powerel7
/
tui
2
0
Fork 0
Code Issues Pull Requests Releases Activity

opensc package update 

Signed-off-by: tuibuilder_pel7x64builder0 <tuibuilder@powerel.org>
master
tuibuilder_pel7x64builder0 2018-12-30 23:31:00 +01:00
parent 4576096a2d
commit 70151c938d
15 changed files with 2403 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

204
SOURCES/opensc-0.16.0-cac-alt.patch Normal file
View File

@ -0,0 +1,204 @@
From 6dc118e1c3b89c50cda1998de1d62fa6fa666e60 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 3 Nov 2017 10:55:35 +0100
Subject: [PATCH 1/3] Enable CAC ALT token card operations

---
src/libopensc/card-cac.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)

diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index 82f5c7869..bc0a754a5 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -229,6 +229,12 @@ static int cac_add_object_to_list(list_t *list, const cac_object_t *object)
#define CAC_1_RID "\xA0\x00\x00\x00\x79"
#define CAC_1_CM_AID "\xA0\x00\x00\x00\x30\x00\00"
+static const sc_path_t cac_ACA_Path = {
+ "", 0,
+ 0,0,SC_PATH_TYPE_DF_NAME,
+ { CAC_TO_AID(CAC_1_RID "\x10\x00") }
+};
+
static const sc_path_t cac_CCC_Path = {
"", 0,
0,0,SC_PATH_TYPE_DF_NAME,
@@ -284,6 +290,8 @@ static const cac_object_t cac_1_objects[] = {
static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
+static int cac_select_ACA(sc_card_t *card);
+
/*
* use the object id to find our object info on the object in our CAC-1 list
*/
@@ -815,6 +823,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
return cac_final_iterator(&priv->general_list);
case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
+ /* select ACA to be able to verify PIN */
+ cac_select_ACA(card);
return cac_final_iterator(&priv->pki_list);
}
@@ -1157,6 +1167,12 @@ static int cac_select_CCC(sc_card_t *card)
return cac_select_file_by_type(card, &cac_CCC_Path, NULL, SC_CARD_TYPE_CAC_II);
}
+/* Select ACA in non-standard location */
+static int cac_select_ACA(sc_card_t *card)
+{
+ return cac_select_file_by_type(card, &cac_ACA_Path, NULL, SC_CARD_TYPE_CAC_II);
+}
+
static int cac_path_from_cardurl(sc_card_t *card, sc_path_t *path, cac_card_url_t *val, int len)
{
if (len < 10) {
@@ -1476,6 +1492,23 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
}
}
+ /* Even some ALT tokens can be missing CCC so we should try with ACA */
+ r = cac_select_ACA(card);
+ if (r == SC_SUCCESS) {
+ r = cac_find_first_pki_applet(card, &index);
+ if (r == SC_SUCCESS) {
+ priv = cac_new_private_data();
+ if (!priv)
+ return SC_ERROR_OUT_OF_MEMORY;
+ r = cac_populate_cac_1(card, index, priv);
+ if (r == SC_SUCCESS) {
+ card->type = SC_CARD_TYPE_CAC_II;
+ card->drv_data = priv;
+ return r;
+ }
+ }
+ }
+
/* is this a CAC-1 specified in DoD "CAC Applet Developer Guide" version 1.0 September 2002 */
r = cac_find_first_pki_applet(card, &index);
if (r == SC_SUCCESS) {

From 68c52640a3eff078243fd2db627cf2d12fdd37de Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Nov 2017 12:37:40 +0100
Subject: [PATCH 2/3] Add the ACA path to the PIN structure if we have one

---
src/libopensc/card-cac.c | 25 +++++++++++++++++++------
src/libopensc/cardctl.h | 1 +
src/libopensc/pkcs15-cac.c | 6 ++++++
3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index bc0a754a5..178150d35 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -169,6 +169,7 @@ typedef struct cac_private_data {
cac_object_t *pki_current; /* current pki object _ctl function */
list_t general_list; /* list of general containers */
cac_object_t *general_current; /* current object for _ctl function */
+ sc_path_t *aca_path; /* ACA path to be selected before pin verification */
} cac_private_data_t;
#define CAC_DATA(card) ((cac_private_data_t*)card->drv_data)
@@ -207,6 +208,7 @@ static void cac_free_private_data(cac_private_data_t *priv)
{
free(priv->cac_id);
free(priv->cache_buf);
+ free(priv->aca_path);
list_destroy(&priv->pki_list);
list_destroy(&priv->general_list);
free(priv);
@@ -289,9 +291,6 @@ static const cac_object_t cac_1_objects[] = {
static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
-
-static int cac_select_ACA(sc_card_t *card);
-
/*
* use the object id to find our object info on the object in our CAC-1 list
*/
@@ -793,11 +792,21 @@ static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* seri
if (priv->cac_id_len) {
serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR);
memcpy(serial->value, priv->cac_id, priv->cac_id_len);
- SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
}
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
}
+static int cac_get_ACA_path(sc_card_t *card, sc_path_t *path)
+{
+ cac_private_data_t * priv = CAC_DATA(card);
+
+ SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
+ if (priv->aca_path) {
+ *path = *priv->aca_path;
+ }
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+}
static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
{
@@ -810,6 +819,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
}
switch(cmd) {
+ case SC_CARDCTL_CAC_GET_ACA_PATH:
+ return cac_get_ACA_path(card, (sc_path_t *) ptr);
case SC_CARDCTL_GET_SERIALNR:
return cac_get_serial_nr_from_CUID(card, (sc_serial_number_t *) ptr);
case SC_CARDCTL_CAC_INIT_GET_GENERIC_OBJECTS:
@@ -823,8 +834,6 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
return cac_final_iterator(&priv->general_list);
case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
- /* select ACA to be able to verify PIN */
- cac_select_ACA(card);
return cac_final_iterator(&priv->pki_list);
}
@@ -1502,6 +1511,10 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
return SC_ERROR_OUT_OF_MEMORY;
r = cac_populate_cac_1(card, index, priv);
if (r == SC_SUCCESS) {
+ priv->aca_path = malloc(sizeof(sc_path_t));
+ if (!priv->aca_path)
+ return SC_ERROR_OUT_OF_MEMORY;
+ memcpy(priv->aca_path, &cac_ACA_Path, sizeof(sc_path_t));
card->type = SC_CARD_TYPE_CAC_II;
card->drv_data = priv;
return r;
diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h
index b647b0537..b610eacc7 100644
--- a/src/libopensc/cardctl.h
+++ b/src/libopensc/cardctl.h
@@ -220,6 +220,7 @@ enum {
SC_CARDCTL_CAC_INIT_GET_CERT_OBJECTS,
SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT,
SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS,
+ SC_CARDCTL_CAC_GET_ACA_PATH,
/*
* AuthentIC v3
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
index fd463a9b4..ff87a2345 100644
--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
@@ -250,6 +250,12 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
pin_obj.flags = pins[i].obj_flags;
+ /* get the ACA path in case it needs to be selected before PIN verify */
+ r = sc_card_ctl(card, SC_CARDCTL_CAC_GET_ACA_PATH, &pin_info.path);
+ if (r < 0) {
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+ }
+
r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);
if (r < 0)
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);

240
SOURCES/opensc-0.16.0-cardos.patch Normal file
View File

@ -0,0 +1,240 @@
From bc496dfa59c1cfbc5c47c76511d5c6b7eff5cc6c Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 26 Jan 2017 17:11:24 +0100
Subject: [PATCH 1/4] Set security context for CardOS 5.3 with p1=0x41 (as
Coolkey does)

---
src/libopensc/card-cardos.c | 16 +++++++++++-----
src/libopensc/cards.h | 1 +
2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index 0c14b32..008ce5c 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -59,7 +59,7 @@ static struct sc_atr_table cardos_atrs[] = {
/* CardOS v5.0 */
{ "3b:d2:18:00:81:31:fe:58:c9:01:14", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
/* CardOS v5.3 */
- { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL},
+ { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL},
{ NULL, NULL, NULL, 0, 0, NULL }
};
@@ -84,6 +84,8 @@ static int cardos_match_card(sc_card_t *card)
return 1;
if (card->type == SC_CARD_TYPE_CARDOS_V5_0)
return 1;
+ if (card->type == SC_CARD_TYPE_CARDOS_V5_3)
+ return 1;
if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
int rv;
sc_apdu_t apdu;
@@ -195,7 +197,8 @@ static int cardos_init(sc_card_t *card)
|| card->type == SC_CARD_TYPE_CARDOS_M4_2B
|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
|| card->type == SC_CARD_TYPE_CARDOS_M4_4
- || card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+ || card->type == SC_CARD_TYPE_CARDOS_V5_0
+ || card->type == SC_CARD_TYPE_CARDOS_V5_3) {
rsa_2048 = 1;
card->caps |= SC_CARD_CAP_APDU_EXT;
}
@@ -230,7 +233,7 @@ static int cardos_init(sc_card_t *card)
_sc_card_add_rsa_alg(card, 2048, flags, 0);
}
- if (card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+ if (card->type >= SC_CARD_TYPE_CARDOS_V5_0) {
/* Starting with CardOS 5, the card supports PIN query commands */
card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO;
}
@@ -249,7 +252,7 @@ static const struct sc_card_error cardos_errors[] = {
{ 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"},
{ 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"},
-/* the card doesn't now thic combination of ins+cla+p1+p2 */
+/* the card doesn't now this combination of ins+cla+p1+p2 */
/* i.e. command will never work */
{ 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"},
{ 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"},
@@ -781,6 +784,8 @@ cardos_set_security_env(sc_card_t *card,
if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) {
cardos_restore_security_env(card, 0x30);
apdu.p1 = 0xF1;
+ } else if (card->type == SC_CARD_TYPE_CARDOS_V5_3) {
+ apdu.p1 = 0x41;
} else {
apdu.p1 = 0x01;
}
@@ -1235,7 +1240,8 @@ cardos_logout(sc_card_t *card)
|| card->type == SC_CARD_TYPE_CARDOS_M4_2C
|| card->type == SC_CARD_TYPE_CARDOS_M4_3
|| card->type == SC_CARD_TYPE_CARDOS_M4_4
- || card->type == SC_CARD_TYPE_CARDOS_V5_0) {
+ || card->type == SC_CARD_TYPE_CARDOS_V5_0
+ || card->type == SC_CARD_TYPE_CARDOS_V5_3) {
sc_apdu_t apdu;
int r;
sc_path_t path;
diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
index d71c02f..9f8f641 100644
--- a/src/libopensc/cards.h
+++ b/src/libopensc/cards.h
@@ -47,6 +47,7 @@ enum {
SC_CARD_TYPE_CARDOS_CIE_V1, /* Italian CIE (eID) v1 */
SC_CARD_TYPE_CARDOS_M4_4,
SC_CARD_TYPE_CARDOS_V5_0,
+ SC_CARD_TYPE_CARDOS_V5_3,
/* flex/cyberflex drivers */
SC_CARD_TYPE_FLEX_BASE = 2000,
--
2.9.3


From 5dec534cf07e45ffb0209a53d6145022ecd9259a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 30 Jan 2017 14:33:05 +0100
Subject: [PATCH 2/4] Do not emulate signatures in CardOS 5.3

Remove the bogus SC_ALGORITHM_NEED_USAGE which prevents using the
actual implementation in cardos_compute_signature().

