afda163dc6
openpgp-tool: fix typo
2018-11-06 12:41:19 +01:00
ec3830fe66
openpgp-tool: use more compatible strftime() format spec
...
Replace the Single UNIX specific shorthand %T for %H:%M:%S with the latter
to keep MingW happy.
2018-11-06 12:41:19 +01:00
85258f2951
openpgp-tool: use key type to indicate key to generate
...
Instead of only expecting a key length, and implicitly assuming RSA
as the key algorithm, introduce option --key-type to pass the key type
as a string.
When generating the key determine key algorithm and attributes based on
the key type passed.
If no key was given, default to "rsa2048".
2018-11-06 12:41:19 +01:00
c9f5e05aca
openpgp-tool: new option --key-info to display key info
2018-11-06 12:41:19 +01:00
1866c3e930
openpgp-tool: new option --card-info to display card info
2018-11-06 12:41:19 +01:00
263b945f62
md: added support for PSS
2018-11-06 12:38:57 +01:00
99a9029848
md: use constants for AlgId comparison
2018-11-06 12:38:47 +01:00
22c8204a2f
Merge remote-tracking branch 'upstream/pr/1393'
...
closes https://github.com/OpenSC/OpenSC/pull/1393
2018-11-06 10:51:24 +01:00
13c7574510
PIV: less debugging
...
- debugging pointers is useless in static log file
- removed double debugging of APDUs
2018-11-06 01:42:41 +01:00
eaed345a76
Add missing header file to the tarball
2018-11-05 09:15:20 +01:00
9342f8ad0a
padding: Fix error checking in RSA-PSS
2018-11-05 09:15:20 +01:00
0f5d73d816
framework-pkcs15.c: Add SHA224 mechanism for PKCS#1.5
2018-11-05 09:15:20 +01:00
8ccc39352a
p11test: Do not report incomplete key pairs
2018-11-05 09:15:20 +01:00
d2671ee05b
framework-pkcs15.c: Add PKCS#1 mechanisms also if SC_ALGORITHM_RSA_HASH_NONE is defined
2018-11-05 09:15:20 +01:00
7e0ef7c16c
framework-pkcs15.c: Reformat
...
* Reasonable line lengths
* Correct indentation
* Add missing SHA224 mechanism
2018-11-05 09:15:20 +01:00
7cced08a88
coolkey: Check return values from list initialization (coverity)
...
>>> CID 324484: Error handling issues (CHECKED_RETURN)
>>> Calling "list_init" without checking return value (as is done elsewhere 8 out of 9 times).
2018-11-05 09:15:20 +01:00
f276f7f8f4
coverity: Add allocation check
...
*** CID 323588: Uninitialized variables (UNINIT)
/src/libopensc/sc.c: 873 in sc_mem_secure_alloc()
2018-11-05 09:15:20 +01:00
351e0d2bd6
Merge remote-tracking branch 'upstream/master' into wrapping-rebased and resolve conflicts
2018-11-02 13:42:41 +02:00
b35fb19ec4
Resolved conflict in pkcs15_create_secret_key
2018-11-02 13:28:51 +02:00
26025b2f5d
pkcs15-tool: list & dump cleanups
...
* when listing public keys, do not cut object labels in compact mode
* when listing private keys in compact mode, left align labels
* make hex codes at least 2 chars wide by changing "0x%X" to "0x%02X"
2018-11-01 12:25:04 +01:00
c70888f9ab
allow compilation with --disable-shared
2018-11-01 00:17:22 +01:00
54cb1099a0
fixed warnings about precision loss
2018-11-01 00:17:22 +01:00
5c7b7bb0b1
fixed minor XCode documentation warnings
2018-11-01 00:17:22 +01:00
f88419bc63
Removed pointless curly brackets
2018-10-31 10:36:50 +02:00
7bb53423a1
Code cleanup and minor corrections according to review. pkcs15-lib: Extractable keys are now marked as native. Check return value of check_key_compatibility in more explicit way to avoid misunderstandings.
2018-10-31 10:36:41 +02:00
90ec7123ba
Corrections and code cleanup as requested in review. Changed value to void* in sc_sec_env_param_t, because param_type defines type of the value. Fixed handling of secret key length in framework-pkcs15 and pkcs15-lib: CKA_VALUE_LEN from PKCS#11 is in bytes, PKCS#15 objects need key length in bits. Rebased on top of upstream/master and resolved merge conflicts.
2018-10-31 10:27:03 +02:00
84317f4e9d
Fixing missing call to sc_unlock.
2018-10-31 10:27:03 +02:00
8ebb43d440
Removed #ifdef USE_PKCS15_INIT around __pkcs15_create_secret_key_object. This function is now used also when reading and parsing a card, not only when creating new objects.
