card-piv.c was not selecting the PIV AID correctly from piv_find_aid.
This cause a CAC card that also has the PIV application to fail a VERIFY command
of the pin would use a VERIFY APDU P2 where P2 for PIV is 80, but for CAC was 00.
A CAC card could work if the caller requested the serial number of the card
which did call piv_select_aid. All the OpenSC tools, minidriver and
PKCS#11 do this, but Tokend does not.
This is a partial fix for https://github.com/OpenSC/OpenSC/issues/570.
Tokend in later MacOS versions still has other issues.
A more complete solution is needed for cards with multiple applications.
I do not have a CAC card or MAC to do any testing.
Thanks to https://github.com/mouse07410 who has a CAC card, and a Mac,
and has tested this fix.
This adds support for the Yubikey NEO. I'm not sure whether it breaks
the specification, or follows some other version of the spec, but in my
testing it returns SW1=0x63, SW2=0x0N for N PIN tries remaining.
Ignoring the top nibble seems a harmless change to the behaviour to
support this device.
card-piv.c tries to read the first 8 bytes of an object to get object size
so it can allocate a buffer. It then reads the whole object. apdu.c has changed
over the years, and apdu.c will keep reading as long as the card returns
status of 61 XX thus apdu.c will read the whole object while discarding
the extra data and returning to the caller only the first part of the data.
This in effect causes a double read of objects.
This patch sets SC_APDU_FLAGS_NO_GET_RESP to tell apdu to stop doing the
extra get-response commands thus avoiding most of the extra overhead.
This in not an optimal patch as it only works with T=1 cards/readers
but the patch is confined to just card-piv.c.
A better patch is in the works.
Fixes#462
Prior to 066132327c71300188aa66180fde2fb3d90c5140, CKM_ECDH1_DERIVE and
CKM_ECDH1_COFACTOR_DERIVE were always registered for cards that support
SC_ALGORITHM_ECDSA_RAW.
The mentioned commit changed this behavior, so that the ECDH mechanisms
are only registered for cards that set the SC_ALGORITHM_ECDH_CDH_RAW
capability flag.
To keep the existing behavior for the cards, they need to set this flag
in the card driver.
needed to store information about EC curve supported by card.
Primary usage is when importing/generating key to get know if particular curve is supported by card.
card-asepcos: removed dead code
card-authentic: removed dead code
card-belpic: removed dead code
card-epass2003: removed dead code
card-flex: removed dead code
card-gpk: removed dead code
card-oberthur: removed dead code
card-piv: removed dead code
card-setcos: removed dead code
ctbcs: removed dead code
cwa14890: removed dead code
muscle: removed dead code
pkcs15-atrust-acos: removed dead code
pkcs15-gemsafeV1: removed dead code
pkcs15-skey: removed dead code
reader-ctapi: removed dead code
framework-pkcs15: removed dead code
pkcs11-object: removed dead code
pkcs15-asepcos: removed dead code
pkcs15-cardos: removed dead code
pkcs15-jcop: removed dead code
pkcs15-lib: removed dead code
pkcs15-oberthur: removed dead code
parse: removed dead code
sclex: removed dead code
sm-card-authentic: removed dead code
sm-card-iasecc: removed dead code
sm-cwa14890: removed dead code
sm-global-platform: removed dead code
sc-test: removed dead code
pkcs11-tool: removed dead code
pkcs15-tool: removed dead code
Support nonces that are not only 8 bytes in
Mutual Authenticate. Use the witness length
to determine the nonce size, thus existing
systems using 8 bytes will continue to use 8
bytes. However, with AES 256, the nonces could
be a single block size of 16 bytes or greater.
This adds algorithm IDs 0xA, 0xA, 0xC which as documented
by the NIST PIV specification is algorithms AES-128, AES-192
and AES-256 respectively.
This patch also addresses some of the hardcodes that prevented
nonces greater than the single byte TLV length tags would allow.
It was explicitly tested with AES-256 and 256 byte nonces.
Signed-off-by: William Roberts <w2.roberts@samsung.com>
prototype of 'get-guid' has been changed;
valgrind issue:
Conditional jump or move depends on uninitialised value(s)
at 0x5A0159B: vfprintf (vfprintf.c:1629)
by 0x5AC04BF: __vsnprintf_chk (vsnprintf_chk.c:65)
by 0x522A665: sc_do_log_va.part.0 (stdio2.h:78)
by 0x522A819: sc_do_log (log.c:52)
by 0x529462F: piv_card_ctl (card-piv.c:1794)
by 0x5232E2F: sc_card_ctl (card.c:772)
by 0x52E561D: sc_pkcs15emu_piv_init (pkcs15-piv.c:626)
card-piv.c: In function 'piv_write_binary':
card-piv.c:1364: warning: signed and unsigned type in conditional expression
count is a size_t and must be casted in an int since the fucntion
returns an int.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5461 c6295689-39f2-0310-b995-f0e70906c6a9
... when serial number was asked for the first time.
