Accepting request 1291456 from home:pmonrealgonzalez:branches:security:chipcard

- Fix error found when compiling with gcc 15
  * https://github.com/OpenSC/OpenSC/pull/3316
  * Add opensc-gcc15.patch

OBS-URL: https://build.opensuse.org/request/show/1291456
OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=94

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

baselibs.conf

@@ -0,0 +1,5 @@
+opensc
+    +/usr/lib(64)?/*.la
+    +/usr/lib(64)?/*.so*
+    +/usr/lib(64)?/pkcs11/*.so
+    requires "opensc = <version>"

opensc-0.25.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23cbaae8bd7c8eb589b68c0a961dfb0d02007bea3165a3fc5efe2621d549b37b
+size 2395579

opensc-0.26.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:837baead45e1505260d868871056150ede6e73d35460a470f2595a9e5e75f82b
+size 2415271

opensc-CVE-2024-45615.patch

@@ -0,0 +1,111 @@
+commit 5e4f26b510b04624386c54816bf26aacea0fe4a1
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date:   Thu Jul 11 14:58:25 2024 +0200
+
+    cac: Fix uninitialized values
+    
+    Thanks Matteo Marini for report
+    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+    
+    fuzz_card/1,fuzz_pkcs11/6
+
+Index: opensc-0.25.1/src/libopensc/card-cac.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-cac.c
++++ opensc-0.25.1/src/libopensc/card-cac.c
+@@ -252,7 +252,7 @@ static int cac_apdu_io(sc_card_t *card,
+ 	size_t * recvbuflen)
+ {
+ 	int r;
+-	sc_apdu_t apdu;
++	sc_apdu_t apdu = {0};
+ 	u8 rbufinitbuf[CAC_MAX_SIZE];
+ 	u8 *rbuf;
+ 	size_t rbuflen;
+@@ -389,13 +389,13 @@ fail:
+ static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len)
+ {
+ 	u8 params[2];
+-	u8 count[2];
++	u8 count[2] = {0};
+ 	u8 *out = NULL;
+-	u8 *out_ptr;
++	u8 *out_ptr = NULL;
+ 	size_t offset = 0;
+ 	size_t size = 0;
+ 	size_t left = 0;
+-	size_t len;
++	size_t len = 0;
+ 	int r;
+ 
+ 	params[0] = file_type;
+@@ -458,7 +458,7 @@ static int cac_read_binary(sc_card_t *ca
+ 	const u8 *tl_ptr, *val_ptr, *tl_start;
+ 	u8 *tlv_ptr;
+ 	const u8 *cert_ptr;
+-	size_t tl_len, val_len, tlv_len;
++	size_t tl_len = 0, val_len = 0, tlv_len;
+ 	size_t len, tl_head_len, cert_len;
+ 	u8 cert_type, tag;
+ 
+@@ -1519,7 +1519,7 @@ static int cac_parse_CCC(sc_card_t *card
+ static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth)
+ {
+ 	u8 *tl = NULL, *val = NULL;
+-	size_t tl_len, val_len;
++	size_t tl_len = 0, val_len = 0;
+ 	int r;
+ 
+ 	if (depth > CAC_MAX_CCC_DEPTH) {
+Index: opensc-0.25.1/src/libopensc/card-piv.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-piv.c
++++ opensc-0.25.1/src/libopensc/card-piv.c
+@@ -4425,7 +4425,7 @@ static int piv_get_challenge(sc_card_t *
+ 	const u8 *p;
+ 	size_t out_len = 0;
+ 	int r;
+-	unsigned int tag_out, cla_out;
++	unsigned int tag_out = 0, cla_out = 0;
+ 	piv_private_data_t * priv = PIV_DATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+Index: opensc-0.25.1/src/libopensc/pkcs15-cert.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-cert.c
++++ opensc-0.25.1/src/libopensc/pkcs15-cert.c
+@@ -169,7 +169,7 @@ sc_pkcs15_get_name_from_dn(struct sc_con
+ 	for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) {
+ 		const u8 *ava, *dummy, *oidp;
+ 		struct sc_object_id oid;
+-		size_t ava_len, dummy_len, oid_len;
++		size_t ava_len = 0, dummy_len, oid_len = 0;
+ 
+ 		/* unwrap the set and point to the next ava */
+ 		ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len);
+Index: opensc-0.25.1/src/libopensc/pkcs15-sc-hsm.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-sc-hsm.c
++++ opensc-0.25.1/src/libopensc/pkcs15-sc-hsm.c
+@@ -386,7 +386,7 @@ int sc_pkcs15emu_sc_hsm_decode_cvc(sc_pk
+ 	struct sc_asn1_entry asn1_cvcert[C_ASN1_CVCERT_SIZE];
+ 	struct sc_asn1_entry asn1_cvc_body[C_ASN1_CVC_BODY_SIZE];
+ 	struct sc_asn1_entry asn1_cvc_pubkey[C_ASN1_CVC_PUBKEY_SIZE];
+-	unsigned int cla,tag;
++	unsigned int cla = 0, tag = 0;
+ 	size_t taglen;
+ 	const u8 *tbuf;
+ 	int r;
+Index: opensc-0.25.1/src/pkcs15init/profile.c
+===================================================================
+--- opensc-0.25.1.orig/src/pkcs15init/profile.c
++++ opensc-0.25.1/src/pkcs15init/profile.c
+@@ -1809,7 +1809,7 @@ do_pin_storedlength(struct state *cur, i
+ static int
+ do_pin_flags(struct state *cur, int argc, char **argv)
+ {
+-	unsigned int	flags;
++	unsigned int	flags = 0;
+ 	int		i, r;
+ 
+ 	if (cur->pin->pin.auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)

