pool/opensc
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/opensc?expand=0&rev=8

Browse Source
This commit is contained in:
OBS User unknown 2008-09-13 04:31:55 +00:00 committed by Git OBS Bridge
parent d997106444
commit 0d5e7bb30b
8 changed files with 100 additions and 769 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

466
init_perso_guide.html
View File

@ -1,466 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type"><title>init_perso_guide</title></head>
<body>
<h1>OpenSC card init and perso guide</h1>
<h2>1. Introduction</h2>
<div style="text-align: center;"><span style="font-style: italic;">Nothing
is impossible for the man who doesn't</span><br style="font-style: italic;">
&nbsp;
<span style="font-style: italic;">have
to do it himself. -- A.H. Weiler</span><br>
</div>
<br>
This guide is about initialising and personalising (no distinction
made) cards with the OpenSC library and tools (mostly pkcs15-init).<br>
<br>
Some knowlegde about smart cards is assumed. Below is a short overview
of some key words and concepts. For more info, see the opensc.html
manual.<br>
<br>
<span style="font-weight: bold;">Filesystem - MF - DF - EF - FID</span><br>
A smart cards has a non-volatile memory (EEPROM) in which usually
a PC-like file system is implemented. The directories are called
Dedicated Files (DF) and the files are called Elementary Files (EF).
They are
identified by a File ID (FID) on 2 bytes. For example, the root of
the file system
(called Master File or MF) has FID = 3F 00 (hex).<br>
<br>
<span style="font-weight: bold;">Commands - APDUs</span><br>
It is possible to send commands (APDUs) to the card to select, read,
write, create, list, delete, ... EFs and DFs (not all cards allow all
commands).<br>
<br>
<span style="font-weight: bold;">Access control, PIN, PUK</span><br>
The file system usually implements some sort of access control on EFs
and DFs.<br>
This is usually done by PINs or Keys: you have to provide a PIN or show
knowledge of a key before you can perform some command on some EF/DF. A
PIN is usually accompanied by a PUK (Pin Unblock Key), which can be
used to
reset (or unblock) that PIN.<br>
<br>
<span style="font-weight: bold;">Cryptographic keys</span><br>
On crypto cards, it is also possible to sign, decrypt, key(pair)
generation (what can be done exactly depends on the card). on some
cards, key
and/or PINs are files in the filesystem, on other cards, they don't
exist in the filesystem but are referenced through an ID.<br>
<br>
<span style="font-weight: bold;">Reader - PC/SC - OpenCT - CT-API</span><br>
Smart card readers come with a library that can be used on a PC to send
APDUs to the card. Commonly used APIs for those libraries are PC/SC,
OpenCT
and CT-API.<br>
<br>
<span style="font-weight: bold;">PKCS15</span><br>
There are standards (e.g. ISO7816, parts 4-...) that specify how to
select, read, write, EFs and DFs, and how to sign, decrypt, login, ...<br>
However, there is also a need to know which files contain what, or
where the keys, PINs, .. can be found.<br>
For crypto cards, PCKS15 adresses this need by defining some files that
contain info on where to find keys, certificates, PINs, and other data.
For
example, there is a PrKDF (Private Key Directory File) that contains
the EFs or
ID of the private keys, what those keys can be used for, by which PINs
they
are protected, ... So a "PCKS15 card" is nothing but any other card on
which the right set
of files has been added.<br>
In short: PKCS15 allows you to describe where to find PINS, keys,
certificates and data on a card, plus all the info that is needed to
use them.<br>
<h3>A little PKCS15 example:</h3>
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
Object Directory File), PrKDF (Private Key Directory File) and CDF
(Certificate Directory File) that contain info on resp. the PINs,
private keys and certificates. Each of them contains 1 entry.<br>
<br>
AODF:
<pre> Com. Flags : private, modifiable<br> Auth ID : 01<br> Flags : [0x32], local, initialized, needs-padding<br> Length : min_len:4, max_len:8, stored_len:8<br> Pad char : 0x00<br> Reference : 1<br> Encoding : ASCII-numeric<br> Path : 3F005015<br></pre>
PrKDF:
<pre> Com. Flags : private, modifiable<br> Com. Auth ID: 01<br> Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep<br> Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local<br> ModLength : 1024<br> Key ref : 0<br> Native : yes<br> Path : 3F00501530450012<br> ID : 45<br></pre>
X.509 Certificate [/C=BE/ST=...]
