The PKCS#11 Usage Guide, at least up to v2.40, says that calling
C_Initialize() in the child after fork is "considered to be good
Cryptoki programming practice, since it can prevent the existence of
dangling duplicate resources that were created at the time of the fork()
call."
(It neglects to mention that doing so in the child of a multi-threaded
process is a clear violation of POSIX, mind you. Not to mention being
utterly pointless if all you're going to do in the child is exec something
else anyway.)
Regardless of the sagacity of this recommendation, we need to cope when
it happens. Historically, we've been quite bad at that. Let's add a test
to pkcs11-tool in the hope it'll help...
Fixes#464
card-piv.c tries to read the first 8 bytes of an object to get object size
so it can allocate a buffer. It then reads the whole object. apdu.c has changed
over the years, and apdu.c will keep reading as long as the card returns
status of 61 XX thus apdu.c will read the whole object while discarding
the extra data and returning to the caller only the first part of the data.
This in effect causes a double read of objects.
This patch sets SC_APDU_FLAGS_NO_GET_RESP to tell apdu to stop doing the
extra get-response commands thus avoiding most of the extra overhead.
This in not an optimal patch as it only works with T=1 cards/readers
but the patch is confined to just card-piv.c.
A better patch is in the works.
Fixes#462
* factorize the code from CardAuthenticatePIN into CardAuthenticateEx
* allows authentication with the PINPAD without a UI
minidriver: fix some code analysis warnings
Improve the error code when the user cancel the operation ("The operation was canceled by the user" instead of "invalid parameter")
Signed-off-by: vletoux <vincent.letoux@gmail.com>
Prior to 066132327c71300188aa66180fde2fb3d90c5140, CKM_ECDH1_DERIVE and
CKM_ECDH1_COFACTOR_DERIVE were always registered for cards that support
SC_ALGORITHM_ECDSA_RAW.
The mentioned commit changed this behavior, so that the ECDH mechanisms
are only registered for cards that set the SC_ALGORITHM_ECDH_CDH_RAW
capability flag.
To keep the existing behavior for the cards, they need to set this flag
in the card driver.
Prior to this commit, all hashes registered for RSA or other key types were
registered for ECDSA as well.
register ECDH mechanism only when supported by card
ECDH should only be registered if the card driver sets the
SC_ALGORITHM_ECDH_CDH_RAW flag.
register software PKCS#1 (1.5) padding only when RAW RSA is supported by card
If OpenSC supports PSS/OAEP padding or other padding mechanisms in
future, and there would be a card that enforces hardware PSS/OAEP
padding, the PKCS#1 v1.5 padding mechanism should not be registered.