sc_pkcs15_pubkey_from_spki_sequence() takes the ASN1 'subjectPublicKeyInfo' data
sc_pkcs15_pubkey_from_spki_fields() takes the ASN1 'subjectPublicKeyInfo' data without outter SEQUENCE tag
prototype of 'get-guid' has been changed;
valgrind issue:
Conditional jump or move depends on uninitialised value(s)
at 0x5A0159B: vfprintf (vfprintf.c:1629)
by 0x5AC04BF: __vsnprintf_chk (vsnprintf_chk.c:65)
by 0x522A665: sc_do_log_va.part.0 (stdio2.h:78)
by 0x522A819: sc_do_log (log.c:52)
by 0x529462F: piv_card_ctl (card-piv.c:1794)
by 0x5232E2F: sc_card_ctl (card.c:772)
by 0x52E561D: sc_pkcs15emu_piv_init (pkcs15-piv.c:626)
pkcs15: in pubkey-info data
* introduced new 'direct' 'raw' and 'spki' members
* removed 'encoded der data' member
* in 'read-public-key' try firstly SPKI direct value
pkcs11:
'direct' data used when getting CKA_VALUE attribute of public key
pkcs15init:
* initialize 'raw' and 'spki' direct public key value
In pkcs15-verify the value of PIN is not more validated for conformity with PIN policy,
value is only checked for maximal allowed length.
So that, no more need of 'ignore-pin-length' configuration option - now it's default behavior of common framework.
Add a missing "const" for a constant C-string
reader-pcsc.c: In function `detect_reader_features':
reader-pcsc.c:926:20: warning: initialization discards `const' qualifier from pointer target type [enabled by default]
if no valid PKCS#15 file system found
'internal' bind procedure returns 'non-supported-card' error
the same as 'syntetic' bind procedure.
this return code is used by pkcs11 framework to accept non-binded cards
some codding style issues
New data are used to support the card specific minidriver on-card files.
Beeing included into internal pkcs15 data type,
these new data are accessible at the all frameworks: emulation of pkcs15 and pkcs15init, minidriver.
the proprietary on-card data can contain the GUIDs created by proprietary MW,
these data are parsed by card driver and put into the internal pkcs15 private key data
to be accesible in the different OpenSC frameworks
existing 'guid' obejct's data replaced by the one in private-key info
New CMAP record data used by pkcs15init emulator for the cards that have
the MD specific on-card data
The name implies what the format of the returned value, a SPKI.
The support for spki as a pkcs15 format of a pubkey, is extended to
work for any algorithm not just EC pubkeys. PKCS#15 appears to allow this.
sc_pkcs15_decode_pubkey_with_param will look for a SPKI
and attempt to use it for any algorithm, including RSA.
(RSA is the null case, as there are no algorithm parameters.)
sc_pkcs15_encode_pubkey_as_spki is exported from libopensc.
pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys
as SPKI for RSA and EC.
The pubkey->data is never a SPKI, it is the DER encoding of the
pubkey without the parameters. If an spki is needed, use the
sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the spki.
As in the previous set of patches, pkcs15-tool.c will output both
sc_pkcs15_decode_pubkey_with_param and its internal.
This was left for testing, and the pubkey_pem_encode should be deleted
The original ECC code in OpenSC stored the ecpointQ as a DER encoded OCTET STRING.
Shortly before 0.13.0, code changes where made to store the ecpointQ as raw data
without the DER encoding.
Only some of the code was changed to support this but not all, and the comments
that said the ecpointQ was in DER where not changed either.
Some card drivers continued to work, using the original code in all place,
while some cards failed, as they where using a mixture of original code and
0.13.0 code.
This commit fixes these problems.
The ecpointQ is stored in raw format
A new structure type sc_pkcs15_u8 is defined.
The ecpointQ are changed to use the struct sc_pkcs15_u8. This was done to avoid
the confusion of using struct sc_pkcs15_der to hold non-DER encoded data.
(There may be other uses for this too...)
Comments are change is many places.
sc_pkcs15_decode_pubkey_ec was fixed to store the raw ecpointQ correctly.
sc_pkcs15_pubkey_from_spki was change to get the sc_ec_params from the alg_id
and fix up u.ec.params. Unfortunately the OpenSC code has two places EC parameters
are stored. They can get out of sync, or there may still be code
that looks in the wrng oplace. o(TODO get it to only only place.)