<pre> Com. Flags : modifiable<br> Authority : no<br> Path : 3f0050154545<br> ID : 45</pre>
Some things to note:<br>
<ul>
<li>The Auth ID (01) of the private key is the same as the one of the
PIN which
means
that you first have to do a login with this PIN before
you can use this key.</li>
<li>The key is in an EF with ID = 0012 in the DF with ID = 3045,
which
on it is turn is a DF with ID 5015, which on it is turn is a DF of
the MF (3F00).</li>
<li>The private key and certificates share the same ID (45), which
means that they
belong together.</li>
<li>The certificate is in the EF with as path: 3F00\5015\3045
and is no CA
certificate.</li>
</ul>
Use the <span style="font-weight: bold;">tests/p15dump</span> tool to
see yourself what pkcs15 data is on your card, or <span style="font-weight: bold;">tools/opensc-explorer</span> to browse
through the files.<br>
<br>
Have the PKCS15 files a fixed place so everyone can find them? No,
there's only one: the EF(DIR) in the MF and with ID 2F00. That's the
starting
place.<br>
<br>
<h2>2. The OpenSC pkcs15-init library and profiles</h2>
Reading and writing files, PIN verification, signing and decryption
happen in much the same way on all cards. Therefore, the "normal life"
commands have been implemented in OpenSC for all supported cards.<br>
<br>
However, creating and deleting files, PINs and keys is very card
specific and has not yet been implemented for all cards.
Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex,
CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check
src/pkcs15-init/pkcs15-*.c for possible updates). Because of this, and
because
pkcs15-init is not necessary for "normal life" operations, it has been
put in a separate library and in a separate directory.<br>
<br>
<span style="font-weight: bold;">Profile</span><br>
Because the initialisation/personalisation is so card-specific, it
would be very hard to make a tool or API that accepts all parameters
for all current and future cards.<br>
Therefore, a profile file has been made in OpenSC that contains all the
card-specific parameters. This card-specific profile is read by
card-specific code in the pkcs15-init library each time this library is
used on
that card.<br>
See the *.profile files in src/pkcs15-init/. There is one general file
(pkcs15.profile) and one card-specific profile for each card.<br>
<br>
<span style="font-weight: bold;">Profile options</span><br>
There are currently 3 options you can specify to modify a profile:<br>
<ul>
<li>default: creation/deletion/generation is controlled by the SO PIN
(SO = Security Officer, different from the regular user of the card)</li>
<li>onepin: creation/deletion/generation is controlled by the user
PIN and thus by the user. As a result, only 1 user PIN is possible</li>
<li>small: like default, but suitable for card with little memory</li>
</ul>
<h2>3. pkcs15-init tool</h2>
This is a command-line tool that uses the pkcs15-init library. It
allows you to do all the init/perso things, e.g. add/delete keys,
certificates, PINs and data, generate keys, ... while specifying key
usage, which PIN protects which key, ...<br>
<br>
As said before, not all cards are supported in the pkcs15-init library.
In
that case, the pkcs15-init tool won't work (top 5 questions on the
mailing list:-). To find out which card you have, try "<span style="font-style: italic;">opensc-tool -n</span>"<br>
<br>
Below is explained how to do the operations that are supported by
pkcs15-tool.<br>
Not all options are explained (run "<span style="font-style: italic;">pkcs15-tool
-h</span>" to see them) because some are card-specific or obsolete (or
we don't know about them). Feel free to experiment and explain them
here.<br>
<br>
So the things in this section are fairly general but not guaranteed to
work for all cards. See also the section on "card-specific issues".<br>
<br>
The --reader or -r can be given with any command. By default the first
reader is used. Do "<span style="font-style: italic;">opensc-tool -l</span>"
to see the list of available readers.<br>
<br>
To see the results of what you did, you can do one of the following:<br>
&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-tool --list-pins
--list-public-keys -k -c -C</span><br>
&nbsp;&nbsp; <span style="font-style: italic;">p15dump</span> (in the
src/tests directory)<br>
To see/dump the content of any file, use the <span style="font-style: italic;">opensc-explorer</span> tool.<br>
<h3>* Create the PKCS15 files</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-C {-T} {-p &lt;profile&gt;} </span><span style="font-style: italic;">--so-pin
&lt;PIN&gt; --so-puk &lt;PUK&gt; | --no-so-pin | --pin &lt;PIN&gt;
--puk &lt;PUK&gt;<br>
<br>
</span>This will create the PKCS15 DF (5015) and all the PKCS15 files
(some of which will be empty until a key, PIN, ... will be added). It
must be done before you can do any of the operations below.<br>
<ul>
<li>This operation usually requires a 'transport' key. pkcs15-init
will ask you for this key and propose the default one for that card.
With -T, the default will be used without asking. NOTE: if you get a
"Failed to erase card: PIN code or key incorrect", the transport key is
wrong. Find this key and then try again, DO NOT try the default key
again!</li>
<li>If you want an SO PIN and PUK, do so with the --so-pin and
--so-puk options, or specify --no-so-pin if you don't want to. If you
use
the onpin profile, there is no SO PIN so you should specify --pin and
--puk instead. (So you get: pkcs15-init -CT -p pkcs15+onepin --pin
&lt;PIN&gt; --puk &lt;PUK&gt;)</li>
<li>To specify the profile file + option. The profile file can only
be "pkcs15" for the moment, so you can have:<br>
&nbsp;&nbsp;&nbsp;&nbsp; pkcs15+default : the default (not needed to
specify it)<br>
&nbsp;&nbsp;&nbsp;&nbsp; pkcs15+onepin: for the onepin profile
option<br>
&nbsp;&nbsp;&nbsp;&nbsp; pkcs15+small: for the small
profile option</li>
</ul>
<h3>* Erase the card's content</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-E {-T}</span><br>
<br>
This will delete all keys, PINS, certificates, data that were listed in
PKCS15
files, along with the PKCS15 files themselves.<br>
<ul>
<li>This operation usually requires a 'transport' key. pkcs15-init
will ask you for this key and propose the default one for that card.