opensc-CVE-2024-45616.patch

@@ -0,0 +1,233 @@
+commit 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date:   Thu Jul 11 15:27:19 2024 +0200
+
+    cardos: Fix uninitialized values
+    
+    Thanks Matteo Marini for report
+    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+    
+    fuzz_card/2
+
+Index: opensc-0.25.1/src/libopensc/card-cardos.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-cardos.c
++++ opensc-0.25.1/src/libopensc/card-cardos.c
+@@ -94,14 +94,14 @@ static void fixup_transceive_length(cons
+ 
+ static int cardos_match_card(sc_card_t *card)
+ {
+-	unsigned char atr[SC_MAX_ATR_SIZE];
++	unsigned char atr[SC_MAX_ATR_SIZE] = {0};
+ 	int i;
+ 
+ 	i = _sc_match_atr(card, cardos_atrs, &card->type);
+ 	if (i < 0)
+ 		return 0;
+ 
+-	memcpy(atr, card->atr.value, sizeof(atr));
++	memcpy(atr, card->atr.value, card->atr.len);
+ 
+ 	/* Do not change card type for CIE! */
+ 	if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1)
+@@ -114,8 +114,8 @@ static int cardos_match_card(sc_card_t *
+ 		return 1;
+ 	if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
+ 		int rv;
+-		sc_apdu_t apdu;
+-		u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
++		sc_apdu_t apdu = {0};
++		u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = {0};
+ 		/* first check some additional ATR bytes */
+ 		if ((atr[4] != 0xff && atr[4] != 0x02) ||
+ 		    (atr[6] != 0x10 && atr[6] != 0x0a) ||
+@@ -131,7 +131,7 @@ static int cardos_match_card(sc_card_t *
+ 		apdu.lc = 0;
+ 		rv = sc_transmit_apdu(card, &apdu);
+ 		LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
+-		if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
++		if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00 || apdu.resplen < 2)
+ 			return 0;
+ 		if (apdu.resp[0] != atr[10] ||
+ 		    apdu.resp[1] != atr[11])
+Index: opensc-0.25.1/src/libopensc/card-cac1.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-cac1.c
++++ opensc-0.25.1/src/libopensc/card-cac1.c
+@@ -92,12 +92,12 @@ static int cac_cac1_get_certificate(sc_c
+ 		if (apdu.sw1 != 0x63 || apdu.sw2 < 1)  {
+ 			/* we've either finished reading, or hit an error, break */
+ 			r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+-			left -= len;
++			left -= apdu.resplen;
+ 			break;
+ 		}
+ 		/* Adjust the lengths */
+-		left -= len;
+-		out_ptr += len;
++		left -= apdu.resplen;
++		out_ptr += apdu.resplen;
+ 		len = MIN(left, apdu.sw2);
+ 	}
+ 	if (r < 0) {
+Index: opensc-0.25.1/src/libopensc/card-oberthur.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-oberthur.c
++++ opensc-0.25.1/src/libopensc/card-oberthur.c
+@@ -148,7 +148,7 @@ auth_select_aid(struct sc_card *card)
+ {
+ 	struct sc_apdu apdu;
+ 	unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];
+-	struct auth_private_data *data =  (struct auth_private_data *) card->drv_data;
++	struct auth_private_data *data = (struct auth_private_data *)card->drv_data;
+ 	int rv, ii;
+ 	struct sc_path tmp_path;
+ 
+@@ -165,6 +165,9 @@ auth_select_aid(struct sc_card *card)
+ 
+ 	rv = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
++	if (apdu.resplen < 20) {
++		LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Serial number has incorrect length");
++	}
+ 	card->serialnr.len = 4;
+ 	memcpy(card->serialnr.value, apdu.resp+15, 4);
+ 
+Index: opensc-0.25.1/src/libopensc/card-gids.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-gids.c
++++ opensc-0.25.1/src/libopensc/card-gids.c
+@@ -231,6 +231,7 @@ static int gids_get_DO(sc_card_t* card,
+ 	size_t datasize = 0;
+ 	const u8* p;
+ 	u8 buffer[MAX_GIDS_FILE_SIZE];
++	size_t buffer_len = sizeof(buffer);
+ 
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+ 	sc_log(card->ctx,
+@@ -244,14 +245,15 @@ static int gids_get_DO(sc_card_t* card,
+ 	apdu.data = data;
+ 	apdu.datalen = 04;
+ 	apdu.resp = buffer;
+-	apdu.resplen = sizeof(buffer);
++	apdu.resplen = buffer_len;
+ 	apdu.le = 256;
+ 
+ 	r = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, r, "gids get data failed");
+ 	LOG_TEST_RET(card->ctx,  sc_check_sw(card, apdu.sw1, apdu.sw2), "invalid return");
++	buffer_len = apdu.resplen;
+ 
+-	p = sc_asn1_find_tag(card->ctx, buffer, sizeof(buffer), dataObjectIdentifier, &datasize);
++	p = sc_asn1_find_tag(card->ctx, buffer, buffer_len, dataObjectIdentifier, &datasize);
+ 	if (!p) {
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
+ 	}
+Index: opensc-0.25.1/src/libopensc/asn1.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/asn1.c
++++ opensc-0.25.1/src/libopensc/asn1.c
+@@ -68,7 +68,7 @@ int sc_asn1_read_tag(const u8 ** buf, si
+ 
+ 	*buf = NULL;
+ 
+-	if (left == 0 || !p)
++	if (left == 0 || !p || buflen == 0)
+ 		return SC_ERROR_INVALID_ASN1_OBJECT;
+ 	if (*p == 0xff || *p == 0) {
+ 		/* end of data reached */
+@@ -83,6 +83,8 @@ int sc_asn1_read_tag(const u8 ** buf, si
+ 	 */
+ 	cla = (*p & SC_ASN1_TAG_CLASS) | (*p & SC_ASN1_TAG_CONSTRUCTED);
+ 	tag = *p & SC_ASN1_TAG_PRIMITIVE;
++	if (left < 1)
++		return SC_ERROR_INVALID_ASN1_OBJECT;
+ 	p++;
+ 	left--;
+ 	if (tag == SC_ASN1_TAG_PRIMITIVE) {
+Index: opensc-0.25.1/src/libopensc/card-dnie.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-dnie.c
++++ opensc-0.25.1/src/libopensc/card-dnie.c
+@@ -1172,12 +1172,16 @@ static int dnie_compose_and_send_apdu(sc
+ 
+ 	if (file_out) {
+ 		/* finally process FCI response */
++		size_t len = apdu.resp[1];
+ 		sc_file_free(*file_out);
+ 		*file_out = sc_file_new();
+ 		if (*file_out == NULL) {
+ 			LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
+ 		}
+-		res = card->ops->process_fci(card, *file_out, apdu.resp + 2, apdu.resp[1]);
++		if (apdu.resplen - 2 < len || len < 1) {
++			LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
++		}
++		res = card->ops->process_fci(card, *file_out, apdu.resp + 2, len);
+ 	}
+ 	LOG_FUNC_RETURN(ctx, res);
+ }
+@@ -1935,7 +1939,7 @@ static int dnie_process_fci(struct sc_ca
+ 	int *op = df_acl;
+ 	int n = 0;
+ 	sc_context_t *ctx = NULL;
+-	if ((card == NULL) || (card->ctx == NULL) || (file == NULL))
++	if ((card == NULL) || (card->ctx == NULL) || (file == NULL) || buflen == 0)
+ 		return SC_ERROR_INVALID_ARGUMENTS;
+ 	ctx = card->ctx;
+ 	LOG_FUNC_CALLED(ctx);
+Index: opensc-0.25.1/src/libopensc/muscle.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/muscle.c
++++ opensc-0.25.1/src/libopensc/muscle.c
+@@ -111,13 +111,15 @@ int  sc_partial_read_object(sc_card_t *c
+ 
+ int msc_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *data, size_t dataLength)
+ {
+-	int r;
++	int r = 0;
+ 	unsigned int i;
+ 	size_t max_read_unit = MSC_MAX_READ;
+ 
+-	for(i = 0; i < dataLength; i += max_read_unit) {
++	for(i = 0; i < dataLength; i += r) {
+ 		r = msc_partial_read_object(card, objectId, offset + i, data + i, MIN(dataLength - i, max_read_unit));
+ 		LOG_TEST_RET(card->ctx, r, "Error in partial object read");
++		if (r == 0)
++			break;
+ 	}
+ 	return (int)dataLength;
+ }
+@@ -154,7 +156,7 @@ int msc_create_object(sc_card_t *card, m
+ 	ushort2bebytes(buffer + 12, deleteAcl);
+ 	r = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+-	if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
++        if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
+ 		return (int)objectSize;
+ 	if(apdu.sw1 == 0x9C) {
+ 		if(apdu.sw2 == 0x01) {
+@@ -170,7 +172,7 @@ int msc_create_object(sc_card_t *card, m
+ 		     apdu.sw1, apdu.sw2);
+ 	}
+ 	msc_zero_object(card, objectId, objectSize);
+-	return (int)objectSize;
++	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+ }
+ 
+ /* Update up to MSC_MAX_READ - 9 bytes */
+Index: opensc-0.25.1/src/libopensc/card-entersafe.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-entersafe.c
++++ opensc-0.25.1/src/libopensc/card-entersafe.c
+@@ -1479,7 +1479,9 @@ static int entersafe_get_serialnr(sc_car
+ 	r=entersafe_transmit_apdu(card, &apdu,0,0,0,0);
+ 	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+ 	LOG_TEST_RET(card->ctx, sc_check_sw(card,apdu.sw1,apdu.sw2),"EnterSafe get SN failed");
+-
++	if (apdu.resplen != 8)
++		LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of SN");
++ 
+ 	card->serialnr.len=serial->len=8;
+ 	memcpy(card->serialnr.value,rbuf,8);
+ 	memcpy(serial->value,rbuf,8);

