rpms/opensc
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Pull the latest changes from RHEL

Browse Source
This commit is contained in:
Jakub Jelen 2018-02-21 10:42:34 +01:00
parent ac11dd7f30
commit 7a96654996
5 changed files with 423 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

204
opensc-0.17.0-cac-alt.patch Normal file
View File

@ -0,0 +1,204 @@
From 6dc118e1c3b89c50cda1998de1d62fa6fa666e60 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 3 Nov 2017 10:55:35 +0100
Subject: [PATCH 1/3] Enable CAC ALT token card operations
---
src/libopensc/card-cac.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index 82f5c7869..bc0a754a5 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -229,6 +229,12 @@ static int cac_add_object_to_list(list_t *list, const cac_object_t *object)
#define CAC_1_RID "\xA0\x00\x00\x00\x79"
#define CAC_1_CM_AID "\xA0\x00\x00\x00\x30\x00\00"
+static const sc_path_t cac_ACA_Path = {
+ "", 0,
+ 0,0,SC_PATH_TYPE_DF_NAME,
+ { CAC_TO_AID(CAC_1_RID "\x10\x00") }
+};
+
static const sc_path_t cac_CCC_Path = {
"", 0,
0,0,SC_PATH_TYPE_DF_NAME,
@@ -284,6 +290,8 @@ static const cac_object_t cac_1_objects[] = {
static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
+static int cac_select_ACA(sc_card_t *card);
+
/*
* use the object id to find our object info on the object in our CAC-1 list
*/
@@ -815,6 +823,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
return cac_final_iterator(&priv->general_list);
case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
+ /* select ACA to be able to verify PIN */
+ cac_select_ACA(card);
return cac_final_iterator(&priv->pki_list);
}
@@ -1157,6 +1167,12 @@ static int cac_select_CCC(sc_card_t *card)
return cac_select_file_by_type(card, &cac_CCC_Path, NULL, SC_CARD_TYPE_CAC_II);
}
+/* Select ACA in non-standard location */
+static int cac_select_ACA(sc_card_t *card)
+{
+ return cac_select_file_by_type(card, &cac_ACA_Path, NULL, SC_CARD_TYPE_CAC_II);
+}
+
static int cac_path_from_cardurl(sc_card_t *card, sc_path_t *path, cac_card_url_t *val, int len)
{
if (len < 10) {
@@ -1476,6 +1492,23 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
}
}
+ /* Even some ALT tokens can be missing CCC so we should try with ACA */
+ r = cac_select_ACA(card);
+ if (r == SC_SUCCESS) {
+ r = cac_find_first_pki_applet(card, &index);
+ if (r == SC_SUCCESS) {
+ priv = cac_new_private_data();
+ if (!priv)
+ return SC_ERROR_OUT_OF_MEMORY;
+ r = cac_populate_cac_1(card, index, priv);
+ if (r == SC_SUCCESS) {
+ card->type = SC_CARD_TYPE_CAC_II;
+ card->drv_data = priv;
+ return r;
+ }
+ }
+ }
+
/* is this a CAC-1 specified in DoD "CAC Applet Developer Guide" version 1.0 September 2002 */
r = cac_find_first_pki_applet(card, &index);
if (r == SC_SUCCESS) {
From 68c52640a3eff078243fd2db627cf2d12fdd37de Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 6 Nov 2017 12:37:40 +0100
Subject: [PATCH 2/3] Add the ACA path to the PIN structure if we have one
---
src/libopensc/card-cac.c | 25 +++++++++++++++++++------
src/libopensc/cardctl.h | 1 +
src/libopensc/pkcs15-cac.c | 6 ++++++
3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index bc0a754a5..178150d35 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -169,6 +169,7 @@ typedef struct cac_private_data {
cac_object_t *pki_current; /* current pki object _ctl function */
list_t general_list; /* list of general containers */
cac_object_t *general_current; /* current object for _ctl function */
+ sc_path_t *aca_path; /* ACA path to be selected before pin verification */
} cac_private_data_t;
#define CAC_DATA(card) ((cac_private_data_t*)card->drv_data)
@@ -207,6 +208,7 @@ static void cac_free_private_data(cac_private_data_t *priv)
{
free(priv->cac_id);
free(priv->cache_buf);
+ free(priv->aca_path);
list_destroy(&priv->pki_list);
list_destroy(&priv->general_list);
free(priv);
@@ -289,9 +291,6 @@ static const cac_object_t cac_1_objects[] = {
static const int cac_1_object_count = sizeof(cac_1_objects)/sizeof(cac_1_objects[0]);
-
-static int cac_select_ACA(sc_card_t *card);
-
/*
* use the object id to find our object info on the object in our CAC-1 list
*/
@@ -793,11 +792,21 @@ static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* seri
if (priv->cac_id_len) {
serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR);
memcpy(serial->value, priv->cac_id, priv->cac_id_len);
- SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
}
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
}
+static int cac_get_ACA_path(sc_card_t *card, sc_path_t *path)
+{
+ cac_private_data_t * priv = CAC_DATA(card);
+
+ SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
+ if (priv->aca_path) {
+ *path = *priv->aca_path;
+ }
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+}
static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
{
@@ -810,6 +819,8 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
}
switch(cmd) {
+ case SC_CARDCTL_CAC_GET_ACA_PATH:
+ return cac_get_ACA_path(card, (sc_path_t *) ptr);
case SC_CARDCTL_GET_SERIALNR:
return cac_get_serial_nr_from_CUID(card, (sc_serial_number_t *) ptr);
case SC_CARDCTL_CAC_INIT_GET_GENERIC_OBJECTS:
@@ -823,8 +834,6 @@ static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS:
return cac_final_iterator(&priv->general_list);
case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS:
- /* select ACA to be able to verify PIN */
- cac_select_ACA(card);
return cac_final_iterator(&priv->pki_list);
}
@@ -1502,6 +1511,10 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
return SC_ERROR_OUT_OF_MEMORY;
r = cac_populate_cac_1(card, index, priv);
if (r == SC_SUCCESS) {
+ priv->aca_path = malloc(sizeof(sc_path_t));
+ if (!priv->aca_path)
+ return SC_ERROR_OUT_OF_MEMORY;
+ memcpy(priv->aca_path, &cac_ACA_Path, sizeof(sc_path_t));
card->type = SC_CARD_TYPE_CAC_II;
card->drv_data = priv;
return r;
diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h
index b647b0537..b610eacc7 100644
--- a/src/libopensc/cardctl.h
+++ b/src/libopensc/cardctl.h
@@ -220,6 +220,7 @@ enum {
SC_CARDCTL_CAC_INIT_GET_CERT_OBJECTS,
SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT,
SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS,
+ SC_CARDCTL_CAC_GET_ACA_PATH,
/*
* AuthentIC v3
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
index fd463a9b4..ff87a2345 100644
--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
@@ -250,6 +250,12 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card)
strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
pin_obj.flags = pins[i].obj_flags;
+ /* get the ACA path in case it needs to be selected before PIN verify */
+ r = sc_card_ctl(card, SC_CARDCTL_CAC_GET_ACA_PATH, &pin_info.path);
+ if (r < 0) {
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+ }
+
r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);
if (r < 0)
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);

