2018-10-01 23:07:34 +02:00
Jakub Jelen
ef724e1e57
pkcs15-authentic: Do not confuse static analyzers
2018-10-01 23:07:34 +02:00
Jakub Jelen
52959df9f6
pkcs15-oberthur: Avoid memory leaks on failures
2018-10-01 23:07:34 +02:00
Jakub Jelen
a1dfdbbdbc
pkcs15-oberthur-awp: Do not confuse cppcheck
2018-10-01 23:07:34 +02:00
Jakub Jelen
e920ef8eb8
opensc-explorer: Make static analyzers happy
2018-10-01 23:07:34 +02:00
Jakub Jelen
16c5a352a4
piv-tool: Avoid memory leaks on realloc failure
2018-10-01 23:07:34 +02:00
Jakub Jelen
9a690a96e0
sc-hsm-tool: Avoid memory leak
2018-10-01 23:07:34 +02:00
Jakub Jelen
bce43e6855
Remove dead code
2018-10-01 23:07:34 +02:00
Jakub Jelen
74105300bf
card-iasecc: Avoid memory leaks on failure
2018-10-01 23:07:34 +02:00
Jakub Jelen
674e5e8b3d
ctx: Require dll parameter otherwise we are leaking it
2018-10-01 23:07:34 +02:00
Jakub Jelen
a85a4a8b48
pkcs15-authentic: Avoid memory leak on failure
2018-10-01 23:07:34 +02:00
Jakub Jelen
65e1cd2df7
muscle: Check return values
2018-10-01 23:07:34 +02:00
Jakub Jelen
a2ab2071bb
piv: Check return value of sc_lock()
2018-10-01 23:07:34 +02:00
Jakub Jelen
b8133c2545
pkcs15-myeid: Return value checking
2018-10-01 23:07:34 +02:00
Jakub Jelen
8e0078a6f9
pkcs15-myeid: Do not confuse coverity with potential double-free
2018-10-01 23:07:34 +02:00
Jakub Jelen
e5da6b66b9
iso7816: Replace asserts with explicit length checks to make coverity happy
2018-10-01 23:07:34 +02:00
Jakub Jelen
b9e33a3c64
Coverity warnings
...
card-piv.c
make sure the string is null terminated before passing it
to hex_to_bin routine, which expects it
pkcs15-cac.c
free cn_name on failure
pkcs11-tool.c
make sure the string is null terminated before passing it to
parse_certificate(), which expects it
2018-10-01 23:07:34 +02:00
Raul Metsma
83b188c950
Remove long expired EstEID 1.0/1.1 card support
...
Signed-off-by: Raul Metsma <raul@metsma.ee>
2018-09-30 21:25:13 +02:00
Jakub Jelen
e456e609a6
Avoid memory leaks during verification
2018-09-30 21:23:27 +02:00
Jakub Jelen
424d828627
slot: Switch cleanup steps to avoid segfaults on errors
...
and some more sanity checking
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
Jakub Jelen
9a853176b8
pkcs11-tool: Support for signature verification
...
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
Nicholas Wilson
e5707b545e
Add support for PSS padding to RSA signatures
...
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
Jakub Jelen
be2cc38565
p11test: Add missing CKM_SHA224_RSA_PKCS_PSS
...
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
Gabriel Müller
551fcccb90
Changed outdated "STARCOS SPK 2.3" name to "STARCOS".
...
modified: src/libopensc/pkcs15-infocamere.c
modified: src/libopensc/pkcs15-starcert.c
modified: src/pkcs15init/pkcs15-lib.c
Changed isf_acl to also need SO PIN for CREATE.
modified: src/pkcs15init/starcos.profile
2018-09-28 16:50:39 +02:00
Frank Morgner
496a9b571d
fixed error handling
2018-09-25 12:13:57 +02:00
Frank Morgner
0ae825f8d9
fixed error checking
...
closes https://github.com/OpenSC/OpenSC/pull/1343
2018-09-25 11:09:07 +02:00
konstantinpersidskiy
0c3412bb37
Fix C_SetAttributeValue for CKA_VALUE for data obj
2018-09-25 10:51:10 +02:00
konstantinpersidskiy
ccdb314d49
Fix C_GetAttributeValue for attr with 0 length
2018-09-25 10:51:10 +02:00
konstantinpersidskiy
c9d6c30a83
Fix data object with empty value creation
2018-09-25 10:51:10 +02:00
Peter Marschall
3cc2670f3e
opensc-explorer: avoid warnings on readline-less builds
2018-09-24 00:03:13 +02:00
Peter Marschall
14a31a3c42
opensc-explorer: refactor main()
...