opensc-CVE-2024-45617.patch

@@ -0,0 +1,55 @@
+commit fdb9e903eb124b6b18a5a9350a26eceb775585bc
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date:   Tue Jul 16 14:05:36 2024 +0200
+
+     cac: Check return value when selecting AID
+    
+    Thanks Matteo Marini for report
+    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+    
+    fuzz_pkcs11/14
+
+Index: opensc-0.22.0/src/libopensc/card-cac.c
+===================================================================
+--- opensc-0.22.0.orig/src/libopensc/card-cac.c
++++ opensc-0.22.0/src/libopensc/card-cac.c
+@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card
+ 	/* Call without OID set will just select the AID without subsequent
+ 	 * OID selection, which we need to figure out just now
+ 	 */
+-	cac_select_file_by_type(card, &new_object.path, NULL);
++	r = cac_select_file_by_type(card, &new_object.path, NULL);
++	LOG_TEST_RET(card->ctx, r, "Cannot select AID");
+ 	r = cac_get_properties(card, &prop);
+-	if (r < 0)
+-		return SC_ERROR_INTERNAL;
++	LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties");
+ 
+ 	for (i = 0; i < prop.num_objects; i++) {
+ 		/* don't fail just because we have more certs than we can support */
+Index: opensc-0.22.0/src/libopensc/card-cardos.c
+===================================================================
+--- opensc-0.22.0.orig/src/libopensc/card-cardos.c
++++ opensc-0.22.0/src/libopensc/card-cardos.c
+@@ -1277,7 +1277,7 @@ cardos_lifecycle_get(sc_card_t *card, in
+ 	LOG_TEST_RET(card->ctx, r, "Card returned error");
+ 
+ 	if (apdu.resplen < 1) {
+-		LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response");
++		LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response");
+ 	}
+ 
+ 	r = SC_SUCCESS;
+Index: opensc-0.22.0/src/libopensc/card-jpki.c
+===================================================================
+--- opensc-0.22.0.orig/src/libopensc/card-jpki.c
++++ opensc-0.22.0/src/libopensc/card-jpki.c
+@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card,
+ 		u8 buf[4];
+ 		rc = sc_read_binary(card, 0, buf, 4, 0);
+ 		LOG_TEST_RET(card->ctx, rc, "SW Check failed");
++		if (rc < 4)
++			LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short");
+ 		file = sc_file_new();
+ 		if (!file) {
+ 			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);

opensc-CVE-2024-45618.patch

@@ -0,0 +1,67 @@
+commit 8632ec172beda894581d67eaa991e519a7874f7d
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date:   Wed Jul 17 11:18:52 2024 +0200
+
+    pkcs15-tcos: Check return value of serial num conversion
+    
+    Thanks Matteo Marini for report
+    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+    
+    fuzz_pkcs15_encode/21
+
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index 4d02a98ee..2bd275c4f 100644
+--- a/src/libopensc/pkcs15-tcos.c
++++ b/src/libopensc/pkcs15-tcos.c
+@@ -531,10 +531,15 @@ int sc_pkcs15emu_tcos_init_ex(
+ 	/* get the card serial number */
+ 	r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
+ 	if (r < 0) {
+-		sc_log(ctx,  "unable to get ICCSN\n");
++		sc_log(ctx, "unable to get ICCSN");
+ 		return SC_ERROR_WRONG_CARD;
+ 	}
+-	sc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0);
++	r = sc_bin_to_hex(serialnr.value, serialnr.len, serial, sizeof(serial), 0);
++	if (r != SC_SUCCESS) {
++		sc_log(ctx, "serial number invalid");
++		return SC_ERROR_INTERNAL;
++	}
++
+ 	serial[19] = '\0';
+ 	set_string(&p15card->tokeninfo->serial_number, serial);
+ 
+
+commit f9d68660f032ad4d7803431d5fc7577ea8792ac3
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date:   Wed Jul 17 14:56:22 2024 +0200
+
+    pkcs15-lib: Report transport key error
+    
+    Thanks Matteo Marini for report
+    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+    
+    fuzz_pkcs15init/17, fuzz_pkcs15init/18
+
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 6574e8025..943d53e98 100644
+--- a/src/pkcs15init/pkcs15-lib.c
++++ b/src/pkcs15init/pkcs15-lib.c
+@@ -3831,13 +3831,15 @@ sc_pkcs15init_get_transport_key(struct sc_profile *profile, struct sc_pkcs15_car
+ 	if (callbacks.get_key)   {
+ 		rv = callbacks.get_key(profile, type, reference, defbuf, defsize, pinbuf, pinsize);
+ 		LOG_TEST_RET(ctx, rv, "Cannot get key");
+-	}
+-	else if (rv >= 0)  {
++	} else if (rv >= 0) {
+ 		if (*pinsize < defsize)
+ 			LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Get transport key error");
+ 
+ 		memcpy(pinbuf, data.key_data, data.len);
+ 		*pinsize = data.len;
++	} else {
++		/* pinbuf and pinsize were not filled */
++		LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Get transport key error");
+ 	}
+ 
+ 	memset(&auth_info, 0, sizeof(auth_info));

