Use the new features of sc_asn1_put_tag introduced in OpenSC/OpenSC#314.
Additionally, a RSA private key is sent from one large buffer using either extended APDUs or chaining (in compliance to IsoApplet API version 00.05).
It is required to strip excessive zeroes returned by some Java Cards when removeing the ASN1 structural information for PKCS#11 so that the x/y can be calculated by dividing the signature length by 2. However, the leading zero may only be stripped if it is excessive (outside the field length). Otherwise generated signatures are wrong in rare cases (1 out of 256).
See: 189e998486
The IsoApplet requires the host to do the hashes with RSA. OpenSC will
add all hashes that are available in software and will not expect the
card to do the hashing.
Rework the EC key generation mechanism to send the curve parameters to
the card. In earlier versions, the applet had a copy of the curve
parameters and there was a different algorithm reference for every
curve. This is unfeasible when trying to support a larger number of
curves because of size limitations of the applet.
This commit additionally includes some refactorings that should not
change the functionality.
when deleting a private key object, overwrite its contents so the key can no longer be used.
(VTA: original commit touched to use LOG macros and add debug logs)
needed to store information about EC curve supported by card.
Primary usage is when importing/generating key to get know if particular curve is supported by card.
* Key usage required when calling C_CreateObject for public key are not used.
This adds the logic to convert from PKCS#11 attributes to PKCS#15 in the
structure that is sent to underlying _store_pubkey functions.
Pkcs15init data, used to import/generate key objects, includes twice the same EC parameters data:
- explicit 'params' data
- part of sc_pkcs15_pubkey/sc_pkcs15_prkey
Explicit 'ec-params' data is removed.
sc_pkcs15_get_object_guid() should prefer the serial number from
EF(TokenInfo) over card->serialnr because the user may override the
card's serial number with "pkcs15-init -C --serial". The card->serialnr
should be used before calling card CTL with SC_CARDCTL_GET_SERIALNR
because it might contain a cached value.
This change *should* allow cards to be used with the minidriver even if
SC_CARDCTL_GET_SERIALNR is not implemented. For example, a driver might
set card->serialnr at initialization or the user might initialize a
PKCS#15 card with its own "--serial".
See also the discussion at the mailing list:
[Opensc-devel] AT_SIGNATURE and AT_EXCHANGE Problem
b94c163 - invalid, non-tested
11881a6 -- src/libopensc/card-iasecc.c -- return from select has to be ignored,
3a92bf7 -- src/pkcs11/slot.c -- SEGFAULT issue #3733a92bf7 -- src/tools/piv-tool.c -- confirmed by author
6759c04 -- src/pkcs15init/pkcs15-lib.c -- file instantiation error has to be ignored