* localize variables
* print errors to stderr
* release allocated resources
* return error code on error - improve non-interactive use
* do not show help on unknown commands when used non-interactively
2018-09-24 00:03:13 +02:00
Peter Marschall
9616ad4d94
opensc-explorer: fix&clarify handling of interactive mode
...
* make 'interactive' a global variable
* set it when opensc was called with the SCRIPT argument
* document the behaviour in the manual page
Make interactive a global variable and set it in main.
2018-09-24 00:03:13 +02:00
Peter Marschall
c5679bfe39
opensc-explorer: refactor read_cmdline()
...
* add comments
* simplify #ifdef logic
* increase commandline buffer in non-interactive / non-readline case
2018-09-24 00:03:13 +02:00
Peter Marschall
ca9538761b
opensc-explorer: refactor parse_cmdline()
...
* add comments
* always terminate argv[] with a NULL element
* fail if number of arguments is too large
2018-09-24 00:03:13 +02:00
Peter Marschall
c9db3f7385
opensc-explorer: allow arguments for 'help'
...
When arguments are given, compare them like ambguous_match() does,
and show the matching ones only.
Add documentation of the 'help' command to the manual page.
In main loop on multiple matches, show help on matching commands only.
2018-09-24 00:03:13 +02:00
Peter Marschall
c817be8faa
opensc-explorer: refactor ambiguous_match()
...
* most importantly: immediately return success on exact match
- this allows one command to be a prefix of another one
- it fixes the long-standing breakage between 'find' and 'find_tags'
* fail on second prefix-only match instead of waiting until the end
* check all parameters
* add comments
* inform caller on whether the match was ambiguous or there was no match
* move printing error messages to processing loopt in main()
2018-09-24 00:03:13 +02:00
Peter Marschall
593a90f64e
opensc-explorer: write error messages to stderr
...
Clarify the distinction between error messages and status messages or prompts.
Prepare for better non-interactive support.
2018-09-24 00:03:13 +02:00
Peter Marschall
77297f7965
opensc-explorer: check length of argument to option --mf
...
* fail when it is too long
* replace a magic numerical constant
2018-09-24 00:03:13 +02:00
Peter Marschall
9d501766b4
opensc-explorer: extend 'random' to allow writing to a file
...
Accept a file name as a second argument to the 'random' command
to allow storing the generated random bytes to the file given.
Forbid writing binary data to stdout in interactive mode.
2018-09-24 00:03:13 +02:00
Peter Marschall
7a4a9f1951
opensc-explorer: refactor do_put() slightly
...
Avoid misunderstandings by renaming a variable that refers to an
input file handle from 'outf' to 'inf'.
2018-09-24 00:03:13 +02:00
Peter Marschall
1245b617d1
opensc-explorer: refactor do_apdu() slightly
...
* limit buffer to SC_MAX_EXT_APDU_BUFFER_SIZE
* fix buffer length calculation to correctly calculate the available space
* add length checks when parsing passed data into buffer
2018-09-24 00:03:13 +02:00
Peter Marschall
58da74bc32
opensc-explorer: refactor do_put_data() slightly
...
* increase input buffer size
* avoid magic number
* notify caller on error details when parsing fails
2018-09-24 00:03:13 +02:00
Peter Marschall
aed4b00145
opensc-explorer: harmonize display of command arguments
...
* consistently show ellipsis for repeatable arguments as 3 dots
* embrace alternative mandatory arguments with curly braces
* use hyphens instead of spaces within non-literal arguments
for improved alignment with the manual page
2018-09-24 00:03:13 +02:00
Peter Marschall
c69f10c2ab
opensc-explorer: add command 'pin_info'
...
Get information on a PIN or key from the card via sc_pin_cmd()'s
SC_PIN_CMD_GET_INFO functionality.