opensc-CVE-2024-45619.patch

@@ -0,0 +1,212 @@
+commit f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date:   Tue Jul 16 14:22:02 2024 +0200
+
+    pkcs15-tcos: Check number of read bytes for cert
+    
+    Thanks Matteo Marini for report
+    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+    
+    fuzz_pkcs11/15
+
+Index: opensc-0.25.1/src/libopensc/pkcs15-tcos.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-tcos.c
++++ opensc-0.25.1/src/libopensc/pkcs15-tcos.c
+@@ -45,6 +45,7 @@ static int insert_cert(
+ 	struct sc_pkcs15_cert_info cert_info;
+ 	struct sc_pkcs15_object cert_obj;
+ 	unsigned char cert[20];
++	size_t cert_len = 0;
+ 	int r;
+ 
+ 	memset(&cert_info, 0, sizeof(cert_info));
+@@ -57,24 +58,31 @@ static int insert_cert(
+ 	strlcpy(cert_obj.label, label, sizeof(cert_obj.label));
+ 	cert_obj.flags = writable ? SC_PKCS15_CO_FLAG_MODIFIABLE : 0;
+ 
+-	if(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){
+-		sc_log(ctx, 
+-			"Select(%s) failed\n", path);
++	if (sc_select_file(card, &cert_info.path, NULL) != SC_SUCCESS) {
++		sc_log(ctx, "Select(%s) failed", path);
+ 		return 1;
+ 	}
+-	if(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){
+-		sc_log(ctx, 
+-			"ReadBinary(%s) failed\n", path);
++	r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
++	if (r <= 0) {
++		sc_log(ctx, "ReadBinary(%s) failed\n", path);
+ 		return 2;
+ 	}
+-	if(cert[0]!=0x30 || cert[1]!=0x82){
+-		sc_log(ctx, 
+-			"Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
++	cert_len = r; /* actual number of read bytes */
++	if (cert_len < 7 || (size_t)(7 + cert[5]) > cert_len) {
++		sc_log(ctx, "Invalid certificate length");
++		return 3;
++	}
++	if (cert[0] != 0x30 || cert[1] != 0x82) {
++		sc_log(ctx, "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
+ 		return 3;
+ 	}
+ 
+ 	/* some certificates are prefixed by an OID */
+-	if(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){
++	if (cert[4] == 0x06 && cert[5] < 10 && cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) {
++		if ((size_t)(9 + cert[5]) > cert_len) {
++			sc_log(ctx, "Invalid certificate length");
++			return 3;
++		}
+ 		cert_info.path.index=6+cert[5];
+ 		cert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4;
+ 	} else {
+@@ -82,12 +90,12 @@ static int insert_cert(
+ 		cert_info.path.count=(cert[2]<<8) + cert[3] + 4;
+ 	}
+ 
+-	r=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
+-	if(r!=SC_SUCCESS){
+-		sc_log(ctx,  "sc_pkcs15emu_add_x509_cert(%s) failed\n", path);
++	r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
++	if (r != SC_SUCCESS) {
++		sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed", path);
+ 		return 4;
+ 	}
+-	sc_log(ctx,  "%s: OK, Index=%d, Count=%d\n", path, cert_info.path.index, cert_info.path.count);
++	sc_log(ctx, "%s: OK, Index=%d, Count=%d", path, cert_info.path.index, cert_info.path.count);
+ 	return 0;
+ }
+ 
+Index: opensc-0.25.1/src/libopensc/pkcs15-gemsafeV1.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/pkcs15-gemsafeV1.c
++++ opensc-0.25.1/src/libopensc/pkcs15-gemsafeV1.c
+@@ -169,6 +169,7 @@ static int gemsafe_get_cert_len(sc_card_
+ 	size_t objlen;
+ 	int certlen;
+ 	unsigned int ind, i=0;
++	int read_len;
+ 
+ 	sc_format_path(GEMSAFE_PATH, &path);
+ 	r = sc_select_file(card, &path, &file);
+@@ -177,9 +178,11 @@ static int gemsafe_get_cert_len(sc_card_
+ 	sc_file_free(file);
+ 
+ 	/* Initial read */
+-	r = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
+-	if (r < 0)
++	read_len = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
++	if (read_len <= 2) {
++		sc_log(card->ctx, "Invalid size of object data: %d", read_len);
+ 		return SC_ERROR_INTERNAL;
++	}
+ 
+ 	/* Actual stored object size is encoded in first 2 bytes
+ 	 * (allocated EF space is much greater!)
+@@ -208,7 +211,7 @@ static int gemsafe_get_cert_len(sc_card_
+ 	 * the private key.
+ 	 */
+ 	ind = 2; /* skip length */
+-	while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
++	while (ind + 1 < (size_t)read_len && ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
+ 		if (ibuf[ind+1] == 0xFE) {
+ 			gemsafe_prkeys[i].ref = ibuf[ind+4];
+ 			sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
+@@ -235,7 +238,7 @@ static int gemsafe_get_cert_len(sc_card_
+ 	/* Read entire file, then dissect in memory.
+ 	 * Gemalto ClassicClient seems to do it the same way.
+ 	 */
+-	iptr = ibuf + GEMSAFE_READ_QUANTUM;
++	iptr = ibuf + read_len;
+ 	while ((size_t)(iptr - ibuf) < objlen) {
+ 		r = sc_read_binary(card, (unsigned)(iptr - ibuf), iptr,
+ 				   MIN(GEMSAFE_READ_QUANTUM, objlen - (iptr - ibuf)), 0);
+@@ -243,7 +246,14 @@ static int gemsafe_get_cert_len(sc_card_
+ 			sc_log(card->ctx, "Could not read cert object");
+ 			return SC_ERROR_INTERNAL;
+ 		}
+-		iptr += GEMSAFE_READ_QUANTUM;
++		if (r == 0)
++			break;
++		read_len += r;
++		iptr += r;
++	}
++	if ((size_t)read_len < objlen) {
++		sc_log(card->ctx, "Could not read cert object");
++		return SC_ERROR_INTERNAL;
+ 	}
+ 
+ 	/* Search buffer for certificates, they start with 0x3082. */
+Index: opensc-0.25.1/src/pkcs15init/pkcs15-setcos.c
+===================================================================
+--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-setcos.c
++++ opensc-0.25.1/src/pkcs15init/pkcs15-setcos.c
+@@ -507,6 +507,9 @@ setcos_generate_key(struct sc_profile *p
+ 		r = sc_card_ctl(p15card->card, SC_CARDCTL_SETCOS_GETDATA, &data_obj);
+ 		LOG_TEST_RET(ctx, r, "Cannot get key modulus: 'SETCOS_GETDATA' failed");
+ 
++		if (data_obj.DataLen < 3 || data_obj.DataLen < pubkey->u.rsa.modulus.len)
++			LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Cannot get key modulus: wrong length of raw key");
++
+ 		keybits = ((raw_pubkey[0] * 256) + raw_pubkey[1]);  /* modulus bit length */
+ 		if (keybits != key_info->modulus_length)  {
+ 			sc_log(ctx,
+Index: opensc-0.25.1/src/pkcs15init/pkcs15-sc-hsm.c
+===================================================================
+--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-sc-hsm.c
++++ opensc-0.25.1/src/pkcs15init/pkcs15-sc-hsm.c
+@@ -140,7 +140,7 @@ static int sc_hsm_determine_free_id(stru
+ 	LOG_TEST_RET(card->ctx, filelistlength, "Could not enumerate file and key identifier");
+ 
+ 	for (j = 0; j < 256; j++) {
+-		for (i = 0; i < filelistlength; i += 2) {
++		for (i = 0; i + 1 < filelistlength; i += 2) {
+ 			if ((filelist[i] == range) && (filelist[i + 1] == j)) {
+ 				break;
+ 			}
+Index: opensc-0.25.1/src/libopensc/card-coolkey.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/card-coolkey.c
++++ opensc-0.25.1/src/libopensc/card-coolkey.c
+@@ -1697,6 +1697,7 @@ static int coolkey_rsa_op(sc_card_t *car
+ 	u8 key_number;
+ 	size_t params_len;
+ 	u8 buf[MAX_COMPUTE_BUF + 2];
++	size_t buf_len;
+ 	u8 *buf_out;
+ 
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+@@ -1737,8 +1738,6 @@ static int coolkey_rsa_op(sc_card_t *car
+ 		ushort2bebytes(params.init.buf_len, 0);
+ 	} else {
+ 		/* The data fits in APDU. Copy it to the params object */
+-		size_t buf_len;
+-
+ 		params.init.location = COOLKEY_CRYPT_LOCATION_APDU;
+ 
+ 		params_len = sizeof(params.init) + datalen;
+@@ -1758,6 +1757,7 @@ static int coolkey_rsa_op(sc_card_t *car
+ 	if (r < 0) {
+ 		goto done;
+ 	}
++	buf_len = crypt_out_len_p;
+ 
+ 	if (datalen > MAX_COMPUTE_BUF) {
+ 		u8 len_buf[2];
+@@ -1776,7 +1776,12 @@ static int coolkey_rsa_op(sc_card_t *car
+ 					priv->nonce, sizeof(priv->nonce));
+ 
+ 	} else {
+-		size_t out_length = bebytes2ushort(buf);
++		size_t out_length;
++		if (buf_len < 2) {
++			r = SC_ERROR_WRONG_LENGTH;
++			goto done;
++		}
++		out_length = bebytes2ushort(buf);
+ 		if (out_length > sizeof buf - 2) {
+ 			r = SC_ERROR_WRONG_LENGTH;
+ 			goto done;

