"The encoding of {public,private}GOSTR3410Key uses tag [CONTEXT 3] which is reserved for KEAKey.
Caused by the fact, that the specifications (pkcs15,iso) don't define a encoding for GOST,
the genericKey encoding [CONTEXT 4] from iso-7816 should be used." (Andre)
* Make the OPENSC_DEBUG environment variable work even when no
conf file is available.
https://www.opensc-project.org/opensc/ticket/388
Signed-off-by: Viktor Tarasov <viktor.tarasov@gmail.com>
According to ch.4.2 of MyEID reference manual v1.7.6 the only possible value of P2 of 'SELECT' APDU is '00'.
For this reason, when caller do not request to return 'sc_file' data,
use the non-null dummy 'sc_file' pointer in the call of iso->select_file,
and thus avoid the P2 different from '00'.
Also log calls are replaced by its short forms,
and resolved the 'trailing spaces' issues.
When OpenSC is used with a card that enforces user_consent
and the calling PKCS#11 application does not understand how
to handle the CKA_ALWAYS_AUTHENTICATE, signature operations
will fail.
OpenSC will not cache a PIN that protects a user_consent
object as one would expect.
This mods allows PINs to be cached even if protecting a
user_consent object by adding
pin_cache_ignore_user_consent = true;
option in opensc.conf.
Thunderbird is the prime example of this situation.
Mozilla has accepted mods (357025 and 613507) to support
CKA_ALWAYS_AUTHENTICATE that will appear in NSS-3.14 but
this may be some time before this version is in vendor
distribution.
In file included from pkcs15.c:30:
cardctl.h:870: error: expected specifier-qualifier-list before 'time_t'
Change-Id: I5faad5462ba6268fd7cf48a04f41e1755597ad0c
The card contains only 1 certificate, which can be used for encrypting.
But this certificate is bound with authentication key, so when decrypting,
the authentication key will be presented to check.
This commit allows to bypass the check in driver. However, it is not enough.
The users have to import the same key to "Encryption key" to help the card find
right key to work.
OpenPGP: Add log and comments.
OpenPGP: Pretend to select dummy files.
Some files are needed by pkcs15init, but not exist in OpenPGP card.
We pretend to know these dummy files to make pkcs15init successful.
Compilation error on windows:
when declaring array use explicit size, add pkcs15-openpgp.obj in Makefile.mak
OpenPGP: Some indentations need to be tab-size-independent.
OpenPGP: Check for null data when storing fingerprints.
OpenPGP: Allow to provide creation time to store (when gen/import key).
Old: Only store current time.
New: Can provide time to store, not only calculate current time.
OpenPGP: Correct setting content of pubkey blobs after key generation.
cardctl: Add definitions to support key import in OpenPGP.
OpenPGP: Add support for key import at driver level.
Correct the way to parse response data.
Updated wrong blob for pubkey info <~~ Fix.
OpenPGP: Store creation time after generating keys.
OpenPGP: Put_data: Handle the case that DO exists but its blob does not.
When checking DO before writing, relying on blobs only will miss the case that DO exists but its blob does not, when DO is non-readable.
OpenPGP: Set algorithm attributes before generating key.
OpenPGP: Add dependency of OpenSSL.
OpenPGP: Calculate and store fingerprint.
Calculate and store fingerprint after generating key.
OpenPGP: Update blob of pubkey info.
Update blob holding pubkey info after generating key.
OpenPGP: Add step to update card algorithms.
Update card algorithms after generating key. However, this step is not implemented yet, because of suspection about wrong data (see code comment).
CKA_ALWAYS_AUTHENTICATE implies CKU_CONTEXT_SPECIFIC login, but all this
key really should need is a C_Login with CKU_USER.
The historical reason for having CKA_ALWAYS_AUTHENTICATE set was to keep
Firefox/NSS from using that particular key for SSL connections. However,
starting with Firefox 8, NSS ignores Non Repudiation certificates for
SSL and that makes the CKA_ALWAYS_AUTHENTICATE workaround unnecessary.
Now that Firefox is fixed, drop the workaround in OpenSC so that
applications that follow the pkcs11 spec wouldn't have to login twice to
access the key.
For some cards some APDUs are always transmitted in a plain mode,
even if SM session is opened.
For these APDUs the 'get_sm_apdu' card's handler returns SUCCESS without wrapped APDU version.
In such cases 'transmit' is called for the plain APDU.
when freeing key object, do not throw an error if supplied key pointer is NULL;
sc_pkcs15_free_prkey() procedure should not free the supplied key pointer,
the body of this procedure is replaced by body of sc_pkcs15_erase_prkey().
staitc sc_pkcs15_erase_prkey() is not more used.
* use LOG_FUNC_CALLED() .. LOG_FUNC_RETURN for "symmetric" logging
* don't zero-fill the DO's contents but empty it
* get rid of unnecessary variables
* select parent DF after deletion (required by to ISO 7816-9)
* don't try to delete MF
Fail on idx > 0 in order to avoid the requirement to read from the DO.
The DO may be read-protected, and this might either fail or produce
wrong results.
* use LOG_FUNC_CALLED() .. LOG_FUNC_RETURN for "symmetric" logging
* update comment
* check that blob->data is defined
* fix writing new data to the correct offset
* use calloc() instead of malloc() & memset()
* align pgp_ops function pointer list
* make sure variables of type u8 do only get passed fitting data
* use LOG_FUNC_CALLED() .. LOG_FUNC_RETURN for "symmetric" logging
* leave most of the spcial casing in ADPU handling to sc_adpu_transmit()
* use SC_ADPU_CASE_1 for empty buffer (avoids special casing Lc=0)
* clean up log strings & comments
Replace the "one-trick-pony" pgp_do_iswritable() with a more generic
function returning the blob matching the passed tag.
This way we can get rid of the one-line function pgp_blob_iswritable() too.
comparisons like these can be done in the caller.
Set pin references to 0x01 - 0x03 instead of 0x81 - 0x83.
The PINs are referenced as PIN1- PIN3 (resp. PW1 - PW3) in the OpenPGP
card specification.
Technically the APDUs to verify/change the PINs contain the values OR-ed
with 0x80, but this is just a technical detail of the implementation
which the emulated file system can hide in pgp_pin_cmd().
Pros & Cons:
+ consistent PIN naming
+ no trouble entering the correct PIN names in opensc-explorer et.al.
("verify CHV1" is way better than "verify CHV129")
- manually entering the correct APDU for VERIFY is a bit more complex.
(who does this anyway, when there are better functions)
While at it, change if .. elsif ... cascade to switch statement.
Viktor Tarasov
Stef Walter
Nguyễn Hồng Quân
Doug Engert
Ludovic Rousseau
Kalev Lember
Frank Morgner
Peter Marschall