2018-09-24 00:03:13 +02:00
Jakub Jelen
9d44adbc4e
Missing header release tarball
2018-09-14 22:39:57 +02:00
Frank Morgner
00d1501ae6
pkcs11: fail in C_CreateObject/C_DestroyObject if write protected
2018-09-14 08:23:08 +02:00
Frank Morgner
129946ca96
pkcs11: CKF_WRITE_PROTECTED based on card's read_only flag
...
uses `md_read_only` as `read_only` for both, PKCS#11 and Minidriver
2018-09-14 08:23:08 +02:00
Frank Morgner
db4ed9f4a2
export _sc_match_atr_block
2018-09-14 08:23:08 +02:00
Frank Morgner
e36c1468e5
md: derive md_read_only from PKCS#15 profile
2018-09-14 08:23:08 +02:00
Priit Laes
1f06a76b1a
openssl: Bump openssl requirement to 0.9.8
2018-09-14 08:21:40 +02:00
Frank Morgner
3750d70106
pgp: detect gnuk with newer fw
...
closes https://github.com/OpenSC/OpenSC/issues/1475
2018-09-13 13:46:27 +02:00
Frank Morgner
66fe060363
fixed gcc 8 compiler waring
...
closes https://github.com/OpenSC/OpenSC/pull/1474
2018-09-12 13:10:06 +02:00
Raul Metsma
430a9b3f5a
Commit c463985fed
broke EstEID PIN verify
...
Signed-off-by: Raul Metsma <raul@metsma.ee>
2018-09-12 12:30:05 +02:00
Alon Bar-Lev
d8a2a7bf88
reader-ctapi: ctapi_connect: remove unused variable
...
from day 1 return value of _sc_parse_atr was ignored.
2018-09-09 14:55:28 +02:00
alex-nitrokey
083c18045e
Make deciphering with AUT-key possible for OpenPGP Card >v3.2 ( fixes #1352 ) ( #1446 )
2018-09-06 10:57:23 +02:00
alex-nitrokey
748234b7cc
Fix SM algorithm in extended capabilities
2018-09-05 23:42:14 +02:00
Frank Morgner
39bd1ddd58
fixed wrong condition
...
fixes https://github.com/OpenSC/OpenSC/issues/1465
2018-09-04 13:51:40 +02:00
alex-nitrokey
b572b383b2
Add supported algorithms for OpenPGP Card ( Fixes #1432 ) ( #1442 )
2018-08-31 14:38:14 +02:00
asc
2b60a0db0f
Add support for SmartCard-HSM 4K (V3.0)
2018-08-31 13:42:44 +02:00
Frank Morgner
db438f61c1
ias/ecc: fixed GET CHALLENGE
2018-08-24 13:59:03 +02:00
Frank Morgner
94f9fdf145
ias/ecc: fixed card detection
...
regression of 439a95f2d
2018-08-24 13:51:15 +02:00
Frank Morgner
5daec17e32
ias/ecc: ignore missing serial on card initialization
...
fixes problem in card detection introduced in
50b000047c
2018-08-24 13:50:53 +02:00
Raul Metsma
336b282324
Reuse gp_select_aid
...
Signed-off-by: Raul Metsma <raul@metsma.ee>
2018-08-23 20:37:38 +02:00
Doug Engert
719ec39b3e
Use sc_asn1_read_tag to read first tag of partially block ( #1454 )
...
Sc_asn1_read_tag can return SC_ERROR_ASN1_END_OF_CONTENTS
which indicates the tag and length are OK, but any value
is not completely contained in the buffer supplied. card-piv.c
can use this when reading just the beginning of a object to
determine the size of a buffer needed to hold the object.
2018-08-23 20:35:24 +02:00
Frank Morgner
97f0a341b0
fixed typo
2018-08-23 10:14:25 +02:00
Frank Morgner
70c4813f30
fixed Dereference before null check
2018-08-23 09:59:45 +02:00
Frank Morgner
67fbf15741
fixed NULL dereference
2018-08-23 09:51:04 +02:00
Priit Laes
45f407c021
Mark driver-specific global sc_atr_table structures as const
...
As most of the drivers do not modify these, we can mark them as const.
Two drivers that we cannot convert are dnie and masktech.
section size
.data 35232 -> 25472
.data.rel.ro 36928 -> 46688
2018-08-22 22:50:30 +02:00
Priit Laes
2eae5e70f5
Mark atr table argument as const in match_atr_table and _sc_match_atr functions
...
This allows us to mark driver-specific atr tables as constants.
2018-08-22 22:50:30 +02:00
Frank Morgner
fcd719d30f
Merge pull request #1447 from Jakuje/x41sec-merge
...
