Call the tools to be tested with option '--help' to avoid
triggering automatic actions when no option is given.
Exampleswhy the old behaviour is bad:
- opensc-notify: blocks the build
- opensc-explorer: tries to open the card
* get rid of hard-coded markup like e.g. { ... | ... } or [ ... ]
in favour of DocBook's proper tags
* use tags better matching the purpose,
e.g. use <filename class"directory"> instead of <command> for directories
* improve consistency in <replaceable>s
Instead ogf blindly using "%lu", use "%"SC_FORMAT_LEN_SIZE_T"u"
to cope with the various implementations.
This fixes a bug introduced in commit 20b1d829
Instead of simply searching for a trigger byte with the risk of
getting garbage, correctly parse historical bytes from ATR as well
as the "historical bytes" DO as compact TLV structures.
In addition
- prepare for additional data used in OpenPGP cards 3.x
- ignore [per the spec] chaining capability fo OpenPGP cards 1.x
This is also done in the official AusweisApp2 and avoids confusion with
other tokens that also have an EF.CardAccess and are capable of
verifying the PIN via PACE.
Fixes https://github.com/OpenSC/OpenSC/issues/1360
Let sc_get_challenge() do sc_lock() and loop through the card driver's
get_challenge() until enough bytes were collected. The card driver's
get_challenge() now returns the number of bytes collected (less or equal
than requested) or an error code.
- Allow more code re-use.
- PIV driver now uses ASN.1 parser for reading the random bytes
sc_pkcs15_verify_pin say:
/* if pin cache is disabled, we can get here with no PIN data.
* in this case, to avoid error or unnecessary pin prompting on pinpad,
* check if the PIN has been already verified and the access condition
* is still open on card.
*/
It then call sc_pkcs15_get_pin_info
A context specific login is used in PKCS#11 to force the user
to enter the PIN again and a verify command be sent to the card.
(Actually it could be a different value for the PINi depending on the card)
sc_pkcs15_get_pin_info will then call the card driver, but does not
say why it is testing the login status.sc_pkcs15_get_pin_info may return
SC_PIN_STATE_LOGGED_IN=1 and sc_pkcs15_verify_pin will then skip sending
the actual verify command to the card via _sc_pkcs15_verify_pin
To avoid this, sc_pkcs15_get_pin_info will set data.pin_type = pin_info->auth_method;
In the case of a context specific login, this is SC_AC_CONTEXT_SPECIFIC
and the card driver can take action and can return SC_PIN_STATE_LOGGED_IN=0
so the verify will be done.
The PIV driver card-piv.c does this. Other drivers could do something similar.
Date: MOn May 21 20:40:00 2018 -0500
On branch History-fixes
Changes to be committed:
modified: card-piv.c
modified: pkcs15-pin.c
If a PIV card does not have or support a Discovery Object and
is known to lose the login state when the PIV AID is selected,
nothing was done in piv_card_reader_lock_obtained.
If was_reset > 0 select the PIV AID to at least get the
PIV AID selected.
For other cards either reading the Discovery a object and/or
selecting the PIV AID will make sure the PIV AID is selected.
If multiple applications are using the card, this will allow
the first one to select the AID, and any others that handle
a reset will not cause interference wit the first.
On branch History-fixes
Changes to be committed:
modified: card-piv.c
&& is replaced by || in the test of valid key references
for retired keys found in the Historic object.
For retired keys, the user_consent flag was being set by default.
Thus a C_Login(CKU_CONTEXT_SPECIFIC) would be required.
NIST 800-73 only requires PIN_Always on the Sign Key.
To extend the usefullnes of "retired keys" on non government
issued PIV-like cards, code had already been added
to use the certificate keyUsage flags to override the NIST
defined key usage flags. The NONREPUDATION flag is now used
to set the user_consent flag.
So rather then always requiring C_Login(CKU_CONTEXT_SPECIFIC)
for any retured key, the code only requires it for non government
cards where teh certificate has NONREPUDATION.
Changes to be committed:
modified: card-piv.c
modified: pkcs15-piv.c
* Previously, it was dependent on ATR blocks, but it did
not allow enrolling various types of cards without knowning
their ATR in advance.
* Improved documnetation for this option in configuration files
Resolves: #1265
- add macro PACKAGE_VERSION_REVISION dealt with in bootstrap.ci
- restrict to those macros only that are mangled by bootstrap.ci
- update comments on the file's purpose and the processes around it
Do not blindly override already defined variables or macros with
outdated values by including version.m4
This makes sure the definitions of variables or macros defined earlier
in configure.ac remain intact; e.g. it keeps the macro PRODUCT_BUGREPORT
set to the GitHub URL instead of pointing to a SourceForge mail address.
Using the forced-driver prevents parsing of additional constructions
in configuration files (for example flags based on ATRs). This
implementation replaces transparently the existing list defined in
card_drivers.
Resolves: #1266
The following errors occured during a compilation using gcc 8:
In function »gids_create_file.constprop«,
inserted by »gids_save_certificate.isra.8« beicard-gids.c:1548:7:
card-gids.c:465:2: Error: »strncpy« output may be truncated copying 8 bytes from a string of length 8 [-Werror=stringop-truncation]
strncpy(record->filename, filename, 8);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkcs15-oberthur.c: In function »sc_pkcs15emu_oberthur_add_prvkey«:
pkcs15-oberthur.c:741:5: Error: »strncpy« output may be truncated copying 254 bytes from a string of length 254 [-Werror=stringop-truncation]
strncpy(kobj.label, objs[ii]->label, sizeof(kobj.label) - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* reader-pcsc: Do not temporarily set SC_READER_REMOVED on all readers
Fixes#1324.
* reader-cryptotokenkit: Do not temporarily set SC_READER_REMOVED on all readers
See #1324.
It was used to make pkcs11-tool work with vendor defined PKCS#11
modules. If this behavior is still desired, pass the define
ZERO_CKAID_FOR_CA_CERTS during the build
Don't pretend that we're capable of performing memory locking. The
implementation of that, `sc_mem_alloc_secure()` (also removed), was
almost unused anyway.
Peter Marschall
Frank Morgner
rmartinc
Doug Engert
Jakub Jelen
Jakub Jelen
Alon Bar-Lev
Florian Bezdeka
David Ward