subject:"\[opensc\-devel\] r5124"

Re: [opensc-devel] r5124

2011-03-07 Thread Andre Zepezauer

On Mon, 2011-02-28 at 15:33 +0100, Andre Zepezauer wrote:
> Hello Martin,
> 
> I would like to commit the attached patch. Any objections?

Committed in r5222.

> On Thu, 2011-02-03 at 14:36 +0200, Martin Paljak wrote:
> > Hello,
> > 
> > On Thu, Jan 27, 2011 at 20:08, Andre Zepezauer
> >  wrote:
> > > Hello Martin,
> > >
> > > some comments on r5124:
> > >
> > > 1. The values of pin_info->reference and prkey_info->key_reference
> > > shouldn't be compared because:
> > >
> > > * pin_info->reference is used as P2 parameter in VERIFY command
> > > * prkey_info->key_reference is used in MSE SET tag 0x84
> > 
> > OK, I see your point.
> > Looking at your patch: could it be extracted into a small lookup
> > function like the current one that is used? such a small lookup
> > function with a small doxygen doc would look really nice.
> > 
> > I see it has been working up to because of a coincidence...
> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] r5124

2011-02-28 Thread Andre Zepezauer

Hello Martin,

I would like to commit the attached patch. Any objections?

On Thu, 2011-02-03 at 14:36 +0200, Martin Paljak wrote:
> Hello,
> 
> On Thu, Jan 27, 2011 at 20:08, Andre Zepezauer
>  wrote:
> > Hello Martin,
> >
> > some comments on r5124:
> >
> > 1. The values of pin_info->reference and prkey_info->key_reference
> > shouldn't be compared because:
> >
> > * pin_info->reference is used as P2 parameter in VERIFY command
> > * prkey_info->key_reference is used in MSE SET tag 0x84
> 
> OK, I see your point.
> Looking at your patch: could it be extracted into a small lookup
> function like the current one that is used? such a small lookup
> function with a small doxygen doc would look really nice.
> 
> I see it has been working up to because of a coincidence...
Index: src/libopensc/pkcs15-pin.c
===
--- src/libopensc/pkcs15-pin.c	(revision 5215)
+++ src/libopensc/pkcs15-pin.c	(working copy)
@@ -499,12 +499,21 @@
 		return;
 	}
 
-	/* If the PIN protects a private key with user consent, don't cache it */
-	if (sc_pkcs15_find_prkey_by_reference(p15card, NULL, pin_info->reference, &obj) == SC_SUCCESS) {
-		if (obj->user_consent) {
-			sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Not caching a PIN protecting a key with user consent");
-			return;
+	/* If the PIN protects an object with user consent, don't cache it */
+	obj = p15card->obj_list;
+	while (obj != NULL) {
+		/* Compare 'sc_pkcs15_object.auth_id' with 'sc_pkcs15_pin_info.auth_id'.
+		 * In accordance with PKCS#15 "6.1.8 CommonObjectAttributes" and
+		 * "6.1.16 CommonAuthenticationObjectAttributes" with the exception that
+		 * "CommonObjectAttributes.accessControlRules" are not taken into account. */
+		if (sc_pkcs15_compare_id(&obj->auth_id, &pin_info->auth_id)) {
+			/* Caching is refused, if the protected object requires user consent */
+			if (obj->user_consent > 0) {
+sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)");
+return;
+			}
 		}
+		obj = obj->next;
 	}
 
 	r = sc_pkcs15_allocate_object_content(pin_obj, pin, pinlen);
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] r5124

2011-02-03 Thread Martin Paljak


On Feb 3, 2011, at 3:22 PM, Andre Zepezauer wrote:
> That patch could be some lines shorter when using
> sc_pkcs15_compare_id(). Additionally that would improve readability.
> 
> I don't know what kind of function you did mean. Extracting only that
> patch into a new function?

I mean the lookup functionality looks like it could be re-used.
-- 
@MartinPaljak.net
+3725156495

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] r5124

2011-02-03 Thread Andre Zepezauer

On Thu, 2011-02-03 at 14:36 +0200, Martin Paljak wrote:
> Hello,
> 
> On Thu, Jan 27, 2011 at 20:08, Andre Zepezauer
>  wrote:
> > Hello Martin,
> >
> > some comments on r5124:
> >
> > 1. The values of pin_info->reference and prkey_info->key_reference
> > shouldn't be compared because:
> >
> > * pin_info->reference is used as P2 parameter in VERIFY command
> > * prkey_info->key_reference is used in MSE SET tag 0x84
> 
> OK, I see your point.
> Looking at your patch: could it be extracted into a small lookup
> function like the current one that is used? such a small lookup
> function with a small doxygen doc would look really nice.

