Vincent JARDIN
e93bd3983c
IASECC/Gemalto: add support
...
Add support for Gemalto's IAS ECC Dual ID One Cosmo using samples from:
http://cartesapuce-discount.com/fr/cartes-a-puce-ias-ecc/146-cartes-a-puce-protiva-ias-ecc-tpc.html
Some support was already available (ATR, init, etc.), but the
select_file was missing the proper cases.
2021-04-26 21:37:39 +02:00
Frank Morgner
3f19991556
updated NEWS
2021-04-26 18:13:43 +02:00
Frank Morgner
4ecb4b39ac
updated documentation
2021-04-26 18:13:43 +02:00
Frank Morgner
75f24d2af7
regenerated egk-tool cmdline
2021-04-26 18:13:43 +02:00
Frank Morgner
2063a1d334
silence generation of files
2021-04-26 18:13:43 +02:00
Vincent JARDIN
e3a3722ad1
IASECC/CPX: Fix SDO path
...
Some objects need to be read from a specific path.
IASECC_SDO_PRVKEY_TAG: from 3F00:0001
IASECC_SDO_CHV_TAG: from 3F00
2021-04-26 15:55:17 +02:00
Vincent JARDIN
fcd2e665fe
IASECC/CPX: fix APDU errors for SE get data
...
On a CPX, this object needs to be read from 3F00.
For instance:
$ opensc-explorer -r 2
OpenSC [3F00]> cd 0002
OpenSC [3F00/0002]> apdu 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Sending: 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Received (SW1=0x6A, SW2=0x88)
Failure: Data object not found
OpenSC [3F00/0002]> apdu 00 A4 09 04 02 3F 00
Sending: 00 A4 09 04 02 3F 00
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/0002]> apdu 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Sending: 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Received (SW1=0x90, SW2=0x00)
Success!
Currently, this patch is limited to the CPX cards since I cannot know
the behaviour for the other cards. I could not find any reference
from the standard.
Fix: issue #2275
2021-04-26 15:55:17 +02:00
Vincent JARDIN
405ecfc402
IASECC: proper pkcs15init of Algo_refs
...
For some Private RSA Keys, their Algo_refs remain empty:
$ pkcs15-tool -k --verify-pin --pin 1234
Using reader with a card: ACS ACR33U-A1 3SAM ICC Reader 00 00
Private RSA Key [CPS_PRIV_SIG]
Object Flags : [0x01], private
Usage : [0x200], nonRepudiation
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 0
Access Rules : pso_cds:01;
ModLength : 2048
Key ref : 129 (0x81)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001001
MD:guid : e7aab727-f2af-e673-37bb-7d43867a6349
Private RSA Key [CPS_PRIV_AUT]
Object Flags : [0x07], private, modifiable
Usage : [0x06], decrypt, sign
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 6, 3, 4
Access Rules : pso_decrypt:01; int_auth:01;
ModLength : 2048
Key ref : 130 (0x82)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001002
MD:guid : 2b6bf284-225c-80bc-8cbe-1c791db33543
Based on Usage : [0x200], nonRepudiation the SC_PKCS15_PRKEY_USAGE_NONREPUDIATION
may be set but not the SC_PKCS15_PRKEY_USAGE_SIGN so line 801 is never tested.
Having just SC_PKCS15_PRKEY_USAGE_NONREPUDIATION set and not doing anything does not
make any sense for any card.
Suggested-by: Doug Engert <deengert@gmail.com>
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Vincent JARDIN
544aa4cc6b
IASECC/CPX: Fix up prkeyinfo/algo_ref
...
Extend the current support from 9abf8ee04c
in order to add a fixup for the CPx cards.
Since the data is not properly encoded when the card is initialized
let's re-build it for each run time from the DF.
Suggested-by: Doug Engert <deengert@gmail.com>
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Vincent JARDIN
137286858f
IASECC/CPX: enable calls thru pkcs15-iasecc.c
...
Same as Gemalto's IASECC, the CPX cards need a workaround since
the PrKey does not have its Algo_refs.
We get:
pkcs15-tool -k --verify-pin --pin 1234
Using reader with a card: ACS ACR33U-A1 3SAM ICC Reader 00 00
Private RSA Key [CPS_PRIV_SIG]
Object Flags : [0x01], private
Usage : [0x200], nonRepudiation
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 0
Access Rules : pso_cds:01;
ModLength : 2048
Key ref : 129 (0x81)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001001
MD:guid : e7aab727-f2af-e673-37bb-7d43867a6349
Private RSA Key [CPS_PRIV_AUT]
Object Flags : [0x07], private, modifiable
Usage : [0x06], decrypt, sign
Access Flags : [0x0D], sensitive, alwaysSensitive, neverExtract
Algo_refs : 0
Access Rules : pso_decrypt:01; int_auth:01;
ModLength : 2048
Key ref : 130 (0x82)
Native : yes
Path : e828bd080f8025000001ff0010::
Auth ID : 01
ID : e828bd080f8025000001ff001002
MD:guid : 2b6bf284-225c-80bc-8cbe-1c791db33543
We need to get Algo_refs to be set to something that is not 0.
Fix: issue #2267
2021-04-26 15:52:09 +02:00
Vincent JARDIN
39b4472f38
IASECC/CPX: export pkcs15init for missing features
...
Some cards, such as the CPX are missing features that should
have been initialized using:
iasecc_pkcs15_encode_supported_algos()
Let's export this function in order to build a fixup when the DF
should be parsed.
When OPENSSL is missing, an error should be raised since this
workaround for the CPX cards cannot work. It means that
any environments that use the CPX cards must be compiled with
ENABLE_OPENSSL.
Suggested-by: Doug Engert <deengert@gmail.com>
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Vincent JARDIN
396cbc46cf
IASECC/CPX: set default flags
...
The CPX has the standard capabilities of the IASECC standard.
Let's be careful with memory leakage, see the
previous commit 83162c5c8
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Frank Morgner
4912f05701
use OpenPACE 1.1.1
2021-04-25 12:03:52 +02:00
Peter Marschall
344ac0abe6
iasec: use proper printf format specifiers for size_t
...
Do not hard-code the printf format specifier for size_t: use the macro instead.
This fixes compilation on 32-bit architectures.
2021-04-20 14:26:37 +02:00
Jakub Jelen
d6ec00c870
cardos: Add ATR for CardOS 5.4
...
Hopefully fixes #2296
2021-04-15 17:59:31 +02:00
Peter Popovec
dd48facd38
travis CI: testsuite fix (tests/test-pkcs11-tool-allowed-mechanisms.sh)
...
Ubuntu (focal) softhsm2 workaround - mechanism listing incorrect
2021-04-14 11:02:58 +02:00
Peter Popovec
7d274a0d72
travis-ci: Try to run the tests on Ubuntu 20 (Focal Fossa)
2021-04-14 11:02:58 +02:00
Jakub Jelen
ef17b3fb89
tests: Fix comparison for osx
2021-04-13 21:58:47 +02:00
Jakub Jelen
cae5c71f90
oberthur: Handle 1B OIDs
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32807
2021-04-13 21:58:47 +02:00
Jakub Jelen
4b3c6dec07
.travis: Fail if tests fail
2021-04-13 21:58:47 +02:00
Frank Morgner
991bb8a141
add CPDK include flags
2021-04-08 15:15:46 +02:00
Frank Morgner
a83069b89f
updated to Microsoft Cryptographic Provider Development Kit (CPDK) Version 8.0
2021-04-08 11:25:08 +02:00
Carsten Blüggel
edb7ed25e4
pkcs11-tool: disable wrap/unwrap test until OpenSC#1796 is resolved
2021-04-07 10:25:54 +02:00
Frank Morgner
545e47b29e
preparation for 0.22.0
2021-04-06 13:42:50 +02:00
Vincent JARDIN
1a3666364d
IASECC/CPX: Avoid APDU Incorrect Parameters
...
Without this patch, we would get from the logs:
Outgoing APDU (18 bytes):
00 A4 04 00 0D E8 28 BD 08 0F 80 25 00 00 01 FF ......(....%....
00 10 ..
[opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
[opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
6A 86 j.
[opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
[opensc-pkcs11] apdu.c:537:sc_transmit: returning with: 0 (Success)
[opensc-pkcs11] card.c:523:sc_unlock: called
[opensc-pkcs11] iso7816.c:128:iso7816_check_sw: Incorrect parameters P1-P2
[opensc-pkcs11] card-iasecc.c:1064:iasecc_select_file: Warning: SC_ERROR_INCORRECT_PARAMETERS for SC_PATH_TYPE_DF_NAME, try again with P2=0x0C
[opensc-pkcs11] apdu.c:548:sc_transmit_apdu: called
[opensc-pkcs11] card.c:473:sc_lock: called
[opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
[opensc-pkcs11] apdu.c:515:sc_transmit: called
[opensc-pkcs11] apdu.c:363:sc_single_transmit: called
[opensc-pkcs11] apdu.c:367:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:C, data(13) 0x7fff4b339b20
[opensc-pkcs11] reader-pcsc.c:323:pcsc_transmit: reader 'Ingenico TL TELIUM (25005334) 00 02'
[opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
Outgoing APDU (18 bytes):
00 A4 04 0C 0D E8 28 BD 08 0F 80 25 00 00 01 FF ......(....%....
00 10 ..
[opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
[opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
90 00 ..
Let's align it with the behaviour of the other IASECC cards.
2021-04-01 11:11:33 +02:00
Vincent JARDIN
0df0f80b55
IASECC: log any APDU Incorrect parameters
...
From the logs, we can detect many 6A 86 (Incorrect P1 or P2 parameters).
A deeper analysis will be required, but the best option to check them
is to start emitting any Warning for such events.
2021-04-01 11:11:33 +02:00
Philip Prindeville
b9c0addf88
update configure.ac to be less noisy
...
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2021-04-01 11:09:22 +02:00
yehj
c3c5f2d518
Add criteria to check if card capability SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH is available
...
The code segment checks the response to determine if the
SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH is available.
From the APDU manual of the sc-hsm, there's one status word:
SC_ERROR_REF_DATA_NOT_USABLE(0x6984) that should also be taken into account.
2021-04-01 10:29:33 +02:00
Frank Morgner
83162c5c87
fixed memory leak
...
fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32324
sc_enum_apps() causes card->cache.current_ef to be allocated for
IAS/ECC, but not freed if any other error occurs during initialization.
Since sc_enum_apps() is called anyway during PKCS#15 initialization,
having this at the card driver level (instead of the PKCS#15 level) is
not needed.
2021-03-24 23:27:01 +01:00
Frank Morgner
ce0d409205
Avoid accessing Uninitialized scalar variable
...
regression of c581d1b26
coverity scan CID 367545
2021-03-24 23:27:01 +01:00
Jakub Jelen
7114fb71b5
coolkey: Initialize potentially uninitialized memory
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28855
2021-03-24 16:25:08 +01:00
Jakub Jelen
9cc942fd47
framework-pkcs15: Fix PKCS#11 semantics while encoding EC pubkey params
2021-03-24 16:25:08 +01:00
Jakub Jelen
7d0abdc192
p11test: Remove unnecessary spaces in JSON output
2021-03-24 16:25:08 +01:00
Jakub Jelen
370eda4bd8
framework-pkcs15: Avoid strict aliasing issues
2021-03-24 16:25:08 +01:00
Frank Morgner
5f9085fedb
Merge pull request #1960 from Jakuje/eddsa
...
Add support for (X)EdDSA keys in OpenPGP driver
2021-03-22 15:36:59 +01:00
Marco Trevisan (Treviño)
845eac4250
pkcs11-global: Obey the tokenPresent parameter on C_GetSlotList
...
Since commit dba0f56
the tokenPresent parameter is ignored in case the
slot has been already seen.
This breaks the API expectations as we may return a slot that has no
token inserted.
So, only consider the SC_PKCS11_SLOT_FLAG_SEEN if tokenPresent is false
2021-03-22 15:35:55 +01:00
Vincent JARDIN
40e9a9c830
pkcs15: log HSM capabilities (can_do)
...
Some Smartcards have some capabilities (for instance the IASECC)
that can influence the can_do cases. In order to track them, it
is useful to log any checks.
2021-03-22 13:15:12 +01:00
Vincent JARDIN
b18234a7d9
iasecc: Fix ACLs support when length is 6 ( #2264 )
...
* IASECC: offset is a size_t
Let's use a size_t for the offset in order to have a proper logic
along with the related arithmetics.
Fix: part of issue #2262
Suggested-by: Frank Morgner <frankmorgner@gmail.com>
* iasecc: Fix ACLs support when length is 6
ACLs with length < 6 are allowed, depending on the mask of the offset 0.
For instance, when the offset 0 is 0x7B, then length can be up to 7
when the offset 0 is 0x7A, the loop was never performing any access to
the acls[7] thanks to:
if (!(mask & acls[0]))
continue;
However, the oss-fuzz tools cannot guess such behavior. So let's have a
robust boundary check.
Fix: issue #2262
Fix: ae1cf0be90
'Prevent stack buffer overflow when empty ACL is returned'
Co-authored-by: Vincent JARDIN <vjardin@free.fr>
Co-authored-by: Frank Morgner <frankmorgner@gmail.com>
2021-03-22 13:08:28 +01:00
Jakub Jelen
5d4daf6c92
oberthur: One more overlooked buffer overflow
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32202
2021-03-21 09:53:13 +01:00
Jakub Jelen
715c17c469
oberthur: Fix memory leaks
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
2021-03-18 13:18:10 +01:00
Jakub Jelen
d5dea2dd1b
tests: Investigate test failure on bionic
2021-03-18 09:58:21 +01:00
Jakub Jelen
16b7c60fd3
Fix more issues with strict aliasing reported by gcc v8
...
Thanks popoves for reporting this issue
2021-03-18 09:58:21 +01:00
Frank Morgner
05648b0604
oberthur: fixed Heap-buffer-overflow
...
fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
2021-03-18 09:56:46 +01:00
Vincent JARDIN
fc0df4e5d5
IASECC/CPX: revert removal of 3F00 from the path
...
A few years ago, the commit 03628449b7
did squash the 3F00nnnn path to nnnn. For instance, 3F002F00
becomes 2F00. It is an issue such as:
00000200 [139681798813440] APDU: 00 A4 09 04 02 2F 00
00029790 [139681798813440] SW: 6A 82
Fix: issue #2231
2021-03-17 10:58:20 +01:00
Vincent JARDIN
76507508d7
IASECC/CPX: code factorization
...
There are two flavours of CPX cards:
- contact mode,
- contactless mode
2021-03-17 10:58:20 +01:00
Vincent JARDIN
4119b2c3e7
ASN1 lax bit string decoding
...
Some ASN1 objects stored on some smartcards (for instance the
IASECC/CPX ones) do not comply strictly with the rules
8.6.2.3 and 8.6.2.3 from the ITU.
Since these rules are not some strict ones, let's have a loose
decoding option that can be displayed by the command:
opensc-explorer
asn1 7001 # for instance
Fix: issue #2224
2021-03-17 10:58:20 +01:00
Vincent JARDIN
b508349010
IASECC/CPX: opensc-explorer asn1 EF.ATR parsing
...
Let the advanced users be able to parse the ASN1 content
for any offset.
OpenSC [3F00]> asn1 2F01 0
Error in decoding.
OpenSC [3F00]> asn1 2F01 1
43 Application 3 (1 byte): decode error, : B8 .
46 Application 6 (4 bytes): decode error: 04 B0 EC C1 ....
47 Application 7 (3 bytes): 94 01 80 ...
4F Application 15 (8 bytes): 80 25 00 00 01 FF 01 00 .%......
E0 Private 0 (16 bytes)
02 INTEGER (2 bytes): 260
02 INTEGER (2 bytes): 260
02 INTEGER (2 bytes): 256
02 INTEGER (2 bytes): 256
78 Application 24 (8 bytes)
06 OBJECT IDENTIFIER (6 bytes): 1.3.162.15480.2
82 Context 2 (2 bytes): 36864: 90 00 ..
Fix: issue #2220
2021-03-17 10:58:20 +01:00
Vincent JARDIN
20f359ea04
IASECC/CPX: SC_PATH_TYPE_FILE_ID, wrong APDU
...
For SC_PATH_TYPE_FILE_ID, P2 should be 0x04, if not,
then we get the following errors:
[opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
Outgoing APDU (7 bytes):
00 A4 02 00 02 A0 01 .......
[opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
[opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
6A 86 j.
[opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
[opensc-pkcs11] apdu.c:535:sc_transmit: returning with: 0 (Success)
[opensc-pkcs11] card.c:523:sc_unlock: called
[opensc-pkcs11] iso7816.c:128:iso7816_check_sw: Incorrect parameters P1-P2
[opensc-pkcs11] card-iasecc.c:1107:iasecc_select_file: iasecc_select_file() check SW failed: -1205 (Incorrect parameters in APDU)
[opensc-pkcs11] card.c:866:sc_select_file: 'SELECT' error: -1205 (Incorrect parameters in APDU)
when running:
./pkcs11-tool --test --login --pin abcd
2021-03-17 10:58:20 +01:00
Vincent JARDIN
c581d1b26f
IASECC/CPX: opensc-explorer asn1 of EF.ATR objects
...
Workaround the parsing of EF.ATR objects, for instance:
./opensc-explorer -r 0
OpenSC [3F00]> cat 2F01
00000000: 80 43 01 B8 46 04 04 B0 EC C1 47 03 94 01 80 4F .C..F.....G....O
00000010: 08 80 25 00 00 01 FF 01 00 E0 10 02 02 01 04 02 ..%.............
00000020: 02 01 04 02 02 01 00 02 02 01 00 78 08 06 06 2B ...........x...+
00000030: 81 22 F8 78 02 82 02 90 00 .".x.....
OpenSC [3F00]> info 2F01
Working Elementary File ID 2F01, SFI E8
File path: 3F00/2F01
File size: 57 bytes
EF structure: Transparent
ACL for READ: NONE
ACL for UPDATE: SecOx45
ACL for DELETE: SecOx45
ACL for WRITE: N/A
ACL for REHABILITATE: N/A
ACL for INVALIDATE: N/A
ACL for LIST FILES: N/A
ACL for CRYPTO: N/A
Type attributes: 01
Life cycle: Operational, activated
In order to avoid adding an offset of 1 for such objects on some
specific cards:
OpenSC [3F00]> asn1 2F01 1
then, we get:
OpenSC [3F00]> asn1 2F01
80 Context 0 (0 bytes)
43 Application 3 (1 byte): decode error: B8 .
46 Application 6 (4 bytes): decode error: 04 B0 EC C1 ....
47 Application 7 (3 bytes): 94 01 80 ...
4F Application 15 (8 bytes): 80 25 00 00 01 FF 01 00 .%......
E0 Private 0 (16 bytes)
02 INTEGER (2 bytes): 260
02 INTEGER (2 bytes): 260
02 INTEGER (2 bytes): 256
02 INTEGER (2 bytes): 256
78 Application 24 (8 bytes)
06 OBJECT IDENTIFIER (6 bytes): 1.3.162.15480.2
82 Context 2 (2 bytes): 36864: 90 00 ..
OpenSC [3F00]>
which means:
ef-atr.c:49:sc_parse_ef_atr_content: EF.ATR: card service 0xB8
ef-atr.c:59:sc_parse_ef_atr_content: EF.ATR: Pre-Issuing data '04B0ECC1'
ef-atr.c:67:sc_parse_ef_atr_content: EF.ATR: DF selection 94, unit_size 1, card caps 80
ef-atr.c:95:sc_parse_ef_atr_content: EF.ATR: AID '8025000001FF0100'
ef-atr.c:106:sc_parse_ef_atr_content: EF.ATR: Issuer data '02020104020201040202010002020100'
ef-atr.c:111:sc_parse_ef_atr_content: EF.ATR: DER encoded OID 06062B8122F87802
ef-atr.c:114:sc_parse_ef_atr_content: EF.ATR: OID 2B8122F87802
ef-atr.c:123:sc_parse_ef_atr_content: EF.ATR: status word 0x9000
Fix: issue #2220
2021-03-17 10:58:20 +01:00
Vincent JARDIN
fd83e885f7
IASECC/CPX: parse EF.ATR from ASN1 2F01 object
...
2F01 is:
./opensc-explorer -r 0
OpenSC [3F00]> cat 2F01
00000000: 80 43 01 B8 46 04 04 B0 EC C1 47 03 94 01 80 4F .C..F.....G....O
00000010: 08 80 25 00 00 01 FF 01 00 E0 10 02 02 01 04 02 ..%.............
00000020: 02 01 04 02 02 01 00 02 02 01 00 78 08 06 06 2B ...........x...+
00000030: 81 22 F8 78 02 82 02 90 00 .".x.....
so the ASN1 decoder gets confused because it assumes that two bytes are
needed before getting the first tag 43/ISO7816_TAG_II_CARD_SERVICE.
In order to avoid such confusion, whenever the content of the EF.ATR/2F01 starts
with ISO7816_II_CATEGORY_TLV, we skip the first byte in order to parse
the ASN1 payload.
Fix: issue #2220
2021-03-17 10:58:20 +01:00
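
The first-byte skip described in the two EF.ATR commits above (c581d1b26f and fd83e885f7), as an added example that is not OpenSC's code: a bounds-checked TLV walk over the 2F01 bytes from the quoted dump, run with and without the skip. The struct, the function name and the `skip_category` flag are hypothetical, and the walk assumes single-byte tags and short-form lengths.

```c
#include <stdint.h>
#include <string.h>

/* Constructed from the 57-byte `cat 2F01` dump quoted in the commit message. */
static const uint8_t EF_ATR_2F01[] = {
    0x80,                                                 /* category indicator */
    0x43, 0x01, 0xB8, 0x46, 0x04, 0x04, 0xB0, 0xEC, 0xC1, /* service, pre-issuing */
    0x47, 0x03, 0x94, 0x01, 0x80,                         /* card capabilities */
    0x4F, 0x08, 0x80, 0x25, 0x00, 0x00, 0x01, 0xFF, 0x01, 0x00, /* AID */
    0xE0, 0x10, 0x02, 0x02, 0x01, 0x04, 0x02, 0x02, 0x01, 0x04,
    0x02, 0x02, 0x01, 0x00, 0x02, 0x02, 0x01, 0x00,       /* issuer data */
    0x78, 0x08, 0x06, 0x06, 0x2B, 0x81, 0x22, 0xF8, 0x78, 0x02, /* OID */
    0x82, 0x02, 0x90, 0x00                                /* status word */
};

struct ef_atr_info {            /* hypothetical; not OpenSC's own struct */
    uint8_t  card_service;      /* tag 0x43 */
    uint8_t  aid[16];           /* tag 0x4F */
    size_t   aid_len;
    unsigned status;            /* tag 0x82 */
};

/* Walks single-byte-tag, short-length TLVs. Returns the number of top-level
 * objects, or -1 if one is malformed or would run past the buffer. */
int ef_atr_parse(const uint8_t *buf, size_t len, int skip_category,
                 struct ef_atr_info *out)
{
    size_t off = (skip_category && len > 0 && buf[0] == 0x80) ? 1 : 0;
    int count = 0;

    memset(out, 0, sizeof(*out));
    for (; off < len; count++) {
        if (len - off < 2)
            return -1;                      /* tag without a length byte */
        uint8_t tag = buf[off];
        size_t l = buf[off + 1];
        const uint8_t *val = buf + off + 2;
        if ((tag & 0x1F) == 0x1F || l >= 0x80 || l > len - off - 2)
            return -1;                      /* unsupported form or overrun */
        if (tag == 0x43 && l == 1) {
            out->card_service = val[0];
        } else if (tag == 0x4F && l <= sizeof(out->aid)) {
            memcpy(out->aid, val, l);
            out->aid_len = l;
        } else if (tag == 0x82 && l == 2) {
            out->status = (unsigned)val[0] << 8 | val[1];
        } else if (tag == 0x43 || tag == 0x4F || tag == 0x82) {
            return -1;                      /* known tag, unexpected length */
        }
        off += 2 + l;                       /* other tags are skipped whole */
    }
    return count;
}
```

Parsed from offset 0, the leading 0x80 is read as a tag whose length byte is 0x43, which overruns the 57-byte file and is rejected; with the skip, the seven objects listed in the `asn1 2F01 1` output are recovered.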