2018-10-31 10:27:03 +02:00
ec297b618f
sc_pkcs15_wrap: Fixed checking target key type. (checked partly from wrapping key)
2018-10-31 10:27:03 +02:00
e636b64377
Fixed: Return OK by PKCS#11 convention if NULL out buffer is provided, when caller wants to query required buffer size.
2018-10-31 10:27:03 +02:00
f2c041d290
card-myeid: Removed NULL out buffer assertion to allow caller to query required buffer size.
...
mechanism.c: Bug fix to sc_pkcs11_wrap. Wrong operation was stopped in end of the function.
2018-10-31 10:27:03 +02:00
287a63c704
Fixes to key wrapping and unwrapping code: Set IV correctly in symmetric unwrap. Correctly distinguish symmetric and asymmetric operation when building APDUs. Check CKA_TOKEN from the pkcs15 object in framework_pkcs15. Updated some comments.
2018-10-31 10:27:03 +02:00
861d8b308b
Fixed myeid_unwrap with symmetric keys: set correct p2 and no padding indicator byte.
2018-10-31 10:27:03 +02:00
4ce7e5289b
Fixed setting secret key length. CKA_VALUE_LEN comes as number of bytes, so multiply it by 8 to set correct bit length to the key file.
2018-10-31 10:27:03 +02:00
eba75ead20
framework-pkcs15: set CKA_EXTRACTABLE into pkcs#15 secret key object's access flags when set. pkcs15-sec: Return needed buffer size correctly when an insufficient buffer is provided.
2018-10-31 10:27:03 +02:00
f74150b53d
Proprietary attribute bits in FCP had to be adjusted due to conflicts with existing attributes. The needed changes were made to both card and OpenSC code.
2018-10-31 10:27:03 +02:00
c891ad2aad
Fixed version check for key wrapping functionality. Return needed buffer size in myeid_wrap_key, if no buffer or too small buffer is provided.
2018-10-31 10:27:03 +02:00
6b8c284d3e
Fixing pointer conversion that is invalid on some architectures.
2018-10-31 10:27:03 +02:00
550d4eb030
Small fixes to key wrapping and unwrapping. Handle target file ref using sc_sec_env_param type. Transmit initialization vector in symmetric key operations from PKCS#11 layer (mechanism param) to the card driver level, allow setting it in sc_set_security_env.
2018-10-31 10:27:03 +02:00
2487bc18d1
When creating symmetric keys, use CKK_ definitions (key type) rather than CKM_ definitions (mechanism) to specify the key type.
2018-10-31 10:24:19 +02:00
7454133272
Added flags to distinguish AES ECB and CBC modes. Added SC_ALGORIHM_UNDEFINED definition to be used with CKK_GENERIC_SECRET type keys. Added sc_sec_env_param type, which can be used to define additional parameters when settings security environment. This is now used for setting IV in symmetric crypto and target EF in key wrapping/unwrapping.
2018-10-31 10:24:19 +02:00
a2156da044
Fix encoding of SC_ASN1_CHOICE entry "parameters" in c_asn1_algorithm_info. Format only the selected entry of the choice.
2018-10-31 10:24:19 +02:00
ae5675ca22
Fixed MSE for unwrap operation. Fixed wrong P1 when formatting APDU in myeid_unwrap_key.
2018-10-31 10:24:19 +02:00
aa814fd8e8
Implemented C_Wrap into PKCS#11 interface. Added support for wrapping and unwrapping with secret keys into framework-pkcs15.c and all the way to the card driver level.
2018-10-31 10:24:19 +02:00
a9ee85452e
Resolved a merge conflict. Included both changes manually.
2018-10-31 10:24:19 +02:00
c217b254fc
MyEID: Initial implementation of key wrapping and unwrapping operations, and the related additions to myeid_set_security_env.
2018-10-31 10:24:19 +02:00
edd48b3200
pkcs15init:
...
- Added session_object flag to sc_pkcs15init_skeyargs to enable on-card session objects.
- Corrections to handling native and extractable flags
- Allow creating an empty secret key EF for receiving an unwrapped key later.
2018-10-31 10:24:19 +02:00
9d6ac01c27
pkcs15init: Handle user_consent and set new proprietary information flags in myeid_create_key().
2018-10-31 10:24:19 +02:00
1c09fa8a22
Handle AES algorithm. Doesn't set any flags, but check for AES is needed to avoid SC_ERROR_NOT_SUPPORTED.
2018-10-31 10:24:19 +02:00
7fc6c52f81
Set native=1 as default when decoding. Check supported algorithms and set PKCS#11 key type, if key supports AES.
