.gitignore

@@ -1 +1 @@
-SOURCES/opensc-0.20.0.tar.gz
+SOURCES/opensc-0.23.0.tar.gz

.opensc.metadata

@@ -1 +1 @@
-86bf24a556837fa94d8f9b5aa4be3c9e55d4d94d SOURCES/opensc-0.20.0.tar.gz
+5a5367ef33efcc35ed420b191b4d1bc3aa34a538 SOURCES/opensc-0.23.0.tar.gz

SOURCES/opensc-0.19.0-pinpad.patch

@@ -3,7 +3,7 @@ diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf
 +++ opensc-0.19.0/etc/opensc.conf	2018-10-22 14:33:59.939410701 +0200
 @@ -4,4 +4,9 @@ app default {
  	framework pkcs15 {
- 		# use_file_caching = true;
+		# use_file_caching = public;
  	}
 +	reader_driver pcsc {
 +		# The pinpad is disabled by default,

SOURCES/opensc-0.20.0-CVE-2020-26570.patch

@@ -1,31 +0,0 @@
-commit 6903aebfddc466d966c7b865fae34572bf3ed23e
-Author: Frank Morgner <frankmorgner@gmail.com>
-Date:   Thu Jul 30 02:21:17 2020 +0200
-
-    Heap-buffer-overflow WRITE
-    
-    fixes https://oss-fuzz.com/testcase-detail/5088104168554496
-
-diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
-index a873aaa0..2fb32b8d 100644
---- a/src/libopensc/pkcs15-oberthur.c
-+++ b/src/libopensc/pkcs15-oberthur.c
-@@ -271,11 +271,15 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
- 		rv = sc_read_binary(card, 0, *out, sz, 0);
- 	}
- 	else	{
--		int rec;
--		int offs = 0;
--		int rec_len = file->record_length;
-+		size_t rec;
-+		size_t offs = 0;
-+		size_t rec_len = file->record_length;
- 
- 		for (rec = 1; ; rec++)   {
-+			if (rec > file->record_count) {
-+				rv = 0;
-+				break;
-+			}
- 			rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
- 			if (rv == SC_ERROR_RECORD_NOT_FOUND)   {
- 				rv = 0;

SOURCES/opensc-0.20.0-CVE-2020-26571.patch

@@ -1,42 +0,0 @@
-commit ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43
-Author: Frank Morgner <frankmorgner@gmail.com>
-Date:   Mon May 18 17:25:32 2020 +0200
-
-    fixed invalid read
-    
-    fixes https://oss-fuzz.com/testcase-detail/5765246676631552
-
-diff --git a/src/libopensc/pkcs15-gemsafeGPK.c b/src/libopensc/pkcs15-gemsafeGPK.c
-index e13f3b87..4b80daf2 100644
---- a/src/libopensc/pkcs15-gemsafeGPK.c
-+++ b/src/libopensc/pkcs15-gemsafeGPK.c
-@@ -205,7 +205,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
- 
- 	u8 sysrec[7];
- 	int num_keyinfo = 0;
--	keyinfo kinfo[8]; /* will loook for 8 keys */
-+	keyinfo kinfo[9]; /* will look for 9 keys */
- 	u8 modulus_buf[ 1 + 1024 / 8]; /* tag+modulus */
- 	u8 *cp;
- 	char buf[256];
-@@ -255,9 +255,9 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
- 
- 	/* There may be more then one key in the directory. */
- 	/* we need to find them so we can associate them with the */
--	/* the certificate.  The files are 0007 to 000f */
-+	/* the certificate.  The files are 0007 to 000F */
- 
--	for (i = 7; i < 16; i++) {
-+	for (i = 0x7; i <= 0xF; i++) {
- 		path.value[0] = 0x00;
- 		path.value[1] = i;
- 		path.len = 2;	
-@@ -297,7 +297,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
- 		while (j--) 
- 			*cp++ =  modulus_buf[j + 1];
- 		num_keyinfo++;
--	} 
-+	}
- 
- 	/* Get the gemsafe data with the cert */
- 	 sc_format_path("3F000200004", &path);

SOURCES/opensc-0.20.0-CVE-2020-26572.patch

@@ -1,21 +0,0 @@
-commit 9d294de90d1cc66956389856e60b6944b27b4817
-Author: Frank Morgner <frankmorgner@gmail.com>
-Date:   Thu Jun 4 10:04:10 2020 +0200
-
-    prevent out of bounds write
-    
-    fixes https://oss-fuzz.com/testcase-detail/5226571123392512
-
-diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
-index 673c2493..e88c80bd 100644
---- a/src/libopensc/card-tcos.c
-+++ b/src/libopensc/card-tcos.c
-@@ -623,6 +623,8 @@ static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len,
- 	apdu.data = sbuf;
- 	apdu.lc = apdu.datalen = crgram_len+1;
- 	sbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);
-+	if (sizeof sbuf - 1 < crgram_len)
-+		return SC_ERROR_INVALID_ARGUMENTS;
- 	memcpy(sbuf+1, crgram, crgram_len);
- 
- 	r = sc_transmit_apdu(card, &apdu);

SOURCES/opensc-0.20.0-cac-pin-change.patch

@@ -1,102 +0,0 @@
-diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
-index 099923e5..61e69c88 100644
---- a/src/libopensc/card-cac.c
-+++ b/src/libopensc/card-cac.c
-@@ -1793,7 +1793,7 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
- 		}
- 		r = cac_process_ACA(card, priv);
- 		if (r == SC_SUCCESS) {
--			card->type = SC_CARD_TYPE_CAC_II;
-+			card->type = SC_CARD_TYPE_CAC_ALT_HID;
- 			card->drv_data = priv;
- 			return r;
- 		}
-@@ -1869,6 +1869,8 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
- 	 * FIPS 201 4.1.6.1 (numeric only) and * FIPS 140-2
- 	 * (6 character minimum) requirements.
- 	 */
-+	sc_apdu_t apdu;
-+	u8  sbuf[SC_MAX_APDU_BUFFER_SIZE];
- 	struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
- 
- 	if (data->cmd == SC_PIN_CMD_CHANGE) {
-@@ -1881,6 +1883,18 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
- 				return SC_ERROR_INVALID_DATA;
- 			}
- 		}
-+
-+		/* We can change the PIN of Giesecke & Devrient CAC ALT tokens
-+		 * with a bit non-standard APDU */
-+		if (card->type == SC_CARD_TYPE_CAC_ALT_HID) {
-+			int r = 0;
-+			r = iso7816_build_pin_apdu(card, &apdu, data, sbuf, sizeof(sbuf));
-+			if (r < 0)
-+				return r;
-+			/* it requires P1 = 0x01 completely against the ISO specs */
-+			apdu.p1 = 0x01;
-+			data->apdu = &apdu;
-+		}
- 	}
- 
- 	return  iso_drv->ops->pin_cmd(card, data, tries_left);
-diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
-index 0ec25a46..16846d15 100644
---- a/src/libopensc/cards.h
-+++ b/src/libopensc/cards.h
-@@ -244,6 +244,7 @@ enum {
- 	SC_CARD_TYPE_CAC_GENERIC,
- 	SC_CARD_TYPE_CAC_I,
- 	SC_CARD_TYPE_CAC_II,
-+	SC_CARD_TYPE_CAC_ALT_HID,
- 
- 	/* nPA cards */
- 	SC_CARD_TYPE_NPA = 34000,
-diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
-index b1a0e88f..d41613b2 100644
---- a/src/libopensc/iso7816.c
-+++ b/src/libopensc/iso7816.c
-@@ -1017,7 +1017,7 @@ iso7816_decipher(struct sc_card *card,
- }
- 
- 
--static int
-+int
- iso7816_build_pin_apdu(struct sc_card *card, struct sc_apdu *apdu,
- 		struct sc_pin_cmd_data *data, u8 *buf, size_t buf_len)
- {
-diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
-index b519c5d5..8ebf9fbd 100644
---- a/src/libopensc/opensc.h
-+++ b/src/libopensc/opensc.h
-@@ -1664,6 +1664,19 @@ int iso7816_update_binary_sfid(sc_card_t *card, unsigned char sfid,
-  * */
- int iso7816_logout(sc_card_t *card, unsigned char pin_reference);
- 
-+/*
-+ * @brief Format PIN APDU for modifiction by card driver
-+ *
-+ * @param[in] card           card
-+ * @param[in] apdu           apdu structure to update with PIN APDU
-+ * @param[in] data           pin command data to set into the APDU
-+ * @param[in] buf            buffer for APDU data field
-+ * @param[in] buf_len        maximum buffer length
-+ */
-+int
-+iso7816_build_pin_apdu(struct sc_card *card, struct sc_apdu *apdu,
-+		struct sc_pin_cmd_data *data, u8 *buf, size_t buf_len);
-+
- #ifdef __cplusplus
- }
- #endif
-diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
-index ccb27994..05056ea9 100644
---- a/src/libopensc/pkcs15-cac.c
-+++ b/src/libopensc/pkcs15-cac.c
-@@ -79,6 +79,7 @@ static const char * cac_get_name(int type)
-     switch (type) {
-     case SC_CARD_TYPE_CAC_I: return ("CAC I");
-     case SC_CARD_TYPE_CAC_II: return ("CAC II");
-+    case SC_CARD_TYPE_CAC_ALT_HID: return ("CAC ALT HID");
-     default: break;
-     }
-     return ("CAC");

SOURCES/opensc-0.20.0-calloc0.patch

@@ -1,102 +0,0 @@
-From f1bcadfbe9d156adbe509b0860511ee41add0c67 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner@gmail.com>
-Date: Tue, 10 Mar 2020 12:13:29 +0100
-Subject: [PATCH]  pkcs11: don't try to allocate 0 byte with calloc
-
-fixes #1978
----
- src/pkcs11/pkcs11-global.c | 7 ++++++-
- win32/Make.rules.mak       | 4 ++--
- win32/winconfig.h.in       | 2 ++
- 3 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/src/pkcs11/pkcs11-global.c b/src/pkcs11/pkcs11-global.c
-index a3260314f8..671890309f 100644
---- a/src/pkcs11/pkcs11-global.c
-+++ b/src/pkcs11/pkcs11-global.c
-@@ -456,6 +456,13 @@ CK_RV C_GetSlotList(CK_BBOOL       tokenPresent,  /* only slots with token prese
- 
- 	card_detect_all();
- 
-+	if (list_empty(&virtual_slots)) {
-+		sc_log(context, "returned 0 slots\n");
-+		*pulCount = 0;
-+		rv = CKR_OK;
-+		goto out;
-+	}
-+
- 	found = calloc(list_size(&virtual_slots), sizeof(CK_SLOT_ID));
- 
- 	if (found == NULL) {
-diff --git a/win32/Make.rules.mak b/win32/Make.rules.mak
-index 4f4971a72d..c6b1aac340 100644
---- a/win32/Make.rules.mak
-+++ b/win32/Make.rules.mak
-@@ -1,7 +1,7 @@
- OPENSC_FEATURES = pcsc
- 
- #Include support for minidriver
--MINIDRIVER_DEF = /DENABLE_MINIDRIVER
-+#MINIDRIVER_DEF = /DENABLE_MINIDRIVER
- 
- #Build MSI with the Windows Installer XML (WIX) toolkit, requires WIX >= 3.9
- !IF "$(WIX)" == ""
-@@ -33,7 +33,7 @@ WIX_LIBS = "$(WIX)\SDK\$(WIXVSVER)\lib\$(PLATFORM)\dutil.lib" "$(WIX)\SDK\$(WIXV
- SM_DEF = /DENABLE_SM
- 
- #Build with debugging support
--#DEBUG_DEF = /DDEBUG
-+DEBUG_DEF = /DDEBUG
- 
- # If you want support for OpenSSL (needed for pkcs15-init tool, software hashing in PKCS#11 library and verification):
- # - download and build OpenSSL
-diff --git a/win32/winconfig.h.in b/win32/winconfig.h.in
-index 94ed9b5475..fa682c5bcc 100644
---- a/win32/winconfig.h.in
-+++ b/win32/winconfig.h.in
-@@ -103,6 +103,8 @@
- #define DEFAULT_ONEPIN_PKCS11_PROVIDER "@DEFAULT_ONEPIN_PKCS11_PROVIDER@"
- #endif
- 
-+#define PKCS11_THREAD_LOCKING
-+
- #ifndef DEFAULT_SM_MODULE
- #define DEFAULT_SM_MODULE "@DEFAULT_SM_MODULE@"
- #endif
-
-commit 500ecd3d127975379e2310626c3ce94c3e7035ea
-Author: Jakub Jelen <jjelen@redhat.com>
-Date:   Wed Nov 25 13:49:08 2020 +0100
-
-    pkcs11-tool: Avoid calloc with 0 argument
-
-diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
-index 4015aaf1..89244795 100644
---- a/src/tools/pkcs11-tool.c
-+++ b/src/tools/pkcs11-tool.c
-@@ -1270,15 +1270,18 @@ static void list_slots(int tokens, int refresh, int print)
- 		if (rv != CKR_OK)
- 			p11_fatal("C_GetSlotList(NULL)", rv);
- 		free(p11_slots);
--		p11_slots = calloc(p11_num_slots, sizeof(CK_SLOT_ID));
--		if (p11_slots == NULL) {
--			perror("calloc failed");
--			exit(1);
-+		p11_slots = NULL;
-+		if (p11_num_slots > 0) {
-+			p11_slots = calloc(p11_num_slots, sizeof(CK_SLOT_ID));
-+			if (p11_slots == NULL) {
-+				perror("calloc failed");
-+				exit(1);
-+			}
-+			rv = p11->C_GetSlotList(tokens, p11_slots, &p11_num_slots);
-+			if (rv != CKR_OK)
-+				p11_fatal("C_GetSlotList()", rv);
- 		}
- 
--		rv = p11->C_GetSlotList(tokens, p11_slots, &p11_num_slots);
--		if (rv != CKR_OK)
--			p11_fatal("C_GetSlotList()", rv);
- 	}
- 
- 	if (!print)