The u.ec.params.field_length is now set in a number of places, as this is need
in many of the PKCS#11 routines.
framework-pkcs15.c will now correctly return the DER encode ecpointQ,
for the CKA_EC_POINT attribute using pubkey->data which has the DER encoding
for the ecpointQ.
framework-pkcs15.c will look for the EC parameters in either the u.ec.params.der,
or in the alg_id->params. (TODO get it to only only place.)
pkcs15-myeid.c has some comments, as it looks like the code is storing a TLV
rather then a DER encoding of the ecpointQ. With the wrong encoding PKCS#11 will
return the wrong attribute for CKA_ECDSA_PARAMS.
pkcs15-piv.c is changed so emulation of a pubkey taken from a certificate will
work correctly.
card-dnie.c:1481:2: error: too few arguments to function `sc_pkcs1_strip_01_padding'
The prototype of sc_pkcs1_strip_01_padding() changed between the patch
submission and its integration.
fixes a lot of warnings which pass a const buffer to the APDU's data
Note that a non-const data member is only required for sc_allocate_apdu
sc_free_apdu. They are currently used with an explicit typecast.
However, sc_allocate_apdu and sc_free_apdu both are not used once in the
entire project. One might also simply throw both functions away.
-- Both are thrown away. (VT)
From @geoffbeier:
(https://github.com/OpenSC/OpenSC/pull/171#issuecomment-20407132)
So it sounds like the right fix is to:
* check the return value of sc_ctx_log_to_file() and have sc_do_log_va()
return if it's anything other than SC_SUCCESS.
* Inside sc_ctx_log_to_file() make sure to set ctx->debug_file to NULL
whenever it does call fclose() on it.
* Inside sc_do_log_va() where it currently calls fclose() check
if(ctx->debug_file && ctx->debug_file != stdout &&ctx->debug_file != stderr)
* iso7816_check_sw() emits a "informational message" (from ISO7816-4 table 6)
* SW-s which are not known or not meaningful for internal API get translated
to SC_ERROR_CARD_CMD_FAILED by default, so use it also in the SW table
* Remove undefined SW-s and move generic SW-s to their sequential location.
This commit improves 8fc679bf40
New member keeps the value of the PKCS#15 DATA object.
Internal pkcs15 procedure that reads DATA object is modified
to check if requested data are already vailable in 'data-info',
an only then try to read the content of dedicated on-card file.
For some emulated PKCS#15 systems value of DATA object is kept as 'direct' value
in a proprietary attribute files and so the common read procedure could not be used.
; some efforts to unify layout of code source.
Initiated by discussion in https://github.com/OpenSC/OpenSC/pull/134 .
SC_ERROR_MEMORY_FAILURE has to be used as a resulting code of the card related operations,
and not as result of the memory allocation problems.
New 'warning' category of SC_ERRORs introduced -- SC_WARNING_xx .
Error text and SC_ERROR associated with return codes 6300 and 6200 has been changed.
EVP_CIPHER_CTX_set_padding needs to be called after EVP_EncryptInit_ex
and EVP_DecryptInit_ex, otherwise padding is re-enabled, which in turn
causes buffer overruns
In set_security_env, the algorithmInfo structure (from the TokenInfo file of
PKCS#15) is parsed to see, what algorithm IDs are supported for signature
operations.
Using the information from AlgorithmInfo set in set_security_env when
computing signatures.
Fixed incorrect order of code blocks. If neither a reference to rsa_sig nor to
rsa_pure_sig is found in AlogirthmInfo, boths methods are enabled before (and
not after) trying pure_sig
t457 (https://www.opensc-project.org/opensc/ticket/457)
For some cards that currently use the common iso-7816 operations
only SELECT with return of FCI/FCP can be applied.
In iso-7816 'select-file' handle, if 'SELECT without FCI' fails with error code 6A86,
then retry 'SELECT with FCI'. Other error code can be added.
Sorry for the 'coding style' noise.
In PukDF of PKCS#15 the public key value can be presented by 'direct value', by path or by path and reference.
For the different cards the public key can be stored in EF, internal EF or in card specific SDO (security data objects).
A new card handle allows to read out the public key from the card specific SDOs.
CK_VERSION is included into PKCS#11 data but is not specified by PKCS#15.