Then return the stored value for the every next request of serial number.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5348 c6295689-39f2-0310-b995-f0e70906c6a9
card-piv.c:179: warning: 'oid_prime256v1' defined but not used
card-piv.c:180: warning: 'oid_secp384r1' defined but not used
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5260 c6295689-39f2-0310-b995-f0e70906c6a9
card-piv.c:614:2: warning: Value stored to 'buf_end' is never read
buf_end = rp + buf_len;
^ ~~~~~~~~~~~~
card-piv.c:1129:3: warning: Value stored to 'r' is never read
r = 0;
^ ~
card-piv.c:1478:2: warning: Value stored to 'q' is never read
q = rbuf;
^ ~~~~
card-piv.c:1628:2: warning: Value stored to 'q' is never read
q = rbuf;
^ ~~~~
card-piv.c:2456:4: warning: Value stored to 'certobjlen' is never read
certobjlen = 0;
^ ~
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5170 c6295689-39f2-0310-b995-f0e70906c6a9
emulated cards. True PKCS#15 cards with EC
will need additional changes.
Main changes are in framework-pkcs15.c, mechanism.c,
padding.c, pkcs15-algo.c and pkcs15-sec.c
where switch statements for key type, and testing
of flags was modified to make it easier to add
additional key types in the future.
The code was tested using RSA and ECDSA using a PIV card
from pkcs11-tool, OpenSSL and Thunderbird with
modifications to NSS-3.12.7 to get ECDSA to sign e-mail.
Only named curves are supported for ECDSA, ECDH is still
needed. pkcs11-tool has only minimal changes need to work
with the -O option to list EC keys.
One additional line was added to pkcs15-sec.c which
should get GOSTR sign to work.
libp11 and engine do not yet have EC support.
--This line, and those below, will be ignored--
M src/tools/piv-tool.c
M src/tools/pkcs11-tool.c
M src/pkcs11/framework-pkcs15.c
M src/pkcs11/mechanism.c
M src/pkcs11/pkcs11-object.c
M src/libopensc/pkcs15-prkey.c
M src/libopensc/card-piv.c
M src/libopensc/padding.c
M src/libopensc/cardctl.h
M src/libopensc/pkcs15-algo.c
M src/libopensc/libopensc.exports
M src/libopensc/pkcs15-piv.c
M src/libopensc/pkcs15-sec.c
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4904 c6295689-39f2-0310-b995-f0e70906c6a9
sc_pkcs15_cert now has pointer to sc_pkcs15_pubkey, allowing it to
be removed and used separatly.
sc_pkcs15_pubkey now has pointer to sc_algorithm_id to faclitate
addition of other key algorithms and their parameters.
Various code changes to free these structures and references
to the structures have been changed.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4805 c6295689-39f2-0310-b995-f0e70906c6a9
PIV driver client can build and run without OpenSSL,
(admin functions and piv-tool still need OpenSSL)
define PIV specific ctrl codes and structures.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4767 c6295689-39f2-0310-b995-f0e70906c6a9
From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety
" Casting and type safety
malloc returns a void pointer (void *), which indicates that it is a
pointer to a region of unknown data type. One may "cast" (see type
conversion) this pointer to a specific type, as in
int *ptr = (int*)malloc(10 * sizeof (int));
When using C, this is considered bad practice; it is redundant under the
C standard. Moreover, putting in a cast may mask failure to include the
header stdlib.h, in which the prototype for malloc is found. In the
absence of a prototype for malloc, the C compiler will assume that
malloc returns an int, and will issue a warning in a context such as the
above, provided the error is not masked by a cast. On certain
architectures and data models (such as LP64 on 64 bit systems, where
long and pointers are 64 bit and int is 32 bit), this error can actually
result in undefined behavior, as the implicitly declared malloc returns
a 32 bit value whereas the actually defined function returns a 64 bit
value. Depending on calling conventions and memory layout, this may
result in stack smashing.
The returned pointer need not be explicitly cast to a more specific
pointer type, since ANSI C defines an implicit conversion between the
void pointer type and other pointers to objects. An explicit cast of
malloc's return value is sometimes performed because malloc originally
returned a char *, but this cast is unnecessary in standard C
code.[4][5] Omitting the cast, however, creates an incompatibility with
C++, which does require it.
The lack of a specific pointer type returned from malloc is type-unsafe
behaviour: malloc allocates based on byte count but not on type. This
distinguishes it from the C++ new operator that returns a pointer whose
type relies on the operand. (see C Type Safety). "
See also
http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9