SOURCES/opensc-0.20.0-file-cache.patch

@@ -1,85 +0,0 @@
-From 2a28dcd3f6e4af7a5b2d7d7810b26b6321dd1bf1 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 10 Nov 2020 14:44:43 +0100
-Subject: [PATCH 1/3] ctx: Use more standard cache directory
-
-https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
----
- src/libopensc/ctx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/libopensc/ctx.c b/src/libopensc/ctx.c
-index 6b57170f01..d6058c070e 100644
---- a/src/libopensc/ctx.c
-+++ b/src/libopensc/ctx.c
-@@ -1008,7 +1008,12 @@ int sc_get_cache_dir(sc_context_t *ctx, char *buf, size_t bufsize)
- 	}
- 
- #ifndef _WIN32
--	cache_dir = ".eid/cache";
-+	cache_dir = getenv("XDG_CACHE_HOME");
-+	if (cache_dir != NULL && cache_dir[0] != '\0') {
-+		snprintf(buf, bufsize, "%s/%s", cache_dir, "opensc");
-+		return SC_SUCCESS;
-+	}
-+	cache_dir = ".cache/opensc";
- 	homedir = getenv("HOME");
- #else
- 	cache_dir = "eid-cache";
-@@ -1020,7 +1025,7 @@ int sc_get_cache_dir(sc_context_t *ctx, char *buf, size_t bufsize)
- 		homedir = temp_path;
- 	}
- #endif
--	if (homedir == NULL)
-+	if (homedir == NULL || homedir[0] == '\0')
- 		return SC_ERROR_INTERNAL;
- 	if (snprintf(buf, bufsize, "%s/%s", homedir, cache_dir) < 0)
- 		return SC_ERROR_BUFFER_TOO_SMALL;
-
-From 7c1c6f6be47f55693647827259edcacc98761371 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 10 Nov 2020 15:07:42 +0100
-Subject: [PATCH 3/3] doc: Update documentation about the cache location
-
----
- doc/files/opensc.conf.5.xml.in | 9 +++++++--
- 2 files changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/doc/files/opensc.conf.5.xml.in b/doc/files/opensc.conf.5.xml.in
-index 118922a877..791f11669a 100644
---- a/doc/files/opensc.conf.5.xml.in
-+++ b/doc/files/opensc.conf.5.xml.in
-@@ -1116,12 +1116,17 @@ app <replaceable>application</replaceable> {
- 							<itemizedlist>
- 								<listitem>
- 									<para>
--										<filename><envar>HOME</envar>/.eid/cache/</filename> (Unix)
-+										<filename><envar>$XDG_CACHE_HOME</envar>/opensc/</filename> (If <envar>$XDG_CACHE_HOME</envar> is defined)
- 									</para>
- 								</listitem>
- 								<listitem>
- 									<para>
--										<filename><envar>USERPROFILE</envar>\.eid-cache\</filename> (Windows)
-+										<filename><envar>$HOME</envar>/.cache/opensc/</filename> (Unix)
-+									</para>
-+								</listitem>
-+								<listitem>
-+									<para>
-+										<filename><envar>$USERPROFILE</envar>\.eid-cache\</filename> (Windows)
- 									</para>
- 								</listitem>
- 							</itemizedlist>
-
-diff -up opensc-0.20.0/etc/opensc.conf.file-cache opensc-0.20.0/etc/opensc.conf
---- opensc-0.20.0/etc/opensc.conf.file-cache	2020-11-20 16:49:30.995526825 +0100
-+++ opensc-0.20.0/etc/opensc.conf	2020-11-20 16:50:07.665053280 +0100
-@@ -2,7 +2,7 @@ app default {
- 	# debug = 3;
- 	# debug_file = opensc-debug.txt;
- 	framework pkcs15 {
--		# use_file_caching = true;
-+		use_file_caching = true;
- 	}
- 	reader_driver pcsc {
- 		# The pinpad is disabled by default,
-

SOURCES/opensc-0.20.0-idprime.patch

@@ -1,25 +0,0 @@
-From 34dad7f543f006ad269ce1f935a9e8d3e3a83db7 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 3 Feb 2020 16:40:51 +0100
-Subject: [PATCH] idprime: Add missing terminator in ATR list
-
-Thanks oss-fuzz
-
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20510
----
- src/libopensc/card-idprime.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/libopensc/card-idprime.c b/src/libopensc/card-idprime.c
-index 744d5189b9..9f5adde9d2 100644
---- a/src/libopensc/card-idprime.c
-+++ b/src/libopensc/card-idprime.c
-@@ -52,6 +52,7 @@ static const struct sc_atr_table idprime_atrs[] = {
- 	  "ff:ff:00:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff",
- 	  "Gemalto IDPrime MD 8840, 3840, 3810, 840 and 830 Cards",
- 	  SC_CARD_TYPE_IDPRIME_GENERIC, 0, NULL },
-+	{ NULL, NULL, NULL, 0, 0, NULL }
- };
- 
- static const sc_path_t idprime_path = {
-

SOURCES/opensc-0.20.0-label-padding.patch

@@ -1,24 +0,0 @@
-commit 8d4af9eb0b799f22b25783e8e1b7af329b5a917b
-Author: Frank Morgner <frankmorgner@gmail.com>
-Date:   Fri Jan 31 12:15:53 2020 +0100
-
-    pkcs11: fixed right padding of token label with ' '
-    
-    fixes https://github.com/OpenSC/OpenSC/issues/1922
-
-diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
-index e94eeeff..a1951c2e 100644
---- a/src/pkcs11/framework-pkcs15.c
-+++ b/src/pkcs11/framework-pkcs15.c
-@@ -1122,9 +1122,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
- 							max_tokeninfo_len);
- 					slot->token_info.label[max_tokeninfo_len]           = ' ';
- 					slot->token_info.label[max_tokeninfo_len+1]         = '(';
--					slot->token_info.label[max_tokeninfo_len+2+pin_len] = ')';
- 					strcpy_bp(slot->token_info.label+max_tokeninfo_len+2,
- 							auth->label, pin_len);
-+					strcpy_bp(slot->token_info.label+max_tokeninfo_len+2+pin_len,
-+							")", 32 - max_tokeninfo_len-2-pin_len);
- 				}
- 			} else {
- 				/* PIN label is empty or just says non-useful "PIN",

SOURCES/opensc-0.22.0-file-cache.patch

@@ -0,0 +1,23 @@
+diff -up opensc-0.22.0/etc/opensc.conf.file-cache opensc-0.22.0/etc/opensc.conf
+--- opensc-0.22.0/etc/opensc.conf.file-cache	2021-10-08 13:14:44.091772071 +0200
++++ opensc-0.22.0/etc/opensc.conf	2021-10-08 13:19:27.339051951 +0200
+@@ -2,7 +2,7 @@ app default {
+ 	# debug = 3;
+ 	# debug_file = opensc-debug.txt;
+ 	framework pkcs15 {
+-		# use_file_caching = public;
++		use_file_caching = public;
+ 	}
+ 	reader_driver pcsc {
+ 		# The pinpad is disabled by default,
+@@ -10,3 +10,10 @@ app default {
+ 		enable_pinpad = false;
+ 	}
+ }
++# the pkcs15-init is used for card initialization when the file caching
++# brings more trouble than use so disable that:
++app pkcs15-init {
++	framework pkcs15 {
++		use_file_caching = no;
++	}
++}

SOURCES/opensc-0.23.0-constant-time-pkcs1.5.patch

@@ -1,5 +1,5 @@
 diff --git a/src/common/Makefile.am b/src/common/Makefile.am
-index 5153428dc..9ecbffe8f 100644
+index 5153428dce..9ecbffe8fd 100644
 --- a/src/common/Makefile.am
 +++ b/src/common/Makefile.am
 @@ -8,7 +8,8 @@ dist_noinst_DATA = \
@@ -21,7 +21,7 @@ index 5153428dc..9ecbffe8f 100644
 +	constant-time.h
  
  check-local:
- 	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' -header-filter=.* $(TIDY_FILES) -- $(TIDY_FLAGS); fi
+ 	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' --checks='$(TIDY_CHECKS)' -header-filter=.* $(addprefix $(srcdir)/,$(TIDY_FILES)) -- $(TIDY_FLAGS); fi
 diff --git a/src/common/constant-time.h b/src/common/constant-time.h
 new file mode 100644
 index 0000000000..40c3e500c2
@@ -163,18 +163,20 @@ index 0000000000..40c3e500c2
 +
 +#endif /* CONSTANT_TIME_H */
 diff --git a/src/libopensc/internal.h b/src/libopensc/internal.h
-index 74014235a..13eccfa1a 100644
+index 7531260c14..2a98f0e966 100644
 --- a/src/libopensc/internal.h
 +++ b/src/libopensc/internal.h
-@@ -168,6 +168,8 @@ int sc_pkcs1_strip_01_padding(struct sc_context *ctx, const u8 *in_dat, size_t i
- 		u8 *out_dat, size_t *out_len);
- int sc_pkcs1_strip_02_padding(struct sc_context *ctx, const u8 *data, size_t len,
+@@ -175,8 +175,8 @@ int _sc_card_add_xeddsa_alg(struct sc_card *card, size_t key_length,
+ 
+ int sc_pkcs1_strip_01_padding(struct sc_context *ctx, const u8 *in_dat, size_t in_len,
  		u8 *out_dat, size_t *out_len);
+-int sc_pkcs1_strip_02_padding(struct sc_context *ctx, const u8 *data, size_t len,
+-		u8 *out_dat, size_t *out_len);
 +int sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const u8 *data,
 +		unsigned int data_len, u8 *out, unsigned int *out_len);
  int sc_pkcs1_strip_digest_info_prefix(unsigned int *algorithm,
  		const u8 *in_dat, size_t in_len, u8 *out_dat, size_t *out_len);
-
+ #ifdef ENABLE_OPENSSL
 diff --git a/src/libopensc/padding.c b/src/libopensc/padding.c
 index ca47733a4e..ddb3061134 100644
 --- a/src/libopensc/padding.c
@@ -185,7 +187,7 @@ index ca47733a4e..ddb3061134 100644
  
 +#include "common/constant-time.h"
  #include "internal.h"
- 
+ #include "pkcs11/pkcs11.h"
  /* TODO doxygen comments */
  
 +#define SC_PKCS1_PADDING_MIN_SIZE 11
@@ -305,13 +307,283 @@ index ca47733a4e..ddb3061134 100644
 +	return constant_time_select(good, mlen, SC_ERROR_WRONG_PADDING);
  }
  
