OpenSSL-1.1.0 was released 8/25/2016
OpenSSL-1.1.0a was released 9/22/2016
https://www.openssl.org/news/openssl-1.1.0-notes.html
Changes to allow the OpenSC code base to work with OpenSSL versions from
0.9.7 to 1.1.0 with few changes.
This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch.
No attempt was made to back port any OpenSSL features. These changes
just allow an updated OpenSC code base to use what is in the various OpenSSL
releases.
A new header libopensc/sc-ossl-compat.h contains extra defines
to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements
in the source code.
The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h
has defines for the new API for use with older versions of OpenSSL.
sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC
library routines can take advantage of it. For the tools, which do not use
libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools.
The OpenSC source has been modified to use OpenSSL functions to access
hidden structures, such X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new
functions to allocate structures which must use pointer such as
BIGNUM and EVP_CIPHER_CTX.
For backward compatability sc-ossl-compat.h now defines inline routines
to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus
the same OpenSC source code can be used with openSSL versions from
0.9.7 to 1.1.0.
Inline routines were chosen, because using macros does not work on all platforms.
Having OpenSC versions of these routines in libopensc would be a posibility,
but they are only used for older version of OpenSSL, and could be removed in
the future.
Changes to be committed:
modified: src/libopensc/card-entersafe.c
modified: src/libopensc/card-epass2003.c
modified: src/libopensc/card-gids.c
modified: src/libopensc/card-gpk.c
modified: src/libopensc/card-oberthur.c
modified: src/libopensc/card-piv.c
modified: src/libopensc/card-westcos.c
modified: src/libopensc/cwa-dnie.c
modified: src/libopensc/cwa14890.c
modified: src/libopensc/internal.h
modified: src/libopensc/p15card-helper.c
modified: src/libopensc/pkcs15-itacns.c
modified: src/libopensc/pkcs15-prkey.c
modified: src/libopensc/pkcs15-pubkey.c
new file: src/libopensc/sc-ossl-compat.h
modified: src/pkcs11/openssl.c
modified: src/pkcs15init/pkcs15-lib.c
modified: src/pkcs15init/pkcs15-oberthur-awp.c
modified: src/pkcs15init/pkcs15-oberthur.c
modified: src/pkcs15init/pkcs15-oberthur.h
modified: src/pkcs15init/pkcs15-westcos.c
modified: src/tools/cryptoflex-tool.c
modified: src/tools/gids-tool.c
modified: src/tools/netkey-tool.c
modified: src/tools/piv-tool.c
modified: src/tools/pkcs11-tool.c
modified: src/tools/pkcs15-init.c
modified: src/tools/sc-hsm-tool.c
modified: src/tools/westcos-tool.c
This patch fixes 3 issues which consecutively have shown up when debugging the original problem:
1 - Newer DNIe report a byte count for public certificates which is the compressed size,
while older DNIe report the uncompressed size. This resulted in short-reading the x509 certificates,
and in an error parsing. Therefore, during initialization we proceed to set path->count for
public certificates to -1. This ensures that the lenght of the certificates for reading
will be set to file-> length, which has the correct size.
2 - pkcs11-tool -t was broken for DNIe (old and new)as it tried to strip pcks11 padding
from the data to sign and OpenSC tried signatures with non-padded data
(as the card had SC_ALGORITHM_RSA_RAW).
The new algoflags (SC_ALGORITHM_RSA_HASH_NONE | SC_ALGORITHM_RSA_PAD_PKCS1) and the
removal of the strip-padding call fix the issue.
3 - The new cards won't allow setting the LE bytes when calculating the TLV, when LE equals
256. This caused an wrong SM object error response (0x69 0x88). Therefore,
we don't send the LE bytes anymore in this case.
The patch has been tested to work on the new problematic card and on another old one.
close#451
card-asepcos: removed dead code
card-authentic: removed dead code
card-belpic: removed dead code
card-epass2003: removed dead code
card-flex: removed dead code
card-gpk: removed dead code
card-oberthur: removed dead code
card-piv: removed dead code
card-setcos: removed dead code
ctbcs: removed dead code
cwa14890: removed dead code
muscle: removed dead code
pkcs15-atrust-acos: removed dead code
pkcs15-gemsafeV1: removed dead code
pkcs15-skey: removed dead code
reader-ctapi: removed dead code
framework-pkcs15: removed dead code
pkcs11-object: removed dead code
pkcs15-asepcos: removed dead code
pkcs15-cardos: removed dead code
pkcs15-jcop: removed dead code
pkcs15-lib: removed dead code
pkcs15-oberthur: removed dead code
parse: removed dead code
sclex: removed dead code
sm-card-authentic: removed dead code
sm-card-iasecc: removed dead code
sm-cwa14890: removed dead code
sm-global-platform: removed dead code
sc-test: removed dead code
pkcs11-tool: removed dead code
pkcs15-tool: removed dead code