Jakub Jelen
9a5a008093
pkcs15-tool: Update the logic to make it more clear for some dumb static analyzers
2021-07-15 09:51:59 +02:00
Jakub Jelen
d34e84c78d
eidenv: Avoid memory leak
2021-07-15 09:51:59 +02:00
Alessio Di Mauro
2f94a6b155
pkcs11-tool: allow setting CKA_EXTRACTABLE during keypair generation
...
Section 4.9 of the PKCS#11 v2.40 specification [1], mentions
CKA_EXTRACTABLE as a valid attribute for Private Key objects. However,
when calling "pkcs11-tool" with the "--exportable" option, the
attribute is not set as part of the private key template.
[1]: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os-complete.html
2021-06-23 15:29:29 +02:00
Doug Engert
aebebac432
p11test: Use OPTIONAL_OPENSSL_CFLAGS
...
Needed if building with OpenSSL in non stanard location.
Changes to be committed:
modified: src/tests/p11test/Makefile.am
2021-06-11 05:28:07 -05:00
Frank Morgner
c42792c216
Merge pull request #2343 from Jakuje/ossl3v1
...
Working subset of #2337 (OpenSSL 3.0)
2021-06-07 14:38:30 +02:00
Stephan Mühlstrasser
151583ce26
C_Initialize() must copy CK_C_INITIALIZE_ARGS
...
C_Initialize() must make a copy of the function pointers supplied
via pInitArgs, as the PKCS#11 specification makes no guarantee that
the pInitArgs pointer is allowed to be dereferenced after C_Initialize()
returns.
Fixes issue #2170 .
2021-06-07 12:44:07 +02:00
Jakub Jelen
9be6dc6606
pkcs11: Update the version to 3.0 (unused anywhere though)
2021-06-02 15:46:00 +02:00
Jakub Jelen
9d1a214340
pkcs11: Undefine internal typedef and remove its usage
2021-06-02 15:46:00 +02:00
Jakub Jelen
fc2fecc80e
Use const types for RSA and EC_KEY
...
These are anyway not supposed to be modified even in older versions of
openssl.
Visible when building with -Wno-deprecated-declarations
2021-06-02 15:46:00 +02:00
Jakub Jelen
ffd6e2a576
p11test: Expect DERIVE to be set on both private and public key
...
Basically reverts part of 485b6cf
, which turned out to be wrong.
Alternative to #2292
2021-05-31 15:36:29 +02:00
Jaime Hablutzel
465375bda2
Fixing command-line option names in error messages
2021-05-26 10:41:30 +02:00
Jakub Jelen
33426df3ff
p11test: Do not return on warnings for (X)EDDSA keys
2021-05-24 11:25:53 +02:00
Jakub Jelen
8e4134841d
p11test: Add new mechanisms from softhsm
2021-05-24 11:25:53 +02:00
Jakub Jelen
a8a4bddfad
p11test: Debug level from commandline
...
This replaces the debug level defined at build time with -NDEBUG,
which turned out to be quite confusing.
Fixes #2304
2021-05-24 11:25:53 +02:00
Jakub Jelen
a69ab7c70c
tests: Fix context for the asn1 test
2021-05-24 11:25:53 +02:00
Jakub Jelen
fd96d2c960
Do not use deprecated ERR_load_ERR_strings() with OpenSSL 3.0
2021-05-24 11:25:53 +02:00
Jakub Jelen
1b92501ef9
sm: Rewrite to use non-deprecated OpenSSL 3.0 API
2021-05-24 11:25:53 +02:00
Jakub Jelen
07f5e63abf
tests: verify secure messaging functions work as expected
2021-05-24 11:25:53 +02:00
Jakub Jelen
e4cf0e7b39
Basic unit test for secure messaging functions
2021-05-24 11:25:53 +02:00
Jakub Jelen
0b45e78e4f
idprime: Fix RSA-PKCS mechanism with hashing on card
2021-05-24 10:42:08 +02:00
Yaroslav Isakov
fc08818f6f
OpenPGP: Fix read/write certs with Ed25519/X25519 public key
...
Proper Ed25519/X25519 certs have pubkey algo with OID 1.3.101.112/110, according to
RFC8410. This commit add these OIDs, and also fixes pubkey parsing/creation - according
to the same RFC, it's just a bytestring, without ASN.1 wrapping.
Also, according to the same RFC, EDDSA/X25519 MUST not have params, even empty.
2021-05-21 14:37:30 +02:00
Yaroslav Isakov
23dc52c903
Fixed OpenPGP logic for comparing OIDs
...
It's better to leave oid comparison as it was before, and drop trailing
zero byte after it, when reading from token.