- /* add/remove DigestInfo prefix */
+ #ifdef ENABLE_OPENSSL
+diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
+index 3391994abe..5248d9758a 100644
+--- a/src/minidriver/minidriver.c
++++ b/src/minidriver/minidriver.c
+@@ -4653,9 +4653,9 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_DATA pCardData,
+ 					  "sc_pkcs15_decipher: DECRYPT-INFO dwVersion=%lu\n",
+ 					  (unsigned long)pInfo->dwVersion);
+ 				if (pInfo->dwPaddingType == CARD_PADDING_PKCS1)   {
+-					size_t temp = pInfo->cbData;
++					unsigned int temp = pInfo->cbData;
+ 					logprintf(pCardData, 2, "sc_pkcs15_decipher: stripping PKCS1 padding\n");
+-					r = sc_pkcs1_strip_02_padding(vs->ctx, pbuf2, pInfo->cbData, pbuf2, &temp);
++					r = sc_pkcs1_strip_02_padding_constant_time(vs->ctx, prkey_info->modulus_length / 8, pbuf2, pInfo->cbData, pbuf2, &temp);
+ 					pInfo->cbData = (DWORD) temp;
+ 					if (r < 0)   {
+ 						logprintf(pCardData, 2, "Cannot strip PKCS1 padding: %i\n", r);
+
+diff --git a/src/tests/unittests/Makefile.am b/src/tests/unittests/Makefile.am
+index 7019ca7ba8..4c73911e48 100644
+--- a/src/tests/unittests/Makefile.am
++++ b/src/tests/unittests/Makefile.am
+@@ -6,8 +6,10 @@ include $(top_srcdir)/aminclude_static.a
+ clean-local: code-coverage-clean
+ distclean-local: code-coverage-dist-clean
+ 
+-noinst_PROGRAMS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin decode_ecdsa_signature
+-TESTS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin decode_ecdsa_signature
++noinst_PROGRAMS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin \
++	decode_ecdsa_signature strip_pkcs1_2_padding
++TESTS = asn1 simpletlv cachedir pkcs15filter openpgp-tool hextobin \
++	decode_ecdsa_signature strip_pkcs1_2_padding
+ 
+ noinst_HEADERS = torture.h
+ 
+@@ -28,6 +30,7 @@ pkcs15filter_SOURCES = pkcs15-emulator-f
+ openpgp_tool_SOURCES = openpgp-tool.c $(top_builddir)/src/tools/openpgp-tool-helpers.c
+ hextobin_SOURCES = hextobin.c
+ decode_ecdsa_signature_SOURCES = decode_ecdsa_signature.c
++strip_pkcs1_2_paddingSOURCES = strip_pkcs1_2_padding.c
+ 
+ if ENABLE_ZLIB
+ noinst_PROGRAMS += compression
+diff --git a/src/tests/unittests/Makefile.mak b/src/tests/unittests/Makefile.mak
+index 2607546f57..6284b51af9 100644
+--- a/src/tests/unittests/Makefile.mak
++++ b/src/tests/unittests/Makefile.mak
+@@ -1,10 +1,11 @@
+ TOPDIR = ..\..\..
+ 
+-TARGETS = asn1 compression pkcs15filter
++TARGETS = asn1 compression pkcs15filter strip_pkcs1_2_padding
+ 
+ OBJECTS = asn1.obj \
+ 	compression.obj \
+-	pkcs15-emulator-filter.obj
++	pkcs15-emulator-filter.obj \
++	strip_pkcs1_2_padding.obj \
+ 	$(TOPDIR)\win32\versioninfo.res
+ 
+ all: $(TARGETS)
+diff --git a/src/tests/unittests/strip_pkcs1_2_padding.c b/src/tests/unittests/strip_pkcs1_2_padding.c
+new file mode 100644
+index 0000000000..f9561b936d
+--- /dev/null
++++ b/src/tests/unittests/strip_pkcs1_2_padding.c
+@@ -0,0 +1,204 @@
++#include "common/compat_strlcpy.c"
++#include "libopensc/log.c"
++#include "libopensc/padding.c"
++#include "torture.h"
++#include <cmocka.h>
++
++static void
++torture_long_output_buffer(void **state)
++{
++	unsigned int n = 14;
++	unsigned int in_len = 14;
++	unsigned char in[] = {0x00, 0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			0x00,
++			'm', 's', 'g'};
++	unsigned int out_len = 3;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	unsigned char result_msg[] = {'m', 's', 'g'};
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, 3);
++	assert_memory_equal(out, result_msg, r);
++	free(out);
++}
++
++static void
++torture_short_output_buffer(void **state)
++{
++	unsigned int n = 14;
++	unsigned int in_len = 14;
++	unsigned char in[] = {0x00, 0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			0x00,
++			'm', 's', 'g'};
++	unsigned int out_len = 1;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
++	free(out);
++}
++
++static void
++torture_short_message_correct_padding(void **state)
++{
++	unsigned int n = 14;
++	unsigned int in_len = 14;
++	unsigned char in[] = {0x00, 0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			0x00,
++			'm', 's', 'g'};
++	unsigned int out_len = 3;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	unsigned char result_msg[] = {'m', 's', 'g'};
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, 3);
++	assert_memory_equal(out, result_msg, r);
++	free(out);
++}
++
++static void
++torture_missing_first_zero(void **state)
++{
++	unsigned int n = 13;
++	unsigned int in_len = 13;
++	unsigned char in[] = {0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			0x00,
++			'm', 's', 'g'};
++	unsigned int out_len = 10;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
++	free(out);
++}
++
++static void
++torture_missing_two(void **state)
++{
++	unsigned int n = 13;
++	unsigned int in_len = 13;
++	unsigned char in[] = {0x00,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			0x00,
++			'm', 's', 'g'};
++	unsigned int out_len = 10;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
++	free(out);
++}
++
++static void
++torture_short_padding(void **state)
++{
++	unsigned int n = 13;
++	unsigned int in_len = 13;
++	unsigned char in[] = {0x00, 0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++			0x00,
++			'm', 's', 'g'};
++	unsigned int out_len = 10;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
++	free(out);
++}
++
++static void
++torture_missing_second_zero(void **state)
++{
++	unsigned int n = 13;
++	unsigned int in_len = 13;
++	unsigned char in[] = {0x00, 0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			'm', 's', 'g'};
++	unsigned int out_len = 10;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
++	free(out);
++}
++
++static void
++torture_missing_message(void **state)
++{
++	unsigned int n = 20;
++	unsigned int in_len = 11;
++	unsigned char in[] = {0x00, 0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			0x00};
++	unsigned int out_len = 11;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
++	free(out);
++}
++
++static void
++torture_one_byte_message(void **state)
++{
++	unsigned int n = 12;
++	unsigned int in_len = 12;
++	unsigned char in[] = {0x00, 0x02,
++			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++			0x00,
++			'm'};
++	unsigned int out_len = 1;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	unsigned char result_msg[] = {'m'};
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, 1);
++	assert_memory_equal(out, result_msg, r);
++	free(out);
++}
++
++static void
++torture_longer_padding(void **state)
++{
++	unsigned int n = 26;
++	unsigned int in_len = 26;
++	unsigned char in[] = {0x00, 0x02,
++			0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11,
++			0x00,
++			0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a};
++	unsigned int out_len = 8;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	unsigned char result_msg[] = {0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a};
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, 8);
++	assert_memory_equal(out, result_msg, r);
++	free(out);
++}
++
++static void
++torture_empty_message(void **state)
++{
++	unsigned int n = 18;
++	unsigned int in_len = 18;
++	unsigned char in[] = {0x00, 0x02,
++			0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11,
++			0x00};
++	unsigned int out_len = 8;
++	unsigned char *out = calloc(out_len, sizeof(unsigned char));
++	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
++	assert_int_equal(r, 0);
++	free(out);
++}
++
++int
++main(void)
++{
++	const struct CMUnitTest tests[] = {
++			cmocka_unit_test(torture_long_output_buffer),
++			cmocka_unit_test(torture_short_output_buffer),
++			cmocka_unit_test(torture_short_message_correct_padding),
++			cmocka_unit_test(torture_missing_first_zero),
++			cmocka_unit_test(torture_missing_two),
++			cmocka_unit_test(torture_short_padding),
++			cmocka_unit_test(torture_missing_second_zero),
++			cmocka_unit_test(torture_missing_message),
++			cmocka_unit_test(torture_one_byte_message),
++			cmocka_unit_test(torture_longer_padding),
++			cmocka_unit_test(torture_empty_message)};
++	return cmocka_run_group_tests(tests, NULL, NULL);
++}
 
 diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
 index a019af460f..f7ee819d65 100644
 --- a/src/libopensc/pkcs15-sec.c
 +++ b/src/libopensc/pkcs15-sec.c
-@@ -286,12 +286,14 @@ int sc_pkcs15_decipher(struct sc_pkcs15_
+@@ -308,9 +308,10 @@ int sc_pkcs15_decipher(struct sc_pkcs15_
  
  	/* Strip any padding */
  	if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
@@ -323,7 +595,12 @@ index a019af460f..f7ee819d65 100644
 +		r = sc_pkcs1_strip_02_padding_constant_time(ctx, key_size / 8, out, s, out, &s);
 +		/* for keeping PKCS#1 v1.5 depadding constant-time, do not log error here */
  	}
- 
+ #ifdef ENABLE_OPENSSL
+ 	if (pad_flags & SC_ALGORITHM_RSA_PAD_OAEP)
+@@ -332,7 +333,8 @@ int sc_pkcs15_decipher(struct sc_pkcs15_
+ 		LOG_TEST_RET(ctx, r, "Invalid OAEP padding");
+ 	}
+ #endif
 -	LOG_FUNC_RETURN(ctx, r);
 +	/* do not log error code to prevent side channel attack */
 +	return r;
@@ -343,7 +620,7 @@ index f75a3dbaec..632681df63 100644
  #include "config.h"
  #include <stdlib.h>
  #include <string.h>
-@@ -4174,7 +4175,8 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
+@@ -4395,7 +4396,8 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
  	struct pkcs15_fw_data *fw_data = NULL;
  	struct pkcs15_prkey_object *prkey;
  	unsigned char decrypted[512]; /* FIXME: Will not work for keys above 4096 bits */
@@ -351,11 +628,11 @@ index f75a3dbaec..632681df63 100644
 +	int rv, flags = 0, prkey_has_path = 0;
 +	CK_ULONG mask, good, rv_pkcs11;
  
- 	sc_log(context, "Initiating decryption.");
- 
-@@ -4246,27 +4248,54 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
+ 	if (pulDataLen == NULL) {
+ 		/* This is call from the C_DecyptInit function */
+@@ -4484,27 +4486,53 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
  	rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
- 			pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted));
+ 			pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted), pMechanism);
  
 -	if (rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
 +	/* skip for PKCS#1 v1.5 padding prevent side channel attack */
@@ -363,7 +640,7 @@ index f75a3dbaec..632681df63 100644
 +			rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
  		if (reselect_app_df(fw_data->p15_card) == SC_SUCCESS)
  			rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
- 					pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted));
+ 					pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted), pMechanism);
  
  	sc_unlock(p11card->card);
  
@@ -371,8 +648,8 @@ index f75a3dbaec..632681df63 100644
 +	sc_log(context, "Decryption complete.");
  
 -	if (rv < 0)
+-		return sc_to_cryptoki_error(rv, "C_Decrypt");
 +	/* Handle following code in constant-time
- 		return sc_to_cryptoki_error(rv, "C_Decrypt");
 +	 * to prevent Marvin attack for PKCS#1 v1.5 padding. */
  
 -	buff_too_small = (*pulDataLen < (CK_ULONG)rv);
@@ -382,13 +659,12 @@ index f75a3dbaec..632681df63 100644
 -	if (buff_too_small)
 -		return CKR_BUFFER_TOO_SMALL;
 -	memcpy(pData, decrypted, *pulDataLen);
--
--	return CKR_OK;
 +	/* only padding error must be handled in constant-time way,
 +	 * other error can be returned straight away */
 +	if ((~constant_time_eq_i(rv, SC_ERROR_WRONG_PADDING) & constant_time_lt_s(sizeof(decrypted), (size_t)rv)))
 +		return sc_to_cryptoki_error(rv, "C_Decrypt");
-+	
+ 
+-	return CKR_OK;
 +	/* check rv for padding error */
 +	good = ~constant_time_eq_i(rv, SC_ERROR_WRONG_PADDING);
 +	rv_pkcs11 = sc_to_cryptoki_error(SC_ERROR_WRONG_PADDING, "C_Decrypt");
@@ -418,7 +694,8 @@ index f75a3dbaec..632681df63 100644
 +	/* do not log error code to prevent side channel attack */
 +	return rv_pkcs11;
  }
-
+ 
+ 
 
 diff --git a/src/pkcs11/mechanism.c b/src/pkcs11/mechanism.c
 index 03495265a4..d3f0434231 100644
@@ -443,23 +720,86 @@ index 03495265a4..d3f0434231 100644
  		session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT);
  
  	return rv;
-
+@@ -1110,10 +1113,12 @@ sc_pkcs11_decr_update(struct sc_pkcs11_s
+ 	rv = op->type->decrypt_update(op, pEncryptedData, ulEncryptedDataLen,
+ 			pData, pulDataLen);
+ 
+-	/* terminate session for any error except CKR_BUFFER_TOO_SMALL */
+-	if (rv != CKR_OK && rv != CKR_BUFFER_TOO_SMALL)
++	/* terminate session for any return value except CKR_BUFFER_TOO_SMALL,
++	 * perform check in time side-channel free way to prevent Marvin attack */
++	if (~constant_time_eq_s(rv, CKR_OK) & ~constant_time_eq_s(rv, CKR_BUFFER_TOO_SMALL))
+ 		session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT);
+-	LOG_FUNC_RETURN(context, (int)rv);
++	/* do not log error code to prevent side channel attack */
++	return rv;
+ }
+ 
+ CK_RV
+@@ -1530,6 +1535,10 @@ sc_pkcs11_decrypt(sc_pkcs11_operation_t
+ 	if (pulDataLen)
+ 		*pulDataLen = ulDataLen;
+ 
++	/* Skip DecryptFinalize for PKCS#1 v1.5 padding to prevent time side-channel leakage */
++	if (((CK_MECHANISM_PTR)&operation->mechanism)->mechanism == CKM_RSA_PKCS)
++		return rv;
++
+ 	if (rv != CKR_OK)
+ 		return rv;
+ 
 
 
 diff --git a/src/pkcs11/pkcs11-object.c b/src/pkcs11/pkcs11-object.c
 index f04c0b4c56..b023911213 100644
 --- a/src/pkcs11/pkcs11-object.c
 +++ b/src/pkcs11/pkcs11-object.c
-@@ -926,7 +926,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSessi
+@@ -1034,7 +1034,8 @@ C_Decrypt(CK_SESSION_HANDLE hSession,	     /* the session's handle */
  		rv = reset_login_state(session->slot, rv);
  	}
  
--	sc_log(context, "C_Decrypt() = %s", lookup_enum ( RV_T, rv ));
+-	SC_LOG_RV("C_Decrypt() = %s", rv);
 +	/* do not log error code to prevent side channel attack */
-+	sc_log(context, "C_Decrypt() finished");
++	SC_LOG("C_Decrypt()");
  	sc_pkcs11_unlock();
  	return rv;
  }
+@@ -1058,7 +1059,8 @@ C_DecryptUpdate(CK_SESSION_HANDLE hSession,  /* the session's handle */
+ 		rv = sc_pkcs11_decr_update(session, pEncryptedPart, ulEncryptedPartLen,
+ 				pPart, pulPartLen);
+ 
+-	SC_LOG_RV("C_DecryptUpdate() = %s", rv);
++	/* do not log error code to prevent side channel attack */
++	SC_LOG("C_DecryptUpdate()");
+ 	sc_pkcs11_unlock();
+ 	return rv;
+ }
+@@ -1086,7 +1088,8 @@ C_DecryptFinal(CK_SESSION_HANDLE hSession,   /* the session's handle */
+ 		rv = reset_login_state(session->slot, rv);
+ 	}
+ 
+-	SC_LOG_RV("C_DecryptFinal() = %s", rv);
++	/* do not log error code to prevent side channel attack */
++	SC_LOG("C_DecryptFinal()");
+ 	sc_pkcs11_unlock();
+ 	return rv;
+ }
+diff --git a/src/pkcs11/sc-pkcs11.h b/src/pkcs11/sc-pkcs11.h
+index 66dfcdde67..510017ed2a 100644
+--- a/src/pkcs11/sc-pkcs11.h
++++ b/src/pkcs11/sc-pkcs11.h
+@@ -246,6 +246,11 @@ do {\
+         }\
+ } while(0)
+ 
++#define SC_LOG(fmt) \
++	do { \
++		sc_log(context, (fmt)); \
++	} while (0)
++
+ /* Debug virtual slots. S is slot to be highlighted or NULL
+  * C is a comment format string and args It will be preceded by "VSS " */
+ #define DEBUG_VSS(S, ...) do { sc_log(context,"VSS " __VA_ARGS__); _debug_virtual_slots(S); } while (0)
+
 
 diff --git a/src/pkcs11/misc.c b/src/pkcs11/misc.c
 index 5ca1176b1d..1d893d6181 100644
@@ -482,4 +822,3 @@ index 5ca1176b1d..1d893d6181 100644
  			slot->login_user = -1;
  			pop_all_login_states(slot);
  		}
-