It might be bogus also in previous version, but I don't have a way
to verify against these cards.
---
src/libopensc/card-cardos.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index 008ce5c..a21e67a 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -177,11 +177,13 @@ static int cardos_init(sc_card_t *card)
card->cla = 0x00;
/* Set up algorithm info. */
- flags = SC_ALGORITHM_NEED_USAGE
- | SC_ALGORITHM_RSA_RAW
+ flags = SC_ALGORITHM_RSA_RAW
| SC_ALGORITHM_RSA_HASH_NONE
| SC_ALGORITHM_ONBOARD_KEY_GEN
;
+ if (card->type != SC_CARD_TYPE_CARDOS_V5_3)
+ flags |= SC_ALGORITHM_NEED_USAGE;
+
_sc_card_add_rsa_alg(card, 512, flags, 0);
_sc_card_add_rsa_alg(card, 768, flags, 0);
_sc_card_add_rsa_alg(card, 1024, flags, 0);
@@ -252,7 +254,7 @@ static const struct sc_card_error cardos_errors[] = {
{ 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"},
{ 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"},
-/* the card doesn't now this combination of ins+cla+p1+p2 */
+/* the card doesn't know this combination of ins+cla+p1+p2 */
/* i.e. command will never work */
{ 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"},
{ 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"},
--
2.9.3


From 057197c7abf29715a2b7793045c35adf2a34dc17 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 10 Mar 2017 16:37:43 +0100
Subject: [PATCH 3/4] Hack for returning the padding back in CardOS 5.3

---
src/libopensc/card-cardos.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)

diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index a21e67a..39ec4ac 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -979,6 +979,30 @@ cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen,
}
static int
+cardos_decipher(struct sc_card *card,
+ const u8 * crgram, size_t crgram_len,
+ u8 * out, size_t outlen)
+{
+ int r;
+ u8 *tmp = NULL;
+ size_t tmp_len = crgram_len;
+
+ assert(card != NULL && crgram != NULL && out != NULL);
+ LOG_FUNC_CALLED(card->ctx);
+
+ tmp = malloc(tmp_len);
+ r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len);
+
+ /* add bogus padding, because the card removes it */
+ if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1,
+ tmp, r, out, &outlen, crgram_len) != SC_SUCCESS)
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
+ out[1] = 0x02; /* this is encryption-padding */
+
+ LOG_FUNC_RETURN(card->ctx, outlen);
+}
+
+static int
cardos_lifecycle_get(sc_card_t *card, int *mode)
{
sc_apdu_t apdu;
@@ -1278,6 +1302,7 @@ static struct sc_card_driver * sc_get_driver(void)
cardos_ops.set_security_env = cardos_set_security_env;
cardos_ops.restore_security_env = cardos_restore_security_env;
cardos_ops.compute_signature = cardos_compute_signature;
+ cardos_ops.decipher = cardos_decipher;
cardos_ops.list_files = cardos_list_files;
cardos_ops.check_sw = cardos_check_sw;
--
2.9.3


From 515f761f5564e91302ce672d30a24d6e6738e349 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 13 Mar 2017 15:15:48 +0100
Subject: [PATCH 4/4] With older cards, use iso decipher

---
src/libopensc/card-cardos.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index 39ec4ac..d479065 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -992,10 +992,22 @@ cardos_decipher(struct sc_card *card,
tmp = malloc(tmp_len);
r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len);
+ if (r < 0)
+ LOG_FUNC_RETURN(card->ctx, r);
+
+ if (card->type != SC_CARD_TYPE_CARDOS_V5_3) {
+ /* XXX */
+ memcpy(out, tmp, tmp_len);
+ outlen = tmp_len;
+ free(tmp);
+ LOG_FUNC_RETURN(card->ctx, r);
+ }
/* add bogus padding, because the card removes it */
- if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1,
- tmp, r, out, &outlen, crgram_len) != SC_SUCCESS)
+ r = sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1,
+ tmp, r, out, &outlen, crgram_len);
+ free(tmp);
+ if (r != SC_SUCCESS)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
out[1] = 0x02; /* this is encryption-padding */
--
2.9.3

126
SOURCES/opensc-0.16.0-cardos5.patch Normal file
View File

@ -0,0 +1,126 @@
From 60dbebf511cf6112e5fc2c3549ce38881847b121 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 22 Aug 2017 10:46:26 +0200
Subject: [PATCH] Parse the ECC parameters from TokenInfo (CHOICE in
AlgorithmInfo)

Fixes #1134
---
src/libopensc/opensc.h | 1 +
src/libopensc/pkcs15.c | 40 +++++++++++++++++++++++++++++++++-------
2 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
index f81f27e3a..688c14003 100644
--- a/src/libopensc/opensc.h
+++ b/src/libopensc/opensc.h
@@ -163,6 +163,7 @@ extern "C" {
struct sc_supported_algo_info {
unsigned int reference;
unsigned int mechanism;
+ struct sc_object_id *parameters; /* OID for ECC, NULL for RSA */
unsigned int operations;
struct sc_object_id algo_id;
unsigned int algo_ref;
diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
index 05fe03061..ba99c8af9 100644
--- a/src/libopensc/pkcs15.c
+++ b/src/libopensc/pkcs15.c
@@ -50,13 +50,19 @@ static const struct sc_asn1_entry c_asn1_twlabel[] = {
static const struct sc_asn1_entry c_asn1_algorithm_info[7] = {
{ "reference", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL },
{ "algorithmPKCS#11", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL },
- { "parameters", SC_ASN1_NULL, SC_ASN1_TAG_NULL, 0, NULL, NULL },
+ { "parameters", SC_ASN1_CHOICE, 0, 0, NULL, NULL },
{ "supportedOperations",SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL },
{ "objId", SC_ASN1_OBJECT, SC_ASN1_TAG_OBJECT, SC_ASN1_OPTIONAL, NULL, NULL },
{ "algRef", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL },
{ NULL, 0, 0, 0, NULL, NULL }
};
+static const struct sc_asn1_entry c_asn1_algorithm_info_parameters[3] = {
+ { "PKCS15RSAParameters",SC_ASN1_NULL, SC_ASN1_TAG_NULL, 0, NULL, NULL },
+ { "PKCS15ECParameters", SC_ASN1_OBJECT, SC_ASN1_TAG_OBJECT, 0, NULL, NULL },
+ { NULL, 0, 0, 0, NULL, NULL }
+};
+
/*
* in src/libopensc/types.h SC_MAX_SUPPORTED_ALGORITHMS defined as 8
*/
@@ -134,9 +140,11 @@ int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx,
u8 preferred_language[3];
size_t lang_length = sizeof(preferred_language);
struct sc_asn1_entry asn1_supported_algorithms[SC_MAX_SUPPORTED_ALGORITHMS + 1],
- asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7];
+ asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7],
+ asn1_algo_infos_parameters[SC_MAX_SUPPORTED_ALGORITHMS][3];
size_t reference_len = sizeof(ti->supported_algos[0].reference);
size_t mechanism_len = sizeof(ti->supported_algos[0].mechanism);
+ size_t parameter_len = sizeof(ti->supported_algos[0].parameters);
size_t operations_len = sizeof(ti->supported_algos[0].operations);
size_t algo_ref_len = sizeof(ti->supported_algos[0].algo_ref);
@@ -152,14 +160,22 @@ int sc_pkcs15_parse_tokeninfo(sc_context_t *ctx,
sc_format_asn1_entry(asn1_twlabel, label, &label_len, 0);
sc_copy_asn1_entry(c_asn1_profile_indication, asn1_profile_indication);
- for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++)
+ for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++) {
sc_copy_asn1_entry(c_asn1_algorithm_info, asn1_algo_infos[ii]);
+ sc_copy_asn1_entry(c_asn1_algorithm_info_parameters,
+ asn1_algo_infos_parameters[ii]);
+ }
sc_copy_asn1_entry(c_asn1_supported_algorithms, asn1_supported_algorithms);
for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS; ii++) {
sc_format_asn1_entry(asn1_algo_infos[ii] + 0, &ti->supported_algos[ii].reference, &reference_len, 0);
sc_format_asn1_entry(asn1_algo_infos[ii] + 1, &ti->supported_algos[ii].mechanism, &mechanism_len, 0);
- sc_format_asn1_entry(asn1_algo_infos[ii] + 2, NULL, NULL, 0);
+ sc_format_asn1_entry(asn1_algo_infos[ii] + 2,
+ asn1_algo_infos_parameters[ii], NULL, 0);
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 0,
+ NULL, NULL, 0);
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 1,
+ &ti->supported_algos[ii].parameters, &parameter_len, 0);
sc_format_asn1_entry(asn1_algo_infos[ii] + 3, &ti->supported_algos[ii].operations, &operations_len, 0);
sc_format_asn1_entry(asn1_algo_infos[ii] + 4, &ti->supported_algos[ii].algo_id, NULL, 1);
sc_format_asn1_entry(asn1_algo_infos[ii] + 5, &ti->supported_algos[ii].algo_ref, &algo_ref_len, 0);
@@ -270,9 +286,11 @@ sc_pkcs15_encode_tokeninfo(sc_context_t *ctx, sc_pkcs15_tokeninfo_t *ti,
struct sc_asn1_entry asn1_toki_attrs[C_ASN1_TOKI_ATTRS_SIZE];
struct sc_asn1_entry asn1_tokeninfo[2];
struct sc_asn1_entry asn1_supported_algorithms[SC_MAX_SUPPORTED_ALGORITHMS + 1],
- asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7];
+ asn1_algo_infos[SC_MAX_SUPPORTED_ALGORITHMS][7],
+ asn1_algo_infos_parameters[SC_MAX_SUPPORTED_ALGORITHMS][3];
size_t reference_len = sizeof(ti->supported_algos[0].reference);
size_t mechanism_len = sizeof(ti->supported_algos[0].mechanism);
+ size_t parameter_len = sizeof(ti->supported_algos[0].parameters);
size_t operations_len = sizeof(ti->supported_algos[0].operations);
size_t algo_ref_len = sizeof(ti->supported_algos[0].algo_ref);
struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
@@ -283,14 +301,22 @@ sc_pkcs15_encode_tokeninfo(sc_context_t *ctx, sc_pkcs15_tokeninfo_t *ti,
sc_copy_asn1_entry(c_asn1_last_update, asn1_last_update);
sc_copy_asn1_entry(c_asn1_profile_indication, asn1_profile_indication);
- for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++)
+ for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++) {
sc_copy_asn1_entry(c_asn1_algorithm_info, asn1_algo_infos[ii]);
+ sc_copy_asn1_entry(c_asn1_algorithm_info_parameters,
+ asn1_algo_infos_parameters[ii]);
+ }
sc_copy_asn1_entry(c_asn1_supported_algorithms, asn1_supported_algorithms);
for (ii=0; ii<SC_MAX_SUPPORTED_ALGORITHMS && ti->supported_algos[ii].reference; ii++) {
sc_format_asn1_entry(asn1_algo_infos[ii] + 0, &ti->supported_algos[ii].reference, &reference_len, 1);
sc_format_asn1_entry(asn1_algo_infos[ii] + 1, &ti->supported_algos[ii].mechanism, &mechanism_len, 1);
- sc_format_asn1_entry(asn1_algo_infos[ii] + 2, NULL, NULL, 0);
+ sc_format_asn1_entry(asn1_algo_infos[ii] + 2,
+ asn1_algo_infos_parameters[ii], NULL, 0);
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 0,
+ NULL, NULL, 0);
+ sc_format_asn1_entry(asn1_algo_infos_parameters[ii] + 1,
+ &ti->supported_algos[ii].parameters, &parameter_len, 0);
sc_format_asn1_entry(asn1_algo_infos[ii] + 3, &ti->supported_algos[ii].operations, &operations_len, 1);
sc_format_asn1_entry(asn1_algo_infos[ii] + 4, &ti->supported_algos[ii].algo_id, NULL, 1);
sc_format_asn1_entry(asn1_algo_infos[ii] + 5, &ti->supported_algos[ii].algo_ref, &algo_ref_len, 1);

