[opensc-devel] #252
Hello,

the pkcs15init tool currently writes to cards, even when the profile indication (3F00/5015/4946) isn't found. That's bad, because it's highly possible that such a card was personalised with another library or has an unknown profile. In my opinion there are the following issues:

1. opensc isn't smart enough to do such things (see #252)
2. after a successful write operation the TokenInfo is overridden, which
   * is incomplete and
   * contains broken ASN1 encoding

The attached patch prevents that behaviour and fixes #252. It is for current trunk. But should work for 0.11.13 too.

Regards
Andre

Index: pkcs15init/pkcs15-lib.c
===
--- pkcs15init/pkcs15-lib.c (revision 4851)
+++ pkcs15init/pkcs15-lib.c (working copy)
@@ -3518,8 +3518,6 @@ if ((mem = malloc(len)) != NULL) { r = sc_read_binary(card, 0, mem, len, 0); } - } else { - r = 0; } if (r >= 0)

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
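Review bot: the removed `} else { r = 0; }` is what previously turned a failed file lookup into success, so with it gone the write now depends on `r` still holding the negative return of whatever call preceded this block, and that call is not in the hunk; please confirm `r` is always negative on the not-found path (a stale `r >= 0` from an earlier call would reopen the behaviour this patch closes) and log a clear message before skipping the write so users learn why pkcs15-init refused to touch the card. The malloc-failure path is untouched: with `mem == NULL` and `r` unchanged, `if (r >= 0)` can still be entered, which deserves its own check.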
Re: [opensc-devel] OpenSC with or without OpenSSL - What is the direction?
Hello Martin,

On Tue, 2010-10-05 at 18:04 +0300, Martin Paljak wrote:
> Hello
> On Thu, Sep 30, 2010 at 18:07, Douglas E. Engert wrote:
> >
> > With OpenSSL-1.0.0a pkcs11-tool -M shows:
> >
> > Supported mechanisms:
> > RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
> >
> > Without OpenSSL, pkcs11-tool -M
> > RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
> >
> > Note that verify is not listed without OpenSSL, as the
> > pkcs11/openssl.c adds the OpenSSL hash and verify functions.
>
> Interesting. RSA-PKCS-KEY-PAIR-GEN should have nothing to do with
> OpenSSL.

look at [1], there you can find the reason. To fix this, one could mess around with:

SC_ALGORITHM_ONBOARD_KEY_GEN
SC_CARD_FLAG_ONBOARD_KEY_GEN
SC_CARDCTL_XXX_GENERATE_KEY

Some examples:

muscle: card->flags |= SC_CARD_FLAG_ONBOARD_KEY_GEN;
setcos: card->caps |= SC_CARD_FLAG_ONBOARD_KEY_GEN;
lots:   flags |= SC_ALGORITHM_ONBOARD_KEY_GEN;
        _sc_card_add_rsa_alg(card, 512, flags, 0);
        _sc_card_add_rsa_alg(card, 1024, flags, 0);

Additionally it seems that there is no way to generate keys in hardware from within pkcs11. Only pkcs15init/pkcs15-*.c can do so.

Regards
Andre

[1] http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/framework-pkcs15.c#L3142
[opensc-devel] fixes #220
Hello,

the attached patch fixes #220. Now the login function does what its name promises. If user-login is not desired, then simply don't call login()! (remove pkcs11/framework-pkcs15.c#L792, for testing the patch)

Regards
Andre

Index: tools/pkcs11-tool.c
===
--- tools/pkcs11-tool.c (revision 4829)
+++ tools/pkcs11-tool.c (working copy)
@@ -908,9 +908,6 @@ get_token_info(opt_slot, &info); - if (!(info.flags & CKF_LOGIN_REQUIRED)) - return 0; - /* Identify which pin to enter */ if (login_type == CKU_SO) @@ -920,8 +917,7 @@ else if (login_type == CKU_CONTEXT_SPECIFIC) pin = opt_pin ? opt_pin : opt_puk; - if (!pin && (info.flags & CKF_LOGIN_REQUIRED) - && !(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) { + if (!pin && !(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) { printf("Logging in to \"%s\".\n", p11_utf8_to_local(info.label, sizeof(info.label))); if (login_type == CKU_SO) printf("Please enter SO PIN: ");
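Review bot: dropping the early `return 0` on `!(info.flags & CKF_LOGIN_REQUIRED)` in the first hunk means login() now always attempts a login, so every remaining call site in pkcs11-tool.c has to decide for itself whether a login is wanted (the message only names pkcs11/framework-pkcs15.c#L792, and only as a test aid); please audit those callers, otherwise tokens that did not require a login will start prompting for a PIN, and state the new contract in the comment above the function.

Review bot: the second hunk is consistent with the first, but the only guard left before the PIN prompt is now `!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)`; for a token with a protected path and no `--pin`, `pin` stays NULL and control falls through to the C_Login call outside the hunk, so confirm that call passes a NULL/zero-length PIN correctly rather than dereferencing it.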
[opensc-devel] OpenDNIe: first bytes
I've just published the first bytes of Cenatic's (and mine) LGPL version of the Spanish DNIe OpenSC driver:

svn checkout https://svn.forge.morfeo-project.org/opendnie/opendnie

It's in a very early stage: many functions need to be completed, and SM is only in skeleton. At this moment it is a "just compile", but expected to have something functional at mid-November, and get it complete as a Christmas gift.

The code is entirely new, no lines from the Official Police's code. With the publication of the SM keys and the DNIe programmer manual, the ability to create a new, written-from-scratch driver has become. And here it is.

Please, take a look. Any help, suggestion, and -of course- blame will be welcomed.

Juan Antonio
[opensc-devel] Warns in piv-tool.c
FYI: Not sure if this is intentional, but some warnings are shown at piv-tool.c:

piv-tool.c: En la función ‘gen_key’:
piv-tool.c:252: aviso: exceso de elementos en el inicializador de struct
piv-tool.c:252: aviso: (cerca de la inicialización de ‘keydata’)

Offending line piv-tool.c#252 shows:

    sc_cardctl_piv_genkey_info_t keydata = {0, 0, 0, 0, NULL, 0, NULL, 0, NULL, 0};

But on revision r4767 sc_cardctl_piv_genkey_info_t was defined at cardctl.c#751 as:

    typedef struct sc_cardctl_piv_genkey_info_st {
        unsigned int  key_num;
        unsigned int  key_algid;   /* RSA 5, 6, 7; EC 11, 14 */
        unsigned int  key_bits;    /* RSA */
        unsigned long exponent;    /* RSA */
        unsigned char *pubkey;     /* RSA */
        unsigned int  pubkey_len;  /* RSA */
    } sc_cardctl_piv_genkey_info_t;

BTW: what's the OpenSC politics about compile warnings?

Juan Antonio
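Added example (my code, not from the mail or from OpenSC): the quoted struct with the warned-about ten-element initializer beside a designated-initializer form that cannot silently drop members, plus two hypothetical helpers (`piv_genkey_algid_is_known`, `piv_genkey_info_init`) that build a request using only the algorithm ids the struct comment lists.

```c
#include <stdbool.h>
#include <stddef.h>
/* Struct as quoted in the mail (same members and comments). */
typedef struct sc_cardctl_piv_genkey_info_st {
    unsigned int  key_num;
    unsigned int  key_algid;   /* RSA 5, 6, 7; EC 11, 14 */
    unsigned int  key_bits;    /* RSA */
    unsigned long exponent;    /* RSA */
    unsigned char *pubkey;     /* RSA */
    unsigned int  pubkey_len;  /* RSA */
} sc_cardctl_piv_genkey_info_t;
/* Warned-about form: ten initialisers for six members, the extra four dropped:
 *   sc_cardctl_piv_genkey_info_t keydata = {0, 0, 0, 0, NULL, 0, NULL, 0, NULL, 0};
 * Designated initialisers name each member; a removed member then fails to compile
 * instead of being silently ignored. */
static const sc_cardctl_piv_genkey_info_t keydata_zero = {
    .key_num = 0, .key_algid = 0, .key_bits = 0, .exponent = 0,
    .pubkey = NULL, .pubkey_len = 0,
};
/* Hypothetical helper: true for the ids the struct comment lists. */
bool piv_genkey_algid_is_known(unsigned int algid)
{
    return algid == 5 || algid == 6 || algid == 7 || algid == 11 || algid == 14;
}

/* Hypothetical helper: fill a request from the zero template. RSA ids need a
 * bit length; EC ids ignore key_bits/exponent (marked RSA-only above).
 * Returns false and leaves *info untouched on an inconsistent request. */
bool piv_genkey_info_init(sc_cardctl_piv_genkey_info_t *info, unsigned int key_num,
                          unsigned int algid, unsigned int bits, unsigned long exponent)
{
    bool rsa = (algid == 5 || algid == 6 || algid == 7);
    if (info == NULL || !piv_genkey_algid_is_known(algid) || (rsa && bits == 0))
        return false;
    *info = keydata_zero;          /* every member defined, none stray */
    info->key_num = key_num;
    info->key_algid = algid;
    if (rsa) {
        info->key_bits = bits;
        info->exponent = exponent;
    }
    return true;
}

/* -1 when the request is rejected, else the key_bits actually stored. */
int piv_genkey_try(unsigned int algid, unsigned int bits)
{
    sc_cardctl_piv_genkey_info_t info;
    return piv_genkey_info_init(&info, 0x9a, algid, bits, 65537UL) ? (int)info.key_bits : -1;
}
```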