Instead of only expecting a key length, and implicitly assuming RSA
as the key algorithm, introduce option --key-type to pass the key type
as a string.
When generating the key determine key algorithm and attributes based on
the key type passed.
If no key was given, default to "rsa2048".
* make 'interactive' a global variable
* set it when opensc was called with the SCRIPT argument
* document the behaviour in the manual page
Make interactive a global variable and set it in main.
When arguments are given, compare them like ambguous_match() does,
and show the matching ones only.
Add documentation of the 'help' command to the manual page.
In main loop on multiple matches, show help on matching commands only.
Accept a file name as a second argument to the 'random' command
to allow storing the generated random bytes to the file given.
Forbid writing binary data to stdout in interactive mode.
md_pinpad_dlg_allow_cancel now defines whether or not the user is asked
before verifying the PIN on the PIN pad. This can be denied without
interaction with the PIN pad. A checkbox in the dialog allows the user
to change this setting, which is saved in the registry by the path of
the process.
This change fixes the progress bar to match the actual configured
timout. The progressbar now fills instead of running empty, which seemed
less frightening for most users.
This change also fixes some copy/paste errors in the documentation of
opensc.conf(5).
Recent versions of bash is leaving /etc/bash_completion.d. The correct
directory is specified by pkg-config --variable completionsdir
bash-completion.
Fixes https://github.com/OpenSC/OpenSC/issues/1403
Call the tools to be tested with option '--help' to avoid
triggering automatic actions when no option is given.
Exampleswhy the old behaviour is bad:
- opensc-notify: blocks the build
- opensc-explorer: tries to open the card
* get rid of hard-coded markup like e.g. { ... | ... } or [ ... ]
in favour of DocBook's proper tags
* use tags better matching the purpose,
e.g. use <filename class"directory"> instead of <command> for directories
* improve consistency in <replaceable>s
This allows us to generate templates also for arguments expecting
files (input, output) or PKCS#11 modules. The general ideal was
already implemented, but never completed.
* Add missing SHA224 RSA algorithms
* Fix wrong replacement in pkcs11-tool manual page
* Add MGF and PSS_PARAMS definitions in PKCS#11 header file
* Inspect PSS signature parameters in pkcs11-spy
* Enable RSA-PSS signatures in pkcs11-tool
* Added short names to RSA-PSS methods
* Reintroduce portable NORETURN indication for functions and use it to avoid compilers complaining
Add "--reset" parameter with optional argument to opensc-tool which
resets a card in reader. Both cold or warm resets are possible
(cold is default).
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
* pkcs11-tool: Add feature to get random data.
Getting random data is an essential part of the PKCS11 API.
This patch provides a new command line parameter to get
random data from the pkcs11-tool.
Tested with a Yubikey (PIV applet) and the following command line:
$ pkcs11-tool --slot=0 --generate-random=128 | hexdump -C
00000000 0c 35 85 2e 85 68 ab ce e8 56 b3 f6 f3 33 e6 37 |.5...h...V...3.7|
00000010 12 10 eb fd 8a 1e 75 b7 3f 4d fa 61 8f ab d8 bf |......u.?M.a....|
00000020 f7 2c 7d ba 07 a5 45 6e a7 85 1c 47 3b 46 01 2c |.,}...En...G;F.,|
00000030 79 18 6e 51 4d c4 ae 20 37 37 1d 7b 7e b0 d5 18 |y.nQM.. 77.{~...|
00000040 ef a4 3c 09 91 68 db dd 2a a8 fc b9 34 06 2a ee |..<..h..*...4.*.|
00000050 5a 86 55 54 11 1f ef 4e 07 73 79 27 0a e4 58 cf |Z.UT...N.sy'..X.|
00000060 f4 bd bc 2f ad 27 b1 a7 a4 fa c7 1a 7b 31 de a3 |.../.'......{1..|
00000070 e8 dc 85 28 18 82 00 45 3c f8 eb 48 a4 20 e4 3b |...(...E<..H. .;|
00000080
Signed-off-by: Christoph Müllner <christophm30@gmail.com>
* pkcs11-tool: Add documenation for --generate-random.
Signed-off-by: Christoph Müllner <christophm30@gmail.com>
* pkcs15-init,pkcs15-tool: reword --no-prompt to --use-pinpad (close#944)
Wording was confusing for a novice user. Old option is mantained as an alias,
but will print to stderr a deprecation warning.
Deprecation related code is all marked with deprecated word to easy future removal.
Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
* pkcs15-init,pkcs15-tool: document --use-pinpad
Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
Unnecessarily strict regex was failing for some unknown reason on OS X. Easier to just relax the regex than understand what's wrong (and then relax the regex).
Fixes#782
Add a comment field to the ssh key output if a label is set on the key. Add RFC4716 compliant key output for the new breed of modern (mobile) SSH clients.
VTA: use short form of log call in iso7816
Experienced a problem with dnie-tool where I would receive a warning with the content of /etc/bash_completion.d/dnie-tool.
The cause of the error was a missing case label which in turn was caused by the formatting of the dnie-tool.1.xml.
Options were formatted like <term><option--xarg, -x</option></term> which were not handled by the sed regular expression in the makefiles.
Modified the dnie-tool.1.xml file to be consistent with the other doc files and to generate the dnie-tool file correctly.
This generates the scripts that lets bash do completion per specific tool.
It gets the options from the documentation XML files that are also the
source for the man pages and HTML.
'PACE' is extremely card specific protocol and has not to be ostensibly
present in the common part of OpenSC:
* currently in OpenSC there is no card driver that supports or uses this protocol;
* amazing content of the common 'sc_perform_pace' -- beside the verbose logs
the only substantial action is to call the card/reader specific handler.
According to the current sources and the pull request 83
this 'common' procedure is called by the card driver or
card specific tool/operation.
* currently the 'PACE' can be thouroghly tested only by one person (Frank Morgner),
and only using the OpenSSL patched with the PACE specific patch.
So, at least a dedicated configuration option could be introduced when comiting PACE to the common part.
* common 'sc_perfom_pace' has the same role as the 'initialize-SM' handler of the existing SM framework
and can be implemented as card specific SM, as the others cards do.
This confirmed by Frank Morgner, the author of PACE commits and nPA card driver, himself.
(https://github.com/OpenSC/OpenSC/pull/83)
'Id' option in the pkcs15-init commands to import/generate a new key
is deprecated. Better s to let the MW to derive an identifier from
the key material.
In VERIFY, allow the user to enter the PIN unteractively if it was not given
on the command line, and if the card reader does not support PIN input.
If it was not given on the command line and the card reader supports PIN input,
then the bahaviour is unchanged: enter PIN via card reader.
openpgp-tool: PIN verfication support.
openpgp-tool: Add notification in case of error.
openpgp-tool: Add manual for key generation and PIN verification.