With -T, the default will be used without asking. NOTE: if you get a
"Failed to erase card: PIN code or key incorrect", the transport key is
wrong. Find this key and then try again, DO NOT try the default key
again!</li>
</ul>
Note: you can combine erase/create (-E -C or -EC) to erase and then
create<br>
the card's contents, except when you change the profile option.<br>
<h3>* Add a PIN (not possible with the onepin profile option)</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-P {-a &lt;AuthID&gt;} {--pin &lt;PIN&gt;} {--puk &lt;PUK&gt;} {-l
&lt;label&gt;}</span><br>
<ul>
<li>You can specify the AuthID with -a, if you don't do so, a value
that didn't exist yet on the card will be chosen.</li>
<li>Specify the PIN and PUK with --pin and --puk, if you don't do so,
the tool will prompt you for one.</li>
<li>Specify the label (name) of the PIN with -l, or accept the
default label.</li>
</ul>
<h3>* Generate a key pair (on card or in software on the PC)</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-G &lt;keyspec&gt; -a &lt;AuthID&gt; --insecure {-i &lt;ID&gt;}
{--soft}{-u &lt;keyusage&gt;}{-l &lt;privkeylabel&gt;}
{--public-key-label &lt;pubkeylabel&gt;}</span><br>
<br>
This will generate a public and private key pair.<br>
<ul>
<li>The keyspec consist of the key type, rsa or dsa (depends on what
your cards supports), and optinally a slash followed by the keysize in
bits. E.g. "rsa/1024" specifies a 1024 bit RSA key pair. Note: dsa is
not
fully supported.</li>
<li>Specify the AuthID of the PIN that protects this key (from being
used in a signature or decryption operation) with -a; or specify
--insecure if you want the private key to be used without first
providing a PIN.</li>
<li>Specify the ID of the key with -i, otherwise the tool with choose
one.</li>
<li>Specify --soft if you don't want the key pair to be generated
on-chip.</li>
<li>Specify the usage of the private key with -u; if you add a
corresponding certificate later, it should have the same key usage. (Do
"pkcs15-init -u help" for help).</li>
<li>Specify the label (name) of the private key with -l, or accept
the default label.</li>
<li>Specify the label (name) of the public key with
--public-key-label, or accept the default label if you don't do so.</li>
<li>Depending on your card and profile option, you will be prompted
to provide your SO PIN and/or PIN; if you don't want to be prompted,
add them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
NOTE: see the SSL engines (below) on how to make a certificate request
with the key you generated.<br>
<h3>* Add a private key</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-S &lt;keyfile&gt; {-f &lt;keyformat&gt;} -a &lt;AuthID&gt; --insecure
{-i &lt;ID&gt;} {-u &lt;keyusage&gt;} {--passphrase &lt;password&gt;}
{-l &lt;label&gt;}</span><br>
<ul>
<li>The keyfile should be in DER (binary) or PEM format.</li>
<li>The keyformat should be PEM (default) or DER.</li>
<li>Specify the AuthID of the PIN that protects this key (from being
used in a signature or decryption operation) with -a; or specify
--insecure if you want the private key to be used without first
providing a PIN.</li>
<li>Specify the ID of the key with -i</li>
&lt;&gt;Specify the usage of the private key with -u; if you add a
corresponding certificate later, it should have the same key usage. (Do
"pkcs15-init -u help" for help). <li>Specify the label (name) of
the with -l, or accept the
default label.</li>
<li>Depending on your card and profile option, you will be prompted
to provide your SO PIN and/or PIN; if you don't want to be prompted,
add them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add a private key + certificate(s) (in a pkcs12 file)</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-S &lt;pkcs12file&gt; -f PKCS12 -a &lt;AuthID&gt; {--insecure} {-i
&lt;ID&gt;} {-u &lt;keyusage&gt;} {--passphrase &lt;password&gt;} {-l
&lt;privkeylabel&gt;} {--cert-label &lt;usercertlabel&gt;}</span><br>
<br>
This adds the private key and certificate chain to the card. If a
certificate already exists on the card, it won't be added again.<br>
<ul>
<li>Specify the AuthID of the PIN that protects this key (from being
used in a signature or decryption operation) with -a; or specify
--insecure if you want the private key to be used without first
providing a PIN.</li>
<li>Specify the ID of the key and the corresponding certificate with
-i,
otherwise the tool with choose one; only the 'user cert' will get the
same ID as the key, the other certificates will get 'authority' status
and
another ID.</li>
<li>You can specify the key-usage, but it is not advised to do this
so the key usage from the certificate is used.</li>
<li>Specify the password of the pkcs12 key file if you don't want to
be prompted for one.</li>
<li>Specify the label (name) of the private key with -l, or accept
the default label.</li>
<li>Specify the label (name) of the user certificate with
--cert-label, or accept the default label.</li>
<li>Depending on your card and profile option, you will be prompted
