* With commit facaf59, access_flags were set for most cards. A closer look
revealed that this is already done in `sc_pkcs15emu_add_rsa_prkey`.
Therefore, this removes the duplicated code for cards calling this function.
Enhance sc_asn1_put_tag to support larger tag names and larger tags.
Prior to this, sc_asn1_put_tag did only support tags with a length of at most 127 bytes and tag names of one byte.
* Add default behavior for cards using the PKCS#15 emulation layer.
Hence, this patch provide a default value for access_flags compatible with
current OpenSC's behavior while allowing compatible cards to fetch the real
value from the card (IAS-ECC and AuthentIC).
Previously, partial DF name selection was used, which is not mandatory
to implement for a JCRE. We now use the full DF name which must always
be implemented.
Note that the MUSCLE applet is deprecated and should not be used.
fixes#135
If OpenSSL is not used then the functions from card-dnie.c are not
defined and in particular dnie_match_card() is not defined.
In that case we use a fake dnie_match_card() that just returns false.
add the possibility to store public ECC keys encoded according to SPKI
EC pubkey storing: Check if params are available before copying.
pkcs15-lib.c / sc_pkcs15init_store_public_key may be called with keyargs->key.u.ec.params.value == NULL. In this case, allocating and copying the parameters will fail. Add a check to prevent this.
The same function iasecc_sm_external_authentication() was declared in
two different .h files.
In file included from ../../src/libopensc/iasecc.h:27:0,
from sm-card-iasecc.c:44:
../../src/libopensc/iasecc-sdo.h:324:5: warning: redundant redeclaration of `iasecc_sm_external_authentication' [-Wredundant-decls]
In file included from ../../src/libopensc/opensc.h:44:0,
from sm-card-iasecc.c:40:
../../src/libopensc/sm.h:352:5: note: previous declaration of `iasecc_sm_external_authentication' was here
framework-pkcs15: Duplicate public key related to private key rather than referencing the framework object
Referencing the related public key is required to return PKCS#11 attributes for a private key only available
in the public key object (i.e. CKA_MODULUS). This patch adds a copy of the public key to the private key object rather than
referencing the public key object in the framework. This prevents SEGV when the public key framework object
is deleted with C_DestroyObject, but the reference from the public key remains intact.
The bug leads to all kind of stability problems when keys are created and deleted in the same session.
The patch is in particular important if OpenSC is used with EJBCA or any other application using the
SUN PKCS#11 provider: When generating key pairs, then the public key object is eventually garbage collected
which removes the related object in the PKCS#11 module. Because there is no fixed time for this operation,
corruption occurs at random.
In a next step, the remaining related_xxx fields in sc_pkcs11_object should be revised and possibly removed.
framework: Added more error checking
card-asepcos: removed dead code
card-authentic: removed dead code
card-belpic: removed dead code
card-epass2003: removed dead code
card-flex: removed dead code
card-gpk: removed dead code
card-oberthur: removed dead code
card-piv: removed dead code
card-setcos: removed dead code
ctbcs: removed dead code
cwa14890: removed dead code
muscle: removed dead code
pkcs15-atrust-acos: removed dead code
pkcs15-gemsafeV1: removed dead code
pkcs15-skey: removed dead code
reader-ctapi: removed dead code
framework-pkcs15: removed dead code
pkcs11-object: removed dead code
pkcs15-asepcos: removed dead code
pkcs15-cardos: removed dead code
pkcs15-jcop: removed dead code
pkcs15-lib: removed dead code
pkcs15-oberthur: removed dead code
parse: removed dead code
sclex: removed dead code
sm-card-authentic: removed dead code
sm-card-iasecc: removed dead code
sm-cwa14890: removed dead code
sm-global-platform: removed dead code
sc-test: removed dead code
pkcs11-tool: removed dead code
pkcs15-tool: removed dead code
Support nonces that are not only 8 bytes in
Mutual Authenticate. Use the witness length
to determine the nonce size, thus existing
systems using 8 bytes will continue to use 8
bytes. However, with AES 256, the nonces could
be a single block size of 16 bytes or greater.
This adds algorithm IDs 0xA, 0xA, 0xC which as documented
by the NIST PIV specification is algorithms AES-128, AES-192
and AES-256 respectively.
This patch also addresses some of the hardcodes that prevented
nonces greater than the single byte TLV length tags would allow.
It was explicitly tested with AES-256 and 256 byte nonces.
