diff --git a/.gitignore b/.gitignore index d03eea6..3b06172 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/opensc-0.14.0.tar.gz +SOURCES/opensc-0.16.0-git777e2a3.zip diff --git a/.opensc.metadata b/.opensc.metadata index e385c35..36a688c 100644 --- a/.opensc.metadata +++ b/.opensc.metadata @@ -1 +1 @@ -4a898e351b0a6d2a5d81576daa7ebed45baf9138 SOURCES/opensc-0.14.0.tar.gz +508b0ff2ed863ba71cda081b4df1ed00af428748 SOURCES/opensc-0.16.0-git777e2a3.zip diff --git a/SOURCES/opensc-0.16.0-cardos.patch b/SOURCES/opensc-0.16.0-cardos.patch new file mode 100644 index 0000000..0b7bdfa --- /dev/null +++ b/SOURCES/opensc-0.16.0-cardos.patch @@ -0,0 +1,240 @@ +From bc496dfa59c1cfbc5c47c76511d5c6b7eff5cc6c Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 26 Jan 2017 17:11:24 +0100 +Subject: [PATCH 1/4] Set security context for CardOS 5.3 with p1=0x41 (as + Coolkey does) + +--- + src/libopensc/card-cardos.c | 16 +++++++++++----- + src/libopensc/cards.h | 1 + + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 0c14b32..008ce5c 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -59,7 +59,7 @@ static struct sc_atr_table cardos_atrs[] = { + /* CardOS v5.0 */ + { "3b:d2:18:00:81:31:fe:58:c9:01:14", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL}, + /* CardOS v5.3 */ +- { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_0, 0, NULL}, ++ { "3b:d2:18:00:81:31:fe:58:c9:03:16", NULL, NULL, SC_CARD_TYPE_CARDOS_V5_3, 0, NULL}, + { NULL, NULL, NULL, 0, 0, NULL } + }; + +@@ -84,6 +84,8 @@ static int cardos_match_card(sc_card_t *card) + return 1; + if (card->type == SC_CARD_TYPE_CARDOS_V5_0) + return 1; ++ if (card->type == SC_CARD_TYPE_CARDOS_V5_3) ++ return 1; + if (card->type == SC_CARD_TYPE_CARDOS_M4_2) { + int rv; + sc_apdu_t apdu; +@@ -195,7 +197,8 @@ static int cardos_init(sc_card_t *card) + || card->type == SC_CARD_TYPE_CARDOS_M4_2B + || card->type == SC_CARD_TYPE_CARDOS_M4_2C + || card->type == SC_CARD_TYPE_CARDOS_M4_4 +- || card->type == SC_CARD_TYPE_CARDOS_V5_0) { ++ || card->type == SC_CARD_TYPE_CARDOS_V5_0 ++ || card->type == SC_CARD_TYPE_CARDOS_V5_3) { + rsa_2048 = 1; + card->caps |= SC_CARD_CAP_APDU_EXT; + } +@@ -230,7 +233,7 @@ static int cardos_init(sc_card_t *card) + _sc_card_add_rsa_alg(card, 2048, flags, 0); + } + +- if (card->type == SC_CARD_TYPE_CARDOS_V5_0) { ++ if (card->type >= SC_CARD_TYPE_CARDOS_V5_0) { + /* Starting with CardOS 5, the card supports PIN query commands */ + card->caps |= SC_CARD_CAP_ISO7816_PIN_INFO; + } +@@ -249,7 +252,7 @@ static const struct sc_card_error cardos_errors[] = { + { 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"}, + { 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"}, + +-/* the card doesn't now thic combination of ins+cla+p1+p2 */ ++/* the card doesn't now this combination of ins+cla+p1+p2 */ + /* i.e. command will never work */ + { 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"}, + { 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, +@@ -781,6 +784,8 @@ cardos_set_security_env(sc_card_t *card, + if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) { + cardos_restore_security_env(card, 0x30); + apdu.p1 = 0xF1; ++ } else if (card->type == SC_CARD_TYPE_CARDOS_V5_3) { ++ apdu.p1 = 0x41; + } else { + apdu.p1 = 0x01; + } +@@ -1235,7 +1240,8 @@ cardos_logout(sc_card_t *card) + || card->type == SC_CARD_TYPE_CARDOS_M4_2C + || card->type == SC_CARD_TYPE_CARDOS_M4_3 + || card->type == SC_CARD_TYPE_CARDOS_M4_4 +- || card->type == SC_CARD_TYPE_CARDOS_V5_0) { ++ || card->type == SC_CARD_TYPE_CARDOS_V5_0 ++ || card->type == SC_CARD_TYPE_CARDOS_V5_3) { + sc_apdu_t apdu; + int r; + sc_path_t