SLFO-pool/opensc
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main opensc revision 8aaa3bcb100ffedcf401a011ee060568

Browse Source
This commit is contained in:
Adrian Schröter 2024-05-03 17:30:39 +02:00
commit f6dd5cb2bb
9 changed files with 1114 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

25
CVE-2024-1454.patch Normal file
View File

@ -0,0 +1,25 @@
From 5835f0d4f6c033bd58806d33fa546908d39825c9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 18 Dec 2023 11:09:50 +0100
Subject: [PATCH] authentic: Avoid use after free
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64898
---
src/pkcs15init/pkcs15-authentic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pkcs15init/pkcs15-authentic.c b/src/pkcs15init/pkcs15-authentic.c
index a6d8b8ffad..798bc44138 100644
--- a/src/pkcs15init/pkcs15-authentic.c
+++ b/src/pkcs15init/pkcs15-authentic.c
@@ -868,7 +868,7 @@ authentic_emu_update_tokeninfo(struct sc_profile *profile, struct sc_pkcs15_card
rv = sc_select_file(p15card->card, &path, &file);
if (!rv) {
rv = sc_get_challenge(p15card->card, buffer, sizeof(buffer));
- if (!rv) {
+ if (rv < 0) {
sc_file_free(file);
LOG_TEST_RET(ctx, rv, "Get challenge error");
}

5
baselibs.conf Normal file
View File

@ -0,0 +1,5 @@
opensc
+/usr/lib(64)?/*.la
+/usr/lib(64)?/*.so*
+/usr/lib(64)?/pkcs11/*.so
requires "opensc = <version>"

BIN
opensc-0.24.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

31
opensc-gcc11.patch Normal file
View File

@ -0,0 +1,31 @@
diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c
index 41e620a..57f8a79 100644
--- a/src/tools/opensc-explorer.c
+++ b/src/tools/opensc-explorer.c
@@ -1839,6 +1839,12 @@ static int do_apdu(int argc, char **argv)
if (argc < 1)
return usage(do_apdu);
+ /* gcc-11 complains about BUF potentially being used without being
+ initialized. I can't convince myself that the calls to
+ parse_string_or_hexdata will fully initialize it, so we just
+ initialize it here. */
+ memset (buf, 0, sizeof (buf));
+
/* loop over the args and parse them, making sure the result fits into buf[] */
for (i = 0, len = 0; i < (unsigned) argc && len < sizeof(buf); i++) {
size_t len0 = sizeof(buf) - len;
commit 1680b3a1fb15319e41dbe3214ef8c4a4c215d529
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Feb 23 19:57:02 2021 +0100
Fix build on gcc11
This made most of the applications crashing in Fedora 34 when
smart card was plugged in.
The suggested patch makes the code path more obvious for gcc to
handle.
https://bugzilla.redhat.com/show_bug.cgi?id=1930652

3
opensc-rpmlintrc Normal file
View File

@ -0,0 +1,3 @@
# There is no devel package any more.
addFilter("obsolete-not-provided")
addFilter("devel-file-in-non-devel-package")

