- fixed printing tags on multiple bytes
- align indenting with raw tags
- use OpenSSL's human readable OID database
- only print the canonical names for universal tags
When building without OpenPACE there are two unused variables in
sc_hsm_init() that cause compiler to emit warnings about them.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
In minidriver before performing a card operation we currently check whether
the supplied card handles have changed.
If they did the card in reader might have been changed so we reinitialize
it.
However, in few places in reinitialization call path an error returned by
some operation would leave the context in an inconsistent state.
So let's walk through this path to make sure that functions there will exit
cleanly if an error happens.
Also, make sure that all card operations that actually do something have
the necessary check call in the first place and also that they all
consistently check whether VENDOR_SPECIFIC pointer is not NULL before
dereferencing it.
This is a cleanup part of "Keep track of card resets by other contexts in
minidriver" (that is, it does not include the actual reset handling code
introduced by that commit), simplified.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Many cards need multiple PINs to work correctly since different on-card
keys are secured by different PINs (this is true for for example OpenPGP
card).
Smart Card Minidriver API has supported such cards since version 6.02
(Vista+).
Use the same method as PKCS#11 driver does to discover user and sign PINs,
for consistency.
However, if there is a default container on card we'll make sure that its
PIN is an user PIN and if there is no default container we'll mark the one
with the user PIN as default.
All other PINs securing containers on card are added as next PINs, up to
MD_MAX_PINS.
Use this opportunity to also fix two cases where a pointer-to-DWORD
variable was passed as pointer-to-size_t parameter to
md_dialog_perform_pin_operation() - they are of different size on Win64.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
This will help when p11-kit is usead and wil allow for additional
CK*_* things to be defined that have a much better chance of being
unique.
OR in "OSC" to any CK*_VENDOR_DEFINED thing.
with #define SC_VENDOR_DEFINED 0x4F534300 /* OSC */
This follows Netscapes convention of doing the same but
using: #define NSSCK_VENDOR_NSS 0x4E534350 /* NSCP */
The current 2 defines CKA_* are for internal attributes.
On branch OSC_VENDOR_DEFINED
Changes to be committed:
modified: pkcs11-opensc.h
* Add missing SHA224 RSA algorithms
* Fix wrong replacement in pkcs11-tool manual page
* Add MGF and PSS_PARAMS definitions in PKCS#11 header file
* Inspect PSS signature parameters in pkcs11-spy
* Enable RSA-PSS signatures in pkcs11-tool
* Added short names to RSA-PSS methods
* Reintroduce portable NORETURN indication for functions and use it to avoid compilers complaining
Use the ASN.1 decoder's SC_ASN1_BIT_FIELD decoder to properly decode
into a machine word. As _bitstring_extension is used only for the OID
2.5.29.15 by all callers, which is at most 9 bits wide, this is a
reasonable thing to do.
Note, that there are a number of card drivers that still use
`sc_read_binary` in the wrong way. Unfortunately, I don't have the time
to go through all of them.
Fixes https://github.com/OpenSC/OpenSC/issues/1112
* Support for new MinInt agent card
This card uses the same ATR as the existing card, but the applet installed
does not have the same AID. This card actually works exactly as the
IASECC_SAGEM.
Unify iasecc_init for AMOS/SAGEM and MI cards
* cac: Make the retransmitted APDU valid by restoring the resplen
* cac: Check SWs for all the APDUs and report the errors to underlying layers
* cac: Fallback from CACv1 to CACv2 when CACv1 instruction is not recognized
for the lack of other pointers how to recongnize them
* avoid goto
- use UI framework
- timeout progressbar is running backwards
- cancelling is disabled by default
- removes card specific UI strings, use opensc.conf for that instead
- icon can be loaded by file
Pressing the cancel button in the PIN pad dialog should not close the
dialog. The application will still wait for the request to complete
even if the dialog is gone. Instead, we tell the user to press the
cancel butten on the PIN pad if the reader does not support SCardCancel.
When the dialog is shown in a separate thread and the user removes the
card, both, the thread for the pin pad operation and the main thread
are trying to access the card and context handles. Even worse, the main
thread deletes the context handle, which may result in a segmentation
fault for the thread with the pin pad operation.