62
opensc-0.17.0-infinite-loop.patch Normal file
View File

@ -0,0 +1,62 @@
From 645f678af24fc1e0f1559e0384f57f8fd35836b4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 21 Jul 2017 11:30:47 +0200
Subject: [PATCH 1/4] cac: Make the retransmitted APDU valid by restoring the
resplen
---
src/libopensc/card-cac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index ed15ba0a8..47f9aaf0c 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -1106,6 +1106,7 @@ static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
if (apdu.sw1 == 0x6A && apdu.sw2 == 0x86) {
apdu.p2 = 0x00;
+ apdu.resplen = sizeof(buf);
if (sc_transmit_apdu(card, &apdu) == SC_SUCCESS)
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
}
From a57407a5257b24edf313a4839c523a19cd8b0dc5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 21 Jul 2017 13:09:14 +0200
Subject: [PATCH 2/4] cac: Check SWs for all the APDUs and report the errors to
underlying layers
---
src/libopensc/card-cac.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index 47f9aaf0c..f3b64a33d 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -390,9 +390,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2,
goto err;
}
- if (apdu.sw1 == 0x61) {
- r = sc_check_sw(card, apdu.sw1, apdu.sw2);
- }
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Card returned error ");
diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old 2017-12-19 10:39:08.662925868 +0100
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c 2017-12-19 10:39:58.665293224 +0100
@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card
if (r < 0) {
goto fail;
}
+ if (len == 0) {
+ r = SC_ERROR_FILE_NOT_FOUND;
+ goto fail;
+ }
}
*out_len = size;
*out_buf = out;