68
SOURCES/opensc-0.16.0-coolkey-labels.patch Normal file
View File

@ -0,0 +1,68 @@
From a4b6b9630eb2ee684bbf1560a93b3075c7eb58ab Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 4 Jul 2017 14:25:50 +0200
Subject: [PATCH] [coolkey] Copy labels from certificate objects to the keys

---
src/libopensc/pkcs15-coolkey.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c
index 5064a0f4f..a5f457acd 100644
--- a/src/libopensc/pkcs15-coolkey.c
+++ b/src/libopensc/pkcs15-coolkey.c
@@ -484,7 +484,7 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
sc_card_t *card = p15card->card;
sc_serial_number_t serial;
int count;
-
+ struct sc_pkcs15_object *obj;
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
@@ -558,6 +558,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
memset(&obj_obj, 0, sizeof(obj_obj));
+ /* coolkey applets have label only on the certificates,
+ * but we should copy it also to the keys maching the same ID */
coolkey_get_attribute_bytes(card, &coolkey_obj, CKA_LABEL, (u8 *)obj_obj.label, &len, sizeof(obj_obj.label));
coolkey_get_flags(card, &coolkey_obj, &obj_obj.flags);
if (obj_obj.flags & SC_PKCS15_CO_FLAG_PRIVATE) {
@@ -677,6 +679,35 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
}
r = (card->ops->card_ctl)(card, SC_CARDCTL_COOLKEY_FINAL_GET_OBJECTS, &count);
+ /* Iterate over all the created objects and fill missing labels */
+ for (obj = p15card->obj_list; obj != NULL; obj = obj->next) {
+ struct sc_pkcs15_id *id = NULL;
+ struct sc_pkcs15_object *cert_object;
+
+ /* label non-empty -- do not overwrite */
+ if (obj->label[0] != '\0')
+ continue;
+
+ switch (obj->type & SC_PKCS15_TYPE_CLASS_MASK) {
+ case SC_PKCS15_TYPE_PUBKEY:
+ id = &((struct sc_pkcs15_pubkey_info *)obj->data)->id;
+ break;
+ case SC_PKCS15_TYPE_PRKEY:
+ id = &((struct sc_pkcs15_prkey_info *)obj->data)->id;
+ break;
+ default:
+ /* We do not care about other objects */
+ continue;
+ }
+ r = sc_pkcs15_find_cert_by_id(p15card, id, &cert_object);
+ if (r != 0)
+ continue;
+
+ sc_log(card->ctx, "Copy label \"%s\" from cert to key object",
+ cert_object->label);
+ memcpy(obj->label, cert_object->label, SC_PKCS15_MAX_LABEL_SIZE);
+ }
+
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}

643
SOURCES/opensc-0.16.0-coverity.patch Normal file
View File

@ -0,0 +1,643 @@
From 15163e6212aaf6b2dd5d7b432e5b13ca39496110 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 28 Feb 2017 16:12:31 +0100
Subject: [PATCH 1/3] Coverity fixes for:

card-cac.c
* CLANG_WARNING: The left operand of '<' is a garbage value
card-coolkey.c
* CLANG_WARNING: overwriting variable
* CPPCHECK_WARNING: memory leak / overwrite variable
* CLANG_WARNING: null pointer dereference
* UNUSED_VALUE: unused return value
card-gids.c
* CLANG_WARNING: Branch condition evaluates to a garbage value
* SIZEOF_MISMATCH: suspicious_sizeof
card-myeid.c
* RESOURCE_LEAK: Variable "buf" going out of scope leaks the storage it points to.
* CLANG_WARNING: overwriting variable
* (rewrite not to confuse coverity)
pkcs15-cac.c
* RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to.
pkcs15-coolkey.c
* UNUSED_VALUE: unused return value
pkcs15-piv.c
* RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to.
pkcs15-sc-hsm.c
* DEADCODE
pkcs11/framework-pkcs15.c
* RESOURCE_LEAK: Variable "p15_cert" going out of scope leaks the storage it points to.
pkcs15init/pkcs15-lib.c
* CLANG_WARNING: Assigned value is garbage or undefined
pkcs15init/pkcs15-myeid.c
* UNREACHABLE: Probably wrong placement of code block
tests/p15dump.c
* IDENTICAL_BRANCHES
pkcs15-init.c
* CLANG_WARNING: Potential leak of memory pointed to by 'args.der_encoded.value'
pkcs15-tool.c
* RESOURCE_LEAK: Variable "cert" going out of scope leaks the storage it points to.
* MISSING_BREAK: The above case falls through to this one.
sc-hsm-tool.c
* CLANG_WARNING: Potential leak of memory pointed to by 'sp'
westcos-tool.c
* FORWARD_NULL: Passing null pointer "pin" to "unlock_pin", which dereferences it.
* (rewrite not to confuse coverity)
---
src/libopensc/card-cac.c | 2 +-
src/libopensc/card-coolkey.c | 7 +++++--
src/libopensc/card-entersafe.c | 2 +-
src/libopensc/card-gids.c | 7 ++++++-
src/libopensc/card-myeid.c | 20 ++++++++++++--------
src/libopensc/iso7816.c | 1 +
src/libopensc/pkcs15-cac.c | 5 ++++-
src/libopensc/pkcs15-coolkey.c | 2 ++
src/libopensc/pkcs15-piv.c | 3 ++-
src/libopensc/pkcs15-sc-hsm.c | 6 ++----
src/pkcs11/framework-pkcs15.c | 7 ++++++-
src/pkcs15init/pkcs15-lib.c | 2 +-
src/pkcs15init/pkcs15-myeid.c | 4 ++--
src/tests/p15dump.c | 3 +--
src/tools/pkcs15-init.c | 4 +++-
src/tools/pkcs15-tool.c | 11 ++++++++---
src/tools/sc-hsm-tool.c | 2 ++
src/tools/westcos-tool.c | 6 +++---
18 files changed, 62 insertions(+), 32 deletions(-)

diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index d5f8585..788fb52 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -467,7 +467,7 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l
size_t left = 0;
size_t len, next_len;
sc_apdu_t apdu;
- int r;
+ int r = SC_SUCCESS;
/* get the size */
diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
index c44febe..7672028 100644
--- a/src/libopensc/card-coolkey.c
+++ b/src/libopensc/card-coolkey.c
@@ -1369,7 +1369,7 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj)
{
int r;
size_t buf_len = obj->length;
- u8 *new_obj_data = malloc(buf_len);
+ u8 *new_obj_data = NULL;
sc_cardctl_coolkey_object_t *obj_entry;
coolkey_private_data_t * priv = COOLKEY_DATA(card);
@@ -1413,7 +1413,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut
const u8 *obj = attribute->object->data;
const u8 *attr = NULL;
size_t buf_len = attribute->object->length;
- coolkey_object_header_t *object_head = (coolkey_object_header_t *)obj;
+ coolkey_object_header_t *object_head;
int attribute_count,i;
attribute->attribute_data_type = SC_CARDCTL_COOLKEY_ATTR_TYPE_STRING;
attribute->attribute_length = 0;
@@ -1434,6 +1434,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut
if (buf_len <= sizeof(coolkey_v0_object_header_t)) {
return SC_ERROR_CORRUPTED_DATA;
}
+ object_head = (coolkey_object_header_t *)obj;
object_record_type = object_head->record_type;
/* make sure it's a type we recognize */
if ((object_record_type != COOLKEY_V1_OBJECT) && (object_record_type != COOLKEY_V0_OBJECT)) {
@@ -2183,6 +2184,8 @@ static int coolkey_initialize(sc_card_t *card)
continue;
}
r = coolkey_add_object(priv, object_id, NULL, object_len, 0);
+ if (r != SC_SUCCESS)
+ sc_log(card->ctx, "coolkey_add_object() returned %d", r);
}
if (r != SC_ERROR_FILE_END_REACHED) {
diff --git a/src/libopensc/card-entersafe.c b/src/libopensc/card-entersafe.c
index 6e18252..1fe4102 100644
--- a/src/libopensc/card-entersafe.c
+++ b/src/libopensc/card-entersafe.c
@@ -487,7 +487,7 @@ static int entersafe_select_fid(sc_card_t *card,
sc_file_t **file_out)
{
int r;
- sc_file_t *file=0;
+ sc_file_t *file = NULL;
sc_path_t path;
memset(&path, 0, sizeof(sc_path_t));
diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c
index 51db9af..4db09f5 100644
--- a/src/libopensc/card-gids.c
+++ b/src/libopensc/card-gids.c
@@ -668,6 +668,7 @@ static int gids_get_crypto_identifier_from_key_ref(sc_card_t *card, const unsign
if (index >= recordsnum) {
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS);
}
+ *cryptoidentifier = 0x00; /* initialize to zero */
if (records[index].wKeyExchangeKeySizeBits == 1024 || records[index].wSigKeySizeBits == 1024) {
*cryptoidentifier = GIDS_RSA_1024_IDENTIFIER;
return SC_SUCCESS;
@@ -878,12 +879,16 @@ static int gids_read_public_key (struct sc_card *card , unsigned int algorithm,
if (keydata != NULL) {
rsa_key.modulus.data = (u8*) keydata;
rsa_key.modulus.len = len;
+ } else {
+ rsa_key.modulus.len = 0;
}
keydata = sc_asn1_find_tag(card->ctx, keytemplate, tlen, GIDS_PUBKEY_TAG_EXPONENT, &len);
if (keydata != NULL) {
rsa_key.exponent.data = (u8*) keydata;
rsa_key.exponent.len = len;
+ } else {
+ rsa_key.exponent.len = 0;
}
if (rsa_key.exponent.len && rsa_key.modulus.len) {
@@ -1453,7 +1458,7 @@ static int gids_import_key(sc_card_t *card, sc_pkcs15_object_t *object, sc_pkcs1
SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_NORMAL, r, "unable to put the private key - key greater than 2048 bits ?");
r = SC_SUCCESS;
err:
- sc_mem_clear(buffer, sizeof(buffer));
+ sc_mem_clear(buffer, buflen);
LOG_FUNC_RETURN(card->ctx, r);
}
diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
index 0e75486..65c108f 100644
--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
@@ -846,20 +846,24 @@ myeid_convert_ec_signature(struct sc_context *ctx, size_t s_len, unsigned char *
if (sig_len != (datalen - len_size - 1)) /* validate size of the DER structure */
return SC_ERROR_INVALID_DATA;
- buf = calloc(1, (s_len + 7)/8*2);
+ /* test&fail early */
+ buflen = (s_len + 7)/8*2;
+ if (buflen > datalen)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+ buf = calloc(1, buflen);
if (!buf)
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
- buflen = (s_len + 7)/8*2;
r = sc_asn1_sig_value_sequence_to_rs(ctx, data, datalen, buf, buflen);
- if (r < 0)
+ if (r < 0) {
free(buf);
- LOG_TEST_RET(ctx, r, "Failed to cenvert Sig-Value to the raw RS format");
-
- if (buflen > datalen)
- LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+ sc_log(ctx, "Failed to convert Sig-Value to the raw RS format");
+ return r;
+ }
memmove(data, buf, buflen);
+ free(buf);
return buflen;
}
@@ -868,7 +872,7 @@ static int
myeid_compute_signature(struct sc_card *card, const u8 * data, size_t datalen,
u8 * out, size_t outlen)
{
- struct sc_context *ctx = card->ctx;
+ struct sc_context *ctx;
struct sc_apdu apdu;
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
u8 sbuf[SC_MAX_APDU_BUFFER_SIZE];
diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
index 296cf69..2539d1c 100644
--- a/src/libopensc/iso7816.c
+++ b/src/libopensc/iso7816.c
@@ -392,6 +392,7 @@ iso7816_process_fci(struct sc_card *card, struct sc_file *file,
sc_log(ctx, " type: %s", type);
sc_log(ctx, " EF structure: %d", byte & 0x07);
sc_log(ctx, " tag 0x82: 0x%02x", byte);
+ /* FIXME: check return value? */
sc_file_set_type_attr(file, &byte, 1);
}
}
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
index 4894fe4..e0fa50b 100644
--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
@@ -292,7 +292,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
struct sc_pkcs15_object pubkey_obj;
struct sc_pkcs15_object prkey_obj;
sc_pkcs15_der_t cert_der;
- sc_pkcs15_cert_t *cert_out;
+ sc_pkcs15_cert_t *cert_out = NULL;
r = (card->ops->card_ctl)(card, SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT, &obj_info);
@@ -352,12 +352,14 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
if (r < 0 || cert_out->key == NULL) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
+ sc_pkcs15_free_certificate(cert_out);
continue;
}
r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, " Failed to add cert obj r=%d",r);
+ sc_pkcs15_free_certificate(cert_out);
continue;
}
/* set the token name to the name of the CN of the first certificate */
@@ -393,6 +395,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
usage, pubkey_info.usage, prkey_info.usage);
if (cert_out->key->algorithm != SC_ALGORITHM_RSA) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"unsupported key.algorithm %d", cert_out->key->algorithm);
+ sc_pkcs15_free_certificate(cert_out);
continue;
} else {
pubkey_info.modulus_length = cert_out->key->u.rsa.modulus.len * 8;
diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c
index 487be19..de4920b 100644
--- a/src/libopensc/pkcs15-coolkey.c
+++ b/src/libopensc/pkcs15-coolkey.c
@@ -667,6 +667,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
}
r = sc_pkcs15emu_object_add(p15card, obj_type, &obj_obj, obj_info);
+ if (r != SC_SUCCESS)
+ sc_log(card->ctx, "sc_pkcs15emu_object_add() returned %d", r);
fail:
if (key) { sc_pkcs15_free_pubkey(key); }
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index bf72df0..5bd0fdf 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -710,7 +710,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
struct sc_pkcs15_cert_info cert_info;
struct sc_pkcs15_object cert_obj;
sc_pkcs15_der_t cert_der;
- sc_pkcs15_cert_t *cert_out;
+ sc_pkcs15_cert_t *cert_out = NULL;
ckis[i].cert_found = 0;
ckis[i].key_alg = -1;
@@ -761,6 +761,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
if (r < 0 || cert_out->key == NULL) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
+ sc_pkcs15_free_certificate(cert_out);
continue;
}
/*
diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c
index 938ea9d..3f6b6e4 100644
--- a/src/libopensc/pkcs15-sc-hsm.c
+++ b/src/libopensc/pkcs15-sc-hsm.c
@@ -460,6 +460,7 @@ static int sc_pkcs15emu_sc_hsm_get_ec_public_key(struct sc_context *ctx, sc_cvc_
memcpy(pubkey->u.ec.params.der.value, ecp->der.value, ecp->der.len);
pubkey->u.ec.params.der.len = ecp->der.len;
+ /* FIXME: check return value? */
sc_pkcs15_fix_ec_parameters(ctx, &pubkey->u.ec.params);
return SC_SUCCESS;
@@ -627,11 +628,8 @@ static int sc_pkcs15emu_sc_hsm_add_prkd(sc_pkcs15_card_t * p15card, u8 keyid) {
len = sizeof efbin;
r = read_file(p15card, fid, efbin, &len);
- LOG_TEST_RET(card->ctx, r, "Could not read EF");
- if (r < 0) {
- return SC_SUCCESS;
- }
+ LOG_TEST_RET(card->ctx, r, "Could not read EF");
if (efbin[0] == 0x67) { /* Decode CSR and create public key object */
sc_pkcs15emu_sc_hsm_add_pubkey(p15card, efbin, len, key_info, prkd.label);
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 0c89d47..732e1e5 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -571,8 +571,11 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj
/* Certificate object */
rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object,
cert, &pkcs15_cert_ops, sizeof(struct pkcs15_cert_object));
- if (rv < 0)
+ if (rv < 0) {
+ if (p15_cert != NULL)
+ sc_pkcs15_free_certificate(p15_cert);
return rv;
+ }
object->cert_info = p15_info;
object->cert_data = p15_cert;
@@ -643,6 +646,8 @@ __pkcs15_create_pubkey_object(struct pkcs15_fw_data *fw_data,
object->pub_data = p15_key;
if (p15_key && object->pub_info->modulus_length == 0 && p15_key->algorithm == SC_ALGORITHM_RSA)
object->pub_info->modulus_length = 8 * p15_key->u.rsa.modulus.len;
+ } else if (pubkey->emulated && (fw_data->p15_card->flags & SC_PKCS15_CARD_FLAG_EMULATED)) {
+ sc_pkcs15_free_pubkey(p15_key);
}
if (pubkey_object != NULL)
diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
index c2fc2df..d1558e2 100644
--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
@@ -760,7 +760,7 @@ sc_pkcs15init_add_app(struct sc_card *card, struct sc_profile *profile,
struct sc_pkcs15_object *pin_obj = NULL;
struct sc_app_info *app;
struct sc_file *df = profile->df_info->file;
- int r;
+ int r = SC_SUCCESS;
LOG_FUNC_CALLED(ctx);
p15card->card = card;
diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c
index 9ed515d..6c93545 100644
--- a/src/pkcs15init/pkcs15-myeid.c
+++ b/src/pkcs15init/pkcs15-myeid.c
@@ -510,10 +510,10 @@ myeid_store_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
keybits = key_info->field_length;
else
key_info->field_length = keybits;
- break;
-
+
if (sc_card_find_ec_alg(p15card->card, keybits, &prkey->u.ec.params.id) == NULL)
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Unsupported algorithm or key size");
+ break;
default:
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Store key failed: Unsupported key type");
break;
diff --git a/src/tests/p15dump.c b/src/tests/p15dump.c
index 17ab86b..da8b4a3 100644
--- a/src/tests/p15dump.c
+++ b/src/tests/p15dump.c
@@ -30,8 +30,7 @@ static int dump_objects(const char *what, int type)
printf("failed.\n");
fprintf(stderr, "Error enumerating %s: %s\n",
what, sc_strerror(count));
- if (SC_SUCCESS != sc_unlock(card))
- return 1;
+ sc_unlock(card);
return 1;
}
if (count == 0) {
diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c
index a1b183d..a4fb1a9 100644
--- a/src/tools/pkcs15-init.c
+++ b/src/tools/pkcs15-init.c
@@ -1318,8 +1318,10 @@ do_store_data_object(struct sc_profile *profile)
args.der_encoded.value = data;
args.der_encoded.len = datalen;
r = sc_lock(p15card->card);
- if (r < 0)
+ if (r < 0) {
+ free(data);
return r;
+ }
r = sc_pkcs15init_store_data_object(p15card, profile, &args, NULL);
sc_unlock(p15card->card);
}
diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c
index 092b9d9..e146753 100644
--- a/src/tools/pkcs15-tool.c
+++ b/src/tools/pkcs15-tool.c
@@ -793,15 +793,18 @@ static int read_public_key(void)
if (r == SC_ERROR_OBJECT_NOT_FOUND) {
fprintf(stderr, "Public key with ID '%s' not found.\n", opt_pubkey);
- return 2;
+ r = 2;
+ goto out;
}
if (r < 0) {
fprintf(stderr, "Public key enumeration failed: %s\n", sc_strerror(r));
- return 1;
+ r = 1;
+ goto out;
}
if (!pubkey) {
fprintf(stderr, "Public key not available\n");
- return 1;
+ r = 1;
+ goto out;
}
r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len);
@@ -813,6 +816,7 @@ static int read_public_key(void)
free(pem_key.value);
}
+out:
if (cert)
sc_pkcs15_free_certificate(cert);
else if (pubkey)
@@ -2097,6 +2101,7 @@ int main(int argc, char * const argv[])
break;
case OPT_USE_PINPAD_DEPRECATED:
fprintf(stderr, "'--no-prompt' is deprecated , use '--use-pinpad' instead.\n");
+ /* fallthrough */
case OPT_USE_PINPAD:
opt_use_pinpad = 1;
break;
diff --git a/src/tools/sc-hsm-tool.c b/src/tools/sc-hsm-tool.c
index cce855f..029d991 100644
--- a/src/tools/sc-hsm-tool.c
+++ b/src/tools/sc-hsm-tool.c
@@ -697,6 +697,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas
memset(inbuf, 0, sizeof(inbuf));
if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) {
fprintf(stderr, "Input aborted\n");
+ free(shares);
return -1;
}
p = (sp->x);
@@ -706,6 +707,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas
memset(inbuf, 0, sizeof(inbuf));
if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) {
fprintf(stderr, "Input aborted\n");
+ free(shares);
return -1;
}
binlen = 64;
diff --git a/src/tools/westcos-tool.c b/src/tools/westcos-tool.c
index 29b75dd..ff3d5e6 100644
--- a/src/tools/westcos-tool.c
+++ b/src/tools/westcos-tool.c
@@ -91,8 +91,6 @@ static int finalize = 0;
static int install_pin = 0;
static int overwrite = 0;
-static const char *pin = NULL;
-static const char *puk = NULL;
static char *cert = NULL;
static int keylen = 0;
@@ -260,7 +258,7 @@ static int unlock_pin(sc_card_t *card,
}
else
{
- if(pin == NULL || puk == NULL)
+ if(pin_value == NULL || puk_value == NULL)
{
return SC_ERROR_INVALID_ARGUMENTS;
}
@@ -372,6 +370,8 @@ int main(int argc, char *argv[])
RSA *rsa = NULL;
BIGNUM *bn = NULL;
BIO *mem = NULL;
+ static const char *pin = NULL;
+ static const char *puk = NULL;
while (1)
{