Signed-off-by: William Roberts <w2.roberts@samsung.com>
In old implementation, the DOs which their access is restricted by
PIN (like DOs 0101 -> 0104) were excluded from the fake filesystem,
leading to that we cannot read their data later, even if we verified PIN.
Contact cards have ATR-s, contactless not. Only contact
cards should be broken so that they answer 0x9000 to application
selection, so this should be failsafe.
I had some ideas on how to improve the experience for JavaCards
but that path did not get implemented further and my approach now
is very different.
While it would be nice if OpenSC (command line) detected
somehow blank JavaCard-s and informed the user that steps a-b-c
should be taken to make use of it, it doesn't really fit in.
sc_pkcs15_pubkey_from_spki_sequence() takes the ASN1 'subjectPublicKeyInfo' data
sc_pkcs15_pubkey_from_spki_fields() takes the ASN1 'subjectPublicKeyInfo' data without outter SEQUENCE tag
prototype of 'get-guid' has been changed;
valgrind issue:
Conditional jump or move depends on uninitialised value(s)
at 0x5A0159B: vfprintf (vfprintf.c:1629)
by 0x5AC04BF: __vsnprintf_chk (vsnprintf_chk.c:65)
by 0x522A665: sc_do_log_va.part.0 (stdio2.h:78)
by 0x522A819: sc_do_log (log.c:52)
by 0x529462F: piv_card_ctl (card-piv.c:1794)
by 0x5232E2F: sc_card_ctl (card.c:772)
by 0x52E561D: sc_pkcs15emu_piv_init (pkcs15-piv.c:626)
pkcs15: in pubkey-info data
* introduced new 'direct' 'raw' and 'spki' members
* removed 'encoded der data' member
* in 'read-public-key' try firstly SPKI direct value
pkcs11:
'direct' data used when getting CKA_VALUE attribute of public key
pkcs15init:
* initialize 'raw' and 'spki' direct public key value
In pkcs15-verify the value of PIN is not more validated for conformity with PIN policy,
value is only checked for maximal allowed length.
So that, no more need of 'ignore-pin-length' configuration option - now it's default behavior of common framework.
Add a missing "const" for a constant C-string
reader-pcsc.c: In function `detect_reader_features':
reader-pcsc.c:926:20: warning: initialization discards `const' qualifier from pointer target type [enabled by default]
if no valid PKCS#15 file system found
'internal' bind procedure returns 'non-supported-card' error
the same as 'syntetic' bind procedure.
this return code is used by pkcs11 framework to accept non-binded cards
some codding style issues
New data are used to support the card specific minidriver on-card files.
Beeing included into internal pkcs15 data type,
these new data are accessible at the all frameworks: emulation of pkcs15 and pkcs15init, minidriver.
the proprietary on-card data can contain the GUIDs created by proprietary MW,
these data are parsed by card driver and put into the internal pkcs15 private key data
to be accesible in the different OpenSC frameworks
existing 'guid' obejct's data replaced by the one in private-key info
New CMAP record data used by pkcs15init emulator for the cards that have
the MD specific on-card data
The name implies what the format of the returned value, a SPKI.
The support for spki as a pkcs15 format of a pubkey, is extended to
work for any algorithm not just EC pubkeys. PKCS#15 appears to allow this.
sc_pkcs15_decode_pubkey_with_param will look for a SPKI
and attempt to use it for any algorithm, including RSA.
(RSA is the null case, as there are no algorithm parameters.)
sc_pkcs15_encode_pubkey_as_spki is exported from libopensc.
pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys
as SPKI for RSA and EC.
The pubkey->data is never a SPKI, it is the DER encoding of the
pubkey without the parameters. If an spki is needed, use the
sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the spki.
As in the previous set of patches, pkcs15-tool.c will output both
sc_pkcs15_decode_pubkey_with_param and its internal.
This was left for testing, and the pubkey_pem_encode should be deleted
The original ECC code in OpenSC stored the ecpointQ as a DER encoded OCTET STRING.
Shortly before 0.13.0, code changes where made to store the ecpointQ as raw data
without the DER encoding.
Only some of the code was changed to support this but not all, and the comments
that said the ecpointQ was in DER where not changed either.
Some card drivers continued to work, using the original code in all place,
while some cards failed, as they where using a mixture of original code and
0.13.0 code.
This commit fixes these problems.
The ecpointQ is stored in raw format
A new structure type sc_pkcs15_u8 is defined.