- themable in the sense of using OS native design
- user messages on PIN pad dialog are identical to Base CSP, which still displays the dialog for PIN entry if no PIN pad is available
- adds progress bar to dialog
- Uses Smartcard icon extracted from DDORes.dll
- requires windows vista/windows server 2008 or above
tools/pkcs15-tool.c:
Dead assignment: Value stored to 'c' is never read
tools/pkcs11-tool.c:
Dead assignment: Value stored to 'n' is never read
Dead assignment: Value stored to 'rv' is never read
libopensc/card-cac.c:
Dead assignemnt: Value stored to 'tl_head_len' is never read
Dead increment: Value stored to 'outp' is never read
common/libpkcs11.c:
Memory leak in case of C_UnloadModule() fails
libopensc/pkcs15-pubkey.c:
Potential memory leaks
pkcs11/mechanism.c:
Potential memory leak
pkcs11/framework-pkcs15.c:
Potential memory leaks
Dereference of null pointer
Dead assignments
tools/sc-hsm-tool.c:
Function call argument is an uninitialized value
Dead assignment: Value stored to 'r' is never read
libopensc/card-openpgp.c:
Dead assignment: ignoring the errors in case of sc_pkcs15_encode_pubkey() failed
libopensc/pkcs15-cac.c:
Dead assignments: ignoring return values
libopensc/pkcs15-coolkey.c:
Dead assignments: ignoring return values
libopensc/card-sc-hsm.c:
Dereference of undefined pointer value: Properly check the file allocation
pkcs11/slot.c:
Dead assignment
pkcs15init/pkcs15-cflex.c:
Dereference of null pointer
Uninitialized argument values
MyEID does not support RAW RSA signature for 2048 bit key.
(Source: MyEID reference manual 2.1.4)
This hack uses decipher operation for calculating
RAW 2048 bit signature.
* Simplify CardOS 5.0 support (removing explicit 5.3 marker since the behavior should be the same)
* Restore RSA_PKCS signatures functionality
Closes https://github.com/OpenSC/OpenSC/pull/1079
Quoting from PKCS#11:
The CKA_ALWAYS_AUTHENTICATE attribute can be used to force re-authentication (i.e. force the user to provide a PIN) for each use of a private key. “Use” in this case means a cryptographic operation such as sign or decrypt. This attribute may only be set to CK_TRUE when CKA_PRIVATE is also CK_TRUE.
Re-authentication occurs by calling C_Login with userType set to CKU_CONTEXT_SPECIFIC immediately after a cryptographic operation using the key has been initiated (e.g. after C_SignInit).
Closes https://github.com/OpenSC/OpenSC/pull/1066
Calculating intrinsic key would probably be not wise, because
it would leak out information about the secret key. Try to
generate globally unique IDs just by using a random one.
- fixes decoding of SecretKeyAttributes
- adds support for algorithmReferences
- adds support for algIndependentKeys (PKCS#15 Generic keys)
- implements encoding of SKDF
- don't use private data on card matching
- instead, return 1 for every known ATR and only select the applet if the ATR is unknown.
- card initialization always selects the applet.
Advantage: decouples memeory management in matching from initializing the card.
Disadvantage: Applet is selected twice in case of an unknown ATR (once for matching and a second time for initializing the card).
Fixes https://github.com/OpenSC/OpenSC/issues/1042
- eac: allow CA without EF.CardSecurity
- sc-hsm: implemented CA based on document PKI
- sc-hsm: adds receive limit for SoC card
- introduces dedicated card type for SoC card
- md: integrate card's PIN pad capabilities
- installer: added SC-HSM SoC card to registry
- pkcs15-tool: Added support for PIN entry on card
- change/unblock PIN: add support for PIN entry on card
- added OpenPACE to macOS build
- travis-ci: install gengetopt/help2man via brew
- sc-hsm: Cache EF.C_DevAut
- sc-hsm: Prevent unnecessary applet selection and state resets
- sc-hsm: added support for session pin
- sc-hsm: avoid multiple AID selection
- sc-hsm: Use the information from match_card for all subsequent selections of the applet
- sc-hsm: cache optional files as empty files (Decoding the files will reveal that they were not existing prior caching. This avoids selecting the file though we have already tried to cache the file before.)
- use dedicated directory for CVC trust anchors
- appveyor: added OpenPACE to windows build
regression of 45a7ea9737075b5901fe7a5d65ed898733140315:
due to the change in the linkage, the symbols should be found in
opensc.dll instead of the static support libraries.
Add code to support OpenSSL initialization correctly when using OpenSSL-1.1
Tested with OpenSSL-1.1.0c and OpenSSL-1.1.0e.
Changes to be committed:
modified: src/tools/piv-tool.c
Communication defined by ISO/IEC 14443 is identical to T=1, so make
sure we connect in the right mode to the card so that the constructed
APDUs can be handled by the card.