From e73b2ad2e01cbcc3fdee471ce9692ab95a83b8a0 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2017 09:45:17 +0100
Subject: [PATCH 2/3] Sanitize call to sc_pkcs15_free_certificate()

---
src/libopensc/pkcs15-cac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
index e0fa50b..61c6430 100644
--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
@@ -352,7 +352,8 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
if (r < 0 || cert_out->key == NULL) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
- sc_pkcs15_free_certificate(cert_out);
+ if (cert_out != NULL)
+ sc_pkcs15_free_certificate(cert_out);
continue;
}

From bdf452210f7fdbefe91df910025142b2e48b8ebc Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 1 Mar 2017 15:23:17 +0100
Subject: [PATCH 3/3] Sanitize call to sc_pkcs15_free_certificate() in PIV too

---
src/libopensc/pkcs15-piv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index 5bd0fdf..f6b6742 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -761,7 +761,8 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out);
if (r < 0 || cert_out->key == NULL) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r);
- sc_pkcs15_free_certificate(cert_out);
+ if (cert_out != NULL)
+ sc_pkcs15_free_certificate(cert_out);
continue;
}
/*
From 389ffe590986c6ed42fa810874a52a51bac3ca26 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 23 Mar 2017 12:16:46 +0100
Subject: [PATCH 1/3] Coverity: FORWARD_NULL -- copy&paste error

---
src/tools/gids-tool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/gids-tool.c b/src/tools/gids-tool.c
index 029c53f..84073b6 100644
--- a/src/tools/gids-tool.c
+++ b/src/tools/gids-tool.c
@@ -277,7 +277,7 @@ static int changeAdminKey(sc_card_t* card, const char *so_pin, const char* new_k
if (new_key == NULL) {
printf("Enter new admin key (48 hexadecimal characters) : ");
- util_getpass(&_so_pin, NULL, stdin);
+ util_getpass(&_new_key, NULL, stdin);
printf("\n");
} else {
_new_key = (char *)new_key;
--
2.9.3


From 1133efa4fe4d9a0267486cadbd3f6d144c584645 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 23 Mar 2017 15:14:35 +0100
Subject: [PATCH 2/3] CLANG_WARNING: Call to 'malloc' has an allocation size of
0 bytes

---
src/scconf/scconf.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/src/scconf/scconf.c b/src/scconf/scconf.c
index 7fcc301..678df3e 100644
--- a/src/scconf/scconf.c
+++ b/src/scconf/scconf.c
@@ -411,6 +411,8 @@ char *scconf_list_strdup(const scconf_list * list, const char *filler)
if (filler) {
len += scconf_list_array_length(list) * (strlen(filler) + 1);
}
+ if (len == 0)
+ return NULL;
buf = malloc(len);
if (!buf) {
return NULL;
--
2.9.3


From f82bc2008d58348cafcbba30623fcb55dab5cb3a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 23 Mar 2017 15:46:42 +0100
Subject: [PATCH 3/3] Avoid malloc with 0 argument

---
src/libopensc/card-cac.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index 788fb52..6a5b5af 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -670,12 +670,12 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx,
r = sc_decompress_alloc(&priv->cache_buf, &priv->cache_buf_len,
cert_ptr, cert_len, COMPRESSION_AUTO);
#else
- sc_log(card->ctx, "PIV compression not supported, no zlib");
+ sc_log(card->ctx, "CAC compression not supported, no zlib");
r = SC_ERROR_NOT_SUPPORTED;
#endif
if (r)
goto done;
- } else {
+ } else if (cert_len > 0) {
priv->cache_buf = malloc(cert_len);
if (priv->cache_buf == NULL) {
r = SC_ERROR_OUT_OF_MEMORY;
@@ -683,6 +683,9 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx,
}
priv->cache_buf_len = cert_len;
memcpy(priv->cache_buf, cert_ptr, cert_len);
+ } else {
+ sc_log(card->ctx, "Can't read zero-length certificate");
+ goto done;
}
break;
default:
--
2.9.3


27
SOURCES/opensc-0.16.0-ecdsa-ec-point.patch Normal file
View File

@ -0,0 +1,27 @@
From ea4baf50d57a7a41164fedcd1b10fdb0438305c5 Mon Sep 17 00:00:00 2001
From: AnthonyA <ascanio.alba7@gmail.com>
Date: Mon, 19 Mar 2018 15:58:21 +0800
Subject: [PATCH] pkcs11-tool: make ECPoint behaviour standards compliant by
default

Fixes #1286. The behaviour of pkcs11-tool will follow the standard -
send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will
write plain bytes.
---
src/tools/pkcs11-tool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 876bba2dc..63e5c5f7f 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -2632,7 +2632,7 @@ parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
header_len = point-gost->public.value;
memcpy(point, buf, point_len);
gost->public.len = header_len+point_len;
-#ifndef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
+#ifdef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
gost->public.len -= header_len;
gost->public.value += header_len;
#endif

50
SOURCES/opensc-0.16.0-hexadecimal-mechanism.patch Normal file
View File

@ -0,0 +1,50 @@
From 74885fb1c174468cc0a505cd7404e228d465efd8 Mon Sep 17 00:00:00 2001
From: AnthonyA <ascanio.alba7@gmail.com>
Date: Tue, 27 Mar 2018 00:48:05 +0000
Subject: [PATCH] pkcs11-tool: allow mechanism to be specified in hexadecimal

To support vendor mechanisms, let -m accept hexadecimal strings,
e.g., -m 0x80001234
---
doc/tools/pkcs11-tool.1.xml | 3 ++-
src/tools/pkcs11-tool.c | 5 ++++-
2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
index f8d638b45..e78570b10 100644
--- a/doc/tools/pkcs11-tool.1.xml
+++ b/doc/tools/pkcs11-tool.1.xml
@@ -231,7 +231,8 @@
</term>
<listitem><para>Use the specified <replaceable>mechanism</replaceable>
for token operations. See <option>-M</option> for a list
- of mechanisms supported by your token.</para></listitem>
+ of mechanisms supported by your token. The mechanism can also be specified in
+ hexadecimal, e.g., <replaceable>0x80001234</replaceable>.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 63e5c5f7f..484c019d8 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -234,7 +234,7 @@ static const char *option_help[] = {
"Hash some data",
"Derive a secret key using another key and some data",
"Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations",
- "Specify mechanism (use -M for a list of supported mechanisms)",
+ "Specify mechanism (use -M for a list of supported mechanisms), or by hexadecimal, e.g., 0x80001234",
"Log into the token first",
"Specify login type ('so', 'user', 'context-specific'; default:'user')",
@@ -6076,6 +6076,9 @@ static CK_MECHANISM_TYPE p11_name_to_mechanism(const char *name)
{
struct mech_info *mi;
+ if (strncasecmp("0x", name, 2) == 0) {
+ return strtoul(name, NULL, 0);
+ }
for (mi = p11_mechanisms; mi->name; mi++) {
if (!strcasecmp(mi->name, name)
|| (mi->short_name && !strcasecmp(mi->short_name, name)))

62
SOURCES/opensc-0.16.0-infinite-loop.patch Normal file
View File

@ -0,0 +1,62 @@
From 645f678af24fc1e0f1559e0384f57f8fd35836b4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 21 Jul 2017 11:30:47 +0200
Subject: [PATCH 1/4] cac: Make the retransmitted APDU valid by restoring the
resplen

---
src/libopensc/card-cac.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index ed15ba0a8..47f9aaf0c 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -1106,6 +1106,7 @@ static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
if (apdu.sw1 == 0x6A && apdu.sw2 == 0x86) {
apdu.p2 = 0x00;
+ apdu.resplen = sizeof(buf);
if (sc_transmit_apdu(card, &apdu) == SC_SUCCESS)
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
}

From a57407a5257b24edf313a4839c523a19cd8b0dc5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 21 Jul 2017 13:09:14 +0200
Subject: [PATCH 2/4] cac: Check SWs for all the APDUs and report the errors to
underlying layers

---
src/libopensc/card-cac.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index 47f9aaf0c..f3b64a33d 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -390,9 +390,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2,
goto err;
}
- if (apdu.sw1 == 0x61) {
- r = sc_check_sw(card, apdu.sw1, apdu.sw2);
- }
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Card returned error ");
diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old 2017-12-19 10:39:08.662925868 +0100
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c 2017-12-19 10:39:58.665293224 +0100
@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card
if (r < 0) {
goto fail;
}
+ if (len == 0) {
+ r = SC_ERROR_FILE_NOT_FOUND;
+ goto fail;
+ }
}
*out_len = size;
*out_buf = out;

137
SOURCES/opensc-0.16.0-labels-from-dn.patch Normal file
View File

@ -0,0 +1,137 @@
From 066fdce95a3a58e312f52c4e14536b4b3a4f5e26 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 9 May 2017 16:46:16 +0200
Subject: [PATCH 1/3] If the underlying PKCS#15 structure does not provide
label for a certificate, try to use DN from the certificate.

