Some cards can provide supported algorithms in tokenInfo
which contain ECDSA OID, and PKCS11 mechanism
Don't know how many Algo_refs were actually read,
and a ref of 0 may be valid. print at least one Algo_refs.
Print the mechanism from PKCS11, and print operations
Use the $(top_srcdir)/src/pkcs11/pkcs11-display.c on Unix
Use the $(TOPDIR)\src\pkcs11\pkcs11-display.obj on Windows
pkcs15.tool.c treat ECDSA OID as inline
pkcs15-tool prints PKCS11 mechanisms using pkcs11-display.c
Automake now warns that the default will change, in the future
so "[subdir-objects]" is added to configure.ac
Changes to be committed:
modified: configure.ac
modified: src/tools/Makefile.am
modified: src/tools/Makefile.mak
modified: src/tools/pkcs15-tool.c
In tests, make sute test data is either padded, or "zero" padded
so size if data <= modlen - 11. The smallest pad in 11 bytes,
00 | NN | PS | 00. PS is at least 8 bytes.
"zero" padding has N = 00, PS >= 8 byte of 00.
On branch cardos-5.3
Changes to be committed:
modified: tools/pkcs11-tool.c
always should be used, even if a PIN pad reader is used. PIN must only
be fetched from the PIN pad reader if the corresponding parameter is
null.
Before this commit PIN was always fetch from the reader if the PIN could
be fetched from the reader.
The 'pkcs11-tool has also been updated. Before parameters was never
taken from the command line if a PID pad reader was used. Now PINs from
the command line is always used but if not existing the PIN is fetched
from the reader if a reader with a PIN pad is used, otherwise the user
is prompted for PIN(s) from the CLI.
- If readers are attatched, the new reader is probed for a card to check
if a notification needs to be sent
- removal of readers are not notified to the user, we assume that PC/SC
sends the correct card removal event
- The list of readers to be monitored is adjusted once a reader (dis)appears
- On macOS, without PnP notification, we always check for new/removed
readers with SCardListReaders
- fixes interrupt handling in opensc-notify on Unix
fixes https://github.com/OpenSC/OpenSC/issues/1874
* replace magic magic number used as potentially too small buffer size
by SC_MAX_EXT_APDU_RESP_SIZE
* start error message with upper-case letter
* return 0 on success
* bug fix: pass correct buffer length to sc_update_record()
* bug fix: report correct number of bytes written
* bug fix: check for offs to be small enough
* replace magic magic number used as potentially too small buffer size
by SC_MAX_EXT_APDU_DATA_SIZE
* remove print() statement that looks suspiciously like a leftover from debugging
* start error messages with upper-case letters
* use sc_strerror(r) instead of plain numeric r in error messages
* fix spaces before opening curly braces
* replace magic magic number used as potentially too small buffer size
by SC_MAX_EXT_APDU_DATA_SIZE
* remove print() statement that looks suspiciously like a leftover from debugging
* start error messages with upper-case letters
* use sc_strerror(r) instead of plain numeric r in error message
* fix spaces before opening curly braces
* replace magic magic number used as potentially too small buffer size
by SC_MAX_EXT_APDU_RESP_SIZE
* replace magic number for filename by SC_MAX_PATH_STRING_SIZE
* start error messages with upper-case letters
* use braces after sizeof, i.e. sizeof(X) instead of sizeof X
* fix indentation
* determine DO ID/tag the same way as do_find_tags()
* start error message with upper-case letter
* use sc_strerror(r) instead of plain numeric r in error message
* adapt size of buffer to SC_MAX_EXT_APDU_DATA_SIZE
* determine DO ID/tag the same way as do_find_tags()
* replace magic magic number used as potentially too small buffer size
by SC_MAX_EXT_APDU_RESP_SIZE
* change buffer type from unsigned char to u8 for consistency with
do_put_data() & do_find_tags()
* give ID/tag of DO in error message
* open target file in binary mode
* set default values for variables at declaration time
* replace magic number used as potentially too small buffer size
by SC_MAX_EXT_APDU_RESP_SIZE
* use braces after sizeof, i.e. sizeof(X) instead of sizeof X
* set default values for variables at declaration time
* use sizeof(fid) instead of magic number
* use braces after sizeof, i.e. sizeof(X) instead of sizeof X
* start error message with upper-case letter
* rename from read_and_util_print_binary_file(); adapt callers
* use large enough buffer size SC_MAX_EXT_APDU_RESP_SIZE
instead of potentially too small magic number
* fix spaces before opening curly braces
* avoid special casing SC_CARD_TYPE_BELPIC_EID: a successful read
of an empty file is still a success, even if nothing can get printed
* do not fail on SC_FILE_TYPE_UNKNOWN: be more flexible w.r.t accepting
unknown file types when the preceding card operations succeeded
* fix spaces before opening curly braces
* distinguish between Internal and Working EFs
* add information optionally available in sc_file_t
- record_count
- record_length
- type_attr
* align all labelled values
Replace magic numbers, used as size of PIN-type buffers,
with the symbolic constant SC_MAX_PIN_SIZE, fixing
- readability / understandability
- too small sizes (e.g. for GnuPG cards)
* OpenPGP v3 increased the size for private DOs. Adapt to it.