path; +diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h +index d71c02f..9f8f641 100644 +--- a/src/libopensc/cards.h ++++ b/src/libopensc/cards.h +@@ -47,6 +47,7 @@ enum { + SC_CARD_TYPE_CARDOS_CIE_V1, /* Italian CIE (eID) v1 */ + SC_CARD_TYPE_CARDOS_M4_4, + SC_CARD_TYPE_CARDOS_V5_0, ++ SC_CARD_TYPE_CARDOS_V5_3, + + /* flex/cyberflex drivers */ + SC_CARD_TYPE_FLEX_BASE = 2000, +-- +2.9.3 + + +From 5dec534cf07e45ffb0209a53d6145022ecd9259a Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 30 Jan 2017 14:33:05 +0100 +Subject: [PATCH 2/4] Do not emulate signatures in CardOS 5.3 + +Remove the bogus SC_ALGORITHM_NEED_USAGE which prevents using the +actual implementation in cardos_compute_signature(). + +It might be bogus also in previous version, but I don't have a way +to verify against these cards. +--- + src/libopensc/card-cardos.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 008ce5c..a21e67a 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -177,11 +177,13 @@ static int cardos_init(sc_card_t *card) + card->cla = 0x00; + + /* Set up algorithm info. */ +- flags = SC_ALGORITHM_NEED_USAGE +- | SC_ALGORITHM_RSA_RAW ++ flags = SC_ALGORITHM_RSA_RAW + | SC_ALGORITHM_RSA_HASH_NONE + | SC_ALGORITHM_ONBOARD_KEY_GEN + ; ++ if (card->type != SC_CARD_TYPE_CARDOS_V5_3) ++ flags |= SC_ALGORITHM_NEED_USAGE; ++ + _sc_card_add_rsa_alg(card, 512, flags, 0); + _sc_card_add_rsa_alg(card, 768, flags, 0); + _sc_card_add_rsa_alg(card, 1024, flags, 0); +@@ -252,7 +254,7 @@ static const struct sc_card_error cardos_errors[] = { + { 0x6f82, SC_ERROR_CARD_CMD_FAILED, "not enough memory in xram"}, + { 0x6f84, SC_ERROR_CARD_CMD_FAILED, "general protection fault"}, + +-/* the card doesn't now this combination of ins+cla+p1+p2 */ ++/* the card doesn't know this combination of ins+cla+p1+p2 */ + /* i.e. command will never work */ + { 0x6881, SC_ERROR_NO_CARD_SUPPORT, "logical channel not supported"}, + { 0x6a86, SC_ERROR_INCORRECT_PARAMETERS,"p1/p2 invalid"}, +-- +2.9.3 + + +From 057197c7abf29715a2b7793045c35adf2a34dc17 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 10 Mar 2017 16:37:43 +0100 +Subject: [PATCH 3/4] Hack for returning the padding back in CardOS 5.3 + +--- + src/libopensc/card-cardos.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index a21e67a..39ec4ac 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -979,6 +979,30 @@ cardos_compute_signature(sc_card_t *card, const u8 *data, size_t datalen, + } + + static int ++cardos_decipher(struct sc_card *card, ++ const u8 * crgram, size_t crgram_len, ++ u8 * out, size_t outlen) ++{ ++ int r; ++ u8 *tmp = NULL; ++ size_t tmp_len = crgram_len; ++ ++ assert(card != NULL && crgram != NULL && out != NULL); ++ LOG_FUNC_CALLED(card->ctx); ++ ++ tmp = malloc(tmp_len); ++ r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len); ++ ++ /* add bogus padding, because the card removes it */ ++ if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, ++ tmp, r, out, &outlen, crgram_len) != SC_SUCCESS) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); ++ out[1] = 0x02; /* this is encryption-padding */ ++ ++ LOG_FUNC_RETURN(card->ctx, outlen); ++} ++ ++static int + cardos_lifecycle_get(sc_card_t *card, int *mode) + { + sc_apdu_t apdu; +@@ -1278,6 +1302,7 @@ static struct sc_card_driver * sc_get_driver(void) + cardos_ops.set_security_env = cardos_set_security_env; + cardos_ops.restore_security_env = cardos_restore_security_env; + cardos_ops.compute_signature = cardos_compute_signature; ++ cardos_ops.decipher = cardos_decipher; + + cardos_ops.list_files = cardos_list_files; + cardos_ops.check_sw = cardos_check_sw; +-- +2.9.3 + + +From 515f761f5564e91302ce672d30a24d6e6738e349 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 13 Mar 2017 15:15:48 +0100 +Subject: [PATCH 4/4] With older cards, use iso decipher + +--- + src/libopensc/card-cardos.