From 6091968cf5ee2338da0d9eeb3f8881c42a4ce859 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 17 May 2018 12:50:50 +0200
Subject: [PATCH] opensc-0.18.0-1 (#1567503)

---
 opensc-0.17.0-cac-alt.patch             | 204 ----------
 opensc-0.17.0-cloudhsm.patch            |  78 ----
 opensc-0.17.0-feitian.patch             | 460 -----------------------
 opensc-0.17.0-infinite-loop.patch       |  62 ----
 opensc-0.17.0-piv-cardholder-name.patch | 121 ------
 opensc-0.17.0-simpletlv.patch           |  21 --
 opensc-coolkey.patch                    |  59 ---
 opensc-estonia.patch                    | 475 ------------------------
 opensc.spec                             |  41 +-
 9 files changed, 15 insertions(+), 1506 deletions(-)
 delete mode 100644 opensc-0.17.0-cac-alt.patch
 delete mode 100644 opensc-0.17.0-cloudhsm.patch
 delete mode 100644 opensc-0.17.0-feitian.patch
 delete mode 100644 opensc-0.17.0-infinite-loop.patch
 delete mode 100644 opensc-0.17.0-piv-cardholder-name.patch
 delete mode 100644 opensc-0.17.0-simpletlv.patch
 delete mode 100644 opensc-coolkey.patch
 delete mode 100644 opensc-estonia.patch

diff --git a/opensc-0.17.0-cac-alt.patch b/opensc-0.17.0-cac-alt.patch
deleted file mode 100644
index fccdbf9..0000000
--- a/opensc-0.17.0-cac-alt.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 6dc118e1c3b89c50cda1998de1d62fa6fa666e60 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 3 Nov 2017 10:55:35 +0100
-Subject: [PATCH 1/3] Enable CAC ALT token card operations
-
----
- src/libopensc/card-cac.c | 33 +++++++++++++++++++++++++++++++++
- 1 file changed, 33 insertions(+)
-
-diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
-index 82f5c7869..bc0a754a5 100644
---- a/src/libopensc/card-cac.c
-+++ b/src/libopensc/card-cac.c
-@@ -229,6 +229,12 @@ static int cac_add_object_to_list(list_t *list, const cac_object_t *object)
- #define CAC_1_RID "\xA0\x00\x00\x00\x79"
- #define CAC_1_CM_AID "\xA0\x00\x00\x00\x30\x00\00"
- 
-+static const sc_path_t cac_ACA_Path = {
-+	"", 0,
-+	0,0,SC_PATH_TYPE_DF_NAME,
-+	{ CAC_TO_AID(CAC_1_RID "\x10\x00") }
-+};
-+
- static const sc_path_t cac_CCC_Path = {
- 	"", 0,
- 	0,0,SC_PATH_TYPE_DF_NAME,
-@@ -284,6 +290,8 @@ static const cac_object_t cac_1_objects[] = {
- static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
- 
- 
-+static int cac_select_ACA(sc_card_t *card);
-+
- /*
-  * use the object id to find our object info on the object in our CAC-1 list
-  */
-@@ -815,6 +823,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
- 		case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
- 			return cac_final_iterator(&priv->general_list);
- 		case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
-+			/* select ACA to be able to verify PIN */
-+			cac_select_ACA(card);
- 			return cac_final_iterator(&priv->pki_list);
- 	}
- 
-@@ -1157,6 +1167,12 @@ static int cac_select_CCC(sc_card_t *card)
- 	return cac_select_file_by_type(card, &cac_CCC_Path, NULL, SC_CARD_TYPE_CAC_II);
- }
- 
-+/* Select ACA in non-standard location */
-+static int cac_select_ACA(sc_card_t *card)
-+{
-+	return cac_select_file_by_type(card, &cac_ACA_Path, NULL, SC_CARD_TYPE_CAC_II);
-+}
-+
- static int cac_path_from_cardurl(sc_card_t *card, sc_path_t *path, cac_card_url_t *val, int len)
- {
- 	if (len < 10) {
-@@ -1476,6 +1492,23 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
- 		}
- 	}
- 
-+	/* Even some ALT tokens can be missing CCC so we should try with ACA */
-+	r = cac_select_ACA(card);
-+	if (r == SC_SUCCESS) {
-+		r = cac_find_first_pki_applet(card, &index);
-+	        if (r == SC_SUCCESS) {
-+			priv = cac_new_private_data();
-+			if (!priv)
-+				return SC_ERROR_OUT_OF_MEMORY;
-+			r = cac_populate_cac_1(card, index, priv);
-+			if (r == SC_SUCCESS) {
-+				card->type = SC_CARD_TYPE_CAC_II;
-+				card->drv_data = priv;
-+				return r;
-+			}
-+		}
-+	}
-+
- 	/* is this a CAC-1 specified in DoD "CAC Applet Developer Guide" version 1.0 September 2002 */
- 	r = cac_find_first_pki_applet(card, &index);
- 	if (r == SC_SUCCESS) {
-
-From 68c52640a3eff078243fd2db627cf2d12fdd37de Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 6 Nov 2017 12:37:40 +0100
-Subject: [PATCH 2/3] Add the ACA path to the PIN structure if we have one
-
----
- src/libopensc/card-cac.c   | 25 +++++++++++++++++++------
- src/libopensc/cardctl.h    |  1 +
- src/libopensc/pkcs15-cac.c |  6 ++++++
- 3 files changed, 26 insertions(+), 6 deletions(-)
-
-diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
-index bc0a754a5..178150d35 100644
---- a/src/libopensc/card-cac.c
-+++ b/src/libopensc/card-cac.c
-@@ -169,6 +169,7 @@ typedef struct cac_private_data {
- 	cac_object_t *pki_current;      /* current pki object _ctl function */
- 	list_t general_list;            /* list of general containers */
- 	cac_object_t *general_current;  /* current object for _ctl function */
-+	sc_path_t *aca_path;		/* ACA path to be selected before pin verification */
- } cac_private_data_t;
- 
- #define CAC_DATA(card) ((cac_private_data_t*)card->drv_data)
-@@ -207,6 +208,7 @@ static void cac_free_private_data(cac_private_data_t *priv)
- {
- 	free(priv->cac_id);
- 	free(priv->cache_buf);
-+	free(priv->aca_path);
- 	list_destroy(&priv->pki_list);
- 	list_destroy(&priv->general_list);
- 	free(priv);
-@@ -289,9 +291,6 @@ static const cac_object_t cac_1_objects[] = {
- 
- static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
- 
--
--static int cac_select_ACA(sc_card_t *card);
--
- /*
-  * use the object id to find our object info on the object in our CAC-1 list
-  */
-@@ -793,11 +792,21 @@ static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* seri
- 	if (priv->cac_id_len) {
- 		serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR);
- 		memcpy(serial->value, priv->cac_id, priv->cac_id_len);
--                SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
-+		SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
- 	}
- 	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
- }
- 
-+static int cac_get_ACA_path(sc_card_t *card, sc_path_t *path)
-+{
-+	cac_private_data_t * priv = CAC_DATA(card);
-+
-+	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
-+	if (priv->aca_path) {
-+		*path = *priv->aca_path;
-+	}
-+	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
-+}
- 
- static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
- {
-@@ -810,6 +819,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
- 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
- 	}
- 	switch(cmd) {
-+		case SC_CARDCTL_CAC_GET_ACA_PATH:
-+			return cac_get_ACA_path(card, (sc_path_t *) ptr);
- 		case SC_CARDCTL_GET_SERIALNR:
- 			return cac_get_serial_nr_from_CUID(card, (sc_serial_number_t *) ptr);
- 		case SC_CARDCTL_CAC_INIT_GET_GENERIC_OBJECTS:
-@@ -823,8 +834,6 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
- 		case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
- 			return cac_final_iterator(&priv->general_list);
- 		case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
--			/* select ACA to be able to verify PIN */
--			cac_select_ACA(card);
- 			return cac_final_iterator(&priv->pki_list);
- 	}
- 
-@@ -1502,6 +1511,10 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
- 				return SC_ERROR_OUT_OF_MEMORY;
- 			r = cac_populate_cac_1(card, index, priv);
- 			if (r == SC_SUCCESS) {
-+				priv->aca_path = malloc(sizeof(sc_path_t));
-+				if (!priv->aca_path)
-+					return SC_ERROR_OUT_OF_MEMORY;
-+				memcpy(priv->aca_path, &cac_ACA_Path, sizeof(sc_path_t));
- 				card->type = SC_CARD_TYPE_CAC_II;
- 				card->drv_data = priv;
- 				return r;
-diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h
-index b647b0537..b610eacc7 100644
---- a/src/libopensc/cardctl.h
-+++ b/src/libopensc/cardctl.h
-@@ -220,6 +220,7 @@ enum {
- 	SC_CARDCTL_CAC_INIT_GET_CERT_OBJECTS,
- 	SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT,
- 	SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS,
-+	SC_CARDCTL_CAC_GET_ACA_PATH,
- 
-         /*
- 	 * AuthentIC v3
-diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
-index fd463a9b4..ff87a2345 100644
---- a/src/libopensc/pkcs15-cac.c
-+++ b/src/libopensc/pkcs15-cac.c
-@@ -250,6 +250,12 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
- 		strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
- 		pin_obj.flags = pins[i].obj_flags;
- 
-+		/* get the ACA path in case it needs to be selected before PIN verify */
-+		r = sc_card_ctl(card, SC_CARDCTL_CAC_GET_ACA_PATH, &pin_info.path);
-+		if (r < 0) {
-+			SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
-+		}
-+
- 		r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);
- 		if (r < 0)
- 			SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
diff --git a/opensc-0.17.0-cloudhsm.patch b/opensc-0.17.0-cloudhsm.patch
deleted file mode 100644
index 22ab27e..0000000
--- a/opensc-0.17.0-cloudhsm.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 74885fb1c174468cc0a505cd7404e228d465efd8 Mon Sep 17 00:00:00 2001
-From: AnthonyA <ascanio.alba7@gmail.com>
-Date: Tue, 27 Mar 2018 00:48:05 +0000
-Subject: [PATCH] pkcs11-tool: allow mechanism to be specified in hexadecimal
-
-To support vendor mechanisms, let -m accept hexadecimal strings,
-e.g., -m 0x80001234
----
- doc/tools/pkcs11-tool.1.xml | 3 ++-
- src/tools/pkcs11-tool.c     | 5 ++++-
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
-index f8d638b45..e78570b10 100644
---- a/doc/tools/pkcs11-tool.1.xml
-+++ b/doc/tools/pkcs11-tool.1.xml
-@@ -231,7 +231,8 @@
- 					</term>
- 					<listitem><para>Use the specified <replaceable>mechanism</replaceable>
- 					for token operations. See <option>-M</option> for a list
--					of mechanisms supported by your token.</para></listitem>
-+					of mechanisms supported by your token. The mechanism can also be specified in
-+					hexadecimal, e.g., <replaceable>0x80001234</replaceable>.</para></listitem>
- 				</varlistentry>
- 
- 				<varlistentry>
-diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
-index 63e5c5f7f..484c019d8 100644
---- a/src/tools/pkcs11-tool.c
-+++ b/src/tools/pkcs11-tool.c
-@@ -234,7 +234,7 @@ static const char *option_help[] = {
- 	"Hash some data",
- 	"Derive a secret key using another key and some data",
- 	"Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations",
--	"Specify mechanism (use -M for a list of supported mechanisms)",
-+	"Specify mechanism (use -M for a list of supported mechanisms), or by hexadecimal, e.g., 0x80001234",
- 
- 	"Log into the token first",
- 	"Specify login type ('so', 'user', 'context-specific'; default:'user')",
-@@ -6076,6 +6076,9 @@ static CK_MECHANISM_TYPE p11_name_to_mechanism(const char *name)
- {
- 	struct mech_info *mi;
- 
-+	if (strncasecmp("0x", name, 2) == 0) {
-+		return strtoul(name, NULL, 0);
-+	}
- 	for (mi = p11_mechanisms; mi->name; mi++) {
- 		if (!strcasecmp(mi->name, name)
- 		 || (mi->short_name && !strcasecmp(mi->short_name, name)))
-
-
-From ea4baf50d57a7a41164fedcd1b10fdb0438305c5 Mon Sep 17 00:00:00 2001
-From: AnthonyA <ascanio.alba7@gmail.com>
-Date: Mon, 19 Mar 2018 15:58:21 +0800
-Subject: [PATCH] pkcs11-tool: make ECPoint behaviour standards compliant by
- default
-
-Fixes #1286. The behaviour of pkcs11-tool will follow the standard -
-send DER. If EC_POINT_NO_ASN1_OCTET_STRING is defined then it will
-write plain bytes.
----
- src/tools/pkcs11-tool.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
-index 876bba2dc..63e5c5f7f 100644
---- a/src/tools/pkcs11-tool.c
-+++ b/src/tools/pkcs11-tool.c
-@@ -2632,7 +2632,7 @@ parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
- 		header_len = point-gost->public.value;
- 		memcpy(point, buf, point_len);
- 		gost->public.len = header_len+point_len;
--#ifndef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
-+#ifdef EC_POINT_NO_ASN1_OCTET_STRING // workaround for non-compliant cards not expecting DER encoding
- 		gost->public.len   -= header_len;
- 		gost->public.value += header_len;
- #endif
-
diff --git a/opensc-0.17.0-feitian.patch b/opensc-0.17.0-feitian.patch
deleted file mode 100644
index 2dd5dd4..0000000
--- a/opensc-0.17.0-feitian.patch
+++ /dev/null
@@ -1,460 +0,0 @@
-From 8d7346406d166a9db4afd239e6669df3e3b99f79 Mon Sep 17 00:00:00 2001
-From: Feitian Technologies <hongbin@ftsafe.com>
-Date: Mon, 4 Sep 2017 19:29:24 +0800
-Subject: [PATCH] Add ECC support and solve wrong Length status codes with SM
- card
-
-Fix #1073
-Fix #1115
----
- src/libopensc/card-epass2003.c    | 171 ++++++++++++++++++++++++++++++++++----
- src/libopensc/cardctl.h           |   4 +-
- src/libopensc/sm.c                |   2 +-
- src/pkcs15init/pkcs15-epass2003.c |  49 +++++++++--
- 4 files changed, 197 insertions(+), 29 deletions(-)
-
-diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c
-index 84ab64569..7feab5984 100644
---- a/src/libopensc/card-epass2003.c
-+++ b/src/libopensc/card-epass2003.c
-@@ -98,6 +98,8 @@ typedef struct epass2003_exdata_st {
- 	unsigned char sk_enc[16];	/* encrypt session key */
- 	unsigned char sk_mac[16];	/* mac session key */
- 	unsigned char icv_mac[16];	/* instruction counter vector(for sm) */
-+	unsigned char currAlg;		/* current Alg */
-+	unsigned int  ecAlgFlags; 	/* Ec Alg mechanism type*/
- } epass2003_exdata;
- 
- #define REVERSE_ORDER4(x)	(			  \
-@@ -170,6 +172,7 @@ static const struct sc_card_error epass2003_errors[] = {
- static int epass2003_transmit_apdu(struct sc_card *card, struct sc_apdu *apdu);
- static int epass2003_select_file(struct sc_card *card, const sc_path_t * in_path, sc_file_t ** file_out);
- int epass2003_refresh(struct sc_card *card);
-+static int hash_data(const unsigned char *data, size_t datalen, unsigned char *hash, unsigned int mechanismType);
- 
- static int
- epass2003_check_sw(struct sc_card *card, unsigned int sw1, unsigned int sw2)
-@@ -403,6 +406,12 @@ sha1_digest(const unsigned char *input, size_t length, unsigned char *output)
- 	return openssl_dig(EVP_sha1(), input, length, output);
- }
- 
-+static int
-+sha256_digest(const unsigned char *input, size_t length, unsigned char *output)
-+{
-+	return openssl_dig(EVP_sha256(), input, length, output);
-+}
-+
- 
- static int
- gen_init_key(struct sc_card *card, unsigned char *key_enc, unsigned char *key_mac,
-@@ -1140,6 +1149,7 @@ static int
- epass2003_init(struct sc_card *card)
- {
- 	unsigned int flags;
-+	unsigned int ext_flags;
- 	unsigned char data[SC_MAX_APDU_BUFFER_SIZE] = { 0 };
- 	size_t datalen = SC_MAX_APDU_BUFFER_SIZE;
- 	epass2003_exdata *exdata = NULL;
-@@ -1192,6 +1202,11 @@ epass2003_init(struct sc_card *card)
- 	_sc_card_add_rsa_alg(card, 1024, flags, 0);
- 	_sc_card_add_rsa_alg(card, 2048, flags, 0);
- 
-+	//set EC Alg Flags
-+	flags = SC_ALGORITHM_ONBOARD_KEY_GEN|SC_ALGORITHM_ECDSA_HASH_SHA1|SC_ALGORITHM_ECDSA_HASH_SHA256|SC_ALGORITHM_ECDSA_HASH_NONE|SC_ALGORITHM_ECDSA_RAW;
-+	ext_flags = 0;
-+	_sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
-+
- 	card->caps = SC_CARD_CAP_RNG | SC_CARD_CAP_APDU_EXT;
- 
- 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
-@@ -1561,6 +1576,13 @@ epass2003_set_security_env(struct sc_card *card, const sc_security_env_t * env,
- 	u8 *p;
- 	unsigned short fid = 0;
- 	int r, locked = 0;
-+	epass2003_exdata *exdata = NULL;
-+
-+	if (!card->drv_data)
-+		return SC_ERROR_INVALID_ARGUMENTS;
-+
-+	exdata = (epass2003_exdata *)card->drv_data;
-+	exdata->currAlg = SC_ALGORITHM_RSA;   //default algorithm
- 
- 	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, 0x41, 0);
- 	switch (env->operation) {
-@@ -1590,6 +1612,28 @@ epass2003_set_security_env(struct sc_card *card, const sc_security_env_t * env,
- 	apdu.lc = r;
- 	apdu.datalen = r;
- 	apdu.data = sbuf;
-+
-+	if (env->algorithm == SC_ALGORITHM_EC)
-+	{
-+		apdu.p2 = 0xB6;
-+		exdata->currAlg = SC_ALGORITHM_EC;
-+		if(env->algorithm_flags | SC_ALGORITHM_ECDSA_HASH_SHA1)
-+		{
-+			sbuf[2] = 0x91;
-+			exdata->ecAlgFlags = SC_ALGORITHM_ECDSA_HASH_SHA1;
-+		}
-+		else if (env->algorithm_flags | SC_ALGORITHM_ECDSA_HASH_SHA256)
-+		{
-+			sbuf[2] = 0x92;
-+			exdata->ecAlgFlags = SC_ALGORITHM_ECDSA_HASH_SHA256;
-+		}
-+		else
-+		{
-+			sc_log(card->ctx, "%0x Alg Not Support! ", env->algorithm_flags);
-+			goto err;
-+		}
-+	}
-+
- 	if (se_num > 0) {
- 		r = sc_lock(card);
- 		LOG_TEST_RET(card->ctx, r, "sc_lock() failed");
-@@ -1640,7 +1684,55 @@ static int epass2003_decipher(struct sc_card *card, const u8 * data, size_t data
- 	struct sc_apdu apdu;
- 	u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = { 0 };
- 	u8 sbuf[SC_MAX_APDU_BUFFER_SIZE] = { 0 };
-+	epass2003_exdata *exdata = NULL;
-+	
-+	LOG_FUNC_CALLED(card->ctx);
-+	
-+	if (!card->drv_data)
-+		return SC_ERROR_INVALID_ARGUMENTS;
-+	
-+	exdata = (epass2003_exdata *)card->drv_data;
- 
-+	if(exdata->currAlg == SC_ALGORITHM_EC)
-+	{
-+		unsigned char hash[HASH_LEN] = { 0 };
-+		if(exdata->ecAlgFlags | SC_ALGORITHM_ECDSA_HASH_SHA1)
-+		{
-+			hash_data(data, datalen, hash, SC_ALGORITHM_ECDSA_HASH_SHA1);
-+			sc_format_apdu(card, &apdu, SC_APDU_CASE_3,0x2A, 0x9E, 0x9A);
-+			memset(sbuf, 0, sizeof(sbuf));
-+			memcpy(sbuf, hash, 0x14);
-+			apdu.data = sbuf;
-+			apdu.lc = 0x14;
-+			apdu.datalen = 0x14;
-+		}
-+		else if (exdata->ecAlgFlags | SC_ALGORITHM_ECDSA_HASH_SHA256)
-+		{
-+			hash_data(data, datalen, hash, SC_ALGORITHM_ECDSA_HASH_SHA256);
-+			sc_format_apdu(card, &apdu, SC_APDU_CASE_3,0x2A, 0x9E, 0x9A);
-+			memset(sbuf, 0, sizeof(sbuf));
-+			memcpy(sbuf, hash, 0x20);
-+			apdu.data = sbuf;
-+			apdu.lc = 0x20;
-+			apdu.datalen = 0x20;
-+		}
-+		else
-+		{
-+			return SC_ERROR_NOT_SUPPORTED;
-+		}
-+		apdu.resp = rbuf;
-+		apdu.resplen = sizeof(rbuf);
-+		apdu.le = 0;
-+
-+		r = sc_transmit_apdu_t(card, &apdu);
-+		LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
-+		if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) {
-+			size_t len = apdu.resplen > outlen ? outlen : apdu.resplen;
-+			memcpy(out, apdu.resp, len);
-+			LOG_FUNC_RETURN(card->ctx, len);
-+		}
-+		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
-+	}
- 	sc_format_apdu(card, &apdu, SC_APDU_CASE_4_EXT, 0x2A, 0x80, 0x86);
- 	apdu.resp = rbuf;
- 	apdu.resplen = sizeof(rbuf);
-@@ -1862,11 +1954,13 @@ epass2003_construct_fci(struct sc_card *card, const sc_file_t * file,
- 
- 	}
- 	else if (file->type == SC_FILE_TYPE_INTERNAL_EF) {
--		if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_CRT) {
-+		if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_CRT ||
-+			file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_EC_CRT) {
- 			buf[0] = 0x11;
- 			buf[1] = 0x00;
- 		}
--		else if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) {
-+		else if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC ||
-+				file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_EC_PUBLIC) {
- 			buf[0] = 0x12;
- 			buf[1] = 0x00;
- 		}
-@@ -1903,7 +1997,9 @@ epass2003_construct_fci(struct sc_card *card, const sc_file_t * file,
- 	}
- 	else if (file->type == SC_FILE_TYPE_INTERNAL_EF) {
- 		if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_CRT ||
--		    file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) {
-+		    file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC||
-+		    file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_EC_CRT||
-+		    file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_EC_PUBLIC) {
- 			buf[0] = (file->size >> 8) & 0xFF;
- 			buf[1] = file->size & 0xFF;
- 			sc_asn1_put_tag(0x85, buf, 2, p, *outlen - (p - out), &p);
-@@ -1942,13 +2038,14 @@ epass2003_construct_fci(struct sc_card *card, const sc_file_t * file,
- 			ops[3] = SC_AC_OP_DELETE;
- 		}
- 		else if (file->type == SC_FILE_TYPE_INTERNAL_EF) {
--			if (file->ef_structure ==
--			    SC_CARDCTL_OBERTHUR_KEY_RSA_CRT) {
-+			if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_CRT ||
-+				file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_EC_CRT) {
- 				ops[1] = SC_AC_OP_UPDATE;
- 				ops[2] = SC_AC_OP_CRYPTO;
- 				ops[3] = SC_AC_OP_DELETE;
- 			}
--			else if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) {
-+			else if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC||
-+					file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_EC_PUBLIC) {
- 				ops[0] = SC_AC_OP_READ;
- 				ops[1] = SC_AC_OP_UPDATE;
- 				ops[2] = SC_AC_OP_CRYPTO;
-@@ -1973,13 +2070,22 @@ epass2003_construct_fci(struct sc_card *card, const sc_file_t * file,
- 			buf[ii] = rv;
- 		}
- 		sc_asn1_put_tag(0x86, buf, sizeof(ops), p, *outlen - (p - out), &p);
-+		if(file->size == 256)	
-+		{
-+			out[4]= 0x13;
-+		}
- 
- 	}
- 
- 	/* VT ??? */
--	if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) {
-+	if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC||
-+		file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_EC_PUBLIC) {
- 		unsigned char data[2] = {0x00, 0x66};
- 		sc_asn1_put_tag(0x87, data, sizeof(data), p, *outlen - (p - out), &p);
-+		if(file->size == 256)	
-+		{
-+			out[4]= 0x14;
-+		}
- 	}
- 
- 	out[1] = p - out - 2;
-@@ -2129,19 +2235,36 @@ internal_write_rsa_key(struct sc_card *card, unsigned short fid, struct sc_pkcs1
- 
- 
- static int
--hash_data(unsigned char *data, size_t datalen, unsigned char *hash)
-+hash_data(const unsigned char *data, size_t datalen, unsigned char *hash, unsigned int mechanismType)
- {
--	unsigned char data_hash[24] = { 0 };
--	size_t len = 0;
- 
- 	if ((NULL == data) || (NULL == hash))
- 		return SC_ERROR_INVALID_ARGUMENTS;
- 
--	sha1_digest(data, datalen, data_hash);
-+	if(mechanismType | SC_ALGORITHM_ECDSA_HASH_SHA1)
-+	{
-+		unsigned char data_hash[24] = { 0 };
-+		size_t len = 0;
- 
--	len = REVERSE_ORDER4(datalen);
--	memcpy(&data_hash[20], &len, 4);
--	memcpy(hash, data_hash, 24);
-+		sha1_digest(data, datalen, data_hash);
-+		len = REVERSE_ORDER4(datalen);
-+		memcpy(&data_hash[20], &len, 4);
-+		memcpy(hash, data_hash, 24);
-+	}
-+	else if(mechanismType | SC_ALGORITHM_ECDSA_HASH_SHA256)
-+	{
-+		unsigned char data_hash[36] = { 0 };
-+		size_t len = 0;
-+
-+		sha256_digest(data, datalen, data_hash);
-+		len = REVERSE_ORDER4(datalen);
-+		memcpy(&data_hash[32], &len, 4);
-+		memcpy(hash, data_hash, 36);
-+	}
-+	else
-+	{
-+		return SC_ERROR_NOT_SUPPORTED;
-+	}
- 
- 	return SC_SUCCESS;
- }
-@@ -2214,7 +2337,7 @@ internal_install_pin(struct sc_card *card, sc_epass2003_wkey_data * pin)
- 	int r;
- 	unsigned char hash[HASH_LEN] = { 0 };
- 
--	r = hash_data(pin->key_data.es_secret.key_val, pin->key_data.es_secret.key_len, hash);
-+	r = hash_data(pin->key_data.es_secret.key_val, pin->key_data.es_secret.key_len, hash, SC_ALGORITHM_ECDSA_HASH_SHA1);
- 	LOG_TEST_RET(card->ctx, r, "hash data failed");
- 
- 	r = install_secret_key(card, 0x04, pin->key_data.es_secret.kid,
-@@ -2265,7 +2388,14 @@ epass2003_gen_key(struct sc_card *card, sc_epass2003_gen_key_data * data)
- 
- 	LOG_FUNC_CALLED(card->ctx);
- 
--	sbuf[0] = 0x01;
-+	if(len == 256)
-+	{
-+		sbuf[0] = 0x02;
-+	}
-+	else
-+	{
-+		sbuf[0] = 0x01;
-+	}
- 	sbuf[1] = (u8) ((len >> 8) & 0xff);
- 	sbuf[2] = (u8) (len & 0xff);
- 	sbuf[3] = (u8) ((data->prkey_id >> 8) & 0xFF);
-@@ -2285,6 +2415,10 @@ epass2003_gen_key(struct sc_card *card, sc_epass2003_gen_key_data * data)
- 
- 	/* read public key */
- 	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xb4, 0x02, 0x00);
-+	if(len == 256)
-+	{
-+		apdu.p1 = 0x00;
-+	}
- 	apdu.cla = 0x80;
- 	apdu.lc = apdu.datalen = 2;
- 	apdu.data = &sbuf[5];
-@@ -2349,6 +2483,7 @@ epass2003_card_ctl(struct sc_card *card, unsigned long cmd, void *ptr)
- {
- 	LOG_FUNC_CALLED(card->ctx);
- 
-+	sc_log(card->ctx, "cmd is %0lx", cmd);
- 	switch (cmd) {
- 	case SC_CARDCTL_ENTERSAFE_WRITE_KEY:
- 		return epass2003_write_key(card, (sc_epass2003_wkey_data *) ptr);
-@@ -2474,7 +2609,7 @@ external_key_auth(struct sc_card *card, unsigned char kid,
- 	r = sc_get_challenge(card, random, 8);
- 	LOG_TEST_RET(card->ctx, r, "get challenge external_key_auth failed");
- 
--	r = hash_data(data, datalen, hash);
-+	r = hash_data(data, datalen, hash, SC_ALGORITHM_ECDSA_HASH_SHA1);
- 	LOG_TEST_RET(card->ctx, r, "hash data failed");
- 
- 	des3_encrypt_cbc(hash, HASH_LEN, iv, random, 8, tmp_data);
-@@ -2501,7 +2636,7 @@ update_secret_key(struct sc_card *card, unsigned char ktype, unsigned char kid,
- 	unsigned char tmp_data[256] = { 0 };
- 	unsigned char maxtries = 0;
- 
--	r = hash_data(data, datalen, hash);
-+	r = hash_data(data, datalen, hash, SC_ALGORITHM_ECDSA_HASH_SHA1);
- 	LOG_TEST_RET(card->ctx, r, "hash data failed");
- 
- 	r = get_external_key_maxtries(card, &maxtries);
-diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h
-index 9a58427b7..b647b0537 100644
---- a/src/libopensc/cardctl.h
-+++ b/src/libopensc/cardctl.h
-@@ -490,7 +490,9 @@ enum SC_CARDCTL_OBERTHUR_KEY_TYPE {
- 	SC_CARDCTL_OBERTHUR_KEY_RSA_SFM,
- 	SC_CARDCTL_OBERTHUR_KEY_RSA_CRT,
- 	SC_CARDCTL_OBERTHUR_KEY_DSA_PUBLIC,
--	SC_CARDCTL_OBERTHUR_KEY_DSA_PRIVATE
-+	SC_CARDCTL_OBERTHUR_KEY_DSA_PRIVATE,
-+	SC_CARDCTL_OBERTHUR_KEY_EC_CRT,
-+	SC_CARDCTL_OBERTHUR_KEY_EC_PUBLIC
- };
- 
- struct sc_cardctl_oberthur_genkey_info {
-diff --git a/src/libopensc/sm.c b/src/libopensc/sm.c
-index 94f7ce7c3..877a5ef12 100644
---- a/src/libopensc/sm.c
-+++ b/src/libopensc/sm.c
-@@ -157,7 +157,7 @@ sc_sm_single_transmit(struct sc_card *card, struct sc_apdu *apdu)
- 	}
- 
- 	/* send APDU flagged as NO_SM */
--	sm_apdu->flags |= SC_APDU_FLAGS_NO_SM;
-+	sm_apdu->flags |= SC_APDU_FLAGS_NO_SM | SC_APDU_FLAGS_NO_RETRY_WL;
- 	rv = sc_transmit_apdu(card, sm_apdu);
- 	if (rv < 0) {
- 		card->sm_ctx.ops.free_sm_apdu(card, apdu, &sm_apdu);
-diff --git a/src/pkcs15init/pkcs15-epass2003.c b/src/pkcs15init/pkcs15-epass2003.c
-index 3be5ab856..786a71258 100644
---- a/src/pkcs15init/pkcs15-epass2003.c
-+++ b/src/pkcs15init/pkcs15-epass2003.c
-@@ -312,6 +312,16 @@ cosm_new_file(struct sc_profile *profile, struct sc_card *card,
- 		 num);
- 	while (1) {
- 		switch (type) {
-+		case SC_PKCS15_TYPE_PRKEY_EC:
-+			desc = "RSA private key";
-+			_template = "private-key";
-+			structure = SC_CARDCTL_OBERTHUR_KEY_EC_CRT;
-+			break;
-+		case SC_PKCS15_TYPE_PUBKEY_EC:
-+			desc = "RSA public key";
-+			_template = "public-key";
-+			structure = SC_CARDCTL_OBERTHUR_KEY_EC_PUBLIC;
-+			break;
- 		case SC_PKCS15_TYPE_PRKEY_RSA:
- 			desc = "RSA private key";
- 			_template = "private-key";
-@@ -497,11 +507,14 @@ static int epass2003_pkcs15_generate_key(struct sc_profile *profile,
- 
- 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
- 
--	if (obj->type != SC_PKCS15_TYPE_PRKEY_RSA)
-+	if (obj->type != SC_PKCS15_TYPE_PRKEY_RSA && obj->type != SC_PKCS15_TYPE_PRKEY_EC)
- 		return SC_ERROR_NOT_SUPPORTED;
- 
-+	if(obj->type == SC_PKCS15_TYPE_PRKEY_EC && keybits == 0)
-+		keybits = 256; 	//EC key length is 256 ...
-+
- 	/* allocate key object */
--	r = cosm_new_file(profile, card, SC_PKCS15_TYPE_PRKEY_RSA, idx, &file);
-+	r = cosm_new_file(profile, card, obj->type, idx, &file); //replace SC_PKCS15_TYPE_PRKEY_RSA with obj->type
- 	SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_NORMAL, r,
- 		    "create key: failed to allocate new key object");
- 	file->size = keybits;
-@@ -525,11 +538,18 @@ static int epass2003_pkcs15_generate_key(struct sc_profile *profile,
- 		 "index %"SC_FORMAT_LEN_SIZE_T"u; keybits %"SC_FORMAT_LEN_SIZE_T"u\n",
- 		 idx, keybits);
- 	if (keybits < 1024 || keybits > 2048 || (keybits % 0x20)) {
--		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
--			 "Unsupported key size %"SC_FORMAT_LEN_SIZE_T"u\n",
--			 keybits);
--		r = SC_ERROR_INVALID_ARGUMENTS;
--		goto err;
-+		if(obj->type == SC_PKCS15_TYPE_PRKEY_EC && keybits == 256)
-+		{
-+			sc_log(card->ctx, "current Alg is EC,Only support 256 ..\n");
-+		}
-+		else
-+		{
-+			sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
-+				 "Unsupported key size %"SC_FORMAT_LEN_SIZE_T"u\n",
-+				 keybits);
-+			r = SC_ERROR_INVALID_ARGUMENTS;
-+			goto err;
-+		}
- 	}
- 
- 	path = key_info->path;
-@@ -549,12 +569,23 @@ static int epass2003_pkcs15_generate_key(struct sc_profile *profile,
- 	SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_NORMAL, r,
- 		    "generate key: pkcs15init_authenticate(SC_AC_OP_CREATE) failed");
- 
--	if ((r = cosm_new_file(profile, card, SC_PKCS15_TYPE_PUBKEY_RSA, idx,
--			       &pukf)) < 0) {
-+	if (obj->type != SC_PKCS15_TYPE_PRKEY_RSA )
-+	{
-+	
-+		r = cosm_new_file(profile, card, SC_PKCS15_TYPE_PUBKEY_EC, idx, &pukf);
-+	}
-+	else
-+	{
-+		
-+		r = cosm_new_file(profile, card, SC_PKCS15_TYPE_PUBKEY_RSA, idx, &pukf);
-+	}
-+
-+	if (r < 0) {
- 		sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
- 			 "generate key: create temporary pukf failed\n");
- 		goto err;
- 	}
-+
- 	pukf->size = keybits;
- 	pukf->id = pukf->path.value[pukf->path.len - 2] * 0x100
- 	    + pukf->path.value[pukf->path.len - 1];
-
diff --git a/opensc-0.17.0-infinite-loop.patch b/opensc-0.17.0-infinite-loop.patch
deleted file mode 100644
index 732314d..0000000
--- a/opensc-0.17.0-infinite-loop.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 645f678af24fc1e0f1559e0384f57f8fd35836b4 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 21 Jul 2017 11:30:47 +0200
-Subject: [PATCH 1/4] cac: Make the retransmitted APDU valid by restoring the
- resplen
-
----
- src/libopensc/card-cac.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
-index ed15ba0a8..47f9aaf0c 100644
---- a/src/libopensc/card-cac.c
-+++ b/src/libopensc/card-cac.c
-@@ -1106,6 +1106,7 @@ static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc
- 		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
- 		if (apdu.sw1 == 0x6A && apdu.sw2 == 0x86)   {
- 			apdu.p2 = 0x00;
-+			apdu.resplen = sizeof(buf);
- 			if (sc_transmit_apdu(card, &apdu) == SC_SUCCESS)
- 				r = sc_check_sw(card, apdu.sw1, apdu.sw2);
- 		}
-
-From a57407a5257b24edf313a4839c523a19cd8b0dc5 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 21 Jul 2017 13:09:14 +0200
-Subject: [PATCH 2/4] cac: Check SWs for all the APDUs and report the errors to
- underlying layers
-
----
- src/libopensc/card-cac.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
-index 47f9aaf0c..f3b64a33d 100644
---- a/src/libopensc/card-cac.c
-+++ b/src/libopensc/card-cac.c
-@@ -390,9 +390,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2,
- 		goto err;
- 	}
- 
--	if (apdu.sw1 == 0x61) {
--		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
--	}
-+	r = sc_check_sw(card, apdu.sw1, apdu.sw2);
- 
- 	if (r < 0) {
- 		sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Card returned error ");
-diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
---- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old	2017-12-19 10:39:08.662925868 +0100
-+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c	2017-12-19 10:39:58.665293224 +0100
-@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card
- 		if (r < 0) {
- 			goto fail;
- 		}
-+		if (len == 0) {
-+			r = SC_ERROR_FILE_NOT_FOUND;
-+			goto fail;
-+		}
- 	}
- 	*out_len = size;
- 	*out_buf = out;
diff --git a/opensc-0.17.0-piv-cardholder-name.patch b/opensc-0.17.0-piv-cardholder-name.patch
deleted file mode 100644
index e1c358e..0000000
--- a/opensc-0.17.0-piv-cardholder-name.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From bac1ced89dde5780ecb5014b3887e4fd81c7d81c Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 18 Aug 2017 13:49:57 +0200
-Subject: [PATCH 1/3] Use shorter PIN name for default PIN to accomodate Card
- Holder name in future
-
----
- src/libopensc/pkcs15-piv.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
-index d38d7ba73..7f9015dcc 100644
---- a/src/libopensc/pkcs15-piv.c
-+++ b/src/libopensc/pkcs15-piv.c
-@@ -359,7 +359,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
- 	};
- 
- 	static const pindata pins[] = {
--		{ "01", "PIV Card Holder pin", "", 0x80,
-+		{ "01", "PIN", "", 0x80,
- 		  /* label, flag  and ref will change if using global pin */
- 		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
- 		  8, 4, 8, 
-@@ -932,7 +932,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
- 			pin_info.attrs.pin.reference = pin_ref;
- 			pin_info.attrs.pin.flags &= ~SC_PKCS15_PIN_FLAG_LOCAL;
- 			label = "Global PIN";
--		} 
-+		}
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
- 		strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
- 		pin_obj.flags = pins[i].obj_flags;
-
-From 74b070128c27e24aa67db041a049a9eee5dddcd6 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Fri, 18 Aug 2017 14:18:00 +0200
-Subject: [PATCH 2/3] Get cardholder name from the first certificate
-
----
- src/libopensc/pkcs15-piv.c | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
-index 7f9015dcc..6f3c9199d 100644
---- a/src/libopensc/pkcs15-piv.c
-+++ b/src/libopensc/pkcs15-piv.c
-@@ -613,7 +613,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
- 	char buf[SC_MAX_SERIALNR * 2 + 1];
- 	common_key_info ckis[PIV_NUM_CERTS_AND_KEYS];
- 	int follows_nist_fascn = 0;
--
-+	char *token_name = NULL;
- 
- 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
- 
-@@ -765,6 +765,30 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
- 				sc_pkcs15_free_certificate(cert_out);
- 			continue;
- 		}
-+
-+		/* set the token name to the name of the CN of the first certificate */
-+		if (!token_name) {
-+			u8 * cn_name = NULL;
-+			size_t cn_len = 0;
-+			static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
-+			r = sc_pkcs15_get_name_from_dn(card->ctx, cert_out->subject,
-+				cert_out->subject_len, &cn_oid, &cn_name, &cn_len);
-+			if (r == SC_SUCCESS) {
-+				token_name = malloc (cn_len+1);
-+				if (!token_name) {
-+					sc_pkcs15_free_certificate(cert_out);
-+					free(cn_name);
-+					SC_FUNC_RETURN(card->ctx,
-+						SC_ERROR_OUT_OF_MEMORY, r);
-+				}
-+				memcpy(token_name, cn_name, cn_len);
-+				free(cn_name);
-+				token_name[cn_len] = 0;
-+				free(p15card->tokeninfo->label);
-+				p15card->tokeninfo->label = token_name;
-+			}
-+		}
-+
- 		/* 
- 		 * get keyUsage if present save in ckis[i]
- 		 * Will only use it if this in a non FED issued card
-
-From 78c2b7b970a8c2d841552926a7f4c386c31abeb8 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 21 Aug 2017 13:43:08 +0200
-Subject: [PATCH 3/3] Do not add non-informative PIN to the token label
-
----
- src/pkcs11/framework-pkcs15.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
-index 5b3cb32e5..8ded1125b 100644
---- a/src/pkcs11/framework-pkcs15.c
-+++ b/src/pkcs11/framework-pkcs15.c
-@@ -1024,6 +1024,7 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
- 	struct sc_pkcs15_auth_info *pin_info = NULL;
- 	char label[64];
- 
-+	sc_log(context, "Called");
- 	pkcs15_init_token_info(p15card, &slot->token_info);
- 	slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
- 	if (auth != NULL)
-@@ -1048,9 +1049,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
- 			pin_info = NULL;
- 		}
- 		else   {
--			if (auth->label[0])
-+			if (auth->label[0] && strncmp(auth->label, "PIN", 4) != 0)
- 				snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);
- 			else
-+				/* The PIN label is empty or says just non-useful "PIN" */
- 				snprintf(label, sizeof(label), "%s", p15card->tokeninfo->label);
- 			slot->token_info.flags |= CKF_LOGIN_REQUIRED;
- 		}
-
diff --git a/opensc-0.17.0-simpletlv.patch b/opensc-0.17.0-simpletlv.patch
deleted file mode 100644
index 04d1e7f..0000000
--- a/opensc-0.17.0-simpletlv.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit 602279acecb9aaff1154ac1e2993562741a57281
-Author: Jakub Jelen <jjelen@redhat.com>
-Date:   Tue Jan 2 11:08:31 2018 +0100
-
-    Skip correctly two bytes after reading 2b size
-
-diff --git a/src/libopensc/simpletlv.c b/src/libopensc/simpletlv.c
-index f526a1cd..ab0401b5 100644
---- a/src/libopensc/simpletlv.c
-+++ b/src/libopensc/simpletlv.c
-@@ -90,8 +90,9 @@ sc_simpletlv_read_tag(u8 **buf, size_t buflen, u8 *tag_out, size_t *taglen)
- 			*taglen = 0;
- 			return SC_ERROR_INVALID_ARGUMENTS;
- 		}
-+		/* skip two bytes (the size) */
- 		len = lebytes2ushort(p);
--		p++;
-+		p+=2;
- 	}
- 	*taglen = len;
- 	*buf = p;
diff --git a/opensc-coolkey.patch b/opensc-coolkey.patch
deleted file mode 100644
index 6b493de..0000000
--- a/opensc-coolkey.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c
-index 5064a0f..d93875a 100644
---- a/src/libopensc/pkcs15-coolkey.c
-+++ b/src/libopensc/pkcs15-coolkey.c
-@@ -484,7 +484,7 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
- 	sc_card_t *card = p15card->card;
- 	sc_serial_number_t serial;
- 	int count;
--
-+	struct sc_pkcs15_object *obj;
- 
- 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
- 
-@@ -558,6 +558,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card)
- 
- 
- 		memset(&obj_obj, 0, sizeof(obj_obj));
-+		/* coolkey applets have label only on the certificates,
-+		 * but we should copy it also to the keys maching the same ID */
- 		coolkey_get_attribute_bytes(card, &coolkey_obj, CKA_LABEL, (u8 *)obj_obj.label, &len, sizeof(obj_obj.label));
- 		coolkey_get_flags(card, &coolkey_obj, &obj_obj.flags);
- 		if (obj_obj.flags & SC_PKCS15_CO_FLAG_PRIVATE) {
-@@ -677,6 +679,36 @@ fail:
- 	}
- 	r = (card->ops->card_ctl)(card, SC_CARDCTL_COOLKEY_FINAL_GET_OBJECTS, &count);
- 
-+	/* Iterate over all the objects again and fill missing labels */
-+	for (obj = p15card->obj_list; obj != NULL; obj = obj->next) {
-+		struct sc_pkcs15_id *id = NULL;
-+		struct sc_pkcs15_object *cert_object;
-+
-+		sc_log(card->ctx, "Object with label %s", obj->label);
-+		if (obj->label[0] != '\0')
-+			/* label already filled -- do not overwrite */
-+			continue;
-+
-+		switch (obj->type & SC_PKCS15_TYPE_CLASS_MASK) {
-+		case SC_PKCS15_TYPE_PUBKEY:
-+			id = &((struct sc_pkcs15_pubkey_info *)obj->data)->id;
-+			break;
-+		case SC_PKCS15_TYPE_PRKEY:
-+			id = &((struct sc_pkcs15_prkey_info *)obj->data)->id;
-+			break;
-+		default:
-+			/* We do not care about other objects */
-+			continue;
-+		}
-+		sc_log(card->ctx, "Object ID is %s", id->value);
-+		r = sc_pkcs15_find_cert_by_id(p15card, id, &cert_object);
-+		if (r != 0)
-+			continue;
-+
-+		sc_log(card->ctx, "Found cert with with label %s", cert_object->label);
-+		memcpy(obj->label, cert_object->label, SC_PKCS15_MAX_LABEL_SIZE);
-+	}
-+
- 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
- }
- 
diff --git a/opensc-estonia.patch b/opensc-estonia.patch
deleted file mode 100644
index c22c5ce..0000000
--- a/opensc-estonia.patch
+++ /dev/null
@@ -1,475 +0,0 @@
-From cb73a14bd7ec1947871dd719536002cc4d8dc90b Mon Sep 17 00:00:00 2001
-From: Raul Metsma <raul@metsma.ee>
-Date: Fri, 27 Oct 2017 20:51:33 +0300
-Subject: [PATCH 1/5] EstEID ECDSA token support (#1158)
-
----
- src/libopensc/card-mcrd.c     | 10 ++++++---
- src/libopensc/pkcs15-esteid.c | 47 +++++++++++++++++++++++++------------------
- 2 files changed, 34 insertions(+), 23 deletions(-)
-
-diff --git a/src/libopensc/card-mcrd.c b/src/libopensc/card-mcrd.c
-index cbba3fdfa..28f8abfad 100644
---- a/src/libopensc/card-mcrd.c
-+++ b/src/libopensc/card-mcrd.c
-@@ -304,7 +304,7 @@ static int mcrd_match_card(sc_card_t * card)
- 
- static int mcrd_init(sc_card_t * card)
- {
--	unsigned long flags;
-+	unsigned long flags, ext_flags;
- 	struct mcrd_priv_data *priv;
- 	int r;
- 	sc_path_t tmppath;
-@@ -329,6 +329,10 @@ static int mcrd_init(sc_card_t * card)
- 			flags = SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_RSA_HASH_SHA1 | SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA256;
- 			/* EstEID v3.0 has 2048 bit keys */
- 			_sc_card_add_rsa_alg(card, 2048, flags, 0);
-+
-+			flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ECDSA_HASH_NONE;
-+			ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
-+			_sc_card_add_ec_alg(card, 384, flags, ext_flags, NULL);
- 			sc_reset(card, 0);
- 
- 			sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xA4, 0x04, 0x00);
-@@ -1188,7 +1192,7 @@ static int mcrd_set_security_env(sc_card_t * card,
- 	if (is_esteid_card(card)) {
- 		/* some sanity checks */
- 		if (env->flags & SC_SEC_ENV_ALG_PRESENT) {
--			if (env->algorithm != SC_ALGORITHM_RSA)
-+			if (env->algorithm != SC_ALGORITHM_RSA && env->algorithm != SC_ALGORITHM_EC)
- 				return SC_ERROR_INVALID_ARGUMENTS;
- 		}
- 		if (!(env->flags & SC_SEC_ENV_KEY_REF_PRESENT)
-@@ -1375,7 +1379,7 @@ static int mcrd_compute_signature(sc_card_t * card,
- 	apdu.lc = datalen;
- 	apdu.data = data;
- 	apdu.datalen = datalen;
--	apdu.le = 0x80;
-+	apdu.le = MIN(0x80u, outlen);
- 	apdu.resp = out;
- 	apdu.resplen = outlen;
- 
-diff --git a/src/libopensc/pkcs15-esteid.c b/src/libopensc/pkcs15-esteid.c
-index 361b2525a..a4655b7f7 100644
---- a/src/libopensc/pkcs15-esteid.c
-+++ b/src/libopensc/pkcs15-esteid.c
-@@ -33,6 +33,7 @@
- #include "common/compat_strlcat.h"
- 
- #include "internal.h"
-+#include "opensc.h"
- #include "pkcs15.h"
- #include "esteid.h"
- 
-@@ -64,6 +65,7 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 	sc_card_t *card = p15card->card;
- 	unsigned char buff[128];
- 	int r, i;
-+	size_t field_length = 0, modulus_length = 0;
- 	sc_path_t tmppath;
- 
- 	set_string (&p15card->tokeninfo->label, "ID-kaart");
-@@ -74,7 +76,7 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 	r = sc_select_file (card, &tmppath, NULL);
- 	SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "select esteid PD failed");
- 
--	/* read the serial (document number) */	
-+	/* read the serial (document number) */
- 	r = sc_read_record (card, SC_ESTEID_PD_DOCUMENT_NR, buff, sizeof(buff), SC_RECORD_BY_REC_NR);
- 	SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "read document number failed");
- 	buff[r] = '\0';
-@@ -93,10 +95,10 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 			"3f00eeeeaace",
- 			"3f00eeeeddce"};
- 		static int esteid_cert_ids[2] = {1, 2};
--			
-+
- 		struct sc_pkcs15_cert_info cert_info;
- 		struct sc_pkcs15_object cert_obj;
--		
-+
- 		memset(&cert_info, 0, sizeof(cert_info));
- 		memset(&cert_obj, 0, sizeof(cert_obj));
- 
-@@ -110,6 +112,10 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 		if (i == 0) {
- 			sc_pkcs15_cert_t *cert;
- 			r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert);
-+			if (cert->key->algorithm == SC_ALGORITHM_EC)
-+				field_length = cert->key->u.ec.params.field_length;
-+			else
-+				modulus_length = cert->key->u.rsa.modulus.len * 8;
- 			if (r == SC_SUCCESS) {
- 				static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
- 				u8 *cn_name = NULL;
-@@ -155,16 +161,16 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 
- 		memset(&pin_info, 0, sizeof(pin_info));
- 		memset(&pin_obj, 0, sizeof(pin_obj));
--		
-+
- 		/* read the number of tries left for the PIN */
- 		r = sc_read_record (card, i + 1, buff, sizeof(buff), SC_RECORD_BY_REC_NR);
- 		if (r < 0)
- 			return SC_ERROR_INTERNAL;
- 		tries_left = buff[5];
--		
-+
- 		pin_info.auth_id.len = 1;
- 		pin_info.auth_id.value[0] = esteid_pin_authid[i];
--		pin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;	
-+		pin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;
- 		pin_info.attrs.pin.reference = esteid_pin_ref[i];
- 		pin_info.attrs.pin.flags = esteid_pin_flags[i];
- 		pin_info.attrs.pin.type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC;
-@@ -188,16 +194,11 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 		if (r < 0)
- 			return SC_ERROR_INTERNAL;
- 	}
--	
-+
- 	/* add private keys */
- 	for (i = 0; i < 2; i++) {
- 		static int prkey_pin[2] = {1, 2};
--		static int prkey_usage[2] = {
--			SC_PKCS15_PRKEY_USAGE_ENCRYPT
--			| SC_PKCS15_PRKEY_USAGE_DECRYPT
--			| SC_PKCS15_PRKEY_USAGE_SIGN,
--			SC_PKCS15_PRKEY_USAGE_NONREPUDIATION};
--			
-+
- 		static const char *prkey_name[2] = {
- 			"Isikutuvastus",
- 			"Allkirjastamine"};
-@@ -207,16 +208,19 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 
- 		memset(&prkey_info, 0, sizeof(prkey_info));
- 		memset(&prkey_obj, 0, sizeof(prkey_obj));
--		
-+
- 		prkey_info.id.len = 1;
- 		prkey_info.id.value[0] = prkey_pin[i];
--		prkey_info.usage  = prkey_usage[i];
- 		prkey_info.native = 1;
- 		prkey_info.key_reference = i + 1;
--		if (card->type == SC_CARD_TYPE_MCRD_ESTEID_V30)
--			prkey_info.modulus_length = 2048;
-+		prkey_info.field_length = field_length;
-+		prkey_info.modulus_length = modulus_length;
-+		if (i == 1)
-+			prkey_info.usage = SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
-+		else if(field_length > 0) // ECC has only sign usage
-+			prkey_info.usage = SC_PKCS15_PRKEY_USAGE_SIGN;
- 		else
--			prkey_info.modulus_length = 1024;	
-+			prkey_info.usage = SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_DECRYPT;
- 
- 		strlcpy(prkey_obj.label, prkey_name[i], sizeof(prkey_obj.label));
- 		prkey_obj.auth_id.len = 1;
-@@ -224,7 +228,10 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 		prkey_obj.user_consent = 0;
- 		prkey_obj.flags = SC_PKCS15_CO_FLAG_PRIVATE;
- 
--		r = sc_pkcs15emu_add_rsa_prkey(p15card, &prkey_obj, &prkey_info);
-+		if(field_length > 0)
-+			r = sc_pkcs15emu_add_ec_prkey(p15card, &prkey_obj, &prkey_info);
-+		else
-+			r = sc_pkcs15emu_add_rsa_prkey(p15card, &prkey_obj, &prkey_info);
- 		if (r < 0)
- 			return SC_ERROR_INTERNAL;
- 	}
-@@ -236,7 +243,7 @@ static int esteid_detect_card(sc_pkcs15_card_t *p15card)
- {
- 	if (is_esteid_card(p15card->card))
- 		return SC_SUCCESS;
--	else		
-+	else
- 		return SC_ERROR_WRONG_CARD;
- }
- 
-
-From bea03e86d385a7d1ec58f42a501a5c2d471357d1 Mon Sep 17 00:00:00 2001
-From: Raul Metsma <raul@metsma.ee>
-Date: Wed, 8 Nov 2017 14:24:18 +0200
-Subject: [PATCH 2/5] Fix crash when certificate read failed (#1189)
-
-Fixes https://github.com/OpenSC/OpenSC/issues/1176
----
- src/libopensc/pkcs15-esteid.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/libopensc/pkcs15-esteid.c b/src/libopensc/pkcs15-esteid.c
-index a4655b7f7..a5f9af8b2 100644
---- a/src/libopensc/pkcs15-esteid.c
-+++ b/src/libopensc/pkcs15-esteid.c
-@@ -110,8 +110,10 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 		if (r < 0)
- 			return SC_ERROR_INTERNAL;
- 		if (i == 0) {
--			sc_pkcs15_cert_t *cert;
-+			sc_pkcs15_cert_t *cert = NULL;
- 			r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert);
-+			if (r < 0)
-+				return SC_ERROR_INTERNAL;
- 			if (cert->key->algorithm == SC_ALGORITHM_EC)
- 				field_length = cert->key->u.ec.params.field_length;
- 			else
-
-From da05d83a0d3a97eea8f33d5566c60798acc137fc Mon Sep 17 00:00:00 2001
-From: Raul Metsma <raul@metsma.ee>
-Date: Fri, 10 Nov 2017 09:58:31 +0200
-Subject: [PATCH 3/5] EstEID ECDH token support (#1185)
-
----
- src/libopensc/card-mcrd.c     | 89 ++++++++++++++++++++++++++++++++++++++++---
- src/libopensc/pkcs15-esteid.c |  4 +-
- 2 files changed, 86 insertions(+), 7 deletions(-)
-
-diff --git a/src/libopensc/card-mcrd.c b/src/libopensc/card-mcrd.c
-index 28f8abfad..085d02965 100644
---- a/src/libopensc/card-mcrd.c
-+++ b/src/libopensc/card-mcrd.c
-@@ -59,9 +59,9 @@ static struct sc_atr_table mcrd_atrs[] = {
- 	{NULL, NULL, NULL, 0, 0, NULL}
- };
- 
--static unsigned char EstEID_v3_AID[] = {0xF0, 0x45, 0x73, 0x74, 0x45, 0x49, 0x44, 0x20, 0x76, 0x65, 0x72, 0x20, 0x31, 0x2E, 0x30};
--static unsigned char EstEID_v35_AID[] = {0xD2, 0x33, 0x00, 0x00, 0x00, 0x45, 0x73, 0x74, 0x45, 0x49, 0x44, 0x20, 0x76, 0x33, 0x35};
--static unsigned char AzeDIT_v35_AID[] = {0xD0, 0x31, 0x00, 0x00, 0x00, 0x44, 0x69, 0x67, 0x69, 0x49, 0x44};
-+static const unsigned char EstEID_v3_AID[] = {0xF0, 0x45, 0x73, 0x74, 0x45, 0x49, 0x44, 0x20, 0x76, 0x65, 0x72, 0x20, 0x31, 0x2E, 0x30};
-+static const unsigned char EstEID_v35_AID[] = {0xD2, 0x33, 0x00, 0x00, 0x00, 0x45, 0x73, 0x74, 0x45, 0x49, 0x44, 0x20, 0x76, 0x33, 0x35};
-+static const unsigned char AzeDIT_v35_AID[] = {0xD0, 0x31, 0x00, 0x00, 0x00, 0x44, 0x69, 0x67, 0x69, 0x49, 0x44};
- 
- static struct sc_card_operations mcrd_ops;
- static struct sc_card_driver mcrd_drv = {
-@@ -119,6 +119,24 @@ struct mcrd_priv_data {
- 
- #define DRVDATA(card)        ((struct mcrd_priv_data *) ((card)->drv_data))
- 
-+// Control Reference Template Tag for Key Agreement (ISO 7816-4:2013 Table 54)
-+static const struct sc_asn1_entry c_asn1_control[] = {
-+	{ "control", SC_ASN1_STRUCT, SC_ASN1_CONS | SC_ASN1_CTX | 0xA6, 0, NULL, NULL },
-+	{ NULL, 0, 0, 0, NULL, NULL }
-+};
-+
-+// Ephemeral public key Template Tag (ISO 7816-8:2016 Table 3)
-+static const struct sc_asn1_entry c_asn1_ephermal[] = {
-+	{ "ephemeral", SC_ASN1_STRUCT, SC_ASN1_CONS | SC_ASN1_APP | 0x7F49, 0, NULL, NULL },
-+	{ NULL, 0, 0, 0, NULL, NULL }
-+};
-+
-+// External Public Key
-+static const struct sc_asn1_entry c_asn1_public[] = {
-+	{ "publicKey", SC_ASN1_OCTET_STRING, SC_ASN1_CTX | 0x86, 0, NULL, NULL },
-+	{ NULL, 0, 0, 0, NULL, NULL }
-+};
-+
- static int load_special_files(sc_card_t * card);
- static int select_part(sc_card_t * card, u8 kind, unsigned short int fid,
- 		       sc_file_t ** file);
-@@ -1208,6 +1226,7 @@ static int mcrd_set_security_env(sc_card_t * card,
- 		select_esteid_df(card);
- 		switch (env->operation) {
- 		case SC_SEC_OPERATION_DECIPHER:
-+		case SC_SEC_OPERATION_DERIVE:
- 			sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
- 				 "Using keyref %d to dechiper\n",
- 				 env->key_ref[0]);
-@@ -1351,11 +1370,14 @@ static int mcrd_compute_signature(sc_card_t * card,
- 				  u8 * out, size_t outlen)
- {
- 	struct mcrd_priv_data *priv = DRVDATA(card);
--	sc_security_env_t *env = &priv->sec_env;
-+	sc_security_env_t *env = NULL;
- 	int r;
- 	sc_apdu_t apdu;
- 
--	assert(card != NULL && data != NULL && out != NULL);
-+	if (card == NULL || data == NULL || out == NULL)
-+		return SC_ERROR_INVALID_ARGUMENTS;
-+	env = &priv->sec_env;
-+
- 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
- 	if (env->operation != SC_SEC_OPERATION_SIGN)
- 		return SC_ERROR_INVALID_ARGUMENTS;
-@@ -1391,6 +1413,62 @@ static int mcrd_compute_signature(sc_card_t * card,
- 	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, apdu.resplen);
- }
- 
-+static int mcrd_decipher(struct sc_card *card,
-+						 const u8 * crgram, size_t crgram_len,
-+						 u8 * out, size_t outlen)
-+{
-+	sc_security_env_t *env = NULL;
-+	int r = 0;
-+	size_t sbuf_len = 0;
-+	sc_apdu_t apdu;
-+	u8 *sbuf = NULL;
-+	struct sc_asn1_entry asn1_control[2], asn1_ephermal[2], asn1_public[2];
-+
-+	if (card == NULL || crgram == NULL || out == NULL)
-+		return SC_ERROR_INVALID_ARGUMENTS;
-+	env = &DRVDATA(card)->sec_env;
-+
-+	LOG_FUNC_CALLED(card->ctx);
-+	if (env->operation != SC_SEC_OPERATION_DERIVE)
-+		SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, iso_ops->decipher(card, crgram, crgram_len, out, outlen));
-+	if (crgram_len > 255)
-+		SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);
-+
-+	sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
-+		 "Will dervie (%d) for %"SC_FORMAT_LEN_SIZE_T"u (0x%02"SC_FORMAT_LEN_SIZE_T"x) bytes using key %d algorithm %d flags %d\n",
-+		 env->operation, crgram_len, crgram_len, env->key_ref[0],
-+		 env->algorithm, env->algorithm_flags);
-+
-+	// Encode TLV
-+	sc_copy_asn1_entry(c_asn1_control, asn1_control);
-+	sc_copy_asn1_entry(c_asn1_ephermal, asn1_ephermal);
-+	sc_copy_asn1_entry(c_asn1_public, asn1_public);
-+	sc_format_asn1_entry(asn1_public + 0, (void*)crgram, &crgram_len, 1);
-+	sc_format_asn1_entry(asn1_ephermal + 0, &asn1_public, NULL, 1);
-+	sc_format_asn1_entry(asn1_control + 0, &asn1_ephermal, NULL, 1);
-+	r = sc_asn1_encode(card->ctx, asn1_control, &sbuf, &sbuf_len);
-+	LOG_TEST_RET(card->ctx, r, "Error encoding TLV.");
-+
-+	// Create APDU
-+	sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x80, 0x86);
-+	apdu.lc = sbuf_len;
-+	apdu.data = sbuf;
-+	apdu.datalen = sbuf_len;
-+	apdu.le = MIN(0x80u, outlen);
-+	apdu.resp = out;
-+	apdu.resplen = outlen;
-+
-+	r = sc_transmit_apdu(card, &apdu);
-+	sc_mem_clear(sbuf, sbuf_len);
-+	free(sbuf);
-+	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
-+
-+	r = sc_check_sw(card, apdu.sw1, apdu.sw2);
-+	LOG_TEST_RET(card->ctx, r, "Card returned error");
-+
-+	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, apdu.resplen);
-+}
-+
- /* added by -mp, to give pin information in the card driver (pkcs15emu->driver needed) */
- static int mcrd_pin_cmd(sc_card_t * card, struct sc_pin_cmd_data *data,
- 			int *tries_left)
-@@ -1454,6 +1532,7 @@ static struct sc_card_driver *sc_get_driver(void)
- 	mcrd_ops.select_file = mcrd_select_file;
- 	mcrd_ops.set_security_env = mcrd_set_security_env;
- 	mcrd_ops.compute_signature = mcrd_compute_signature;
-+	mcrd_ops.decipher = mcrd_decipher;
- 	mcrd_ops.pin_cmd = mcrd_pin_cmd;
- 
- 	return &mcrd_drv;
-diff --git a/src/libopensc/pkcs15-esteid.c b/src/libopensc/pkcs15-esteid.c
-index a5f9af8b2..b3cf5178f 100644
---- a/src/libopensc/pkcs15-esteid.c
-+++ b/src/libopensc/pkcs15-esteid.c
-@@ -219,8 +219,8 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
- 		prkey_info.modulus_length = modulus_length;
- 		if (i == 1)
- 			prkey_info.usage = SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
--		else if(field_length > 0) // ECC has only sign usage
--			prkey_info.usage = SC_PKCS15_PRKEY_USAGE_SIGN;
-+		else if(field_length > 0) // ECC has sign and derive usage
-+			prkey_info.usage = SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_DERIVE;
- 		else
- 			prkey_info.usage = SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_DECRYPT;
- 
-
-From 3b33bf0e11253302ae48c2a3027b114162b92472 Mon Sep 17 00:00:00 2001
-From: Raul Metsma <raul@metsma.ee>
-Date: Thu, 9 Nov 2017 14:42:30 +0200
-Subject: [PATCH 4/5] Cleanup expired EstEID card ATR-s
-
-Signed-off-by: Raul Metsma <raul@metsma.ee>
----
- etc/opensc.conf.in | 24 +-----------------------
- 1 file changed, 1 insertion(+), 23 deletions(-)
-
-diff --git a/etc/opensc.conf.in b/etc/opensc.conf.in
-index 63abba9bf..2bbbe624c 100644
---- a/etc/opensc.conf.in
-+++ b/etc/opensc.conf.in
-@@ -309,33 +309,11 @@ app default {
- 		# driver = "piv";
- 	# }
- 
--	# Estonian ID card and Micardo driver sometimes only play together with T=0
-+	# Micardo driver sometimes only play together with T=0
- 	# In theory only the 'cold' ATR should be specified, as T=0 will
- 	# be the preferred protocol once you boot it up with T=0, but be
- 	# paranoid.
- 	#
--	# Warm ATR v1
--	card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
--		force_protocol = t0;
--	}
--	# Cold ATR v1
--	card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
--		force_protocol = t0;
--	}
--	# Warm ATR v2
--	card_atr 3b:5e:11:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
--		force_protocol = t0;
--	}
--	# Cold ATR v2
--	card_atr 3b:de:18:ff:c0:80:b1:fe:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:2b {
--		force_protocol = t0;
--	}
--	# Digi-ID cold ATR. The same card has the same warm ATR as "Cold ATR v1" above
--	# The card is claimed to only support T=0 but in fact (sometimes) works with T=1, even if not advertised in ATR.
--	card_atr 3b:6e:00:00:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
--		force_protocol = t0;
--	}
--
- 	# D-Trust cards are also based on micardo and need T=0 for some reason
- 	card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
- 		force_protocol = t0;
-
-From 1c28c1b56a28c38d24714f1377eebe87a0371421 Mon Sep 17 00:00:00 2001
-From: Raul Metsma <raul@metsma.ee>
-Date: Fri, 17 Nov 2017 11:46:34 +0200
-Subject: [PATCH 5/5] Fix reading EstEID certificates with T=0 (#1193)
-
----
- src/libopensc/card-mcrd.c | 21 +++++++++++++--------
- 1 file changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/src/libopensc/card-mcrd.c b/src/libopensc/card-mcrd.c
-index 085d02965..525717ce9 100644
---- a/src/libopensc/card-mcrd.c
-+++ b/src/libopensc/card-mcrd.c
-@@ -365,15 +365,20 @@ static int mcrd_init(sc_card_t * card)
- 			if(apdu.sw1 != 0x90 && apdu.sw2 != 0x00)
- 			{
- 				sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xA4, 0x04, 0x00);
--	                        apdu.lc = sizeof(EstEID_v35_AID);
--        	                apdu.data = EstEID_v35_AID;
--                	        apdu.datalen = sizeof(EstEID_v35_AID);
--                        	apdu.resplen = 0;
--	                        apdu.le = 0;
-+				apdu.lc = sizeof(EstEID_v35_AID);
-+				apdu.data = EstEID_v35_AID;
-+				apdu.datalen = sizeof(EstEID_v35_AID);
-+				apdu.resplen = 0;
-+				apdu.le = 0;
- 				r = sc_transmit_apdu(card, &apdu);
--	                        SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
--        	                sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "SELECT AID: %02X%02X", apdu.sw1, apdu.sw2);
--				if (apdu.sw1 != 0x90 && apdu.sw2 != 0x00) {
-+				SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
-+				sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "SELECT AID: %02X%02X", apdu.sw1, apdu.sw2);
-+				if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) {
-+					// Force EstEID 3.5 card recv size 255 with T=0 to avoid recursive read binary
-+					// sc_read_binary cannot handle recursive 61 00 calls
-+					if (card->reader && card->reader->active_protocol == SC_PROTO_T0)
-+						card->max_recv_size = 255;
-+				} else {
- 					sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xA4, 0x04, 0x00);
- 					apdu.lc = sizeof(AzeDIT_v35_AID);
- 					apdu.data = AzeDIT_v35_AID;
-
diff --git a/opensc.spec b/opensc.spec
index abd2eff..ed454fd 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -2,8 +2,8 @@
 %define nssdb %{_sysconfdir}/pki/nssdb
 
 Name:           opensc
-Version:        0.17.0
-Release:        10%{?dist}
+Version:        0.18.0
+Release:        1%{?dist}
 Summary:        Smart card library and applications
 
 Group:          System Environment/Libraries
@@ -12,22 +12,6 @@ URL:            https://github.com/OpenSC/OpenSC/wiki
 Source0:        https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source1:        opensc.module
 Source2:        pkcs11-switch.sh
-Patch0:         opensc-coolkey.patch
-# Allow functionality of new Estonia ID cards (#1519751)
-Patch1:         opensc-estonia.patch
-# Use Cardholder name in the token label (#1449740)
-Patch2:		opensc-0.17.0-piv-cardholder-name.patch
-# Avoid infinite loop when reading CAC cards (#1473335)
-Patch3:		opensc-0.17.0-infinite-loop.patch
-# Workaround for CAC Alt tokens (#1473418)
-Patch4:		opensc-0.17.0-cac-alt.patch
-# Properly parse multi-byte length (#1473418)
-Patch5:		opensc-0.17.0-simpletlv.patch
-# Make Feitian tokens working again (#1558099)
-# https://github.com/OpenSC/OpenSC/pull/1145
-Patch6:		opensc-0.17.0-feitian.patch
-# CloudHSM improvements (proper EC_POINT, specification of mechanisms)
-Patch7:		opensc-0.17.0-cloudhsm.patch
 
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
@@ -35,6 +19,7 @@ BuildRequires:  openssl-devel
 BuildRequires:  /usr/bin/xsltproc
 BuildRequires:  docbook-style-xsl
 BuildRequires:  autoconf automake libtool gcc
+BuildRequires:  desktop-file-utils
 Requires:       pcsc-lite-libs%{?_isa}
 Requires:	pcsc-lite
 Requires:	nss-tools
@@ -54,14 +39,6 @@ every software/card that does so, too.
 
 %prep
 %setup -q
-%patch0 -p1 -b .coolkey
-%patch1 -p1 -b .estonia
-%patch2 -p1 -b .piv
-%patch3 -p1 -b .infinite
-%patch4 -p1 -b .cac-alt
-%patch5 -p1 -b .simpletlv
-%patch6 -p1 -b .feitian
-%patch7 -p1 -b .cloudhsm
 
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .
@@ -109,6 +86,8 @@ rm -rf %{buildroot}%{_sysconfdir}/bash_completion.d/
 rm -rf %{buildroot}%{_bindir}/npa-tool
 rm -rf %{buildroot}%{_mandir}/man1/npa-tool.1*
 
+desktop-file-validate %{buildroot}/%{_datadir}/applications/org.opensc.notify.desktop
+
 %post
 /sbin/ldconfig
 isThere=`modutil -rawlist -dbdir %{nssdb} | grep %{opensc_module} || echo NO`
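Review bot: The added `desktop-file-validate` line joins `%{buildroot}` and `%{_datadir}` with an extra `/`, while the `rm -rf %{buildroot}%{_bindir}/npa-tool` lines just above it concatenate the macros directly. `%{_datadir}` already expands to an absolute path, so the result contains a doubled slash; this is harmless to the shell but inconsistent with the rest of the section. I would write `desktop-file-validate %{buildroot}%{_datadir}/applications/org.opensc.notify.desktop`. The %install section starts above this hunk and %post continues below it.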
@@ -152,6 +131,8 @@ fi
 %{_bindir}/openpgp-tool
 %{_bindir}/opensc-explorer
 %{_bindir}/opensc-tool
+%{_bindir}/opensc-asn1
+%{_bindir}/opensc-notify
 %{_bindir}/piv-tool
 %{_bindir}/pkcs11-tool
 %if 0%{?rhel} <= 7
@@ -163,6 +144,8 @@ fi
 %{_bindir}/sc-hsm-tool
 %{_bindir}/dnie-tool
 %{_bindir}/westcos-tool
+%{_bindir}/egk-tool
+%{_datadir}/applications/org.opensc.notify.desktop
 %{_libdir}/lib*.so.*
 %{_libdir}/opensc-pkcs11.so
 %{_libdir}/pkcs11-spy.so
@@ -182,6 +165,8 @@ fi
 %{_mandir}/man1/openpgp-tool.1*
 %{_mandir}/man1/opensc-explorer.*
 %{_mandir}/man1/opensc-tool.1*
+%{_mandir}/man1/opensc-asn1.1*
+%{_mandir}/man1/opensc-notify.1*
 %{_mandir}/man1/piv-tool.1*
 %{_mandir}/man1/pkcs11-tool.1*
 %{_mandir}/man1/pkcs15-crypt.1*
@@ -190,10 +175,14 @@ fi
 %{_mandir}/man1/sc-hsm-tool.1*
 %{_mandir}/man1/westcos-tool.1*
 %{_mandir}/man1/dnie-tool.1*
+%{_mandir}/man1/egk-tool.1*
 %{_mandir}/man5/*.5*
 
 
 %changelog
+* Thu May 17 2018 Jakub Jelen <jjelen@redhat.com> - 0.18.0-1
+- New upstream release (#1567503)
+
 * Wed Apr 04 2018 Jakub Jelen <jjelen@redhat.com> - 0.17.0-10
 - Install the PKCS#11 modules also to the new NSS DB
 - Drop the pkcs11-switch as the coolkey is gone
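Review bot: The new changelog entry says only `New upstream release (#1567503)`, but the same commit removes all eight downstream patches (Patch0 to Patch7) from the spec. Several of them carried bug references in their spec comments: the CAC infinite loop (#1473335), the CAC Alt workaround and multi-byte length parsing (#1473418), Feitian tokens (#1558099) and the Estonian ID card support (#1519751). Someone auditing whether those fixes are still shipped has nothing in the changelog to go on. I would add a second line such as `- Drop downstream patches, all included in 0.18.0`, after checking each one against the upstream tarball, which this diff does not show.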