910
opensc.changes Normal file
View File

@ -0,0 +1,910 @@
-------------------------------------------------------------------
Sun Feb 25 20:35:05 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Add CVE-2024-1454.patch.
Fix for CVE-2024-1454 / bsc#1219868.
-------------------------------------------------------------------
Wed Dec 13 12:27:34 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Update to OpenSC 0.24.0:
* Security
- CVE-2023-40660: Fix Potential PIN bypass
(#2806, frankmorgner/OpenSCToken#50, #2807)
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption
using symmetric keys (f1993dc)
* General improvements
- Fix compatibility of EAC with OpenSSL 3.0 (#2674)
- Enable use_file_cache by default (#2501)
- Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
- Fix record-based files (#2604)
- Fix several race conditions (#2735)
- Run tests under Valgrind (#2756)
- Test signing of data bigger than 512 bytes (#2789)
- Update to OpenPACE 1.1.3 (#2796)
- Implement logout for some of the card drivers (#2807)
- Fix wrong popup position of opensc-notify (#2901)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card
drivers, PKCS#11 and PKCS#15 init
* PKCS#11
- Check card presence state in C_GetSessionInfo (#2740)
- Remove onepin-opensc-pkcs11 module (#2681)
- Do not use colons in the token info label (#2760)
- Present profile objects in all slots with the CKA_TOKEN attribute to
resolve issues with NSS (#2928, #2924)
- Use secure memory for PUK (#2906)
- Don't logout to preserve concurrent access from different processes
(#2907)
- Add more examples to manual page (#2936)
- Present profile objects in all virtual slots (#2928)
- Provide CKA_TOKEN attribute for profile objects (#2924)
- Improve --slot parameter documentation (#2951)
* PKCS#15
- Honor cache offsets when writing file cache (#2858)
- Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
- Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and
back to PKCS#11 (#2936)
* Minidriver
- Fix for private keys that do not need a PIN (#2722)
- Unbreak decipher when the first null byte of PKCS#1.5 padding is
missing (#2939*
* pkcs11-tool
- Fix RSA key import with OpenSSL 3.0 (#2656)
- Add support for attribute filtering when listing objects (#2687)
- Add support for --private flag when writing certificates (#2768)
- Add support for non-AEAD ciphers to the test mode (#2780)
- Show CKA_SIGN attribute for secret keys (#2862)
- Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys
(#2864, #2913)
- Show Sign/VerifyRecover attributes (#2888)
- Add option to import generic keys (#2955)
* westcos-tool
- Generate 2k RSA keys by default (b53fc5c)
* pkcs11-register
- Disable autostart on Linux by default (#2680)
* IDPrime
- Add support for IDPrime MD 830, 930 and 940 (#2666)
- Add support for SafeNet eToken 5110 token (#2812)
- Process index even without keyrefmap and use correct label for second
PIN (#2878)
- Add support for Gemalto IDPrime 940C (#2941)
* EPass2003
- Change of PIN requires verification of the PIN (#2759)
- Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
- Use true random number for mutual authentication for SM (#2766)
- Add verification of data coming from the token in the secure messaging
mode (#2772)
- Avoid success when using unsupported digest and fix data length for RAW
ECDSA signatures (#2845)
* OpenPGP
- Fix select data command (#2753, issue #2752)
- Unbreak ed/curve25519 support (#2892)
* eOI
- Add support for Slovenian eID card (eOI) (#2646)
* Italian CNS
- Add support for IDEMIA (Oberthur) tokens (#2483)
* PIV
- Add support for Swissbit iShield FIDO2 Authenticator (#2671)
- Implement PIV secure messaging (#2053)
* SkeID
- Add support for Slovak eID cards (#2672)
* isoApplet
- Support ECDSA with off-card hashing (#2642)
* MyEID
- Fix WRAP operation when using T0 (#2695)
- Identify changes on the card and enable use_file_cache (#2798)
- Workaround for unwrapping using 2K RSA key (#2921)
* SC-HSM
- Add support for opensc-tool --serial (#2675)
- Fix unwrapping of 4096 keys with handling reader limits (#2682)
- Indicate supported hashes and MGF1s (#2827)
- Remove patches:
* opensc-CVE-2023-40660-1of2.patch
* opensc-CVE-2023-40660-2of2.patch
* opensc-CVE-2023-40661-1of12.patch
* opensc-CVE-2023-40661-2of12.patch
* opensc-CVE-2023-40661-3of12.patch
* opensc-CVE-2023-40661-4of12.patch
* opensc-CVE-2023-40661-5of12.patch
* opensc-CVE-2023-40661-6of12.patch
* opensc-CVE-2023-40661-7of12.patch
* opensc-CVE-2023-40661-8of12.patch
* opensc-CVE-2023-40661-9of12.patch
* opensc-CVE-2023-40661-10of12.patch
* opensc-CVE-2023-40661-11of12.patch
* opensc-CVE-2023-40661-12of12.patch
* opensc-CVE-2023-4535.patch
* opensc-CVE-2023-2977.patch
* opensc-NULL_pointer_fix.patch
-------------------------------------------------------------------
Fri Oct 6 06:49:24 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-40661, bsc#1215761]
* opensc: multiple memory issues with pkcs15-init (enrollment tool)
* Add patches:
- opensc-CVE-2023-40661-1of12.patch
- opensc-CVE-2023-40661-2of12.patch
- opensc-CVE-2023-40661-3of12.patch
- opensc-CVE-2023-40661-4of12.patch
- opensc-CVE-2023-40661-5of12.patch
- opensc-CVE-2023-40661-6of12.patch
- opensc-CVE-2023-40661-7of12.patch
- opensc-CVE-2023-40661-8of12.patch
- opensc-CVE-2023-40661-9of12.patch
- opensc-CVE-2023-40661-10of12.patch
- opensc-CVE-2023-40661-11of12.patch
- opensc-CVE-2023-40661-12of12.patch
-------------------------------------------------------------------
Thu Oct 5 13:45:16 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-4535, bsc#1215763]
* Add patches:
- opensc-CVE-2023-4535.patch
- opensc-NULL_pointer_fix.patch
-------------------------------------------------------------------
Wed Oct 4 13:26:11 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-40660, bsc#1215762]