CK_VERSION can be provided by card's pkcs15 emulator or by the card's driver,
including the cards with the native support of pkcs#15 (and thus without pkcs15 emulator).
That's why the more general solution is to have these data included into 'sc-card' data type.
Thanks to Andreas Schwier.
http://www.opensc-project.org/pipermail/opensc-devel/2012-September/018455.html
In PKCS#11 FW, the 'certificate' FW object is used to create corresponding 'public'key' FW object
or to get some of its attributes.
Seg.fault occured when, in the same session, the related certificate was destroyed and after that
there was the attempt to get such public key attributes.
To hold the raw certificate blob in 'sc_pkcs15_cert' data use the 'sc_pkcs15_der' data type.
also:
; in 'pkcs15-cert.c' use short call of the debug messages;
; in 'destroy-object' pkcs15 framework handler take into account the multi-application cards:
-- when binding card use the application info;
-- when finalizing profile use the application ID.
Fix autoreconf warnings:
$ autoreconf -vis -Wall
[...]
src/common/Makefile.am:12: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/libopensc/Makefile.am:19: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/minidriver/Makefile.am:15: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/pkcs11/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/pkcs15init/Makefile.am:36: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/scconf/Makefile.am:12: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/sm/Makefile.am:8: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/tests/Makefile.am:9: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/tools/Makefile.am:15: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
'PACE' is extremely card specific protocol and has not to be ostensibly
present in the common part of OpenSC:
* currently in OpenSC there is no card driver that supports or uses this protocol;
* amazing content of the common 'sc_perform_pace' -- beside the verbose logs
the only substantial action is to call the card/reader specific handler.
According to the current sources and the pull request 83
this 'common' procedure is called by the card driver or
card specific tool/operation.
* currently the 'PACE' can be thouroghly tested only by one person (Frank Morgner),
and only using the OpenSSL patched with the PACE specific patch.
So, at least a dedicated configuration option could be introduced when comiting PACE to the common part.
* common 'sc_perfom_pace' has the same role as the 'initialize-SM' handler of the existing SM framework
and can be implemented as card specific SM, as the others cards do.
This confirmed by Frank Morgner, the author of PACE commits and nPA card driver, himself.
(https://github.com/OpenSC/OpenSC/pull/83)
If tlvblock is not stored then the value is lost and the allocated
mempry is leaked.
Coverity: Resource leak (RESOURCE_LEAK)
Calling allocation function "pgp_build_tlv" on "tlvblock".
Coverity: Missing break in switch (MISSING_BREAK)
"A break statement was missing. The case SC_PKCS15_TYPE_PRKEY_EC was then
managed as a SC_PKCS15_TYPE_PRKEY_DSA" (Ludovic Rousseau)
"the break here has no sense, because LOG_TEST_RET will always return SC_ERROR_NOT_SUPPORTED before"
(Frank Morgner https://github.com/OpenSC/OpenSC/pull/85)
'break' is kept to satisfy coverity.
Fixed issues in pkcs11-tool/test_signature is card has RSA and ECDSA keys
Fixed bug in sc_pkcs11_signature_size that returns the wrong ECDSA signature size
Limit the number of cases when applicated re-selection of application DF to strict minimum.
I.e. only when pkcs11 login session is not locked and private key PKCS#15 object do not
contain the 'path' attribute.
"The encoding of {public,private}GOSTR3410Key uses tag [CONTEXT 3] which is reserved for KEAKey.
Caused by the fact, that the specifications (pkcs15,iso) don't define a encoding for GOST,
the genericKey encoding [CONTEXT 4] from iso-7816 should be used." (Andre)
* Make the OPENSC_DEBUG environment variable work even when no
conf file is available.
https://www.opensc-project.org/opensc/ticket/388
Signed-off-by: Viktor Tarasov <viktor.tarasov@gmail.com>
According to ch.4.2 of MyEID reference manual v1.7.6 the only possible value of P2 of 'SELECT' APDU is '00'.
For this reason, when caller do not request to return 'sc_file' data,
use the non-null dummy 'sc_file' pointer in the call of iso->select_file,
and thus avoid the P2 different from '00'.
Also log calls are replaced by its short forms,
and resolved the 'trailing spaces' issues.
When OpenSC is used with a card that enforces user_consent
and the calling PKCS#11 application does not understand how
to handle the CKA_ALWAYS_AUTHENTICATE, signature operations
will fail.