Security issues idefnitifed by fuzzing. For more information, see the blog post:
https://www.x41-dsec.de/lab/blog/smartcards/
2018-08-20 15:11:51 +02:00
Frank Morgner
ff8ec86f26
avoid looping forever in GET CHALLENGE
...
fixes https://github.com/OpenSC/OpenSC/issues/1440
2018-08-20 14:37:20 +02:00
Frank Morgner
fcf00e66cd
Starcos: added ATR for 2nd gen. eGK
...
fixes https://github.com/OpenSC/OpenSC/issues/1451
2018-08-20 14:27:02 +02:00
Jakub Jelen
5ec26573da
coolkey: Do not overflow allocated buffer
2018-08-14 16:13:22 +02:00
Jakub Jelen
79c0dbaa4e
cac: Avoid OOB reads for inconsistent TLV structures
2018-08-14 16:13:22 +02:00
Frank Morgner
50b000047c
ias/ecc: disable iccsn parsing
...
if someone wants to implement this with memory bounds checking, please
raise your hands
2018-08-14 16:13:22 +02:00
Frank Morgner
0b44793900
tcos: use ISO7816 fci parser
2018-08-14 16:13:22 +02:00
Frank Morgner
30fe0ad453
pgp: fixed integer underflow
2018-08-14 16:13:22 +02:00
Frank Morgner
92a98cb3bb
mcrd: converted assert to proper error handling
2018-08-14 16:13:22 +02:00
Frank Morgner
78f0055338
fixed uninitialized use of variable
2018-08-14 16:13:22 +02:00
Frank Morgner
03628449b7
iasecc: fixed unbound recursion
2018-08-14 16:13:22 +02:00
Frank Morgner
5807368ed4
fixed bad memory access
2018-08-14 16:13:22 +02:00
Doug Engert
384626533e
PIV Security Changes
...
Add return code if "out" is smaller then received data.
Remove extra blanks.
2018-08-14 16:13:22 +02:00
Doug Engert
3e5a9a42c3
Remove in PIV driver need for aid_file
...
Remove aid_file and aidfile variables in card-piv.c. These are not needed
as piv_select_aid parses the returned data from a SELECT AID command.
In response to e-mail from X41 group on 6/11/2018.
On branch x41-piv-2
Changes to be committed:
modified: card-piv.c
2018-08-14 16:13:22 +02:00
Jakub Jelen
d5d15105dd
cac: Ignore end of content errors ( #7 )
...
The CAC buffers are split to separate TL and V buffers so we need to ignore this error
2018-08-14 15:50:13 +02:00
Frank Morgner
83f45cda2a
Added bounds checking to sc_simpletlv_read_tag()
...
- Logic is identical to sc_asn1_read_tag()
- Fixes out of bounds access e.g. in cac_parse_CCC
2018-08-14 15:50:13 +02:00
Frank Morgner
ffe38fd87f
sc_asn1_read_tag: fixed tracking of consumed bytes
...
fixes return buffers that are outside the allocated memory space
2018-08-14 15:50:13 +02:00
Frank Morgner
360e95d45a
fixed out of bounds writes
...
Thanks to Eric Sesterhenn from X41 D-SEC GmbH
for reporting the problems.
2018-08-14 15:50:13 +02:00
Frank Morgner
8fe377e93b
fixed out of bounds reads
...
Thanks to Eric Sesterhenn from X41 D-SEC GmbH
for reporting and suggesting security fixes.
2018-08-14 15:50:13 +02:00
Frank Morgner
f66ceab4bb
fixed typo
...
fixes https://github.com/OpenSC/OpenSC/issues/1443
2018-08-09 15:50:51 +02:00
Frank Morgner
9294058d5c
fixed requesting DWORD with sc_ctx_win32_get_config_value
...
the length of the value is not determined by strlen()
2018-08-05 11:35:12 +02:00
Frank Morgner
cd557df54d
md: change semantics of cancelling the PIN pad prompt
...
md_pinpad_dlg_allow_cancel now defines whether or not the user is asked
before verifying the PIN on the PIN pad. This can be denied without
interaction with the PIN pad. A checkbox in the dialog allows the user
to change this setting, which is saved in the registry by the path of
the process.
This change fixes the progress bar to match the actual configured
timout. The progressbar now fills instead of running empty, which seemed
less frightening for most users.
This change also fixes some copy/paste errors in the documentation of
opensc.conf(5).
2018-08-05 11:35:12 +02:00
Frank Morgner
da40c61d13
npa/sc-hsm: don't call EAC_cleanup()
...