to provide your SO PIN and/or PIN; if you don't want to be prompted,
add them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add a certificate</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-style: italic;">
pkcs15-init -W &lt;certfile&gt; {-f &lt;certformat&gt;} {-i &lt;ID&gt;}
{--authority}</span><br>
<ul>
<li>The certfile should be in DER (binary) or PEM format</li>
<li>The certformat should be PEM (default) or DER</li>
<li>Specify the ID of the certificate with -i, otherwise the tool
with
choose one; if the certificate corresponds to a private and/or public
key, you
should specify the same ID as that key.</li>
<li>Specify --authority if it is a CA certificate.</li>
<li>Depending on your card and profile option, you will be prompted
to
provide your SO PIN and/or PIN; if you don't want to be prompted, add
them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add a public key</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
--store-public-key &lt;keyfile&gt; {-f &lt;keyformat&gt;} {-i
&lt;ID&gt;} {-l &lt;label&gt;}</span><br>
<ul>
<li>The keyfile should be in DER (binary) or PEM format</li>
<li>The keyformat should be PEM (default) or DER</li>
<li>Specify the ID of the key with -i, otherwise the tool with choose
one; if the key corresponds to a private key and/or certificate, you
should
specify the same ID as that private key and/or certificate.</li>
<li>Specify the label (name) of the with -l, or accept the
default label.</li>
<li>Depending on your card and profile option, you will be prompted
to
provide your SO PIN and/or PIN; if you don't want to be prompted, add
them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h3>* Add data</h3>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">pkcs15-init
-W &lt;datafile&gt; {-i &lt;ID&gt;} {-l &lt;label&gt;}</span><br>
<ul>
<li>The datafile is stored "as is" onto the card.</li>
<li>Specify the ID of the data with -i, or accept the default ID.</li>
<li>Specify the label (name) of the with -l, or accept the
default label.</li>
<li>Depending on your card and profile option, you will be prompted
to
provide your SO PIN and/or PIN; if you don't want to be prompted, add
them to the command line with --so-pin &lt;SOPIN&gt; and/or --pin
&lt;PIN&gt;.</li>
</ul>
<h2>4. Other tools</h2>
<h3>* SSL-engines</h3>
These libraries can be loaded in OpenSSL so you can do a certificate
request with the openssl tool; the signature on the certificate request
will
then be made with the smart card. The result can then be sent to a CA
for certification, the resulting certificate can be put on the card
with
pkcs15-init or pkcs11-tool.<br>
<ul>
<li>Run openssl</li>
<li>On the openssl command prompt, type<br>
&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">engine dynamic
-pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD</span><br>
&nbsp;or<br>
&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">engine dynamic
-pre
SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD</span><br>
depending on which one of the 2 engines (pkcs11 or opensc) you want to
use.</li>
</ul>
<ul>
<li>Then type (on the openssl command prompt)<br>
&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">req -engine
pkcs11 -new -key &lt;ID&gt; -keyform engine -out &lt;cert_req&gt;</span><br>
or<span style="font-style: italic;"><br>
</span><span style="font-style: italic;">&nbsp;&nbsp;&nbsp;&nbsp;
req -engine opensc -new -key &lt;ID&gt; -keyform engine -out
&lt;cert_req&gt;</span><br>
in which ID is the slot+ID in the following format:<br>
&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-style: italic;">[slot_&lt;slotID&gt;][-][id_&lt;ID&gt;]</span>,
e.g. <span style="font-style: italic;">id_45</span> or <span style="font-style: italic;">slot_0-id_45</span><br>
</li>
</ul>
<h3>* pkcs11-tool and Mozilla/Netscape</h3>
You can use the OpenSC pkcs11 library to generate a keypair in Mozilla
or Netscape, and let the browser generate a certificate request that
is sent to an on-line CA to issue and send you a certificate that is
then added to the card.<br>
<br>
Just go to an online CA (Globalsign, Thawte, ...) and follow their
guidelines. Because such a request either costs you or at least
requires you to provide a valid mail address, it is advisable to first
try you card with "<span style="font-weight: bold;">pkcs11-tool
--moz-cert
&lt;cert_file_in_der_format&gt; --login</span>".<br>
<br>
NOTE: This can only be done with the onepin profile option (because the
browser won't ask for an SO PIN, only for the user PIN).<br>
<br>
<h2>5. Card-specific issues</h2>
<div style="text-align: center;"><span style="font-style: italic;">Experience
is that marvelous thing that enables you to recognize</span><br style="font-style: italic;">
<span style="font-style: italic;">a mistake when you make it again. --
Franklin P. Jones</span><br>
</div>
<br>
<span style="font-weight: bold;">Cryptoflex:</span><br>
<ul>
<li>DFs and EFs in a DF have to be deleted in reverse order of
creation.<br>
OpenSC relies on this fact for security, but also has some downsides.