SOURCES/opensc-0.23.0-myeid-sym.patch

@@ -0,0 +1,99 @@
+From cde2e050ec4f2f1b7db38429aa4e9c0f4656308c Mon Sep 17 00:00:00 2001
+From: Peter Popovec <popovec.peter@gmail.com>
+Date: Wed, 26 Apr 2023 13:22:09 +0200
+Subject: [PATCH] NULL pointer fix
+
+Thanks to the clang analyzer:
+ Null pointer passed to 2nd parameter expecting 'nonnull'
+ [clang-analyzer-core.NonNullParamChecker]
+
+	modified:   src/libopensc/card-myeid.c
+---
+ src/libopensc/card-myeid.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
+index 31dd209f3..951c179f1 100644
+--- a/src/libopensc/card-myeid.c
++++ b/src/libopensc/card-myeid.c
+@@ -1973,6 +1973,9 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ 				return_len = block_size - pad_byte;
+ 			}
+ 			*outlen = return_len;
++			/* application can request buffer size or actual buffer size is too small */
++			if (out == NULL)
++				LOG_FUNC_RETURN(ctx, SC_SUCCESS);
+ 			if (return_len > *outlen)
+ 				LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
+ 			memcpy(out, priv->sym_plain_buffer, return_len);
+@@ -2042,10 +2045,11 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ 			priv->sym_crypt_buffer_len = 0;
+ 			rest_len = 0;
+ 		}
+-		memcpy(sdata, data, apdu_datalen);
+-		data += apdu_datalen;
+-		datalen -= apdu_datalen;
+-
++		if (data) {
++			memcpy(sdata, data, apdu_datalen);
++			data += apdu_datalen;
++			datalen -= apdu_datalen;
++		}
+ 		r = sc_transmit_apdu(card, &apdu);
+ 		LOG_TEST_RET(ctx, r, "APDU transmit failed");
+ 		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+@@ -2084,7 +2088,8 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ 	/* save rest of data for next run */
+ 	priv->sym_crypt_buffer_len = datalen;
+ 	sc_log(ctx, "rest data len = %zu", datalen);
+-	memcpy(priv->sym_crypt_buffer, data, datalen);
++	if (data)
++		memcpy(priv->sym_crypt_buffer, data, datalen);
+ 	sc_log(ctx, "return data len = %zu", return_len);
+ 	*outlen = return_len;
+ 	return SC_SUCCESS;
+-- 
+2.41.0
+
+From f1993dc4e0b33050b8f72a3558ee88b24c4063b2 Mon Sep 17 00:00:00 2001
+From: Peter Popovec <popovec.peter@gmail.com>
+Date: Tue, 27 Jun 2023 09:50:42 +0200
+Subject: [PATCH] myeid: fixed CID 380538  Out-of-bounds read (OVERRUN)
+
+also fixes output buffer size checking
+---
+ src/libopensc/card-myeid.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
+index 4ee424684..50e78ff1d 100644
+--- a/src/libopensc/card-myeid.c
++++ b/src/libopensc/card-myeid.c
+@@ -1986,18 +1986,20 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ 				sc_log(ctx, "Found padding byte %02x", pad_byte);
+ 				if (pad_byte == 0 || pad_byte > block_size)
+ 					LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
+-				sdata = priv->sym_plain_buffer + block_size - pad_byte;
++				sdata = priv->sym_plain_buffer + block_size;
+ 				for (i = 0; i < pad_byte; i++)
+-					if (sdata[i] != pad_byte)
++					if (*(--sdata) != pad_byte)
+ 						LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
+ 				return_len = block_size - pad_byte;
+ 			}
+-			*outlen = return_len;
+ 			/* application can request buffer size or actual buffer size is too small */
+-			if (out == NULL)
++			if (out == NULL) {
++				*outlen = return_len;
+ 				LOG_FUNC_RETURN(ctx, SC_SUCCESS);
++			}
+ 			if (return_len > *outlen)
+ 				LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
++			*outlen = return_len;
+ 			memcpy(out, priv->sym_plain_buffer, return_len);
+ 			sc_log(ctx, "C_DecryptFinal %zu bytes", *outlen);
+ 			return SC_SUCCESS;
+-- 
+2.41.0
+

SOURCES/opensc-0.23.0-openpgp.patch

@@ -0,0 +1,225 @@
+From 3b580b6fff9ac463ecc6e996cfaf573f62749368 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Fri, 14 Apr 2023 12:02:54 +0200
+Subject: [PATCH 1/2] openpgp: identify OpenPGP compliance with bcd_version
+ rather than card type
+
+---
+ src/libopensc/card-openpgp.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index fad32f0ce7..2ea5dc9d36 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -1780,13 +1780,18 @@ pgp_get_pubkey_pem(sc_card_t *card, unsigned int tag, u8 *buf, size_t buf_len)
+  * p1: number of an instance (DO 7F21: 0x00 for AUT, 0x01 for DEC and 0x02 for SIG)
+  */
+ static int
+-pgp_select_data(sc_card_t *card, u8 p1){
++pgp_select_data(sc_card_t *card, u8 p1)
++{
+ 	sc_apdu_t	apdu;
+ 	u8	apdu_data[6];
+ 	int	r;
++	struct pgp_priv_data *priv = DRVDATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
++	if (priv->bcd_version < OPENPGP_CARD_3_0)
++		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
++
+ 	sc_log(card->ctx, "select data with: %u", p1);
+ 
+ 	// create apdu data (taken from spec: SELECT DATA 7.2.5.)
+@@ -2179,8 +2184,7 @@ pgp_set_security_env(sc_card_t *card,
+ 	/* The SC_SEC_ENV_ALG_PRESENT is set always so let it pass for GNUK */
+ 	if ((env->flags & SC_SEC_ENV_ALG_PRESENT)
+ 		&& (env->algorithm != SC_ALGORITHM_RSA)
+-		&& (priv->bcd_version < OPENPGP_CARD_3_0)
+-		&& (card->type != SC_CARD_TYPE_OPENPGP_GNUK))
++		&& (priv->bcd_version < OPENPGP_CARD_3_0))
+ 		LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS,
+ 				"only RSA algorithm supported");
+ 
+@@ -2944,13 +2948,13 @@ pgp_update_card_algorithms(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *ke
+ {
+ 	sc_algorithm_info_t *algo;
+ 	u8 id = key_info->key_id;
++	struct pgp_priv_data *priv = DRVDATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+ 	/* protect incompatible cards against non-RSA */
+ 	if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
+-		&& card->type < SC_CARD_TYPE_OPENPGP_V3
+-		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
++		&& priv->bcd_version < OPENPGP_CARD_3_0)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
+ 
+ 	if (id > card->algorithm_count) {
+@@ -2992,13 +2996,13 @@ pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_info)
+ 	size_t apdu_le;
+ 	size_t resplen = 0;
+ 	int r = SC_SUCCESS;
++	struct pgp_priv_data *priv = DRVDATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+ 	/* protect incompatible cards against non-RSA */
+ 	if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
+-		&& card->type < SC_CARD_TYPE_OPENPGP_V3
+-		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
++		&& priv->bcd_version < OPENPGP_CARD_3_0)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
+ 	if (key_info->algorithm == SC_OPENPGP_KEYALGO_EDDSA
+ 		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
+@@ -3358,13 +3362,13 @@ pgp_store_key(sc_card_t *card, sc_cardctl_openpgp_keystore_info_t *key_info)
+ 	u8 *data = NULL;
+ 	size_t len = 0;
+ 	int r;
++	struct pgp_priv_data *priv = DRVDATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+ 	/* protect incompatible cards against non-RSA */
+ 	if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA
+-		&& card->type < SC_CARD_TYPE_OPENPGP_V3
+-		&& card->type != SC_CARD_TYPE_OPENPGP_GNUK)
++		&& priv->bcd_version < OPENPGP_CARD_3_0)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
+ 
+ 	/* Validate */
+
+From 9eccc1494d8303ffe42beb772732df218875e3ac Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Fri, 14 Apr 2023 12:09:55 +0200
+Subject: [PATCH 2/2] openpgp: ignore errors on SELECT DATA for OpenPGP 2 and
+ below
+
+fixes https://github.com/OpenSC/OpenSC/issues/2752
+---
+ src/libopensc/pkcs15-openpgp.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
+index e2f3442238..9d3fd746a0 100644
+--- a/src/libopensc/pkcs15-openpgp.c
++++ b/src/libopensc/pkcs15-openpgp.c
+@@ -556,14 +556,9 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
+ 		memset(&cert_info, 0, sizeof(cert_info));
+ 		memset(&cert_obj,  0, sizeof(cert_obj));
+ 
+-		/* only try to SELECT DATA for OpenPGP >= v3 */
+-		if (card->type >= SC_CARD_TYPE_OPENPGP_V3) {
+-			r = sc_card_ctl(card, SC_CARDCTL_OPENPGP_SELECT_DATA, &i);
+-			if (r < 0) {
+-				free(buffer);
+-				LOG_TEST_RET(card->ctx, r, "Failed OpenPGP - select data");
+-			}
+-		}
++		/* try to SELECT DATA. Will only work for OpenPGP >= v3, errors are non-critical */
++		sc_card_ctl(card, SC_CARDCTL_OPENPGP_SELECT_DATA, &i);
++
+ 		sc_format_path(certs[i].path, &cert_info.path);
+ 
+ 		/* Certificate ID. We use the same ID as the authentication key */
+
+commit e8fba322a2f4d06ec5c74fe80f9e2b0e9fdefec6
+Author: Jakub Jelen <jjelen@redhat.com>
+Date:   Fri May 19 16:49:00 2023 +0200
+
+    openpgp: Fix fingerprint calculation
+    
+    fixes https://github.com/OpenSC/OpenSC/issues/2775
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index cc454cef..496e38e6 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -2697,15 +2697,23 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
+ 
+ 	/* RSA */
+ 	if (key_info->algorithm == SC_OPENPGP_KEYALGO_RSA) {
++		unsigned short bytes_length = 0;
++
+ 		*p = 1; /* Algorithm ID, RSA */
+ 		p += 1;
++
++		/* Modulus */
++		bytes_length = BYTES4BITS(key_info->u.rsa.modulus_len);
+ 		ushort2bebytes(p, (unsigned short)key_info->u.rsa.modulus_len);
+ 		p += 2;
+-		memcpy(p, key_info->u.rsa.modulus, (BYTES4BITS(key_info->u.rsa.modulus_len)));
+-		p += (key_info->u.rsa.modulus_len >> 3);
+-		ushort2bebytes(++p, (unsigned short)key_info->u.rsa.exponent_len);
++		memcpy(p, key_info->u.rsa.modulus, bytes_length);
++		p += bytes_length;
++
++		/* Exponent */
++		bytes_length = BYTES4BITS(key_info->u.rsa.exponent_len);
++		ushort2bebytes(p, (unsigned short)key_info->u.rsa.exponent_len);
+ 		p += 2;
+-		memcpy(p, key_info->u.rsa.exponent, (BYTES4BITS(key_info->u.rsa.exponent_len)));
++		memcpy(p, key_info->u.rsa.exponent, bytes_length);
+ 	}
+ 	/* ECC */
+ 	else if (key_info->algorithm == SC_OPENPGP_KEYALGO_ECDH
+
+commit 891f10e49de1a5ee038b1cb2fb59dce40429e6c2
+Author: Jakub Jelen <jjelen@redhat.com>
+Date:   Fri May 19 17:53:35 2023 +0200
+
+    openpgp: Fix modulus length calculation in pkc15init layer
+
+diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h
+index 5a0a19c5..ba685a30 100644
+--- a/src/libopensc/pkcs15.h
++++ b/src/libopensc/pkcs15.h
+@@ -373,7 +373,7 @@ struct sc_pkcs15_prkey_info {
+ 	unsigned int usage, access_flags;
+ 	int native, key_reference;
+ 	/* convert to union if other types are supported */
+-	size_t modulus_length; /* RSA */
++	size_t modulus_length; /* RSA, in bits */
+ 	size_t field_length;   /* EC in bits */
+ 
+ 	unsigned int algo_refs[SC_MAX_SUPPORTED_ALGORITHMS];
+diff --git a/src/pkcs15init/pkcs15-openpgp.c b/src/pkcs15init/pkcs15-openpgp.c
+index c75bcbda..3e060be5 100644
+--- a/src/pkcs15init/pkcs15-openpgp.c
++++ b/src/pkcs15init/pkcs15-openpgp.c
+@@ -235,7 +235,7 @@ static int openpgp_generate_key_rsa(sc_card_t *card, sc_pkcs15_object_t *obj,
+ 
+ 	/* Prepare buffer */
+ 	key_info.u.rsa.modulus_len = required->modulus_length;
+-	key_info.u.rsa.modulus = calloc(required->modulus_length >> 3, 1);
++	key_info.u.rsa.modulus = calloc(BYTES4BITS(required->modulus_length), 1);
+ 	if (key_info.u.rsa.modulus == NULL)
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_ENOUGH_MEMORY);
+ 
+@@ -252,18 +252,18 @@ static int openpgp_generate_key_rsa(sc_card_t *card, sc_pkcs15_object_t *obj,
+ 
+ 	pubkey->algorithm = SC_ALGORITHM_RSA;
+ 	sc_log(ctx, "Set output modulus info");
+-	pubkey->u.rsa.modulus.len = key_info.u.rsa.modulus_len;
+-	pubkey->u.rsa.modulus.data = calloc(key_info.u.rsa.modulus_len, 1);
++	pubkey->u.rsa.modulus.len = BYTES4BITS(key_info.u.rsa.modulus_len);
++	pubkey->u.rsa.modulus.data = calloc(pubkey->u.rsa.modulus.len, 1);
+ 	if (pubkey->u.rsa.modulus.data == NULL)
+ 		goto err;
+-	memcpy(pubkey->u.rsa.modulus.data, key_info.u.rsa.modulus, key_info.u.rsa.modulus_len);
++	memcpy(pubkey->u.rsa.modulus.data, key_info.u.rsa.modulus, BYTES4BITS(key_info.u.rsa.modulus_len));
+ 
+ 	sc_log(ctx, "Set output exponent info");
+-	pubkey->u.rsa.exponent.len = key_info.u.rsa.exponent_len;
+-	pubkey->u.rsa.exponent.data = calloc(BYTES4BITS(key_info.u.rsa.exponent_len), 1);
++	pubkey->u.rsa.exponent.len = BYTES4BITS(key_info.u.rsa.exponent_len);
++	pubkey->u.rsa.exponent.data = calloc(pubkey->u.rsa.exponent.len, 1);
+ 	if (pubkey->u.rsa.exponent.data == NULL)
+ 		goto err;
+-	memcpy(pubkey->u.rsa.exponent.data, key_info.u.rsa.exponent, BYTES4BITS(key_info.u.rsa.exponent_len));
++	memcpy(pubkey->u.rsa.exponent.data, key_info.u.rsa.exponent, pubkey->u.rsa.exponent.len);
+ 
+ err:
+ 	free(key_info.u.rsa.modulus);