OpenSC will not cache a PIN that protects a user_consent
object as one would expect.
This mods allows PINs to be cached even if protecting a
user_consent object by adding
pin_cache_ignore_user_consent = true;
option in opensc.conf.
Thunderbird is the prime example of this situation.
Mozilla has accepted mods (357025 and 613507) to support
CKA_ALWAYS_AUTHENTICATE that will appear in NSS-3.14 but
this may be some time before this version is in vendor
distribution.
In file included from pkcs15.c:30:
cardctl.h:870: error: expected specifier-qualifier-list before 'time_t'
Change-Id: I5faad5462ba6268fd7cf48a04f41e1755597ad0c
The card contains only 1 certificate, which can be used for encrypting.
But this certificate is bound with authentication key, so when decrypting,
the authentication key will be presented to check.
This commit allows to bypass the check in driver. However, it is not enough.
The users have to import the same key to "Encryption key" to help the card find
right key to work.
OpenPGP: Add log and comments.
OpenPGP: Pretend to select dummy files.
Some files are needed by pkcs15init, but not exist in OpenPGP card.
We pretend to know these dummy files to make pkcs15init successful.
Compilation error on windows:
when declaring array use explicit size, add pkcs15-openpgp.obj in Makefile.mak
OpenPGP: Some indentations need to be tab-size-independent.
OpenPGP: Check for null data when storing fingerprints.
OpenPGP: Allow to provide creation time to store (when gen/import key).
Old: Only store current time.
New: Can provide time to store, not only calculate current time.
OpenPGP: Correct setting content of pubkey blobs after key generation.
cardctl: Add definitions to support key import in OpenPGP.
OpenPGP: Add support for key import at driver level.
Correct the way to parse response data.
Updated wrong blob for pubkey info <~~ Fix.
OpenPGP: Store creation time after generating keys.
OpenPGP: Put_data: Handle the case that DO exists but its blob does not.
When checking DO before writing, relying on blobs only will miss the case that DO exists but its blob does not, when DO is non-readable.
OpenPGP: Set algorithm attributes before generating key.
OpenPGP: Add dependency of OpenSSL.
OpenPGP: Calculate and store fingerprint.
Calculate and store fingerprint after generating key.
OpenPGP: Update blob of pubkey info.
Update blob holding pubkey info after generating key.
OpenPGP: Add step to update card algorithms.
Update card algorithms after generating key. However, this step is not implemented yet, because of suspection about wrong data (see code comment).
CKA_ALWAYS_AUTHENTICATE implies CKU_CONTEXT_SPECIFIC login, but all this
key really should need is a C_Login with CKU_USER.
The historical reason for having CKA_ALWAYS_AUTHENTICATE set was to keep
Firefox/NSS from using that particular key for SSL connections. However,
starting with Firefox 8, NSS ignores Non Repudiation certificates for
SSL and that makes the CKA_ALWAYS_AUTHENTICATE workaround unnecessary.
Now that Firefox is fixed, drop the workaround in OpenSC so that
applications that follow the pkcs11 spec wouldn't have to login twice to
access the key.
For some cards some APDUs are always transmitted in a plain mode,
even if SM session is opened.
For these APDUs the 'get_sm_apdu' card's handler returns SUCCESS without wrapped APDU version.
In such cases 'transmit' is called for the plain APDU.
when freeing key object, do not throw an error if supplied key pointer is NULL;
sc_pkcs15_free_prkey() procedure should not free the supplied key pointer,
the body of this procedure is replaced by body of sc_pkcs15_erase_prkey().
staitc sc_pkcs15_erase_prkey() is not more used.
* use LOG_FUNC_CALLED() .. LOG_FUNC_RETURN for "symmetric" logging
* don't zero-fill the DO's contents but empty it
* get rid of unnecessary variables
* select parent DF after deletion (required by to ISO 7816-9)
* don't try to delete MF
Fail on idx > 0 in order to avoid the requirement to read from the DO.
The DO may be read-protected, and this might either fail or produce
wrong results.