For example, if you did a "pkcs15-init -C" and then added some EFs or
DFs in the MF, you won't be able to do a "pkcs15-init -E" afterwards to
remove the PKCS15 DF (5015). So you'll first have to manually remove
all EFs/DFs you created in the MF before being able remove the pkcs15
DF.<br>
</li>
</ul>
<span style="font-weight: bold;">Starcos SPK 2.3:</span><br>
<ul>
<li>Due to the way Starcos SPK 2.3 manages access rights it is
necessary to manually call "pkcs15-init --finalize" after card
personalization if no SO-PIN has been specified. Once the card has been
finalized it is no possible to add new private/secrets keys or PINs. If
a SO-PIN is used the card will automatically be finalized after the
SO-PIN has been stored.</li>
<li>If an SO-PIN is used and if there is enough space in the key file
left, then the owner of the SO-PIN can access/use every protected item
by creating a PIN for the necessary state.</li>
</ul>
<br>
</body></html>

3
opensc-0.11.4.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a92d563c68ab052d133f69c12f4e2584d781f2266d47980b1786e76ce1202c06
size 1083131

3
opensc-0.11.6.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:38ba637a940a3ee99f5e60ceb4fef9f61d09386ac2d3aa6331f4c5b58dea0db2
size 1077790

276
opensc-cardos-CVE-2008-2235.patch
View File

@ -1,276 +0,0 @@
diff -udrNPp --exclude=.svn opensc.orig/src/libopensc/card-cardos.c opensc/src/libopensc/card-cardos.c
--- opensc.orig/src/libopensc/card-cardos.c 2007-08-08 22:15:48.000000000 +0200
+++ opensc/src/libopensc/card-cardos.c 2008-07-30 13:19:22.000000000 +0200
@@ -385,7 +385,7 @@ static const int df_acl[9] = {
SC_AC_OP_REHABILITATE, /* DF */
SC_AC_OP_DELETE, /* DF */
- -1, /* ADMIN DF */
+ SC_AC_OP_UPDATE, /* ADMIN DF */
SC_AC_OP_CREATE, /* Files */
-1 /* Reserved */
};
@@ -400,7 +400,7 @@ static const int ef_acl[9] = {
/* XXX: ADMIN should be an ACL type of its own, or mapped
* to erase */
- -1, /* ADMIN EF (modify meta information?) */
+ SC_AC_OP_UPDATE, /* ADMIN EF (modify meta information?) */
-1, /* INC (-> cylic fixed files) */
-1 /* DEC */
};
diff -udrNPp --exclude=.svn opensc.orig/src/tools/pkcs15-tool.c opensc/src/tools/pkcs15-tool.c
--- opensc.orig/src/tools/pkcs15-tool.c 2007-06-30 10:55:57.000000000 +0200
+++ opensc/src/tools/pkcs15-tool.c 2008-07-30 13:19:42.000000000 +0200
@@ -2,6 +2,7 @@
* pkcs15-tool.c: Tool for poking with PKCS #15 smart cards
*
* Copyright (C) 2001 Juha Yrjölä <juha.yrjola@iki.fi>
+ * Copyright (C) 2008 Andreas Jellinghaus <aj@dungeon.inka.de>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -90,6 +91,8 @@ static const struct option options[] = {
#if defined(HAVE_OPENSSL) && (defined(_WIN32) || defined(HAVE_INTTYPES_H))
{ "read-ssh-key", required_argument, NULL, OPT_READ_SSH },
#endif
+ { "test-update", no_argument, NULL, 'T' },
+ { "update", no_argument, NULL, 'U' },
{ "reader", required_argument, NULL, OPT_READER },
{ "pin", required_argument, NULL, OPT_PIN },
{ "new-pin", required_argument, NULL, OPT_NEWPIN },
@@ -116,6 +119,8 @@ static const char *option_help[] = {
"Lists public keys",
"Reads public key with ID <arg>",
"Reads public key with ID <arg>, outputs ssh format",
+ "Test if the card needs a security update",
+ "Update the card with a security update",
"Uses reader number <arg>",
"Specify PIN",
"Specify New PIN (when changing or unblocking)",
@@ -1175,6 +1180,176 @@ static int learn_card(void)
return 0;
}
+static int test_update(sc_card_t *in_card)
+{
+ sc_apdu_t apdu;
+ static u8 cmd1[2] = { 0x50, 0x15};
+ u8 rbuf[258];
+ int rc;
+ int r;
+ static u8 fci_bad[] = { 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ static u8 fci_good[] = { 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00 };
+
+
+
+ if (strcmp("cardos",in_card->driver->short_name) != 0) {
+ printf("not using the cardos driver, card is fine.");
+ rc = 0;
+ goto end;
+ }
+
+ /* first select file on 5015 and get fci */