The ecpointQ are changed to use the struct sc_pkcs15_u8. This was done to avoid
the confusion of using struct sc_pkcs15_der to hold non-DER encoded data.
(There may be other uses for this too...)
Comments are change is many places.
sc_pkcs15_decode_pubkey_ec was fixed to store the raw ecpointQ correctly.
sc_pkcs15_pubkey_from_spki was change to get the sc_ec_params from the alg_id
and fix up u.ec.params. Unfortunately the OpenSC code has two places EC parameters
are stored. They can get out of sync, or there may still be code
that looks in the wrng oplace. o(TODO get it to only only place.)
The u.ec.params.field_length is now set in a number of places, as this is need
in many of the PKCS#11 routines.
framework-pkcs15.c will now correctly return the DER encode ecpointQ,
for the CKA_EC_POINT attribute using pubkey->data which has the DER encoding
for the ecpointQ.
framework-pkcs15.c will look for the EC parameters in either the u.ec.params.der,
or in the alg_id->params. (TODO get it to only only place.)
pkcs15-myeid.c has some comments, as it looks like the code is storing a TLV
rather then a DER encoding of the ecpointQ. With the wrong encoding PKCS#11 will
return the wrong attribute for CKA_ECDSA_PARAMS.
pkcs15-piv.c is changed so emulation of a pubkey taken from a certificate will
work correctly.
card-dnie.c:1481:2: error: too few arguments to function `sc_pkcs1_strip_01_padding'
The prototype of sc_pkcs1_strip_01_padding() changed between the patch
submission and its integration.
fixes a lot of warnings which pass a const buffer to the APDU's data
Note that a non-const data member is only required for sc_allocate_apdu
sc_free_apdu. They are currently used with an explicit typecast.
However, sc_allocate_apdu and sc_free_apdu both are not used once in the
entire project. One might also simply throw both functions away.
-- Both are thrown away. (VT)
From @geoffbeier:
(https://github.com/OpenSC/OpenSC/pull/171#issuecomment-20407132)
So it sounds like the right fix is to:
* check the return value of sc_ctx_log_to_file() and have sc_do_log_va()
return if it's anything other than SC_SUCCESS.
* Inside sc_ctx_log_to_file() make sure to set ctx->debug_file to NULL
whenever it does call fclose() on it.
* Inside sc_do_log_va() where it currently calls fclose() check
if(ctx->debug_file && ctx->debug_file != stdout &&ctx->debug_file != stderr)
* iso7816_check_sw() emits a "informational message" (from ISO7816-4 table 6)
* SW-s which are not known or not meaningful for internal API get translated
to SC_ERROR_CARD_CMD_FAILED by default, so use it also in the SW table
* Remove undefined SW-s and move generic SW-s to their sequential location.
This commit improves 8fc679bf40
New member keeps the value of the PKCS#15 DATA object.
Internal pkcs15 procedure that reads DATA object is modified
to check if requested data are already vailable in 'data-info',
an only then try to read the content of dedicated on-card file.
For some emulated PKCS#15 systems value of DATA object is kept as 'direct' value
in a proprietary attribute files and so the common read procedure could not be used.
; some efforts to unify layout of code source.
Initiated by discussion in https://github.com/OpenSC/OpenSC/pull/134 .
SC_ERROR_MEMORY_FAILURE has to be used as a resulting code of the card related operations,
and not as result of the memory allocation problems.
New 'warning' category of SC_ERRORs introduced -- SC_WARNING_xx .
Error text and SC_ERROR associated with return codes 6300 and 6200 has been changed.
EVP_CIPHER_CTX_set_padding needs to be called after EVP_EncryptInit_ex
and EVP_DecryptInit_ex, otherwise padding is re-enabled, which in turn
causes buffer overruns
In set_security_env, the algorithmInfo structure (from the TokenInfo file of
PKCS#15) is parsed to see, what algorithm IDs are supported for signature
operations.
Using the information from AlgorithmInfo set in set_security_env when
computing signatures.
Fixed incorrect order of code blocks. If neither a reference to rsa_sig nor to
rsa_pure_sig is found in AlogirthmInfo, boths methods are enabled before (and
not after) trying pure_sig
t457 (https://www.opensc-project.org/opensc/ticket/457)
For some cards that currently use the common iso-7816 operations
only SELECT with return of FCI/FCP can be applied.