* use LOG_FUNC_CALLED() .. LOG_FUNC_RETURN for "symmetric" logging
* update comment
* check that blob->data is defined
* fix writing new data to the correct offset
* use calloc() instead of malloc() & memset()
* align pgp_ops function pointer list
* make sure variables of type u8 do only get passed fitting data
* use LOG_FUNC_CALLED() .. LOG_FUNC_RETURN for "symmetric" logging
* leave most of the spcial casing in ADPU handling to sc_adpu_transmit()
* use SC_ADPU_CASE_1 for empty buffer (avoids special casing Lc=0)
* clean up log strings & comments
Replace the "one-trick-pony" pgp_do_iswritable() with a more generic
function returning the blob matching the passed tag.
This way we can get rid of the one-line function pgp_blob_iswritable() too.
comparisons like these can be done in the caller.
Set pin references to 0x01 - 0x03 instead of 0x81 - 0x83.
The PINs are referenced as PIN1- PIN3 (resp. PW1 - PW3) in the OpenPGP
card specification.
Technically the APDUs to verify/change the PINs contain the values OR-ed
with 0x80, but this is just a technical detail of the implementation
which the emulated file system can hide in pgp_pin_cmd().
Pros & Cons:
+ consistent PIN naming
+ no trouble entering the correct PIN names in opensc-explorer et.al.
("verify CHV1" is way better than "verify CHV129")
- manually entering the correct APDU for VERIFY is a bit more complex.
(who does this anyway, when there are better functions)
While at it, change if .. elsif ... cascade to switch statement.
Decode/encode 'subjectName' attribute from the 'CommonPubkeyAttributes'
Use macros for the size of the asn1_entry tables.
Use short call form for debug messages.
Procedure to convert the pkcs15 public key to EVP_PKEY type key.
Coding style issues.
Decoding/encoding of the 'algReference' attribute from the 'CommonKeyAttributes'.
Use macros for the size of the asn1_entry tables.
Use short call form for debug messages.
Procedure to deduce from certificate the attributes of private key PKCS#15 object.
Procedure to convert the pkcs15 private key to EVP_PKEY type key.
Coding style issues.
* parse more extened capabilities & features into a private enum
* for v2.0 cards, always parse the "historical bytes" DO
reason: ATR may be static and thus cannot reflect the state
PKCS#15 spec v1.1 says:
TokenInfo.version: This field contains the number of the particular version
of this specification the application is based upon. For this version of this
document, the value of version shall be 0 (v1).
Thanks to Martin Paljak for the finding.
To be used in windows:
"In Windows, file handles can not be shared between DLL-s, each DLL has a separate file handle table.
For that reason reopen debug file before every debug message."
sc_context_repair() procedure from Hunter William
"Workaround some threading and data lifetime issues when card handle changes and need to re-associate card"
http://www.opensc-project.org/pipermail/opensc-devel/2011-December/017445.html
Introduce some usefull define macros, error code 'inconsistent configuration'.
Introduce procedure to calculate CRC32 digest,
to be used in minidriver to calculate the 'freshness' values.
At the moment symbolic names for the on-card applications are 'generic', 'protected'.
This distinction used by pkcs11 and minidriver module to select the
'master' application in the cases when only reduced number of slots (one)
can be exposed by module (minidriver) or particular configuration (pkcs11).
Determine data for sc_pkcs15_card's tokeninfo structure
from sc_pkcs15_card's card structure.
This makes sure the two stay consistent as much as possible.
new commands for opensc-explorer and bugfix for iso7816 driver
- opensc-explorer: new find command:
tested; nice, useful feature.
- opensc-explorer: pace:
no means to test -- accepted.
- iso driver:
really bug, thanks.
Implements PC/SC interface to PACE-enabled readers defined in PC/SC
pt. 10 AMD 1 and BSI TR-03119.
PACE can be started using `sc_perform_pace`. This function currently
calls the new `perform_pace` from `struct sc_reader_operations`, if the
reader has the needed capabilities. `sc_perform_pace` could also be
extended with a stand-alone implementation of PACE (code could be
imported from here http://vsmartcard.sourceforge.net/npa/README.html).
Note that the reader's PACE capabilities are correctly determined by
calling GetReaderPACECapabilities.
OpenSC's new PACE capabilities can be tested using the `npa-tool` from
the Virtual Smart Card Architecture (see link above).
* Print out warning when mlock fails, and continue.
* The warning required a ctx to be passed in, so that means
changing a few function signatures.
https://www.opensc-project.org/opensc/ticket/389
Specify the path of the Address PIN for IAS-based cards in order to properly
read the Citizen Address Data object. Remove the "Citizen Data" object
association with the Address PIN, as it incorrectly describes the card layout.
http://www.opensc-project.org/opensc/ticket/400.
