tuibuilder_pel7x64builder0
5 years ago
15 changed files with 2403 additions and 0 deletions
@ -0,0 +1,204 @@
@@ -0,0 +1,204 @@
|
||||
From 6dc118e1c3b89c50cda1998de1d62fa6fa666e60 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 3 Nov 2017 10:55:35 +0100 |
||||
Subject: [PATCH 1/3] Enable CAC ALT token card operations |
||||
|
||||
--- |
||||
src/libopensc/card-cac.c | 33 +++++++++++++++++++++++++++++++++ |
||||
1 file changed, 33 insertions(+) |
||||
|
||||
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c |
||||
index 82f5c7869..bc0a754a5 100644 |
||||
--- a/src/libopensc/card-cac.c |
||||
+++ b/src/libopensc/card-cac.c |
||||
@@ -229,6 +229,12 @@ static int cac_add_object_to_list(list_t *list, const cac_object_t *object) |
||||
#define CAC_1_RID "\xA0\x00\x00\x00\x79" |
||||
#define CAC_1_CM_AID "\xA0\x00\x00\x00\x30\x00\00" |
||||
|
||||
+static const sc_path_t cac_ACA_Path = { |
||||
+ "", 0, |
||||
+ 0,0,SC_PATH_TYPE_DF_NAME, |
||||
+ { CAC_TO_AID(CAC_1_RID "\x10\x00") } |
||||
+}; |
||||
+ |
||||
static const sc_path_t cac_CCC_Path = { |
||||
"", 0, |
||||
0,0,SC_PATH_TYPE_DF_NAME, |
||||
@@ -284,6 +290,8 @@ static const cac_object_t cac_1_objects[] = { |
||||
static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]); |
||||
|
||||
|
||||
+static int cac_select_ACA(sc_card_t *card); |
||||
+ |
||||
/* |
||||
* use the object id to find our object info on the object in our CAC-1 list |
||||
*/ |
||||
@@ -815,6 +823,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) |
||||
case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS: |
||||
return cac_final_iterator(&priv->general_list); |
||||
case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS: |
||||
+ /* select ACA to be able to verify PIN */ |
||||
+ cac_select_ACA(card); |
||||
return cac_final_iterator(&priv->pki_list); |
||||
} |
||||
|
||||
@@ -1157,6 +1167,12 @@ static int cac_select_CCC(sc_card_t *card) |
||||
return cac_select_file_by_type(card, &cac_CCC_Path, NULL, SC_CARD_TYPE_CAC_II); |
||||
} |
||||
|
||||
+/* Select ACA in non-standard location */ |
||||
+static int cac_select_ACA(sc_card_t *card) |
||||
+{ |
||||
+ return cac_select_file_by_type(card, &cac_ACA_Path, NULL, SC_CARD_TYPE_CAC_II); |
||||
+} |
||||
+ |
||||
static int cac_path_from_cardurl(sc_card_t *card, sc_path_t *path, cac_card_url_t *val, int len) |
||||
{ |
||||
if (len < 10) { |
||||
@@ -1476,6 +1492,23 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize) |
||||
} |
||||
} |
||||
|
||||
+ /* Even some ALT tokens can be missing CCC so we should try with ACA */ |
||||
+ r = cac_select_ACA(card); |
||||
+ if (r == SC_SUCCESS) { |
||||
+ r = cac_find_first_pki_applet(card, &index); |
||||
+ if (r == SC_SUCCESS) { |
||||
+ priv = cac_new_private_data(); |
||||
+ if (!priv) |
||||
+ return SC_ERROR_OUT_OF_MEMORY; |
||||
+ r = cac_populate_cac_1(card, index, priv); |
||||
+ if (r == SC_SUCCESS) { |
||||
+ card->type = SC_CARD_TYPE_CAC_II; |
||||
+ card->drv_data = priv; |
||||
+ return r; |
||||
+ } |
||||
+ } |
||||
+ } |
||||
+ |
||||
/* is this a CAC-1 specified in DoD "CAC Applet Developer Guide" version 1.0 September 2002 */ |
||||
r = cac_find_first_pki_applet(card, &index); |
||||
if (r == SC_SUCCESS) { |
||||
|
||||
From 68c52640a3eff078243fd2db627cf2d12fdd37de Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Mon, 6 Nov 2017 12:37:40 +0100 |
||||
Subject: [PATCH 2/3] Add the ACA path to the PIN structure if we have one |
||||
|
||||
--- |
||||
src/libopensc/card-cac.c | 25 +++++++++++++++++++------ |
||||
src/libopensc/cardctl.h | 1 + |
||||
src/libopensc/pkcs15-cac.c | 6 ++++++ |
||||
3 files changed, 26 insertions(+), 6 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c |
||||
index bc0a754a5..178150d35 100644 |
||||
--- a/src/libopensc/card-cac.c |
||||
+++ b/src/libopensc/card-cac.c |
||||
@@ -169,6 +169,7 @@ typedef struct cac_private_data { |
||||
cac_object_t *pki_current; /* current pki object _ctl function */ |
||||
list_t general_list; /* list of general containers */ |
||||
cac_object_t *general_current; /* current object for _ctl function */ |
||||
+ sc_path_t *aca_path; /* ACA path to be selected before pin verification */ |
||||
} cac_private_data_t; |
||||
|
||||
#define CAC_DATA(card) ((cac_private_data_t*)card->drv_data) |
||||
@@ -207,6 +208,7 @@ static void cac_free_private_data(cac_private_data_t *priv) |
||||
{ |
||||
free(priv->cac_id); |
||||
free(priv->cache_buf); |
||||
+ free(priv->aca_path); |
||||
list_destroy(&priv->pki_list); |
||||
list_destroy(&priv->general_list); |
||||
free(priv); |
||||
@@ -289,9 +291,6 @@ static const cac_object_t cac_1_objects[] = { |
||||
|
||||
static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]); |
||||
|
||||
- |
||||
-static int cac_select_ACA(sc_card_t *card); |
||||
- |
||||
/* |
||||
* use the object id to find our object info on the object in our CAC-1 list |
||||
*/ |
||||
@@ -793,11 +792,21 @@ static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* seri |
||||
if (priv->cac_id_len) { |
||||
serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR); |
||||
memcpy(serial->value, priv->cac_id, priv->cac_id_len); |
||||
- SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS); |
||||
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS); |
||||
} |
||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND); |
||||
} |
||||
|
||||
+static int cac_get_ACA_path(sc_card_t *card, sc_path_t *path) |
||||
+{ |
||||
+ cac_private_data_t * priv = CAC_DATA(card); |
||||
+ |
||||
+ SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL); |
||||
+ if (priv->aca_path) { |
||||
+ *path = *priv->aca_path; |
||||
+ } |
||||
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS); |
||||
+} |
||||
|
||||
static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) |
||||
{ |
||||
@@ -810,6 +819,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) |
||||
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
||||
} |
||||
switch(cmd) { |
||||
+ case SC_CARDCTL_CAC_GET_ACA_PATH: |
||||
+ return cac_get_ACA_path(card, (sc_path_t *) ptr); |
||||
case SC_CARDCTL_GET_SERIALNR: |
||||
return cac_get_serial_nr_from_CUID(card, (sc_serial_number_t *) ptr); |
||||
case SC_CARDCTL_CAC_INIT_GET_GENERIC_OBJECTS: |
||||
@@ -823,8 +834,6 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) |
||||
case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS: |
||||
return cac_final_iterator(&priv->general_list); |
||||
case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS: |
||||
- /* select ACA to be able to verify PIN */ |
||||
- cac_select_ACA(card); |
||||
return cac_final_iterator(&priv->pki_list); |
||||
} |
||||
|
||||
@@ -1502,6 +1511,10 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize) |
||||
return SC_ERROR_OUT_OF_MEMORY; |
||||
r = cac_populate_cac_1(card, index, priv); |
||||
if (r == SC_SUCCESS) { |
||||
+ priv->aca_path = malloc(sizeof(sc_path_t)); |
||||
+ if (!priv->aca_path) |
||||
+ return SC_ERROR_OUT_OF_MEMORY; |
||||
+ memcpy(priv->aca_path, &cac_ACA_Path, sizeof(sc_path_t)); |
||||
card->type = SC_CARD_TYPE_CAC_II; |
||||
card->drv_data = priv; |
||||
return r; |
||||
diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h |
||||
index b647b0537..b610eacc7 100644 |
||||
--- a/src/libopensc/cardctl.h |
||||
+++ b/src/libopensc/cardctl.h |
||||
@@ -220,6 +220,7 @@ enum { |
||||
SC_CARDCTL_CAC_INIT_GET_CERT_OBJECTS, |
||||
SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT, |
||||
SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS, |
||||
+ SC_CARDCTL_CAC_GET_ACA_PATH, |
||||
|
||||
/* |
||||
* AuthentIC v3 |
||||
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c |
||||
index fd463a9b4..ff87a2345 100644 |
||||
--- a/src/libopensc/pkcs15-cac.c |
||||
+++ b/src/libopensc/pkcs15-cac.c |
||||
@@ -250,6 +250,12 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) |
||||
strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1); |
||||
pin_obj.flags = pins[i].obj_flags; |
||||
|
||||
+ /* get the ACA path in case it needs to be selected before PIN verify */ |
||||
+ r = sc_card_ctl(card, SC_CARDCTL_CAC_GET_ACA_PATH, &pin_info.path); |
||||
+ if (r < 0) { |
||||
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r); |
||||
+ } |
||||
+ |
||||
r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info); |
||||
if (r < 0) |
||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r); |
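Review bot: In the ACA block added to cac_find_and_initialize (patch 1, hunk at -1476, extended by patch 2 at -1502) `priv` comes from cac_new_private_data() but is not released on either failure path visible there: when the `malloc` for `priv->aca_path` fails the function returns SC_ERROR_OUT_OF_MEMORY with `priv` still allocated, and when cac_populate_cac_1() fails control falls out of the block toward the CAC-1 probe below, which presumably allocates a fresh private data (the rest of the function is outside the hunk, so I cannot confirm that anything frees the first one). The OOM branch should read `if (!priv->aca_path) { cac_free_private_data(priv); return SC_ERROR_OUT_OF_MEMORY; }`, and the populate-failure path needs a matching `cac_free_private_data(priv);` before falling through, unless cac_populate_cac_1() is documented to free it on error. The new cac_get_ACA_path() (patch 2, -793) leaves `*path` untouched yet still returns SC_SUCCESS when no ACA path was recorded, and the caller in pkcs15-cac.c passes `&pin_info.path` straight in, so a comment such as `/* no ACA on this token: leave the caller's path as is */` on the empty else case would document that contract; it also assumes cac_new_private_data() zeroes the new `aca_path` member, which is not shown in these hunks.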
@ -0,0 +1,240 @@
@@ -0,0 +1,240 @@
|
||||
From bc496dfa59c1cfbc5c47c76511d5c6b7eff5cc6c Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Thu, 26 Jan 2017 17:11:24 +0100 |
||||
Subject: [PATCH 1/4] Set security context for CardOS 5.3 with p1=0x41 (as |
||||
Coolkey does) |
||||
|
||||
--- |
||||
src/libopensc/card-cardos.c | 16 +++++++++++----- |
||||
src/libopensc/cards.h | 1 + |
||||
2 files changed, 12 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c |
||||
index 0c14b32..008ce5c 100644 |
||||
--- a/src/libopensc/card-cardos.c |
||||
+++ b/src/libopensc/card-cardos.c |
||||
@@ -59,7 +59,7 @@ static struct sc_atr_table cardos_atrs[] = { |
||||
/* CardOS v5.0 */ |
||||
{ "3b:d2:18:00:81:31:fe:58:c9:01:14", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL}, |
||||
/* CardOS v5.3 */ |
||||
- { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL}, |
||||
+ { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL}, |
||||
{ NULL, NULL, NULL, 0, 0, NULL } |
||||
}; |
||||
|
||||
@@ -84,6 +84,8 @@ static int cardos_match_card(sc_card_t *card) |
||||
return 1; |
||||
if (card->type == SC_CARD_TYPE_CARDOS_V5_0) |
||||
return 1; |
||||
+ if (card->type == SC_CARD_TYPE_CARDOS_V5_3) |
||||
+ return 1; |
||||
if (card->type == SC_CARD_TYPE_CARDOS_M4_2) { |
||||
int rv; |
||||
sc_apdu_t apdu; |
||||
@@ -195,7 +197,8 @@ static int cardos_init(sc_card_t *card) |
||||
|| card->type == SC_CARD_TYPE_CARDOS_M4_2B |
||||
|| card->type == SC_CARD_TYPE_CARDOS_M4_2C |
||||
|| card->type == SC_CARD_TYPE_CARDOS_M4_4 |
||||
- || card->type == SC_CARD_TYPE_CARDOS_V5_0) { |
||||
+ || card->type == SC_CARD_TYPE_CARDOS_V5_0 |
||||
+ || card->type == SC_CARD_TYPE_CARDOS_V5_3) { |
||||
rsa_2048 = 1; |
||||
card->caps |= SC_CARD_CAP_APDU_EXT; |
||||
} |
||||
@@ -230,7 +233,7 @@ static int cardos_init(sc_card_t *card) |
||||
_sc_card_add_rsa_alg(card, 2048, flags, 0); |
||||
} |
||||
|
||||
- if (card->type == SC_CARD_TYPE_CARDOS_V5_0) { |
||||
+ if (card->type >= SC_CARD_TYPE_CARDOS_V5_0) { |
||||
/* Starting with CardOS 5, the card supports PIN query commands */ |
||||
card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO; |
||||
} |
||||
@@ -249,7 +252,7 @@ static const struct sc_card_error cardos_errors[] = { |
||||
{ 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"}, |
||||
{ 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"}, |
||||
|
||||
-/* the card doesn't now thic combination of ins+cla+p1+p2 */ |
||||
+/* the card doesn't now this combination of ins+cla+p1+p2 */ |
||||
/* i.e. command will never work */ |
||||
{ 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"}, |
||||
{ 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, |
||||
@@ -781,6 +784,8 @@ cardos_set_security_env(sc_card_t *card, |
||||
if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) { |
||||
cardos_restore_security_env(card, 0x30); |
||||
apdu.p1 = 0xF1; |
||||
+ } else if (card->type == SC_CARD_TYPE_CARDOS_V5_3) { |
||||
+ apdu.p1 = 0x41; |
||||
} else { |
||||
apdu.p1 = 0x01; |
||||
} |
||||
@@ -1235,7 +1240,8 @@ cardos_logout(sc_card_t *card) |
||||
|| card->type == SC_CARD_TYPE_CARDOS_M4_2C |
||||
|| card->type == SC_CARD_TYPE_CARDOS_M4_3 |
||||
|| card->type == SC_CARD_TYPE_CARDOS_M4_4 |
||||
- || card->type == SC_CARD_TYPE_CARDOS_V5_0) { |
||||
+ || card->type == SC_CARD_TYPE_CARDOS_V5_0 |
||||
+ || card->type == SC_CARD_TYPE_CARDOS_V5_3) { |
||||
sc_apdu_t apdu; |
||||
int r; |
||||
sc_path_t path; |
||||
diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h |
||||
index d71c02f..9f8f641 100644 |
||||
--- a/src/libopensc/cards.h |
||||
+++ b/src/libopensc/cards.h |
||||
@@ -47,6 +47,7 @@ enum { |
||||
SC_CARD_TYPE_CARDOS_CIE_V1, /* Italian CIE (eID) v1 */ |
||||
SC_CARD_TYPE_CARDOS_M4_4, |
||||
SC_CARD_TYPE_CARDOS_V5_0, |
||||
+ SC_CARD_TYPE_CARDOS_V5_3, |
||||
|
||||
/* flex/cyberflex drivers */ |
||||
SC_CARD_TYPE_FLEX_BASE = 2000, |
||||
-- |
||||
2.9.3 |
||||
|
||||
|
||||
From 5dec534cf07e45ffb0209a53d6145022ecd9259a Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Mon, 30 Jan 2017 14:33:05 +0100 |
||||
Subject: [PATCH 2/4] Do not emulate signatures in CardOS 5.3 |
||||
|
||||
Remove the bogus SC_ALGORITHM_NEED_USAGE which prevents using the |
||||
actual implementation in cardos_compute_signature(). |
||||
|
||||
It might be bogus also in previous version, but I don't have a way |
||||
to verify against these cards. |
||||
--- |
||||
src/libopensc/card-cardos.c | 8 +++++--- |
||||
1 file changed, 5 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c |
||||
index 008ce5c..a21e67a 100644 |
||||
--- a/src/libopensc/card-cardos.c |
||||
+++ b/src/libopensc/card-cardos.c |
||||
@@ -177,11 +177,13 @@ static int cardos_init(sc_card_t *card) |
||||
card->cla = 0x00; |
||||
|
||||
/* Set up algorithm info. */ |
||||
- flags = SC_ALGORITHM_NEED_USAGE |
||||
- | SC_ALGORITHM_RSA_RAW |
||||
+ flags = SC_ALGORITHM_RSA_RAW |
||||
| SC_ALGORITHM_RSA_HASH_NONE |
||||
| SC_ALGORITHM_ONBOARD_KEY_GEN |
||||
; |
||||
+ if (card->type != SC_CARD_TYPE_CARDOS_V5_3) |
||||
+ flags |= SC_ALGORITHM_NEED_USAGE; |
||||
+ |
||||
_sc_card_add_rsa_alg(card, 512, flags, 0); |
||||
_sc_card_add_rsa_alg(card, 768, flags, 0); |
||||
_sc_card_add_rsa_alg(card, 1024, flags, 0); |
||||
@@ -252,7 +254,7 @@ static const struct sc_card_error cardos_errors[] = { |
||||
{ 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"}, |
||||
{ 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"}, |
||||
|
||||
-/* the card doesn't now this combination of ins+cla+p1+p2 */ |
||||
+/* the card doesn't know this combination of ins+cla+p1+p2 */ |
||||
/* i.e. command will never work */ |
||||
{ 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"}, |
||||
{ 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, |
||||
-- |
||||
2.9.3 |
||||
|
||||
|
||||
From 057197c7abf29715a2b7793045c35adf2a34dc17 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 10 Mar 2017 16:37:43 +0100 |
||||
Subject: [PATCH 3/4] Hack for returning the padding back in CardOS 5.3 |
||||
|
||||
--- |
||||
src/libopensc/card-cardos.c | 25 +++++++++++++++++++++++++ |
||||
1 file changed, 25 insertions(+) |
||||
|
||||
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c |
||||
index a21e67a..39ec4ac 100644 |
||||
--- a/src/libopensc/card-cardos.c |
||||
+++ b/src/libopensc/card-cardos.c |
||||
@@ -979,6 +979,30 @@ cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen, |
||||
} |
||||
|
||||
static int |
||||
+cardos_decipher(struct sc_card *card, |
||||
+ const u8 * crgram, size_t crgram_len, |
||||
+ u8 * out, size_t outlen) |
||||
+{ |
||||
+ int r; |
||||
+ u8 *tmp = NULL; |
||||
+ size_t tmp_len = crgram_len; |
||||
+ |
||||
+ assert(card != NULL && crgram != NULL && out != NULL); |
||||
+ LOG_FUNC_CALLED(card->ctx); |
||||
+ |
||||
+ tmp = malloc(tmp_len); |
||||
+ r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len); |
||||
+ |
||||
+ /* add bogus padding, because the card removes it */ |
||||
+ if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, |
||||
+ tmp, r, out, &outlen, crgram_len) != SC_SUCCESS) |
||||
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
||||
+ out[1] = 0x02; /* this is encryption-padding */ |
||||
+ |
||||
+ LOG_FUNC_RETURN(card->ctx, outlen); |
||||
+} |
||||
+ |
||||
+static int |
||||
cardos_lifecycle_get(sc_card_t *card, int *mode) |
||||
{ |
||||
sc_apdu_t apdu; |
||||
@@ -1278,6 +1302,7 @@ static struct sc_card_driver * sc_get_driver(void) |
||||
cardos_ops.set_security_env = cardos_set_security_env; |
||||
cardos_ops.restore_security_env = cardos_restore_security_env; |
||||
cardos_ops.compute_signature = cardos_compute_signature; |
||||
+ cardos_ops.decipher = cardos_decipher; |
||||
|
||||
cardos_ops.list_files = cardos_list_files; |
||||
cardos_ops.check_sw = cardos_check_sw; |
||||
-- |
||||
2.9.3 |
||||
|
||||
|
||||
From 515f761f5564e91302ce672d30a24d6e6738e349 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Mon, 13 Mar 2017 15:15:48 +0100 |
||||
Subject: [PATCH 4/4] With older cards, use iso decipher |
||||
|
||||
--- |
||||
src/libopensc/card-cardos.c | 16 ++++++++++++++-- |
||||
1 file changed, 14 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c |
||||
index 39ec4ac..d479065 100644 |
||||
--- a/src/libopensc/card-cardos.c |
||||
+++ b/src/libopensc/card-cardos.c |
||||
@@ -992,10 +992,22 @@ cardos_decipher(struct sc_card *card, |
||||
|
||||
tmp = malloc(tmp_len); |
||||
r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len); |
||||
+ if (r < 0) |
||||
+ LOG_FUNC_RETURN(card->ctx, r); |
||||
+ |
||||
+ if (card->type != SC_CARD_TYPE_CARDOS_V5_3) { |
||||
+ /* XXX */ |
||||
+ memcpy(out, tmp, tmp_len); |
||||
+ outlen = tmp_len; |
||||
+ free(tmp); |
||||
+ LOG_FUNC_RETURN(card->ctx, r); |
||||
+ } |
||||
|
||||
/* add bogus padding, because the card removes it */ |
||||
- if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, |
||||
- tmp, r, out, &outlen, crgram_len) != SC_SUCCESS) |
||||
+ r = sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, |
||||
+ tmp, r, out, &outlen, crgram_len); |
||||
+ free(tmp); |
||||
+ if (r != SC_SUCCESS) |
||||
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
||||
out[1] = 0x02; /* this is encryption-padding */ |
||||
|
||||
-- |
||||
2.9.3 |
||||
|
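Review bot: cardos_decipher() (patch 3, extended by patch 4 at -992; the function's head lies outside that hunk) copies `tmp_len` bytes into `out` on the non-5.3 branch without comparing against `outlen`, so a caller whose buffer is smaller than `crgram_len` gets an out-of-bounds write, and the copy also carries whatever iso decipher left uninitialised beyond the `r` bytes it produced. The `malloc(tmp_len)` result is never checked before being handed to iso_ops->decipher, the `if (r < 0)` early return added in patch 4 leaks `tmp`, and the `outlen = tmp_len;` store is dead because `outlen` is a by-value parameter. A bounded version of that prefix follows; the sc_pkcs1_encode re-padding below it is unchanged. Separately, `card->type >= SC_CARD_TYPE_CARDOS_V5_0` in cardos_init (patch 1, -230) now depends on V5_3 sitting right after V5_0 in cards.h and will silently include any later entries; an explicit `== SC_CARD_TYPE_CARDOS_V5_0 || == SC_CARD_TYPE_CARDOS_V5_3` test matches the style of the other type checks in the same patch.
```c
	tmp = malloc(tmp_len);
	if (tmp == NULL)
		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
	r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len);
	if (r < 0) {
		free(tmp);
		LOG_FUNC_RETURN(card->ctx, r);
	}

	if (card->type != SC_CARD_TYPE_CARDOS_V5_3) {
		/* older cards: hand back exactly the bytes the ISO decipher produced */
		if ((size_t)r > outlen) {
			free(tmp);
			LOG_FUNC_RETURN(card->ctx, SC_ERROR_BUFFER_TOO_SMALL);
		}
		memcpy(out, tmp, (size_t)r);
		free(tmp);
		LOG_FUNC_RETURN(card->ctx, r);
	}
	/* … unchanged: sc_pkcs1_encode re-padding for CardOS 5.3 … */
```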
@ -0,0 +1,126 @@
@@ -0,0 +1,126 @@
|
||||
From 60dbebf511cf6112e5fc2c3549ce38881847b121 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Tue, 22 Aug 2017 10:46:26 +0200 |
||||
Subject: [PATCH] Parse the ECC parameters from TokenInfo (CHOICE in |
||||
AlgorithmInfo) |
||||
|
||||
Fixes #1134 |
||||
--- |
||||
src/libopensc/opensc.h | 1 + |
||||
src/libopensc/pkcs15.c | 40 +++++++++++++++++++++++++++++++++------- |
||||
2 files changed, 34 insertions(+), 7 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h |
||||
index f81f27e3a..688c14003 100644 |
||||
--- a/src/libopensc/opensc.h |
||||
+++ b/src/libopensc/opensc.h |
||||
@@ -163,6 +163,7 @@ extern "C" { |
||||
struct sc_supported_algo_info { |
||||
unsigned int reference; |
||||
unsigned int mechanism; |
||||
+ struct sc_object_id *parameters; /* OID for ECC, NULL for RSA */ |
||||
unsigned int operations; |
||||
struct sc_object_id algo_id; |
||||
unsigned int algo_ref; |
||||
diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c |
||||
index 05fe03061..ba99c8af9 100644 |
||||
--- a/src/libopensc/pkcs15.c |
||||
+++ b/src/libopensc/pkcs15.c |
||||
@@ -50,13 +50,19 @@ static const struct sc_asn1_entry c_asn1_twlabel[] = { |
||||
static const struct sc_asn1_entry c_asn1_algorithm_info[7] = { |
||||
{ "reference", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, |
||||
{ "algorithmPKCS#11", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, |
||||
- { "parameters", SC_ASN1_NULL, SC_ASN1_TAG_NULL, 0, NULL, NULL }, |
||||
+ { "parameters", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, |
||||
{ "supportedOperations",SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL }, |
||||
{ "objId", SC_ASN1_OBJECT, SC_ASN1_TAG_OBJECT, SC_ASN1_OPTIONAL, NULL, NULL }, |
||||
{ "algRef", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, |
||||
{ NULL, 0, 0, 0, NULL, NULL } |
||||
}; |
||||
|
||||
+static const struct sc_asn1_entry c_asn1_algorithm_info_parameters[3] = { |
||||
+ { "PKCS15RSAParameters",SC_ASN1_NULL, SC_ASN1_TAG_NULL, 0, NULL, NULL }, |
||||
+ { "PKCS15ECParameters", SC_ASN1_OBJECT, SC_ASN1_TAG_OBJECT, 0, NULL, NULL }, |
||||
+ { NULL, 0, 0, 0, NULL, NULL } |
||||
+}; |
||||
+ |
||||
/* |
||||
* in src/libopensc/types.h SC_MAX_SUPPORTED_ALGORITHMS defined as 8 |
||||
*/ |
||||
@@ -134,9 +140,11 @@ int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx, |
||||
u8 preferred_language[3]; |
||||
size_t lang_length = sizeof(preferred_language); |
||||
struct sc_asn1_entry asn1_supported_algorithms[SC_MAX_SUPPORTED_ALGORITHMS + 1], |
||||
- asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7]; |
||||
+ asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7], |
||||
+ asn1_algo_infos_parameters[SC_MAX_SUPPORTED_ALGORITHMS][3]; |
||||
size_t reference_len = sizeof(ti->supported_algos[0].reference); |
||||
size_t mechanism_len = sizeof(ti->supported_algos[0].mechanism); |
||||
+ size_t parameter_len = sizeof(ti->supported_algos[0].parameters); |
||||
size_t operations_len = sizeof(ti->supported_algos[0].operations); |
||||
size_t algo_ref_len = sizeof(ti->supported_algos[0].algo_ref); |
||||
|
||||
@@ -152,14 +160,22 @@ int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx, |
||||
sc_format_asn1_entry(asn1_twlabel, label, &label_len, 0); |
||||
sc_copy_asn1_entry(c_asn1_profile_indication, asn1_profile_indication); |
||||
|
||||
- for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++) |
||||
+ for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++) { |
||||
sc_copy_asn1_entry(c_asn1_algorithm_info, asn1_algo_infos[ii]); |
||||
+ sc_copy_asn1_entry(c_asn1_algorithm_info_parameters, |
||||
+ asn1_algo_infos_parameters[ii]); |
||||
+ } |
||||
sc_copy_asn1_entry(c_asn1_supported_algorithms, asn1_supported_algorithms); |
||||
|
||||
for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++) { |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 0, &ti->supported_algos[ii].reference, &reference_len, 0); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 1, &ti->supported_algos[ii].mechanism, &mechanism_len, 0); |
||||
- sc_format_asn1_entry(asn1_algo_infos[ii] + 2, NULL, NULL, 0); |
||||
+ sc_format_asn1_entry(asn1_algo_infos[ii] + 2, |
||||
+ asn1_algo_infos_parameters[ii], NULL, 0); |
||||
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 0, |
||||
+ NULL, NULL, 0); |
||||
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 1, |
||||
+ &ti->supported_algos[ii].parameters, ¶meter_len, 0); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 3, &ti->supported_algos[ii].operations, &operations_len, 0); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 4, &ti->supported_algos[ii].algo_id, NULL, 1); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 5, &ti->supported_algos[ii].algo_ref, &algo_ref_len, 0); |
||||
@@ -270,9 +286,11 @@ sc_pkcs15_encode_tokeninfo(sc_context_t *ctx, sc_pkcs15_tokeninfo_t *ti, |
||||
struct sc_asn1_entry asn1_toki_attrs[C_ASN1_TOKI_ATTRS_SIZE]; |
||||
struct sc_asn1_entry asn1_tokeninfo[2]; |
||||
struct sc_asn1_entry asn1_supported_algorithms[SC_MAX_SUPPORTED_ALGORITHMS + 1], |
||||
- asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7]; |
||||
+ asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7], |
||||
+ asn1_algo_infos_parameters[SC_MAX_SUPPORTED_ALGORITHMS][3]; |
||||
size_t reference_len = sizeof(ti->supported_algos[0].reference); |
||||
size_t mechanism_len = sizeof(ti->supported_algos[0].mechanism); |
||||
+ size_t parameter_len = sizeof(ti->supported_algos[0].parameters); |
||||
size_t operations_len = sizeof(ti->supported_algos[0].operations); |
||||
size_t algo_ref_len = sizeof(ti->supported_algos[0].algo_ref); |
||||
struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE]; |
||||
@@ -283,14 +301,22 @@ sc_pkcs15_encode_tokeninfo(sc_context_t *ctx, sc_pkcs15_tokeninfo_t *ti, |
||||
sc_copy_asn1_entry(c_asn1_last_update, asn1_last_update); |
||||
sc_copy_asn1_entry(c_asn1_profile_indication, asn1_profile_indication); |
||||
|
||||
- for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++) |
||||
+ for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++) { |
||||
sc_copy_asn1_entry(c_asn1_algorithm_info, asn1_algo_infos[ii]); |
||||
+ sc_copy_asn1_entry(c_asn1_algorithm_info_parameters, |
||||
+ asn1_algo_infos_parameters[ii]); |
||||
+ } |
||||
sc_copy_asn1_entry(c_asn1_supported_algorithms, asn1_supported_algorithms); |
||||
|
||||
for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++) { |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 0, &ti->supported_algos[ii].reference, &reference_len, 1); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 1, &ti->supported_algos[ii].mechanism, &mechanism_len, 1); |
||||
- sc_format_asn1_entry(asn1_algo_infos[ii] + 2, NULL, NULL, 0); |
||||
+ sc_format_asn1_entry(asn1_algo_infos[ii] + 2, |
||||
+ asn1_algo_infos_parameters[ii], NULL, 0); |
||||
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 0, |
||||
+ NULL, NULL, 0); |
||||
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 1, |
||||
+ &ti->supported_algos[ii].parameters, ¶meter_len, 0); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 3, &ti->supported_algos[ii].operations, &operations_len, 1); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 4, &ti->supported_algos[ii].algo_id, NULL, 1); |
||||
sc_format_asn1_entry(asn1_algo_infos[ii] + 5, &ti->supported_algos[ii].algo_ref, &algo_ref_len, 1); |
||||
|
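Review bot: The new `parameters` entry in sc_pkcs15_parse_tokeninfo (hunk at -152) is formatted with `&ti->supported_algos[ii].parameters`, the address of a pointer member, and `parameter_len` equal to the size of that pointer, whereas the existing SC_ASN1_OBJECT entry two lines further down (`objId`) passes the address of an actual `struct sc_object_id` (`&...algo_id`) with a NULL length. If the decoder writes a `struct sc_object_id` through the entry's parm, as the objId entry implies, the write is far larger than a pointer and runs into `operations` and `algo_id` of the same element; the same formatting is repeated in the sc_pkcs15_encode_tokeninfo hunk at -283. Either give the member storage — `struct sc_object_id parameters;` in opensc.h, formatted as `sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 1, &ti->supported_algos[ii].parameters, NULL, 0);` — or allocate a `struct sc_object_id` per entry and pass that pointer, mirroring objId. Changing the member type alters the public struct layout, so the header comment should then state how an RSA entry (no OID) is told apart from an EC one.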
@ -0,0 +1,68 @@
@@ -0,0 +1,68 @@
|
||||
From a4b6b9630eb2ee684bbf1560a93b3075c7eb58ab Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Tue, 4 Jul 2017 14:25:50 +0200 |
||||
Subject: [PATCH] [coolkey] Copy labels from certificate objects to the keys |
||||
|
||||
--- |
||||
src/libopensc/pkcs15-coolkey.c | 33 ++++++++++++++++++++++++++++++++- |
||||
1 file changed, 32 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c |
||||
index 5064a0f4f..a5f457acd 100644 |
||||
--- a/src/libopensc/pkcs15-coolkey.c |
||||
+++ b/src/libopensc/pkcs15-coolkey.c |
||||
@@ -484,7 +484,7 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) |
||||
sc_card_t *card = p15card->card; |
||||
sc_serial_number_t serial; |
||||
int count; |
||||
- |
||||
+ struct sc_pkcs15_object *obj; |
||||
|
||||
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
||||
|
||||
@@ -558,6 +558,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) |
||||
|
||||
|
||||
memset(&obj_obj, 0, sizeof(obj_obj)); |
||||
+ /* coolkey applets have label only on the certificates, |
||||
+ * but we should copy it also to the keys maching the same ID */ |
||||
coolkey_get_attribute_bytes(card, &coolkey_obj, CKA_LABEL, (u8 *)obj_obj.label, &len, sizeof(obj_obj.label)); |
||||
coolkey_get_flags(card, &coolkey_obj, &obj_obj.flags); |
||||
if (obj_obj.flags & SC_PKCS15_CO_FLAG_PRIVATE) { |
||||
@@ -677,6 +679,35 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) |
||||
} |
||||
r = (card->ops->card_ctl)(card, SC_CARDCTL_COOLKEY_FINAL_GET_OBJECTS, &count); |
||||
|
||||
+ /* Iterate over all the created objects and fill missing labels */ |
||||
+ for (obj = p15card->obj_list; obj != NULL; obj = obj->next) { |
||||
+ struct sc_pkcs15_id *id = NULL; |
||||
+ struct sc_pkcs15_object *cert_object; |
||||
+ |
||||
+ /* label non-empty -- do not overwrite */ |
||||
+ if (obj->label[0] != '\0') |
||||
+ continue; |
||||
+ |
||||
+ switch (obj->type & SC_PKCS15_TYPE_CLASS_MASK) { |
||||
+ case SC_PKCS15_TYPE_PUBKEY: |
||||
+ id = &((struct sc_pkcs15_pubkey_info *)obj->data)->id; |
||||
+ break; |
||||
+ case SC_PKCS15_TYPE_PRKEY: |
||||
+ id = &((struct sc_pkcs15_prkey_info *)obj->data)->id; |
||||
+ break; |
||||
+ default: |
||||
+ /* We do not care about other objects */ |
||||
+ continue; |
||||
+ } |
||||
+ r = sc_pkcs15_find_cert_by_id(p15card, id, &cert_object); |
||||
+ if (r != 0) |
||||
+ continue; |
||||
+ |
||||
+ sc_log(card->ctx, "Copy label \"%s\" from cert to key object", |
||||
+ cert_object->label); |
||||
+ memcpy(obj->label, cert_object->label, SC_PKCS15_MAX_LABEL_SIZE); |
||||
+ } |
||||
+ |
||||
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
||||
} |
||||
|
||||
|
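Review bot: The comment added in the -558 hunk has a typo, `maching` → `matching`, and it sits above the certificate-attribute fetch rather than above the loop in the -677 hunk that actually performs the copy, so a reader has to search for the code it describes; moving it there, or shortening it to `/* coolkey labels live only on certificates; keys get them in the pass below */`, would help. In that loop `memcpy(obj->label, cert_object->label, SC_PKCS15_MAX_LABEL_SIZE)` assumes both `label` members are arrays of exactly that size, which is not visible here; `sizeof obj->label` states the assumption in code. A failed sc_pkcs15_find_cert_by_id() is deliberately skipped with `continue` and the function still returns SC_SUCCESS, which is reasonable for a best-effort label fill but deserves a one-line comment saying so.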
@ -0,0 +1,643 @@
@@ -0,0 +1,643 @@
|
||||
From 15163e6212aaf6b2dd5d7b432e5b13ca39496110 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Tue, 28 Feb 2017 16:12:31 +0100 |
||||
Subject: [PATCH 1/3] Coverity fixes for: |
||||
|
||||
card-cac.c |
||||
* CLANG_WARNING: The left operand of '<' is a garbage value |
||||
card-coolkey.c |
||||
* CLANG_WARNING: overwriting variable |
||||
* CPPCHECK_WARNING: memory leak / overwrite variable |
||||
* CLANG_WARNING: null pointer dereference |
||||
* UNUSED_VALUE: unused return value |
||||
card-gids.c |
||||
* CLANG_WARNING: Branch condition evaluates to a garbage value |
||||
* SIZEOF_MISMATCH: suspicious_sizeof |
||||
card-myeid.c |
||||
* RESOURCE_LEAK: Variable "buf" going out of scope leaks the storage it points to. |
||||
* CLANG_WARNING: overwriting variable |
||||
* (rewrite not to confuse coverity) |
||||
pkcs15-cac.c |
||||
* RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to. |
||||
pkcs15-coolkey.c |
||||
* UNUSED_VALUE: unused return value |
||||
pkcs15-piv.c |
||||
* RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to. |
||||
pkcs15-sc-hsm.c |
||||
* DEADCODE |
||||
pkcs11/framework-pkcs15.c |
||||
* RESOURCE_LEAK: Variable "p15_cert" going out of scope leaks the storage it points to. |
||||
pkcs15init/pkcs15-lib.c |
||||
* CLANG_WARNING: Assigned value is garbage or undefined |
||||
pkcs15init/pkcs15-myeid.c |
||||
* UNREACHABLE: Probably wrong placement of code block |
||||
tests/p15dump.c |
||||
* IDENTICAL_BRANCHES |
||||
pkcs15-init.c |
||||
* CLANG_WARNING: Potential leak of memory pointed to by 'args.der_encoded.value' |
||||
pkcs15-tool.c |
||||
* RESOURCE_LEAK: Variable "cert" going out of scope leaks the storage it points to. |
||||
* MISSING_BREAK: The above case falls through to this one. |
||||
sc-hsm-tool.c |
||||
* CLANG_WARNING: Potential leak of memory pointed to by 'sp' |
||||
westcos-tool.c |
||||
* FORWARD_NULL: Passing null pointer "pin" to "unlock_pin", which dereferences it. |
||||
* (rewrite not to confuse coverity) |
||||
--- |
||||
src/libopensc/card-cac.c | 2 +- |
||||
src/libopensc/card-coolkey.c | 7 +++++-- |
||||
src/libopensc/card-entersafe.c | 2 +- |
||||
src/libopensc/card-gids.c | 7 ++++++- |
||||
src/libopensc/card-myeid.c | 20 ++++++++++++-------- |
||||
src/libopensc/iso7816.c | 1 + |
||||
src/libopensc/pkcs15-cac.c | 5 ++++- |
||||
src/libopensc/pkcs15-coolkey.c | 2 ++ |
||||
src/libopensc/pkcs15-piv.c | 3 ++- |
||||
src/libopensc/pkcs15-sc-hsm.c | 6 ++---- |
||||
src/pkcs11/framework-pkcs15.c | 7 ++++++- |
||||
src/pkcs15init/pkcs15-lib.c | 2 +- |
||||
src/pkcs15init/pkcs15-myeid.c | 4 ++-- |
||||
src/tests/p15dump.c | 3 +-- |
||||
src/tools/pkcs15-init.c | 4 +++- |
||||
src/tools/pkcs15-tool.c | 11 ++++++++--- |
||||
src/tools/sc-hsm-tool.c | 2 ++ |
||||
src/tools/westcos-tool.c | 6 +++--- |
||||
18 files changed, 62 insertions(+), 32 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c |
||||
index d5f8585..788fb52 100644 |
||||
--- a/src/libopensc/card-cac.c |
||||
+++ b/src/libopensc/card-cac.c |
||||
@@ -467,7 +467,7 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l |
||||
size_t left = 0; |
||||
size_t len, next_len; |
||||
sc_apdu_t apdu; |
||||
- int r; |
||||
+ int r = SC_SUCCESS; |
||||
|
||||
|
||||
/* get the size */ |
||||
diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c |
||||
index c44febe..7672028 100644 |
||||
--- a/src/libopensc/card-coolkey.c |
||||
+++ b/src/libopensc/card-coolkey.c |
||||
@@ -1369,7 +1369,7 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj) |
||||
{ |
||||
int r; |
||||
size_t buf_len = obj->length; |
||||
- u8 *new_obj_data = malloc(buf_len); |
||||
+ u8 *new_obj_data = NULL; |
||||
sc_cardctl_coolkey_object_t *obj_entry; |
||||
coolkey_private_data_t * priv = COOLKEY_DATA(card); |
||||
|
||||
@@ -1413,7 +1413,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut |
||||
const u8 *obj = attribute->object->data; |
||||
const u8 *attr = NULL; |
||||
size_t buf_len = attribute->object->length; |
||||
- coolkey_object_header_t *object_head = (coolkey_object_header_t *)obj; |
||||
+ coolkey_object_header_t *object_head; |
||||
int attribute_count,i; |
||||
attribute->attribute_data_type = SC_CARDCTL_COOLKEY_ATTR_TYPE_STRING; |
||||
attribute->attribute_length = 0; |
||||
@@ -1434,6 +1434,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut |
||||
if (buf_len <= sizeof(coolkey_v0_object_header_t)) { |
||||
return SC_ERROR_CORRUPTED_DATA; |
||||
} |
||||
+ object_head = (coolkey_object_header_t *)obj; |
||||
object_record_type = object_head->record_type; |
||||
/* make sure it's a type we recognize */ |
||||
if ((object_record_type != COOLKEY_V1_OBJECT) && (object_record_type != COOLKEY_V0_OBJECT)) { |
||||
@@ -2183,6 +2184,8 @@ static int coolkey_initialize(sc_card_t *card) |
||||
continue; |
||||
} |
||||
r = coolkey_add_object(priv, object_id, NULL, object_len, 0); |
||||
+ if (r != SC_SUCCESS) |
||||
+ sc_log(card->ctx, "coolkey_add_object() returned %d", r); |
||||
|
||||
} |
||||
if (r != SC_ERROR_FILE_END_REACHED) { |
||||
diff --git a/src/libopensc/card-entersafe.c b/src/libopensc/card-entersafe.c |
||||
index 6e18252..1fe4102 100644 |
||||
--- a/src/libopensc/card-entersafe.c |
||||
+++ b/src/libopensc/card-entersafe.c |
||||
@@ -487,7 +487,7 @@ static int entersafe_select_fid(sc_card_t *card, |
||||
sc_file_t **file_out) |
||||
{ |
||||
int r; |
||||
- sc_file_t *file=0; |
||||
+ sc_file_t *file = NULL; |
||||
sc_path_t path; |
||||
|
||||
memset(&path, 0, sizeof(sc_path_t)); |
||||
diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c |
||||
index 51db9af..4db09f5 100644 |
||||
--- a/src/libopensc/card-gids.c |
||||
+++ b/src/libopensc/card-gids.c |
||||
@@ -668,6 +668,7 @@ static int gids_get_crypto_identifier_from_key_ref(sc_card_t *card, const unsign |
||||
if (index >= recordsnum) { |
||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS); |
||||
} |
||||
+ *cryptoidentifier = 0x00; /* initialize to zero */ |
||||
if (records[index].wKeyExchangeKeySizeBits == 1024 || records[index].wSigKeySizeBits == 1024) { |
||||
*cryptoidentifier = GIDS_RSA_1024_IDENTIFIER; |
||||
return SC_SUCCESS; |
||||
@@ -878,12 +879,16 @@ static int gids_read_public_key (struct sc_card *card , unsigned int algorithm, |
||||
if (keydata != NULL) { |
||||
rsa_key.modulus.data = (u8*) keydata; |
||||
rsa_key.modulus.len = len; |
||||
+ } else { |
||||
+ rsa_key.modulus.len = 0; |
||||
} |
||||
|
||||
keydata = sc_asn1_find_tag(card->ctx, keytemplate, tlen, GIDS_PUBKEY_TAG_EXPONENT, &len); |
||||
if (keydata != NULL) { |
||||
rsa_key.exponent.data = (u8*) keydata; |
||||
rsa_key.exponent.len = len; |
||||
+ } else { |
||||
+ rsa_key.exponent.len = 0; |
||||
} |
||||
|
||||
if (rsa_key.exponent.len && rsa_key.modulus.len) { |
||||
@@ -1453,7 +1458,7 @@ static int gids_import_key(sc_card_t *card, sc_pkcs15_object_t *object, sc_pkcs1 |
||||
SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_NORMAL, r, "unable to put the private key - key greater than 2048 bits ?"); |
||||
r = SC_SUCCESS; |
||||
err: |
||||
- sc_mem_clear(buffer, sizeof(buffer)); |
||||
+ sc_mem_clear(buffer, buflen); |
||||
LOG_FUNC_RETURN(card->ctx, r); |
||||
} |
||||
|
||||
diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c |
||||
index 0e75486..65c108f 100644 |
||||
--- a/src/libopensc/card-myeid.c |
||||
+++ b/src/libopensc/card-myeid.c |
||||
@@ -846,20 +846,24 @@ myeid_convert_ec_signature(struct sc_context *ctx, size_t s_len, unsigned char * |
||||
if (sig_len != (datalen - len_size - 1)) /* validate size of the DER structure */ |
||||
return SC_ERROR_INVALID_DATA; |
||||
|
||||
- buf = calloc(1, (s_len + 7)/8*2); |
||||
+ /* test&fail early */ |
||||
+ buflen = (s_len + 7)/8*2; |
||||
+ if (buflen > datalen) |
||||
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); |
||||
+ |
||||
+ buf = calloc(1, buflen); |
||||
if (!buf) |
||||
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); |
||||
- buflen = (s_len + 7)/8*2; |
||||
|
||||
r = sc_asn1_sig_value_sequence_to_rs(ctx, data, datalen, buf, buflen); |
||||
- if (r < 0) |
||||
+ if (r < 0) { |
||||
free(buf); |
||||
- LOG_TEST_RET(ctx, r, "Failed to cenvert Sig-Value to the raw RS format"); |
||||
- |
||||
- if (buflen > datalen) |
||||
- LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); |
||||
+ sc_log(ctx, "Failed to convert Sig-Value to the raw RS format"); |
||||
+ return r; |
||||
+ } |
||||
|
||||
memmove(data, buf, buflen); |
||||
+ free(buf); |
||||
return buflen; |
||||
} |
||||
|
||||
@@ -868,7 +872,7 @@ static int |
||||
myeid_compute_signature(struct sc_card *card, const u8 * data, size_t datalen, |
||||
u8 * out, size_t outlen) |
||||
{ |
||||
- struct sc_context *ctx = card->ctx; |
||||
+ struct sc_context *ctx; |
||||
struct sc_apdu apdu; |
||||
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; |
||||
u8 sbuf[SC_MAX_APDU_BUFFER_SIZE]; |
||||
diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c |
||||
index 296cf69..2539d1c 100644 |
||||
--- a/src/libopensc/iso7816.c |
||||
+++ b/src/libopensc/iso7816.c |
||||
@@ -392,6 +392,7 @@ iso7816_process_fci(struct sc_card *card, struct sc_file *file, |
||||
sc_log(ctx, " type: %s", type); |
||||
sc_log(ctx, " EF structure: %d", byte & 0x07); |
||||
sc_log(ctx, " tag 0x82: 0x%02x", byte); |
||||
+ /* FIXME: check return value? */ |
||||
sc_file_set_type_attr(file, &byte, 1); |
||||
} |
||||
} |
||||
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c |
||||
index 4894fe4..e0fa50b 100644 |
||||
--- a/src/libopensc/pkcs15-cac.c |
||||
+++ b/src/libopensc/pkcs15-cac.c |
||||
@@ -292,7 +292,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) |
||||
struct sc_pkcs15_object pubkey_obj; |
||||
struct sc_pkcs15_object prkey_obj; |
||||
sc_pkcs15_der_t cert_der; |
||||
- sc_pkcs15_cert_t *cert_out; |
||||
+ sc_pkcs15_cert_t *cert_out = NULL; |
||||
|
||||
r = (card->ops->card_ctl)(card, SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT, &obj_info); |
||||
|
||||
@@ -352,12 +352,14 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) |
||||
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); |
||||
if (r < 0 || cert_out->key == NULL) { |
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); |
||||
+ sc_pkcs15_free_certificate(cert_out); |
||||
continue; |
||||
} |
||||
|
||||
r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); |
||||
if (r < 0) { |
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, " Failed to add cert obj r=%d",r); |
||||
+ sc_pkcs15_free_certificate(cert_out); |
||||
continue; |
||||
} |
||||
/* set the token name to the name of the CN of the first certificate */ |
||||
@@ -393,6 +395,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) |
||||
usage, pubkey_info.usage, prkey_info.usage); |
||||
if (cert_out->key->algorithm != SC_ALGORITHM_RSA) { |
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"unsupported key.algorithm %d", cert_out->key->algorithm); |
||||
+ sc_pkcs15_free_certificate(cert_out); |
||||
continue; |
||||
} else { |
||||
pubkey_info.modulus_length = cert_out->key->u.rsa.modulus.len * 8; |
||||
diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c |
||||
index 487be19..de4920b 100644 |
||||
--- a/src/libopensc/pkcs15-coolkey.c |
||||
+++ b/src/libopensc/pkcs15-coolkey.c |
||||
@@ -667,6 +667,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) |
||||
} |
||||
|
||||
r = sc_pkcs15emu_object_add(p15card, obj_type, &obj_obj, obj_info); |
||||
+ if (r != SC_SUCCESS) |
||||
+ sc_log(card->ctx, "sc_pkcs15emu_object_add() returned %d", r); |
||||
fail: |
||||
if (key) { sc_pkcs15_free_pubkey(key); } |
||||
|
||||
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c |
||||
index bf72df0..5bd0fdf 100644 |
||||
--- a/src/libopensc/pkcs15-piv.c |
||||
+++ b/src/libopensc/pkcs15-piv.c |
||||
@@ -710,7 +710,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) |
||||
struct sc_pkcs15_cert_info cert_info; |
||||
struct sc_pkcs15_object cert_obj; |
||||
sc_pkcs15_der_t cert_der; |
||||
- sc_pkcs15_cert_t *cert_out; |
||||
+ sc_pkcs15_cert_t *cert_out = NULL; |
||||
|
||||
ckis[i].cert_found = 0; |
||||
ckis[i].key_alg = -1; |
||||
@@ -761,6 +761,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) |
||||
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); |
||||
if (r < 0 || cert_out->key == NULL) { |
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); |
||||
+ sc_pkcs15_free_certificate(cert_out); |
||||
continue; |
||||
} |
||||
/* |
||||
diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c |
||||
index 938ea9d..3f6b6e4 100644 |
||||
--- a/src/libopensc/pkcs15-sc-hsm.c |
||||
+++ b/src/libopensc/pkcs15-sc-hsm.c |
||||
@@ -460,6 +460,7 @@ static int sc_pkcs15emu_sc_hsm_get_ec_public_key(struct sc_context *ctx, sc_cvc_ |
||||
memcpy(pubkey->u.ec.params.der.value, ecp->der.value, ecp->der.len); |
||||
pubkey->u.ec.params.der.len = ecp->der.len; |
||||
|
||||
+ /* FIXME: check return value? */ |
||||
sc_pkcs15_fix_ec_parameters(ctx, &pubkey->u.ec.params); |
||||
|
||||
return SC_SUCCESS; |
||||
@@ -627,11 +628,8 @@ static int sc_pkcs15emu_sc_hsm_add_prkd(sc_pkcs15_card_t * p15card, u8 keyid) { |
||||
|
||||
len = sizeof efbin; |
||||
r = read_file(p15card, fid, efbin, &len); |
||||
- LOG_TEST_RET(card->ctx, r, "Could not read EF"); |
||||
|
||||
- if (r < 0) { |
||||
- return SC_SUCCESS; |
||||
- } |
||||
+ LOG_TEST_RET(card->ctx, r, "Could not read EF"); |
||||
|
||||
if (efbin[0] == 0x67) { /* Decode CSR and create public key object */ |
||||
sc_pkcs15emu_sc_hsm_add_pubkey(p15card, efbin, len, key_info, prkd.label); |
||||
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c |
||||
index 0c89d47..732e1e5 100644 |
||||
--- a/src/pkcs11/framework-pkcs15.c |
||||
+++ b/src/pkcs11/framework-pkcs15.c |
||||
@@ -571,8 +571,11 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj |
||||
/* Certificate object */ |
||||
rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object, |
||||
cert, &pkcs15_cert_ops, sizeof(struct pkcs15_cert_object)); |
||||
- if (rv < 0) |
||||
+ if (rv < 0) { |
||||
+ if (p15_cert != NULL) |
||||
+ sc_pkcs15_free_certificate(p15_cert); |
||||
return rv; |
||||
+ } |
||||
|
||||
object->cert_info = p15_info; |
||||
object->cert_data = p15_cert; |
||||
@@ -643,6 +646,8 @@ __pkcs15_create_pubkey_object(struct pkcs15_fw_data *fw_data, |
||||
object->pub_data = p15_key; |
||||
if (p15_key && object->pub_info->modulus_length == 0 && p15_key->algorithm == SC_ALGORITHM_RSA) |
||||
object->pub_info->modulus_length = 8 * p15_key->u.rsa.modulus.len; |
||||
+ } else if (pubkey->emulated && (fw_data->p15_card->flags & SC_PKCS15_CARD_FLAG_EMULATED)) { |
||||
+ sc_pkcs15_free_pubkey(p15_key); |
||||
} |
||||
|
||||
if (pubkey_object != NULL) |
||||
diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c |
||||
index c2fc2df..d1558e2 100644 |
||||
--- a/src/pkcs15init/pkcs15-lib.c |
||||
+++ b/src/pkcs15init/pkcs15-lib.c |
||||
@@ -760,7 +760,7 @@ sc_pkcs15init_add_app(struct sc_card *card, struct sc_profile *profile, |
||||
struct sc_pkcs15_object *pin_obj = NULL; |
||||
struct sc_app_info *app; |
||||
struct sc_file *df = profile->df_info->file; |
||||
- int r; |
||||
+ int r = SC_SUCCESS; |
||||
|
||||
LOG_FUNC_CALLED(ctx); |
||||
p15card->card = card; |
||||
diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c |
||||
index 9ed515d..6c93545 100644 |
||||
--- a/src/pkcs15init/pkcs15-myeid.c |
||||
+++ b/src/pkcs15init/pkcs15-myeid.c |
||||
@@ -510,10 +510,10 @@ myeid_store_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card, |
||||
keybits = key_info->field_length; |
||||
else |
||||
key_info->field_length = keybits; |
||||
- break; |
||||
- |
||||
+ |
||||
if (sc_card_find_ec_alg(p15card->card, keybits, &prkey->u.ec.params.id) == NULL) |
||||
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Unsupported algorithm or key size"); |
||||
+ break; |
||||
default: |
||||
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Store key failed: Unsupported key type"); |
||||
break; |
||||
diff --git a/src/tests/p15dump.c b/src/tests/p15dump.c |
||||
index 17ab86b..da8b4a3 100644 |
||||
--- a/src/tests/p15dump.c |
||||
+++ b/src/tests/p15dump.c |
||||
@@ -30,8 +30,7 @@ static int dump_objects(const char *what, int type) |
||||
printf("failed.\n"); |
||||
fprintf(stderr, "Error enumerating %s: %s\n", |
||||
what, sc_strerror(count)); |
||||
- if (SC_SUCCESS != sc_unlock(card)) |
||||
- return 1; |
||||
+ sc_unlock(card); |
||||
return 1; |
||||
} |
||||
if (count == 0) { |
||||
diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c |
||||
index a1b183d..a4fb1a9 100644 |
||||
--- a/src/tools/pkcs15-init.c |
||||
+++ b/src/tools/pkcs15-init.c |
||||
@@ -1318,8 +1318,10 @@ do_store_data_object(struct sc_profile *profile) |
||||
args.der_encoded.value = data; |
||||
args.der_encoded.len = datalen; |
||||
r = sc_lock(p15card->card); |
||||
- if (r < 0) |
||||
+ if (r < 0) { |
||||
+ free(data); |
||||
return r; |
||||
+ } |
||||
r = sc_pkcs15init_store_data_object(p15card, profile, &args, NULL); |
||||
sc_unlock(p15card->card); |
||||
} |
||||
diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c |
||||
index 092b9d9..e146753 100644 |
||||
--- a/src/tools/pkcs15-tool.c |
||||
+++ b/src/tools/pkcs15-tool.c |
||||
@@ -793,15 +793,18 @@ static int read_public_key(void) |
||||
|
||||
if (r == SC_ERROR_OBJECT_NOT_FOUND) { |
||||
fprintf(stderr, "Public key with ID '%s' not found.\n", opt_pubkey); |
||||
- return 2; |
||||
+ r = 2; |
||||
+ goto out; |
||||
} |
||||
if (r < 0) { |
||||
fprintf(stderr, "Public key enumeration failed: %s\n", sc_strerror(r)); |
||||
- return 1; |
||||
+ r = 1; |
||||
+ goto out; |
||||
} |
||||
if (!pubkey) { |
||||
fprintf(stderr, "Public key not available\n"); |
||||
- return 1; |
||||
+ r = 1; |
||||
+ goto out; |
||||
} |
||||
|
||||
r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len); |
||||
@@ -813,6 +816,7 @@ static int read_public_key(void) |
||||
free(pem_key.value); |
||||
} |
||||
|
||||
+out: |
||||
if (cert) |
||||
sc_pkcs15_free_certificate(cert); |
||||
else if (pubkey) |
||||
@@ -2097,6 +2101,7 @@ int main(int argc, char * const argv[]) |
||||
break; |
||||
case OPT_USE_PINPAD_DEPRECATED: |
||||
fprintf(stderr, "'--no-prompt' is deprecated , use '--use-pinpad' instead.\n"); |
||||
+ /* fallthrough */ |
||||
case OPT_USE_PINPAD: |
||||
opt_use_pinpad = 1; |
||||
break; |
||||
diff --git a/src/tools/sc-hsm-tool.c b/src/tools/sc-hsm-tool.c |
||||
index cce855f..029d991 100644 |
||||
--- a/src/tools/sc-hsm-tool.c |
||||
+++ b/src/tools/sc-hsm-tool.c |
||||
@@ -697,6 +697,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas |
||||
memset(inbuf, 0, sizeof(inbuf)); |
||||
if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) { |
||||
fprintf(stderr, "Input aborted\n"); |
||||
+ free(shares); |
||||
return -1; |
||||
} |
||||
p = (sp->x); |
||||
@@ -706,6 +707,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas |
||||
memset(inbuf, 0, sizeof(inbuf)); |
||||
if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) { |
||||
fprintf(stderr, "Input aborted\n"); |
||||
+ free(shares); |
||||
return -1; |
||||
} |
||||
binlen = 64; |
||||
diff --git a/src/tools/westcos-tool.c b/src/tools/westcos-tool.c |
||||
index 29b75dd..ff3d5e6 100644 |
||||
--- a/src/tools/westcos-tool.c |
||||
+++ b/src/tools/westcos-tool.c |
||||
@@ -91,8 +91,6 @@ static int finalize = 0; |
||||
static int install_pin = 0; |
||||
static int overwrite = 0; |
||||
|
||||
-static const char *pin = NULL; |
||||
-static const char *puk = NULL; |
||||
static char *cert = NULL; |
||||
|
||||
static int keylen = 0; |
||||
@@ -260,7 +258,7 @@ static int unlock_pin(sc_card_t *card, |
||||
} |
||||
else |
||||
{ |
||||
- if(pin == NULL || puk == NULL) |
||||
+ if(pin_value == NULL || puk_value == NULL) |
||||
{ |
||||
return SC_ERROR_INVALID_ARGUMENTS; |
||||
} |
||||
@@ -372,6 +370,8 @@ int main(int argc, char *argv[]) |
||||
RSA *rsa = NULL; |
||||
BIGNUM *bn = NULL; |
||||
BIO *mem = NULL; |
||||
+ static const char *pin = NULL; |
||||
+ static const char *puk = NULL; |
||||
|
||||
while (1) |
||||
{ |
||||
|
||||
From e73b2ad2e01cbcc3fdee471ce9692ab95a83b8a0 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Wed, 1 Mar 2017 09:45:17 +0100 |
||||
Subject: [PATCH 2/3] Sanitize call to sc_pkcs15_free_certificate() |
||||
|
||||
--- |
||||
src/libopensc/pkcs15-cac.c | 3 ++- |
||||
1 file changed, 2 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c |
||||
index e0fa50b..61c6430 100644 |
||||
--- a/src/libopensc/pkcs15-cac.c |
||||
+++ b/src/libopensc/pkcs15-cac.c |
||||
@@ -352,7 +352,8 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) |
||||
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); |
||||
if (r < 0 || cert_out->key == NULL) { |
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); |
||||
- sc_pkcs15_free_certificate(cert_out); |
||||
+ if (cert_out != NULL) |
||||
+ sc_pkcs15_free_certificate(cert_out); |
||||
continue; |
||||
} |
||||
|
||||
|
||||
From bdf452210f7fdbefe91df910025142b2e48b8ebc Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Wed, 1 Mar 2017 15:23:17 +0100 |
||||
Subject: [PATCH 3/3] Sanitize call to sc_pkcs15_free_certificate() in PIV too |
||||
|
||||
--- |
||||
src/libopensc/pkcs15-piv.c | 3 ++- |
||||
1 file changed, 2 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c |
||||
index 5bd0fdf..f6b6742 100644 |
||||
--- a/src/libopensc/pkcs15-piv.c |
||||
+++ b/src/libopensc/pkcs15-piv.c |
||||
@@ -761,7 +761,8 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) |
||||
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); |
||||
if (r < 0 || cert_out->key == NULL) { |
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); |
||||
- sc_pkcs15_free_certificate(cert_out); |
||||
+ if (cert_out != NULL) |
||||
+ sc_pkcs15_free_certificate(cert_out); |
||||
continue; |
||||
} |
||||
/* |
||||
From 389ffe590986c6ed42fa810874a52a51bac3ca26 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Thu, 23 Mar 2017 12:16:46 +0100 |
||||
Subject: [PATCH 1/3] Coverity: FORWARD_NULL -- copy&paste error |
||||
|
||||
--- |
||||
src/tools/gids-tool.c | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/tools/gids-tool.c b/src/tools/gids-tool.c |
||||
index 029c53f..84073b6 100644 |
||||
--- a/src/tools/gids-tool.c |
||||
+++ b/src/tools/gids-tool.c |
||||
@@ -277,7 +277,7 @@ static int changeAdminKey(sc_card_t* card, const char *so_pin, const char* new_k |
||||
|
||||
if (new_key == NULL) { |
||||
printf("Enter new admin key (48 hexadecimal characters) : "); |
||||
- util_getpass(&_so_pin, NULL, stdin); |
||||
+ util_getpass(&_new_key, NULL, stdin); |
||||
printf("\n"); |
||||
} else { |
||||
_new_key = (char *)new_key; |
||||
-- |
||||
2.9.3 |
||||
|
||||
|
||||
From 1133efa4fe4d9a0267486cadbd3f6d144c584645 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Thu, 23 Mar 2017 15:14:35 +0100 |
||||
Subject: [PATCH 2/3] CLANG_WARNING: Call to 'malloc' has an allocation size of |
||||
0 bytes |
||||
|
||||
--- |
||||
src/scconf/scconf.c | 2 ++ |
||||
1 file changed, 2 insertions(+) |
||||
|
||||
diff --git a/src/scconf/scconf.c b/src/scconf/scconf.c |
||||
index 7fcc301..678df3e 100644 |
||||
--- a/src/scconf/scconf.c |
||||
+++ b/src/scconf/scconf.c |
||||
@@ -411,6 +411,8 @@ char *scconf_list_strdup(const scconf_list * list, const char *filler) |
||||
if (filler) { |
||||
len += scconf_list_array_length(list) * (strlen(filler) + 1); |
||||
} |
||||
+ if (len == 0) |
||||
+ return NULL; |
||||
buf = malloc(len); |
||||
if (!buf) { |
||||
return NULL; |
||||
-- |
||||
2.9.3 |
||||
|
||||
|
||||
From f82bc2008d58348cafcbba30623fcb55dab5cb3a Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Thu, 23 Mar 2017 15:46:42 +0100 |
||||
Subject: [PATCH 3/3] Avoid malloc with 0 argument |
||||
|
||||
--- |
||||
src/libopensc/card-cac.c | 7 +++++-- |
||||
1 file changed, 5 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c |
||||
index 788fb52..6a5b5af 100644 |
||||
--- a/src/libopensc/card-cac.c |
||||
+++ b/src/libopensc/card-cac.c |
||||
@@ -670,12 +670,12 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx, |
||||
r = sc_decompress_alloc(&priv->cache_buf, &priv->cache_buf_len, |
||||
cert_ptr, cert_len, COMPRESSION_AUTO); |
||||
#else |
||||
- sc_log(card->ctx, "PIV compression not supported, no zlib"); |
||||
+ sc_log(card->ctx, "CAC compression not supported, no zlib"); |
||||
r = SC_ERROR_NOT_SUPPORTED; |
||||
#endif |
||||
if (r) |
||||
goto done; |
||||
- } else { |
||||
+ } else if (cert_len > 0) { |
||||
priv->cache_buf = malloc(cert_len); |
||||
if (priv->cache_buf == NULL) { |
||||
r = SC_ERROR_OUT_OF_MEMORY; |
||||
@@ -683,6 +683,9 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx, |
||||
} |
||||
priv->cache_buf_len = cert_len; |
||||
memcpy(priv->cache_buf, cert_ptr, cert_len); |
||||
+ } else { |
||||
+ sc_log(card->ctx, "Can't read zero-length certificate"); |
||||
+ goto done; |
||||
} |
||||
break; |
||||
default: |
||||
-- |
||||
2.9.3 |
||||
|
||||
|
@@ -0,0 +1,27 @@
|
||||
From ea4baf50d57a7a41164fedcd1b10fdb0438305c5 Mon Sep 17 00:00:00 2001 |
||||
From: AnthonyA <ascanio.alba7@gmail.com> |
||||
Date: Mon, 19 Mar 2018 15:58:21 +0800 |
||||
Subject: [PATCH] pkcs11-tool: make ECPoint behaviour standards compliant by |
||||
default |
||||
|
||||
Fixes #1286. The behaviour of pkcs11-tool will follow the standard - |
||||
send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will |
||||
write plain bytes. |
||||
--- |
||||
src/tools/pkcs11-tool.c | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c |
||||
index 876bba2dc..63e5c5f7f 100644 |
||||
--- a/src/tools/pkcs11-tool.c |
||||
+++ b/src/tools/pkcs11-tool.c |
||||
@@ -2632,7 +2632,7 @@ parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost) |
||||
header_len = point-gost->public.value; |
||||
memcpy(point, buf, point_len); |
||||
gost->public.len = header_len+point_len; |
||||
-#ifndef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding |
||||
+#ifdef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding |
||||
gost->public.len -= header_len; |
||||
gost->public.value += header_len; |
||||
#endif |
||||
|
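Review bot: `EC_POINT_NO_ASN1_OCTET_STRING` now selects the non-standard raw-point path instead of being the default, but nothing in the patch shows where that macro would be defined, and the commit text is the only place the switch is described. A short comment above the `#ifdef` in parse_ec_pkey, e.g. `/* define EC_POINT_NO_ASN1_OCTET_STRING at build time to strip the DER OCTET STRING header for cards that expect a raw EC point */`, would make the opt-in discoverable to anyone reading the code rather than the commit log. The body of parse_ec_pkey starts and ends outside the hunk.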
@@ -0,0 +1,50 @@
|
||||
From 74885fb1c174468cc0a505cd7404e228d465efd8 Mon Sep 17 00:00:00 2001 |
||||
From: AnthonyA <ascanio.alba7@gmail.com> |
||||
Date: Tue, 27 Mar 2018 00:48:05 +0000 |
||||
Subject: [PATCH] pkcs11-tool: allow mechanism to be specified in hexadecimal |
||||
|
||||
To support vendor mechanisms, let -m accept hexadecimal strings, |
||||
e.g., -m 0x80001234 |
||||
--- |
||||
doc/tools/pkcs11-tool.1.xml | 3 ++- |
||||
src/tools/pkcs11-tool.c | 5 ++++- |
||||
2 files changed, 6 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml |
||||
index f8d638b45..e78570b10 100644 |
||||
--- a/doc/tools/pkcs11-tool.1.xml |
||||
+++ b/doc/tools/pkcs11-tool.1.xml |
||||
@@ -231,7 +231,8 @@ |
||||
</term> |
||||
<listitem><para>Use the specified <replaceable>mechanism</replaceable> |
||||
for token operations. See <option>-M</option> for a list |
||||
- of mechanisms supported by your token.</para></listitem> |
||||
+ of mechanisms supported by your token. The mechanism can also be specified in |
||||
+ hexadecimal, e.g., <replaceable>0x80001234</replaceable>.</para></listitem> |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c |
||||
index 63e5c5f7f..484c019d8 100644 |
||||
--- a/src/tools/pkcs11-tool.c |
||||
+++ b/src/tools/pkcs11-tool.c |
||||
@@ -234,7 +234,7 @@ static const char *option_help[] = { |
||||
"Hash some data", |
||||
"Derive a secret key using another key and some data", |
||||
"Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations", |
||||
- "Specify mechanism (use -M for a list of supported mechanisms)", |
||||
+ "Specify mechanism (use -M for a list of supported mechanisms), or by hexadecimal, e.g., 0x80001234", |
||||
|
||||
"Log into the token first", |
||||
"Specify login type ('so', 'user', 'context-specific'; default:'user')", |
||||
@@ -6076,6 +6076,9 @@ static CK_MECHANISM_TYPE p11_name_to_mechanism(const char *name) |
||||
{ |
||||
struct mech_info *mi; |
||||
|
||||
+ if (strncasecmp("0x", name, 2) == 0) { |
||||
+ return strtoul(name, NULL, 0); |
||||
+ } |
||||
for (mi = p11_mechanisms; mi->name; mi++) { |
||||
if (!strcasecmp(mi->name, name) |
||||
|| (mi->short_name && !strcasecmp(mi->short_name, name))) |
||||
|
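Review bot: The hex path added to p11_name_to_mechanism calls `strtoul(name, NULL, 0)` with no end pointer and no errno check, so an argument such as `0x12zz` is silently accepted as mechanism 0x12 and an out-of-range value comes back as ULONG_MAX rather than being rejected. Parsing with an explicit end pointer in base 16 and returning only when the whole string was consumed lets malformed input fall through to the name-table lookup below, where the existing unknown-mechanism handling (outside the hunk) reports it; `errno` needs `<errno.h>` if the file does not already include it, which this hunk does not show. The `strncasecmp` prefix test also accepts `0X`, which base-16 parsing handles consistently. The rest of the function, including the table loop and its failure path, is outside the hunk.
```c
	if (strncasecmp("0x", name, 2) == 0) {
		char *end = NULL;
		unsigned long value;

		errno = 0;
		value = strtoul(name + 2, &end, 16);
		/* only a fully consumed, in-range hex number is taken as a
		 * mechanism id; anything else falls through to the name table */
		if (errno == 0 && end != name + 2 && *end == '\0')
			return (CK_MECHANISM_TYPE) value;
	}
	// … unchanged: name-table lookup …
```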
@@ -0,0 +1,62 @@
|
||||
From 645f678af24fc1e0f1559e0384f57f8fd35836b4 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 21 Jul 2017 11:30:47 +0200 |
||||
Subject: [PATCH 1/4] cac: Make the retransmitted APDU valid by restoring the |
||||
resplen |
||||
|
||||
--- |
||||
src/libopensc/card-cac.c | 1 + |
||||
1 file changed, 1 insertion(+) |
||||
|
||||
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c |
||||
index ed15ba0a8..47f9aaf0c 100644 |
||||
--- a/src/libopensc/card-cac.c |
||||
+++ b/src/libopensc/card-cac.c |
||||
@@ -1106,6 +1106,7 @@ static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc |
||||
r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
||||
if (apdu.sw1 == 0x6A && apdu.sw2 == 0x86) { |
||||
apdu.p2 = 0x00; |
||||
+ apdu.resplen = sizeof(buf); |
||||
if (sc_transmit_apdu(card, &apdu) == SC_SUCCESS) |
||||
r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
||||
} |
||||
|
||||
From a57407a5257b24edf313a4839c523a19cd8b0dc5 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 21 Jul 2017 13:09:14 +0200 |
||||
Subject: [PATCH 2/4] cac: Check SWs for all the APDUs and report the errors to |
||||
underlying layers |
||||
|
||||
--- |
||||
src/libopensc/card-cac.c | 4 +--- |
||||
1 file changed, 1 insertion(+), 3 deletions(-) |
||||
|
||||
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c |
||||
index 47f9aaf0c..f3b64a33d 100644 |
||||
--- a/src/libopensc/card-cac.c |
||||
+++ b/src/libopensc/card-cac.c |
||||
@@ -390,9 +390,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2, |
||||
goto err; |
||||
} |
||||
|
||||
- if (apdu.sw1 == 0x61) { |
||||
- r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
||||
- } |
||||
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
||||
|
||||
if (r < 0) { |
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Card returned error "); |
||||
diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c |
||||
--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old 2017-12-19 10:39:08.662925868 +0100 |
||||
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c 2017-12-19 10:39:58.665293224 +0100 |
||||
@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card |
||||
if (r < 0) { |
||||
goto fail; |
||||
} |
||||
+ if (len == 0) { |
||||
+ r = SC_ERROR_FILE_NOT_FOUND; |
||||
+ goto fail; |
||||
+ } |
||||
} |
||||
*out_len = size; |
||||
*out_buf = out; |
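Review bot: The new `len == 0` check in cac_read_file maps an empty read to `SC_ERROR_FILE_NOT_FOUND` without a comment or log line, and this third patch (the `diff -up` one) carries no From/Subject header explaining why an empty object should be reported as absent rather than as present but empty. A comment at the check such as `/* treat a zero-length object as absent -- presumably so callers never parse empty data; confirm against callers */`, plus an `sc_log(card->ctx, ...)` line mirroring the logging the file already uses, would make the intent reviewable. The surrounding loop and the `fail:` label are outside the hunk, so whether `out` is released on that path cannot be confirmed from here. The first two hunks (restoring `apdu.resplen` before the retransmit and checking the status word for every APDU) raise nothing.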
@@ -0,0 +1,137 @@
|
||||
From 066fdce95a3a58e312f52c4e14536b4b3a4f5e26 Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Tue, 9 May 2017 16:46:16 +0200 |
||||
Subject: [PATCH 1/3] If the underlying PKCS#15 structure does not provide |
||||
label for a certificate, try to use DN from the certificate. |
||||
|
||||
--- |
||||
src/libopensc/libopensc.exports | 1 + |
||||
src/pkcs11/framework-pkcs15.c | 31 +++++++++++++++++++++++++++++++ |
||||
2 files changed, 32 insertions(+) |
||||
|
||||
diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports |
||||
index 18f80374f..36cf57023 100644 |
||||
--- a/src/libopensc/libopensc.exports |
||||
+++ b/src/libopensc/libopensc.exports |
||||
@@ -208,6 +208,7 @@ sc_pkcs15_free_prkey_info |
||||
sc_pkcs15_free_pubkey |
||||
sc_pkcs15_free_pubkey_info |
||||
sc_pkcs15_get_application_by_type |
||||
+sc_pkcs15_get_name_from_dn |
||||
sc_pkcs15_get_object_guid |
||||
sc_pkcs15_get_object_id |
||||
sc_pkcs15_get_objects |
||||
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c |
||||
index 42c509356..f9063c8cc 100644 |
||||
--- a/src/pkcs11/framework-pkcs15.c |
||||
+++ b/src/pkcs11/framework-pkcs15.c |
||||
@@ -553,6 +553,30 @@ public_key_created(struct pkcs15_fw_data *fw_data, const struct sc_pkcs15_id *id |
||||
return SC_ERROR_OBJECT_NOT_FOUND; |
||||
} |
||||
|
||||
+static void |
||||
+pkcs15_cert_extract_label(struct pkcs15_cert_object *cert) |
||||
+{ |
||||
+ if (!cert || !cert->cert_p15obj || !cert->cert_data) |
||||
+ return; |
||||
+ |
||||
+ sc_log(context, "pkcs15_cert_extract_label() called. Current label: %s", cert->cert_p15obj->label); |
||||
+ |
||||
+ /* if we didn't get a label, set one based on the CN */ |
||||
+ if (*cert->cert_p15obj->label == '\0') { /* can't be NULL -- static array */ |
||||
+ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }}; |
||||
+ u8 *cn_name = NULL; |
||||
+ size_t cn_len = 0; |
||||
+ int rv = sc_pkcs15_get_name_from_dn(context, |
||||
+ cert->cert_data->subject, cert->cert_data->subject_len, |
||||
+ &cn_oid, &cn_name, &cn_len); |
||||
+ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name); |
||||
+ if (rv == SC_SUCCESS) { |
||||
+ memcpy(cert->cert_p15obj->label, cn_name, cn_len); |
||||
+ cert->cert_p15obj->label[cn_len] = '\0'; |
||||
+ } |
||||
+ free(cn_name); |
||||
+ } |
||||
+} |
||||
|
||||
static int |
||||
__pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_object *cert, |
||||
@@ -606,6 +627,9 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj |
||||
obj2->pub_genfrom = object; |
||||
object->cert_pubkey = obj2; |
||||
|
||||
+ /* Find missing labels for certificate */ |
||||
+ pkcs15_cert_extract_label(object); |
||||
+ |
||||
if (cert_object != NULL) |
||||
*cert_object = (struct pkcs15_any_object *) object; |
||||
|
||||
@@ -877,6 +901,9 @@ check_cert_data_read(struct pkcs15_fw_data *fw_data, struct pkcs15_cert_object * |
||||
if (!obj2->pub_data) |
||||
rv = sc_pkcs15_pubkey_from_cert(context, &cert->cert_data->data, &obj2->pub_data); |
||||
|
||||
+ /* Find missing labels for certificate */ |
||||
+ pkcs15_cert_extract_label(cert); |
||||
+ |
||||
/* now that we have the cert and pub key, lets see if we can bind anything else */ |
||||
pkcs15_bind_related_objects(fw_data); |
||||
|
||||
@@ -3165,6 +3192,10 @@ pkcs15_cert_get_attribute(struct sc_pkcs11_session *session, void *object, CK_AT |
||||
*(CK_BBOOL*)attr->pValue = FALSE; |
||||
break; |
||||
case CKA_LABEL: |
||||
+ if (check_cert_data_read(fw_data, cert) != 0) { |
||||
+ attr->ulValueLen = 0; |
||||
+ return CKR_OK; |
||||
+ } |
||||
len = strnlen(cert->cert_p15obj->label, sizeof cert->cert_p15obj->label); |
||||
check_attribute_buffer(attr, len); |
||||
memcpy(attr->pValue, cert->cert_p15obj->label, len); |
||||
|
||||
From 4d8b75c1f0a901d661ed00b29175e2fdaee940ca Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Fri, 19 May 2017 17:52:09 +0200 |
||||
Subject: [PATCH 2/3] Properly check bounds for long DNs |
||||
|
||||
--- |
||||
src/pkcs11/framework-pkcs15.c | 3 ++- |
||||
1 file changed, 2 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c |
||||
index f9063c8cc..863ad02a1 100644 |
||||
--- a/src/pkcs11/framework-pkcs15.c |
||||
+++ b/src/pkcs11/framework-pkcs15.c |
||||
@@ -566,8 +566,9 @@ pkcs15_cert_extract_label(struct pkcs15_cert_object *cert) |
||||
int rv = sc_pkcs15_get_name_from_dn(context, |
||||
cert->cert_data->subject, cert->cert_data->subject_len, |
||||
&cn_oid, &cn_name, &cn_len); |
||||
- sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name); |
||||
if (rv == SC_SUCCESS) { |
||||
+ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name); |
||||
+ cn_len = MIN(cn_len, SC_PKCS15_MAX_LABEL_SIZE-1); |
||||
memcpy(cert->cert_p15obj->label, cn_name, cn_len); |
||||
cert->cert_p15obj->label[cn_len] = '\0'; |
||||
} |
||||
|
||||
From 4621251bbff5cc1df826aa7fdc2aa7dfbae3c8ab Mon Sep 17 00:00:00 2001 |
||||
From: Jakub Jelen <jjelen@redhat.com> |
||||
Date: Mon, 22 May 2017 09:46:56 +0200 |
||||
Subject: [PATCH 3/3] Missing include |
||||
|
||||
--- |
||||
src/pkcs11/framework-pkcs15.c | 1 + |
||||
1 file changed, 1 insertion(+) |
||||
|
||||
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c |
||||
index 863ad02a1..ce890b7a1 100644 |
||||
--- a/src/pkcs11/framework-pkcs15.c |
||||
+++ b/src/pkcs11/framework-pkcs15.c |
||||
@@ -22,6 +22,7 @@ |
||||
#include <stdlib.h> |
||||
#include <string.h> |
||||
#include "libopensc/log.h" |
||||
+#include "libopensc/internal.h" |
||||
#include "libopensc/asn1.h" |
||||
#include "libopensc/cardctl.h" |
||||
#include "common/compat_strnlen.h" |
||||
|
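--- /dev/null
+++ b/opensc-0.16.0-lock.patch
@@ -0,0 +1,59 @@
+From 6b36a341c372f3dcec13c5ddee52fdb907a255a9 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 12 Apr 2017 17:42:54 +0200
+Subject: [PATCH 1/2] Make sure the lock is released when returning
+
+---
+src/pkcs11/framework-pkcs15.c | 12 ++++++++----
+1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index 2f78a63..3441b99 100644
+--- a/src/pkcs11/framework-pkcs15.c
++++ b/src/pkcs11/framework-pkcs15.c
+@@ -487,12 +487,16 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
+goto out;
+}
+
+- if (slot->p11card == NULL)
+- return CKR_TOKEN_NOT_PRESENT;
++ if (slot->p11card == NULL) {
++ rv = CKR_TOKEN_NOT_PRESENT;
++ goto out;
++ }
+
+fw_data = (struct pkcs15_fw_data *) slot->p11card->fws_data[slot->fw_data_idx];
+- if (!fw_data)
+- return sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
++ if (!fw_data) {
++ rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
++ goto out;
++ }
+p15card = fw_data->p15_card;
+
+/* User PIN flags are cleared before re-calculation */
+
+From 8e8f0ffdcc959f9dd7ea9036aea887917e961bd1 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 12 Apr 2017 17:43:32 +0200
+Subject: [PATCH 2/2] pkcs11-tool: Do not use unitialized data when
+C_GetTokenInfo() failed
+
+---
+src/tools/pkcs11-tool.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index ef5d2a6..555029d 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -1105,6 +1105,9 @@ static void show_token(CK_SLOT_ID slot)
+if (rv == CKR_TOKEN_NOT_RECOGNIZED) {
+printf(" (token not recognized)\n");
+return;
++ } else if (rv != CKR_OK) {
++ printf("C_GetTokenInfo() failed: rv = %s\n", CKR2Str(rv));
++ return;
+}
+if (!(info.flags & CKF_TOKEN_INITIALIZED) && (!verbose)) {
+printf(" token state: uninitialized\n");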
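--- /dev/null
+++ b/opensc-0.16.0-pinpad.patch
@@ -0,0 +1,13 @@
+diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in.pinpad OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in
+--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in.pinpad 2018-05-28 14:30:05.605085241 +0200
++++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in 2018-05-28 14:31:00.963495548 +0200
+@@ -101,7 +101,8 @@ app default {
+#
+# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
+# Default: true
+- # enable_pinpad = false;
++ # RHEL 7.6: Disabled by default, because of many broken readers
++ enable_pinpad = false;
+#
+# Use specific pcsc provider.
+# Default: @DEFAULT_PCSC_PROVIDER@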
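Review bot: The new comment `# RHEL 7.6: Disabled by default, because of many broken readers` sits directly under the untouched `# Default: true` line, so a reader of the shipped file sees two contradictory defaults; the built-in default is still true and this file overrides it, which the comment should say. It would also help operators to spell out the trade-off: with `enable_pinpad = false` the PIN is typed on the host keyboard and passed through the application rather than entered on the reader, so sites with a working pinpad reader should turn it back on. Suggested wording: `# Built-in default: true. RHEL 7.6 overrides it to false because of many broken readers; PIN entry then happens on the host keyboard, so set it to true if your pinpad reader works.`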
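--- /dev/null
+++ b/opensc-0.16.0-piv-cardholder-name.patch
@@ -0,0 +1,121 @@
+From bac1ced89dde5780ecb5014b3887e4fd81c7d81c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 18 Aug 2017 13:49:57 +0200
+Subject: [PATCH 1/3] Use shorter PIN name for default PIN to accomodate Card
+Holder name in future
+
+---
+src/libopensc/pkcs15-piv.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
+index d38d7ba73..7f9015dcc 100644
+--- a/src/libopensc/pkcs15-piv.c
++++ b/src/libopensc/pkcs15-piv.c
+@@ -359,7 +359,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+};
+
+static const pindata pins[] = {
+- { "01", "PIV Card Holder pin", "", 0x80,
++ { "01", "PIN", "", 0x80,
+/* label, flag and ref will change if using global pin */
+SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
+8, 4, 8,
+@@ -932,7 +932,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+pin_info.attrs.pin.reference = pin_ref;
+pin_info.attrs.pin.flags &= ~SC_PKCS15_PIN_FLAG_LOCAL;
+label = "Global PIN";
+- }
++ }
+sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
+strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
+pin_obj.flags = pins[i].obj_flags;
+
+From 74b070128c27e24aa67db041a049a9eee5dddcd6 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 18 Aug 2017 14:18:00 +0200
+Subject: [PATCH 2/3] Get cardholder name from the first certificate
+
+---
+src/libopensc/pkcs15-piv.c | 24 +++++++++++++++++++++++-
+1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
+index 7f9015dcc..6f3c9199d 100644
+--- a/src/libopensc/pkcs15-piv.c
++++ b/src/libopensc/pkcs15-piv.c
+@@ -613,7 +613,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+char buf[SC_MAX_SERIALNR * 2 + 1];
+common_key_info ckis[PIV_NUM_CERTS_AND_KEYS];
+int follows_nist_fascn = 0;
+-
++ char *token_name = NULL;
+
+SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+
+@@ -765,6 +765,30 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
+sc_pkcs15_free_certificate(cert_out);
+continue;
+}
++
++ /* set the token name to the name of the CN of the first certificate */
++ if (!token_name) {
++ u8 * cn_name = NULL;
++ size_t cn_len = 0;
++ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
++ r = sc_pkcs15_get_name_from_dn(card->ctx, cert_out->subject,
++ cert_out->subject_len, &cn_oid, &cn_name, &cn_len);
++ if (r == SC_SUCCESS) {
++ token_name = malloc (cn_len+1);
++ if (!token_name) {
++ sc_pkcs15_free_certificate(cert_out);
++ free(cn_name);
++ SC_FUNC_RETURN(card->ctx,
++ SC_ERROR_OUT_OF_MEMORY, r);
++ }
++ memcpy(token_name, cn_name, cn_len);
++ free(cn_name);
++ token_name[cn_len] = 0;
++ free(p15card->tokeninfo->label);
++ p15card->tokeninfo->label = token_name;
++ }
++ }
++
+/*
+* get keyUsage if present save in ckis[i]
+* Will only use it if this in a non FED issued card
+
+From 78c2b7b970a8c2d841552926a7f4c386c31abeb8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 21 Aug 2017 13:43:08 +0200
+Subject: [PATCH 3/3] Do not add non-informative PIN to the token label
+
+---
+src/pkcs11/framework-pkcs15.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index 5b3cb32e5..8ded1125b 100644
+--- a/src/pkcs11/framework-pkcs15.c
++++ b/src/pkcs11/framework-pkcs15.c
+@@ -1024,6 +1024,7 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
+struct sc_pkcs15_auth_info *pin_info = NULL;
+char label[64];
+
++ sc_log(context, "Called");
+pkcs15_init_token_info(p15card, &slot->token_info);
+slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
+if (auth != NULL)
+@@ -1048,9 +1049,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
+pin_info = NULL;
+}
+else {
+- if (auth->label[0])
++ if (auth->label[0] && strncmp(auth->label, "PIN", 4) != 0)
+snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);
+else
++ /* The PIN label is empty or says just non-useful "PIN" */
+snprintf(label, sizeof(label), "%s", p15card->tokeninfo->label);
+slot->token_info.flags |= CKF_LOGIN_REQUIRED;
+}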
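Review bot: In the second patch's hunk at `@@ -765,6 +765,30 @@`, the function-wide `r` is overwritten with the result of `sc_pkcs15_get_name_from_dn()` and is never restored when that lookup fails, so if the rest of the loop body (outside the hunk) inspects `r`, a certificate without a CN would be reported as an error from an unrelated step; a local `int name_r` for this lookup keeps the existing error handling intact. The CN is data read from the card and now becomes `p15card->tokeninfo->label`; the copy is exact-length and NUL-terminated, so no overflow is visible, but nothing filters control or non-printable bytes before the string reaches the PKCS#11 token label, which is worth a comment or a sanitising pass given that the card is outside the trust boundary. In the third patch, `strncmp(auth->label, "PIN", 4) != 0` reads like a prefix test but is an exact-match test against the 4-byte literal; a comment such as `/* exact match on "PIN" (incl. terminator), not a prefix check */` would save the next reader the same double-take.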
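--- /dev/null
+++ b/opensc-0.16.0-simpletlv.patch
@@ -0,0 +1,21 @@
+commit 602279acecb9aaff1154ac1e2993562741a57281
+Author: Jakub Jelen <jjelen@redhat.com>
+Date: Tue Jan 2 11:08:31 2018 +0100
+
+Skip correctly two bytes after reading 2b size
+
+diff --git a/src/libopensc/simpletlv.c b/src/libopensc/simpletlv.c
+index f526a1cd..ab0401b5 100644
+--- a/src/libopensc/simpletlv.c
++++ b/src/libopensc/simpletlv.c
+@@ -90,8 +90,9 @@ sc_simpletlv_read_tag(u8 **buf, size_t buflen, u8 *tag_out, size_t *taglen)
+*taglen = 0;
+return SC_ERROR_INVALID_ARGUMENTS;
+}
++ /* skip two bytes (the size) */
+len = lebytes2ushort(p);
+- p++;
++ p+=2;
+}
+*taglen = len;
+*buf = p;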
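Review bot: After `len = lebytes2ushort(p); p+=2;` the hunk stores `len` into `*taglen` and advances `*buf` without comparing `len` with the bytes still available in `buflen` after the tag and size bytes, so a length field larger than the remaining data would be handed to callers as-is; if a caller trusts `*taglen` without its own check, it reads past the buffer on a malformed or hostile card response. The start of `sc_simpletlv_read_tag` is outside the hunk, so such a check may already exist before this point; if it does not, rejecting oversized lengths here with the same error the preceding guard uses, e.g. `if (len > buflen - consumed) { *taglen = 0; return SC_ERROR_INVALID_ARGUMENTS; }` where `consumed` counts the tag and size bytes already read, keeps the contract local to the parser. The new comment `/* skip two bytes (the size) */` sits above the read rather than the `p+=2` it describes; moving it down one line, or wording it `/* read the 2-byte little-endian size, then skip it */`, matches the code.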
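--- /dev/null
+++ b/pkcs11-switch.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Paths, names and functions definitions
+NSSDB="/etc/pki/nssdb/"
+COOLKEY_NAME="CoolKey PKCS #11 Module"
+COOLKEY_LIBRARY="libcoolkeypk11.so"
+OPENSC_NAME="OpenSC PKCS #11 Module"
+OPENSC_LIBRARY="opensc-pkcs11.so"
+
+add_module() {
+NAME="$1"
+LIBRARY="$2"
+modutil -add "$NAME" -dbdir "$NSSDB" -libfile "$LIBRARY"
+}
+remove_module() {
+NAME="$1"
+modutil -delete "$NAME" -dbdir "$NSSDB" -force
+}
+
+# Parse arguments. If wrong, print usage
+TARGET="$1"
+if [ "$TARGET" = "" ]; then
+# Print currently installed module
+PRINT_CURRENT="1"
+elif [ "$TARGET" = "opensc" ] || [ "$TARGET" = "coolkey" ]; then
+: # Correct arguments
+else
+echo "Simple tool to switch between OpenSC and Coolkey PKCS#11 modules in main NSS DB."
+echo "Usage: $0 [coolkey|opensc]"
+echo " [coolkey|opensc] says which of the modules should be used."
+echo " The other one will be removed from database."
+echo
+echo " If there is no argument specified, prints the current module in NSS DB"
+exit 255
+fi
+
+if [ ! -x /usr/bin/modutil ]; then
+echo "The modutil is not installed. Please install package nss-util"
+exit 255
+fi
+
+# Find the current library in NSS DB
+CURRENT="" # none
+LIBS=$(modutil -rawlist -dbdir "$NSSDB" | grep "^library=")
+if echo "$LIBS" | grep "$COOLKEY_NAME" > /dev/null; then
+CURRENT="coolkey"
+fi
+if echo "$LIBS" | grep "$OPENSC_NAME" > /dev/null; then
+if [ -n "$CURRENT" ]; then
+CURRENT="opensc coolkey"
+echo "There are both modules in NSS DB, which is not recommended."
+echo "I will remove the other."
+else
+CURRENT="opensc"
+fi
+fi
+
+if [ "$PRINT_CURRENT" = "1" ]; then
+echo "$CURRENT"
+exit 0
+fi
+
+# Do we need to change something?
+if [ "$CURRENT" = "$TARGET" ]; then
+echo "The requested module is already in the NSS DB"
+exit 0
+fi
+
+# Do the actual change
+if [ "$TARGET" = "opensc" ]; then
+add_module "$OPENSC_NAME" "$OPENSC_LIBRARY"
+remove_module "$COOLKEY_NAME"
+fi
+if [ "$TARGET" = "coolkey" ]; then
+add_module "$COOLKEY_NAME" "$COOLKEY_LIBRARY"
+remove_module "$OPENSC_NAME"
+fi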
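Review bot: The exit status of `add_module` is ignored before `remove_module` runs in both branches of the final block, so a failed `modutil -add` (library not installed, database locked, or the module already registered when `CURRENT` is `"opensc coolkey"`) still deletes the other module and leaves the NSS DB with no PKCS#11 module at all, which is a worse state than the one the script started from. Make the removal conditional on the add succeeding, e.g. `add_module "$OPENSC_NAME" "$OPENSC_LIBRARY" || { echo "Adding $OPENSC_NAME failed; NSS DB left unchanged" >&2; exit 1; }` and the same for the coolkey branch. The detection step greps the raw `library=` lines for a human-readable module name, which presumably only works if modutil prints the name on the same line as the library; matching on `$COOLKEY_LIBRARY`/`$OPENSC_LIBRARY` instead would not depend on that. The script also tests for `/usr/bin/modutil` but then calls `modutil` through `$PATH`; invoking the checked path is more consistent.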
@ -0,0 +1,555 @@
@@ -0,0 +1,555 @@
|
||||
%global commit0 777e2a3751e3f6d53f056c98e9e20e42af674fb1 |
||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) |
||||
|
||||
Name: opensc |
||||
Version: 0.16.0 |
||||
Release: 10.20170227git%{shortcommit0}%{?dist} |
||||
Summary: Smart card library and applications |
||||
|
||||
Group: System Environment/Libraries |
||||
License: LGPLv2+ |
||||
URL: https://github.com/OpenSC/OpenSC/wiki |
||||
Source0: https://github.com/OpenSC/OpenSC/archive/%{commit0}.zip#/%{name}-%{version}-git%{shortcommit0}.zip |
||||
Source1: opensc.module |
||||
Source2: pkcs11-switch.sh |
||||
Patch0: opensc-0.16.0-coverity.patch |
||||
Patch1: opensc-0.16.0-cardos.patch |
||||
Patch2: opensc-0.16.0-lock.patch |
||||
# Use label from certificate DN if there is none (#1448555) |
||||
Patch3: opensc-0.16.0-labels-from-dn.patch |
||||
# Use Cardholder name in the token label (#1449740) |
||||
Patch4: opensc-0.16.0-piv-cardholder-name.patch |
||||
# Avoid infinite loop when reading CAC cards (#1473335) |
||||
Patch5: opensc-0.16.0-infinite-loop.patch |
||||
# Workaround for CAC Alt tokens (#1473418) |
||||
Patch6: opensc-0.16.0-cac-alt.patch |
||||
# Copy labels from certificate (#1448555) |
||||
Patch7: opensc-0.16.0-coolkey-labels.patch |
||||
# Properly parse multi-byte length (#1473418) |
||||
Patch8: opensc-0.16.0-simpletlv.patch |
||||
# Disable pinpad by default (#1547117, #1547744) |
||||
Patch9: opensc-0.16.0-pinpad.patch |
||||
# https://github.com/OpenSC/OpenSC/commit/74885fb |
||||
Patch10: opensc-0.16.0-hexadecimal-mechanism.patch |
||||
# https://github.com/OpenSC/OpenSC/commit/ea4baf5 |
||||
Patch11: opensc-0.16.0-ecdsa-ec-point.patch |
||||
# https://github.com/OpenSC/OpenSC/commit/60dbebf |
||||
Patch12: opensc-0.16.0-cardos5.patch |
||||
|
||||
BuildRequires: pcsc-lite-devel |
||||
BuildRequires: readline-devel |
||||
BuildRequires: openssl-devel |
||||
BuildRequires: /usr/bin/xsltproc |
||||
BuildRequires: docbook-style-xsl |
||||
BuildRequires: autoconf automake libtool |
||||
Requires: pcsc-lite-libs%{?_isa} |
||||
Requires: pcsc-lite |
||||
Obsoletes: mozilla-opensc-signer < 0.12.0 |
||||
Obsoletes: opensc-devel < 0.12.0 |
||||
|
||||
%description |
||||
OpenSC provides a set of libraries and utilities to work with smart cards. Its |
||||
main focus is on cards that support cryptographic operations, and facilitate |
||||
their use in security applications such as authentication, mail encryption and |
||||
digital signatures. OpenSC implements the PKCS#11 API so applications |
||||
supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On |
||||
the card OpenSC implements the PKCS#15 standard and aims to be compatible with |
||||
every software/card that does so, too. |
||||
|
||||
|
||||
%prep |
||||
%setup -q -n OpenSC-%{commit0} |
||||
%patch0 -p1 -b .coverity |
||||
%patch1 -p1 -b .cardos |
||||
%patch2 -p1 -b .lock |
||||
%patch3 -p1 -b .label |
||||
%patch4 -p1 -b .cardholder |
||||
%patch5 -p1 -b .infinite |
||||
%patch6 -p1 -b .cac-alt |
||||
%patch7 -p1 -b .coolkey-labels |
||||
%patch8 -p1 -b .simpletlv |
||||
%patch9 -p1 -b .pinpad |
||||
%patch10 -p1 -b .hex-mech |
||||
%patch11 -p1 -b .ec-point |
||||
%patch12 -p1 -b .cardos5 |
||||
|
||||
cp -p src/pkcs15init/README ./README.pkcs15init |
||||
cp -p src/scconf/README.scconf . |
||||
# No {_libdir} here to avoid multilib conflicts; it's just an example |
||||
sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.in |
||||
|
||||
|
||||
%build |
||||
autoreconf -fvi |
||||
sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in |
||||
sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths |
||||
%configure --disable-static \ |
||||
--disable-assert \ |
||||
--enable-pcsc \ |
||||
--enable-sm \ |
||||
--with-pcsc-provider=libpcsclite.so.1 |
||||
make %{?_smp_mflags} V=1 |
||||
|
||||
|
||||
%install |
||||
make install DESTDIR=$RPM_BUILD_ROOT |
||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf |
||||
install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf |
||||
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module |
||||
install -Dpm 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/pkcs11-switch |
||||
# use NEWS file timestamp as reference for configuration file |
||||
touch -r NEWS $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf |
||||
|
||||
find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" | xargs rm |
||||
|
||||
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc |
||||
|
||||
# Upstream considers libopensc API internal and no longer ships |
||||
# public headers and pkgconfig files. |
||||
# Remove the symlink as nothing is supposed to link against libopensc. |
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so |
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so |
||||
%if 0%{?rhel} |
||||
rm -rf %{buildroot}%{_sysconfdir}/bash_completion.d/ |
||||
%endif |
||||
|
||||
|
||||
%post -p /sbin/ldconfig |
||||
|
||||
%postun -p /sbin/ldconfig |
||||
|
||||
|
||||
%files |
||||
%defattr(-,root,root,-) |
||||
%doc COPYING NEWS README* |
||||
|
||||
%if ! 0%{?rhel} |
||||
%{_sysconfdir}/bash_completion.d/* |
||||
%endif |
||||
|
||||
%config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf |
||||
%{_datadir}/p11-kit/modules/opensc.module |
||||
%{_bindir}/cardos-tool |
||||
%{_bindir}/cryptoflex-tool |
||||
%{_bindir}/eidenv |
||||
%{_bindir}/iasecc-tool |
||||
%{_bindir}/gids-tool |
||||
%{_bindir}/netkey-tool |
||||
%{_bindir}/openpgp-tool |
||||
%{_bindir}/opensc-explorer |
||||
%{_bindir}/opensc-tool |
||||
%{_bindir}/piv-tool |
||||
%{_bindir}/pkcs11-tool |
||||
%{_bindir}/pkcs11-switch |
||||
%{_bindir}/pkcs15-crypt |
||||
%{_bindir}/pkcs15-init |
||||
%{_bindir}/pkcs15-tool |
||||
%{_bindir}/sc-hsm-tool |
||||
%{_bindir}/dnie-tool |
||||
%{_bindir}/westcos-tool |
||||
%{_libdir}/lib*.so.* |
||||
%{_libdir}/opensc-pkcs11.so |
||||
%{_libdir}/pkcs11-spy.so |
||||
%{_libdir}/onepin-opensc-pkcs11.so |
||||
%{_libdir}/pkgconfig/*.pc |
||||
%%dir %{_libdir}/pkcs11 |
||||
%{_libdir}/pkcs11/opensc-pkcs11.so |
||||
%{_libdir}/pkcs11/onepin-opensc-pkcs11.so |
||||
%{_libdir}/pkcs11/pkcs11-spy.so |
||||
%{_datadir}/opensc/ |
||||
%{_mandir}/man1/cardos-tool.1* |
||||
%{_mandir}/man1/cryptoflex-tool.1* |
||||
%{_mandir}/man1/eidenv.1* |
||||
%{_mandir}/man1/gids-tool.1* |
||||
%{_mandir}/man1/iasecc-tool.1* |
||||
%{_mandir}/man1/netkey-tool.1* |
||||
%{_mandir}/man1/openpgp-tool.1* |
||||
%{_mandir}/man1/opensc-explorer.* |
||||
%{_mandir}/man1/opensc-tool.1* |
||||
%{_mandir}/man1/piv-tool.1* |
||||
%{_mandir}/man1/pkcs11-tool.1* |
||||
%{_mandir}/man1/pkcs15-crypt.1* |
||||
%{_mandir}/man1/pkcs15-init.1* |
||||
%{_mandir}/man1/pkcs15-tool.1* |
||||
%{_mandir}/man1/sc-hsm-tool.1* |
||||
%{_mandir}/man1/westcos-tool.1* |
||||
%{_mandir}/man1/dnie-tool.1* |
||||
%{_mandir}/man5/*.5* |
||||
|
||||
|
||||
%changelog |
||||
* Tue Jul 03 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-10.20170227git |
||||
- Improve support for ECC-enabled CardOS 5.3 card (#1562277) |
||||
|
||||
* Tue Jun 19 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-9.20170227git |
||||
- make ECPoint behavior standards compliant by default (#1562572) |
||||
- allow mechanism to be specified in hexadecimal (#1562572) |
||||
- Disable pinpad by default (#1547117, #1547744) |
||||
|
||||
* Wed Jan 03 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-8.20170227git |
||||
- Copy labels from certificate (#1448555) |
||||
- Avoid infinite loop in CAC driver when reading non-CAC cards (#1473335) |
||||
- Properly parse Simple TLV structures in CAC driver (#1473418) |
||||
|
||||
* Tue Nov 07 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-7.20170227git |
||||
- Fix issues reported by Coverity |
||||
- Use upstream accepted fix for CAC Alt tokens (#1473418) |
||||
|
||||
* Fri Nov 03 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-6.20170227git |
||||
- Use label from certificate DN if there is none (#1448555) |
||||
- Use Cardholder name in the token label (#1449740) |
||||
- Avoid infinite loop when reading CAC cards (#1473335) |
||||
- Workaround for CAC Alt tokens (#1473418) |
||||
|
||||
* Thu May 18 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-5.20170227git |
||||
- Add missing pkcs11-switch script |
||||
|
||||
* Thu Apr 13 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-4.20170227git |
||||
- Release aquired lock for uninitialized ASEPCOS cards (#1376090) |
||||
|
||||
* Thu Mar 23 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-3.20170227git |
||||
- Fix more issues identified by Coverity scan |
||||
|
||||
* Thu Mar 23 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-2.20170227git |
||||
- Add support for CardOS 5.3 |
||||
- Fix coverity issues |
||||
- Provide simple tool to swith PKCS#11 library in NSS DB |
||||
|
||||
* Tue Jan 10 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-1.20170110git |
||||
- Rebase to OpenSC master with support for CAC cards (#1373164) |
||||
|
||||
* Thu Feb 25 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.14.0-2 |
||||
- Export PKCS#11 symbols from spy library (#1283305) |
||||
|
||||
* Thu Apr 23 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.14.0-1 |
||||
- Updated to opensc 0.14.0 |
||||
|
||||
* Fri Mar 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-9 |
||||
- Configuration file includes arch to allow it operate under multilib |
||||
|
||||
* Mon Mar 10 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-8 |
||||
- Ensure that variables are in scope when used (#1062307) |
||||
|
||||
* Tue Feb 25 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-7 |
||||
- Corrected path of opensc.module (#1060034) |
||||
|
||||
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.13.0-6 |
||||
- Mass rebuild 2014-01-24 |
||||
|
||||
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.13.0-5 |
||||
- Mass rebuild 2013-12-27 |
||||
|
||||
* Fri Mar 08 2013 Stef Walter <stefw@redhat.com> - 0.13.0-4 |
||||
- Use the standard name format for p11-kit module configs |
||||
- Put the p11-kit module config is the system location |
||||
|
||||
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.0-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild |
||||
|
||||
* Sun Jan 13 2013 Kalev Lember <kalevlember@gmail.com> - 0.13.0-2 |
||||
- Backport an upstream patch for fixing pkcs15 cert length calculation |
||||
|
||||
* Thu Jan 03 2013 Milan Broz <mbroz@redhat.com> - 0.13.0-1 |
||||
- Update to 0.13.0 (#890770) |
||||
- Remove no longer provided onepin-opensc-pkcs11.so. |
||||
- Add iasecc-tool, openpgp-tool and sc-hsm-tool. |
||||
|
||||
* Fri Jul 27 2012 Tomas Mraz <tmraz@redhat.com> - 0.12.2-6 |
||||
- Add a configuration file for p11-kit (#840504) |
||||
|
||||
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-5 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild |
||||
|
||||
* Sun Mar 4 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 0.12.2-4 |
||||
- Add patch for dso |
||||
|
||||
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild |
||||
|
||||
* Wed Aug 17 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.2-2 |
||||
- Rebuilt to fix trailing slashes in filelist from rpmbuild bug |
||||
|
||||
* Tue Jul 19 2011 Kalev Lember <kalevlember@gmail.com> - 0.12.2-1 |
||||
- Update to 0.12.2 (#722659) |
||||
|
||||
* Wed May 18 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.1-1 |
||||
- Update to 0.12.1 (#705743) |
||||
- Removed BR libtool-ltdl-devel to build with glibc's libdl instead |
||||
|
||||
* Tue Apr 12 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.0-4 |
||||
- drop multilib conflicting and duplicated doc file (#695368) |
||||
|
||||
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.0-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
||||
|
||||
* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-2 |
||||
- Disabled asserts |
||||
|
||||
* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-1 |
||||
- Update to 0.12.0 |
||||
- Removed and obsoleted mozilla-opensc-signer and opensc-devel subpackages |
||||
- Dropped patches which are now upstreamed |
||||
- It is no longer possible to build in both pcsc-lite and openct support, |
||||
so opensc now gets built exclusively with pcsc-lite. |
||||
|
||||
* Tue Dec 21 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-6 |
||||
- fix buffer overflow on rogue card serial numbers |
||||
|
||||
* Tue Oct 19 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-5 |
||||
- own the _libdir/pkcs11 subdirectory (#644527) |
||||
|
||||
* Tue Sep 7 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-4 |
||||
- fix build with new pcsc-lite |
||||
|
||||
* Wed Aug 11 2010 Rex Dieter <rdieter@fedoraproject.org> - 0.11.13-3 |
||||
- build against libassuan1 (f14+) |
||||
|
||||
* Wed Jun 9 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-2 |
||||
- replace file dependency (#601943) |
||||
|
||||
* Tue Feb 16 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.13-1 |
||||
- new upstream version |
||||
|
||||
* Sun Feb 14 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.12-2 |
||||
- Added patch to fix linking with the new --no-add-needed default (#564758) |
||||
|
||||
* Mon Dec 21 2009 Kalev Lember <kalev@smartlink.ee> - 0.11.12-1 |
||||
- new upstream version |
||||
- replaced %%define with %%global |
||||
- BR clean up from items not applicable to current Fedora releases |
||||
|
||||
* Tue Dec 8 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 0.11.11-2 |
||||
- Explicitly BR libassuan-static in accordance with the Packaging |
||||
Guidelines (libassuan-devel is still static-only). |
||||
|
||||
* Thu Nov 19 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.11-1 |
||||
- new upstream version |
||||
|
||||
* Tue Sep 29 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-2 |
||||
- fix multilib conflict in the configuration file (#526269) |
||||
|
||||
* Wed Sep 09 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-1 |
||||
- new upstream version |
||||
|
||||
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-5 |
||||
- rebuilt with new openssl |
||||
|
||||
* Mon Jul 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-4 |
||||
- Depend on specific arch of pcsc-lite-libs (reported by Kalev Lember) |
||||
|
||||
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.8-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild |
||||
|
||||
* Mon Jun 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-2 |
||||
- Rebuilt with new openct |
||||
|
||||
* Mon May 11 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-1 |
||||
- new upstream version - fixes security issue |
||||
|
||||
* Fri Feb 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.7-1 |
||||
- new upstream version - fixes CVE-2009-0368 |
||||
|
||||
* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.6-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
||||
|
||||
* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.6-2 |
||||
- Add explicit requires for pcsc-lite-libs. Dlopen libpcsclite with the full |
||||
soname. |
||||
|
||||
* Tue Sep 2 2008 Tomas Mraz <tmraz@redhat.com> - 0.11.6-1 |
||||
- Update to latest upstream, fixes CVE-2008-2235 |
||||
|
||||
* Thu Apr 10 2008 Hans de Goede <j.w.r.degoede@hhs.nl> - 0.11.4-5 |
||||
- BuildRequire libassuan-devel instead of libassuan-static (bz 441812) |
||||
|
||||
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.11.4-4 |
||||
- Autorebuild for GCC 4.3 |
||||
|
||||
* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 0.11.4-3 |
||||
- Rebuild for deps |
||||
|
||||
* Wed Dec 5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-2 |
||||
- Rebuild. |
||||
|
||||
* Mon Sep 10 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-1 |
||||
- 0.11.4. |
||||
|
||||
* Mon Aug 20 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-0.1.rc1 |
||||
- 0.11.4-rc1, pkcs11-tool usage message fix applied upstream. |
||||
- License: LGPLv2+ |
||||
|
||||
* Thu Jul 26 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-2 |
||||
- Fix pkcs11-tool usage message crash (#249702). |
||||
|
||||
* Tue Jul 17 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-1 |
||||
- 0.11.3. |
||||
|
||||
* Sat Jun 30 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre2 |
||||
- 0.11.3-pre2. |
||||
|
||||
* Thu Jun 21 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre1 |
||||
- 0.11.3-pre1. |
||||
|
||||
* Sun May 6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-2 |
||||
- Add explicit build dependency on ncurses-devel. |
||||
|
||||
* Sat May 5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-1 |
||||
- 0.11.2. |
||||
|
||||
* Tue Apr 24 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc2 |
||||
- 0.11.2-rc2. |
||||
|
||||
* Fri Mar 23 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc1 |
||||
- 0.11.2-rc1. |
||||
|
||||
* Thu Mar 15 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre6 |
||||
- 0.11.2-pre6. |
||||
|
||||
* Tue Mar 6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre4 |
||||
- 0.11.2-pre4. |
||||
- Require pinentry-gui instead of the pinentry executable in signer. |
||||
|
||||
* Sun Dec 3 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.1.pre3 |
||||
- 0.11.2-pre3. |
||||
- Build with new libassuan. |
||||
- Don't run autotools during build. |
||||
- Adjust to readline/termcap/ncurses changes. |
||||
|
||||
* Sat Oct 14 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-6 |
||||
- Rebuild with new libassuan. |
||||
|
||||
* Sun Oct 8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-5 |
||||
- Rebuild with new libassuan. |
||||
|
||||
* Mon Oct 2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-4 |
||||
- Rebuild. |
||||
|
||||
* Tue Sep 26 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-3 |
||||
- Rebuild with new libassuan. |
||||
|
||||
* Sat Sep 2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-2 |
||||
- Rebuild. |
||||
|
||||
* Wed May 31 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-1 |
||||
- 0.11.1. |
||||
- Avoid some multilib conflicts. |
||||
|
||||
* Sun May 7 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-2 |
||||
- Sync example paths in openct.conf with ctapi-common. |
||||
- Update URL. |
||||
|
||||
* Thu May 4 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-1 |
||||
- 0.11.0. |
||||
|
||||
* Thu Apr 27 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc2 |
||||
- 0.11.0-rc2. |
||||
|
||||
* Sat Apr 22 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc1 |
||||
- 0.11.0-rc1. |
||||
|
||||
* Mon Mar 6 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-3 |
||||
- Rebuild. |
||||
|
||||
* Wed Feb 15 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-2 |
||||
- Avoid standard rpaths on lib64 archs. |
||||
|
||||
* Sun Jan 8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-1 |
||||
- 0.10.1. |
||||
|
||||
* Wed Nov 9 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-1 |
||||
- 0.10.0. |
||||
- Adapt to modularized X.Org. |
||||
|
||||
* Wed Oct 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc2 |
||||
- 0.10.0-rc2. |
||||
- Install signer plugin only to plugin dir. |
||||
|
||||
* Sat Oct 22 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc1 |
||||
- 0.10.0-rc1. |
||||
|
||||
* Wed Oct 19 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.beta2.rc1 |
||||
- 0.10.0-beta2-rc1. |
||||
- Specfile cleanups. |
||||
|
||||
* Tue Apr 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.6-2 |
||||
- 0.9.6, build patch applied upstream. |
||||
- Package summary and description improvements. |
||||
- Drop explicit openct dependency. |
||||
|
||||
* Fri Mar 18 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-3 |
||||
- Fix FC4 build. |
||||
- Rename opensc-pam to pam_opensc per package naming guidelines. |
||||
|
||||
* Wed Feb 9 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.9.4-2 |
||||
- Substitute hardcoded 'lib' in OpenSSL checks for multi-lib platforms. |
||||
- Use --with-plugin-dir instead of --with-plugin-path (fixes x86_64). |
||||
|
||||
* Thu Feb 3 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-1 |
||||
- Drop unnecessary Epochs, pre-FC1 compat cruft, and no longer relevant |
||||
--with(out) rpmbuild options. |
||||
- Exclude *.la. |
||||
|
||||
* Wed Nov 3 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.4-0.fdr.1 |
||||
- Update to 0.9.4, parallel build patch applied upstream. |
||||
- Patch to fix library paths and LDFLAGS. |
||||
- Don't require mozilla, but the plugin dir in signer. |
||||
- Build with dependency tracking disabled. |
||||
|
||||
* Tue Jul 27 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.2 |
||||
- Building the signer plugin can be disabled with "--without signer". |
||||
Thanks to Fritz Elfert for the idea. |
||||
- Update description. |
||||
|
||||
* Sun Jul 25 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.1 |
||||
- Update to 0.9.2, old patches applied upstream. |
||||
- Add patch to fix parallel builds. |
||||
- Convert man pages to UTF-8. |
||||
|
||||
* Thu Jul 22 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.1-0.fdr.1 |
||||
- Update to 0.9.1 (preview). |
||||
|
||||
* Thu Jul 1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.0-0.fdr.0.1.alpha |
||||
- Update to 0.9.0-alpha. |
||||
|
||||
* Sat May 1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.8 |
||||
- Rebuild with libassuan 0.6.5. |
||||
|
||||
* Sat Jan 31 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.7 |
||||
- Rebuild with libassuan 0.6.3. |
||||
- Add gdm example to PAM quickstart. |
||||
|
||||
* Mon Jan 19 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.6 |
||||
- Use /%%{_lib} instead of hardcoding /lib. |
||||
|
||||
* Sat Dec 20 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.5 |
||||
- Split PAM support into a subpackage. |
||||
- Rebuild with libassuan 0.6.2. |
||||
|
||||
* Sun Nov 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.4 |
||||
- Rebuild with libassuan 0.6.1. |
||||
- Include PAM quickstart doc snippet. |
||||
|
||||
* Fri Nov 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.3 |
||||
- Require OpenCT. |
||||
|
||||
* Fri Oct 17 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.2 |
||||
- Install example config files as documentation. |
||||
|
||||
* Tue Oct 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.1 |
||||
- Update to 0.8.1. |
||||
|
||||
* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.2 |
||||
- Signer can be built with oldssl too. |
||||
|
||||
* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.1 |
||||
- Update to 0.8.0. |
||||
|
||||
* Wed Jul 30 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.2.cvs20030730 |
||||
- Update to 20030730. |
||||
- Clean up %%docs. |
||||
- Include *.la (uses ltdl). |
||||
- Own the %%{_libdir}/pkcs11 directory. |
||||
- Disable signer; assuan has disappeared from the tarball :( |
||||
|
||||
* Fri May 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.1.rc1 |
||||
- First build. |