---
src/libopensc/libopensc.exports | 1 +
src/pkcs11/framework-pkcs15.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)

diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports
index 18f80374f..36cf57023 100644
--- a/src/libopensc/libopensc.exports
+++ b/src/libopensc/libopensc.exports
@@ -208,6 +208,7 @@ sc_pkcs15_free_prkey_info
sc_pkcs15_free_pubkey
sc_pkcs15_free_pubkey_info
sc_pkcs15_get_application_by_type
+sc_pkcs15_get_name_from_dn
sc_pkcs15_get_object_guid
sc_pkcs15_get_object_id
sc_pkcs15_get_objects
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 42c509356..f9063c8cc 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -553,6 +553,30 @@ public_key_created(struct pkcs15_fw_data *fw_data, const struct sc_pkcs15_id *id
return SC_ERROR_OBJECT_NOT_FOUND;
}
+static void
+pkcs15_cert_extract_label(struct pkcs15_cert_object *cert)
+{
+ if (!cert || !cert->cert_p15obj || !cert->cert_data)
+ return;
+
+ sc_log(context, "pkcs15_cert_extract_label() called. Current label: %s", cert->cert_p15obj->label);
+
+ /* if we didn't get a label, set one based on the CN */
+ if (*cert->cert_p15obj->label == '\0') { /* can't be NULL -- static array */
+ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
+ u8 *cn_name = NULL;
+ size_t cn_len = 0;
+ int rv = sc_pkcs15_get_name_from_dn(context,
+ cert->cert_data->subject, cert->cert_data->subject_len,
+ &cn_oid, &cn_name, &cn_len);
+ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
+ if (rv == SC_SUCCESS) {
+ memcpy(cert->cert_p15obj->label, cn_name, cn_len);
+ cert->cert_p15obj->label[cn_len] = '\0';
+ }
+ free(cn_name);
+ }
+}
static int
__pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_object *cert,
@@ -606,6 +627,9 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj
obj2->pub_genfrom = object;
object->cert_pubkey = obj2;
+ /* Find missing labels for certificate */
+ pkcs15_cert_extract_label(object);
+
if (cert_object != NULL)
*cert_object = (struct pkcs15_any_object *) object;
@@ -877,6 +901,9 @@ check_cert_data_read(struct pkcs15_fw_data *fw_data, struct pkcs15_cert_object *
if (!obj2->pub_data)
rv = sc_pkcs15_pubkey_from_cert(context, &cert->cert_data->data, &obj2->pub_data);
+ /* Find missing labels for certificate */
+ pkcs15_cert_extract_label(cert);
+
/* now that we have the cert and pub key, lets see if we can bind anything else */
pkcs15_bind_related_objects(fw_data);
@@ -3165,6 +3192,10 @@ pkcs15_cert_get_attribute(struct sc_pkcs11_session *session, void *object, CK_AT
*(CK_BBOOL*)attr->pValue = FALSE;
break;
case CKA_LABEL:
+ if (check_cert_data_read(fw_data, cert) != 0) {
+ attr->ulValueLen = 0;
+ return CKR_OK;
+ }
len = strnlen(cert->cert_p15obj->label, sizeof cert->cert_p15obj->label);
check_attribute_buffer(attr, len);
memcpy(attr->pValue, cert->cert_p15obj->label, len);

From 4d8b75c1f0a901d661ed00b29175e2fdaee940ca Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 19 May 2017 17:52:09 +0200
Subject: [PATCH 2/3] Properly check bounds for long DNs

---
src/pkcs11/framework-pkcs15.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index f9063c8cc..863ad02a1 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -566,8 +566,9 @@ pkcs15_cert_extract_label(struct pkcs15_cert_object *cert)
int rv = sc_pkcs15_get_name_from_dn(context,
cert->cert_data->subject, cert->cert_data->subject_len,
&cn_oid, &cn_name, &cn_len);
- sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
if (rv == SC_SUCCESS) {
+ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
+ cn_len = MIN(cn_len, SC_PKCS15_MAX_LABEL_SIZE-1);
memcpy(cert->cert_p15obj->label, cn_name, cn_len);
cert->cert_p15obj->label[cn_len] = '\0';
}

From 4621251bbff5cc1df826aa7fdc2aa7dfbae3c8ab Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 22 May 2017 09:46:56 +0200
Subject: [PATCH 3/3] Missing include

---
src/pkcs11/framework-pkcs15.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 863ad02a1..ce890b7a1 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include <string.h>
#include "libopensc/log.h"
+#include "libopensc/internal.h"
#include "libopensc/asn1.h"
#include "libopensc/cardctl.h"
#include "common/compat_strnlen.h"

59
SOURCES/opensc-0.16.0-lock.patch Normal file
View File

@ -0,0 +1,59 @@
From 6b36a341c372f3dcec13c5ddee52fdb907a255a9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 12 Apr 2017 17:42:54 +0200
Subject: [PATCH 1/2] Make sure the lock is released when returning

---
src/pkcs11/framework-pkcs15.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 2f78a63..3441b99 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -487,12 +487,16 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
goto out;
}
- if (slot->p11card == NULL)
- return CKR_TOKEN_NOT_PRESENT;
+ if (slot->p11card == NULL) {
+ rv = CKR_TOKEN_NOT_PRESENT;
+ goto out;
+ }
fw_data = (struct pkcs15_fw_data *) slot->p11card->fws_data[slot->fw_data_idx];
- if (!fw_data)
- return sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
+ if (!fw_data) {
+ rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo");
+ goto out;
+ }
p15card = fw_data->p15_card;
/* User PIN flags are cleared before re-calculation */

From 8e8f0ffdcc959f9dd7ea9036aea887917e961bd1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 12 Apr 2017 17:43:32 +0200
Subject: [PATCH 2/2] pkcs11-tool: Do not use unitialized data when
C_GetTokenInfo() failed

---
src/tools/pkcs11-tool.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index ef5d2a6..555029d 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -1105,6 +1105,9 @@ static void show_token(CK_SLOT_ID slot)
if (rv == CKR_TOKEN_NOT_RECOGNIZED) {
printf(" (token not recognized)\n");
return;
+ } else if (rv != CKR_OK) {
+ printf("C_GetTokenInfo() failed: rv = %s\n", CKR2Str(rv));
+ return;
}
if (!(info.flags & CKF_TOKEN_INITIALIZED) && (!verbose)) {
printf(" token state: uninitialized\n");

13
SOURCES/opensc-0.16.0-pinpad.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in.pinpad OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in
--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in.pinpad 2018-05-28 14:30:05.605085241 +0200
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/etc/opensc.conf.in 2018-05-28 14:31:00.963495548 +0200
@@ -101,7 +101,8 @@ app default {
#
# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
# Default: true
- # enable_pinpad = false;
+ # RHEL 7.6: Disabled by default, because of many broken readers
+ enable_pinpad = false;
#
# Use specific pcsc provider.
# Default: @DEFAULT_PCSC_PROVIDER@

121
SOURCES/opensc-0.16.0-piv-cardholder-name.patch Normal file
View File

@ -0,0 +1,121 @@
From bac1ced89dde5780ecb5014b3887e4fd81c7d81c Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 18 Aug 2017 13:49:57 +0200
Subject: [PATCH 1/3] Use shorter PIN name for default PIN to accomodate Card
Holder name in future

---
src/libopensc/pkcs15-piv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index d38d7ba73..7f9015dcc 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -359,7 +359,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
};
static const pindata pins[] = {
- { "01", "PIV Card Holder pin", "", 0x80,
+ { "01", "PIN", "", 0x80,
/* label, flag and ref will change if using global pin */
SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
8, 4, 8,
@@ -932,7 +932,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
pin_info.attrs.pin.reference = pin_ref;
pin_info.attrs.pin.flags &= ~SC_PKCS15_PIN_FLAG_LOCAL;
label = "Global PIN";
- }
+ }
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
pin_obj.flags = pins[i].obj_flags;

From 74b070128c27e24aa67db041a049a9eee5dddcd6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 18 Aug 2017 14:18:00 +0200
Subject: [PATCH 2/3] Get cardholder name from the first certificate

---
src/libopensc/pkcs15-piv.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index 7f9015dcc..6f3c9199d 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -613,7 +613,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
char buf[SC_MAX_SERIALNR * 2 + 1];
common_key_info ckis[PIV_NUM_CERTS_AND_KEYS];
int follows_nist_fascn = 0;
-
+ char *token_name = NULL;
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
@@ -765,6 +765,30 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
sc_pkcs15_free_certificate(cert_out);
continue;
}
+
+ /* set the token name to the name of the CN of the first certificate */
+ if (!token_name) {
+ u8 * cn_name = NULL;
+ size_t cn_len = 0;
+ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
+ r = sc_pkcs15_get_name_from_dn(card->ctx, cert_out->subject,
+ cert_out->subject_len, &cn_oid, &cn_name, &cn_len);
+ if (r == SC_SUCCESS) {
+ token_name = malloc (cn_len+1);
+ if (!token_name) {
+ sc_pkcs15_free_certificate(cert_out);
+ free(cn_name);
+ SC_FUNC_RETURN(card->ctx,
+ SC_ERROR_OUT_OF_MEMORY, r);
+ }
+ memcpy(token_name, cn_name, cn_len);
+ free(cn_name);
+ token_name[cn_len] = 0;
+ free(p15card->tokeninfo->label);
+ p15card->tokeninfo->label = token_name;
+ }
+ }
+
/*
* get keyUsage if present save in ckis[i]
* Will only use it if this in a non FED issued card

From 78c2b7b970a8c2d841552926a7f4c386c31abeb8 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 21 Aug 2017 13:43:08 +0200
Subject: [PATCH 3/3] Do not add non-informative PIN to the token label

---
src/pkcs11/framework-pkcs15.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 5b3cb32e5..8ded1125b 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -1024,6 +1024,7 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
struct sc_pkcs15_auth_info *pin_info = NULL;
char label[64];
+ sc_log(context, "Called");
pkcs15_init_token_info(p15card, &slot->token_info);
slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
if (auth != NULL)
@@ -1048,9 +1049,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
pin_info = NULL;
}
else {
- if (auth->label[0])
+ if (auth->label[0] && strncmp(auth->label, "PIN", 4) != 0)
snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);
else
+ /* The PIN label is empty or says just non-useful "PIN" */
snprintf(label, sizeof(label), "%s", p15card->tokeninfo->label);
slot->token_info.flags |= CKF_LOGIN_REQUIRED;
}

21
SOURCES/opensc-0.16.0-simpletlv.patch Normal file
View File

@ -0,0 +1,21 @@
commit 602279acecb9aaff1154ac1e2993562741a57281
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Jan 2 11:08:31 2018 +0100