121
opensc-0.17.0-piv-cardholder-name.patch Normal file
View File

@ -0,0 +1,121 @@
From bac1ced89dde5780ecb5014b3887e4fd81c7d81c Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 18 Aug 2017 13:49:57 +0200
Subject: [PATCH 1/3] Use shorter PIN name for default PIN to accomodate Card
Holder name in future
---
src/libopensc/pkcs15-piv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index d38d7ba73..7f9015dcc 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -359,7 +359,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
};
static const pindata pins[] = {
- { "01", "PIV Card Holder pin", "", 0x80,
+ { "01", "PIN", "", 0x80,
/* label, flag and ref will change if using global pin */
SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
8, 4, 8,
@@ -932,7 +932,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
pin_info.attrs.pin.reference = pin_ref;
pin_info.attrs.pin.flags &= ~SC_PKCS15_PIN_FLAG_LOCAL;
label = "Global PIN";
- }
+ }
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
strncpy(pin_obj.label, label, SC_PKCS15_MAX_LABEL_SIZE - 1);
pin_obj.flags = pins[i].obj_flags;
From 74b070128c27e24aa67db041a049a9eee5dddcd6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 18 Aug 2017 14:18:00 +0200
Subject: [PATCH 2/3] Get cardholder name from the first certificate
---
src/libopensc/pkcs15-piv.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index 7f9015dcc..6f3c9199d 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -613,7 +613,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
char buf[SC_MAX_SERIALNR * 2 + 1];
common_key_info ckis[PIV_NUM_CERTS_AND_KEYS];
int follows_nist_fascn = 0;
-
+ char *token_name = NULL;
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
@@ -765,6 +765,30 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
sc_pkcs15_free_certificate(cert_out);
continue;
}
+
+ /* set the token name to the name of the CN of the first certificate */
+ if (!token_name) {
+ u8 * cn_name = NULL;
+ size_t cn_len = 0;
+ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
+ r = sc_pkcs15_get_name_from_dn(card->ctx, cert_out->subject,
+ cert_out->subject_len, &cn_oid, &cn_name, &cn_len);
+ if (r == SC_SUCCESS) {
+ token_name = malloc (cn_len+1);
+ if (!token_name) {
+ sc_pkcs15_free_certificate(cert_out);
+ free(cn_name);
+ SC_FUNC_RETURN(card->ctx,
+ SC_ERROR_OUT_OF_MEMORY, r);
+ }
+ memcpy(token_name, cn_name, cn_len);
+ free(cn_name);
+ token_name[cn_len] = 0;
+ free(p15card->tokeninfo->label);
+ p15card->tokeninfo->label = token_name;
+ }
+ }
+
/*
* get keyUsage if present save in ckis[i]
* Will only use it if this in a non FED issued card
From 78c2b7b970a8c2d841552926a7f4c386c31abeb8 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 21 Aug 2017 13:43:08 +0200
Subject: [PATCH 3/3] Do not add non-informative PIN to the token label
---
src/pkcs11/framework-pkcs15.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 5b3cb32e5..8ded1125b 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -1024,6 +1024,7 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
struct sc_pkcs15_auth_info *pin_info = NULL;
char label[64];
+ sc_log(context, "Called");
pkcs15_init_token_info(p15card, &slot->token_info);
slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
if (auth != NULL)
@@ -1048,9 +1049,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
pin_info = NULL;
}
else {
- if (auth->label[0])
+ if (auth->label[0] && strncmp(auth->label, "PIN", 4) != 0)
snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);
else
+ /* The PIN label is empty or says just non-useful "PIN" */
snprintf(label, sizeof(label), "%s", p15card->tokeninfo->label);
slot->token_info.flags |= CKF_LOGIN_REQUIRED;
}

21
opensc-0.17.0-simpletlv.patch Normal file
View File

@ -0,0 +1,21 @@
commit 602279acecb9aaff1154ac1e2993562741a57281
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Jan 2 11:08:31 2018 +0100
Skip correctly two bytes after reading 2b size
diff --git a/src/libopensc/simpletlv.c b/src/libopensc/simpletlv.c
index f526a1cd..ab0401b5 100644
--- a/src/libopensc/simpletlv.c
+++ b/src/libopensc/simpletlv.c
@@ -90,8 +90,9 @@ sc_simpletlv_read_tag(u8 **buf, size_t buflen, u8 *tag_out, size_t *taglen)
*taglen = 0;
return SC_ERROR_INVALID_ARGUMENTS;
}
+ /* skip two bytes (the size) */
len = lebytes2ushort(p);
- p++;
+ p+=2;
}
*taglen = len;
*buf = p;

17
opensc.spec
View File

@ -13,7 +13,16 @@ Source0: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{
Source1: opensc.module
Source2: pkcs11-switch.sh
Patch0: opensc-coolkey.patch
# Allow functionality of new Estonia ID cards (#1519751)
Patch1: opensc-estonia.patch
# Use Cardholder name in the token label (#1449740)
Patch2: opensc-0.17.0-piv-cardholder-name.patch
# Avoid infinite loop when reading CAC cards (#1473335)
Patch3: opensc-0.17.0-infinite-loop.patch
# Workaround for CAC Alt tokens (#1473418)
Patch4: opensc-0.17.0-cac-alt.patch
# Properly parse multi-byte length (#1473418)
Patch5: opensc-0.17.0-simpletlv.patch
BuildRequires: pcsc-lite-devel
BuildRequires: readline-devel
@ -39,8 +48,12 @@ every software/card that does so, too.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch0 -p1 -b .coolkey
%patch1 -p1 -b .estonia
%patch2 -p1 -b .piv
%patch3 -p1 -b .infinite
%patch4 -p1 -b .cac-alt
%patch5 -p1 -b .simpletlv
cp -p src/pkcs15init/README ./README.pkcs15init
cp -p src/scconf/README.scconf .