In Minidriver, when the DLL is called in multiple threads, this can
lead to a deinitialization of OpenSSL's OIDs in one thread making them
unavailable from other threads of the same process. As result, CVCs
cannot be veriefied anymore during chip authentication.
2018-08-05 11:35:12 +02:00
Frank Morgner
79fb808adf
opensc-notify: localize exit menu entry
2018-08-05 11:35:12 +02:00
Frank Morgner
0f1fdb7872
opensc-notify: add Exit button to tray icon
2018-08-05 11:35:12 +02:00
Frank Morgner
4a3a3e5df2
opensc-notify: implement win32 message dispatching
2018-08-05 11:35:12 +02:00
Jakub Jelen
2190bb927c
Drop support for CAC 1
...
This removes code related to the old CAC 1 specification, while
preserving the CAC 2 functionality including CAC Alt token detection
for the tokens without CCC or ACA.
The detection based on SELECT APPLET APDU is improved to require also
the READ BUFFER APDU working, which should fail on misbehaving Java cards.
2018-08-03 01:51:44 +02:00
Jakub Jelen
f097d88b3a
coolkey: Drop bogus ;
2018-08-03 01:50:05 +02:00
Jakub Jelen
8e8193f8f5
coolkey: Unbreak get_challenge with correct instruction code
2018-08-03 01:50:05 +02:00
Raul Metsma
dfe932d00d
OMNIKEY 3x21 and 6121 Smart Card Reader are not pinpad readers
...
macOS 10.13 ships with ccid driver 1.4.27 (fixed in 1.4.29) and this version identifies these readers wrongly as pinpad readers.
Signed-off-by: Raul Metsma <raul@metsma.ee>
2018-07-28 13:42:20 +02:00
Frank Morgner
4de0d06a93
use single quotes for passing define
...
makes sure that the shell doesn't evaluate parts of the define
2018-07-17 14:49:27 +02:00
Frank Morgner
a0b6643fa7
Use hard coded default SM module (path)
...
- avoids the need to set this default in opensc.conf
- fixes loading of (unknown) local library
- removes some unused defines from config.h
2018-07-17 14:49:27 +02:00
Frank Morgner
e226ad265a
Removed unused option `hide_empty_tokens`
2018-07-17 14:49:27 +02:00
Frank Morgner
47ee3a3978
added manual page opensc.conf(5)
...
splits the HTML documentation into files.html and tools.html
2018-07-17 14:49:27 +02:00
Frank Morgner
16275c2683
fixed memory leak
2018-07-17 13:31:14 +02:00
Frank Morgner
3042a39705
removed unused variable
2018-07-17 13:16:06 +02:00
Doug Engert
fbc9ff84bc
Some cards may return short RSA signatures without leading zero bytes.
...
Add leading zeros to RSA signature so it is the size of modulus.
Return modulus length.
Changes to be committed:
modified: src/libopensc/pkcs15-sec.c
2018-07-11 22:30:50 +02:00
Jakub Jelen
1eaae6526b
pkcs15-tool: Build with current gcc
...
The argument to strncpy is not the length of the target buffer,
but the source one (excluding the null byte, which will be
copied anyway).
2018-07-11 10:48:10 +02:00
Jakub Jelen
e9314adf4b
Testsuite also depends on openssl, use correct variables for linking
2018-07-11 10:48:10 +02:00
Jakub Jelen
7c8ed4dc03
Correct name in the automake
2018-07-11 10:48:10 +02:00
Jakub Jelen
3a7a1ba31f
Do not fail if we found unknown tag or the count does not match
...
* The HID tokens present such undocumented tags
2018-07-11 10:48:10 +02:00
Jakub Jelen
bf3382d4d9
Standardize logging and include also AID
2018-07-11 10:48:10 +02:00
Jakub Jelen
3480d9fc99
Log also information about unitialized slots with correct labels
2018-07-11 10:48:10 +02:00
Jakub Jelen
1c2a7f8dd2
HID Alt tokens have the other bunch of slots in other undocumented AID
2018-07-11 10:48:10 +02:00
Peter Marschall
1eb8391b4a
OpenPGP: slightly re-factor pgp_get_card_features()
...
* length checks where needed
* more & better comments
2018-07-11 10:47:39 +02:00
Peter Marschall
7332a37abb
OpenPGP: add serial number to card name
2018-07-11 10:47:39 +02:00
Peter Marschall
6d6efa2ded
OpenPGP: fix FIXME in pgp_new_blob()
...