opensc-CVE-2024-45620.patch

@@ -0,0 +1,73 @@
+commit a1bcc6516f43d570899820d259b71c53f8049168
+Author: Veronika Hanulíková <vhanulik@redhat.com>
+Date:   Thu Jul 18 09:23:20 2024 +0200
+
+    pkcs15-starcos: Check length of file to be non-zero
+    
+    Thanks Matteo Marini for report
+    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+    
+    fuzz_pkcs15init/20
+
+Index: opensc-0.25.1/src/pkcs15init/pkcs15-starcos.c
+===================================================================
+--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-starcos.c
++++ opensc-0.25.1/src/pkcs15init/pkcs15-starcos.c
+@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profil
+ 		return r;
+ 	len = tfile->size;
+ 	sc_file_free(tfile);
++	if (len == 0)
++		return SC_ERROR_INTERNAL;
+ 	buf = malloc(len);
+ 	if (!buf)
+ 		return SC_ERROR_OUT_OF_MEMORY;
+@@ -684,7 +686,7 @@ static int starcos_write_pukey(sc_profil
+ 	if (num_keys == 0xff)
+ 		num_keys = 0;
+ 	/* encode public key */
+-	keylen  = starcos_encode_pukey(rsa, NULL, kinfo);
++	keylen = starcos_encode_pukey(rsa, NULL, kinfo);
+ 	if (!keylen) {
+ 		free(buf);
+ 		return SC_ERROR_INTERNAL;
+Index: opensc-0.25.1/src/libopensc/iasecc-sdo.c
+===================================================================
+--- opensc-0.25.1.orig/src/libopensc/iasecc-sdo.c
++++ opensc-0.25.1/src/libopensc/iasecc-sdo.c
+@@ -318,16 +318,26 @@ iasecc_se_parse(struct sc_card *card, un
+ 
+ 	LOG_FUNC_CALLED(ctx);
+ 
++        if (data_len < 1)
++                LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ 	if (*data == IASECC_SDO_TEMPLATE_TAG)   {
+ 		size_size = iasecc_parse_size(data + 1, data_len - 1, &size);
+ 		LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+ 
++                if (data_len - 1 < size)
++                       LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
++
+ 		data += size_size + 1;
+ 		data_len = size;
+ 		sc_log(ctx,
+ 		       "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %d",
+ 		       size, size_size);
+ 
++                if (data_len < 3)
++                        LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ 		if (*data != IASECC_SDO_TAG_HEADER)
+ 			LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+ 
+@@ -759,6 +769,8 @@ iasecc_sdo_parse(struct sc_card *card, u
+ 	int rv;
+ 
+ 	LOG_FUNC_CALLED(ctx);
++	if (data == NULL || data_len < 2)
++		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+ 
+ 	if (*data == IASECC_SDO_TEMPLATE_TAG)   {
+ 		size_size = iasecc_parse_size(data + 1, data_len - 1, &size);

opensc-CVE-2024-8443.patch

@@ -0,0 +1,78 @@
+commit b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc
+Author: Jakub Jelen <jjelen@redhat.com>
+Date:   Mon Aug 12 19:02:14 2024 +0200
+
+    openpgp: Do not accept non-matching key responses
+    
+    When generating RSA key pair using PKCS#15 init, the driver could accept
+    responses relevant to ECC keys, which made further processing in the
+    pkcs15-init failing/accessing invalid parts of structures.
+    
+    Thanks oss-fuzz!
+    
+    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010
+    
+    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+Index: opensc-0.22.0/src/libopensc/card-openpgp.c
+===================================================================
+--- opensc-0.22.0.orig/src/libopensc/card-openpgp.c
++++ opensc-0.22.0/src/libopensc/card-openpgp.c
+@@ -2657,14 +2657,21 @@ pgp_calculate_and_store_fingerprint(sc_c
+ 	/* update the blob containing fingerprints (00C5) */
+ 	sc_log(card->ctx, "Updating fingerprint blob 00C5.");
+ 	fpseq_blob = pgp_find_blob(card, 0x00C5);
+-	if (fpseq_blob == NULL)
+-		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");
++	if (fpseq_blob == NULL) {
++		r = SC_ERROR_OUT_OF_MEMORY;
++		LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");
++	}
++	if (20 * key_info->key_id > fpseq_blob->len) {
++		r = SC_ERROR_OBJECT_NOT_VALID;
++		LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough");
++	}
+ 
+ 	/* save the fingerprints sequence */
+ 	newdata = malloc(fpseq_blob->len);
+-	if (newdata == NULL)
+-		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,
+-			"Not enough memory to update fingerprint blob 00C5");
++	if (newdata == NULL) {
++		r = SC_ERROR_OUT_OF_MEMORY;
++		LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5");
++	}
+ 
+ 	memcpy(newdata, fpseq_blob->data, fpseq_blob->len);
+ 	/* move p to the portion holding the fingerprint of the current key */
+@@ -2778,6 +2785,9 @@ pgp_parse_and_set_pubkey_output(sc_card_
+ 
+ 		/* RSA modulus */
+ 		if (tag == 0x0081) {
++			if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
++				LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
++			}
+ 			if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len)  /* modulus_len is in bits */
+ 				|| key_info->u.rsa.modulus == NULL) {
+ 
+@@ -2793,6 +2803,9 @@ pgp_parse_and_set_pubkey_output(sc_card_
+ 		}
+ 		/* RSA public exponent */
+ 		else if (tag == 0x0082) {
++			if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
++				LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
++			}
+ 			if ((BYTES4BITS(key_info->u.rsa.exponent_len) < len)  /* exponent_len is in bits */
+ 				|| key_info->u.rsa.exponent == NULL) {
+ 
+@@ -2808,6 +2821,10 @@ pgp_parse_and_set_pubkey_output(sc_card_
+ 		}
+ 		/* ECC public key */
+ 		else if (tag == 0x0086) {
++			if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA &&
++					key_info->algorithm != SC_OPENPGP_KEYALGO_ECDH) {
++				LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
++			}
+ 			/* set the output data */
+ 			/* len is ecpoint length + format byte
+ 			 * see section 7.2.14 of 3.3.1 specs */

opensc-docbook-xsl-fix.patch

@@ -0,0 +1,13 @@
+diff --git a/doc/html.xsl b/doc/html.xsl
+index 665d45f..734fa98 100644
+--- a/doc/html.xsl
++++ b/doc/html.xsl
+@@ -3,7 +3,7 @@
+ <!ENTITY css SYSTEM "api.css">
+ ]>
+ <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+-	<xsl:import href="docbook-utf8.xsl"/>
++	<xsl:import href="docbook.xsl"/>
+ 	<xsl:param name="toc.section.depth" select="0"/>
+ 	<xsl:param name="generate.consistent.ids" select="1"/>
+ 	<xsl:template name="user.head.content">

opensc-gcc11.patch

@@ -0,0 +1,31 @@
+diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c
+index 41e620a..57f8a79 100644
+--- a/src/tools/opensc-explorer.c
++++ b/src/tools/opensc-explorer.c
+@@ -1839,6 +1839,12 @@ static int do_apdu(int argc, char **argv)
+ 	if (argc < 1)
+ 		return usage(do_apdu);
+ 
++	/* gcc-11 complains about BUF potentially being used without being
++	   initialized.  I can't convince myself that the calls to
++	   parse_string_or_hexdata will fully initialize it, so we just
++	   initialize it here.  */
++	memset (buf, 0, sizeof (buf));
++
+ 	/* loop over the args and parse them, making sure the result fits into buf[] */
+ 	for (i = 0, len = 0; i < (unsigned) argc && len < sizeof(buf); i++)   {
+ 		size_t len0 = sizeof(buf) - len;
+commit 1680b3a1fb15319e41dbe3214ef8c4a4c215d529
+Author: Jakub Jelen <jjelen@redhat.com>
+Date:   Tue Feb 23 19:57:02 2021 +0100
+
+    Fix build on gcc11
+    
+    This made most of the applications crashing in Fedora 34 when
+    smart card was plugged in.
+    
+    The suggested patch makes the code path more obvious for gcc to
+    handle.
+    
+    https://bugzilla.redhat.com/show_bug.cgi?id=1930652
+

