The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9