SOURCES/opensc-0.23.0-pkcs11-tool-import.patch

@@ -0,0 +1,212 @@
+From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:08:53 +0100
+Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
+
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index aae205fe2c..cfee8526d5 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 		RSA_get0_factors(r, &r_p, &r_q);
+ 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
+ #else
+-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
++		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+-			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
+ 			util_fatal("OpenSSL error during RSA private key parsing");
++			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+ 		}
+ #endif
+ 		RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:11:41 +0100
+Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
+
+---
+ src/tools/pkcs11-tool.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index cfee8526d5..f2e6b1dd91 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 	const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
+ 	r = EVP_PKEY_get1_RSA(pkey);
+ 	if (!r) {
+-		if (private)
+-			util_fatal("OpenSSL error during RSA private key parsing");
+-		else
+-			util_fatal("OpenSSL error during RSA public key parsing");
++		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
++			ERR_error_string(ERR_peek_last_error(), NULL));
+ 	}
+ 
+ 	RSA_get0_key(r, &r_n, &r_e, NULL);
+@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 	BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
+ 	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
+ 		EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
+-		if (private)
+-			util_fatal("OpenSSL error during RSA private key parsing");
+-		else
+-			util_fatal("OpenSSL error during RSA public key parsing");
++		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
++			ERR_error_string(ERR_peek_last_error(), NULL));
+ 	 }
+ #endif
+ 	RSA_GET_BN(rsa, modulus, r_n);
+@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+-			util_fatal("OpenSSL error during RSA private key parsing");
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
++			util_fatal("OpenSSL error during RSA private key parsing: %s",
++				ERR_error_string(ERR_peek_last_error(), NULL));
+ 		}
+ #endif
+ 		RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:38:31 +0100
+Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
+
+---
+ tests/Makefile.am                | 10 ++++---
+ tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 4 deletions(-)
+ create mode 100755 tests/test-pkcs11-tool-import.sh
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d378e2ee00..9d8a24c321 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
+                       test-pkcs11-tool-test-threads.sh \
+                       test-pkcs11-tool-sign-verify.sh \
+                       test-pkcs11-tool-allowed-mechanisms.sh \
+-                      test-pkcs11-tool-sym-crypt-test.sh\
+-                      test-pkcs11-tool-unwrap-wrap-test.sh
++                      test-pkcs11-tool-sym-crypt-test.sh \
++                      test-pkcs11-tool-unwrap-wrap-test.sh \
++                      test-pkcs11-tool-import.sh
+ 
+ .NOTPARALLEL:
+ TESTS = \
+@@ -25,8 +26,9 @@ TESTS = \
+         test-pkcs11-tool-test.sh \
+         test-pkcs11-tool-test-threads.sh \
+         test-pkcs11-tool-allowed-mechanisms.sh \
+-        test-pkcs11-tool-sym-crypt-test.sh\
+-        test-pkcs11-tool-unwrap-wrap-test.sh
++        test-pkcs11-tool-sym-crypt-test.sh \
++        test-pkcs11-tool-unwrap-wrap-test.sh \
++        test-pkcs11-tool-import.sh
+ XFAIL_TESTS = \
+         test-pkcs11-tool-test-threads.sh \
+         test-pkcs11-tool-test.sh
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+new file mode 100755
+index 0000000000..76ff8e51be
+--- /dev/null
++++ b/tests/test-pkcs11-tool-import.sh
+@@ -0,0 +1,48 @@
++#!/bin/bash
++SOURCE_PATH=${SOURCE_PATH:-..}
++
++source $SOURCE_PATH/tests/common.sh
++
++echo "======================================================="
++echo "Setup SoftHSM"
++echo "======================================================="
++if [[ ! -f $P11LIB ]]; then
++    echo "WARNING: The SoftHSM is not installed. Can not run this test"
++    exit 77;
++fi
++card_setup
++
++ID="0100"
++OPTS=""
++for KEYTYPE in "RSA" "EC"; do
++    echo "======================================================="
++    echo "Generate and import $KEYTYPE keys"
++    echo "======================================================="
++    if [ "$KEYTYPE" == "RSA" ]; then
++        ID="0100"
++    elif [ "$KEYTYPE" == "EC" ]; then
++        ID="0200"
++        OPTS="-pkeyopt ec_paramgen_curve:P-521"
++    fi
++    openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
++    assert $? "Failed to generate private $KEYTYPE key"
++    $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
++        --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
++    assert $? "Failed to write private $KEYTYPE key"
++
++    openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
++    assert $? "Failed to convert private $KEYTYPE key to public"
++    $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
++        -p $PIN --module $P11LIB
++    assert $? "Failed to write public $KEYTYPE key"
++    # certificate import already tested in all other tests
++
++    rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
++done
++
++echo "======================================================="
++echo "Cleanup"
++echo "======================================================="
++card_cleanup
++
++exit $ERRORS
+
+From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jakuje@gmail.com>
+Date: Fri, 2 Dec 2022 18:07:43 +0100
+Subject: [PATCH 4/4] Simplify the new test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
+---
+ tests/test-pkcs11-tool-import.sh | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+index 76ff8e51be..c90b3b4926 100755
+--- a/tests/test-pkcs11-tool-import.sh
++++ b/tests/test-pkcs11-tool-import.sh
+@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
+ fi
+ card_setup
+ 
+-ID="0100"
+-OPTS=""
+ for KEYTYPE in "RSA" "EC"; do
+     echo "======================================================="
+     echo "Generate and import $KEYTYPE keys"
+     echo "======================================================="
+-    if [ "$KEYTYPE" == "RSA" ]; then
+-        ID="0100"
+-    elif [ "$KEYTYPE" == "EC" ]; then
++    ID="0100"
++    OPTS=""
++    if [ "$KEYTYPE" == "EC" ]; then
+         ID="0200"
+         OPTS="-pkeyopt ec_paramgen_curve:P-521"
+     fi
+