opensc-gcc15.patch

@@ -0,0 +1,337 @@
+diff --git a/src/libopensc/card-epass2003.c b/src/libopensc/card-epass2003.c
+index 14d389a43..0650b1d48 100644
+--- a/src/libopensc/card-epass2003.c
++++ b/src/libopensc/card-epass2003.c
+@@ -3046,11 +3046,14 @@ epass2003_erase_card(struct sc_card *card)
+ {
+ 	static const unsigned char install_magic_pin[26] = {
+ 		/* compare install_secret_key */
+-		0x06,0x01,0x10,0x16, 0x16,0x16,0x00,0x0f, 0xff,0x66,
+-		0x31,0x32,0x33,0x34, 0x35,0x36,0x37,0x38,
+-		0x31,0x32,0x33,0x34, 0x35,0x36,0x37,0x38,
++			0x06, 0x01, 0x10, 0x16, 0x16, 0x16, 0x00, 0x0f, 0xff, 0x66,
++			0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
++			0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
++	};
++	static const unsigned char magic_pin[16] = {
++			0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
++			0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
+ 	};
+-	static const unsigned char magic_pin[16] = "1234567812345678";
+ 	static const unsigned char mf_path[2] = { 0x3f, 0x00 };
+ 	sc_apdu_t apdu;
+ 	int r;
+diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
+index 81a1ad541..573d0bae5 100644
+--- a/src/libopensc/card-piv.c
++++ b/src/libopensc/card-piv.c
+@@ -604,143 +604,143 @@ struct piv_object {
+ static const struct piv_object piv_objects[] = {
+ 	{ PIV_OBJ_CCC, "Card Capability Container",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00", PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.1.219.0", 3, {0x5F, 0xC1, 0x07}, {0xDB, 0x00}, PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_CHUI, "Card Holder Unique Identifier",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00", 0},
++			"2.16.840.1.101.3.7.2.48.0", 3, {0x5F, 0xC1, 0x02}, {0x30, 0x00}, 0},
+ 	{ PIV_OBJ_X509_PIV_AUTH, "X.509 Certificate for PIV Authentication",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01", PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI} ,
++			"2.16.840.1.101.3.7.2.1.1", 3, {0x5F, 0xC1, 0x05}, {0x01, 0x01}, PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI} ,
+ 	{ PIV_OBJ_CHF, "Card Holder Fingerprints",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10", PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.96.16", 3, {0x5F, 0xC1, 0x03}, {0x60, 0x10}, PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_PI, "Printed Information",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01", PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.48.1", 3, {0x5F, 0xC1, 0x09}, {0x30, 0x01}, PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_CHFI, "Cardholder Facial Images",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30", PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.96.48", 3, {0x5F, 0xC1, 0x08}, {0x60, 0x30}, PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_X509_DS, "X.509 Certificate for Digital Signature",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00", PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.1.0", 3, {0x5F, 0xC1, 0x0A}, {0x01, 0x00}, PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_X509_KM, "X.509 Certificate for Key Management",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02", PIV_OBJECT_TYPE_CERT},
++			"2.16.840.1.101.3.7.2.1.2", 3, {0x5F, 0xC1, 0x0B}, {0x01, 0x02}, PIV_OBJECT_TYPE_CERT},
+ 	{ PIV_OBJ_X509_CARD_AUTH, "X.509 Certificate for Card Authentication",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00", PIV_OBJECT_TYPE_CERT},
++			"2.16.840.1.101.3.7.2.5.0", 3, {0x5F, 0xC1, 0x01}, {0x05, 0x00}, PIV_OBJECT_TYPE_CERT},
+ 	{ PIV_OBJ_SEC_OBJ, "Security Object",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00", PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.144.0", 3, {0x5F, 0xC1, 0x06}, {0x90, 0x00}, PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_DISCOVERY, "Discovery Object",
+ 			SC_ASN1_APP | SC_ASN1_CONS | 0x1E,
+-			"2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50", 0},
++			"2.16.840.1.101.3.7.2.96.80", 1, {0x7E}, {0x60, 0x50}, 0},
+ 	{ PIV_OBJ_HISTORY, "Key History Object",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60", PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.96.96", 3, {0x5F, 0xC1, 0x0C}, {0x60, 0x60}, PIV_OBJECT_NEEDS_VCI},
+ 
+ /* 800-73-3, 21 new objects, 20 history certificates */
+ 	{ PIV_OBJ_RETIRED_X509_1, "Retired X.509 Certificate for Key Management 1",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.1", 3, "\x5F\xC1\x0D", "\x10\x01",
++			"2.16.840.1.101.3.7.2.16.1", 3, {0x5F, 0xC1, 0x0D}, {0x10, 0x01},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_2, "Retired X.509 Certificate for Key Management 2",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.2", 3, "\x5F\xC1\x0E", "\x10\x02",
++			"2.16.840.1.101.3.7.2.16.2", 3, {0x5F, 0xC1, 0x0E}, {0x10, 0x02},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_3, "Retired X.509 Certificate for Key Management 3",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.3", 3, "\x5F\xC1\x0F", "\x10\x03",
++			"2.16.840.1.101.3.7.2.16.3", 3, {0x5F, 0xC1, 0x0F}, {0x10, 0x03},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_4, "Retired X.509 Certificate for Key Management 4",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.4", 3, "\x5F\xC1\x10", "\x10\x04",
++			"2.16.840.1.101.3.7.2.16.4", 3, {0x5F, 0xC1, 0x10}, {0x10, 0x04},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_5, "Retired X.509 Certificate for Key Management 5",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.5", 3, "\x5F\xC1\x11", "\x10\x05",
++			"2.16.840.1.101.3.7.2.16.5", 3, {0x5F, 0xC1, 0x11}, {0x10, 0x05},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_6, "Retired X.509 Certificate for Key Management 6",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.6", 3, "\x5F\xC1\x12", "\x10\x06",
++			"2.16.840.1.101.3.7.2.16.6", 3, {0x5F, 0xC1, 0x12}, {0x10, 0x06},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_7, "Retired X.509 Certificate for Key Management 7",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.7", 3, "\x5F\xC1\x13", "\x10\x07",
++			"2.16.840.1.101.3.7.2.16.7", 3, {0x5F, 0xC1, 0x13}, {0x10, 0x07},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_8, "Retired X.509 Certificate for Key Management 8",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.8", 3, "\x5F\xC1\x14", "\x10\x08",
++			"2.16.840.1.101.3.7.2.16.8", 3, {0x5F, 0xC1, 0x14}, {0x10, 0x08},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_9, "Retired X.509 Certificate for Key Management 9",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.9", 3, "\x5F\xC1\x15", "\x10\x09",
++			"2.16.840.1.101.3.7.2.16.9", 3, {0x5F, 0xC1, 0x15}, {0x10, 0x09},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_10, "Retired X.509 Certificate for Key Management 10",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.10", 3, "\x5F\xC1\x16", "\x10\x0A",
++			"2.16.840.1.101.3.7.2.16.10", 3, {0x5F, 0xC1, 0x16}, {0x10, 0x0A},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_11, "Retired X.509 Certificate for Key Management 11",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.11", 3, "\x5F\xC1\x17", "\x10\x0B",
++			"2.16.840.1.101.3.7.2.16.11", 3, {0x5F, 0xC1, 0x17}, {0x10, 0x0B},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_12, "Retired X.509 Certificate for Key Management 12",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.12", 3, "\x5F\xC1\x18", "\x10\x0C",
++			"2.16.840.1.101.3.7.2.16.12", 3, {0x5F, 0xC1, 0x18}, {0x10, 0x0C},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_13, "Retired X.509 Certificate for Key Management 13",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.13", 3, "\x5F\xC1\x19", "\x10\x0D",
++			"2.16.840.1.101.3.7.2.16.13", 3, {0x5F, 0xC1, 0x19}, {0x10, 0x0D},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_14, "Retired X.509 Certificate for Key Management 14",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.14", 3, "\x5F\xC1\x1A", "\x10\x0E",
++			"2.16.840.1.101.3.7.2.16.14", 3, {0x5F, 0xC1, 0x1A}, {0x10, 0x0E},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_15, "Retired X.509 Certificate for Key Management 15",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.15", 3, "\x5F\xC1\x1B", "\x10\x0F",
++			"2.16.840.1.101.3.7.2.16.15", 3, {0x5F, 0xC1, 0x1B}, {0x10, 0x0F},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_16, "Retired X.509 Certificate for Key Management 16",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.16", 3, "\x5F\xC1\x1C", "\x10\x10",
++			"2.16.840.1.101.3.7.2.16.16", 3, {0x5F, 0xC1, 0x1C}, {0x10, 0x10},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_17, "Retired X.509 Certificate for Key Management 17",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.17", 3, "\x5F\xC1\x1D", "\x10\x11",
++			"2.16.840.1.101.3.7.2.16.17", 3, {0x5F, 0xC1, 0x1D}, {0x10, 0x11},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_18, "Retired X.509 Certificate for Key Management 18",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.18", 3, "\x5F\xC1\x1E", "\x10\x12",
++			"2.16.840.1.101.3.7.2.16.18", 3, {0x5F, 0xC1, 0x1E}, {0x10, 0x12},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_19, "Retired X.509 Certificate for Key Management 19",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.19", 3, "\x5F\xC1\x1F", "\x10\x13",