* opensc: PIN bypass when card tracks its own login state
* Add patches:
- opensc-CVE-2023-40660-1of2.patch
- opensc-CVE-2023-40660-2of2.patch
-------------------------------------------------------------------
Thu Jun 1 12:55:19 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-2977, bsc#1211894]
* opensc: out of bounds read in pkcs15 cardos_have_verifyrc_package()
* Add opensc-CVE-2023-2977.patch
-------------------------------------------------------------------
Tue Nov 29 17:52:46 UTC 2022 - Michael Ströder <michael@stroeder.com>
- Update to OpenSC 0.23.0:
* General improvements
- Support signing of data with a length of more than 512 bytes (#2314)
- By default, disable support for old card drivers (#2391) and remove
support for old drivers MioCOS and JCOP (#2374)
- Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
- Compatibility with LibreSSL (#2495, #2595)
- Remove support for DSA (#2503)
- Extend p11test to support symmetric keys (#2430)
- Notice detached reader on macOS (#2418)
- Support for OAEP padding (#2475, #2484)
- Fix for PSS salt length (#2478)
- Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding
card drivers, PKCS#11 and PKCS#15 init
- Fix issues with OpenPACE (#2472)
- Containers support for local testing
- Add support for encryption and decryption using symmetric keys (#2473, #2607)
- Stop building support for Gost algorithms with OpenSSL 3.0 as they
require deprecated API (#2586)
- Fix detection of disconnected readers in PCSC (#2600)
- Add configuration option for on-disk caching of private data (#2588)
- Skip building empty binaries when dependencies are missing and
remove needless linking (#2617)
- Define arm64 as a supported architecture in the Installer package (#2610)
* PKCS#11
- Implement C_CreateObject for EC keys and fix signature verification
for CKM_ECDSA_SHAx cards (#2420)
* pkcs11-tool
- Add more elliptic curves (#2301)
- Add support for symmetric encrypt and decrypt, wrap and unwrap operations,
and initialization vector (#2268)
- Fix consistent handling of secret key attributes (#2497)
- Add support for signing and verifying with HMAC (#2385)
- Add support for SHA3 (#2467)
- Make object selectable via label (#2570)
- Do not require an R/W session for some operations and
add --session-rw option (#2579)
- Print more information: CKA_UNIQUE_ID attribute, SHA3 HMACs and
serial number for certificates (#2644, #2643, #2641)
- Add new option --undestroyable to create keys with CKA_DESTROYABLE=FALSE (#2645)
* sc-hsm-tool
- Add options for public key authentication (#2301)
* Minidriver
- Fix reinit of the card (#2525)
- Add an entry for Italian CNS (e) (#2548)
- Fix detection of ECC mechanisms (#2523)
- Fix ATRs before adding them to the windows registry (#2628)
* NQ-Applet
- Add support for the JCOP4 Cards with NQ-Applet (#2425)
* ItaCNS
- Add support for ItaCMS v1.1 (key length 2048) (#2371)
* Belpic
- Add support for applet v1.8 (#2455)
* Starcos
- Add ATR for V3.4 (#2464)
- Add PKCS#15 emulator for 3.x cards with eSign app (#2544)
* ePass2003
- Fix PKCS#15 initialization (#2403)
- Add support for FIPS (#2543)
- Fix matching with newer versions and tokens initialized with OpenSC (#2575)
* MyEID
- Support logout operation (#2557)
- Support for symmetric encryption and decryption (#2473, #2607)
* GIDS
- Fix decipher for TPM (#1881)
* OpenPGP
- Get the list of supported algorithms from algorithm information
on the card (#2287)
- Support for 3 certificates with OpenPGP 3+ (#2103)
* nPA
- Fix card detection (#2463)
* Rutoken
- Fix formatting rtecp cards (#2599)
* PIV
- Add new PIVKey ATRs for current cards (#2602)
-------------------------------------------------------------------
Mon Oct 4 12:59:24 UTC 2021 - Daniel Donisa <daniel.donisa@suse.com>
- Update to OpenSC 0.22.0:
* Removed changes in opensc-gcc11.patch already present in upstream.
- See https://github.com/OpenSC/OpenSC/pull/2241/commits/e549e9c62eb4fcd2260800e2665071e4dd9bbbda
* Removed some false positives from the openrc-rpmlintrc file.
* Use standard paths for file cache on Linux (#2148) and OSX (#2214)
* Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
* Add threading test to `pkcs11-tool` (#2067)
* Add support to generate generic secret keys (#2140)
* `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
* Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179).
* Support for gcc11 and its new strict aliasing rules (#2241, #2260)
* Initial support for building with OpenSSL 3.0 (#2343)
* pkcs15-tool: Write data objects in binary mode (#2324)
* Avoid limited size of log messages (#2352)
* Support for ECDSA verification (#2211)
* Support for ECDSA with different SHA hashes (#2190)
* Prevent issues in p11-kit by not returning unexpected return codes (#2207)
* Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
* Standardize the version 2 on 2.20 in the code (#2096)
* Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176)
* Copy arguments of C_Initialize (#2350)
* Fix RSA-PSS signing (#2234)
* Fix DO deletion (#2215)
* Add support for (X)EdDSA keys (#1960)
* Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
* Add support for applet version 4 (#2332)
* New configuration option for opensc.conf to disable pkcs1_padding (#2193)
* Add support for ECDSA with different hashes (#2190)
* Enable more mechanisms (#2178)
* Fixed asking for a user pin when formatting a card (#1737)
* Added support for French CPx Healthcare cards (#2217)
* Added ATR for new CardOS 5.4 version (#2296)
* Fixes security issues:
* tcos: use after return (bsc#1192005, CVE-2021-42780)
* oberthur: use after free (bsc#1191992, CVE-2021-42779)
* oberthur: multiple heap buffer overflows (bsc#1192000,
CVE-2021-42781)
* multiple stack buffer overflow issues (bsc#1191957,
CVE-2021-42782)
-------------------------------------------------------------------