Change-Id: I7ca81d6d15c5e2b137ff3c9a40b7471eb2fad55c
../../src/libopensc/cardctl.h:231:30: warning: comma at end of enumerator list
../../src/libopensc/cardctl.h:629:13: warning: comma at end of enumerator list
The code that treated a timeout as success was never reached, because the
surrounding if eliminated the possibility of entering the block when the return code
from SCardGetStatusChange was SCARD_E_TIMEOUT.
Issue found by Coverity Scan.
Some pinpads do not support PIN size less than 4 or greater than 8.
PC/SC v2 part 10 allows to ask the driver/reader for the supported
values. This avoids to have the SECURE PIN CCID command rejected by the
reader.
This should fix OpenSC ticket #361 "card-entersafe should ask the pinpad
reader for the maximum pin size"
The timeout parameter of SCardGetStatusChange() is a DWORD (unsigned
int). An int timeout parameter was used instead.
The problem happens on 64-bits architectures where DWORD is 64-bits long
and int is only 32-bits long. The sign extension C mechanism transforms
the PC/SC value INFINITE into -1 instead of 4294967295.
See http://www.opensc-project.org/pipermail/opensc-devel/2011-June/016831.html
"Kobil KAAN Advanced Reader, "waiting for card" timeout"
Remove links pointing to the blob to be deleted from other blobs in the
blob tree structure, so that removing a subordinate blob does not hurt
its parent or siblings.
Signed-off-by: Peter Marschall <peter@adpm.de>
* get file as parameter & fail if it is NULL
* allow parent to be NULL
* do not rely on DO info to be passed as parameter,
search it yourself using the global DO info list for the card.
* infer file type automatically from DO info matching the file ID.
Signed-off-by: Peter Marschall <peter@adpm.de>
DO FF is a "catch-all" DO that returns all the infos contained in the other
DOs in one hierarchy.
It is hence duplicate and not necessary.
Signed-off-by: Peter Marschall <peter@adpm.de>
Also include forgotten DO C3 in keylength calculation.
It contains the parameters for the authentication key.
Signed-off-by: Peter Marschall <peter@adpm.de>
can be loaded at ADMINISTRATION life cycle phase to change
the behavior of the VERIFY command in regard to return codes.
When that package is loaded, the PIN can be created with this
"verifyRC" flag in cardos.profile if the return code must be
ISO7816-4 compliant (63Cx with x being the value of the remaining
retry counter when required verification has failed).
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5558 c6295689-39f2-0310-b995-f0e70906c6a9
If 'serialNumber' attribute is absent in the 'TokenInfo' data,
in the parsed data, this attribute will be set to the value of the card's serial.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5547 c6295689-39f2-0310-b995-f0e70906c6a9
pkcs15-wrap.c can be removed. Clarified/changed the meaning of "insecure" flag to pkcs15-init tool,
which will be needed to explicitly enforce the creation of a key which does not require a PIN.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5510 c6295689-39f2-0310-b995-f0e70906c6a9
card-openpgp.c:584: warning: comparison between signed and unsigned
card-openpgp.c: In function ‘pgp_card_ctl’:
card-openpgp.c:1036: warning: unused variable ‘priv’
card-openpgp.c: In function ‘pgp_init’:
card-openpgp.c:272: warning: ‘child’ may be used uninitialized in this function
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5504 c6295689-39f2-0310-b995-f0e70906c6a9
Rewrite bebyte conversion functions:
* check whether the buffer passed is non-NULL
* for conversions to bebytes, return the buffer passed
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5498 c6295689-39f2-0310-b995-f0e70906c6a9
Use ushort2bebytes instead of calculating the mapping to IDs ourselves.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5497 c6295689-39f2-0310-b995-f0e70906c6a9
Instead of jumping out of the loop when the correct child is found,
and checking afterwards again if we found the correct object,
do everything directly in the loop and return from there.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5496 c6295689-39f2-0310-b995-f0e70906c6a9
Extend pgp_get_card_features() to get card's flags & supported algorithms
from the card:
* get algorith values from "algorithm attributes" DOs 0x00c1 - 0x00c3
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5495 c6295689-39f2-0310-b995-f0e70906c6a9
Extend pgp_get_card_features() with these features:
* get SC_CARD_CAP_RNG capability from "extended capabilities" DO 0x00c0
* for OpenPGP 2.0 cards get max_send_size / max_recv_size values
from "extended capabilities" DI 0x00c0
* get max_pin_len from "CHV status bytes" DO 0x00c4
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5494 c6295689-39f2-0310-b995-f0e70906c6a9
Add a new function pgp_get_card_features() to get the card's capabilities,
algorithms, features, ... instead of doing it all in pgp_init():
* get SC_CARD_CAP_APDU_EXT capability from ATR
* for openPGP 2.0 cards, if not found in ATR,
get SC_CARD_CAP_APDU_EXT capability from "historical bytes" DO 0x5f52
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5493 c6295689-39f2-0310-b995-f0e70906c6a9
In pgp_read_blob(), check if the pointer to the function we want to call
is defined.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5492 c6295689-39f2-0310-b995-f0e70906c6a9
Have separate copies of pgp_objects[] data elements specific to the card's
version, and extend these structures with additional information:
* Some spec changes cannot be compatibly expressed in one common
simple data structure without making it too complex.