SOURCES/opensc-0.23.0-pkcs11-uri.patch

@@ -0,0 +1,446 @@
+From 700b6e767391fdec3e9ed3865780f6bf7828ac85 Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Fri, 19 Apr 2024 16:02:13 +0200
+Subject: [PATCH 1/2] Include uri in pkcs11-tool -L option
+
+Fixes: #3123
+
+Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
+---
+ src/tools/pkcs11-tool.c | 66 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 5b2abf590c..c165945872 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -621,6 +621,7 @@ static void		generate_random(CK_SESSION_HANDLE session);
+ static CK_RV		find_object_with_attributes(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *out,
+ 				CK_ATTRIBUTE *attrs, CK_ULONG attrsLen, CK_ULONG obj_index);
+ static CK_ULONG		get_private_key_length(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE prkey);
++static const char *percent_encode(CK_UTF8CHAR *, size_t);
+ 
+ /* win32 needs this in open(2) */
+ #ifndef O_BINARY
+@@ -1681,6 +1682,15 @@ static void show_token(CK_SLOT_ID slot)
+ 	printf("  serial num         : %s\n", p11_utf8_to_local(info.serialNumber,
+ 			sizeof(info.serialNumber)));
+ 	printf("  pin min/max        : %lu/%lu\n", info.ulMinPinLen, info.ulMaxPinLen);
++	printf("  uri                : pkcs11:model=");
++	printf("%s", percent_encode(info.model, sizeof(info.model)));
++	printf(";manufacturer=");
++	printf("%s", percent_encode(info.manufacturerID, sizeof(info.manufacturerID)));
++	printf(";serial=");
++	printf("%s", percent_encode(info.serialNumber, sizeof(info.serialNumber)));
++	printf(";token=");
++	printf("%s", percent_encode(info.label, sizeof(info.label)));
++	printf("\n");
+ }
+ 
+ static void list_mechs(CK_SLOT_ID slot)
+@@ -8293,6 +8303,62 @@ static const char *p11_utf8_to_local(CK_UTF8CHAR *string, size_t len)
+ 	return buffer;
+ }
+ 
++static CK_BBOOL
++p11_is_percent_format_reserved_char(CK_UTF8CHAR c)
++{
++	switch (c) {
++	case ' ':
++	case '!':
++	case '"':
++	case '#':
++	case '$':
++	case '%':
++	case '&':
++	case '\'':
++	case '(':
++	case ')':
++	case '*':
++	case '+':
++	case ',':
++	case '/':
++	case ':':
++	case ';':
++	case '=':
++	case '?':
++	case '@':
++	case '[':
++	case ']':
++		return CK_TRUE;
++	}
++	return CK_FALSE;
++}
++
++static const char *
++percent_encode(CK_UTF8CHAR *string, size_t len)
++{
++	static char buffer[1024];
++	size_t output_index, input_index;
++
++	while (len && string[len - 1] == ' ')
++		len--;
++
++	for (output_index = input_index = 0; output_index < sizeof(buffer) - 3;
++			output_index++) {
++		if (input_index >= len) {
++			break;
++		}
++		if (p11_is_percent_format_reserved_char(string[input_index])) {
++			snprintf(&buffer[output_index], 4, "%%%x", string[input_index]);
++			output_index += 2;
++		} else {
++			buffer[output_index] = string[input_index];
++		}
++		input_index++;
++	}
++	buffer[output_index] = '\0';
++	return buffer;
++}
++
+ static void p11_fatal(const char *func, CK_RV rv)
+ {
+ 	if (p11)
+
+From d9119d0695ea207dca50d651f78ec5fd0a9023ba Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Thu, 25 Apr 2024 13:42:14 +0200
+Subject: [PATCH 2/2] Update src/tools/pkcs11-tool.c
+
+Co-authored-by: Jakub Jelen <jakuje@gmail.com>
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index c165945872..46f8b735e5 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -1682,8 +1682,8 @@ static void show_token(CK_SLOT_ID slot)
+ 	printf("  serial num         : %s\n", p11_utf8_to_local(info.serialNumber,
+ 			sizeof(info.serialNumber)));
+ 	printf("  pin min/max        : %lu/%lu\n", info.ulMinPinLen, info.ulMaxPinLen);
+-	printf("  uri                : pkcs11:model=");
+-	printf("%s", percent_encode(info.model, sizeof(info.model)));
++	printf("  uri                : pkcs11:");
++	printf("model=%s", percent_encode(info.model, sizeof(info.model)));
+ 	printf(";manufacturer=");
+ 	printf("%s", percent_encode(info.manufacturerID, sizeof(info.manufacturerID)));
+ 	printf(";serial=");
+
+From 5289269d4a57563bdcd604ec091e6eda0f0547fd Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Tue, 30 Apr 2024 18:30:16 +0200
+Subject: [PATCH] Include URIs for PKCS#11 objects
+
+Fixes: #3129
+
+Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
+---
+ src/tests/fuzzing/fuzz_pkcs15init.c |   7 +-
+ src/tools/pkcs11-tool.c             | 119 ++++++++++++++++++++++------
+ tests/test-pkcs11-tool-test.sh      |  20 ++++-
+ 3 files changed, 116 insertions(+), 30 deletions(-)
+
+diff --git a/src/tests/fuzzing/fuzz_pkcs15init.c b/src/tests/fuzzing/fuzz_pkcs15init.c
+index e44e3aae35..85810ded77 100644
+--- a/src/tests/fuzzing/fuzz_pkcs15init.c
++++ b/src/tests/fuzzing/fuzz_pkcs15init.c
+@@ -109,7 +109,7 @@ int fuzz_get_reader_data(const uint8_t *from, size_t from_size, const uint8_t **
+     size_t i = 0;
+     while(i < from_size - 1 && from[i] != '\0')
+         i++;
+-        
++
+     if (from[i] != '\0')
+         return 0;
+ 
+@@ -126,6 +126,7 @@ void do_init_app(struct sc_profile *profile, struct sc_pkcs15_card *p15card, sc_
+     int                           so_puk_disabled = 0;
+ 
+     memset(&init_args, 0, sizeof(init_args));
++    memset(&info, 0, sizeof(info));
+     sc_pkcs15init_get_pin_info(profile, SC_PKCS15INIT_SO_PIN, &info);
+     if ((info.attrs.pin.flags & SC_PKCS15_PIN_FLAG_UNBLOCK_DISABLED) &&
+         (info.attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN))
+@@ -150,7 +151,7 @@ void do_store_pin(struct sc_profile *profile, struct sc_pkcs15_card *p15card, sc
+     struct sc_pkcs15init_pinargs pin_args;
+     char   pin_id[SC_PKCS15_MAX_ID_SIZE] = "1\0";
+     sc_pkcs15init_set_p15card(profile, p15card);
+-    
++
+     memcpy(pin, "1234555678\0", 11); /* Set new pin */
+     memset(&pin_args, 0, sizeof(pin_args));
+ 
+@@ -363,6 +364,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+     if (card)
+ 	    sc_disconnect_card(card);
+     sc_release_context(ctx);
+-        
++
+     return 0;
+ }
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 46f8b735e5..4e1668290f 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -1648,6 +1648,43 @@ static void list_slots(int tokens, int refresh, int print)
+ 	}
+ }
+ 
++static const char *
++copy_key_value_to_uri(const char *key, const char *value, CK_BBOOL last)
++{
++	static char URI[1024];
++	static size_t shift = 0;
++	if (key && (shift + strlen(key) < sizeof(URI))) {
++		strcpy(&URI[shift], key);
++		shift += strlen(key);
++	}
++	if (value && (shift + strlen(value) < sizeof(URI))) {
++		strcpy(&URI[shift], value);
++		shift += strlen(value);
++	}
++	if (key && value && !last && shift < sizeof(URI)) {
++		URI[shift++] = ';';
++	}
++	if (last && shift < sizeof(URI)) {
++		URI[shift] = '\0';
++		shift = 0;
++	}
++	return URI;
++}
++
++static const char *
++get_uri(CK_TOKEN_INFO_PTR info)
++{
++	copy_key_value_to_uri("pkcs11:", NULL, CK_FALSE);
++	const char *model = percent_encode(info->model, sizeof(info->model));
++	copy_key_value_to_uri("model=", model, CK_FALSE);
++	const char *manufacturer = percent_encode(info->manufacturerID, sizeof(info->manufacturerID));
++	copy_key_value_to_uri("manufacturer=", manufacturer, CK_FALSE);
++	const char *serial = percent_encode(info->serialNumber, sizeof(info->serialNumber));
++	copy_key_value_to_uri("serial=", serial, CK_FALSE);
++	const char *token = percent_encode(info->label, sizeof(info->label));
++	return copy_key_value_to_uri("token=", token, CK_TRUE);
++}
++
+ static void show_token(CK_SLOT_ID slot)
+ {
+ 	CK_TOKEN_INFO	info;
+@@ -1682,14 +1719,7 @@ static void show_token(CK_SLOT_ID slot)
+ 	printf("  serial num         : %s\n", p11_utf8_to_local(info.serialNumber,
+ 			sizeof(info.serialNumber)));
+ 	printf("  pin min/max        : %lu/%lu\n", info.ulMinPinLen, info.ulMaxPinLen);
+-	printf("  uri                : pkcs11:");
+-	printf("model=%s", percent_encode(info.model, sizeof(info.model)));
+-	printf(";manufacturer=");
+-	printf("%s", percent_encode(info.manufacturerID, sizeof(info.manufacturerID)));
+-	printf(";serial=");
+-	printf("%s", percent_encode(info.serialNumber, sizeof(info.serialNumber)));
+-	printf(";token=");
+-	printf("%s", percent_encode(info.label, sizeof(info.label)));
++	printf("  uri                : %s", get_uri(&info));
+ 	printf("\n");
+ }
+ 
+@@ -5045,13 +5075,14 @@ show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ {
+ 	CK_MECHANISM_TYPE_PTR mechs = NULL;
+ 	CK_KEY_TYPE	key_type = getKEY_TYPE(sess, obj);
+-	CK_ULONG	size = 0;
++	CK_ULONG size, idsize = 0;
+ 	unsigned char	*id, *oid, *value;
+ 	const char      *sepa;
+ 	char		*label;
+ 	char		*unique_id;
+ 	int		pub = 1;
+ 	int		sec = 0;
++	CK_TOKEN_INFO info;
+ 
+ 	switch(getCLASS(sess, obj)) {
+ 		case CKO_PRIVATE_KEY:
+@@ -5243,17 +5274,15 @@ show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 
+ 	if ((label = getLABEL(sess, obj, NULL)) != NULL) {
+ 		printf("  label:      %s\n", label);
+-		free(label);
+ 	}
+ 
+-	if ((id = getID(sess, obj, &size)) != NULL && size) {
++	if ((id = getID(sess, obj, &idsize)) != NULL && idsize) {
+ 		unsigned int	n;
+ 
+ 		printf("  ID:         ");
+-		for (n = 0; n < size; n++)
++		for (n = 0; n < idsize; n++)
+ 			printf("%02x", id[n]);
+ 		printf("\n");
+-		free(id);
+ 	}
+ 
+ 	printf("  Usage:      ");
+@@ -5355,7 +5384,26 @@ show_key(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 		printf("  Unique ID:  %s\n", unique_id);
+ 		free(unique_id);
+ 	}
+-
++	get_token_info(opt_slot, &info);
++	printf("  uri:        %s", get_uri(&info));
++	if (id != NULL && idsize) {
++		printf(";id=%%");
++		for (unsigned int n = 0; n < idsize; n++)
++			printf("%02x", id[n]);
++		free(id);
++	}
++	if (label != NULL) {
++		const char *pelabel = percent_encode((unsigned char *)label, strlen(label));
++		printf(";object=%s", pelabel);
++		free(label);
++	}
++	if (sec) {
++		printf(";type=secret-key\n");
++	} else if (pub) {
++		printf(";type=public\n");
++	} else {
++		printf(";type=private\n");
++	}
+ 	suppress_warn = 0;
+ }
+ 
+@@ -5363,6 +5411,7 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ {
+ 	CK_CERTIFICATE_TYPE	cert_type = getCERTIFICATE_TYPE(sess, obj);
+ 	CK_ULONG	size;
++	CK_TOKEN_INFO info;
+ 	unsigned char	*id;
+ 	char		*label;
+ 	char		*unique_id;
+@@ -5389,7 +5438,6 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 
+ 	if ((label = getLABEL(sess, obj, NULL)) != NULL) {
+ 		printf("  label:      %s\n", label);
+-		free(label);
+ 	}
+ 
+ #if defined(ENABLE_OPENSSL)
+@@ -5433,37 +5481,49 @@ static void show_cert(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 		for (n = 0; n < size; n++)
+ 			printf("%02x", id[n]);
+ 		printf("\n");
+-		free(id);
+ 	}
+ 	if ((unique_id = getUNIQUE_ID(sess, obj, NULL)) != NULL) {
+ 		printf("  Unique ID:  %s\n", unique_id);
+ 		free(unique_id);
+ 	}
++	get_token_info(opt_slot, &info);
++	printf("  uri:        %s", get_uri(&info));
++	if (id != NULL && size) {
++		printf(";id=%%");
++		for (unsigned int n = 0; n < size; n++)
++			printf("%02x", id[n]);
++		free(id);
++	}
++	if (label != NULL) {
++		const char *pelabel = percent_encode((unsigned char *)label, strlen(label));
++		printf(";object=%s", pelabel);
++		free(label);
++	}
++	printf(";type=cert\n");
+ }
+ 
+ static void show_dobj(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ {
+ 	unsigned char *oid_buf;
+ 	char *label;
++	char *application;
+ 	CK_ULONG    size = 0;
++	CK_TOKEN_INFO info;
+ 
+ 	suppress_warn = 1;
+ 	printf("Data object %u\n", (unsigned int) obj);
+ 	printf("  label:          ");
+ 	if ((label = getLABEL(sess, obj, NULL)) != NULL) {
+ 		printf("'%s'\n", label);
+-		free(label);
+-	}
+-	else   {
++	} else {
+ 		printf("<empty>\n");
+ 	}
+ 
+ 	printf("  application:    ");
+-	if ((label = getAPPLICATION(sess, obj, NULL)) != NULL) {
+-		printf("'%s'\n", label);
+-		free(label);
+-	}
+-	else   {
++	if ((application = getAPPLICATION(sess, obj, NULL)) != NULL) {
++		printf("'%s'\n", application);
++		free(application);
++	} else {
+ 		printf("<empty>\n");
+ 	}
+ 
+@@ -5494,8 +5554,16 @@ static void show_dobj(CK_SESSION_HANDLE sess, CK_OBJECT_HANDLE obj)
+ 		printf(" private");
+ 	if (!getMODIFIABLE(sess, obj) && !getPRIVATE(sess, obj))
+ 		printf("<empty>");
++	printf("\n");
+ 
+-	printf ("\n");
++	get_token_info(opt_slot, &info);
++	printf("  uri:            %s", get_uri(&info));
++	if (label != NULL) {
++		const char *pelabel = percent_encode((unsigned char *)label, strlen(label));
++		printf(";object=%s", pelabel);
++		free(label);
++	}
++	printf(";type=data\n");
+ 	suppress_warn = 0;
+ }
+ 
+@@ -8337,6 +8405,7 @@ static const char *
+ percent_encode(CK_UTF8CHAR *string, size_t len)
+ {
+ 	static char buffer[1024];
++	memset(buffer, 0, 1024);
+ 	size_t output_index, input_index;
+ 
+ 	while (len && string[len - 1] == ' ')
+diff --git a/tests/test-pkcs11-tool-test.sh b/tests/test-pkcs11-tool-test.sh
+index 2a1f43b8bc..1a96cbd754 100755
+--- a/tests/test-pkcs11-tool-test.sh
++++ b/tests/test-pkcs11-tool-test.sh
+@@ -20,12 +20,28 @@ assert $? "Failed to set up card"
+ echo "======================================================="
+ echo "Test"
+ echo "======================================================="
+-$PKCS11_TOOL --test -p $PIN --module $P11LIB
++$PKCS11_TOOL --test -p "${PIN}" --module "${P11LIB}"
+ assert $? "Failed running tests"
+ 
++echo "======================================================="
++echo "Test objects URI"
++echo "======================================================="
++$PKCS11_TOOL -O 2>/dev/null | grep 'uri:' 2>/dev/null >/dev/null
++assert $? "Failed running objects URI tests"
++$PKCS11_TOOL -O 2>/dev/null | grep 'uri:' | awk -F 'uri:' '{print $2}' | tr -d ' ' | grep ^"pkcs11:" 2>/dev/null >/dev/null
++assert $? "Failed running objects URI tests"
++
++echo "======================================================="
++echo "Test slots URI"
++echo "======================================================="
++$PKCS11_TOOL -L 2>/dev/null | grep 'uri' 2>/dev/null >/dev/null
++assert $? "Failed running slots URI tests"
++$PKCS11_TOOL -O 2>/dev/null | grep 'uri' | awk -F 'uri*:' '{print $2}' | tr -d ' '  | grep ^"pkcs11:" 2>/dev/null >/dev/null
++assert $? "Failed running slots URI tests"
++
+ echo "======================================================="
+ echo "Cleanup"
+ echo "======================================================="
+ card_cleanup
+ 
+-exit $ERRORS
++exit "${ERRORS}"