In iso-7816 'select-file' handle, if 'SELECT without FCI' fails with error code 6A86,
then retry 'SELECT with FCI'. Other error code can be added.
Sorry for the 'coding style' noise.
In PukDF of PKCS#15 the public key value can be presented by 'direct value', by path or by path and reference.
For the different cards the public key can be stored in EF, internal EF or in card specific SDO (security data objects).
A new card handle allows to read out the public key from the card specific SDOs.
CK_VERSION is included into PKCS#11 data but is not specified by PKCS#15.
CK_VERSION can be provided by card's pkcs15 emulator or by the card's driver,
including the cards with the native support of pkcs#15 (and thus without pkcs15 emulator).
That's why the more general solution is to have these data included into 'sc-card' data type.
Thanks to Andreas Schwier.
http://www.opensc-project.org/pipermail/opensc-devel/2012-September/018455.html
In PKCS#11 FW, the 'certificate' FW object is used to create corresponding 'public'key' FW object
or to get some of its attributes.
Seg.fault occured when, in the same session, the related certificate was destroyed and after that
there was the attempt to get such public key attributes.
To hold the raw certificate blob in 'sc_pkcs15_cert' data use the 'sc_pkcs15_der' data type.
also:
; in 'pkcs15-cert.c' use short call of the debug messages;
; in 'destroy-object' pkcs15 framework handler take into account the multi-application cards:
-- when binding card use the application info;
-- when finalizing profile use the application ID.
Fix autoreconf warnings:
$ autoreconf -vis -Wall
[...]
src/common/Makefile.am:12: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/libopensc/Makefile.am:19: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/minidriver/Makefile.am:15: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/pkcs11/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/pkcs15init/Makefile.am:36: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/scconf/Makefile.am:12: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/sm/Makefile.am:8: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/tests/Makefile.am:9: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/tools/Makefile.am:15: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
'PACE' is extremely card specific protocol and has not to be ostensibly
present in the common part of OpenSC:
* currently in OpenSC there is no card driver that supports or uses this protocol;
* amazing content of the common 'sc_perform_pace' -- beside the verbose logs
the only substantial action is to call the card/reader specific handler.
According to the current sources and the pull request 83
this 'common' procedure is called by the card driver or
card specific tool/operation.
* currently the 'PACE' can be thouroghly tested only by one person (Frank Morgner),
and only using the OpenSSL patched with the PACE specific patch.
So, at least a dedicated configuration option could be introduced when comiting PACE to the common part.
* common 'sc_perfom_pace' has the same role as the 'initialize-SM' handler of the existing SM framework
and can be implemented as card specific SM, as the others cards do.
This confirmed by Frank Morgner, the author of PACE commits and nPA card driver, himself.
(https://github.com/OpenSC/OpenSC/pull/83)
If tlvblock is not stored then the value is lost and the allocated
mempry is leaked.
Coverity: Resource leak (RESOURCE_LEAK)
Calling allocation function "pgp_build_tlv" on "tlvblock".
Coverity: Missing break in switch (MISSING_BREAK)
"A break statement was missing. The case SC_PKCS15_TYPE_PRKEY_EC was then
managed as a SC_PKCS15_TYPE_PRKEY_DSA" (Ludovic Rousseau)
"the break here has no sense, because LOG_TEST_RET will always return SC_ERROR_NOT_SUPPORTED before"
(Frank Morgner https://github.com/OpenSC/OpenSC/pull/85)
'break' is kept to satisfy coverity.
Fixed issues in pkcs11-tool/test_signature is card has RSA and ECDSA keys
Fixed bug in sc_pkcs11_signature_size that returns the wrong ECDSA signature size
Frank Morgner
Joachim Bauch
Thomas Calderon
Philip Wendland
Nguyễn Hồng Quân
germanblanco
george
Doug Engert
resoli
emRoberto Resoli/em
Andreas Schwier
Shaun Schutte
Ludovic Rousseau
Ludovic Rousseau
andbil
William Roberts
Nikos Mavrogiannopoulos
Viktor Tarasov
Martin Paljak
Raul Metsma
Doug Engert
Jonathan Süssemilch Poulain
Rainer Metsvahi
Raul Metsma
Tim Taylor
JP Szikora
entersafe
Jean-Pierre Szikora
João Poupino
Dirk-Willem van Gulik
Zbigniew Halas
Ondrej Mikle
mtausig
blumentopf
sjoblomt
Frank Thater