2021-05-20 11:11:05 +02:00
Yaroslav Isakov
29410c170e
Make OpenPGP curves to be a pointer to OpenPGP 3.4 curves list
2021-05-20 11:11:05 +02:00
Yaroslav Isakov
f356d301b9
Enable ed25519/curve25519 support for Yubikey 5
2021-05-20 11:11:05 +02:00
Doug Engert
f1bc07dec1
Fix piv-tool on wondows
...
fopen needs "rb" for fopen in two places
fixes #2338
On branch piv-tool-windows
Changes to be committed:
modified: piv-tool.c
2021-05-20 10:37:31 +02:00
Doug Engert
8dfafe4fc2
Fix 2340 pkcs15-sec.c wrong test
...
if (obj->type == SC_PKCS15_TYPE_PRKEY_RSA) { is the correct test.
2021-05-17 15:00:26 +02:00
Vincent JARDIN
5256bc3d3d
tests: minidriver using T0 or T1
...
Some cards should be used with T0 and some others with T1. Let's support
both.
Fix: issue #2326
2021-05-17 12:06:12 +02:00
Vincent JARDIN
180737d1b6
tests: minidriver runtime PINCODE
...
Let's define an environment MINIDRIVER_PIN=1234 in order to be able
to reuse the tests with any cards.
usage:
(cmd) set MINIDRIVER_PIN=1234
When the PIN code is not defined, let's skip the tests since it may runs
the number of trials out of the max attempts.
Moreover, some cards may have many roles, but the tests are designed for
the ROLE_USER, so let's enforce only the ROLE_USER.
Fix: issue #2326
2021-05-17 12:06:12 +02:00
Georgi Kirichkov
ca01d2c5e2
Code style changes
2021-05-11 11:44:39 +02:00
Georgi Kirichkov
5ae0ef4f41
Sets card->name for IDPrime v3 and v4 cards
2021-05-11 11:44:39 +02:00
Georgi Kirichkov
072c64aaed
Adds Gemalto IDPrime v4
2021-05-11 11:44:39 +02:00
Alon Bar-Lev
35a8a1d7e1
pkcs11.h: avoid C++ comments
2021-05-07 23:59:12 +02:00
Jakub Jelen
613b56ee55
Add correct prefix on the clang-tidy commandline
2021-05-05 14:22:58 +02:00
Jakub Jelen
d0b847c6cf
tests: Remove files after disclean
2021-05-05 14:22:58 +02:00
divinehawk
98663528cf
pkcs15-tool: Write data objects in binary mode
2021-05-03 11:48:28 +02:00
ihsinme
50eaa6bf57
fix possible access outside the array.
...
if 5000 bytes are read, then at the end of the array we will write zero beyond its boundaries, damaging the stack.
Here's a simple solution. if you see the need to increase the array itself, let me know.
2021-05-03 11:47:51 +02:00
Frank Morgner
32004e74ce
added missing files to distribution
2021-05-01 01:42:11 +02:00
Anton Logachev
570fc56c47
Remove the SC_SEC_ENV_FILE_REF_PRESENT flag for Rutoken ECP cards
...
Rutoken ECP cards have no default SE file. Previous cards ignored
MSE with restoring default SE, but new cards don't. This requires
SC_SEC_ENV_FILE_REF_PRESENT to be removed from env flags.
2021-04-29 23:03:32 +02:00
Doug Engert
19611682bd
Fix for #2283 C_Sign fails ECDSA when card can do HASH on card
...
Do not truncate ECDSA input to size of key if card or driver will do HASH.
On branch Fix_for_2283_ECDSA
Changes to be committed:
modified: src/libopensc/pkcs15-sec.c
2021-04-27 10:50:00 +02:00
Vincent JARDIN
a21bcf4b41
IASECC/Gemalto: register application
...
Register application for Gemalto Dual ID ONE Cosmo.
2021-04-26 21:37:39 +02:00
Vincent JARDIN
e93bd3983c
IASECC/Gemalto: add support
...
Add support for Gemalto's IAS ECC Dual ID One Cosmo using samples from:
http://cartesapuce-discount.com/fr/cartes-a-puce-ias-ecc/146-cartes-a-puce-protiva-ias-ecc-tpc.html
Some suppots were already available (ATR, init, etc.), but the
select_file was missing the proper cases.
2021-04-26 21:37:39 +02:00
Frank Morgner
75f24d2af7
regenerated egk-tool cmdline
2021-04-26 18:13:43 +02:00
Frank Morgner
2063a1d334
silince generation of files
2021-04-26 18:13:43 +02:00
Vincent JARDIN
e3a3722ad1
IASECC/CPX: Fix SDO path
...
Some objects need to be read from a specific path.