Skip correctly two bytes after reading 2b size

diff --git a/src/libopensc/simpletlv.c b/src/libopensc/simpletlv.c
index f526a1cd..ab0401b5 100644
--- a/src/libopensc/simpletlv.c
+++ b/src/libopensc/simpletlv.c
@@ -90,8 +90,9 @@ sc_simpletlv_read_tag(u8 **buf, size_t buflen, u8 *tag_out, size_t *taglen)
*taglen = 0;
return SC_ERROR_INVALID_ARGUMENTS;
}
+ /* skip two bytes (the size) */
len = lebytes2ushort(p);
- p++;
+ p+=2;
}
*taglen = len;
*buf = p;

77
SOURCES/pkcs11-switch.sh Executable file
View File

@ -0,0 +1,77 @@
#!/bin/sh

# Paths, names and functions definitions
NSSDB="/etc/pki/nssdb/"
COOLKEY_NAME="CoolKey PKCS #11 Module"
COOLKEY_LIBRARY="libcoolkeypk11.so"
OPENSC_NAME="OpenSC PKCS #11 Module"
OPENSC_LIBRARY="opensc-pkcs11.so"

add_module() {
NAME="$1"
LIBRARY="$2"
modutil -add "$NAME" -dbdir "$NSSDB" -libfile "$LIBRARY"
}
remove_module() {
NAME="$1"
modutil -delete "$NAME" -dbdir "$NSSDB" -force
}

# Parse arguments. If wrong, print usage
TARGET="$1"
if [ "$TARGET" = "" ]; then
# Print currently installed module
PRINT_CURRENT="1"
elif [ "$TARGET" = "opensc" ] || [ "$TARGET" = "coolkey" ]; then
: # Correct arguments
else
echo "Simple tool to switch between OpenSC and Coolkey PKCS#11 modules in main NSS DB."
echo "Usage: $0 [coolkey|opensc]"
echo " [coolkey|opensc] says which of the modules should be used."
echo " The other one will be removed from database."
echo
echo " If there is no argument specified, prints the current module in NSS DB"
exit 255
fi

if [ ! -x /usr/bin/modutil ]; then
echo "The modutil is not installed. Please install package nss-util"
exit 255
fi

# Find the current library in NSS DB
CURRENT="" # none
LIBS=$(modutil -rawlist -dbdir "$NSSDB" | grep "^library=")
if echo "$LIBS" | grep "$COOLKEY_NAME" > /dev/null; then
CURRENT="coolkey"
fi
if echo "$LIBS" | grep "$OPENSC_NAME" > /dev/null; then
if [ -n "$CURRENT" ]; then
CURRENT="opensc coolkey"
echo "There are both modules in NSS DB, which is not recommended."
echo "I will remove the other."
else
CURRENT="opensc"
fi
fi

if [ "$PRINT_CURRENT" = "1" ]; then
echo "$CURRENT"
exit 0
fi

# Do we need to change something?
if [ "$CURRENT" = "$TARGET" ]; then
echo "The requested module is already in the NSS DB"
exit 0
fi

# Do the actual change
if [ "$TARGET" = "opensc" ]; then
add_module "$OPENSC_NAME" "$OPENSC_LIBRARY"
remove_module "$COOLKEY_NAME"
fi
if [ "$TARGET" = "coolkey" ]; then
add_module "$COOLKEY_NAME" "$COOLKEY_LIBRARY"
remove_module "$OPENSC_NAME"
fi

555
SPECS/opensc.spec Normal file
View File

@ -0,0 +1,555 @@
%global commit0 777e2a3751e3f6d53f056c98e9e20e42af674fb1
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

Name: opensc
Version: 0.16.0
Release: 10.20170227git%{shortcommit0}%{?dist}
Summary: Smart card library and applications

Group: System Environment/Libraries
License: LGPLv2+
URL: https://github.com/OpenSC/OpenSC/wiki
Source0: https://github.com/OpenSC/OpenSC/archive/%{commit0}.zip#/%{name}-%{version}-git%{shortcommit0}.zip
Source1: opensc.module
Source2: pkcs11-switch.sh
Patch0: opensc-0.16.0-coverity.patch
Patch1: opensc-0.16.0-cardos.patch
Patch2: opensc-0.16.0-lock.patch
# Use label from certificate DN if there is none (#1448555)
Patch3: opensc-0.16.0-labels-from-dn.patch
# Use Cardholder name in the token label (#1449740)
Patch4: opensc-0.16.0-piv-cardholder-name.patch
# Avoid infinite loop when reading CAC cards (#1473335)
Patch5: opensc-0.16.0-infinite-loop.patch
# Workaround for CAC Alt tokens (#1473418)
Patch6: opensc-0.16.0-cac-alt.patch
# Copy labels from certificate (#1448555)
Patch7: opensc-0.16.0-coolkey-labels.patch
# Properly parse multi-byte length (#1473418)
Patch8: opensc-0.16.0-simpletlv.patch
# Disable pinpad by default (#1547117, #1547744)
Patch9: opensc-0.16.0-pinpad.patch
# https://github.com/OpenSC/OpenSC/commit/74885fb
Patch10: opensc-0.16.0-hexadecimal-mechanism.patch
# https://github.com/OpenSC/OpenSC/commit/ea4baf5
Patch11: opensc-0.16.0-ecdsa-ec-point.patch
# https://github.com/OpenSC/OpenSC/commit/60dbebf
Patch12: opensc-0.16.0-cardos5.patch

BuildRequires: pcsc-lite-devel
BuildRequires: readline-devel
BuildRequires: openssl-devel
BuildRequires: /usr/bin/xsltproc
BuildRequires: docbook-style-xsl
BuildRequires: autoconf automake libtool
Requires: pcsc-lite-libs%{?_isa}
Requires: pcsc-lite
Obsoletes: mozilla-opensc-signer < 0.12.0
Obsoletes: opensc-devel < 0.12.0

%description
OpenSC provides a set of libraries and utilities to work with smart cards. Its
main focus is on cards that support cryptographic operations, and facilitate
their use in security applications such as authentication, mail encryption and
digital signatures. OpenSC implements the PKCS#11 API so applications
supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On
the card OpenSC implements the PKCS#15 standard and aims to be compatible with
every software/card that does so, too.


%prep
%setup -q -n OpenSC-%{commit0}
%patch0 -p1 -b .coverity
%patch1 -p1 -b .cardos
%patch2 -p1 -b .lock
%patch3 -p1 -b .label
%patch4 -p1 -b .cardholder
%patch5 -p1 -b .infinite
%patch6 -p1 -b .cac-alt
%patch7 -p1 -b .coolkey-labels
%patch8 -p1 -b .simpletlv
%patch9 -p1 -b .pinpad
%patch10 -p1 -b .hex-mech
%patch11 -p1 -b .ec-point
%patch12 -p1 -b .cardos5

cp -p src/pkcs15init/README ./README.pkcs15init
cp -p src/scconf/README.scconf .
# No {_libdir} here to avoid multilib conflicts; it's just an example
sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.in


%build
autoreconf -fvi
sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
%configure --disable-static \
--disable-assert \
--enable-pcsc \
--enable-sm \
--with-pcsc-provider=libpcsclite.so.1
make %{?_smp_mflags} V=1


%install
make install DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf
install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
install -Dpm 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/pkcs11-switch
# use NEWS file timestamp as reference for configuration file
touch -r NEWS $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf

find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" | xargs rm

rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc

# Upstream considers libopensc API internal and no longer ships
# public headers and pkgconfig files.
# Remove the symlink as nothing is supposed to link against libopensc.
rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
%if 0%{?rhel}
rm -rf %{buildroot}%{_sysconfdir}/bash_completion.d/
%endif


%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig


%files
%defattr(-,root,root,-)
%doc COPYING NEWS README*

%if ! 0%{?rhel}
%{_sysconfdir}/bash_completion.d/*
%endif

%config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf
%{_datadir}/p11-kit/modules/opensc.module
%{_bindir}/cardos-tool
%{_bindir}/cryptoflex-tool
%{_bindir}/eidenv
%{_bindir}/iasecc-tool
%{_bindir}/gids-tool
%{_bindir}/netkey-tool
%{_bindir}/openpgp-tool
%{_bindir}/opensc-explorer
%{_bindir}/opensc-tool
%{_bindir}/piv-tool
%{_bindir}/pkcs11-tool
%{_bindir}/pkcs11-switch
%{_bindir}/pkcs15-crypt
%{_bindir}/pkcs15-init
%{_bindir}/pkcs15-tool
%{_bindir}/sc-hsm-tool
%{_bindir}/dnie-tool
%{_bindir}/westcos-tool
%{_libdir}/lib*.so.*
%{_libdir}/opensc-pkcs11.so
%{_libdir}/pkcs11-spy.so
%{_libdir}/onepin-opensc-pkcs11.so
%{_libdir}/pkgconfig/*.pc
%%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/opensc-pkcs11.so
%{_libdir}/pkcs11/onepin-opensc-pkcs11.so
%{_libdir}/pkcs11/pkcs11-spy.so
%{_datadir}/opensc/
%{_mandir}/man1/cardos-tool.1*
%{_mandir}/man1/cryptoflex-tool.1*
%{_mandir}/man1/eidenv.1*
%{_mandir}/man1/gids-tool.1*
%{_mandir}/man1/iasecc-tool.1*
%{_mandir}/man1/netkey-tool.1*
%{_mandir}/man1/openpgp-tool.1*
%{_mandir}/man1/opensc-explorer.*
%{_mandir}/man1/opensc-tool.1*
%{_mandir}/man1/piv-tool.1*
%{_mandir}/man1/pkcs11-tool.1*
%{_mandir}/man1/pkcs15-crypt.1*
%{_mandir}/man1/pkcs15-init.1*
%{_mandir}/man1/pkcs15-tool.1*
%{_mandir}/man1/sc-hsm-tool.1*
%{_mandir}/man1/westcos-tool.1*
%{_mandir}/man1/dnie-tool.1*
%{_mandir}/man5/*.5*


%changelog
* Tue Jul 03 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-10.20170227git
- Improve support for ECC-enabled CardOS 5.3 card (#1562277)

* Tue Jun 19 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-9.20170227git
- make ECPoint behavior standards compliant by default (#1562572)
- allow mechanism to be specified in hexadecimal (#1562572)
- Disable pinpad by default (#1547117, #1547744)

* Wed Jan 03 2018 Jakub Jelen <jjelen@redhat.com> - 0.16.0-8.20170227git
- Copy labels from certificate (#1448555)
- Avoid infinite loop in CAC driver when reading non-CAC cards (#1473335)
- Properly parse Simple TLV structures in CAC driver (#1473418)

* Tue Nov 07 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-7.20170227git
- Fix issues reported by Coverity
- Use upstream accepted fix for CAC Alt tokens (#1473418)

* Fri Nov 03 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-6.20170227git
- Use label from certificate DN if there is none (#1448555)
- Use Cardholder name in the token label (#1449740)
- Avoid infinite loop when reading CAC cards (#1473335)
- Workaround for CAC Alt tokens (#1473418)