SOURCES/opensc-0.23.0-pkcs15init.patch

@@ -343,6 +343,115 @@ index 70a28048b..1eeeda064 100644
 -- 
 2.42.0
 
+From 609164045facaeae193feb48d9c2fc5cc4321e8a Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 16 Nov 2023 09:55:47 +0100
+Subject: [PATCH] epass2003: Avoid heap buffer overflow
+
+Removes also needless malloc & memcpy instead of returning the first
+allocated buffer.
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64215
+---
+ src/libopensc/card-epass2003.c    | 30 +++++++++++++++---------------
+ src/libopensc/cardctl.h           |  1 +
+ src/pkcs15init/pkcs15-epass2003.c |  7 ++++---
+ 3 files changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c
+index ed2ec649b..76ba339e6 100644
+--- a/src/libopensc/card-epass2003.c
++++ b/src/libopensc/card-epass2003.c
+@@ -3082,11 +3082,21 @@ epass2003_gen_key(struct sc_card *card, sc_epass2003_gen_key_data * data)
+ 	if (len < apdu.resplen)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
+ 
+-	if(256 == len)
++	if(256 == len) /* ECC 256 bit */
+ 	{
+-		int xCoordinateLen = rbuf[1];
+-		int yCoordinateLen = rbuf[2+xCoordinateLen+1];
+-		unsigned char * tmp =(u8 *)malloc(xCoordinateLen + yCoordinateLen);
++		size_t xCoordinateLen = rbuf[1];
++		size_t yCoordinateLen;
++		unsigned char *tmp;
++
++		if (2 + xCoordinateLen + 1 >= apdu.resplen) {
++			LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA);
++		}
++		yCoordinateLen = rbuf[2 + xCoordinateLen + 1];
++		if (2 + xCoordinateLen + 2 + yCoordinateLen >= apdu.resplen) {
++			LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA);
++		}
++		data->modulus_len = xCoordinateLen + yCoordinateLen;
++		tmp = (u8 *)malloc(data->modulus_len);
+ 		if(!tmp)
+ 		{
+ 			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+@@ -3109,17 +3119,7 @@ epass2003_gen_key(struct sc_card *card, sc_epass2003_gen_key_data * data)
+ 			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
+ 		}
+ 
+-		data->modulus = (u8 *) malloc(xCoordinateLen + yCoordinateLen);
+-		if (!data->modulus)
+-		{
+-			free(tmp);
+-			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+-		}
+-		else
+-		{
+-			memcpy(data->modulus, tmp, xCoordinateLen+yCoordinateLen);
+-			free(tmp);
+-		}
++		data->modulus = tmp;
+ 	}
+ 	else
+ 	{
+diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h
+index 9ce90ec15..acefbee5c 100644
+--- a/src/libopensc/cardctl.h
++++ b/src/libopensc/cardctl.h
+@@ -833,6 +833,7 @@ typedef struct sc_epass2003_gen_key_data_st {
+ 	 int pukey_id;
+ 	 size_t key_length;
+ 	 u8 *modulus;
++	 int modulus_len;
+ } sc_epass2003_gen_key_data;
+ 
+ 
+diff --git a/src/pkcs15init/pkcs15-epass2003.c b/src/pkcs15init/pkcs15-epass2003.c
+index b9b9a1156..92bf46895 100644
+--- a/src/pkcs15init/pkcs15-epass2003.c
++++ b/src/pkcs15init/pkcs15-epass2003.c
+@@ -638,10 +638,11 @@ static int epass2003_pkcs15_generate_key(struct sc_profile *profile,
+ 	gendat.pukey_id = pukf->id;
+ 	gendat.key_length = keybits;
+ 	gendat.modulus = NULL;
++	gendat.modulus_len = 0;
+ 	r = sc_card_ctl(card, SC_CARDCTL_ENTERSAFE_GENERATE_KEY, &gendat);
+ 	SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_VERBOSE, r,
+ 		    "generate RSA key pair failed");
+-	
++
+ 	if (!gendat.modulus) {
+ 		r = SC_ERROR_OUT_OF_MEMORY;
+ 		goto err;
+@@ -679,8 +680,8 @@ static int epass2003_pkcs15_generate_key(struct sc_profile *profile,
+ 		}
+ 
+ 		pubkey->u.ec.ecpointQ.value[0] = 0x04;
+-		memcpy(&pubkey->u.ec.ecpointQ.value[1], gendat.modulus, 64);
+-		pubkey->u.ec.ecpointQ.len = 65;
++		memcpy(&pubkey->u.ec.ecpointQ.value[1], gendat.modulus, gendat.modulus_len);
++		pubkey->u.ec.ecpointQ.len = gendat.modulus_len;
+ 
+ 		free(pubkey->u.ec.params.named_curve);
+ 		pubkey->u.ec.params.named_curve = NULL; 
+-- 
+2.42.0
+
 From 8fc2c20c3f895569eeb58328bb882aec07325d3b Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 7 Nov 2023 17:48:27 +0100
@@ -853,3 +962,55 @@ index 168894abd..feb9ebe18 100644
 -- 
 2.42.0
 
+From b5f6370a35f151497838628f78111087eb8e7ff1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 3 May 2023 16:47:44 +0200
+Subject: [PATCH] Fix cycling fuzz pkcs11 test
+
+---
+ src/tests/fuzzing/fuzz_pkcs11.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/fuzzing/fuzz_pkcs11.c b/src/tests/fuzzing/fuzz_pkcs11.c
+index b2a4c985e..b6e05c9ad 100644
+--- a/src/tests/fuzzing/fuzz_pkcs11.c
++++ b/src/tests/fuzzing/fuzz_pkcs11.c
+@@ -509,7 +509,7 @@ static void test_verify(const uint8_t *data, size_t size)
+ 		memcpy(in_buffer, verify_data, verify_data_size);
+ 		p11->C_Verify(session, in_buffer, verify_data_size, sig_buffer, sig_len);
+ 	} else {
+-		while (size > 0) {
++		while (verify_data_size > 0) {
+ 			to_process = verify_data_size < sizeof(in_buffer) ? verify_data_size : sizeof(in_buffer);
+ 			verify_data_size -= to_process;
+ 			memcpy(in_buffer, data, to_process);
+-- 
+2.42.0
+
+From ffbff25ec6c6d0ad3f8df76f57210698f7947fc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Fri, 11 Aug 2023 09:44:57 +0200
+Subject: [PATCH] fuzz_pkcs11.c: Use valid data for verify
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60971
+---
+ src/tests/fuzzing/fuzz_pkcs11.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/fuzzing/fuzz_pkcs11.c b/src/tests/fuzzing/fuzz_pkcs11.c
+index b6e05c9ad..fdc163b48 100644
+--- a/src/tests/fuzzing/fuzz_pkcs11.c
++++ b/src/tests/fuzzing/fuzz_pkcs11.c
+@@ -512,7 +512,7 @@ static void test_verify(const uint8_t *data, size_t size)
+ 		while (verify_data_size > 0) {
+ 			to_process = verify_data_size < sizeof(in_buffer) ? verify_data_size : sizeof(in_buffer);
+ 			verify_data_size -= to_process;
+-			memcpy(in_buffer, data, to_process);
++			memcpy(in_buffer, verify_data, to_process);
+ 			verify_data += to_process;
+ 
+ 			if (p11->C_VerifyUpdate(session, in_buffer, to_process) != CKR_OK)
+-- 
+2.42.0
+

SPECS/opensc.spec

@@ -2,64 +2,33 @@
 %define nssdb %{_sysconfdir}/pki/nssdb
 
 Name:           opensc
-Version:        0.20.0
-Release:        8%{?dist}
+Version:        0.23.0
+Release:        5%{?dist}
 Summary:        Smart card library and applications
 
-Group:          System Environment/Libraries
 License:        LGPLv2+
 URL:            https://github.com/OpenSC/OpenSC/wiki
 Source0:        https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source1:        opensc.module
-Patch6:         opensc-0.19.0-pinpad.patch
-# https://github.com/OpenSC/OpenSC/pull/1772
-Patch8:         opensc-0.19.0-idprime.patch
-# https://github.com/OpenSC/OpenSC/pull/1987
-Patch9:         opensc-0.20.0-cardos.patch
-# https://github.com/OpenSC/OpenSC/pull/2129
-Patch10:        opensc-0.20.0-cac-pin-change.patch
-# https://github.com/OpenSC/OpenSC/commit/6903aebf
-Patch11:        opensc-0.20.0-CVE-2020-26570.patch
-# https://github.com/OpenSC/OpenSC/commit/ed55fcd2
-Patch12:        opensc-0.20.0-CVE-2020-26571.patch
-# https://github.com/OpenSC/OpenSC/commit/9d294de9
-Patch13:        opensc-0.20.0-CVE-2020-26572.patch
-# https://github.com/OpenSC/OpenSC/commit/8d4af9eb
-Patch14:        opensc-0.20.0-label-padding.patch
-# https://github.com/OpenSC/OpenSC/commit/f1bcadfb
-# https://github.com/OpenSC/OpenSC/pull/2166
-Patch15:        opensc-0.20.0-calloc0.patch
-# https://github.com/OpenSC/OpenSC/pull/2148
-# + configuration change by default
-Patch16:        opensc-0.20.0-file-cache.patch
-# https://github.com/OpenSC/OpenSC/pull/1929
-Patch17:        opensc-0.20.0-idprime.patch
-# https://github.com/OpenSC/OpenSC/pull/2787
-Patch18:        opensc-0.20.0-CVE-2023-2977.patch
-# 31d8c2dfd14ed01b430def2f46cc718ef4b595fc
-# 8f4a6c703b5ae7d4f44cf33c85330171afa917bf
-# https://github.com/OpenSC/OpenSC/pull/1970 without the first and last commits
-# https://github.com/OpenSC/OpenSC/pull/1923
-# https://github.com/OpenSC/OpenSC/pull/2051
-# https://github.com/OpenSC/OpenSC/pull/2077
-# https://github.com/OpenSC/OpenSC/pull/2418
-# https://github.com/OpenSC/OpenSC/pull/2600
-# c2e00e9071952b30ed6d58d9b7670eb3d93ea6fb
-# https://github.com/OpenSC/OpenSC/pull/2740
-## OpenSC notify build issues
-# 5e79a2a4abdd523cfff19824718bbb0d8ced7320
-# 843779fe6e0f345f483f9ce9c9739913502391eb
-# 7936bdef15c71139a6a6159cabaf9e6101565add
-# 1202eceeefd5ffab45648d41ed0a3076cac10920
-# 295f399304644e6b0acde267ac410d0aae4a1aee
-# ca01aa7a8edc8280a5ceadebb472c2e3c198d8c2
-Patch19:        opensc-0.20.0-reader-removal.patch
+Patch1:         opensc-0.19.0-pinpad.patch
+# File caching by default (#2000626)
+Patch8:         %{name}-0.22.0-file-cache.patch
+# https://github.com/OpenSC/OpenSC/pull/2656
+Patch9:         %{name}-0.23.0-pkcs11-tool-import.patch
+# https://github.com/OpenSC/OpenSC/pull/2712
+Patch10:         %{name}-0.23.0-openssl-ctx.patch
+# https://github.com/OpenSC/OpenSC/pull/2753
+# https://github.com/OpenSC/OpenSC/commit/e8fba322a2f4d06ec5c74fe80f9e2b0e9fdefec6
+# https://github.com/OpenSC/OpenSC/commit/891f10e49de1a5ee038b1cb2fb59dce40429e6c2
+Patch11:         %{name}-0.23.0-openpgp.patch
+# https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+Patch12:        %{name}-0.23.0-cardos-pkcs15init.patch
 # https://github.com/OpenSC/OpenSC/commit/bff98ff078a99e6864ba1a598fd7dc9af4a9476b
 # https://github.com/OpenSC/OpenSC/commit/0875c69295ef28b45fb682b37cede58fc36b7a1a
-Patch20:        %{name}-0.23.0-cache-offsets.patch
+Patch13:        %{name}-0.23.0-cache-offsets.patch
 # https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7
 # https://github.com/OpenSC/OpenSC/commit/80cc5d30635f0d2c92b5099c0f9dc680d0ffce2f
-Patch21:        %{name}-0.23.0-pin-bypass.patch
+Patch14:        %{name}-0.23.0-pin-bypass.patch
 # https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7
 # https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651
 # https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e
@@ -70,32 +39,50 @@ Patch21:        %{name}-0.23.0-pin-bypass.patch
 # https://github.com/OpenSC/OpenSC/commit/e7f81d86dcdc751f4737f4b29a99bfc54d29c5c9
 # https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1
 # https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec
-# https://github.com/OpenSC/OpenSC/commit/013a807492568bf9907cfb3df41f130ac83c7b9
+# https://github.com/OpenSC/OpenSC/commit/4013a807492568bf9907cfb3df41f130ac83c7b9
+# https://github.com/OpenSC/OpenSC/commit/09164045facaeae193feb48d9c2fc5cc4321e8a
 # https://github.com/OpenSC/OpenSC/commit/fc2c20c3f895569eeb58328bb882aec07325d3b
 # https://github.com/OpenSC/OpenSC/commit/3b9129bd3cfc6ac57d5554e015c3df85f5076dc
 # https://github.com/OpenSC/OpenSC/commit/bda61d0d276dc98b9d1d1e6810bbd21d19e3859
 # https://github.com/OpenSC/OpenSC/commit/a4921ab23fd0853f327517636c50de947548161
 # https://github.com/OpenSC/OpenSC/commit/085994384a7171c5c68f6718d9db10ed77c5af1
 # https://github.com/OpenSC/OpenSC/commit/0f0985f6343eeac4044661d56807ee9286db42c
-Patch22:        %{name}-0.23.0-pkcs15init.patch
+# https://github.com/OpenSC/OpenSC/commit/5f6370a35f151497838628f78111087eb8e7ff1
+# https://github.com/OpenSC/OpenSC/commit/fbff25ec6c6d0ad3f8df76f57210698f7947fc3
+Patch15:        %{name}-0.23.0-pkcs15init.patch
+# https://github.com/OpenSC/OpenSC/commit/cde2e050ec4f2f1b7db38429aa4e9c0f4656308c
+# https://github.com/OpenSC/OpenSC/commit/f1993dc4e0b33050b8f72a3558ee88b24c4063b2
+Patch16:        %{name}-0.23.0-myeid-sym.patch
 # https://github.com/OpenSC/OpenSC/pull/2948
 # https://github.com/OpenSC/OpenSC/pull/3016
-Patch23:        %{name}-0.23.0-constant-time-pkcs1.patch
+Patch17:        %{name}-0.23.0-constant-time-pkcs1.5.patch
+# https://github.com/OpenSC/OpenSC/pull/3125
+# https://github.com/OpenSC/OpenSC/pull/3130
+Patch18:        %{name}-0.23.0-pkcs11-uri.patch
 
+BuildRequires:  make
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
 BuildRequires:  openssl-devel
 BuildRequires:  /usr/bin/xsltproc
 BuildRequires:  docbook-style-xsl
 BuildRequires:  autoconf automake libtool gcc
-BuildRequires:  desktop-file-utils
 BuildRequires:  bash-completion
 BuildRequires:  zlib-devel
+# For tests
+BuildRequires:  libcmocka-devel
+BuildRequires:  vim-common
+%if ! 0%{?rhel}
+BuildRequires:  softhsm
+%endif
+BuildRequires:  openssl
 Requires:       pcsc-lite-libs%{?_isa}
 Requires:       pcsc-lite
 Obsoletes:      mozilla-opensc-signer < 0.12.0
 Obsoletes:      opensc-devel < 0.12.0
 Obsoletes:      coolkey <= 1.1.0-36
+# The simclist is bundled in upstream
+Provides:       bundled(simclist) = 1.5
 
 %description
 OpenSC provides a set of libraries and utilities to work with smart cards. Its
@@ -109,23 +96,18 @@ every software/card that does so, too.
 