Sun Jun 27 16:48:49 UTC 2021 - Predrag Ivanović <predivan@mts.rs>
- Fix build on GCC11
* Add opensc-gcc11.patch from Fedora
(https://github.com/OpenSC/OpenSC/pull/2241/)
-------------------------------------------------------------------
Fri Mar 12 22:58:46 UTC 2021 - Dirk Müller <dmueller@suse.com>
- move licenses to licensedir
-------------------------------------------------------------------
Fri Nov 27 19:27:30 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
- OpenSC 0.21.0:
* CVE-2020-26571: stack-based buffer overflow in the gemsafe GPK
smart card software driver (boo#1177380)
* CVE-2020-26572: stack-based buffer overflow in the TCOS smart
card software driver (boo#1177378)
* CVE-2020-26570: heap-based buffer overflow in the Oberthur
smart card software driver (boo#1177364)
* CardOS 5.x support boo#1179291
* Support for OAEP encryption, make SHA256 default
* New separate debug level for PIN commands
* Fix handling of card/reader insertion/removal events in pcscd
* Fixes of removed readers handling
* Fix Firefox crash because of invalid pcsc context
* PKCS#11: Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards
* Propagate ignore_user_content to PKCS#11 layer not to confuse applications
* Minidriver: Fix check of ATR length (2-to 33 characters inclusive)
* pkcs11-tool: allow using SW tokens
* opensc-explorer asn1 accepts offsets and decode records
* opensc-explorer cat accepts records
* OpenPGP: Add new ec curves supported by GNUK
* First steps supporting OpenPGP 3.4
* OpenPGP: Add support for EC key import
* Rutoken: Add ATR for Rutoken ECP SC NFC
* Improve detection of various CardOS 5 configurations
* DNIe: Add new DNIe CA structure for the secure channel
* ePass2003: Improve ECC support
* ePass2003: Fix erase sequence
* IAS-ECC: Fix support for Idemia Cosmo cards
* IAS-ECC: PIN padding settings are now used from PKCS#15 info when available
* IAS-ECC: Added PIN-pad support for PIN unblock
* New driver for Gemalto IDPrime (only some types)
* eDo: New driver with initial support for Polish eID card (e-dowód, eDO)
* MCRD: Remove unused and broken RSA EstEID support
* TCOS: Add missing encryption certificates
* PIV: Add ATR of DOD Yubikey
* fixed PIV global pin bug
* CAC1: Support changing PIN with CAC Alt tokens
- includes changes from 0.20.0
* CVE-2019-6502: memory leak in libopensc (boo#1122756)
* CVE-2019-15946: out-of-bounds access of an ASN.1 Octet string (boo#1149747)
* CVE-2019-15945: out-of-bounds access of an ASN.1 Bitstring (boo#1149746)
* CVE-2019-19479: incorrect read operation during parsing of a SETCOS file attribute (boo#1158256)
* CVE-2019-19480: improper free operation in sc_pkcs15_decode_prkdf_entry (boo#1158307)
* CVE-2019-20792: double free in coolkey_free_private_dat (bsc#1170809)
* Support RSA-PSS signature mechanisms using RSA-RAW
* Added memory locking for secrets
* added support for terminal colors
* PC/SC driver: Fixed error handling in case of changing or removing the card reader
* rename md_read_only to read_only and use it for PKCS#11 and Minidriver
* allow global use of ignore_private_certificate
* PKCS#11: Implement write protection (CKF_WRITE_PROTECTED) based on the card profile
* PKCS#11: Add C_WrapKey and C_UnwrapKey implementations
* PKCS#11: Handle CKA_ALWAYS_AUTHENTICATE when creating key objects
* PKCS#11: Truncate long PKCS#11 labels with ...
* PKCS#11: Fixed recognition of a token when being unplugged and reinserted
* Minidriver: Register for CardOS5 cards
* Minidriver: Add support for RSA-PSS
* tools: Harmonize the use of option -r/--reader
* goid-tool: GoID personalization with fingerprint
* openpgp-tool: replace the options -L/--key-length with -t/--key-type
* openpgp-tool: add options -C/--card-info and -K/--key-info
* opensc-explorer: add command pin_info, extend random
* pkcs11-register: Auto-configuration of applications for use of OpenSC PKCS#11
* pkcd11-register: Autostart
* opensc-tool: Show ATR also for cards not recognized by OpenSC
* pkcs11-spy: parse CKM_AES_GCM, EC Derive parameters
* pkcs11-spy: Add support for CKA_OTP_* and CKM_*_PSS values
* pkcs11-tool: Support for signature verification via --verify
* pkcs11-tool: Add object type secrkey for --type option
* pkcs11-tool: Implement Secret Key write object
* pkcs11-tool: Add GOSTR3410-2012 support
* pkcs11-tool: Add support for testing CKM_RSA_PKCS_OAEP
* pkcs11-tool: Add extractable option to key import
* pkcs11-tool: list more key access flags when listing keys
* pkcs11-tool: Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys
* pkcs15-crypt: *Handle keys with user consent
* New separate CAC1 driver using the old CAC specification (#1502)
* CardOS: Add support for 4K RSA keys in CardOS 5
* CardOS: Fixed decryption with CardOS 5
* Enable CoolKey driver to handle 2048-bit keys
* EstEID: add support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018
* GIDS Decipher fix (#1881)
* GIDS: Allow RSA 4K support
* MICARDO: Remove long expired EstEID 1.0/1.1 card support
* MyEID: Add support for unwrapping a secret key with an RSA key or secret key
* MyEID Add support for wrapping a secret key with a secret key
* Support for MyEID 4K RSA
* Support for OsEID
* Gemalto GemSafe: add new PTeID ATRs, add support for 4K RSA keys
* OpenPGP Card v3 ECC support
* Add Rutoken ECP SC
* Add Rutoken Lite
* Add SmartCard-HSM 4K ATR
* Add missing secp384r1 curve parameter
* Stacros: Fix decipher with 2.3
* Stacros: Add ATR for 2nd gen. eGK
* Stacros: Add new ATR for 3.5
* Stacros: Detect and allow Globalplatform PIN encoding
* Fix TCOS IDKey support
* TCOS: add encryption certificate for IDKey
* Infocamere, Postecert, Cnipa: Remove profiles
* Remove incomplete acos5 driver
- drop patches now upstream:
* opensc-0.19.0-piv_card_matching.patch
* opensc-0.19.0-redundant_logging.patch
