The framework-pkcs15.c did not add hashes correctly if the card did not support RSA RAW. This change fixes that and only adds hashes if the card did not specify a list of hashes. It also will not add hashes done in software if ENABLE_OPENSSL is not specified. Some error conditions are also tested for EC mechanisms. See bug report #241 for more information.
This generates the scripts that lets bash do completion per specific tool. It gets the options from the documentation XML files that are also the source for the man pages and HTML.
If OpenSSL is not present or --disable-openssl then Secure Messaging is disabled. The problem was that some Secure Messaging code is missing if OpenSSL is absent. The build/link failed with some missing symbols. Fix issue #293
If OpenSSL is not used then the functions from card-dnie.c are not defined and in particular dnie_match_card() is not defined. In that case we use a fake dnie_match_card() that just returns false.
add the possibility to store public ECC keys encoded according to SPKI EC pubkey storing: Check if params are available before copying. pkcs15-lib.c / sc_pkcs15init_store_public_key may be called with keyargs->key.u.ec.params.value == NULL. In this case, allocating and copying the parameters will fail. Add a check to prevent this.
The same function iasecc_sm_external_authentication() was declared in two different .h files. In file included from ../../src/libopensc/iasecc.h:27:0, from sm-card-iasecc.c:44: ../../src/libopensc/iasecc-sdo.h:324:5: warning: redundant redeclaration of `iasecc_sm_external_authentication' [-Wredundant-decls] In file included from ../../src/libopensc/opensc.h:44:0, from sm-card-iasecc.c:40: ../../src/libopensc/sm.h:352:5: note: previous declaration of `iasecc_sm_external_authentication' was here
Mac OS X uses "libsmm-local.3.dylib" as library name. The default value "libsmm-local.so.3" is correct for Linux but not for Mac OS X. This bug prevented the "opensc-tool -a" to work correctly and return the ATR if an IAS card is present in the reader.
framework-pkcs15: Duplicate public key related to private key rather than referencing the framework object Referencing the related public key is required to return PKCS#11 attributes for a private key only available in the public key object (i.e. CKA_MODULUS). This patch adds a copy of the public key to the private key object rather than referencing the public key object in the framework. This prevents SEGV when the public key framework object is deleted with C_DestroyObject, but the reference from the public key remains intact. The bug leads to all kind of stability problems when keys are created and deleted in the same session. The patch is in particular important if OpenSC is used with EJBCA or any other application using the SUN PKCS#11 provider: When generating key pairs, then the public key object is eventually garbage collected which removes the related object in the PKCS#11 module. Because there is no fixed time for this operation, corruption occurs at random. In a next step, the remaining related_xxx fields in sc_pkcs11_object should be revised and possibly removed. framework: Added more error checking
openpgp-tool: Added PRIVATE-DO-3 dump option The bytes of private-do-3 will be written to stdout raw. Requires pin and verify to work. openpgp-tool: Fix private-do-3 dump for Windows fwrite will convert line endings on Windows if the destination is not openend in binary mode. As this actually dumps binary data, it makes sense to reopen stdout in binary mode for the dump. openpgp-tool: Enable dumping of all DOs PRIVATE-DO-<X> can now be dumped via the -d/--do switches and the DO number as a parameter. PRIVATE-DO- can be dumped without verification. PRIVATE-DO-3 requires CHV2, PRIVATE-DO-4 CHV3. openpgp-tool: Dump DOs as hex into a tty, binary otherwise This prevents messing up a terminal if there really _is_ binary data in a private DO. To force the binary data to a terminal, pipe through cat. openpgp-tool: Hint at the pin and verify options on error SC_ERROR_SECURITY_STATUS_NOT_SATISFIED is the error code here when dumping a private DO without the appropriate verification. openpgp-tool: Explictly use --raw for binary ouput The --raw switch already exists. If present, raw binary will be written, a pretty-printed hex/ascii representation otherwise.
card-asepcos: removed dead code card-authentic: removed dead code card-belpic: removed dead code card-epass2003: removed dead code card-flex: removed dead code card-gpk: removed dead code card-oberthur: removed dead code card-piv: removed dead code card-setcos: removed dead code ctbcs: removed dead code cwa14890: removed dead code muscle: removed dead code pkcs15-atrust-acos: removed dead code pkcs15-gemsafeV1: removed dead code pkcs15-skey: removed dead code reader-ctapi: removed dead code framework-pkcs15: removed dead code pkcs11-object: removed dead code pkcs15-asepcos: removed dead code pkcs15-cardos: removed dead code pkcs15-jcop: removed dead code pkcs15-lib: removed dead code pkcs15-oberthur: removed dead code parse: removed dead code sclex: removed dead code sm-card-authentic: removed dead code sm-card-iasecc: removed dead code sm-cwa14890: removed dead code sm-global-platform: removed dead code sc-test: removed dead code pkcs11-tool: removed dead code pkcs15-tool: removed dead code
Support nonces that are not only 8 bytes in Mutual Authenticate. Use the witness length to determine the nonce size, thus existing systems using 8 bytes will continue to use 8 bytes. However, with AES 256, the nonces could be a single block size of 16 bytes or greater.
…nerating EC keys (#277) RSA and EC keys have different usage attributes. Appropriate attributes are set When using --keypairgen the user can use the --usage-sign, --usage-decrypt, and --usage-derive. to get finer control. Changes to be committed: modified: tools/pkcs11-tool.c
This adds algorithm IDs 0xA, 0xA, 0xC which as documented by the NIST PIV specification is algorithms AES-128, AES-192 and AES-256 respectively. This patch also addresses some of the hardcodes that prevented nonces greater than the single byte TLV length tags would allow. It was explicitly tested with AES-256 and 256 byte nonces. Signed-off-by: William Roberts <email@example.com>
Fixes #262 (SEGV when reader does not support extended length ADPU)