the proprietary on-card data can contain the GUIDs created by proprietary MW,
these data are parsed by card driver and put into the internal pkcs15 private key data
to be accesible in the different OpenSC frameworks
existing 'guid' obejct's data replaced by the one in private-key info
New CMAP record data used by pkcs15init emulator for the cards that have
the MD specific on-card data
The name implies what the format of the returned value, a SPKI.
The support for spki as a pkcs15 format of a pubkey, is extended to
work for any algorithm not just EC pubkeys. PKCS#15 appears to allow this.
sc_pkcs15_decode_pubkey_with_param will look for a SPKI
and attempt to use it for any algorithm, including RSA.
(RSA is the null case, as there are no algorithm parameters.)
sc_pkcs15_encode_pubkey_as_spki is exported from libopensc.
pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys
as SPKI for RSA and EC.
The pubkey->data is never a SPKI, it is the DER encoding of the
pubkey without the parameters. If an spki is needed, use the
sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the spki.
As in the previous set of patches, pkcs15-tool.c will output both
sc_pkcs15_decode_pubkey_with_param and its internal.
This was left for testing, and the pubkey_pem_encode should be deleted
0x9B is defined as the Card Management Key, and probably shouldn't be
regenerated. 0x9E is the Card Authentication key which is what you
should be generating keys for. This also brings piv-tool in line with
the documentation that states 0x9A, 0x9C, 0x9D and 0x9E are the proper
keyIds to use.
All the other option values are initialized to NULL, so do the same to
opt_auth_id.
(Although, as they're all static globals, they should be set to 0 at
runtime anyway, I think...)
Signed-Off-By: Anthony Foiani <anthony.foiani@gmail.com>
It seems that this suffered some copy and paste damage at some point.
Change so that we check each return value immediately after the API
call.
Signed-Off-By: Anthony Foiani <anthony.foiani@gmail.com>
To hold the raw certificate blob in 'sc_pkcs15_cert' data use the 'sc_pkcs15_der' data type.
also:
; in 'pkcs15-cert.c' use short call of the debug messages;
; in 'destroy-object' pkcs15 framework handler take into account the multi-application cards:
-- when binding card use the application info;
-- when finalizing profile use the application ID.
Fix autoreconf warnings:
$ autoreconf -vis -Wall
[...]
src/common/Makefile.am:12: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/libopensc/Makefile.am:19: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/minidriver/Makefile.am:15: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/pkcs11/Makefile.am:10: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/pkcs15init/Makefile.am:36: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/scconf/Makefile.am:12: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/sm/Makefile.am:8: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/tests/Makefile.am:9: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
src/tools/Makefile.am:15: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
in previous version
first of all the 'reader' option's value was converted to hexadecimal form,
used as ATR value
and all present readers where scanned to find the inserted card with such ATR.
Only after this the 'reader' option was used as reader's number or reader's name.
Currently in use the 'hex-to-bin' procedure accepts for conversion one digit,
and so even if the 'reader' option value is one digit,
the useless search over all present readers take place.
In the current version the order of checks if kept (ATR, reader's number, reader's name),
but enforced the validity check of ATR, presented by 'reader' option.
Also the option is accepted as reader's number only if the 'entire' option's string can be converted to integer.
Thanks to 'jbwisemo' for cooperation.
https://www.opensc-project.org/opensc/ticket/404
'PACE' is extremely card specific protocol and has not to be ostensibly
present in the common part of OpenSC:
* currently in OpenSC there is no card driver that supports or uses this protocol;
* amazing content of the common 'sc_perform_pace' -- beside the verbose logs
the only substantial action is to call the card/reader specific handler.
According to the current sources and the pull request 83
this 'common' procedure is called by the card driver or
card specific tool/operation.
* currently the 'PACE' can be thouroghly tested only by one person (Frank Morgner),
and only using the OpenSSL patched with the PACE specific patch.
So, at least a dedicated configuration option could be introduced when comiting PACE to the common part.
* common 'sc_perfom_pace' has the same role as the 'initialize-SM' handler of the existing SM framework
and can be implemented as card specific SM, as the others cards do.
This confirmed by Frank Morgner, the author of PACE commits and nPA card driver, himself.
(https://github.com/OpenSC/OpenSC/pull/83)
Fixed issues in pkcs11-tool/test_signature is card has RSA and ECDSA keys
Fixed bug in sc_pkcs11_signature_size that returns the wrong ECDSA signature size
Limit the number of cases when applicated re-selection of application DF to strict minimum.
I.e. only when pkcs11 login session is not locked and private key PKCS#15 object do not
contain the 'path' attribute.
Thanks to 'crank'.
https://www.opensc-project.org/opensc/ticket/439
Some pkcs11 callers (i.e. netscape) will pass in the ASN.1 encoded SEQUENCE OF SET,
while OpenSC just keeps the SET in the issuer/subject field.
Harmonize the allowed PIN length in CHANGE & UNBLOCK with the one in VERIFY,
making sure they are large enough for OpenPGP, which allows up ro 32 characters,
and giving additional security margin for other cards.
In VERIFY, allow the user to enter the PIN unteractively if it was not given
on the command line, and if the card reader does not support PIN input.
If it was not given on the command line and the card reader supports PIN input,
then the bahaviour is unchanged: enter PIN via card reader.
openpgp-tool: PIN verfication support.
openpgp-tool: Add notification in case of error.
openpgp-tool: Add manual for key generation and PIN verification.