* opensc-0.19.0-rsa-pss.patch
-------------------------------------------------------------------
Sun Aug 18 01:35:45 UTC 2019 - Jason Sikes <jsikes@suse.com>
- added opensc-0.19.0-piv_card_matching.patch
* Improve Card Matching for Dual CAC/PIV and PIVKEY cards.
* sourced from https://github.com/OpenSC/OpenSC/pull/1549
-------------------------------------------------------------------
Tue Jul 30 03:15:14 UTC 2019 - Jason Sikes <jsikes@suse.de>
- added opensc-0.19.0-rsa-pss.patch
* Fixes the pkcs11-tool example
* Added missing CKM_SHA224_RSA_PKCS_PSS
* Add support for PSS padding to RSA signatures
* Support for signature verification in pkcs11-tool
* Switch cleanup steps to avoid segfaults on errors and more sanity checking
- added opensc-0.19.0-redundant_logging.patch
* Remove redundant debug output
-------------------------------------------------------------------
Tue Jul 23 21:51:42 UTC 2019 - Benjamin Greiner <code@bnavigator.de>
- add explicit BuildRequires: zlib-devel
-------------------------------------------------------------------
Thu Sep 13 13:46:43 UTC 2018 - Karol Babioch <kbabioch@suse.com>
- Update to version 0.19.0
* Fixed multiple security problems (out of bound writes/reads):
* bsc#1104812
* CVE-2018-16391 (bsc#1106998)
* CVE-2018-16392 (bsc#1106999)
* CVE-2018-16393 (bsc#1108318)
* CVE-2018-16418 (bsc#1107039)
* CVE-2018-16419 (bsc#1107107)
* CVE-2018-16420 (bsc#1107097)
* CVE-2018-16421 (bsc#1107049)
* CVE-2018-16422 (bsc#1107038)
* CVE-2018-16423 (bsc#1107037)
* CVE-2018-16424 (bsc#1107036)
* CVE-2018-16425 (bsc#1107035)
* CVE-2018-16426 (bsc#1107034)
* CVE-2018-16427 (bsc#1107033)
* Workaround cards returning short signatures without leading zeroes
* Distribute minimal opensc.conf
* `pkcs11_enable_InitToken made` global configuration option
* Modify behavior of `OPENSC_DRIVER` environment variable to restrict driver
list instead of forcing one driver and skipping vital parts of
configuration
* Removed configuration options `zero_ckaid_for_ca_certs`,
`force_card_driver`, `reopen_debug_file`, `paranoid-memory`
* Generalized configuration option `ignored_readers`
* If card initialization fails, continue card detection with other card
drivers
* reader-pcsc: allow fixing the length of a PIN
* fixed crash during `C_WaitForSlotEvent`
* Allow cancelling the PIN pad prompt before starting the reader transaction.
Whether to start the transaction immediately or not is user-configurable
for each application
* opensc-notify
* add Exit button to tray icon
* User better description (GenericName) and a generic application icon
* Do not display in the application list
- Removed patches included upstream now:
* opensc-desktop.patch
* opensc-desktop2.patch
* opensc-bash-completions.patch
- Applied spec-cleaner
-------------------------------------------------------------------
Tue Jul 10 16:56:28 CEST 2018 - sbrabec@suse.com
- Update to version 0.18.0:
* Further improvements of PIN support.
* Large number of improvements and fixes
(boo#1097951, boo#1100501).
* See /usr/share/doc/packages/opensc/NEWS for complete list.
- Add opensc-desktop.patch, opensc-desktop2.patch and
opensc-bash-completions.patch.
-------------------------------------------------------------------
Mon Jan 1 16:16:13 UTC 2018 - michael@stroeder.com
- update to version 0.17.0:
* support for new cards
* PIN support enhancemets
* added .pc file
* builds with OpenSSL 1.1.0 (1074799)
* See /usr/share/doc/packages/opensc/NEWS for complete list.
-------------------------------------------------------------------
Tue Jul 18 13:58:05 UTC 2017 - tchvatal@suse.com
- Switch to tarball fetching from github
- Few small cleanups
-------------------------------------------------------------------
Tue Nov 22 16:42:06 CET 2016 - sbrabec@suse.com
- Add baselibs.conf to provide 32-bit PKCS11 plugins (bsc#996047).
- Drop opensc-ADVISORIES. There is no new advisory since 2009.
-------------------------------------------------------------------
Tue Jul 5 12:09:24 UTC 2016 - t.gruner@katodev.de
- update to version 0.16.0
- remove fix (issue 505)
- clean up spec-file
-------------------------------------------------------------------
Thu Jul 30 16:16:19 EEST 2015 - bwachter-pkg@lart.info
- update to version 0.15.0
- register with p11-kit
(https://www.opensc-project.org/opensc/ticket/390)
-------------------------------------------------------------------
Mon Feb 16 15:14:55 UTC 2015 - michael@stroeder.com
- update to version 0.14.0
-------------------------------------------------------------------
Tue Dec 3 18:53:23 UTC 2013 - luizluca@tre-sc.gov.br
- update to version 0.13.0
-------------------------------------------------------------------
Tue Jun 12 21:00:03 UTC 2012 - mgorse@suse.com
- make needed directories before running make install
-------------------------------------------------------------------
Thu Sep 29 18:26:23 UTC 2011 - lmedinas@opensuse.org
- Updated to version 0.12.2:
* Builds are now silent by default when OpenSC is built from
source on Unix.
* Using --wait with command line tools works with 64bit Linux
again.
* Greatly improved OpenPGP card support, including OpenPGP
2.0 cards like the one found in German Privacy Foundation
CryptoStick.
* Fixed support for FINeID cards issued after 01.03.2011 with
2048bit keys.
* #256: Fixed support for TCOS cards (broken since 0.12.0).
* Added support for IDKey-cards to TCOS3 driver.
* #361: Improved PC/SC driver to fetch the maximum PIN sizes
from the open source CCID driver. This fixes the issue for
Linux/OSX with recent driver.
* Fix FINeID cards for organizations.
* Several smaller bugs and compiler warnings fixed
- Updated to version 0.12.1:
* IAS-ECC 1.0.1
* Support for cards with multiple PKCS#15 applications
* New card driver: IAS/ECC 1.0.1
* rutoken-tool has been deprecated and removed.
