card-piv.c
make sure the string is null terminated before passing it
to hex_to_bin routine, which expects it
pkcs15-cac.c
free cn_name on failure
pkcs11-tool.c
make sure the string is null terminated before passing it to
parse_certificate(), which expects it
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
modified: src/libopensc/pkcs15-infocamere.c
modified: src/libopensc/pkcs15-starcert.c
modified: src/pkcs15init/pkcs15-lib.c
Changed isf_acl to also need SO PIN for CREATE.
modified: src/pkcs15init/starcos.profile
* localize variables
* print errors to stderr
* release allocated resources
* return error code on error - improve non-interactive use
* do not show help on unknown commands when used non-interactively
* make 'interactive' a global variable
* set it when opensc was called with the SCRIPT argument
* document the behaviour in the manual page
Make interactive a global variable and set it in main.
When arguments are given, compare them like ambguous_match() does,
and show the matching ones only.
Add documentation of the 'help' command to the manual page.
In main loop on multiple matches, show help on matching commands only.
* most importantly: immediately return success on exact match
- this allows one command to be a prefix of another one
- it fixes the long-standing breakage between 'find' and 'find_tags'
* fail on second prefix-only match instead of waiting until the end
* check all parameters
* add comments
* inform caller on whether the match was ambiguous or there was no match
* move printing error messages to processing loopt in main()
Accept a file name as a second argument to the 'random' command
to allow storing the generated random bytes to the file given.
Forbid writing binary data to stdout in interactive mode.
* limit buffer to SC_MAX_EXT_APDU_BUFFER_SIZE
* fix buffer length calculation to correctly calculate the available space
* add length checks when parsing passed data into buffer
* consistently show ellipsis for repeatable arguments as 3 dots
* embrace alternative mandatory arguments with curly braces
* use hyphens instead of spaces within non-literal arguments
for improved alignment with the manual page