* Use the symbolic constant from the refactored OpenPGP driver
instead of relying on magic numbers.
- remove command line option '--card-driver';
- instead force driver 'dnie' and fail if card is not a DNIe card
- overhaul option parsing
- remove unused variable 'long_optind'
- bail out with usage message on all unknown/unhandled args
- correctly terminate option parsing (no infinite loop)
- slight refactoring
- avoid magic constant '0x0f'
- make variable 'tries_left' more local
- move dependent code into if block
- remove command line option '--card-driver';
- instead force driver 'cardos' and fail if card is not a CardOS card
- overhaul option parsing
- remove unused variable 'long_optind'
- bail out with usage message on all unknown/unhandled args
- correctly terminate option parsing (no infinite loop)
- remove command line option '--card-driver';
- instead force driver 'PIV-II' and fail if card is not a PIV card
- overhaul option parsing
- remove unused variable 'long_optind'
- make work option '--reader' ( "r:" was missing in the optstring!!!)
- bail out with usage message on all unknown/unhandled args
- correctly terminate option parsing (no infinite loop)
Rename option '--driver' to '--card-driver' for increased consistency.
In addition, extend it the same way opensc-explorer was extended. I.e.
treat the question mark given as argument to option '--card-driver'
special: list all available drivers instead of stupidly bailing out.
In contrast to opensc-tool and opensc-explorer, which are card-agnostic,
I am not sure whether the option '--card-driver' makes sense on this
card-specific tool.
Extend cardos-tool the same way opensc-explorer was extended. I.e.
treat the question mark given as argument to option '--card-driver'
special: list all available drivers instead of stupidly bailing out.
In contrast to opensc-tool and opensc-explorer, which are card-agnostic,
I am not sure whether the option '--card-driver' makes sense on this
card-specific tool.
Extend piv-tool the same way opensc-explorer was extended. I.e.
treat the question mark given as argument to option '--card-driver'
special: list all available drivers instead of stupidly bailing out.
In contrast to opensc-tool and opensc-explorer, which are card-agnostic,
I am not sure whether the option '--card-driver' makes sense on this
card-specific tool.
Extend opensc-tool the same way opensc-explorer was extended. I.e.
treat the question mark given as argument to option '--card-driver'
special: list all available drivers instead of stupidly bailing out.
Make opensc-explorer a bit more user friendly by treating the question mark
given as argument to option '--card-driver' special: list all available
drivers instead of stupidly bailing out.
Fixes
error: misleading indentation; statement is not part of the previous 'if' [-Werror,-Wmisleading-indentation]
if(cipher)
^
../../../git/src/libopensc/card-entersafe.c:369:2: note: previous statement is here
if(sbuf)
^
Before the output looked like this, if a public key was not found:
```
testing key 1 (IDKey2)
RSA-X-509: OK
RSA-PKCS: OK
testing key 2 (IDKey3)
couldn't find the corresponding pubkey for validation
couldn't find the corresponding pubkey for validation
RSA-X-509: RSA-PKCS: testing key 3 (IDKey4)
couldn't find the corresponding pubkey for validation
couldn't find the corresponding pubkey for validation
```
Now:
```
testing key 1 (IDKey2)
RSA-X-509: OK
RSA-PKCS: OK
testing key 2 (IDKey3) -- can't find corresponding public key, skipping
testing key 3 (IDKey4) -- can't find corresponding public key, skipping
```
Before it was a bit confusing, e.g.:
```
testing key 1 (2048 bits, label=IDKey2) with 1 signature mechanism
RSA-X-509: OK
couldn't find the corresponding pubkey
testing key 2 (0 bits, label=IDKey3) with 1 signature mechanism -- can't be used to sign/verify, skipping: can't obtain modulus
```
The error message in line 3 is for IDKey3 and not for IDKey2.
With this patch the output is aligned with `test_verify`:
```
testing key 1 (IDKey2) with 1 mechanism
RSA-X-509: OK
testing key 2 (IDKey3) with 1 mechanism -- can't find corresponding public key, skipping
```
* pkcs11-register: Fixed detection of already registered OpenSC
Anny configuration of onepin-opensc-pkcs11.so and opensc-pkcs11.so
should be enough to skip registering the default module again.
* Use onepin module for generic NSS DB
fixes https://github.com/OpenSC/OpenSC/issues/1818
May have the disadvantage that some other programs that use NSS don't
see the signature keys. However, we currently only know for sure that
Chromium is using the generic NSS DB.
opensc-tool: for options --version, --list-readers, -D, etc. we do not
need to connect card/reader. This removes unnecessary error messages
if card is not present in card reader or if reader is not available.
util.c: use symbolic error codes, pass error codes to caller without change.
Option -r is used in other opensc tools to specify card reader. pkcs15-tool
uses -r to specify cerfificate. This fix intorduces warning message if -r
is used, and for future versions of pkcs15-tool -r is used to specify
reader.
Jakub Jelen
Doug Engert
Frank Morgner
Vladimir Panteleev
Lars Silvén
Peter Marschall
carblue
Priit Laes
Khem Raj
Julian Strobl
Peter Popovec
Raul Metsma
Andreas Kemnade
alegon01
Dmitriy Fortinskiy