2018-10-31 10:22:16 +02:00
9772edc7d1
Handle -u option (x509-usage) when storing secret keys.
2018-10-31 10:22:16 +02:00
a10480d50e
Continued implementation of unwrap: Creation of a target key object on card to receive an unwrapped key. Setting target key path in sc_security_env_t.
2018-10-31 10:22:16 +02:00
5f51d5d315
Added implementation of C_UnwrapKey all the way from PKCS#11 interface to the card driver level.
...
Not yet complete, but can be run with CKA_TOKEN=FALSE set in the target object. Currently unwrapping emulated
with a decrypt operation in card-myeid.c. To be improved.
2018-10-31 10:22:16 +02:00
e2b1fb81e0
Restore minimal CAC1 driver for legacy cards ( #1502 )
...
* Add minimal CAC1 driver for legacy cards.
It is using the same pkcs15 backend as the CAC2 cards as well as some of
the CAC2 driver methods.
The separation is made mostly for easier card matching or disabling.
2018-10-30 17:27:28 +01:00
c3bef7d527
fixed compilation with XCode 10
...
fixes https://github.com/OpenSC/OpenSC/issues/1485
2018-10-24 10:34:43 +02:00
5095e29ae3
gio: avoid unneccessary unitialization
2018-10-22 21:44:07 +02:00
2fd8e278f5
pkcs11/openssl.c - add missing mechanisms fixes #1497
...
On branch pkcs11-openssl-c
Changes to be committed:
modified: ../pkcs11/openssl.c
2018-10-19 08:27:47 +02:00
195d53b8a2
Fix division by zero in SimCList when appending to an empty list.
2018-10-16 12:10:04 +02:00
8c535c184f
removed duplicate code for adding padding
...
Fixes padding handling of SC_ALGORITHM_RSA_PAD_NONE introduced with
e5707b545e
2018-10-15 15:21:52 +02:00
46c99e769d
ctx: Move coolkey driver up after improving the matching
...
Fixes #1483
2018-10-15 12:14:22 +02:00
f220d0b77d
coolkey: Improve card matching to avoid mismatches in muscle
2018-10-15 12:14:22 +02:00
55a8478ed6
cac: These functions do not have to be exposed
2018-10-15 12:14:22 +02:00
ac276b1202
starcos: fixed decipher with 2.3 ( #1496 )
...
closes https://github.com/OpenSC/OpenSC/issues/765
fixes https://github.com/OpenSC/OpenSC/issues/1495
2018-10-11 22:50:37 +02:00
d517d8e18d
Fix minidriver padding
...
Commit e5707b545e
2018-10-11 12:47:48 +02:00
550665b906
OpenPGP: refactor pgp_get_card_features()
...
Use pgp_parse_alog_attr_blob() to get the algorithm attribute DO's contents.
2018-10-10 14:52:29 +02:00
8a564107a8
OpenPGP: introduce gpg_parse_algo_attr_blob()
...
Introduce a central function to parse the algorithm atributes in DOs C1 - C3.
2018-10-10 14:52:29 +02:00
248ece23c6
OpenPGP: bail out on non-RSA key generation/import
...
Also add the necessary algorithm info where necessary.
2018-10-10 14:52:29 +02:00
c2f02f72bd
OpenPGP: adapt data structures to support RSA alternatives
...
* update callers to use the adapted structures.
2018-10-10 14:52:29 +02:00
772d20969a
OpenPGP: first steps to support key types beyond RSA
...
- rename 'keytype' in some OpenPGP-specific types to 'key_id'
because they key ID was what the field was used for
- introduce field 'algorithm' in the structures above
to indicate the key's algorithm: RSA, ...
- define constant SC_OPENPGP_KEYALGO_RSA and use it
- rename constants SC_OPENPGP_KEYFORMAT_* to SC_OPENPGP_KEYFORMAT_RSA_*
because they are RSA specific
2018-10-10 14:52:29 +02:00
f1ae31aea4
OpenPGP: expose additional algorithms only with EXT_CAP_ALG_ATTR_CHANGEABLE
...
List additional algorithms & attributes as supported only when the card
supports changing the algorithms attributes DOs and exposes this by having
the EXT_CAP_ALG_ATTR_CHANGEABLE capability set.
Using different algorithms and attributes requires changing the algorithm
attributes DOs. If that is not supported - as indicated by a missing
EXT_CAP_ALG_ATTR_CHANGEABLE capability - then only those algorithms
described by the current algorithms attributes DOs' contents can be used.
In addition simplify setting the flags.
2018-10-10 14:52:29 +02:00
44d6116c59
OpenPGP: slight cleanups
...