++			"2.16.840.1.101.3.7.2.16.19", 3, {0x5F, 0xC1, 0x1F}, {0x10, 0x13},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 	{ PIV_OBJ_RETIRED_X509_20, "Retired X.509 Certificate for Key Management 20",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.20", 3, "\x5F\xC1\x20", "\x10\x14",
++			"2.16.840.1.101.3.7.2.16.20", 3, {0x5F, 0xC1, 0x20}, {0x10, 0x14},
+ 			PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT | PIV_OBJECT_NEEDS_VCI},
+ 
+ 	{ PIV_OBJ_IRIS_IMAGE, "Cardholder Iris Images",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.21", 3, "\x5F\xC1\x21", "\x10\x15", PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.16.21", 3, {0x5F, 0xC1, 0x21}, {0x10, 0x15}, PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
+ 
+ /* 800-73-4, 3 new objects */
+ 	{ PIV_OBJ_BITGT, "Biometric Information Templates Group Template",
+ 			 SC_ASN1_APP | SC_ASN1_CONS | 0x1F61,
+-			"2.16.840.1.101.3.7.2.16.22", 2, "\x7F\x61", "\x10\x16", 0},
++			"2.16.840.1.101.3.7.2.16.22", 2, {0x7F, 0x61}, {0x10, 0x16}, 0},
+ 	{ PIV_OBJ_SM_CERT_SIGNER, "Secure Messaging Certificate Signer",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.23", 3, "\x5F\xC1\x22", "\x10\x17",
++			"2.16.840.1.101.3.7.2.16.23", 3, {0x5F, 0xC1, 0x22}, {0x10, 0x17},
+ 			PIV_OBJECT_TYPE_CERT | PIV_OBJECT_TYPE_CVC},
+ 	{PIV_OBJ_PCRDCS, "Pairing Code Reference Data Container",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.16.24", 3, "\x5F\xC1\x23", "\x10\x18", PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
++			"2.16.840.1.101.3.7.2.16.24", 3, {0x5F, 0xC1, 0x23}, {0x10, 0x18}, PIV_OBJECT_NEEDS_PIN | PIV_OBJECT_NEEDS_VCI},
+ 
+ /* following not standard , to be used by piv-tool only for testing */
+ 	{ PIV_OBJ_9B03, "3DES-ECB ADM",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0},
++			"2.16.840.1.101.3.7.2.9999.3", 2, {0x9B, 0x03}, {0x9B, 0x03}, 0},
+ 	/* Only used when signing a cert req, usually from engine
+ 	 * after piv-tool generated the key and saved the pub key
+ 	 * to a file. Note RSA key can be 1024, 2048 or 3072
+@@ -748,77 +748,77 @@ static const struct piv_object piv_objects[] = {
+ 	 */
+ 	{ PIV_OBJ_9A06, "RSA 9A Pub key from last genkey",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.20", 2, "\x9A\x06", "\x9A\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.20", 2, {0x9A, 0x06}, {0x9A, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9C06, "Pub 9C key from last genkey",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.21", 2, "\x9C\x06", "\x9C\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.21", 2, {0x9C, 0x06}, {0x9C, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9D06, "Pub 9D key from last genkey",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.22", 2, "\x9D\x06", "\x9D\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.22", 2, {0x9D, 0x06}, {0x9D, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9E06, "Pub 9E key from last genkey",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.23", 2, "\x9E\x06", "\x9E\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.23", 2, {0x9E, 0x06}, {0x9E, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 
+ 	{ PIV_OBJ_8206, "Pub 82 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.101", 2, "\x82\x06", "\x82\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.101", 2, {0x82, 0x06}, {0x82, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8306, "Pub 83 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.102", 2, "\x83\x06", "\x83\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.102", 2, {0x83, 0x06}, {0x83, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8406, "Pub 84 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.103", 2, "\x84\x06", "\x84\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.103", 2, {0x84, 0x06}, {0x84, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8506, "Pub 85 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.104", 2, "\x85\x06", "\x85\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.104", 2, {0x85, 0x06}, {0x85, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8606, "Pub 86 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.105", 2, "\x86\x06", "\x86\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.105", 2, {0x86, 0x06}, {0x86, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8706, "Pub 87 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.106", 2, "\x87\x06", "\x87\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.106", 2, {0x87, 0x06}, {0x87, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8806, "Pub 88 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.107", 2, "\x88\x06", "\x88\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.107", 2, {0x88, 0x06}, {0x88, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8906, "Pub 89 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.108", 2, "\x89\x06", "\x89\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.108", 2, {0x89, 0x06}, {0x89, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8A06, "Pub 8A key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.109", 2, "\x8A\x06", "\x8A\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.109", 2, {0x8A, 0x06}, {0x8A, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8B06, "Pub 8B key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.110", 2, "\x8B\x06", "\x8B\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.110", 2, {0x8B, 0x06}, {0x8B, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8C06, "Pub 8C key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.111", 2, "\x8C\x06", "\x8C\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.111", 2, {0x8C, 0x06}, {0x8C, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8D06, "Pub 8D key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.112", 2, "\x8D\x06", "\x8D\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.112", 2, {0x8D, 0x06}, {0x8D, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8E06, "Pub 8E key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.113", 2, "\x8E\x06", "\x8E\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.113", 2, {0x8E, 0x06}, {0x8E, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_8F06, "Pub 8F key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.114", 2, "\x8F\x06", "\x8F\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.114", 2, {0x8F, 0x06}, {0x8F, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9006, "Pub 90 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.115", 2, "\x90\x06", "\x90\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.115", 2, {0x90, 0x06}, {0x90, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9106, "Pub 91 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.116", 2, "\x91\x06", "\x91\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.116", 2, {0x91, 0x06}, {0x91, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9206, "Pub 92 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.117", 2, "\x92\x06", "\x92\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.117", 2, {0x92, 0x06}, {0x92, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9306, "Pub 93 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.118", 2, "\x93\x06", "\x93\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.118", 2, {0x93, 0x06}, {0x93, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9406, "Pub 94 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.119", 2, "\x94\x06", "\x94\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.119", 2, {0x94, 0x06}, {0x94, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 	{ PIV_OBJ_9506, "Pub 95 key ",
+ 			SC_ASN1_APP | 0x13,
+-			"2.16.840.1.101.3.7.2.9999.120", 2, "\x95\x06", "\x95\x06", PIV_OBJECT_TYPE_PUBKEY},
++			"2.16.840.1.101.3.7.2.9999.120", 2, {0x95, 0x06}, {0x95, 0x06}, PIV_OBJECT_TYPE_PUBKEY},
+ 			/*
+ 			 * "Secure Messaging Certificate Signer" is just a certificate.
+ 			 * No pub or private key on the card.
+diff --git a/src/tests/p11test/p11test_case_wrap.c b/src/tests/p11test/p11test_case_wrap.c
+index ecb257b56..e9c503d7e 100644
+--- a/src/tests/p11test/p11test_case_wrap.c
++++ b/src/tests/p11test/p11test_case_wrap.c
+@@ -390,15 +390,15 @@ test_unwrap_aes(test_cert_t *o, token_info_t *info, test_mech_t *mech)
+ 	CK_ULONG key_padded_len = sizeof(key);
+ 	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ 	CK_KEY_TYPE keyType = CKK_AES;
+-	CK_BBOOL true = CK_TRUE;
++	CK_BBOOL _true = CK_TRUE;
+ 	CK_BYTE new_id[] = {0x00, 0xff, 0x42};
+ 	CK_BYTE new_label[] = "Unwrapped key";
+ 	CK_ATTRIBUTE template[] = {
+ 			{CKA_CLASS, &keyClass, sizeof(keyClass)},
+ 			{CKA_KEY_TYPE, &keyType, sizeof(keyType)},
+-			{CKA_ENCRYPT, &true, sizeof(true)},
+-			{CKA_DECRYPT, &true, sizeof(true)},
+-			{CKA_TOKEN, &true, sizeof(true)},
++			{CKA_ENCRYPT, &_true, sizeof(_true)},
++			{CKA_DECRYPT, &_true, sizeof(_true)},
++			{CKA_TOKEN, &_true, sizeof(_true)},
+ 			{CKA_ID, &new_id, sizeof(new_id)},
+ 			{CKA_LABEL, &new_label, sizeof(new_label)},
+ 			{CKA_VALUE_LEN, &key_len, sizeof(key_len)}, /* keep this one last! */
+-- 
+2.48.0
+

