* consistently use term "Invalid key ID; must be 1, 2, or 3" in error messages
about invalid key IDs instead of various alternatives.
* use error type SC_ERROR_INVALID_ARGUMENTS instead of SC_ERROR_INVALID_DATA
when the key_id was passed to the respective function
* harmonize the checks to consistently use 'key_id < ... || key_id > ...'
In addition, initialize a variable to keep clang & compilers on OSX happy.
Combine sequences
sc_log(..., "...");
LOG_FUNC_RETURN(...);
where c_log() prints a constant string
by
LOG_TEST_RET(..., "...");
This change results in shorter, more concise code as well as
better harmonized error messages.
Don't terminate the messages with a period, because they are going to end up
as the first argument to a format string of the form "%s: ...".
I.e. they will be part of a longer string and terminated by a colon anyway.
When card->sm_ctx.ops.free_sm_apdu gets called in sc_sm_single_transmit
with a prior transmission error, then `sm_encrypt` still tries to
decrypt the response and hence, accesses the previously uninitialized
`resp`.
Use defined symbolic names for well-known DOs to copy data to a correctly
defined buffer 'apdu_data' using ulong2bebytes() instead of relying on
"magic" constants and C's string semantic.
Also use 'sizeof(apdu_data)' instead of additional magic constants.
Use defined symbolic names for well-known DOs to copy data to a correctly
defined buffer 'data' using ulong2bebytes() instead of relying on
"magic" constants and C's string semantic.
Also use 'sizeof(data)' instead of strange strlen() calculations.
Use defined symbolic names for well-known DOs to copy data to a correctly
defined buffer 'data' using ulong2bebytes() instead of relying on
"magic" constants.
Random data from PIV card is obtained using GENERAL AUTHENTICATE command
for a request of a Challenge from the card. "00 87 00 9B 04 7C 02 81 00"
Usually 8 bytes are returned.
NIST 800-73-3_PART2, "A.1 Authentication of the PIV Card Application Administrator"
"Table 11. Authentication of PIV Card Application Administrator" shows an example of
how to do this.
Some cards (one I have: 3b:7d:96:00:00:80:31:80:65:b0:83:11:17:d6:83:00:90:00)
will not allow 2 of these commands in a row. (Maybe assuming command is only
used as in Table 11 and is expecting the second command.)
Code was added to card-piv.c so if "6A 80" is returned, try the command one more time.
For any other GENERAL AUTHENTICATE failure, SC_ERROR_NOT_SUPPORTED is returned.
piv_get_challenge may be called within a loop from sc_get_challenge if more random
data is needed thus causing the the 2 commands to sent in a row.
On branch piv-improved-matching
Changes to be committed:
modified: card-piv.c
Not all PIV applets are the same. Different versions of NIST 800-73 and improperly implemented
or not implemented required features of NIST 800-73 cases problems. Have a look at the card_issues
listed in card-piv.c. The PIV driver has tried to detect the differences based on clues found in
the ATR historical bytes and vendor version numbers for some cards.
At the same time it has tried to support the possibility there are multiple applets
on a card that the user may want to use at the same time from different applications.
This has lead to some detection problems with Dual CAC/PIV cards. The same cards
sold by the vendor may have only a PIV applet that may not be the same PIV applet that
is on the Dual PIV/CAC cards.
http://www.cac.mil/Portals/53/Documents/CAC-utilziation-and-variation-matrix-v2.03-20May2016.doc
defines a number of official CAC cards in active service. A table of the ATRs for these is now used
to detect these cards. The PIV version of the CCC is also read to see if any CAC PKI objects
are defined in the CCC, indicating it is a Dual CAC/PIV, even if the ATR is not listed.
A more conservative approach to try and handle multiple applets on a card is used. Based
on issues with the implementation of the PIV applet this may not be possible to do.
So for many cards no additional detection will be done at the start of every transaction,
and the login state can not be detected correctly.
ATRs for PIVKEY are also in the match table, as these cards have a log of issues.
Other PIV cards in the future or not yet tested may not be covered properly by this patch.
Extra debugging was added with "PIV_MATCH" to help with these other cards.
With "debug = 7;", `grep PIV_MATCH opensc-debug.log` can be used to see how a card
type and card_issues are derived.
On branch piv-improved-matching
Changes to be committed:
modified: card-piv.c
modified: cards.h
Same information is printed a few line below in same function, the only
difference is that there it takes care of case when label is NULL pointer
unlike this line
secondly, every function call to cosm_write_tokeninfo() in this file
passes label=NULL, and then it tries to print a null pointer
Fixes errors like
src/libopensc/log.h:48:47: error: '%s' directive argument is null
[-Werror=format-overflow=]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Frank Morgner
Peter Marschall
Jakub Jelen
Doug Engert
Khem Raj