Add support for itacns key length 2048

Veronika Hanulikova 2022-05-02 15:31:40 +02:00 committed by Jakub Jelen
parent 9514aebf05
commit e6940db0cc
2 changed files with 230 additions and 0 deletions


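--- /dev/null
+++ b/<ADDED-PATCH-FILE: name not shown on page>
@@ -0,0 +1,227 @@
+From 24d6c30dcfec00c425360414b2b75336a42982e8 Mon Sep 17 00:00:00 2001
+From: 0xdebe <gdeber@libero.it>
+Date: Thu, 29 Jul 2021 17:13:01 +0200
+Subject: [PATCH 1/3] fix Key Lenght for ST2021
+---
+src/libopensc/card-itacns.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/src/libopensc/card-itacns.c b/src/libopensc/card-itacns.c
+index bf085cafbc..52e144f194 100644
+--- a/src/libopensc/card-itacns.c
++++ b/src/libopensc/card-itacns.c
+@@ -105,7 +105,7 @@ static int itacns_match_cns_card(sc_card_t *card, unsigned int i)
+DRVDATA(card)->cns_version = atr[i];
+}
+/* Warn if the version is not 1.0. */
+- if(atr[i] != 0x10) {
++ if(atr[i] != 0x10 && atr[i] != 0x11) {
+char version[8];
+snprintf(version, sizeof(version), "%d.%d", (atr[i] >> 4) & 0x0f, atr[i] & 0x0f);
+sc_log(card->ctx, "CNS card version %s; no official specifications "
+@@ -219,8 +219,13 @@ static int itacns_init(sc_card_t *card)
+| SC_ALGORITHM_RSA_RAW
+| SC_ALGORITHM_RSA_HASHES
+;
++
+_sc_card_add_rsa_alg(card, 1024, flags, 0);
++ if (DRVDATA(card)->cns_version == 0x11) {
++ card->caps |= SC_CARD_CAP_APDU_EXT;
++ _sc_card_add_rsa_alg(card, 2048, flags, 0);
++ }
+return SC_SUCCESS;
+}
+From 9a38cd36c2823efb2b7615902e7cbef0534da1aa Mon Sep 17 00:00:00 2001
+From: 0xdebe <gdeber@libero.it>
+Date: Thu, 29 Jul 2021 17:13:16 +0200
+Subject: [PATCH 2/3] fix Modulus Lenght for ST2021
+---
+src/libopensc/pkcs15-itacns.c | 15 ++++++++++++++-
+1 file changed, 14 insertions(+), 1 deletion(-)
+diff --git a/src/libopensc/pkcs15-itacns.c b/src/libopensc/pkcs15-itacns.c
+index 9c9b40a591..875b12276d 100644
+--- a/src/libopensc/pkcs15-itacns.c
++++ b/src/libopensc/pkcs15-itacns.c
+@@ -283,7 +283,16 @@ static int itacns_add_pubkey(sc_pkcs15_card_t *p15card,
+* This is hard-coded, unless unforeseen versions of the CNS
+* turn up sometime.
+*/
+- info.modulus_length = 1024;
++
++ /* This is the unforseen version :D */
++ if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) {
++ info.modulus_length = 2048;
++ }
++ else {
++ info.modulus_length = 1024;
++ }
++
++
+*modulus_len_out = info.modulus_length;
+r = sc_pkcs15emu_add_rsa_pubkey(p15card, &obj, &info);
+@@ -590,6 +599,10 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card,
+/* This is hard-coded, for the time being. */
+int modulus_length = 1024;
++ /* it's a ST2021? */
++ if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) {
++ modulus_length = 2048;
++ }
+/* Public key; not really needed */
+/* FIXME: set usage according to the certificate. */
+From 03707e182235ce9f83d3847e33f4fb4e38eebe42 Mon Sep 17 00:00:00 2001
+From: 0xdebe <gdeber@libero.it>
+Date: Sat, 31 Jul 2021 16:25:58 +0200
+Subject: [PATCH 3/3] fix modulus len
+---
+src/libopensc/card-itacns.c | 2 +-
+src/libopensc/pkcs15-itacns.c | 43 ++++++++++++-----------------------
+2 files changed, 15 insertions(+), 30 deletions(-)
+diff --git a/src/libopensc/card-itacns.c b/src/libopensc/card-itacns.c
+index 52e144f194..b26f9d3317 100644
+--- a/src/libopensc/card-itacns.c
++++ b/src/libopensc/card-itacns.c
+@@ -104,7 +104,7 @@ static int itacns_match_cns_card(sc_card_t *card, unsigned int i)
+if(card->driver) {
+DRVDATA(card)->cns_version = atr[i];
+}
+- /* Warn if the version is not 1.0. */
++ /* Warn if version is not 1.X. */
+if(atr[i] != 0x10 && atr[i] != 0x11) {
+char version[8];
+snprintf(version, sizeof(version), "%d.%d", (atr[i] >> 4) & 0x0f, atr[i] & 0x0f);
+diff --git a/src/libopensc/pkcs15-itacns.c b/src/libopensc/pkcs15-itacns.c
+index 875b12276d..afdf459c4e 100644
+--- a/src/libopensc/pkcs15-itacns.c
++++ b/src/libopensc/pkcs15-itacns.c
+@@ -189,7 +189,7 @@ static int loadFile(const sc_pkcs15_card_t *p15card, const sc_path_t *path,
+static int itacns_add_cert(sc_pkcs15_card_t *p15card,
+int type, int authority, const sc_path_t *path,
+const sc_pkcs15_id_t *id, const char *label, int obj_flags,
+- int *ext_info_ok, int *key_usage, int *x_key_usage)
++ int *ext_info_ok, int *key_usage, int *x_key_usage, int *modulus_len)
+{
+int r;
+/* const char *label = "Certificate"; */
+@@ -237,6 +237,11 @@ static int itacns_add_cert(sc_pkcs15_card_t *p15card,
+const u8 *throwaway = cert->data.value;
+x509 = d2i_X509(NULL, &throwaway, cert->data.len);
+}
++
++ if (cert->key && cert->key->algorithm == SC_ALGORITHM_RSA) {
++ *modulus_len = cert->key->u.rsa.modulus.len * 8;
++ }
++
+sc_pkcs15_free_certificate(cert);
+if (!x509) return SC_SUCCESS;
+X509_check_purpose(x509, -1, 0);
+@@ -260,7 +265,7 @@ static int itacns_add_cert(sc_pkcs15_card_t *p15card,
+static int itacns_add_pubkey(sc_pkcs15_card_t *p15card,
+const sc_path_t *path, const sc_pkcs15_id_t *id, const char *label,
+- int usage, int ref, int obj_flags, int *modulus_len_out)
++ int usage, int ref, int obj_flags, int modulus_len)
+{
+int r;
+sc_pkcs15_pubkey_info_t info;
+@@ -279,22 +284,8 @@ static int itacns_add_pubkey(sc_pkcs15_card_t *p15card,
+strlcpy(obj.label, label, sizeof(obj.label));
+obj.flags = obj_flags;
+- /*
+- * This is hard-coded, unless unforeseen versions of the CNS
+- * turn up sometime.
+- */
+-
+- /* This is the unforseen version :D */
+- if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) {
+- info.modulus_length = 2048;
+- }
+- else {
+- info.modulus_length = 1024;
+- }
++ info.modulus_length = modulus_len;
+-
+-
+- *modulus_len_out = info.modulus_length;
+r = sc_pkcs15emu_add_rsa_pubkey(p15card, &obj, &info);
+LOG_TEST_RET(p15card->card->ctx, r,
+"Could not add pub key");
+@@ -589,7 +580,7 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card,
+const char *label, int sec_env, sc_pkcs15_id_t *cert_id,
+const char *pubkey_path, const char *prkey_path,
+unsigned int pubkey_usage_flags, unsigned int prkey_usage_flags,
+- u8 pin_ref)
++ u8 pin_ref, int modulus_len)
+{
+int r;
+sc_path_t path;
+@@ -597,19 +588,13 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card,
+char pinlabel[16];
+int fake_puk_authid, pin_flags;
+- /* This is hard-coded, for the time being. */
+- int modulus_length = 1024;
+- /* it's a ST2021? */
+- if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) {
+- modulus_length = 2048;
+- }
+/* Public key; not really needed */
+/* FIXME: set usage according to the certificate. */
+if (pubkey_path) {
+sc_format_path(pubkey_path, &path);
+r = itacns_add_pubkey(p15card, &path, cert_id, label,
+- pubkey_usage_flags, sec_env, 0, &modulus_length);
++ pubkey_usage_flags, sec_env, 0, modulus_len);
+LOG_TEST_RET(p15card->card->ctx, r,
+"Could not add public key");
+}
+@@ -623,7 +608,7 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card,
+private_path = &path;
+}
+r = itacns_add_prkey(p15card, cert_id, label, SC_PKCS15_TYPE_PRKEY_RSA,
+- modulus_length,
++ modulus_len,
+prkey_usage_flags,
+private_path, sec_env, cert_id, SC_PKCS15_CO_FLAG_PRIVATE);
+LOG_TEST_RET(p15card->card->ctx, r,
+@@ -674,7 +659,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card,
+sc_path_t path;
+sc_pkcs15_id_t cert_id;
+int ext_info_ok;
+- int ku = 0, xku = 0;
++ int ku = 0, xku = 0, modulus_len = 0;
+int pubkey_usage_flags = 0, prkey_usage_flags = 0;
+cert_id.len = 1;
+@@ -720,7 +705,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card,
+}
+r = itacns_add_cert(p15card, SC_PKCS15_TYPE_CERT_X509, 0,
+- &path, &cert_id, label, 0, &ext_info_ok, &ku, &xku);
++ &path, &cert_id, label, 0, &ext_info_ok, &ku, &xku, &modulus_len);
+if (r == SC_ERROR_INVALID_ASN1_OBJECT)
+return 0;
+LOG_TEST_RET(p15card->card->ctx, r,
+@@ -765,7 +750,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card,
+r = itacns_add_keyset(p15card, label, sec_env, &cert_id,
+pubkey_path, prkey_path, pubkey_usage_flags, prkey_usage_flags,
+- pin_ref);
++ pin_ref, modulus_len);
+LOG_TEST_RET(p15card->card->ctx, r,
+"Could not add keys for this certificate");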


@ -18,6 +18,8 @@ Patch9: %{name}-%{version}-detect-empty.patch
# https://github.com/OpenSC/OpenSC/pull/2512 (#2046792) # https://github.com/OpenSC/OpenSC/pull/2512 (#2046792)
Patch10: %{name}-%{version}-realloc-pointer.patch Patch10: %{name}-%{version}-realloc-pointer.patch
Patch11: %{name}-%{version}-init-var.patch Patch11: %{name}-%{version}-init-var.patch
# https://github.com/OpenSC/OpenSC/pull/2371 (#2080783)
Patch12: %{name}-%{version}-support-itacns-2048.patch
BuildRequires: make BuildRequires: make
BuildRequires: pcsc-lite-devel BuildRequires: pcsc-lite-devel
@ -61,6 +63,7 @@ every software/card that does so, too.
%patch9 -p1 -b .detect-empty %patch9 -p1 -b .detect-empty
%patch10 -p1 -b .realloc-pointer %patch10 -p1 -b .realloc-pointer
%patch11 -p1 -b .init-var %patch11 -p1 -b .init-var
%patch12 -p1 -b .support-itacns-2048
# The test-pkcs11-tool-allowed-mechanisms already works in Fedora # The test-pkcs11-tool-allowed-mechanisms already works in Fedora
sed -i -e '/XFAIL_TESTS/,$ { sed -i -e '/XFAIL_TESTS/,$ {