* use variables if they are already there
* be a bit more explicit in logging
* more consistent tag format: %04X
* cleanup flag setting for _sc_card_add_rsa_alg()
2018-10-10 14:52:29 +02:00
ea6f7cfe1d
Added memory locking for secrets ( #1491 )
...
When caching a PIN in memory or using an OpenSSL private key this data should not be swapped to disk.
2018-10-10 14:52:01 +02:00
6bf67f7917
onepin option also needs PIN to CREATE
...
I previously changed the default option but forgot to make the same change for onepin.
2018-10-08 21:35:23 +02:00
a8db9cb4f0
openpgp-tool: harmonize error messages
...
* use symbolic constants for errors & success
* use util_error() to show errors
* print error messages to stderr
2018-10-04 09:41:31 +02:00
e4a0b09968
openpgp-tool: remove unnecessary variable
...
* 'opt_keylen' was only set, but never used => remove
* passing the key length is not an action => do not mark it as such
2018-10-04 09:41:31 +02:00
a5daaaff0c
piv-tool: Error checking
2018-10-01 23:07:34 +02:00
ef724e1e57
pkcs15-authentic: Do not confuse static analyzers
2018-10-01 23:07:34 +02:00
52959df9f6
pkcs15-oberthur: Avoid memory leaks on failures
2018-10-01 23:07:34 +02:00
a1dfdbbdbc
pkcs15-oberthur-awp: Do not confuse cppcheck
2018-10-01 23:07:34 +02:00
e920ef8eb8
opensc-explorer: Make static analyzers happy
2018-10-01 23:07:34 +02:00
16c5a352a4
piv-tool: Avoid memory leaks on realloc failure
2018-10-01 23:07:34 +02:00
9a690a96e0
sc-hsm-tool: Avoid memory leak
2018-10-01 23:07:34 +02:00
bce43e6855
Remove dead code
2018-10-01 23:07:34 +02:00
74105300bf
card-iasecc: Avoid memory leaks on failure
2018-10-01 23:07:34 +02:00
674e5e8b3d
ctx: Require dll parameter otherwise we are leaking it
2018-10-01 23:07:34 +02:00
a85a4a8b48
pkcs15-authentic: Avoid memory leak on failure
2018-10-01 23:07:34 +02:00
65e1cd2df7
muscle: Check return values
2018-10-01 23:07:34 +02:00
a2ab2071bb
piv: Check return value of sc_lock()
2018-10-01 23:07:34 +02:00
b8133c2545
pkcs15-myeid: Return value checking
2018-10-01 23:07:34 +02:00
8e0078a6f9
pkcs15-myeid: Do not confuse coverity with potential double-free
2018-10-01 23:07:34 +02:00
e5da6b66b9
iso7816: Replace asserts with explicit length checks to make coverity happy
2018-10-01 23:07:34 +02:00
b9e33a3c64
Coverity warnings
...
card-piv.c
make sure the string is null terminated before passing it
to hex_to_bin routine, which expects it
pkcs15-cac.c
free cn_name on failure
pkcs11-tool.c
make sure the string is null terminated before passing it to
parse_certificate(), which expects it
2018-10-01 23:07:34 +02:00
83b188c950
Remove long expired EstEID 1.0/1.1 card support
...
Signed-off-by: Raul Metsma <raul@metsma.ee>
2018-09-30 21:25:13 +02:00
e456e609a6
Avoid memory leaks during verification
2018-09-30 21:23:27 +02:00
424d828627
slot: Switch cleanup steps to avoid segfaults on errors
...
and some more sanity checking
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
9a853176b8
pkcs11-tool: Support for signature verification
...
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
e5707b545e
Add support for PSS padding to RSA signatures
...
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
be2cc38565
p11test: Add missing CKM_SHA224_RSA_PKCS_PSS
...
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2018-09-30 21:23:27 +02:00
551fcccb90
Changed outdated "STARCOS SPK 2.3" name to "STARCOS".
...
modified: src/libopensc/pkcs15-infocamere.c
modified: src/libopensc/pkcs15-starcert.c
modified: src/pkcs15init/pkcs15-lib.c
Changed isf_acl to also need SO PIN for CREATE.
modified: src/pkcs15init/starcos.profile
2018-09-28 16:50:39 +02:00
496a9b571d
fixed error handling
2018-09-25 12:13:57 +02:00
Peter Marschall
Frank Morgner
Jakub Jelen
Hannu Honkanen
Lars Silvén
Lars Silvén
Jakub Jelen
Doug Engert
Vadim Penzin
Luka Logar
gabrielmuller
Raul Metsma
Nicholas Wilson