* Thu May 18 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-5.20170227git
- Add missing pkcs11-switch script

* Thu Apr 13 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-4.20170227git
- Release aquired lock for uninitialized ASEPCOS cards (#1376090)

* Thu Mar 23 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-3.20170227git
- Fix more issues identified by Coverity scan

* Thu Mar 23 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-2.20170227git
- Add support for CardOS 5.3
- Fix coverity issues
- Provide simple tool to swith PKCS#11 library in NSS DB

* Tue Jan 10 2017 Jakub Jelen <jjelen@redhat.com> - 0.16.0-1.20170110git
- Rebase to OpenSC master with support for CAC cards (#1373164)

* Thu Feb 25 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.14.0-2
- Export PKCS#11 symbols from spy library (#1283305)

* Thu Apr 23 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.14.0-1
- Updated to opensc 0.14.0

* Fri Mar 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-9
- Configuration file includes arch to allow it operate under multilib

* Mon Mar 10 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-8
- Ensure that variables are in scope when used (#1062307)

* Tue Feb 25 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 0.13.0-7
- Corrected path of opensc.module (#1060034)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.13.0-6
- Mass rebuild 2014-01-24

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.13.0-5
- Mass rebuild 2013-12-27

* Fri Mar 08 2013 Stef Walter <stefw@redhat.com> - 0.13.0-4
- Use the standard name format for p11-kit module configs
- Put the p11-kit module config is the system location

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Sun Jan 13 2013 Kalev Lember <kalevlember@gmail.com> - 0.13.0-2
- Backport an upstream patch for fixing pkcs15 cert length calculation

* Thu Jan 03 2013 Milan Broz <mbroz@redhat.com> - 0.13.0-1
- Update to 0.13.0 (#890770)
- Remove no longer provided onepin-opensc-pkcs11.so.
- Add iasecc-tool, openpgp-tool and sc-hsm-tool.

* Fri Jul 27 2012 Tomas Mraz <tmraz@redhat.com> - 0.12.2-6
- Add a configuration file for p11-kit (#840504)

* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Sun Mar 4 2012 Peter Robinson <pbrobinson@fedoraproject.org> - 0.12.2-4
- Add patch for dso

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Wed Aug 17 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.2-2
- Rebuilt to fix trailing slashes in filelist from rpmbuild bug

* Tue Jul 19 2011 Kalev Lember <kalevlember@gmail.com> - 0.12.2-1
- Update to 0.12.2 (#722659)

* Wed May 18 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.1-1
- Update to 0.12.1 (#705743)
- Removed BR libtool-ltdl-devel to build with glibc's libdl instead

* Tue Apr 12 2011 Tomas Mraz <tmraz@redhat.com> - 0.12.0-4
- drop multilib conflicting and duplicated doc file (#695368)

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-2
- Disabled asserts

* Mon Jan 03 2011 Kalev Lember <kalev@smartlink.ee> - 0.12.0-1
- Update to 0.12.0
- Removed and obsoleted mozilla-opensc-signer and opensc-devel subpackages
- Dropped patches which are now upstreamed
- It is no longer possible to build in both pcsc-lite and openct support,
so opensc now gets built exclusively with pcsc-lite.

* Tue Dec 21 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-6
- fix buffer overflow on rogue card serial numbers

* Tue Oct 19 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-5
- own the _libdir/pkcs11 subdirectory (#644527)

* Tue Sep 7 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-4
- fix build with new pcsc-lite

* Wed Aug 11 2010 Rex Dieter <rdieter@fedoraproject.org> - 0.11.13-3
- build against libassuan1 (f14+)

* Wed Jun 9 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-2
- replace file dependency (#601943)

* Tue Feb 16 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.13-1
- new upstream version

* Sun Feb 14 2010 Kalev Lember <kalev@smartlink.ee> - 0.11.12-2
- Added patch to fix linking with the new --no-add-needed default (#564758)

* Mon Dec 21 2009 Kalev Lember <kalev@smartlink.ee> - 0.11.12-1
- new upstream version
- replaced %%define with %%global
- BR clean up from items not applicable to current Fedora releases

* Tue Dec 8 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 0.11.11-2
- Explicitly BR libassuan-static in accordance with the Packaging
Guidelines (libassuan-devel is still static-only).

* Thu Nov 19 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.11-1
- new upstream version

* Tue Sep 29 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-2
- fix multilib conflict in the configuration file (#526269)

* Wed Sep 09 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.9-1
- new upstream version

* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-5
- rebuilt with new openssl

* Mon Jul 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-4
- Depend on specific arch of pcsc-lite-libs (reported by Kalev Lember)

* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Mon Jun 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-2
- Rebuilt with new openct

* Mon May 11 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.8-1
- new upstream version - fixes security issue

* Fri Feb 27 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.7-1
- new upstream version - fixes CVE-2009-0368

* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.11.6-2
- Add explicit requires for pcsc-lite-libs. Dlopen libpcsclite with the full
soname.

* Tue Sep 2 2008 Tomas Mraz <tmraz@redhat.com> - 0.11.6-1
- Update to latest upstream, fixes CVE-2008-2235

* Thu Apr 10 2008 Hans de Goede <j.w.r.degoede@hhs.nl> - 0.11.4-5
- BuildRequire libassuan-devel instead of libassuan-static (bz 441812)

* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.11.4-4
- Autorebuild for GCC 4.3

* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 0.11.4-3
- Rebuild for deps

* Wed Dec 5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-2
- Rebuild.

* Mon Sep 10 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-1
- 0.11.4.

* Mon Aug 20 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-0.1.rc1
- 0.11.4-rc1, pkcs11-tool usage message fix applied upstream.
- License: LGPLv2+

* Thu Jul 26 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-2
- Fix pkcs11-tool usage message crash (#249702).

* Tue Jul 17 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-1
- 0.11.3.

* Sat Jun 30 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre2
- 0.11.3-pre2.

* Thu Jun 21 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.3-0.1.pre1
- 0.11.3-pre1.

* Sun May 6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-2
- Add explicit build dependency on ncurses-devel.

* Sat May 5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-1
- 0.11.2.

* Tue Apr 24 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc2
- 0.11.2-rc2.

* Fri Mar 23 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.3.rc1
- 0.11.2-rc1.

* Thu Mar 15 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre6
- 0.11.2-pre6.

* Tue Mar 6 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.2.pre4
- 0.11.2-pre4.
- Require pinentry-gui instead of the pinentry executable in signer.

* Sun Dec 3 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.2-0.1.pre3
- 0.11.2-pre3.
- Build with new libassuan.
- Don't run autotools during build.
- Adjust to readline/termcap/ncurses changes.

* Sat Oct 14 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-6
- Rebuild with new libassuan.

* Sun Oct 8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-5
- Rebuild with new libassuan.

* Mon Oct 2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-4
- Rebuild.

* Tue Sep 26 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-3
- Rebuild with new libassuan.

* Sat Sep 2 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-2
- Rebuild.

* Wed May 31 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.1-1
- 0.11.1.
- Avoid some multilib conflicts.

* Sun May 7 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-2
- Sync example paths in openct.conf with ctapi-common.
- Update URL.

* Thu May 4 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-1
- 0.11.0.

* Thu Apr 27 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc2
- 0.11.0-rc2.

* Sat Apr 22 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.11.0-0.1.rc1
- 0.11.0-rc1.

* Mon Mar 6 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-3
- Rebuild.

* Wed Feb 15 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-2
- Avoid standard rpaths on lib64 archs.

* Sun Jan 8 2006 Ville Skyttä <ville.skytta at iki.fi> - 0.10.1-1
- 0.10.1.

* Wed Nov 9 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-1
- 0.10.0.
- Adapt to modularized X.Org.

* Wed Oct 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc2
- 0.10.0-rc2.
- Install signer plugin only to plugin dir.

* Sat Oct 22 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.rc1
- 0.10.0-rc1.

* Wed Oct 19 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.10.0-0.1.beta2.rc1
- 0.10.0-beta2-rc1.
- Specfile cleanups.

* Tue Apr 26 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.6-2
- 0.9.6, build patch applied upstream.
- Package summary and description improvements.
- Drop explicit openct dependency.

* Fri Mar 18 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-3
- Fix FC4 build.
- Rename opensc-pam to pam_opensc per package naming guidelines.

* Wed Feb 9 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.9.4-2
- Substitute hardcoded 'lib' in OpenSSL checks for multi-lib platforms.
- Use --with-plugin-dir instead of --with-plugin-path (fixes x86_64).

* Thu Feb 3 2005 Ville Skyttä <ville.skytta at iki.fi> - 0.9.4-1
- Drop unnecessary Epochs, pre-FC1 compat cruft, and no longer relevant
--with(out) rpmbuild options.
- Exclude *.la.

* Wed Nov 3 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.4-0.fdr.1
- Update to 0.9.4, parallel build patch applied upstream.
- Patch to fix library paths and LDFLAGS.
- Don't require mozilla, but the plugin dir in signer.
- Build with dependency tracking disabled.

* Tue Jul 27 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.2
- Building the signer plugin can be disabled with "--without signer".
Thanks to Fritz Elfert for the idea.
- Update description.

* Sun Jul 25 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.2-0.fdr.1
- Update to 0.9.2, old patches applied upstream.
- Add patch to fix parallel builds.
- Convert man pages to UTF-8.

* Thu Jul 22 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.1-0.fdr.1
- Update to 0.9.1 (preview).

* Thu Jul 1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.9.0-0.fdr.0.1.alpha
- Update to 0.9.0-alpha.

* Sat May 1 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.8
- Rebuild with libassuan 0.6.5.

* Sat Jan 31 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.7
- Rebuild with libassuan 0.6.3.
- Add gdm example to PAM quickstart.

* Mon Jan 19 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.6
- Use /%%{_lib} instead of hardcoding /lib.

* Sat Dec 20 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.5
- Split PAM support into a subpackage.
- Rebuild with libassuan 0.6.2.

* Sun Nov 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.4
- Rebuild with libassuan 0.6.1.
- Include PAM quickstart doc snippet.

* Fri Nov 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.3
- Require OpenCT.

* Fri Oct 17 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.2
- Install example config files as documentation.

* Tue Oct 14 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.1-0.fdr.1
- Update to 0.8.1.

* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.2
- Signer can be built with oldssl too.

* Wed Aug 27 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.1
- Update to 0.8.0.

* Wed Jul 30 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.2.cvs20030730
- Update to 20030730.
- Clean up %%docs.
- Include *.la (uses ltdl).
- Own the %%{_libdir}/pkcs11 directory.
- Disable signer; assuan has disappeared from the tarball :(

* Fri May 23 2003 Ville Skyttä <ville.skytta at iki.fi> - 0:0.8.0-0.fdr.0.1.rc1
- First build.