From e6940db0ccc61ace9919b2161e49f5ed895ac8ab Mon Sep 17 00:00:00 2001 From: Veronika Hanulikova Date: Mon, 2 May 2022 15:31:40 +0200 Subject: [PATCH] Add support for itacns key length 2048 --- opensc-0.22.0-support-itacns-2048.patch | 227 ++++++++++++++++++++++++ opensc.spec | 3 + 2 files changed, 230 insertions(+) create mode 100644 opensc-0.22.0-support-itacns-2048.patch diff --git a/opensc-0.22.0-support-itacns-2048.patch b/opensc-0.22.0-support-itacns-2048.patch new file mode 100644 index 0000000..b420c87 --- /dev/null +++ b/opensc-0.22.0-support-itacns-2048.patch 
@@ -0,0 +1,227 @@ +From 24d6c30dcfec00c425360414b2b75336a42982e8 Mon Sep 17 00:00:00 2001 +From: 0xdebe +Date: Thu, 29 Jul 2021 17:13:01 +0200 +Subject: [PATCH 1/3] fix Key Lenght for ST2021 + +--- + src/libopensc/card-itacns.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/card-itacns.c b/src/libopensc/card-itacns.c +index bf085cafbc..52e144f194 100644 +--- a/src/libopensc/card-itacns.c ++++ b/src/libopensc/card-itacns.c +@@ -105,7 +105,7 @@ static int itacns_match_cns_card(sc_card_t *card, unsigned int i) + DRVDATA(card)->cns_version = atr[i]; + } + /* Warn if the version is not 1.0. */ +- if(atr[i] != 0x10) { ++ if(atr[i] != 0x10 && atr[i] != 0x11) { + char version[8]; + snprintf(version, sizeof(version), "%d.%d", (atr[i] >> 4) & 0x0f, atr[i] & 0x0f); + sc_log(card->ctx, "CNS card version %s; no official specifications " +@@ -219,8 +219,13 @@ static int itacns_init(sc_card_t *card) + | SC_ALGORITHM_RSA_RAW + | SC_ALGORITHM_RSA_HASHES + ; ++ + _sc_card_add_rsa_alg(card, 1024, flags, 0); + ++ if (DRVDATA(card)->cns_version == 0x11) { ++ card->caps |= SC_CARD_CAP_APDU_EXT; ++ _sc_card_add_rsa_alg(card, 2048, flags, 0); ++ } + return SC_SUCCESS; + } + + +From 9a38cd36c2823efb2b7615902e7cbef0534da1aa Mon Sep 17 00:00:00 2001 +From: 0xdebe +Date: Thu, 29 Jul 2021 17:13:16 +0200 +Subject: [PATCH 2/3] fix Modulus Lenght for ST2021 + +--- + src/libopensc/pkcs15-itacns.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-itacns.c b/src/libopensc/pkcs15-itacns.c +index 9c9b40a591..875b12276d 100644 +--- a/src/libopensc/pkcs15-itacns.c ++++ b/src/libopensc/pkcs15-itacns.c +@@ -283,7 +283,16 @@ static int itacns_add_pubkey(sc_pkcs15_card_t *p15card, + * This is hard-coded, unless unforeseen versions of the CNS + * turn up sometime. 
+ */ +- info.modulus_length = 1024; ++ ++ /* This is the unforseen version :D */ ++ if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { ++ info.modulus_length = 2048; ++ } ++ else { ++ info.modulus_length = 1024; ++ } ++ ++ + + *modulus_len_out = info.modulus_length; + r = sc_pkcs15emu_add_rsa_pubkey(p15card, &obj, &info); +@@ -590,6 +599,10 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + + /* This is hard-coded, for the time being. */ + int modulus_length = 1024; ++ /* it's a ST2021? */ ++ if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { ++ modulus_length = 2048; ++ } + + /* Public key; not really needed */ + /* FIXME: set usage according to the certificate. */ + +From 03707e182235ce9f83d3847e33f4fb4e38eebe42 Mon Sep 17 00:00:00 2001 +From: 0xdebe +Date: Sat, 31 Jul 2021 16:25:58 +0200 +Subject: [PATCH 3/3] fix modulus len + +--- + src/libopensc/card-itacns.c | 2 +- + src/libopensc/pkcs15-itacns.c | 43 ++++++++++++----------------------- + 2 files changed, 15 insertions(+), 30 deletions(-) + +diff --git a/src/libopensc/card-itacns.c b/src/libopensc/card-itacns.c +index 52e144f194..b26f9d3317 100644 +--- a/src/libopensc/card-itacns.c ++++ b/src/libopensc/card-itacns.c +@@ -104,7 +104,7 @@ static int itacns_match_cns_card(sc_card_t *card, unsigned int i) + if(card->driver) { + DRVDATA(card)->cns_version = atr[i]; + } +- /* Warn if the version is not 1.0. */ ++ /* Warn if version is not 1.X. 
*/ + if(atr[i] != 0x10 && atr[i] != 0x11) { + char version[8]; + snprintf(version, sizeof(version), "%d.%d", (atr[i] >> 4) & 0x0f, atr[i] & 0x0f); +diff --git a/src/libopensc/pkcs15-itacns.c b/src/libopensc/pkcs15-itacns.c +index 875b12276d..afdf459c4e 100644 +--- a/src/libopensc/pkcs15-itacns.c ++++ b/src/libopensc/pkcs15-itacns.c +@@ -189,7 +189,7 @@ static int loadFile(const sc_pkcs15_card_t *p15card, const sc_path_t *path, + static int itacns_add_cert(sc_pkcs15_card_t *p15card, + int type, int authority, const sc_path_t *path, + const sc_pkcs15_id_t *id, const char *label, int obj_flags, +- int *ext_info_ok, int *key_usage, int *x_key_usage) ++ int *ext_info_ok, int *key_usage, int *x_key_usage, int *modulus_len) + { + int r; + /* const char *label = "Certificate"; */ +@@ -237,6 +237,11 @@ static int itacns_add_cert(sc_pkcs15_card_t *p15card, + const u8 *throwaway = cert->data.value; + x509 = d2i_X509(NULL, &throwaway, cert->data.len); + } ++ ++ if (cert->key && cert->key->algorithm == SC_ALGORITHM_RSA) { ++ *modulus_len = cert->key->u.rsa.modulus.len * 8; ++ } ++ + sc_pkcs15_free_certificate(cert); + if (!x509) return SC_SUCCESS; + X509_check_purpose(x509, -1, 0); +@@ -260,7 +265,7 @@ static int itacns_add_cert(sc_pkcs15_card_t *p15card, + + static int itacns_add_pubkey(sc_pkcs15_card_t *p15card, + const sc_path_t *path, const sc_pkcs15_id_t *id, const char *label, +- int usage, int ref, int obj_flags, int *modulus_len_out) ++ int usage, int ref, int obj_flags, int modulus_len) + { + int r; + sc_pkcs15_pubkey_info_t info; +@@ -279,22 +284,8 @@ static int itacns_add_pubkey(sc_pkcs15_card_t *p15card, + strlcpy(obj.label, label, sizeof(obj.label)); + obj.flags = obj_flags; + +- /* +- * This is hard-coded, unless unforeseen versions of the CNS +- * turn up sometime. 
+- */ +- +- /* This is the unforseen version :D */ +- if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { +- info.modulus_length = 2048; +- } +- else { +- info.modulus_length = 1024; +- } ++ info.modulus_length = modulus_len; + +- +- +- *modulus_len_out = info.modulus_length; + r = sc_pkcs15emu_add_rsa_pubkey(p15card, &obj, &info); + LOG_TEST_RET(p15card->card->ctx, r, + "Could not add pub key"); +@@ -589,7 +580,7 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + const char *label, int sec_env, sc_pkcs15_id_t *cert_id, + const char *pubkey_path, const char *prkey_path, + unsigned int pubkey_usage_flags, unsigned int prkey_usage_flags, +- u8 pin_ref) ++ u8 pin_ref, int modulus_len) + { + int r; + sc_path_t path; +@@ -597,19 +588,13 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + char pinlabel[16]; + int fake_puk_authid, pin_flags; + +- /* This is hard-coded, for the time being. */ +- int modulus_length = 1024; +- /* it's a ST2021? */ +- if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { +- modulus_length = 2048; +- } + + /* Public key; not really needed */ + /* FIXME: set usage according to the certificate. 
*/ + if (pubkey_path) { + sc_format_path(pubkey_path, &path); + r = itacns_add_pubkey(p15card, &path, cert_id, label, +- pubkey_usage_flags, sec_env, 0, &modulus_length); ++ pubkey_usage_flags, sec_env, 0, modulus_len); + LOG_TEST_RET(p15card->card->ctx, r, + "Could not add public key"); + } +@@ -623,7 +608,7 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + private_path = &path; + } + r = itacns_add_prkey(p15card, cert_id, label, SC_PKCS15_TYPE_PRKEY_RSA, +- modulus_length, ++ modulus_len, + prkey_usage_flags, + private_path, sec_env, cert_id, SC_PKCS15_CO_FLAG_PRIVATE); + LOG_TEST_RET(p15card->card->ctx, r, +@@ -674,7 +659,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card, + sc_path_t path; + sc_pkcs15_id_t cert_id; + int ext_info_ok; +- int ku = 0, xku = 0; ++ int ku = 0, xku = 0, modulus_len = 0; + int pubkey_usage_flags = 0, prkey_usage_flags = 0; + + cert_id.len = 1; +@@ -720,7 +705,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card, + } + + r = itacns_add_cert(p15card, SC_PKCS15_TYPE_CERT_X509, 0, +- &path, &cert_id, label, 0, &ext_info_ok, &ku, &xku); ++ &path, &cert_id, label, 0, &ext_info_ok, &ku, &xku, &modulus_len); + if (r == SC_ERROR_INVALID_ASN1_OBJECT) + return 0; + LOG_TEST_RET(p15card->card->ctx, r, +@@ -765,7 +750,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card, + + r = itacns_add_keyset(p15card, label, sec_env, &cert_id, + pubkey_path, prkey_path, pubkey_usage_flags, prkey_usage_flags, +- pin_ref); ++ pin_ref, modulus_len); + LOG_TEST_RET(p15card->card->ctx, r, + "Could not add keys for this certificate"); + diff --git a/opensc.spec b/opensc.spec index 322d07d..3a8c0b6 100644 --- a/opensc.spec +++ b/opensc.spec 
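Review bot: In the final state of the embedded patch, `itacns_check_and_add_keyset` initialises `modulus_len = 0` and `itacns_add_cert` only assigns it when `cert->key` is non-NULL and `cert->key->algorithm == SC_ALGORITHM_RSA`, so a certificate whose public key was not decoded now registers the public and private key objects with a 0-bit `modulus_length`, where the code before patch 3 always fell back to 1024 (or 2048 for `cns_version == 0x11`). A guard before the `itacns_add_keyset` call would restore that fallback: `if (modulus_len == 0) modulus_len = (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) ? 2048 : 1024;`. Separately, `cert->key->u.rsa.modulus.len * 8` is a byte count times eight; if the decoded modulus still carries a leading zero octet the derived length will be 8 bits too large, which is worth confirming against how the certificate's key is decoded rather than assumed. The enclosing functions of these hunks begin and end outside the visible lines.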
@@ -18,6 +18,8 @@ Patch9: %{name}-%{version}-detect-empty.patch # https://github.com/OpenSC/OpenSC/pull/2512 (#2046792) Patch10: %{name}-%{version}-realloc-pointer.patch Patch11: %{name}-%{version}-init-var.patch +# https://github.com/OpenSC/OpenSC/pull/2371 (#2080783) +Patch12: %{name}-%{version}-support-itacns-2048.patch BuildRequires: make BuildRequires: pcsc-lite-devel @@ -61,6 +63,7 @@ every software/card that does so, too. %patch9 -p1 -b .detect-empty %patch10 -p1 -b .realloc-pointer %patch11 -p1 -b .init-var +%patch12 -p1 -b .support-itacns-2048 # The test-pkcs11-tool-allowed-mechanisms already works in Fedora sed -i -e '/XFAIL_TESTS/,$ {