opensc-rpmlintrc

@@ -0,0 +1,3 @@
+# There is no devel package any more.
+addFilter("obsolete-not-provided")
+addFilter("devel-file-in-non-devel-package")

opensc.module

@@ -0,0 +1,8 @@
+# This file describes how to load the opensc module
+# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package opensc for
+# 32-bit and 64-bit and make them parallel installable
+module: onepin-opensc-pkcs11.so

opensc.spec

@@ -0,0 +1,132 @@
+#
+# spec file for package opensc
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define sover 12
+%define completionsdir %(pkg-config --variable completionsdir bash-completion)
+Name:           opensc
+Version:        0.26.1
+Release:        0
+Summary:        Smart Card Utilities
+License:        LGPL-2.1-or-later
+Group:          Productivity/Security
+URL:            https://github.com/OpenSC/OpenSC/wiki
+Source:         https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1:        baselibs.conf
+Source2:        %{name}-rpmlintrc
+# Register with p11-kit
+# https://web.archive.org/web/20111225073733/http://www.opensc-project.org/opensc/ticket/390
+Source3:        opensc.module
+Patch0:         opensc-gcc11.patch
+Patch1:         opensc-docbook-xsl-fix.patch
+# PATCH-FIX-UPSTREAM Fix error found when compiling with gcc 15 #3316
+Patch2:         opensc-gcc15.patch
+BuildRequires:  automake
+BuildRequires:  docbook-xsl-stylesheets
+BuildRequires:  libxslt
+BuildRequires:  pkgconfig
+BuildRequires:  readline-devel
+BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(bash-completion)
+BuildRequires:  pkgconfig(libeac)  >= 0.9
+BuildRequires:  pkgconfig(libpcsclite) >= 1.8.22
+BuildRequires:  pkgconfig(openssl) >= 1.0.1
+Requires:       pcsc-lite
+# There is no more devel package.
+Obsoletes:      opensc-devel < %{version}
+
+%description
+OpenSC provides a set of utilities to access smart cards. It mainly
+focuses on cards that support cryptographic operations. It facilitates
+their use in security applications such as mail encryption,
+authentication, and digital signature. OpenSC implements the PKCS#11
+API. Applications supporting this API, such as Mozilla Firefox and
+Thunderbird, can use it. OpenSC implements the PKCS#15 standard and aims
+to be compatible with every software that does so, too.
+
+Before purchasing any cards, please read carefully documentation on the
+web pageonly some cards are supported. Not only card type matters, but
+also card version, card OS version and preloaded applet. Only subset of
+possible operations may be supported for your card. Card initialization
+may require third party proprietary software.
+
+%package bash-completion
+Summary:        Bash Completion for %{name}
+Group:          Productivity/Security
+Requires:       %{name} = %{version}
+Requires:       bash-completion
+Supplements:    (%{name} and bash-completion)
+BuildArch:      noarch
+
+%description bash-completion
+Bash completion script for %{name}.
+
+%prep
+%setup -q
+%autopatch -p1
+
+%build
+%configure \
+  --docdir=%{_docdir}/%{name} \
+  --disable-static \
+  --enable-doc \
+  --disable-silent-rules
+%make_build
+
+%install
+%make_install
+# Private library.
+rm %{buildroot}%{_libdir}/libopensc.so
+install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pkcs11/modules/opensc.module
+
+%ldconfig_scriptlets
+
+%files
+%license COPYING
+%doc NEWS README
+%doc %{_docdir}/%{name}/tools.html
+%doc %{_docdir}/%{name}/files.html
+%doc %{_docdir}/%{name}/opensc.conf
+#
+%config(noreplace) %{_sysconfdir}/eac/cvc/DESCHSMCVCA00001
+%config(noreplace) %{_sysconfdir}/eac/cvc/DESRCACC100001
+#
+%{_bindir}/*
+%{_datadir}/applications/*.desktop
+%{_datadir}/opensc
+# Note: .la and .so must be in the main package, required by ltdl:
+%{_libdir}/*.la
+%{_libdir}/libsmm-local.so
+%{_libdir}/onepin-opensc-pkcs11.so
+%{_libdir}/opensc-pkcs11.so
+%{_libdir}/pkcs11-spy.so
+# This is a private library. There is no reason to split it to libopensc* package.
+%{_libdir}/libsmm-local.so.%{sover}*
+%{_libdir}/libopensc.so.%{sover}*
+#
+%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/*.so
+%{_libdir}/pkgconfig/opensc-pkcs11.pc
+%{_mandir}/man?/*%{ext_man}
+%config %{_sysconfdir}/opensc.conf
+%dir %{_sysconfdir}/pkcs11
+%config %{_sysconfdir}/pkcs11/modules/
+
+%files bash-completion
+%{completionsdir}/*
+
+%changelog