Form a correct path instead ofmusising an array of 2 u8's.
Perform proper error checking.
2018-07-11 10:47:39 +02:00
Peter Marschall
215fcdad15
OpenPGP: include detailed version into card name
...
... for "standard" OpenPGP cards.
This gives more detailed information to the user on the detailed specs
the card adheres to.
In addition it fixes a long-standing annoyance that every standard 2.x
card matching the v2.0 ATR was announced as CryptoStick 1.2.
This ATR is not only used in the CryptoStick 1.2, but also also in
ZeitControl cards as well as NitroKeys, ...
2018-07-11 10:47:39 +02:00
Peter Marschall
2e1b47a79a
OpenPGP: improve get_full_pgp_aid()'s parameter checking
2018-07-11 10:47:39 +02:00
Peter Marschall
2a7a6a62fa
OpenPGP: limit scope of variable
2018-07-11 10:47:39 +02:00
Peter Marschall
15125b03ab
OpenPGP: use LOG_FUNC_CALLED & LOG_FUNC_RETURN symmetrically
...
To help debugging,
- replace plain return's after LOG_FUNC_CALLED()
has been called with LOG_FUNC_RETURN()
- use LOG_FUNC_CALLED() & LOG_FUNC_RETURN() pairs more often
2018-07-11 10:47:39 +02:00
Peter Marschall
fcecd1bdd2
OpenPGP: update comments on function use: ABI or internal
2018-07-11 10:47:39 +02:00
Peter Marschall
0d6be5db26
OpenPGP: define & set LCS (lifecycle support) as extended capability
...
Use it in pgp_erase_card() to slightly simplify the code.
2018-07-11 10:47:39 +02:00
Peter Marschall
3af54b2fe0
OpenPGP: harmonize some comments
2018-07-11 10:47:39 +02:00
Peter Marschall
3a59b0a182
OpenPGP: parse "extended length info" DO 7f66 on init
2018-07-11 10:47:39 +02:00
Peter Marschall
f73005791c
OpenPGP: improve parsing of extended capabilities
2018-07-11 10:47:39 +02:00
Peter Marschall
dea5fd9551
OpenPGP: add new DOs introduced with OpenPGP card spec v3.0 & v3.3
...
For some files spec states CONSTRUCTED, but we treat them as SIMPLE,
because we only need parts of their contents.
2018-07-11 10:47:39 +02:00
Peter Marschall
9dbdf42e9e
OpenPGP: update references to specifications
2018-07-11 10:47:39 +02:00
Peter Marschall
14cd6ee39e
OpenPGP: clarify meaning of padding byte in pgp_decipher()
2018-07-11 10:47:39 +02:00
Peter Marschall
4323a3d37c
OpenPGP: add new DO D5 introduced with OpenPGP card spec v2.1
...
... and make it accessible for v2.1+ cards
2018-07-11 10:47:39 +02:00
Peter Marschall
4ec37adea8
OpenPGP: extend manufacturer list in pkcs15-openpgp.c
2018-07-11 10:46:56 +02:00
Eugene Bright
332535c544
Workaround subject and issuer fields overflow
...
Structure `x509cert_info` fields `subject` and `issuer`
are doubled in size up to 512 bytes.
We have to use dynamic memory allocation
to completely overcome the issue.
Relates to OpenSC/OpenSC#1412 .
2018-07-11 10:13:14 +02:00
Frank Morgner
2c0d1b9ab0
reset sc_card_t during card detection
...
fixes https://github.com/OpenSC/OpenSC/issues/1417
2018-07-11 10:12:42 +02:00
asc
6f8bfc399b
Fix usage indicator for PSS
2018-07-11 10:07:28 +02:00
asc
6e0689638c
Add checking for supported CKM_RSA_PKCS_PSS combinations
2018-07-11 10:07:28 +02:00
Leif Erik Wagner
e2f0e367b1
Implement RSA PSS for GoID / SmartCard-HSM
2018-07-11 10:07:28 +02:00
Peter Marschall
99fa4f4a57
pkcs15-tool: harmonize non-short output for -C, -D,
...
Make sure to have an empty line between information printed for individual
objects, but not in short mode.
This makes output of -D and -C more consistent.
2018-07-11 10:05:30 +02:00
Gianfranco Costamagna
a6b4605b86
card-piv.c: initialize variable to fix a ppc64el build failure
...