That patch could be some lines shorter when using
sc_pkcs15_compare_id(). Additionally that would improve readability.

I don't know what kind of function you did mean. Extracting only that
patch into a new function?

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] r5124

2011-02-03 Thread Martin Paljak

Hello,

On Thu, Jan 27, 2011 at 20:08, Andre Zepezauer
 wrote:
> Hello Martin,
>
> some comments on r5124:
>
> 1. The values of pin_info->reference and prkey_info->key_reference
> shouldn't be compared because:
>
> * pin_info->reference is used as P2 parameter in VERIFY command
> * prkey_info->key_reference is used in MSE SET tag 0x84

OK, I see your point.
Looking at your patch: could it be extracted into a small lookup
function like the current one that is used? such a small lookup
function with a small doxygen doc would look really nice.

I see it has been working up to because of a coincidence...
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] r5124

2011-01-28 Thread Martin Paljak

Hello,

On Jan 27, 2011, at 8:08 PM, Andre Zepezauer wrote:
> some comments on r5124:
> 
> 1. The values of pin_info->reference and prkey_info->key_reference
> shouldn't be compared because:
> 
> * pin_info->reference is used as P2 parameter in VERIFY command
> * prkey_info->key_reference is used in MSE SET tag 0x84
> 
> There is no relation between these two values. See PKCS#15 for the
> meaning of these attributes and attachment for another solution.

OK, needs a further investigation (during weekend or so..). I only recovered 
the functionality as it was before r4048, as the feature used to work.
Maybe It was because an accidental side-effect.

> 2. The Authentication-Objects can have two authId attributes because:
> 
> * they can protect objects (this is 
> CommonAuthenticationObjectAttributes->authId)
> * they could be protected by another PIN i.e. for unblocking purpose
>  (this is CommonObjectAttributes->authId)
> 
> 3. User consent for PIN objects does make sense i.e. for unblocking purpose
That's theoretical, to my knowledge this far user consent related bits have 
been used for digital signature keys only.

> 4. There is also a ticket relating to pin re-validation (#293).
That was probably the result of the same change.


-- 
@MartinPaljak.net
+3725156495

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] r5124

2011-01-27 Thread Andre Zepezauer

Hello Martin,

some comments on r5124:

1. The values of pin_info->reference and prkey_info->key_reference
shouldn't be compared because:

* pin_info->reference is used as P2 parameter in VERIFY command
* prkey_info->key_reference is used in MSE SET tag 0x84

There is no relation between these two values. See PKCS#15 for the
meaning of these attributes and attachment for another solution.

2. The Authentication-Objects can have two authId attributes because:

* they can protect objects (this is 
CommonAuthenticationObjectAttributes->authId)
* they could be protected by another PIN i.e. for unblocking purpose
  (this is CommonObjectAttributes->authId)

3. User consent for PIN objects does make sense i.e. for unblocking purpose

4. There is also a ticket relating to pin re-validation (#293).

Regards
Andre
Index: src/libopensc/pkcs15-pin.c
===
--- src/libopensc/pkcs15-pin.c	(revision 5124)
+++ src/libopensc/pkcs15-pin.c	(working copy)
@@ -499,12 +499,21 @@
 		return;
 	}
 
-	/* If the PIN protects a private key with user consent, don't cache it */
-	if (sc_pkcs15_find_prkey_by_reference(p15card, NULL, pin_info->reference, &obj) == SC_SUCCESS) {
-		if (obj->user_consent) {
-			sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Not caching a PIN protecting a key with user consent");
-			return;
+	/* If the PIN protects an object with user consent, don't cache it */
+	obj = p15card->obj_list;
+	while (obj != NULL) {
+		if (obj->auth_id.len == pin_info->auth_id.len) {
+			if (memcmp(obj->auth_id.value, pin_info->auth_id.value, pin_info->auth_id.len) == 0) {
+/* When we get here, then 'obj' is protected by this PIN */
+if (obj->user_consent > 0) {
+	sc_debug(ctx, SC_LOG_DEBUG_NORMAL,
+		"Not caching a PIN protecting an object with user consent");
+	return;
+}
+			}
 		}
+
+		obj = obj->next;
 	}
 
 	r = sc_pkcs15_allocate_object_content(pin_obj, pin, pinlen);
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] r5124

Re: [opensc-devel] r5124

Re: [opensc-devel] r5124

Re: [opensc-devel] r5124

Re: [opensc-devel] r5124

Re: [opensc-devel] r5124

[opensc-devel] r5124

7 matches

Site Navigation

Mail list logo

Footer information