The code to send the APDU to the piv card when using
piv-tool -s xx:xx:xx... was inadvertently removed
on 2011-04-26 02:29:53 by: 1cdb3fa971
APDU parsing: switch to Frank Morgner's implementation
The missing code is replaced.
The -s option is infrequently used, so the problem
was not spotted earlier.
New operations:
- 'erase-application' -- erase on-card application indicated by it's AID;
- 'update-lastupdate' -- parse tokenInfo, set 'lastUpdate' value to the current date and write back tokenInfo content;
- 'ignore-ca-certificates' -- when importing PKCS#12 ignore all CA certificates;
When reading and printing file content, do not read it by small chunks,
but read an entire file.
It allows to verify how card driver reads the data of maximal size
that is allowed for one transaction ('max_recv_size').
* change order of long & short option names: letters first, then the long names
Effect: nicely aligned short and long option names in the help text
* more space between option names and explanation
Effect: better readability on long options
* print "Options:" header only if there is at least one non-hidden options
Effect: nicer output when all options are hidden
* only show printable, non-space short options letters
Effect: no control codes printed to terminal
* get rid of a temporary variable
improvements to opensc-explorer & new tool openpgp-tool
Usefull improvement: probably could be used in automated tests.
I follow Ludovic and attract your attention onto the necessity, in the nearest future,
to supply the doc/man for the tool newly introduced.
Without it the build of OpenSC package will simply not be possible.
Add new argument 'application-info',
that will allow to select the on-card application to by binded with.
pkcs11: use sc_pkcs15init_bind with 'AID' argument
Prototype of sc_pkcs15init_bind() has been changed to add argument with
AID of the on-card application to be binded with.
Add 'echo' command that simply displays its arguments.
With the recently committed script interpreter feature and this echo command,
nice litte scripts can be written, like e.g.
$ cat opengpg-userinfo
#!/usr/bin/opensc-explorer
cd 0065
echo Name:
cat 005B
echo Language:
cat 5F2D
echo Gender:
cat 5F35
quit
If the system libraries are set before the locally built libraries,
libtool will pick the system copy of OpenSC instead of the local one,
and that can make cross-builds fail badly.
This patch is already applied in Gentoo for proper building.
This seems the right thing to do, when you look at the initial commit which added the flags in do_generate_key and the ticket
http://www.opensc-project.org/opensc/ticket/198
Currently when storing a key, the accessflags are not set
* add new function path_to_filename() that converts a path into
filename, and returns a static buffer to it
* convert all occurrences where file names get generated
to using this function
Signed-off-by: Peter Marschall <peter@adpm.de>
Use the easier to read & shorter expression
path->type = (is_id) ? SC_PATH_TYPE_FILE_ID : SC_PATH_TYPE_PATH;
nstead of the longer, but equivalent if () .. else construction.
Signed-off-by: Peter Marschall <peter@adpm.de>
* allow double-quoted strings besides hexdata in ADPU generation
* detect errors in parameter parsing
* use utility function to print bytes sent,
fixing an error that only showed parts of the APDU wheni
it was generated from multiple arguments
Signed-off-by: Peter Marschall <peter@adpm.de>
Simplify argument handling in do_change() and do_unblock(),
making the functions shorter and deasier to understand.,
Signed-off-by: Peter Marschall <peter@adpm.de>
The variables "in_str" in do_update_binary() & do_update_record()
do not serve a purpose: use argv[x] directly & remove them.
Signed-off-by: Peter Marschall <peter@adpm.de>
Convert arg_to_path() to using the standard sc_hex_to_binary() instead of
the local hex2binary().
While at it, return erros on failed conversions.
Signed-off-by: Peter Marschall <peter@adpm.de>
Update do_update_record() to use parse_string_or_hexdata() instead of the old
hex2binary().
This change allows to use double-quoted strings in the "update_record" command.
Signed-off-by: Peter Marschall <peter@adpm.de>
do_update_binary() and do_update_record() expect a fixed number of parameters
each: adapt the checks for argc so that they do the right thing.
Signed-off-by: Peter Marschall <peter@adpm.de>
* add new function parse_string_or_hexdata() that parses
a double-quoted string or a hex-data string (e.g: AA:BB:CC)
into a buffer
* use parse_string_or_hexdata() wherever strings or hexdata
gets parsed into a buffer
Signed-off-by: Peter Marschall <peter@adpm.de>
* extend cmds struct by a new element args for a description of the arguments
* use args in help texts
* new function usage() for centralited dispaly of usage info
* harmonize argument strings for usage / help texts
* re-sort cmd list shown in help texts
* add function "help" to cwallow asking for for help
* space-police
Signed-off-by: Peter Marschall <peter@adpm.de>
Nguyễn Hồng Quân
Andreas Schwier
Viktor Tarasov
Henrik Andersson
Frank Morgner
Nikos Mavrogiannopoulos
Ludovic Rousseau
Ludovic Rousseau
Charles Bancroft
JP Szikora
Jean-Pierre Szikora
German Blanco
Martin Paljak
Frank Thater
mescheryakov1
Anthony Foiani
sjoblomt
Peter Marschall
Nguyễn Hồng Quân
Doug Engert
Diego Elio Pettenò
Alon Bar-Lev
Robbert Müller