+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_4_SHORT, 0xa4, 0x08, 0x00);
+ apdu.lc = sizeof(cmd1);
+ apdu.datalen = sizeof(cmd1);
+ apdu.data = cmd1;
+ apdu.le = 256;
+ apdu.resp = rbuf;
+ apdu.resplen = sizeof(rbuf);
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0) {
+ printf("selecting folder failed: %s\n", sc_strerror(r));
+ rc = 2;
+ goto end;
+ }
+
+ if (apdu.sw1 != 0x90) {
+ printf("apdu command select file: card returned %02X %02X\n",
+ apdu.sw1, apdu.sw2);
+ rc = 2;
+ goto end;
+
+ }
+
+ if (apdu.resplen < 6) {
+ printf("select file did not return enough data (length %d)\n",
+ (int) apdu.resplen);
+ goto bad_fci;
+ }
+
+ if (rbuf[0] != 0x6f) {
+ printf("select file did not return the information we need\n");
+ goto bad_fci;
+ }
+
+ if (rbuf[1] != apdu.resplen -2) {
+ printf("select file did return inconsistent information\n");
+ goto bad_fci;
+ }
+
+ {
+ int i=0;
+ while(i < rbuf[1]) {
+ if (rbuf[2+i] == 0x86) { /* found our buffer */
+ break;
+ }
+ /* other tag */
+ i += 2 + rbuf[2+i+1]; /* length of this tag*/
+ }
+ if (rbuf[2+i+1] < 9 || 2+i+2+9 > apdu.resplen) {
+ printf("select file did return short fci\n");
+ goto bad_fci;
+ }
+
+ if (memcmp(&rbuf[2+i+2],fci_good,sizeof(fci_good)) == 0) {
+ printf("fci is up-to-date, card is fine\n");
+ rc = 0;
+ goto end;
+ }
+
+ if (memcmp(&rbuf[2+i+2],fci_bad,sizeof(fci_bad)) == 0) {
+ printf("fci is out-off-date, card is vulnerable\n");
+ rc = 1;
+ goto end;
+ }
+
+ printf("select file returned fci with unknown data\n");
+ goto bad_fci;
+ }
+end:
+ /* 0 = card ok, 1 = card vulnerable, 2 = problem! */
+ return rc;
+
+bad_fci:
+ hex_dump(stdout,rbuf,apdu.resplen," ");
+ printf("\n");
+ return 2;
+}
+
+static int update(sc_card_t *in_card)
+{
+ sc_apdu_t apdu;
+ static u8 cmd1[2] = { 0x50, 0x15};
+ static u8 cmd3[11] = { 0x86, 0x09, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00,
+ 0xff, 0x00, 0x00};
+ int r;
+
+ /* first select file on 5015 */
+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_3_SHORT, 0xa4, 0x08, 0x00);
+ apdu.lc = sizeof(cmd1);
+ apdu.datalen = sizeof(cmd1);
+ apdu.data = cmd1;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0) {
+ printf("selecting folder failed: %s\n", sc_strerror(r));
+ goto end;
+ }
+
+ if (apdu.sw1 != 0x90) {
+ printf("apdu command select file: card returned %02X %02X\n",
+ apdu.sw1, apdu.sw2);
+ goto end;
+
+ }
+
+ /* next phase control / change lifecycle to operational */
+ memset(&apdu, 0, sizeof(apdu));
+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_1, 0x10, 0x00, 0x00);
+ apdu.cla = 0x80;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0) {
+ printf("change lifecycle failed: %s\n", sc_strerror(r));
+ goto end;
+ }
+
+ if (apdu.sw1 != 0x90) {
+ printf("apdu command change lifecycle failed: card returned %02X %02X\n",
+ apdu.sw1, apdu.sw2);
+ goto end;
+
+ }
+
+ /* last update AC */
+ memset(&apdu, 0, sizeof(apdu));
+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_3_SHORT, 0xda, 0x01, 0x6f);
+ apdu.lc = sizeof(cmd3);
+ apdu.datalen = sizeof(cmd3);
+ apdu.data = cmd3;
+ apdu.le = 0;
+ apdu.resplen = 0;
+ apdu.resp = NULL;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0) {
+ printf("update fci failed: %s\n", sc_strerror(r));
+ goto end;
+ }
+
+ if (apdu.sw1 != 0x90) {
+ printf("apdu command update fci failed: card returned %02X %02X\n",
+ apdu.sw1, apdu.sw2);
+ goto end;
+
+ }
+
+ printf("security update applied with success.\n");
+end:
+ return 0;
+}
+
int main(int argc, char * const argv[])
{
int err = 0, r, c, long_optind = 0;
@@ -1193,11 +1374,13 @@ int main(int argc, char * const argv[])
int do_change_pin = 0;
int do_unblock_pin = 0;
int do_learn_card = 0;
+ int do_test_update = 0;
+ int do_update = 0;
int action_count = 0;
sc_context_param_t ctx_param;
while (1) {
- c = getopt_long(argc, argv, "r:cuko:va:LR:CwD", options, &long_optind);
+ c = getopt_long(argc, argv, "r:cuko:va:LR:CwDTU", options, &long_optind);
if (c == -1)
break;
if (c == '?')