* eidenv and piv-tool utilities now have manual pages.
* pkcs11-tool now requires the use of --module parameter.
* All tools can now use an ATR as an argument to --reader,
to skip to the card with given ATR.
* opensc-tool -l with -v now shows information about the
inserted cards.
* Creating files have an enforced upper size limit, 64K
* Support for multiple PKCS#15 applications with different
AID-s. PKCS#15 applications can be listed with pkcs15-tool
--list-applications. Binding to a specific AID with PKCS#15
tools can be done with --aid.
* Hex strings (like card ATR or APDU-s) can now be separated
by space, in addition to colons.
* Pinpad readers known to be bogus are now ignored by OpenSC.
At the moment only "HP USB Smart Card Keyboard" is disabled.
* Numerous compiler warnings, unused code and internal bugs
have been eliminated.
-------------------------------------------------------------------
Fri Jan 7 14:49:37 CET 2011 - sbrabec@suse.cz
- Updated to version 0.12.0:
* Security fix (bnc#660109, CVE-2010-4523).
* Only one backend is supported. openSUSE will use pcsc-lite.
* libopensc made private, library should not be used by other
applications. Please use generic PKCS#11 interface instead.
* Signer plugin discontinued. Please use openssl engine_pkcs11.
* No more depends on libassuan.
* New card drivers.
* Support for CardOS enhanced.
* More changes and enhancements.
- libopensc merged back to the main package, as it is private now.
-------------------------------------------------------------------
Mon Aug 23 14:15:22 CEST 2010 - sbrabec@suse.cz
- Fixed broken opensc-fix-gcc-warnings.patch (bnc#627619).
- Simplified plugin installation.
-------------------------------------------------------------------
Tue Apr 13 14:35:32 UTC 2010 - puzel@novell.com
- update to version 0.11.13
* Modify Rutoken S binary interfaces by Aktiv Co.
* Muscle driver fixed (acl reading issue)
* Many small fixes (e.g. mem leaks)
* Compiling with openssl 1.0.0-beta fixed
* Document integer problem in OpenSC and implement workaround
* Improve entersafe profile to support private data objects
- Require pinentry
- add opensc-libassuan-2.patch
- add opensc-fix-gcc-warnings.patch
-------------------------------------------------------------------
Fri Jan 1 20:07:35 CET 2010 - jengelh@medozas.de
- package baselibs.conf
-------------------------------------------------------------------
Wed Aug 5 14:59:33 CEST 2009 - sbrabec@suse.cz
- Updated to version 0.11.9:
* New rutoken_ecp driver
* Allow more keys/certificates/files etc. with entersafe tokens
* Updates pkcs11.h from scute fixing warnings
* Small fixes in rutoken driver
* Major update for piv driver with increased compatibility
-------------------------------------------------------------------
Thu Jul 30 12:45:26 CEST 2009 - sbrabec@suse.cz
- libopensc2 should not require opensc (bnc#466430).
-------------------------------------------------------------------
Thu May 7 17:52:06 CEST 2009 - sbrabec@suse.cz
- Updated to version 0.11.8:
* Fix security problem in pkcs11-tool gen_keypair
(PublicExponent 1) (bnc#501726)
See http://en.opensuse.org/Smart_Cards/Advisories for more.
* updated and improve entersafe driver. FTCOS/PK-01C cards are
supported now, compatible with cards writen by Feitian's
software on windows.
-------------------------------------------------------------------
Thu Apr 9 11:32:23 CEST 2009 - sbrabec@suse.cz
- Fixed undefined code (bnc#440853).
- Don't call autoreconf on older products.
-------------------------------------------------------------------
Tue Mar 17 18:01:29 CET 2009 - sbrabec@suse.cz
- Updated to version 0.11.7:
* hide_empty_slots now on by default? small logic change?
* ruToken driver was updated.
* openct virtual readers reduced to 2 by default.
* Security issue: Fix private data support. (bnc#480262,
CVE-2009-0368)
See http://en.opensuse.org/Smart_Cards/Advisories for more.
* Enable lock_login by default.
* Disable allow_soft_keygen by default.
-------------------------------------------------------------------
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
(bnc#437293)
-------------------------------------------------------------------
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
-------------------------------------------------------------------
Wed Sep 10 13:46:44 CEST 2008 - sbrabec@suse.cz
- Updated to version 0.11.6:
* New support for Feitian ePass3000.
* GemSafeV1 improved to handle key_ref other than 3.
* Build system rewritten.
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is dynamically linked.
* PKCS#11 provider is now installed at LIBDIR/pkcs11.
* PKCS#11 - Number of virtual slots moved into configuration.
* PKCS#11 - Fix fork() compliance.
* make sign_with_decrypt hack configureable for siemens cards.
-------------------------------------------------------------------
Mon Sep 1 14:06:17 CEST 2008 - sbrabec@suse.cz
- Check validity of SSL certificates for all Siemens CardOS M4
cards (SCA and SCB are affected as well, bnc#413496#c6).
-------------------------------------------------------------------
Thu Jul 31 12:45:11 CEST 2008 - sbrabec@suse.cz
- Fixed initialization access rights for Siemens CardOS M4, added
a security check to pkcs15-tool (bnc#413496, CVE-2008-2235)
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
- added baselibs.conf file to build xxbit packages
for multilib support
-------------------------------------------------------------------
Thu Feb 7 17:12:02 CET 2008 - sbrabec@suse.cz
- Updated to version 0.11.4:
* Browser plugin support
* Support Siemens CardOS initialized cards (signing with
decryption)
* Add Siemens CardOS M4.2B support (experimental)
* Support for AKIS cards added (partial)
-------------------------------------------------------------------
