Commits on Nov 23, 2016
  1. try travis with allow failed jobs

    committed Nov 23, 2016
  2. tools: fix segfault with verbose log into 'stderr'

    Issue #824
    
    In Windows, file handles (including 'stderr', 'stdout') cannot be shared
    between DLLs, and so the log handle (File *), defined in one module, cannot
    be reused in another.
    
    That is the situation when, for example, the SM is processed
    in an external, dynamically loadable module, as is currently implemented for
    the IAS/ECC card.
    
    That's what the configuration option 're-open of log file on each message' was
    introduced for.
    
    This 're-open' logic has not been tested in the particular case of opensc-*
    tools used with verbose log into 'stderr' -- in the dynamically loaded module the
    'stderr' handle, defined in the 'main' module, was not recognized as 'stderr'
    and there was an attempt to close it.
    committed Nov 23, 2016
Commits on Nov 20, 2016
  1. Restore blocking WaitForSlotEvent functionality for recent PCSC-Lite versions
    
     * Add configure-time dependency on pcsclite (required version from comments in reader-pcsc.c)
     * The functionality is already supported in PCSC-Lite
     * For older PCSC-Lite versions still return CKR_FUNCTION_NOT_SUPPORTED
    
     # closes #899
    Jakuje committed with Nov 10, 2016
  2. pkcs15-cert: fix double free issue, memory leak and comment

    If no extensions are found, val was uninitialized.
    If multiple extensions, val was not freed for non-interesting extensions.
    Comments did not have valid OID values.
    
     On branch piv-keyusage
     Changes to be committed:
    	modified:   pkcs15-cert.c
    
     # VTA: closes #905
    dengert committed with Nov 18, 2016
  3. piv: use cert keyUsage to set PKCS#11 key attributes

    This mod is for non federal issued PIV cards. It will set PKCS#11 key attributes
    based on the keyUsage extension from the corresponding certificates.
    
    This mod applies to a PIV or PIV-like card without a CHUID or without a FASC-N
    or a FASC-N that starts with 9999.  A federal issued PIV card will have a CHUID
    object with FASC-N that does not have the agency code 9999.
    
    If the certificate does not have keyUsage, the current defaults will be used.
    This avoids backward compatibility issues with cards in the field.
    
    To take advantage of this mod, make sure certificates have keyUsage extension.
    This mod applies to all keys on the card including retired keys.
    
    The NIST 800-73 standards specify the key usage for each key and different keys
    have different PIN requirements. This mod is designed to be used with PIV-like
    cards or devices.
    
     On branch piv-keyusage
     Changes to be committed:
    	modified:   src/libopensc/pkcs15-piv.c
    
     # squashed by VTA with:
    
    Remove use of llu  in integer literal
    
    llu in literals is not supported in all compilers.
    Let the compiler expand the literal before doing the & operation.
    dengert committed with Aug 16, 2016
  4. Pkcs11-tool.c changes to accommodate ECDH operations using SoftHSM. (#901)
    
    PKCS#11 v2.20 is not clear on the format of the public key of the other party
    passed during ECDH key derivation. Some implementations (OpenSC) pass just the value
    of the public key (RAW), while others (SoftHSM) pass an ASN.1 DER encoded OCTET_STRING.
    
    PKCS#11 v2.40 points out this problem and says implementations must support the
    RAW format and may also support the DER format.
    
    To allow pkcs11-tool.c to work with ECDH derivation and using the current libSoftHSM2.so
    a new parameter was added to pkcs11-tool, --derive-pass-der.
    
    Also added to the template for the new key were:
    
    CKA_SENSITIVE = false
    CKA_EXTRACTABLE = true
    CKA_VALUE_LEN = size of key to be derived.
    
    OpenSC currently only supports derivation of ECDH session keys (CKA_TOKEN = false).
    The derived key must be CK_KEY_TYPE = CKK_GENERIC_SECRET.
    Additional changes could be made to support AES or DES3 keys.
    
    It is not clear if there is a need to support CKA_TOKEN = true which says the
    derived key must be on the hardware token. For ECDH, these keys are short lived.
    
     On branch pkcs11-tool-simple-ecdh
     Changes to be committed:
    	modified:   src/tools/pkcs11-tool.c
    dengert committed with Nov 20, 2016
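
An added example (not code from OpenSC, SoftHSM or pkcs11-tool) of the two encodings that commit message describes for the other party's ECDH public key: the RAW point, and the same point wrapped in an ASN.1 DER OCTET STRING. The function names, the `field_len` parameter and the dummy point bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wrap a raw uncompressed EC point (0x04 || X || Y) in a DER OCTET STRING.
 * Returns the encoded length, or 0 if it does not fit. */
size_t ec_point_to_der(const uint8_t *raw, size_t raw_len, uint8_t *out, size_t cap)
{
    size_t hdr = raw_len < 0x80 ? 2 : 3;      /* short form or 0x81 long form */
    if (raw_len == 0 || raw_len > 0xFF || cap < hdr + raw_len) return 0;
    out[0] = 0x04;                            /* OCTET STRING tag */
    if (hdr == 3) out[1] = 0x81;
    out[hdr - 1] = (uint8_t)raw_len;
    memcpy(out + hdr, raw, raw_len);
    return hdr + raw_len;
}

/* Accept RAW or DER. field_len is the curve's coordinate size in bytes (32 for
 * P-256, 66 for P-521). A raw point also starts with 0x04, so the forms are
 * told apart by total length. Returns 0 and sets point/point_len, else -1. */
int ec_point_from_either(const uint8_t *in, size_t in_len, size_t field_len,
                         const uint8_t **point, size_t *point_len)
{
    size_t want = 1 + 2 * field_len, hdr, len;
    if (in_len == want && in[0] == 0x04) {    /* RAW form */
        *point = in; *point_len = in_len;
        return 0;
    }
    if (in_len < 3 || in[0] != 0x04) return -1;
    if (in[1] < 0x80) { hdr = 2; len = in[1]; }
    else if (in[1] == 0x81 && in[2] >= 0x80) { hdr = 3; len = in[2]; }
    else return -1;                           /* non-minimal or unsupported length */
    if (len != in_len - hdr || len != want || in[hdr] != 0x04) return -1;
    *point = in + hdr; *point_len = len;
    return 0;
}

/* Constructed dummy point (not a real key): returns the DER header size, 0 on failure. */
int demo_roundtrip(size_t field_len)
{
    uint8_t raw[133] = { 0x04 }, der[136];
    const uint8_t *p;
    size_t raw_len = 1 + 2 * field_len, plen, n;
    if (raw_len > sizeof raw) return 0;
    memset(raw + 1, 0xA5, raw_len - 1);
    n = ec_point_to_der(raw, raw_len, der, sizeof der);
    if (!n || ec_point_from_either(der, n, field_len, &p, &plen)) return 0;
    return (plen == raw_len && !memcmp(p, raw, plen)) ? (int)(n - raw_len) : 0;
}
```

A P-256 point gets a two-byte header (04 41), while a P-521 point needs the long-form length (04 81 85).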
Commits on Nov 17, 2016
  1. pkcs15-tool: add --list-info option

    Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
    nunojpg committed with frankmorgner Nov 10, 2016
  2. pkcs15-tool: make --list* messages consistent

    Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
    nunojpg committed with frankmorgner Nov 10, 2016
Commits on Nov 8, 2016
  1. pkcs15-pteid: new implementation

    This implementation reads most of the data from the pkcs15 structure on card, so the object list is greatly reduced.
    
    This improves several pending issues:
    
    * drop support for IAS card type
    In accordance with [1], IAS card type is no longer issued since version
    004.003.11 (2010-06-15) and as a legal requirement all documents have
    been destroyed or declared lost.
    
    [1] https://www.cartaodecidadao.pt/documentos/DOC_01-DCM-15_V3_CC_Controlo_Versao_2016-01-20.pdf
    
    * fix pteid_cert_ids
    The Signature and Authentication Sub CA certificates ids were wrong.
    
    * add objects and fix flags
    Add Root CA certificate.
    Add data objects SOD and TRACe
    Data object 'Citizen Notepad' doesn't require login to be read. Remove flags.
    
    * Support PIN max tries and tries left report
    
    * Properly report cards with 2048b keys.
    
    Suggested-by: João Poupino <joao.poupino@gmail.com>
    Suggested-by: André Guerreiro <andre.guerreiro@caixamagica.pt>
    Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
    
    -- closes #806
    nunojpg committed with Jul 10, 2016
  2. card-gemsafeV1: use iso7816 pin_cmd implementation

    GemsafeV1 is compatible with iso7816 pin commands, including
    SC_PIN_CMD_GET_INFO so it doesn't need to customize it.
    
    Acked-by: João Poupino <joao.poupino@gmail.com>
    Tested-by: Lukas Wunner <lukas@wunner.de>
    Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
    nunojpg committed with Jun 21, 2016
  3. card-gemsafeV1: fix driver name

    Acked-by: João Poupino <joao.poupino@gmail.com>
    Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
    nunojpg committed with Jun 21, 2016
  4. prkey_fixup_rsa changes for OpenSSL-1.1.0

    Remove restrictions in prkey_fixup_rsa:
      /* Not thread safe, but much better than a memory leak */
      /* TODO put on stack, or allocate and clear and then free */
    Compute dmp1, dmp1 and/or iqmp if not in sc_pkcs15_prkey_rsa
    
    Remove the GETBN macro that was causing problems.
    
     Changes to be committed:
    	modified:   src/pkcs15init/pkcs15-lib.c
    
    -- closes #894
    dengert committed with Oct 26, 2016
  5. Add Coolkey driver

    Author: Robert Relyea <rrelyea@redhat.com>
    
    Coolkey driver improvements:
     * Remove hardcoded list and use SimCList
     * Whitespace cleanup
     * Remove bogus if
     * drop inline keywords
     * proper path to include sys/types.h
     * full name of ushort type
     * condition to use compression
     * proper include path
     * Resolve template name conflict in Tokend
    
    Clean up the copyright headers
    
    -- rebased into one commit by VTA
    -- closes #896
    Jakuje committed with Oct 14, 2016
Commits on Oct 31, 2016
  1. hex_to_bin: don't strip leading null-bytes

    fixes OpenSC#838
    
    ... and hopefully doesn't have any side effects
    frankmorgner committed Oct 16, 2016
  2. only build opensc when needed

    Frank Morgner committed with frankmorgner Oct 12, 2016
  3. src/libopensc/Makefile.am: add missing header (#895)

    That ensures that sc-ossl-compat.h is included on releases.
    nmav committed with frankmorgner Oct 31, 2016
Commits on Oct 16, 2016
  1. Move include for internal.h from aux-date.h to aux-data.c (#888)

    With #861, internal.h includes sc-ossl-compat.h, which requires
    OpenSSL header files. The tests/Makefile.am did not include the
    openssl CFLAGS.
    dengert committed with frankmorgner Oct 16, 2016
Commits on Oct 14, 2016
  1. pkcs15-tool: Fix compiler warning

    pkcs15-tool.c:1201:5: warning: no previous prototype for ‘unlink_cb’ [-Wmissing-prototypes]
     int unlink_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
         ^~~~~~~~~
    LudovicRousseau committed Oct 14, 2016
  2. pkcs11-tool.c: fix compiler warning

    pkcs11-tool.c:2992:1: warning: control reaches end of non-void function
          [-Wreturn-type]
    }
    ^
    LudovicRousseau committed with LudovicRousseau Oct 14, 2016
  3. MacOSX/build-package: fix build for make multi jobs

    If --jobs=... argument is used for make (or the equivalent MAKEFLAGS is
    defined) then the command "make clean update depend" fails because the 3
    actions must be done in sequence and not in parallel.
    LudovicRousseau committed Oct 14, 2016
  4. src/tests/Makefile.am: fix compilation with OpenSSL

    OpenSSL header files are used indirectly by the binaries.
    
    Fix the compilation error:
      CC       base64.o
    In file included from base64.c:6:
    In file included from ../../src/libopensc/asn1.h:29:
    In file included from ../../src/libopensc/pkcs15.h:29:
    In file included from ../../src/libopensc/aux-data.h:31:
    In file included from ../../src/libopensc/internal.h:44:
    ../../src/libopensc/sc-ossl-compat.h:30:10: fatal error: 'openssl/opensslv.h'
          file not found
             ^
    1 error generated.
    LudovicRousseau committed Oct 14, 2016
  5. MacOSX: fix OpenSSL check in build-package.in

    OpenSSL is configured to be installed in $PREFIX so the files should be
    checked in $BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig and not
    $BUILDPATH/openssl_bin/lib/pkgconfig
    LudovicRousseau committed Oct 14, 2016
Commits on Oct 10, 2016
  1. Solve #871 #731 #730

    1. Solved multiple epss2003
    2. check expats point to prevent memory leak
    3. Add new ATR for entersafe PKI card
    4. declare all variables at the beginning of block
    5. Solved Incorrect PIN raise wrong CKR error, no token flags change
    
    Closes OpenSC#879
    FeitianSmartcardReader committed with frankmorgner Sep 27, 2016
  2. Fix Coverity remarks (#876)

    Jakuje committed with frankmorgner Oct 10, 2016
Commits on Oct 8, 2016
  1. Add support for LibreSSL compatibility as well as OpenSSL-1.1.0

    This commit is based on input from https://github.com/lbschenkel
    LibreSSL is based on the OpenSSL 1.0.1 API.
    
     Changes to be committed:
    	modified:   libopensc/sc-ossl-compat.h
    	modified:   tools/pkcs11-tool.c
    	modified:   tools/pkcs15-init.c
    	modified:   tools/sc-hsm-tool.c
    dengert committed Oct 4, 2016
  2. Use OpenSSL versions OpenSSL-0.9.7 to 1.1.0a for OpenSC

    OpenSSL-1.1.0 was released 8/25/2016
    OpenSSL-1.1.0a was released 9/22/2016
    
      https://www.openssl.org/news/openssl-1.1.0-notes.html
    
    Changes to allow the OpenSC code base to work with OpenSSL versions from
    0.9.7 to 1.1.0 with few changes.
    
    This is an update and rebased version of my prep-openssl-1.1.0-pre6 branch.
    
    No attempt was made to back port any OpenSSL features. These changes
    just allow an updated OpenSC code base to use what is in the various OpenSSL
    releases.
    
    A new header libopensc/sc-ossl-compat.h contains extra defines
    to reduce the need for so many #if OPENSSL_VERSION_NUMBER statements
    in the source code.
    
    The OpenSC source can now use the OpenSSL 1.1 API. The libopensc/sc-ossl-compat.h
    has defines for the new API for use with older versions of OpenSSL.
    
    sc-ossl-compat.h is included by libopensc/internal.h so all OpenSC
    library routines can take advantage of it. For the tools, which do not use
    libopensc/internal.h, libopensc/sc-ossl-compat.h is included by the tools.
    
    The OpenSC source has been modified to use OpenSSL functions to access
    hidden structures, such as X509, BIGNUM, EVP_CIPHER_CTX, and use XXX_new
    functions to allocate structures which must use pointers such as
    BIGNUM and EVP_CIPHER_CTX.
    
    For backward compatibility sc-ossl-compat.h now defines inline routines
    to emulate the RSA and DSA access routines in OpenSSL-1.1.0. Thus
    the same OpenSC source code can be used with OpenSSL versions from
    0.9.7 to 1.1.0.
    
    Inline routines were chosen, because using macros does not work on all platforms.
    Having OpenSC versions of these routines in libopensc would be a possibility,
    but they are only used for older versions of OpenSSL, and could be removed in
    the future.
     Changes to be committed:
    	modified:   src/libopensc/card-entersafe.c
    	modified:   src/libopensc/card-epass2003.c
    	modified:   src/libopensc/card-gids.c
    	modified:   src/libopensc/card-gpk.c
    	modified:   src/libopensc/card-oberthur.c
    	modified:   src/libopensc/card-piv.c
    	modified:   src/libopensc/card-westcos.c
    	modified:   src/libopensc/cwa-dnie.c
    	modified:   src/libopensc/cwa14890.c
    	modified:   src/libopensc/internal.h
    	modified:   src/libopensc/p15card-helper.c
    	modified:   src/libopensc/pkcs15-itacns.c
    	modified:   src/libopensc/pkcs15-prkey.c
    	modified:   src/libopensc/pkcs15-pubkey.c
    	new file:   src/libopensc/sc-ossl-compat.h
    	modified:   src/pkcs11/openssl.c
    	modified:   src/pkcs15init/pkcs15-lib.c
    	modified:   src/pkcs15init/pkcs15-oberthur-awp.c
    	modified:   src/pkcs15init/pkcs15-oberthur.c
    	modified:   src/pkcs15init/pkcs15-oberthur.h
    	modified:   src/pkcs15init/pkcs15-westcos.c
    	modified:   src/tools/cryptoflex-tool.c
    	modified:   src/tools/gids-tool.c
    	modified:   src/tools/netkey-tool.c
    	modified:   src/tools/piv-tool.c
    	modified:   src/tools/pkcs11-tool.c
    	modified:   src/tools/pkcs15-init.c
    	modified:   src/tools/sc-hsm-tool.c
    	modified:   src/tools/westcos-tool.c
    dengert committed Jan 6, 2016
Commits on Oct 7, 2016
  1. AppVeyor: use Github as zlib download mirror

    fixes downloading problems with Sourceforge
    frankmorgner committed Sep 14, 2016