* depending on specification version, only deal with those DOs
that are legal within that version
* add information or read & write access conditions
* add information for non-toplevel and/or write-only DOs
* use symbolic names for constants
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5491 c6295689-39f2-0310-b995-f0e70906c6a9
Re-structure pgp_finish() for easier reading.
While at it, check for priv != NULL before free()ing it.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5486 c6295689-39f2-0310-b995-f0e70906c6a9
Instrument functions used in the card operations table pgp_ops[]
with log macros to ease debugging.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5485 c6295689-39f2-0310-b995-f0e70906c6a9
Write a short comment at the beginning of each function,
shortly sketching what the function does.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5484 c6295689-39f2-0310-b995-f0e70906c6a9
The element size in struct do_info is never used. Get rid of it.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5483 c6295689-39f2-0310-b995-f0e70906c6a9
Implement card_ctl(), crrently restricted only to SC_CARDCTL_GET_SERIALNR.
The card's serial number is copied from the respective bytes in the AID.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5482 c6295689-39f2-0310-b995-f0e70906c6a9
free() the memory already reserved when the file identifying the OpenPGP
application fails & reset the pointers in the card strcuture back to NULL.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5481 c6295689-39f2-0310-b995-f0e70906c6a9
Depending on the card's capabilities and the necessity (requested response
size > 256) allow extended APDUs in all functions talking to the card.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5480 c6295689-39f2-0310-b995-f0e70906c6a9
adapt pgp_get_pubkey() and pgp_read_blob() to make use of the information
about the "extended Lc/Le" capabilities.
This allows reading OpenPGP Card v2.0 keys!
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5479 c6295689-39f2-0310-b995-f0e70906c6a9
According to OpenPGP card specs 1.1 & 2.0 historical bytes in the ATR
indicate capabilities:
* bit 0x40 of the 3rd byte of the compact-TLV entry with TL 0x73 tells
whether the card supports extended Lc/Le fields in APDUs.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5478 c6295689-39f2-0310-b995-f0e70906c6a9
Detect and react on out of memory errors in pgp_new_blob() and its callers.
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5477 c6295689-39f2-0310-b995-f0e70906c6a9
* NULL-ify freed data pointer
* avoid unnecessary malloc() calls
* cope with malloc() errors
* do not rely on blob->file for be set
Signed-off-by: Peter Marschall <peter@adpm.de>
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5474 c6295689-39f2-0310-b995-f0e70906c6a9
Viktor Tarasov
Martin Paljak
Doug Engert
Andreas Schwier
Ludovic Rousseau
Jonathan Süssemilch Poulain
Rainer Metsvahi
Raul Metsma
Tim Taylor
Frank Morgner
Ludovic Rousseau
JP Szikora
entersafe
German Blanco
Jean-Pierre Szikora
João Poupino
Dirk-Willem van Gulik
Zbigniew Halas
Ondrej Mikle
mtausig
blumentopf
sjoblomt
Frank Thater
Stef Walter
Nguyễn Hồng Quân
Kalev Lember
Peter Marschall
Nguyễn Hồng Quân
Alon Bar-Lev
Ludovic Rousseau
vtarasov
andre
jps
martin
pk