This fixes a build failure with optimized ppc64el and new gcc builds
card-piv.c: In function ‘piv_validate_general_authentication.isra.3’:
card-piv.c:2390:9: error: ‘rbuflen’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
body = sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x7c, &bodylen);
~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2018-07-11 09:54:51 +02:00
Frank Morgner
88de66bb13
fixed `make distcheck`
2018-07-04 18:12:58 +02:00
Stanislav Brabec
4db9db7403
Add GenericName to the desktop file
...
Add optional GenericName to org.opensc.notify.desktop. GenericName is
recently widely used for menu rendering in desktop environments.
2018-07-04 09:50:07 +02:00
Jakub Jelen
155ecc11f3
Adjust the p11test readme after merge
...
Resolves : #1415
2018-07-04 09:46:43 +02:00
Frank Morgner
452e1d3b96
fixed used of uninitialized return value
2018-06-30 01:17:57 +02:00
Frank Morgner
b3e3ab61c0
avoid integer underflow
2018-06-29 17:14:55 +02:00
Frank Morgner
971dac2f78
unignore result
2018-06-29 17:14:55 +02:00
Frank Morgner
6184c1fbab
avoid out of bounds read
2018-06-29 17:14:55 +02:00
Frank Morgner
03c5280626
avoid NULL dereference
2018-06-29 17:14:55 +02:00
Frank Morgner
ed0d829eab
removed unused check
2018-06-29 17:14:55 +02:00
Frank Morgner
259b7ec41c
check return value
2018-06-29 17:14:55 +02:00
Frank Morgner
c026f37677
warn about error in sc_enumerate_apps
2018-06-29 17:14:55 +02:00
Frank Morgner
6819759946
fixed memory leak
2018-06-29 17:14:55 +02:00
Frank Morgner
5f39d7ab74
use correct length of binary ATR
2018-06-29 17:14:55 +02:00
Frank Morgner
0e9565754c
avoid uninitialized output after sc_file_dup
2018-06-29 17:14:55 +02:00
Alon Bar-Lev
31cbf83738
build: support >=libressl-2.7
2018-06-28 08:58:07 +02:00
Peter Marschall
0603c3b7fc
iso7816: fix typo in previous commit
2018-06-24 10:34:49 +03:00
Peter Marschall
2818e0f703
iso7816: update & extend error codes
...
While at it, do some space policing.
2018-06-24 10:34:49 +03:00
Frank Morgner
1ca1a024df
card-npa: fixed memory leak
...
fixes https://github.com/OpenSC/OpenSC/issues/1396
2018-06-22 09:23:00 +02:00
Frank Morgner
d831076974
opensc-notify: use generic icon
...
fixes https://github.com/OpenSC/OpenSC/issues/1402
2018-06-22 08:52:49 +02:00
Peter Popovec
5dcea4440e
pkcs15-tool: added support for reading NIST ssh keys
...
'pkcs15-tool --read-ssh-key' is now able to read NIST ECC keys from card.
Only 256, 384 and 521 field lengths are supported (same as allowed in
ssh-keygen -t ecdsa). Issue #803 is partialy fixed by this patch.
Openssh PKCS11 interface patches for ECC are now available, please check
https://bugzilla.mindrot.org/show_bug.cgi?id=2474
2018-06-21 15:26:15 +02:00
Jakub Jelen
1f352d4c6d
muscle: Properly clean up the applet memory footprint
2018-06-21 12:48:57 +02:00
Jakub Jelen
5b3da5d462
cac: Missing memory cleanup
2018-06-21 12:48:57 +02:00
Jakub Jelen
2682741293
cac: Avoid segfaults from get_challenge()
2018-06-21 12:48:57 +02:00
Jakub Jelen
f392d7426f
Utilize autoconf variables for cmocka usage
2018-06-21 12:48:57 +02:00
Frank Morgner
9c2afad417
fixed copy/paste error
2018-06-20 00:56:01 +02:00
Frank Morgner
8b3f5b7d97
epass2003: fixed logical error
2018-06-19 23:24:36 +02:00
Frank Morgner
9150d92447
fixed out of bounds access
2018-06-19 23:22:00 +02:00
Frank Morgner
d8cdf66d3d
fixed memory leak
2018-06-19 23:15:29 +02:00
ytoku
63ed8d7368
gids: file selection via gids_select_file
2018-06-19 08:00:01 +02:00
ytoku
46c0bbd803
gids: use file id instead of path in gids_delete_key_file
2018-06-19 08:00:01 +02:00
ytoku
ab16228e26
gids: fix gids_delete_cert
2018-06-14 14:05:45 +02:00
asc
31941bc3d9
sc-hsm: Ensure that applet returns version information ( Fix #1377 )
2018-06-11 22:51:45 +02:00
Peter Marschall
7c99adaaa6
PIV: limit scope of some variables
2018-06-11 22:37:42 +02:00
Peter Marschall
f2ba0ad9be
PIV: refactor to use sc_compacttlv_find_tag()
2018-06-11 22:37:42 +02:00
Jakub Jelen
40b02b2582
Namespace the function name, update comment
2018-06-11 22:31:44 +02:00
Jakub Jelen
50b5eb3b69
Allow using up to 16 certificates
2018-06-11 22:31:44 +02:00
Jakub Jelen
9dda83e48e
cac: Verbose logging, avoid OOB reads
2018-06-11 22:31:44 +02:00
Jakub Jelen
930d457304
Log bad length buffers
2018-06-11 22:31:44 +02:00
Jakub Jelen
298afb072e
Properly check length also of the applet entry
2018-06-11 22:31:44 +02:00
Jakub Jelen
f27ee858c2
Carefully check the length of the buffers before accessing them.