@@ -1261,6 +1444,14 @@ int main(int argc, char * const argv[])
do_learn_card = 1;
action_count++;
break;
+ case 'T':
+ do_test_update = 1;
+ action_count++;
+ break;
+ case 'U':
+ do_update = 1;
+ action_count++;
+ break;
case OPT_READER:
opt_reader = atoi(optarg);
break;
@@ -1388,6 +1579,18 @@ int main(int argc, char * const argv[])
goto end;
action_count--;
}
+ if (do_test_update || do_update) {
+ err = test_update(card);
+ action_count--;
+ if (err == 2) { /* problem */
+ err =1;
+ goto end;
+ }
+ if (do_update && err == 1) { /* card vulnerable */
+ if ((err = update(card)))
+ goto end;
+ }
+ }
end:
if (p15card)
sc_pkcs15_unbind(p15card);

22
opensc-code-fixes.patch Normal file
View File

@ -0,0 +1,22 @@
--- src/libopensc/card-entersafe.c
+++ src/libopensc/card-entersafe.c
@@ -913,7 +913,7 @@
return entersafe_compute_with_prkey(card,crgram,crgram_len,out,outlen);
}
-static int entersafe_init_pin_info(struct sc_pin_cmd_pin *pin, unsigned int num)
+static void entersafe_init_pin_info(struct sc_pin_cmd_pin *pin, unsigned int num)
{
pin->encoding = SC_PIN_ENCODING_ASCII;
pin->min_length = 4;
--- src/libopensc/card-gemsafeV1.c
+++ src/libopensc/card-gemsafeV1.c
@@ -332,7 +332,7 @@
tag = sc_asn1_find_tag(ctx, p, len, 0x8C, &tlen);
if (tag) {
- r = gemsafe_setacl(card, file, tag, type == "DF" ? 1 : 0);
+ r = gemsafe_setacl(card, file, tag, strcmp(type, "DF") ? 0 : 1);
if (r < 0) {
sc_debug(ctx, "unable to set ACL\n");
return SC_ERROR_INTERNAL;

8
opensc-rpmlintrc
View File

@ -1,4 +1,4 @@
addFilter("opensc devel-file-in-non-devel-package")
addFilter("opensc shlib-policy-devel-file")
addFilter("opensc shlib-policy-nonversioned-dir")
addFilter("opensc shlib-policy-missing-suffix")
addFilter("devel-file-in-non-devel-package")
addFilter("shlib-policy-devel-file")
addFilter("shlib-policy-nonversioned-dir")
addFilter("shlib-policy-missing-suffix")

16
opensc.changes
View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Wed Sep 10 13:46:44 CEST 2008 - sbrabec@suse.cz
- Updated to version 0.11.6:
* New support for Feitian ePass3000.
* GemSafeV1 improved to handle key_ref other than 3.
* Build system rewritten.
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is dynamically linked.
* PKCS#11 provider is now installed at LIBDIR/pkcs11.
* PKCS#11 - Number of virtual slots moved into configuration.
* PKCS#11 - Fix fork() compliance.
* make sign_with_decrypt hack configureable for siemens cards.
-------------------------------------------------------------------
Mon Sep 1 14:06:17 CEST 2008 - sbrabec@suse.cz

75
opensc.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package opensc (Version 0.11.4)
# spec file for package opensc (Version 0.11.6)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -19,7 +19,7 @@
Name: opensc
BuildRequires: openssl-devel pcsc-lite-devel pkg-config readline-devel xorg-x11-devel
BuildRequires: libusb-devel openssl-devel pcsc-lite-devel pkg-config readline-devel xorg-x11-devel
%if %suse_version > 1020
BuildRequires: libassuan-devel
%else
@ -29,16 +29,15 @@ BuildRequires: libassuan
BuildRequires: openct-devel
%endif
Url: http://www.opensc-project.org/opensc/
Version: 0.11.4
Release: 79
Version: 0.11.6
Release: 1
Group: Productivity/Security
Summary: OpenSC Smart Card Library
License: LGPL v2.1 or later
Requires: libopensc2 = %{version} pcsc-lite
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source: %{name}-%{version}.tar.bz2
Source1: http://www.opensc.org/files/doc/init_perso_guide.html
Patch: opensc-cardos-CVE-2008-2235.patch
Patch: opensc-code-fixes.patch
# Supress all ugly warnings related to required .so and .la files in the main package:
Source2: %{name}-rpmlintrc
# and also skip-check-libtool-deps (and add these dependencies to the devel package)
@ -52,6 +51,13 @@ API. Applications supporting this API, such as Mozilla Firefox and
Thunderbird, can use it. OpenSC implements the PKCS#15 standard and
aims to be compatible with every software that does so, too.
