2F01 is:
./opensc-explorer -r 0
OpenSC [3F00]> cat 2F01
00000000: 80 43 01 B8 46 04 04 B0 EC C1 47 03 94 01 80 4F .C..F.....G....O
00000010: 08 80 25 00 00 01 FF 01 00 E0 10 02 02 01 04 02 ..%.............
00000020: 02 01 04 02 02 01 00 02 02 01 00 78 08 06 06 2B ...........x...+
00000030: 81 22 F8 78 02 82 02 90 00 .".x.....
so the ASN1 decoder gets confused because it assumes that two bytes are
needed before getting the first tag 43/ISO7816_TAG_II_CARD_SERVICE.
In order to avoid such confusion, whenever the content of the EF.ATR/2F01 starts
with ISO7816_II_CATEGORY_TLV, we skip the first byte in order to parse
the ASN1 payload.
Fix: issue #2220
The previous commit was over simplified. According to the known
mechanism, we should have the following scope:
./pkcs11-tool --module ../lib/onepin-opensc-pkcs11.so -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-X-509, keySize={512,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
SHA256-RSA-PKCS, keySize={512,2048}, sign, verify
RSA-PKCS-PSS, keySize={512,2048}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={512,2048}, sign, verify
SHA256-RSA-PKCS-PSS, keySize={512,2048}, sign, verify
do not use the default flags yet:
_sc_card_add_rsa_alg(card, 1024, IASECC_CARD_DEFAULT_FLAGS, 0x10001);
_sc_card_add_rsa_alg(card, 2048, IASECC_CARD_DEFAULT_FLAGS, 0x10001);
_sc_card_add_rsa_alg(card, 512, IASECC_CARD_DEFAULT_FLAGS, 0x10001);
Contactless specific behaviour shall be added later on.
Depending on the "lifecycle" of the file, we may omit the authentication
operation. Typically if the card is in initialization or creation state,
the access control mechanism is inactive. If authentification can be
skiped, the card driver is responsible for setting the "acl_inactive"
variable in sc_file structure.
This made most of the applications crashing in Fedora 34 when
smart card was plugged in.
The suggested patch makes the code path more obvious for gcc to
handle.
https://bugzilla.redhat.com/show_bug.cgi?id=1930652
card-opennpgp.c and pkcs15-openpgp.c have a strang way of
using sc_object_id_t to store what they call a binary_oid
or oid_binary. It is used to convert the EC curve asn1
returned in the cxdata.
This code uses asn1_decode_object_id to use sc_object_id_t
as used in the rest of the code.
The code and ec_curve tabes in card-openpgp.c where not changed.
pkcs15-openpgp.c was channge si to can use:
algorithm_info = sc_card_find_ec_alg(card, 0, &oid);
to retried the key_length to add to the pubkey and prkey entries.
The EC and EDDSA needs (i.e. field_length) to run.
On branch eddsa
Your branch is up to date with 'Jakuje/eddsa'.
Changes to be committed:
modified: card.c
modified: pkcs15-openpgp.c
The Ed25519 implementation in SoftHSM is now broken /non-interoperable. After fixing that,
the interoperability tests should work with this script:
* SoftHSMv2#528: Avoid creating duplicate mechanisms
* SoftHSMv2#522: Fix advertised min and max mechanism sizes according to final PKCS#11 3.0 specification
* SoftHSMv2#526: Adjust EDDSA code to return valid EC_PARAMS according to the final PKCS #11 3.0 specification
Since 09a594d bringing ECC support to openPGP card, it did not count
with GNUK. This adds exception for GNUK to unbreak ECC signatures
as GNUK presents BCD version < 3.