Thu Jul 26 13:40:30 CEST 2007 - sbrabec@suse.cz
- Updated to version 0.11.3:
* make lots of internal functions and variables static.
* fix 0 vs NULL in many places. fix ansi c style (void).
* avoid variable names used also as glibc function (random etc.).
* new code for deleting objects.
* special hack for firefox.
* suport for Athena APCOS cards added.
* piv driver now supports bigger rsa keys too.
* enabled pin caching by default.
* use max_send_size 255 / max_recv_size 256 bytes by default.
* increase pin buffer size to allow longer pin codes.
* Added --read-ssk-key option to pkcs15-tool
* use pkg-config for finding openct
* use strlcpy function
* use new pkcs11.h from scute with an open source license
* add support for sha2 to pkcs15-crypt
* add piv-tool for managing piv cards
* add muscle driver
* improved oberthur driver
* add support for pcsc v2 part10
* convert source files to utf-8
- Split package according to shared library packaging policy.
-------------------------------------------------------------------
Tue Feb 27 12:12:30 CET 2007 - mvaner@suse.cz
- Fixing dodgy use of sizeof (#238660)
- sizeof.patch
-------------------------------------------------------------------
Mon Oct 2 18:49:35 CEST 2006 - sbrabec@suse.cz
- Updated to version 0.11.1:
* Update for piv pkcs#15 emulation
* Improved TCOS driver for Uni Giesen Card
* Handle size_t printf with "%lu" and (unsigned long) cast
* Add support for d-trust cards / improve micardo 2.1 driver
-------------------------------------------------------------------
Thu May 25 16:13:02 CEST 2006 - sbrabec@suse.cz
- Fixed build for old SuSE Linux versions.
-------------------------------------------------------------------
Thu May 11 13:00:00 CEST 2006 - sbrabec@suse.cz
- Fixed devel dependencies.
-------------------------------------------------------------------
Wed May 10 16:58:12 CEST 2006 - sbrabec@suse.cz
- Updated to version 0.11.0.
-------------------------------------------------------------------
Wed Jan 25 21:39:06 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Thu Jan 5 02:05:11 CET 2006 - ro@suse.de
- added unpackaged so-links to devel filelist
-------------------------------------------------------------------
Tue Oct 25 15:30:04 CEST 2005 - rhafer@suse.de
- added LDAP_DEPRECATED to CFLAGS to build correctly with·
OpenLDAP 2.3
-------------------------------------------------------------------
Fri Sep 2 12:56:14 CEST 2005 - okir@suse.de
- Removed +x permissions on opensc.conf (#114849)
-------------------------------------------------------------------
Thu Jul 14 16:11:56 CEST 2005 - okir@suse.de
- Updated to latest upstream version
- Added missing documentation files (#75425)
-------------------------------------------------------------------
Fri Mar 4 11:06:48 CET 2005 - meissner@suse.de
- fixed gcc4 compilation.
-------------------------------------------------------------------
Fri Jan 21 14:43:23 CET 2005 - okir@suse.de
- Updated to latest upstream version (0.9.4)
-------------------------------------------------------------------
Thu Nov 18 15:49:34 CET 2004 - ro@suse.de
- use kerberos-devel-packages
-------------------------------------------------------------------
Mon Jul 19 14:06:10 CEST 2004 - adrian@suse.de
- fix file list
-------------------------------------------------------------------
Mon Jul 12 17:26:31 CEST 2004 - adrian@suse.de
- update to version 0.8.1
-------------------------------------------------------------------
Fri Mar 19 11:10:13 CET 2004 - okir@suse.de
- Fixed permissions and path names of some include files (#36432)
-------------------------------------------------------------------
Fri Jan 16 13:19:16 CET 2004 - kukuk@suse.de
- Add pam-devel to neededforbuild
-------------------------------------------------------------------
Sat Jan 10 15:47:57 CET 2004 - adrian@suse.de
- add %run_ldconfig and %defattr
-------------------------------------------------------------------
Mon Aug 4 11:00:27 CEST 2003 - okir@suse.de
- Build fixes for x86_64/ppc64
- use a version string other than "CVS" (#28423)
-------------------------------------------------------------------
Fri Aug 1 12:04:29 CEST 2003 - okir@suse.de
- Updated to most recent upstream snapshot
-------------------------------------------------------------------
Thu Jun 12 13:28:31 CEST 2003 - kukuk@suse.de
- Fix filelist and permissions
-------------------------------------------------------------------
Wed Jun 4 00:39:12 CEST 2003 - ro@suse.de
- added rest of static libs to devel filelist
- remove unpackaged files from buildroot
-------------------------------------------------------------------
Wed Jan 15 17:34:58 CET 2003 - ro@suse.de
- use sasl2
-------------------------------------------------------------------
Thu Dec 5 11:22:44 CET 2002 - okir@suse.de
- fixed x86_64 build problem
- updated to latest upstream
-------------------------------------------------------------------
Fri Nov 29 10:01:14 CET 2002 - okir@suse.de
- updated to current CVS snapshot
-------------------------------------------------------------------
Fri Aug 9 21:35:43 CEST 2002 - okir@suse.de
- added missing libs to files list
-------------------------------------------------------------------
Thu Jul 4 17:48:11 CEST 2002 - ro@suse.de
- added heimdal-devel to neededforbuild to make libtool happy
-------------------------------------------------------------------
Fri Jun 28 17:34:49 CEST 2002 - schwab@suse.de
- Fix bootstrap script.
- Use correct libtool macros.
-------------------------------------------------------------------
Mon May 27 19:10:07 CEST 2002 - sf@suse.de
- @libdir@ added to Makefile.am to use correct dirs for
*/lib */lib64
-------------------------------------------------------------------
Tue Apr 30 16:05:12 CEST 2002 - okir@suse.de
- Initial check-in