...
The lengths are static and based on the GCS-IS 2.1 specification
2018-06-11 22:31:44 +02:00
Jakub Jelen
a73b3d549b
Address review comments:
...
* Refactor cac_properties_t structure to make its creation more readable
* Avoid manual allocation in cac_get_acr() and clean up bogus pointers
* Avoid bogus comments
* Properly check lengths of retrieved values
2018-06-11 22:31:44 +02:00
Jakub Jelen
aacac57230
Another note/todo about PINs on uninitialized cards
2018-06-11 22:31:44 +02:00
Jakub Jelen
d24c23ac0c
Use applet properties to recognize buffer formats
...
Previously, the code handled all the data objects as SimpleTLV,
which caused invalid encoding when we tried to merge TL + V buffers
into single PKCS#15 buffers.
This change is using GET PROPERTIES APDU after applet selection
to explore objects, figure out encoding and check the status of
PKI objects initialization to avoid reading them.
2018-06-11 22:31:44 +02:00
Jakub Jelen
450cff470a
Inspect the Alt tokens through the ACA applet
...
The previous solution was just guessing AIDs of the PKI objects
and trying if they answer.
This solution is inspecting card based on the Service Applet Table
(listing all the applets on the card) and using GET PROPERTIES APDU
listing all the available OIDs of the applet.
This was successfully tested with standard CAC card
(with different ACA AID) and uninitialized HID Alt tokens with empty
certificates slots.
2018-06-11 22:31:44 +02:00
Jakub Jelen
ee7b6f4035
cac: Log unknown tags
2018-06-11 22:31:44 +02:00
Jakub Jelen
cde06a499c
Use correct AID and Object ID
2018-06-11 22:31:44 +02:00
Jakub Jelen
2138d5fe32
One more todo based on the testing with a new libcacard
2018-06-11 22:31:44 +02:00
Jakub Jelen
426914674c
Unbreak encoding last tag in the data objects
2018-06-11 22:31:44 +02:00
Jakub Jelen
5b420318d4
Allocate private data outside and avoid memory leaks
2018-06-11 22:31:44 +02:00
Jakub Jelen
92df907681
Typo, clean up comments, dump more useful information from CCC
2018-06-11 22:31:44 +02:00
Jakub Jelen
52451ac438
card-cac.c: Dump also the MSCUID
2018-06-11 22:31:44 +02:00
asc
335c242ce0
Filter certificates other than CKC_X_509
2018-06-08 08:28:37 +02:00
Jakub Jelen
89a8e0cb64
Avoid memory leaks from the failed card detections
2018-06-08 08:26:49 +02:00
Andreas Kemnade
23706635a8
cardos: create pin in mf
...
If cardos cards are initialized by other software and there is a pinref
without the msb set, also the pin verify works without that bit set.
This patch changes pin initialisation so that the pin is created in mf
which has the effect that pin verify works without | 0x80 to the
pin ref.
Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
2018-06-08 08:23:37 +02:00
Laurent Bigonville
694822554e
dnie: Consider that everything not APPLE or WIN32 is "linux"
...
This should fix the FTBFS on architectures like kfreebsd
Fixes : #1366
2018-06-08 08:22:58 +02:00