Before purchasing any cards, please read carefully documentation in
/usr/share/doc/packages/opensc/wiki/index.html - only some cards are
supported. Not only card type matters, but also card version, card OS
version and preloaded applet. Only subset of possible operations may be
supported for your card. Card initialization may require third party
proprietary software.
Authors:
@ -69,13 +75,20 @@ Requires: %{name} >= %{version}
%description -n libopensc2
OpenSC provides a set of libraries and utilities to access smart cards.
Its main focus is on cards that support cryptographic operations. It
It mainly focuses on cards that support cryptographic operations. It
facilitates their use in security applications such as mail encryption,
authentication, and digital signature. OpenSC implements the PKCS#11
API so applications supporting this API, such as Mozilla Firefox and
API. Applications supporting this API, such as Mozilla Firefox and
Thunderbird, can use it. OpenSC implements the PKCS#15 standard and
aims to be compatible with every software that does so, too.
Before purchasing any cards, please read carefully documentation in
/usr/share/doc/packages/opensc/wiki/index.html - only some cards are
supported. Not only card type matters, but also card version, card OS
version and preloaded applet. Only subset of possible operations may be
supported for your card. Card initialization may require third party
proprietary software.
Authors:
@ -89,7 +102,8 @@ Authors:
License: GPL v2 or later
Group: Development/Libraries/C and C++
Summary: Additional files needed for OpenSC development
Requires: %{name} = %{version} glibc-devel openct-devel libopenssl-devel pcsc-lite-devel
# FIXME: Change to libtool-devel for the next libtool version:
Requires: %{name} = %{version} glibc-devel openct-devel libopenssl-devel zlib-devel libtool
%description devel
This package contains files required to develop applications using the
@ -106,23 +120,23 @@ Authors:
%prep
%setup -q
%patch -p1
chmod -x doc/svn2cl.xsl
%patch
%build
#cp -a /usr/share/gettext/config.rpath .
autoreconf -f -i
%configure\
--with-plugin-dir=%{_libdir}/browser-plugins
--docdir=%{_docdir}/%{name}\
--disable-static\
--enable-doc\
--enable-pcsc\
--enable-openct\
--enable-nsplugin\
--with-plugindir=%{_libdir}/browser-plugins
make %{?jobs:-j%jobs}
%install
%makeinstall
# Install opensc.conf
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}
install -m 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}
# Copy init_perso.html to docs so it's installed
cp %{SOURCE1} .
cp COPYING doc/nonpersistent/ChangeLog $RPM_BUILD_ROOT%{_docdir}/%{name}
%clean
rm -rf $RPM_BUILD_ROOT
@ -133,7 +147,13 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%doc COPYING NEWS README doc/*.css doc/*.gif doc/*.html doc/ChangeLog init_perso_guide.html
%doc %dir %{_docdir}/%{name}
%doc %{_docdir}/%{name}/ChangeLog
%doc %{_docdir}/%{name}/COPYING
%doc %{_docdir}/%{name}/NEWS
%doc %{_docdir}/%{name}/README
%doc %{_docdir}/%{name}/tools.html
%doc %{_docdir}/%{name}/wiki
%{_bindir}/*
%exclude %{_bindir}/*-config
%{_datadir}/opensc
@ -141,6 +161,8 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/*.la
%{_libdir}/*.so
%{_libdir}/browser-plugins/*.so
%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/*.so
%doc %{_mandir}/man?/*.*
%config %{_sysconfdir}/opensc.conf
@ -150,12 +172,25 @@ rm -rf $RPM_BUILD_ROOT
%files devel
%defattr(-,root,root)
%doc %{_docdir}/%{name}/api.html
%{_bindir}/*-config
%{_includedir}/opensc
%{_libdir}/*.a
%{_libdir}/pkgconfig/*.pc
%changelog
* Wed Sep 10 2008 sbrabec@suse.cz
- Updated to version 0.11.6:
* New support for Feitian ePass3000.
* GemSafeV1 improved to handle key_ref other than 3.
* Build system rewritten.
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is dynamically linked.
* PKCS#11 provider is now installed at LIBDIR/pkcs11.
* PKCS#11 - Number of virtual slots moved into configuration.
* PKCS#11 - Fix fork() compliance.
* make sign_with_decrypt hack configureable for siemens cards.
* Mon Sep 01 2008 sbrabec@suse.cz
- Check validity of SSL certificates for all Siemens CardOS M4
cards (SCA and SCB are affected as well, bnc#413496#c6).