IASECC_SDO_PRVKEY_TAG: from 3F00:0001
IASECC_SDO_CHV_TAG: from 3F00
2021-04-26 15:55:17 +02:00
Vincent JARDIN
fcd2e665fe
IASECC/CPX: fix APDU errors for SE get data
...
On a CPX, this object needs to be read from 3F00.
For instance:
$ opensc-explorer -r 2
OpenSC [3F00]> cd 0002
OpenSC [3F00/0002]> apdu 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Sending: 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Received (SW1=0x6A, SW2=0x88)
Failure: Data object not found
OpenSC [3F00/0002]> apdu 00 A4 09 04 02 3F 00
Sending: 00 A4 09 04 02 3F 00
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/0002]> apdu 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Sending: 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Received (SW1=0x90, SW2=0x00)
Success!
Currently, this patch limits to the CPX cards since I cannot know
the behaviour for the other cards. I could not find any reference
from the standard.
Fix: issue #2275
2021-04-26 15:55:17 +02:00
Vincent JARDIN
405ecfc402
IASECC: proper pkcs15init of Algo_refs
...
For some Private RSA Keys, their Algo_refs remain empty:
$ pkcs15-tool -k --verify-pin --pin 1234
Using reader with a card: ACS ACR33U-A1 3SAM ICC Reader 00 00
Private RSA Key [CPS_PRIV_SIG]
Object Flags : [0x01], private
Usage : [0x200], nonRepudiation
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 0
Access Rules : pso_cds:01;
ModLength : 2048
Key ref : 129 (0x81)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001001
MD:guid : e7aab727-f2af-e673-37bb-7d43867a6349
Private RSA Key [CPS_PRIV_AUT]
Object Flags : [0x07], private, modifiable
Usage : [0x06], decrypt, sign
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 6, 3, 4
Access Rules : pso_decrypt:01; int_auth:01;
ModLength : 2048
Key ref : 130 (0x82)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001002
MD:guid : 2b6bf284-225c-80bc-8cbe-1c791db33543
Based on Usage : [0x200], nonRepudiation the SC_PKCS15_PRKEY_USAGE_NONREPUDIATION
may be set but not the SC_PKCS15_PRKEY_USAGE_SIGN so line 801 is never tested.
Having just SC_PKCS15_PRKEY_USAGE_NONREPUDIATION set and not doing anything does not
make any sense for any card.
Suggested-by: Doug Engert <deengert@gmail.com>
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Vincent JARDIN
544aa4cc6b
IASECC/CPX: Fix up prkeyinfo/algo_ref
...
Extend the current support from 9abf8ee04c
in order to add a fixup for the CPx cards.
Since the data is not properly encoded when the card is initialized
let's re-build it for each run time from the DF.
Suggested-by: Doug Engert <deengert@gmail.com>
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Vincent JARDIN
137286858f
IASECC/CPX: enable calls thru pkcs15-iasecc.c
...
Same than Gemalto's IASECC, the CPX cards need a workaround since
the PrKey does not have its Algo_regs.
We get:
pkcs15-tool -k --verify-pin --pin 1234
Using reader with a card: ACS ACR33U-A1 3SAM ICC Reader 00 00
Private RSA Key [CPS_PRIV_SIG]
Object Flags : [0x01], private
Usage : [0x200], nonRepudiation
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 0
Access Rules : pso_cds:01;
ModLength : 2048
Key ref : 129 (0x81)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001001
MD:guid : e7aab727-f2af-e673-37bb-7d43867a6349
Private RSA Key [CPS_PRIV_AUT]
Object Flags : [0x07], private, modifiable
Usage : [0x06], decrypt, sign
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 0
Access Rules : pso_decrypt:01; int_auth:01;
ModLength : 2048
Key ref : 130 (0x82)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001002
MD:guid : 2b6bf284-225c-80bc-8cbe-1c791db33543
We need to get Algo_regs to be set to something that is not 0.
Fix: issue #2267
2021-04-26 15:52:09 +02:00
Vincent JARDIN
39b4472f38
IASECC/CPX: export pkcs15init for missing features
...
Some cards, such as the CPX are missing features that should
have been initialized using:
iasecc_pkcs15_encode_supported_algos()
Let's export this function in order to build a fixup when the DF
should be parsed.
When OPENSSL is missing, an error should be rised since this
workaround for the CPX cards cannot work. It means that
any environments that use the CPX cards must be compiled with
ENABLE_OPENSSL.
Suggested-by: Doug Engert <deengert@gmail.com>
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Vincent JARDIN
396cbc46cf
IASECC/CPX: set default flags
...
The CPX has the standard capabilities of the IASECC standard.
Let's be carefull with memory leakage, see the
previous commit 83162c5c8
Fix: issue #2270
2021-04-26 15:52:09 +02:00