diff --git a/init_perso_guide.html b/init_perso_guide.html
deleted file mode 100644
index 59363bb..0000000
--- a/init_perso_guide.html
+++ /dev/null
@@ -1,466 +0,0 @@
-
-
- init_perso_guide
-
-
-OpenSC card init and perso guide
-1. Introduction
-Nothing
-is impossible for the man who doesn't
-
-have
-to do it himself. -- A.H. Weiler
-
-
-This guide is about initialising and personalising (no distinction
-made) cards with the OpenSC library and tools (mostly pkcs15-init).
-
-Some knowlegde about smart cards is assumed. Below is a short overview
-of some key words and concepts. For more info, see the opensc.html
-manual.
-
-Filesystem - MF - DF - EF - FID
-A smart cards has a non-volatile memory (EEPROM) in which usually
-a PC-like file system is implemented. The directories are called
-Dedicated Files (DF) and the files are called Elementary Files (EF).
-They are
-identified by a File ID (FID) on 2 bytes. For example, the root of
-the file system
-(called Master File or MF) has FID = 3F 00 (hex).
-
-Commands - APDUs
-It is possible to send commands (APDUs) to the card to select, read,
-write, create, list, delete, ... EFs and DFs (not all cards allow all
-commands).
-
-Access control, PIN, PUK
-The file system usually implements some sort of access control on EFs
-and DFs.
-This is usually done by PINs or Keys: you have to provide a PIN or show
-knowledge of a key before you can perform some command on some EF/DF. A
-PIN is usually accompanied by a PUK (Pin Unblock Key), which can be
-used to
-reset (or unblock) that PIN.
-
-Cryptographic keys
-On crypto cards, it is also possible to sign, decrypt, key(pair)
-generation (what can be done exactly depends on the card). on some
-cards, key
-and/or PINs are files in the filesystem, on other cards, they don't
-exist in the filesystem but are referenced through an ID.
-
-Reader - PC/SC - OpenCT - CT-API
-Smart card readers come with a library that can be used on a PC to send
-APDUs to the card. Commonly used APIs for those libraries are PC/SC,
-OpenCT
-and CT-API.
-
-PKCS15
-There are standards (e.g. ISO7816, parts 4-...) that specify how to
-select, read, write, EFs and DFs, and how to sign, decrypt, login, ...
-However, there is also a need to know which files contain what, or
-where the keys, PINs, .. can be found.
-For crypto cards, PCKS15 adresses this need by defining some files that
-contain info on where to find keys, certificates, PINs, and other data.
-For
-example, there is a PrKDF (Private Key Directory File) that contains
-the EFs or
-ID of the private keys, what those keys can be used for, by which PINs
-they
-are protected, ... So a "PCKS15 card" is nothing but any other card on
-which the right set
-of files has been added.
-In short: PKCS15 allows you to describe where to find PINS, keys,
-certificates and data on a card, plus all the info that is needed to
-use them.
-A little PKCS15 example:
-Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
-Object Directory File), PrKDF (Private Key Directory File) and CDF
-(Certificate Directory File) that contain info on resp. the PINs,
-private keys and certificates. Each of them contains 1 entry.
-
-AODF:
- Com. Flags : private, modifiable
Auth ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Encoding : ASCII-numeric
Path : 3F005015
-PrKDF:
- Com. Flags : private, modifiable
Com. Auth ID: 01
Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 0
Native : yes
Path : 3F00501530450012
ID : 45
-X.509 Certificate [/C=BE/ST=...]
- Com. Flags : modifiable
Authority : no
Path : 3f0050154545
ID : 45
-Some things to note:
-
- - The Auth ID (01) of the private key is the same as the one of the
-PIN which
-means
-that you first have to do a login with this PIN before
-you can use this key.
- - The key is in an EF with ID = 0012 in the DF with ID = 3045,
-which
-on it is turn is a DF with ID 5015, which on it is turn is a DF of
-the MF (3F00).
- - The private key and certificates share the same ID (45), which
-means that they
-belong together.
- - The certificate is in the EF with as path: 3F00\5015\3045
-and is no CA
-certificate.
-
-Use the tests/p15dump tool to
-see yourself what pkcs15 data is on your card, or tools/opensc-explorer to browse
-through the files.
-
-Have the PKCS15 files a fixed place so everyone can find them? No,
-there's only one: the EF(DIR) in the MF and with ID 2F00. That's the
-starting
-place.
-
-2. The OpenSC pkcs15-init library and profiles
-Reading and writing files, PIN verification, signing and decryption
-happen in much the same way on all cards. Therefore, the "normal life"
-commands have been implemented in OpenSC for all supported cards.
-
-However, creating and deleting files, PINs and keys is very card
-specific and has not yet been implemented for all cards.
-Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex,
-CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check
-src/pkcs15-init/pkcs15-*.c for possible updates). Because of this, and
-because
-pkcs15-init is not necessary for "normal life" operations, it has been
-put in a separate library and in a separate directory.
-
-Profile
-Because the initialisation/personalisation is so card-specific, it
-would be very hard to make a tool or API that accepts all parameters
-for all current and future cards.
-Therefore, a profile file has been made in OpenSC that contains all the
-card-specific parameters. This card-specific profile is read by
-card-specific code in the pkcs15-init library each time this library is
-used on
-that card.
-See the *.profile files in src/pkcs15-init/. There is one general file
-(pkcs15.profile) and one card-specific profile for each card.
-
-Profile options
-There are currently 3 options you can specify to modify a profile:
-
- - default: creation/deletion/generation is controlled by the SO PIN
-(SO = Security Officer, different from the regular user of the card)
- - onepin: creation/deletion/generation is controlled by the user
-PIN and thus by the user. As a result, only 1 user PIN is possible
- - small: like default, but suitable for card with little memory
-
-3. pkcs15-init tool
-This is a command-line tool that uses the pkcs15-init library. It
-allows you to do all the init/perso things, e.g. add/delete keys,
-certificates, PINs and data, generate keys, ... while specifying key
-usage, which PIN protects which key, ...
-
-As said before, not all cards are supported in the pkcs15-init library.
-In
-that case, the pkcs15-init tool won't work (top 5 questions on the
-mailing list:-). To find out which card you have, try "opensc-tool -n"
-
-Below is explained how to do the operations that are supported by
-pkcs15-tool.
-Not all options are explained (run "pkcs15-tool
--h" to see them) because some are card-specific or obsolete (or
-we don't know about them). Feel free to experiment and explain them
-here.
-
-So the things in this section are fairly general but not guaranteed to
-work for all cards. See also the section on "card-specific issues".
-
-The --reader or -r can be given with any command. By default the first
-reader is used. Do "opensc-tool -l"
-to see the list of available readers.
-
-To see the results of what you did, you can do one of the following:
- pkcs15-tool --list-pins
---list-public-keys -k -c -C
- p15dump (in the
-src/tests directory)
-To see/dump the content of any file, use the opensc-explorer tool.
-* Create the PKCS15 files
- pkcs15-init
--C {-T} {-p <profile>} --so-pin
-<PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN>
---puk <PUK>
-
-This will create the PKCS15 DF (5015) and all the PKCS15 files
-(some of which will be empty until a key, PIN, ... will be added). It
-must be done before you can do any of the operations below.
-
- - This operation usually requires a 'transport' key. pkcs15-init
-will ask you for this key and propose the default one for that card.
-With -T, the default will be used without asking. NOTE: if you get a
-"Failed to erase card: PIN code or key incorrect", the transport key is
-wrong. Find this key and then try again, DO NOT try the default key
-again!
- - If you want an SO PIN and PUK, do so with the --so-pin and
---so-puk options, or specify --no-so-pin if you don't want to. If you
-use
-the onpin profile, there is no SO PIN so you should specify --pin and
---puk instead. (So you get: pkcs15-init -CT -p pkcs15+onepin --pin
-<PIN> --puk <PUK>)
- - To specify the profile file + option. The profile file can only
-be "pkcs15" for the moment, so you can have:
- pkcs15+default : the default (not needed to
-specify it)
- pkcs15+onepin: for the onepin profile
-option
- pkcs15+small: for the small
-profile option
-
-* Erase the card's content
- pkcs15-init
--E {-T}
-
-This will delete all keys, PINS, certificates, data that were listed in
-PKCS15
-files, along with the PKCS15 files themselves.
-
- - This operation usually requires a 'transport' key. pkcs15-init
-will ask you for this key and propose the default one for that card.
-With -T, the default will be used without asking. NOTE: if you get a
-"Failed to erase card: PIN code or key incorrect", the transport key is
-wrong. Find this key and then try again, DO NOT try the default key
-again!
-
-Note: you can combine erase/create (-E -C or -EC) to erase and then
-create
-the card's contents, except when you change the profile option.
-* Add a PIN (not possible with the onepin profile option)
- pkcs15-init
--P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l
-<label>}
-
- - You can specify the AuthID with -a, if you don't do so, a value
-that didn't exist yet on the card will be chosen.
- - Specify the PIN and PUK with --pin and --puk, if you don't do so,
-the tool will prompt you for one.
- - Specify the label (name) of the PIN with -l, or accept the
-default label.
-
-* Generate a key pair (on card or in software on the PC)
- pkcs15-init
--G <keyspec> -a <AuthID> --insecure {-i <ID>}
-{--soft}{-u <keyusage>}{-l <privkeylabel>}
-{--public-key-label <pubkeylabel>}
-
-This will generate a public and private key pair.
-
- - The keyspec consist of the key type, rsa or dsa (depends on what
-your cards supports), and optinally a slash followed by the keysize in
-bits. E.g. "rsa/1024" specifies a 1024 bit RSA key pair. Note: dsa is
-not
-fully supported.
- - Specify the AuthID of the PIN that protects this key (from being
-used in a signature or decryption operation) with -a; or specify
---insecure if you want the private key to be used without first
-providing a PIN.
- - Specify the ID of the key with -i, otherwise the tool with choose
-one.
- - Specify --soft if you don't want the key pair to be generated
-on-chip.
- - Specify the usage of the private key with -u; if you add a
-corresponding certificate later, it should have the same key usage. (Do
-"pkcs15-init -u help" for help).
- - Specify the label (name) of the private key with -l, or accept
-the default label.
- - Specify the label (name) of the public key with
---public-key-label, or accept the default label if you don't do so.
- - Depending on your card and profile option, you will be prompted
-to provide your SO PIN and/or PIN; if you don't want to be prompted,
-add them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-NOTE: see the SSL engines (below) on how to make a certificate request
-with the key you generated.
-* Add a private key
- pkcs15-init
--S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
-{-i <ID>} {-u <keyusage>} {--passphrase <password>}
-{-l <label>}
-
- - The keyfile should be in DER (binary) or PEM format.
- - The keyformat should be PEM (default) or DER.
- - Specify the AuthID of the PIN that protects this key (from being
-used in a signature or decryption operation) with -a; or specify
---insecure if you want the private key to be used without first
-providing a PIN.
- - Specify the ID of the key with -i
- <>Specify the usage of the private key with -u; if you add a
-corresponding certificate later, it should have the same key usage. (Do
-"pkcs15-init -u help" for help). - Specify the label (name) of
-the with -l, or accept the
-default label.
- - Depending on your card and profile option, you will be prompted
-to provide your SO PIN and/or PIN; if you don't want to be prompted,
-add them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add a private key + certificate(s) (in a pkcs12 file)
- pkcs15-init
--S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i
-<ID>} {-u <keyusage>} {--passphrase <password>} {-l
-<privkeylabel>} {--cert-label <usercertlabel>}
-
-This adds the private key and certificate chain to the card. If a
-certificate already exists on the card, it won't be added again.
-
- - Specify the AuthID of the PIN that protects this key (from being
-used in a signature or decryption operation) with -a; or specify
---insecure if you want the private key to be used without first
-providing a PIN.
- - Specify the ID of the key and the corresponding certificate with
--i,
-otherwise the tool with choose one; only the 'user cert' will get the
-same ID as the key, the other certificates will get 'authority' status
-and
-another ID.
- - You can specify the key-usage, but it is not advised to do this
-so the key usage from the certificate is used.
- - Specify the password of the pkcs12 key file if you don't want to
-be prompted for one.
- - Specify the label (name) of the private key with -l, or accept
-the default label.
- - Specify the label (name) of the user certificate with
---cert-label, or accept the default label.
- - Depending on your card and profile option, you will be prompted
-to provide your SO PIN and/or PIN; if you don't want to be prompted,
-add them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add a certificate
-
-pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>}
-{--authority}
-
- - The certfile should be in DER (binary) or PEM format
- - The certformat should be PEM (default) or DER
- - Specify the ID of the certificate with -i, otherwise the tool
-with
-choose one; if the certificate corresponds to a private and/or public
-key, you
-should specify the same ID as that key.
- - Specify --authority if it is a CA certificate.
- - Depending on your card and profile option, you will be prompted
-to
-provide your SO PIN and/or PIN; if you don't want to be prompted, add
-them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add a public key
- pkcs15-init
---store-public-key <keyfile> {-f <keyformat>} {-i
-<ID>} {-l <label>}
-
- - The keyfile should be in DER (binary) or PEM format
- - The keyformat should be PEM (default) or DER
- - Specify the ID of the key with -i, otherwise the tool with choose
-one; if the key corresponds to a private key and/or certificate, you
-should
-specify the same ID as that private key and/or certificate.
- - Specify the label (name) of the with -l, or accept the
-default label.
- - Depending on your card and profile option, you will be prompted
-to
-provide your SO PIN and/or PIN; if you don't want to be prompted, add
-them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add data
- pkcs15-init
--W <datafile> {-i <ID>} {-l <label>}
-
- - The datafile is stored "as is" onto the card.
- - Specify the ID of the data with -i, or accept the default ID.
- - Specify the label (name) of the with -l, or accept the
-default label.
- - Depending on your card and profile option, you will be prompted
-to
-provide your SO PIN and/or PIN; if you don't want to be prompted, add
-them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-4. Other tools
-* SSL-engines
-These libraries can be loaded in OpenSSL so you can do a certificate
-request with the openssl tool; the signature on the certificate request
-will
-then be made with the smart card. The result can then be sent to a CA
-for certification, the resulting certificate can be put on the card
-with
-pkcs15-init or pkcs11-tool.
-
- - Run openssl
- - On the openssl command prompt, type
- engine dynamic
--pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
- or
- engine dynamic
--pre
-SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
-depending on which one of the 2 engines (pkcs11 or opensc) you want to
-use.
-
-
- - Then type (on the openssl command prompt)
- req -engine
-pkcs11 -new -key <ID> -keyform engine -out <cert_req>
-or
-
-req -engine opensc -new -key <ID> -keyform engine -out
-<cert_req>
-in which ID is the slot+ID in the following format:
- [slot_<slotID>][-][id_<ID>],
-e.g. id_45 or slot_0-id_45
-
-
-* pkcs11-tool and Mozilla/Netscape
-You can use the OpenSC pkcs11 library to generate a keypair in Mozilla
-or Netscape, and let the browser generate a certificate request that
-is sent to an on-line CA to issue and send you a certificate that is
-then added to the card.
-
-Just go to an online CA (Globalsign, Thawte, ...) and follow their
-guidelines. Because such a request either costs you or at least
-requires you to provide a valid mail address, it is advisable to first
-try you card with "pkcs11-tool
---moz-cert
-<cert_file_in_der_format> --login".
-
-NOTE: This can only be done with the onepin profile option (because the
-browser won't ask for an SO PIN, only for the user PIN).
-
-5. Card-specific issues
-Experience
-is that marvelous thing that enables you to recognize
-a mistake when you make it again. --
-Franklin P. Jones
-
-
-Cryptoflex:
-
- - DFs and EFs in a DF have to be deleted in reverse order of
-creation.
-OpenSC relies on this fact for security, but also has some downsides.
-For example, if you did a "pkcs15-init -C" and then added some EFs or
-DFs in the MF, you won't be able to do a "pkcs15-init -E" afterwards to
-remove the PKCS15 DF (5015). So you'll first have to manually remove
-all EFs/DFs you created in the MF before being able remove the pkcs15
-DF.
-
-
-Starcos SPK 2.3:
-
- - Due to the way Starcos SPK 2.3 manages access rights it is
-necessary to manually call "pkcs15-init --finalize" after card
-personalization if no SO-PIN has been specified. Once the card has been
-finalized it is no possible to add new private/secrets keys or PINs. If
-a SO-PIN is used the card will automatically be finalized after the
-SO-PIN has been stored.
- - If an SO-PIN is used and if there is enough space in the key file
-left, then the owner of the SO-PIN can access/use every protected item
-by creating a PIN for the necessary state.
-
-
-
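Review bot: deleting this guide removes a packaged document that carries the transport-key warning ("DO NOT try the default key again!") and explains what `--insecure` and the `onepin` profile option mean for PIN protection of keys. The spec now ships `%{_docdir}/%{name}/wiki` instead; confirm that the wiki snapshot covers the same pkcs15-init material before dropping the guide, otherwise keep it as Source1.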
diff --git a/opensc-0.11.4.tar.bz2 b/opensc-0.11.4.tar.bz2
deleted file mode 100644
index 0417e35..0000000
--- a/opensc-0.11.4.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a92d563c68ab052d133f69c12f4e2584d781f2266d47980b1786e76ce1202c06
-size 1083131
diff --git a/opensc-0.11.6.tar.bz2 b/opensc-0.11.6.tar.bz2
new file mode 100644
index 0000000..b2e2f0f
--- /dev/null
+++ b/opensc-0.11.6.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:38ba637a940a3ee99f5e60ceb4fef9f61d09386ac2d3aa6331f4c5b58dea0db2
+size 1077790
diff --git a/opensc-cardos-CVE-2008-2235.patch b/opensc-cardos-CVE-2008-2235.patch
deleted file mode 100644
index d8c5175..0000000
--- a/opensc-cardos-CVE-2008-2235.patch
+++ /dev/null
@@ -1,276 +0,0 @@
-diff -udrNPp --exclude=.svn opensc.orig/src/libopensc/card-cardos.c opensc/src/libopensc/card-cardos.c
---- opensc.orig/src/libopensc/card-cardos.c 2007-08-08 22:15:48.000000000 +0200
-+++ opensc/src/libopensc/card-cardos.c 2008-07-30 13:19:22.000000000 +0200
-@@ -385,7 +385,7 @@ static const int df_acl[9] = {
- SC_AC_OP_REHABILITATE, /* DF */
- SC_AC_OP_DELETE, /* DF */
-
-- -1, /* ADMIN DF */
-+ SC_AC_OP_UPDATE, /* ADMIN DF */
- SC_AC_OP_CREATE, /* Files */
- -1 /* Reserved */
- };
-@@ -400,7 +400,7 @@ static const int ef_acl[9] = {
-
- /* XXX: ADMIN should be an ACL type of its own, or mapped
- * to erase */
-- -1, /* ADMIN EF (modify meta information?) */
-+ SC_AC_OP_UPDATE, /* ADMIN EF (modify meta information?) */
- -1, /* INC (-> cylic fixed files) */
- -1 /* DEC */
- };
-diff -udrNPp --exclude=.svn opensc.orig/src/tools/pkcs15-tool.c opensc/src/tools/pkcs15-tool.c
---- opensc.orig/src/tools/pkcs15-tool.c 2007-06-30 10:55:57.000000000 +0200
-+++ opensc/src/tools/pkcs15-tool.c 2008-07-30 13:19:42.000000000 +0200
-@@ -2,6 +2,7 @@
- * pkcs15-tool.c: Tool for poking with PKCS #15 smart cards
- *
- * Copyright (C) 2001 Juha Yrjölä
-+ * Copyright (C) 2008 Andreas Jellinghaus
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
-@@ -90,6 +91,8 @@ static const struct option options[] = {
- #if defined(HAVE_OPENSSL) && (defined(_WIN32) || defined(HAVE_INTTYPES_H))
- { "read-ssh-key", required_argument, NULL, OPT_READ_SSH },
- #endif
-+ { "test-update", no_argument, NULL, 'T' },
-+ { "update", no_argument, NULL, 'U' },
- { "reader", required_argument, NULL, OPT_READER },
- { "pin", required_argument, NULL, OPT_PIN },
- { "new-pin", required_argument, NULL, OPT_NEWPIN },
-@@ -116,6 +119,8 @@ static const char *option_help[] = {
- "Lists public keys",
- "Reads public key with ID ",
- "Reads public key with ID , outputs ssh format",
-+ "Test if the card needs a security update",
-+ "Update the card with a security update",
- "Uses reader number ",
- "Specify PIN",
- "Specify New PIN (when changing or unblocking)",
-@@ -1175,6 +1180,176 @@ static int learn_card(void)
- return 0;
- }
-
-+static int test_update(sc_card_t *in_card)
-+{
-+ sc_apdu_t apdu;
-+ static u8 cmd1[2] = { 0x50, 0x15};
-+ u8 rbuf[258];
-+ int rc;
-+ int r;
-+ static u8 fci_bad[] = { 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
-+ static u8 fci_good[] = { 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00 };
-+
-+
-+
-+ if (strcmp("cardos",in_card->driver->short_name) != 0) {
-+ printf("not using the cardos driver, card is fine.");
-+ rc = 0;
-+ goto end;
-+ }
-+
-+ /* first select file on 5015 and get fci */
-+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_4_SHORT, 0xa4, 0x08, 0x00);
-+ apdu.lc = sizeof(cmd1);
-+ apdu.datalen = sizeof(cmd1);
-+ apdu.data = cmd1;
-+ apdu.le = 256;
-+ apdu.resp = rbuf;
-+ apdu.resplen = sizeof(rbuf);
-+
-+ r = sc_transmit_apdu(card, &apdu);
-+ if (r < 0) {
-+ printf("selecting folder failed: %s\n", sc_strerror(r));
-+ rc = 2;
-+ goto end;
-+ }
-+
-+ if (apdu.sw1 != 0x90) {
-+ printf("apdu command select file: card returned %02X %02X\n",
-+ apdu.sw1, apdu.sw2);
-+ rc = 2;
-+ goto end;
-+
-+ }
-+
-+ if (apdu.resplen < 6) {
-+ printf("select file did not return enough data (length %d)\n",
-+ (int) apdu.resplen);
-+ goto bad_fci;
-+ }
-+
-+ if (rbuf[0] != 0x6f) {
-+ printf("select file did not return the information we need\n");
-+ goto bad_fci;
-+ }
-+
-+ if (rbuf[1] != apdu.resplen -2) {
-+ printf("select file did return inconsistent information\n");
-+ goto bad_fci;
-+ }
-+
-+ {
-+ int i=0;
-+ while(i < rbuf[1]) {
-+ if (rbuf[2+i] == 0x86) { /* found our buffer */
-+ break;
-+ }
-+ /* other tag */
-+ i += 2 + rbuf[2+i+1]; /* length of this tag*/
-+ }
-+ if (rbuf[2+i+1] < 9 || 2+i+2+9 > apdu.resplen) {
-+ printf("select file did return short fci\n");
-+ goto bad_fci;
-+ }
-+
-+ if (memcmp(&rbuf[2+i+2],fci_good,sizeof(fci_good)) == 0) {
-+ printf("fci is up-to-date, card is fine\n");
-+ rc = 0;
-+ goto end;
-+ }
-+
-+ if (memcmp(&rbuf[2+i+2],fci_bad,sizeof(fci_bad)) == 0) {
-+ printf("fci is out-off-date, card is vulnerable\n");
-+ rc = 1;
-+ goto end;
-+ }
-+
-+ printf("select file returned fci with unknown data\n");
-+ goto bad_fci;
-+ }
-+end:
-+ /* 0 = card ok, 1 = card vulnerable, 2 = problem! */
-+ return rc;
-+
-+bad_fci:
-+ hex_dump(stdout,rbuf,apdu.resplen," ");
-+ printf("\n");
-+ return 2;
-+}
-+
-+static int update(sc_card_t *in_card)
-+{
-+ sc_apdu_t apdu;
-+ static u8 cmd1[2] = { 0x50, 0x15};
-+ static u8 cmd3[11] = { 0x86, 0x09, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00,
-+ 0xff, 0x00, 0x00};
-+ int r;
-+
-+ /* first select file on 5015 */
-+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_3_SHORT, 0xa4, 0x08, 0x00);
-+ apdu.lc = sizeof(cmd1);
-+ apdu.datalen = sizeof(cmd1);
-+ apdu.data = cmd1;
-+
-+ r = sc_transmit_apdu(card, &apdu);
-+ if (r < 0) {
-+ printf("selecting folder failed: %s\n", sc_strerror(r));
-+ goto end;
-+ }
-+
-+ if (apdu.sw1 != 0x90) {
-+ printf("apdu command select file: card returned %02X %02X\n",
-+ apdu.sw1, apdu.sw2);
-+ goto end;
-+
-+ }
-+
-+ /* next phase control / change lifecycle to operational */
-+ memset(&apdu, 0, sizeof(apdu));
-+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_1, 0x10, 0x00, 0x00);
-+ apdu.cla = 0x80;
-+
-+ r = sc_transmit_apdu(card, &apdu);
-+ if (r < 0) {
-+ printf("change lifecycle failed: %s\n", sc_strerror(r));
-+ goto end;
-+ }
-+
-+ if (apdu.sw1 != 0x90) {
-+ printf("apdu command change lifecycle failed: card returned %02X %02X\n",
-+ apdu.sw1, apdu.sw2);
-+ goto end;
-+
-+ }
-+
-+ /* last update AC */
-+ memset(&apdu, 0, sizeof(apdu));
-+ sc_format_apdu(in_card, &apdu, SC_APDU_CASE_3_SHORT, 0xda, 0x01, 0x6f);
-+ apdu.lc = sizeof(cmd3);
-+ apdu.datalen = sizeof(cmd3);
-+ apdu.data = cmd3;
-+ apdu.le = 0;
-+ apdu.resplen = 0;
-+ apdu.resp = NULL;
-+
-+ r = sc_transmit_apdu(card, &apdu);
-+ if (r < 0) {
-+ printf("update fci failed: %s\n", sc_strerror(r));
-+ goto end;
-+ }
-+
-+ if (apdu.sw1 != 0x90) {
-+ printf("apdu command update fci failed: card returned %02X %02X\n",
-+ apdu.sw1, apdu.sw2);
-+ goto end;
-+
-+ }
-+
-+ printf("security update applied with success.\n");
-+end:
-+ return 0;
-+}
-+
- int main(int argc, char * const argv[])
- {
- int err = 0, r, c, long_optind = 0;
-@@ -1193,11 +1374,13 @@ int main(int argc, char * const argv[])
- int do_change_pin = 0;
- int do_unblock_pin = 0;
- int do_learn_card = 0;
-+ int do_test_update = 0;
-+ int do_update = 0;
- int action_count = 0;
- sc_context_param_t ctx_param;
-
- while (1) {
-- c = getopt_long(argc, argv, "r:cuko:va:LR:CwD", options, &long_optind);
-+ c = getopt_long(argc, argv, "r:cuko:va:LR:CwDTU", options, &long_optind);
- if (c == -1)
- break;
- if (c == '?')
-@@ -1261,6 +1444,14 @@ int main(int argc, char * const argv[])
- do_learn_card = 1;
- action_count++;
- break;
-+ case 'T':
-+ do_test_update = 1;
-+ action_count++;
-+ break;
-+ case 'U':
-+ do_update = 1;
-+ action_count++;
-+ break;
- case OPT_READER:
- opt_reader = atoi(optarg);
- break;
-@@ -1388,6 +1579,18 @@ int main(int argc, char * const argv[])
- goto end;
- action_count--;
- }
-+ if (do_test_update || do_update) {
-+ err = test_update(card);
-+ action_count--;
-+ if (err == 2) { /* problem */
-+ err =1;
-+ goto end;
-+ }
-+ if (do_update && err == 1) { /* card vulnerable */
-+ if ((err = update(card)))
-+ goto end;
-+ }
-+ }
- end:
- if (p15card)
- sc_pkcs15_unbind(p15card);
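Review bot: dropping this patch is only safe if 0.11.6 itself carries both halves of the CVE-2008-2235 fix: the `SC_AC_OP_UPDATE` mapping for the ADMIN entries in `df_acl` and `ef_acl`, and the `--test-update` / `--update` options in pkcs15-tool that let users check and repair cards that were already initialised. Nothing in this commit states that, so please verify that `pkcs15-tool -T` still exists in the new build. If the upstream code matches what is deleted here, two things are worth checking there: `update()` ends in `return 0;` on every failure path, so the caller's `if ((err = update(card)))` never sees an error, and `test_update()` reads `rbuf[2+i+1]` after the tag search loop without checking that tag 0x86 was found or that the index is still inside `rbuf`.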
diff --git a/opensc-code-fixes.patch b/opensc-code-fixes.patch
new file mode 100644
index 0000000..345d7fc
--- /dev/null
+++ b/opensc-code-fixes.patch
@@ -0,0 +1,22 @@
+--- src/libopensc/card-entersafe.c
++++ src/libopensc/card-entersafe.c
+@@ -913,7 +913,7 @@
+ return entersafe_compute_with_prkey(card,crgram,crgram_len,out,outlen);
+ }
+
+-static int entersafe_init_pin_info(struct sc_pin_cmd_pin *pin, unsigned int num)
++static void entersafe_init_pin_info(struct sc_pin_cmd_pin *pin, unsigned int num)
+ {
+ pin->encoding = SC_PIN_ENCODING_ASCII;
+ pin->min_length = 4;
+--- src/libopensc/card-gemsafeV1.c
++++ src/libopensc/card-gemsafeV1.c
+@@ -332,7 +332,7 @@
+
+ tag = sc_asn1_find_tag(ctx, p, len, 0x8C, &tlen);
+ if (tag) {
+- r = gemsafe_setacl(card, file, tag, type == "DF" ? 1 : 0);
++ r = gemsafe_setacl(card, file, tag, strcmp(type, "DF") ? 0 : 1);
+ if (r < 0) {
+ sc_debug(ctx, "unable to set ACL\n");
+ return SC_ERROR_INTERNAL;
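Review bot: in the card-gemsafeV1.c change, `strcmp(type, "DF") ? 0 : 1` is correct (the old `type == "DF"` compared pointers, not string contents) but it reads inverted; `strcmp(type, "DF") == 0` states the intent directly. This also changes behaviour: the last argument of `gemsafe_setacl()` can now be 1 for DFs where the pointer comparison may have yielded 0, so ACL handling for DFs deserves a test on a real card. For card-entersafe.c, switching `entersafe_init_pin_info()` to `void` is only safe if no caller uses its return value; the hunk shows just the signature, so please confirm. Neither fix says whether it was sent upstream.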
diff --git a/opensc-rpmlintrc b/opensc-rpmlintrc
index ff6b87d..4f1d9b9 100644
--- a/opensc-rpmlintrc
+++ b/opensc-rpmlintrc
@@ -1,4 +1,4 @@
-addFilter("opensc devel-file-in-non-devel-package")
-addFilter("opensc shlib-policy-devel-file")
-addFilter("opensc shlib-policy-nonversioned-dir")
-addFilter("opensc shlib-policy-missing-suffix")
+addFilter("devel-file-in-non-devel-package")
+addFilter("shlib-policy-devel-file")
+addFilter("shlib-policy-nonversioned-dir")
+addFilter("shlib-policy-missing-suffix")
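Review bot: with the leading `opensc ` removed, these four filters no longer name a package, so they silence the same checks for every sub-package built from this spec, while the comment next to Source2 in opensc.spec says the suppression is meant for the .so and .la files in the main package. If the prefix was dropped because it no longer matched, say so in a comment and keep each pattern as narrow as it can be.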
diff --git a/opensc.changes b/opensc.changes
index e4b52c4..3628d41 100644
--- a/opensc.changes
+++ b/opensc.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Sep 10 13:46:44 CEST 2008 - sbrabec@suse.cz
+
+- Updated to version 0.11.6:
+ * New support for Feitian ePass3000.
+ * GemSafeV1 improved to handle key_ref other than 3.
+ * Build system rewritten.
+ * ruToken now supported.
+ * Allow specifying application name for data objects.
+ * Basic reader hotplug support.
+ * PC/SC library is dynamically linked.
+ * PKCS#11 provider is now installed at LIBDIR/pkcs11.
+ * PKCS#11 - Number of virtual slots moved into configuration.
+ * PKCS#11 - Fix fork() compliance.
+ * make sign_with_decrypt hack configureable for siemens cards.
+
-------------------------------------------------------------------
Mon Sep 1 14:06:17 CEST 2008 - sbrabec@suse.cz
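Review bot: the new entry lists only upstream changes; the packaging changes made in this same commit are missing. Please add lines for dropping opensc-cardos-CVE-2008-2235.patch (and whether 0.11.6 contains that fix), adding opensc-code-fixes.patch, removing init_perso_guide.html, building with `--disable-static`, and the new libusb-devel build dependency. Also, `configureable` should be `configurable`.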
diff --git a/opensc.spec b/opensc.spec
index af1bc79..90eeb00 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -1,5 +1,5 @@
#
-# spec file for package opensc (Version 0.11.4)
+# spec file for package opensc (Version 0.11.6)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -19,7 +19,7 @@
Name: opensc
-BuildRequires: openssl-devel pcsc-lite-devel pkg-config readline-devel xorg-x11-devel
+BuildRequires: libusb-devel openssl-devel pcsc-lite-devel pkg-config readline-devel xorg-x11-devel
%if %suse_version > 1020
BuildRequires: libassuan-devel
%else
@@ -29,16 +29,15 @@ BuildRequires: libassuan
BuildRequires: openct-devel
%endif
Url: http://www.opensc-project.org/opensc/
-Version: 0.11.4
-Release: 79
+Version: 0.11.6
+Release: 1
Group: Productivity/Security
Summary: OpenSC Smart Card Library
License: LGPL v2.1 or later
Requires: libopensc2 = %{version} pcsc-lite
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source: %{name}-%{version}.tar.bz2
-Source1: http://www.opensc.org/files/doc/init_perso_guide.html
-Patch: opensc-cardos-CVE-2008-2235.patch
+Patch: opensc-code-fixes.patch
# Supress all ugly warnings related to required .so and .la files in the main package:
Source2: %{name}-rpmlintrc
# and also skip-check-libtool-deps (and add these dependencies to the devel package)
@@ -52,6 +51,13 @@ API. Applications supporting this API, such as Mozilla Firefox and
Thunderbird, can use it. OpenSC implements the PKCS#15 standard and
aims to be compatible with every software that does so, too.
+Before purchasing any cards, please read carefully documentation in
+/usr/share/doc/packages/opensc/wiki/index.html - only some cards are
+supported. Not only card type matters, but also card version, card OS
+version and preloaded applet. Only subset of possible operations may be
+supported for your card. Card initialization may require third party
+proprietary software.
+
Authors:
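Review bot: the added description paragraph needs a language pass: "please read carefully documentation" should be "please carefully read the documentation", and "Only subset" should be "Only a subset". The same text is added again to the libopensc2 description, so fix both copies.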
@@ -69,13 +75,20 @@ Requires: %{name} >= %{version}
%description -n libopensc2
OpenSC provides a set of libraries and utilities to access smart cards.
-Its main focus is on cards that support cryptographic operations. It
+It mainly focuses on cards that support cryptographic operations. It
facilitates their use in security applications such as mail encryption,
authentication, and digital signature. OpenSC implements the PKCS#11
-API so applications supporting this API, such as Mozilla Firefox and
+API. Applications supporting this API, such as Mozilla Firefox and
Thunderbird, can use it. OpenSC implements the PKCS#15 standard and
aims to be compatible with every software that does so, too.
+Before purchasing any cards, please read carefully documentation in
+/usr/share/doc/packages/opensc/wiki/index.html - only some cards are
+supported. Not only card type matters, but also card version, card OS
+version and preloaded applet. Only subset of possible operations may be
+supported for your card. Card initialization may require third party
+proprietary software.
+
Authors:
@@ -89,7 +102,8 @@ Authors:
License: GPL v2 or later
Group: Development/Libraries/C and C++
Summary: Additional files needed for OpenSC development
-Requires: %{name} = %{version} glibc-devel openct-devel libopenssl-devel pcsc-lite-devel
+# FIXME: Change to libtool-devel for the next libtool version:
+Requires: %{name} = %{version} glibc-devel openct-devel libopenssl-devel zlib-devel libtool
%description devel
This package contains files required to develop applications using the
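Review bot: `pcsc-lite-devel` is dropped from the devel package's Requires without explanation, while the FIXME comment only covers libtool. If the installed headers no longer need the PC/SC headers (the changelog says the PC/SC library is now dynamically linked), note that here; otherwise keep the dependency.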
@@ -106,23 +120,23 @@ Authors:
%prep
%setup -q
-%patch -p1
-chmod -x doc/svn2cl.xsl
+%patch
%build
-#cp -a /usr/share/gettext/config.rpath .
autoreconf -f -i
%configure\
- --with-plugin-dir=%{_libdir}/browser-plugins
+ --docdir=%{_docdir}/%{name}\
+ --disable-static\
+ --enable-doc\
+ --enable-pcsc\
+ --enable-openct\
+ --enable-nsplugin\
+ --with-plugindir=%{_libdir}/browser-plugins
make %{?jobs:-j%jobs}
%install
%makeinstall
-# Install opensc.conf
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}
-install -m 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}
-# Copy init_perso.html to docs so it's installed
-cp %{SOURCE1} .
+cp COPYING doc/nonpersistent/ChangeLog $RPM_BUILD_ROOT%{_docdir}/%{name}
%clean
rm -rf $RPM_BUILD_ROOT
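Review bot: the explicit `install -m 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}` is gone, but `%config %{_sysconfdir}/opensc.conf` is still listed under %files, so this relies on `%makeinstall` putting the file there with the rewritten build system; please confirm the installed path and mode. Likewise the new `cp` copies only COPYING and ChangeLog into the doc directory while %files also expects NEWS, README, tools.html and wiki there, which assumes `--enable-doc` installs them. `%patch` without `-p1` applies at strip level 0, which matches the `--- src/libopensc/...` headers in opensc-code-fixes.patch; writing `-p0` explicitly would make that visible.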
@@ -133,7 +147,13 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
-%doc COPYING NEWS README doc/*.css doc/*.gif doc/*.html doc/ChangeLog init_perso_guide.html
+%doc %dir %{_docdir}/%{name}
+%doc %{_docdir}/%{name}/ChangeLog
+%doc %{_docdir}/%{name}/COPYING
+%doc %{_docdir}/%{name}/NEWS
+%doc %{_docdir}/%{name}/README
+%doc %{_docdir}/%{name}/tools.html
+%doc %{_docdir}/%{name}/wiki
%{_bindir}/*
%exclude %{_bindir}/*-config
%{_datadir}/opensc
@@ -141,6 +161,8 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/*.la
%{_libdir}/*.so
%{_libdir}/browser-plugins/*.so
+%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/*.so
%doc %{_mandir}/man?/*.*
%config %{_sysconfdir}/opensc.conf
@@ -150,12 +172,25 @@ rm -rf $RPM_BUILD_ROOT
%files devel
%defattr(-,root,root)
+%doc %{_docdir}/%{name}/api.html
%{_bindir}/*-config
%{_includedir}/opensc
-%{_libdir}/*.a
%{_libdir}/pkgconfig/*.pc
%changelog
+* Wed Sep 10 2008 sbrabec@suse.cz
+- Updated to version 0.11.6:
+ * New support for Feitian ePass3000.
+ * GemSafeV1 improved to handle key_ref other than 3.
+ * Build system rewritten.
+ * ruToken now supported.
+ * Allow specifying application name for data objects.
+ * Basic reader hotplug support.
+ * PC/SC library is dynamically linked.
+ * PKCS#11 provider is now installed at LIBDIR/pkcs11.
+ * PKCS#11 - Number of virtual slots moved into configuration.
+ * PKCS#11 - Fix fork() compliance.
+ * make sign_with_decrypt hack configureable for siemens cards.
* Mon Sep 01 2008 sbrabec@suse.cz
- Check validity of SSL certificates for all Siemens CardOS M4
cards (SCA and SCB are affected as well, bnc#413496#c6).