8
opensc.module Normal file
View File

@ -0,0 +1,8 @@
# This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: onepin-opensc-pkcs11.so

106
opensc.spec Normal file
View File

@ -0,0 +1,106 @@
#
# spec file for package opensc
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define completionsdir %(pkg-config --variable completionsdir bash-completion)
Name: opensc
Version: 0.24.0
Release: 0
Summary: Smart Card Utilities
License: LGPL-2.1-or-later
Group: Productivity/Security
URL: https://github.com/OpenSC/OpenSC/wiki
Source: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
Source1: baselibs.conf
Source2: %{name}-rpmlintrc
# Register with p11-kit
# https://web.archive.org/web/20111225073733/http://www.opensc-project.org/opensc/ticket/390
Source3: opensc.module
Patch0: opensc-gcc11.patch
# PATCH-FIX-UPSTREAM martin.schreiner@suse.com CVE-2024-1454 bsc#1219868
Patch1: CVE-2024-1454.patch
BuildRequires: docbook-xsl-stylesheets
BuildRequires: libxslt
BuildRequires: pkgconfig
BuildRequires: readline-devel
BuildRequires: zlib-devel
BuildRequires: pkgconfig(bash-completion)
BuildRequires: pkgconfig(libpcsclite) >= 1.8.22
BuildRequires: pkgconfig(openssl) >= 1.0.1
Requires: pcsc-lite
# There is no more devel package.
Obsoletes: opensc-devel < %{version}
%description
OpenSC provides a set of utilities to access smart cards. It mainly
focuses on cards that support cryptographic operations. It facilitates
their use in security applications such as mail encryption,
authentication, and digital signature. OpenSC implements the PKCS#11
API. Applications supporting this API, such as Mozilla Firefox and
Thunderbird, can use it. OpenSC implements the PKCS#15 standard and aims
to be compatible with every software that does so, too.
Before purchasing any cards, please read carefully documentation on the
web pageonly some cards are supported. Not only card type matters, but
also card version, card OS version and preloaded applet. Only subset of
possible operations may be supported for your card. Card initialization
may require third party proprietary software.
%prep
%autosetup -p1
%build
%configure \
--docdir=%{_docdir}/%{name} \
--disable-static \
--enable-doc \
--disable-silent-rules
%make_build
%install
%make_install
# Private library.
rm %{buildroot}%{_libdir}/libopensc.so
install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pkcs11/modules/opensc.module
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%license COPYING
%doc NEWS README
%doc %{_docdir}/%{name}/tools.html
%doc %{_docdir}/%{name}/files.html
%doc %{_docdir}/%{name}/opensc.conf
%{_bindir}/*
%{_datadir}/applications/*.desktop
%{_datadir}/opensc
# Note: .la and .so must be in the main package, required by ltdl:
%{_libdir}/*.la
%{_libdir}/*.so*
%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/*.so
%{_libdir}/pkgconfig/opensc-pkcs11.pc
%{_mandir}/man?/*%{ext_man}
%config %{_sysconfdir}/opensc.conf
%dir %{_sysconfdir}/pkcs11
%config %{_sysconfdir}/pkcs11/modules/
# This is a private library. There is no reason to split it to libopensc* package.
%{_libdir}/libopensc.so.*
%{completionsdir}/*
%changelog