 %prep
 %setup -q
-%patch6 -p1 -b .pinpad
-%patch8 -p1 -b .idprime
-%patch9 -p1 -b .cardos
-%patch10 -p1 -b .cac-pin-change
-%patch11 -p1 -b .CVE-2020-26570
-%patch12 -p1 -b .CVE-2020-26571
-%patch13 -p1 -b .CVE-2020-26572
-%patch14 -p1 -b .padding
-%patch15 -p1 -b .calloc0
-%patch16 -p1 -b .file-cache
-%patch17 -p1 -b .idprime
-%patch18 -p1 -b .CVE-2023-2977
-%patch19 -p1 -b .reader-removal
-%patch20 -p1 -b .cache-offsets
-%patch21 -p1 -b .pin-bypass
-%patch22 -p1 -b .pkcs15init
-%patch23 -p1 -b .constant-time-pkcs1.5
+%patch1 -p1 -b .pinpad
+%patch8 -p1 -b .file-cache
+%patch9 -p1 -b .pkcs11-tool-import
+%patch10 -p1 -b .ossl3context
+%patch11 -p1 -b .openpgp
+%patch12 -p1 -b .cardos-pkcs15init
+%patch13 -p1 -b .cache-offsets
+%patch14 -p1 -b .pin-bypass
+%patch15 -p1 -b .pkcs15init
+%patch16 -p1 -b .myeid-sym
+%patch17 -p1 -b .constant-time-pkcs1
+%patch18 -p1 -b .pkcs11-uri
 
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .
@@ -135,25 +117,30 @@ sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.example.
 
 %build
 autoreconf -fvi
-%ifarch %{ix86} ppc s390
+%ifarch %{ix86}
 sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
 %endif
 sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
-%configure  --disable-static \
+%set_build_flags
+CFLAGS="$CFLAGS -Wstrict-aliasing=2 -Wno-deprecated-declarations"
+%configure --disable-static \
   --disable-autostart-items \
+  --disable-notify \
   --disable-assert \
   --enable-pcsc \
-  --disable-tests \
-  --enable-sm \
-  --with-pcsc-provider=libpcsclite.so.1
-make %{?_smp_mflags} V=1
+  --enable-cmocka \
+  --enable-sm
+%make_build
 
 
+%check
+make check
+
 %install
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module
 
-%ifarch %{ix86} ppc s390
+%ifarch %{ix86}
 # To avoid multilib issues, move these files on 32b intel architectures
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf
 install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf
@@ -175,51 +162,29 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc
 # public headers and pkgconfig files.
 # Remove the symlink as nothing is supposed to link against libopensc.
 rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so
+# remove the .pc file so we do not confuse users #1673139
+rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/*.pc
 rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so
-%if 0%{?rhel} && 0%{?rhel} < 7
-rm -rf %{buildroot}%{_datadir}/bash-completion/
-%endif
 
 # the npa-tool builds to nothing since we do not have OpenPACE library
 rm -rf %{buildroot}%{_bindir}/npa-tool
 rm -rf %{buildroot}%{_mandir}/man1/npa-tool.1*
 
-# We use p11-kit for pkcs11 modules registration
+# the pkcs11-register is not applicable to Fedora/RHEL where we use p11-kit
 rm -rf %{buildroot}%{_bindir}/pkcs11-register
-# It is even missing the manual page
-#rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1*
+rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1*
 
-desktop-file-validate %{buildroot}/%{_datadir}/applications/org.opensc.notify.desktop
+# Remove the notification files
+rm %{buildroot}%{_datadir}/applications/org.opensc.notify.desktop
+rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 
-%post
-/sbin/ldconfig
-# Remove our PKCS#11 module from NSS DB, if there is NSS installed, because
-# it is already loaded by p11-kit-proxy. Using both of them can cause
-# race conditions and hard-to-debug problems
-# TODO Remove with F30 or so
-if [ -x /usr/bin/modutil ]; then
-	isThere=`modutil -rawlist -dbdir %{nssdb} | grep %{opensc_module} || echo NO`
-	if [ ! "$isThere" == "NO" ]; then
-		modutil -delete %{opensc_module} -dbdir %{nssdb} -force || :
-
-	fi
-	isThere=`modutil -rawlist -dbdir sql:%{nssdb} | grep %{opensc_module} || echo NO`
-	if [ ! "$isThere" == "NO" ]; then
-		modutil -delete %{opensc_module} -dbdir sql:%{nssdb} -force || :
-	fi
-fi
-
-%postun
-/sbin/ldconfig
 
 %files
 %doc COPYING NEWS README*
 
-%if ! 0%{?rhel} || 0%{?rhel} >= 7
 %{_datadir}/bash-completion/*
-%endif
 
-%ifarch %{ix86} ppc s390
+%ifarch %{ix86}
 %{_mandir}/man5/opensc-%{_arch}.conf.5*
 %else
 %config(noreplace) %{_sysconfdir}/opensc.conf
@@ -227,6 +192,9 @@ fi
 %endif
 
 %config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf
+# Co-owned with p11-kit so it is not hard dependency
+%dir %{_datadir}/p11-kit
+%dir %{_datadir}/p11-kit/modules
 %{_datadir}/p11-kit/modules/opensc.module
 %{_bindir}/cardos-tool
 %{_bindir}/cryptoflex-tool
@@ -238,7 +206,6 @@ fi
 %{_bindir}/opensc-explorer
 %{_bindir}/opensc-tool
 %{_bindir}/opensc-asn1
-%{_bindir}/opensc-notify
 %{_bindir}/piv-tool
 %{_bindir}/pkcs11-tool
 %{_bindir}/pkcs15-crypt
@@ -248,13 +215,11 @@ fi
 %{_bindir}/dnie-tool
 %{_bindir}/westcos-tool
 %{_bindir}/egk-tool
-%{_datadir}/applications/org.opensc.notify.desktop
 %{_bindir}/goid-tool
 %{_libdir}/lib*.so.*
 %{_libdir}/opensc-pkcs11.so
 %{_libdir}/pkcs11-spy.so
 %{_libdir}/onepin-opensc-pkcs11.so
-%{_libdir}/pkgconfig/*.pc
 %%dir %{_libdir}/pkcs11
 %{_libdir}/pkcs11/opensc-pkcs11.so
 %{_libdir}/pkcs11/onepin-opensc-pkcs11.so
@@ -264,13 +229,13 @@ fi
 %{_mandir}/man1/cryptoflex-tool.1*
 %{_mandir}/man1/eidenv.1*
 %{_mandir}/man1/gids-tool.1*
+%{_mandir}/man1/goid-tool.1*
 %{_mandir}/man1/iasecc-tool.1*
 %{_mandir}/man1/netkey-tool.1*
 %{_mandir}/man1/openpgp-tool.1*
 %{_mandir}/man1/opensc-explorer.*
 %{_mandir}/man1/opensc-tool.1*
 %{_mandir}/man1/opensc-asn1.1*
-%{_mandir}/man1/opensc-notify.1*
 %{_mandir}/man1/piv-tool.1*
 %{_mandir}/man1/pkcs11-tool.1*
 %{_mandir}/man1/pkcs15-crypt.1*
@@ -284,62 +249,116 @@ fi
 
 
 %changelog
-* Thu Feb 08 2024 Veronika Hanulikova <vhanulik@redhat.com> - 0.20.0-8
+* Thu Oct 24 2024 Veronika Hanulikova <vhanulik@redhat.com> - 0.23.0-5
+- Add URI in PKCS#11 objects and pkcs11-tool (RHEL-53115)
+
+* Thu Feb 08 2024 Veronika Hanulikova <vhanulik@redhat.com> - 0.23.0-4
 - Fix CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding
 
-* Thu Nov 30 2023 Jakub Jelen <jjelen@redhat.com> - 0.20.0-7
-- Fix file caching with different offsets (RHEL-4077)
+* Thu Nov 30 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-3
+- Fix file caching with different offsets (RHEL-4079)
 - Fix CVE-2023-40660: Potential PIN bypass
 - Fix CVE-2023-40661: Dynamic analyzers reports in pkcs15init
-- Fix CVE-2023-5992: Marvin: Side-channel leaks while stripping encryption PKCS#1.5 padding
+- Fix CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys
+- Fix CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding
 
-* Tue Jul 11 2023 Jakub Jelen <jjelen@redhat.com> - 0.20.0-6
-- Fix introduced issues tagged by coverity (RHEL-765)
+* Thu May 25 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-2
+- Fix regression in handling OpenPGP cards
+- Fix CVE-2023-2977: buffer overrun in pkcs15init for cardos
 
-* Thu Jun 15 2023 Jakub Jelen <jjelen@redhat.com> - 0.20.0-5
-- Avoid potential crash because of missing list terminator (#2196234)
-- Fix CVE-2023-2977: potential buffer overrun in pkcs15 cardos_have_verifyrc_package (#2211093)
-- Backport upstream changes regarding to reader removal (#2097048)
+* Wed Mar 08 2023 Jakub Jelen <jjelen@redhat.com> - 0.23.0-1
+- Rebase to latest 0.23.0 release (#2100409)
+- Use separate OpenSSL context to work better from inside of OpenSSL providers
 
-* Fri Nov 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-4
-- Use file cache by default (#1892810)
-- Avoid calloc with 0 argument (#1895401)
+* Fri Oct 08 2021 Jakub Jelen <jjelen@redhat.com> - 0.22.0-2
+- Unbreak detection of unentrolled smart cards (#2007029)
+- Enable file caching by default except for pkcs15-init (#2000626)
 
-* Tue Oct 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-3
-- Support PIN change for HID Alt tokens (#1830901)
-- Fix CVE-2020-26570, CVE-2020-26571 and CVE-2020-26572
-- Fix right padding of token labels of some cards (#1877973)
+* Wed Aug 11 2021 Jakub Jelen <jjelen@redhat.com> - 0.22.0-1
+- New upstream release (#1970534)
 
-* Wed May 27 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-2
-- Unbreak different CardOS 5 configurations supporting raw RSA (#1830856)
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.21.0-9
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Wed Apr 22 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-1
-- Rebase to current upstream release (#1810660)
+* Thu Jul 15 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-8
+- Fix issue with handling EC keys in OpenSSL 3.0 (#1953480)
 
-* Mon Nov 25 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-7
-- Unbreak RSA-PSS mechanisms in -6 release (#1775673)
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.21.0-7
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
 
-* Thu Nov 14 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-6
-- Add support for Gemalto IDPrime smart cards (#1657970)
-- Fix 2k RSA key operations with Coolkey (#1766712)
+* Mon May 24 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-6
+- Build against OpenSSL 3.0 (#1953480)
 
-* Thu Apr 18 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-5
-- Avoid multilib issues (#1693380)
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.21.0-5
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Wed Dec 12 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-4
-- Unbreak the Dual CAC cards in PIV driver (#1651748)
-- Fix few more corner cases for handling different types of padding (#1595626)
-- Unbreak signature verification in pkcs11-tool (#1651748)
+* Thu Feb 25 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-4
+- Couple of more issues of strict aliasing (#1930652)
+
+* Tue Feb 23 2021 Jakub Jelen <jjelen@redhat.com> - 0.21.0-3
+- Unbreak with gcc11 (#1930652)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.21.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 0.21.0-1
+- New upstream release (#1884886)
+
+* Fri Oct 30 2020 Jeff Law <law@redhat.com> - 0.20.0-9
+- Fix potentially uninitialized array reference exposed by gcc-11
+
+* Wed Aug 19 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 0.20.0-8
+- Drop useless ldconfig scriptlets
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.20.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed May 13 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-6
+- Unbreak CardOS 5.x support (#1830528)
+
+* Mon Feb 10 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-5
+- Unbreak build on gcc10 with -fno-common (#1799836)
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.20.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 10 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-3
+- Drop the notification support for now
+
+* Fri Jan 10 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-2
+- Cleanup spec file
+- Split notify support to separate subpackage
+
+* Thu Jan 02 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-1
+- New upstream release (#1749357)
+- Fixes for various security issues identified by fuzzing (#1765223, #1765231, #1782520, #1782951, #1782956)
+
+* Mon Sep 30 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-8
+- Correctly mention bundled simclist library
+- Add missing zlib build requires (#1756326)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.19.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Mar 27 2019 Jakub Jelen <jjelen@redhat.com> - 0.19.0-6
+- Make OpenSC multilib again by moving the offending files on ix86 arch
+- Do not ship packageconfig files to avoid inadvertent linking against pkcs11 modules (#1673139)
+
+* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.19.0-5
+- Rebuild for readline 8.0
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.19.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
 * Wed Oct 31 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-3
-- Unbreak the RSA-PSS mechanisms (#1595626)
-- Unbreak the signing using hashed mechanisms in CardOS and others (#1644338)
+- Unbreak the RSA-PSS mechanisms
+- Unbreak the signing using hashed mechanisms in CardOS and others
 
 * Mon Oct 22 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-2
-- Avoid mismatching coolkey cards for muscle ones (#1588722)
-- Implement legacy CAC1 driver (#1638052)
-- Disable pinpad
-- Fixup verification after RSA-PSS implementation
+- Fix verification after implementing RSA-PSS mechanisms
+- Disable pinpad by default
 
 * Tue Sep 25 2018 Jakub Jelen <jjelen@redhat.com> - 0.19.0-1
 - New upstream release fixing various CVE-2018-16418 - 16421, 16423 - 16427
@@ -599,7 +618,7 @@ fi
 - Autorebuild for GCC 4.3
 
 * Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 0.11.4-3
- - Rebuild for deps
+- Rebuild for deps
 
 * Wed Dec  5 2007 Ville Skyttä <ville.skytta at iki.fi> - 0.11.4-2
 - Rebuild.