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 39ec4ac..d479065 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -992,10 +992,22 @@ cardos_decipher(struct sc_card *card, + + tmp = malloc(tmp_len); + r = iso_ops->decipher(card, crgram, crgram_len, tmp, tmp_len); ++ if (r < 0) ++ LOG_FUNC_RETURN(card->ctx, r); ++ ++ if (card->type != SC_CARD_TYPE_CARDOS_V5_3) { ++ /* XXX */ ++ memcpy(out, tmp, tmp_len); ++ outlen = tmp_len; ++ free(tmp); ++ LOG_FUNC_RETURN(card->ctx, r); ++ } + + /* add bogus padding, because the card removes it */ +- if (sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, +- tmp, r, out, &outlen, crgram_len) != SC_SUCCESS) ++ r = sc_pkcs1_encode(card->ctx, SC_ALGORITHM_RSA_HASH_NONE|SC_ALGORITHM_RSA_PAD_PKCS1, ++ tmp, r, out, &outlen, crgram_len); ++ free(tmp); ++ if (r != SC_SUCCESS) + LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); + out[1] = 0x02; /* this is encryption-padding */ + +-- +2.9.3 + diff --git a/SOURCES/opensc-0.16.0-coverity.patch b/SOURCES/opensc-0.16.0-coverity.patch new file mode 100644 index 0000000..dbc3c1c --- /dev/null +++ b/SOURCES/opensc-0.16.0-coverity.patch @@ -0,0 +1,643 @@ +From 15163e6212aaf6b2dd5d7b432e5b13ca39496110 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 28 Feb 2017 16:12:31 +0100 +Subject: [PATCH 1/3] Coverity fixes for: + +card-cac.c + * CLANG_WARNING: The left operand of '<' is a garbage value +card-coolkey.c + * CLANG_WARNING: overwriting variable + * CPPCHECK_WARNING: memory leak / overwrite variable + * CLANG_WARNING: null pointer dereference + * UNUSED_VALUE: unused return value +card-gids.c + * CLANG_WARNING: Branch condition evaluates to a garbage value + * SIZEOF_MISMATCH: suspicious_sizeof +card-myeid.c + * RESOURCE_LEAK: Variable "buf" going out of scope leaks the storage it points to. + * CLANG_WARNING: overwriting variable + * (rewrite not to confuse coverity) +pkcs15-cac.c + * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to. +pkcs15-coolkey.c + * UNUSED_VALUE: unused return value +pkcs15-piv.c + * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to. +pkcs15-sc-hsm.c + * DEADCODE +pkcs11/framework-pkcs15.c + * RESOURCE_LEAK: Variable "p15_cert" going out of scope leaks the storage it points to. +pkcs15init/pkcs15-lib.c + * CLANG_WARNING: Assigned value is garbage or undefined +pkcs15init/pkcs15-myeid.c + * UNREACHABLE: Probably wrong placement of code block +tests/p15dump.c + * IDENTICAL_BRANCHES +pkcs15-init.c + * CLANG_WARNING: Potential leak of memory pointed to by 'args.der_encoded.value' +pkcs15-tool.c + * RESOURCE_LEAK: Variable "cert" going out of scope leaks the storage it points to. + * MISSING_BREAK: The above case falls through to this one. +sc-hsm-tool.c + * CLANG_WARNING: Potential leak of memory pointed to by 'sp' +westcos-tool.c + * FORWARD_NULL: Passing null pointer "pin" to "unlock_pin", which dereferences it. + * (rewrite not to confuse coverity) +--- + src/libopensc/card-cac.c | 2 +- + src/libopensc/card-coolkey.c | 7 +++++-- + src/libopensc/card-entersafe.c | 2 +- + src/libopensc/card-gids.c | 7 ++++++- + src/libopensc/card-myeid.c | 20 ++++++++++++-------- + src/libopensc/iso7816.c | 1 + + src/libopensc/pkcs15-cac.c | 5 ++++- + src/libopensc/pkcs15-coolkey.c | 2 ++ + src/libopensc/pkcs15-piv.c | 3 ++- + src/libopensc/pkcs15-sc-hsm.c | 6 ++---- + src/pkcs11/framework-pkcs15.c | 7 ++++++- + src/pkcs15init/pkcs15-lib.c | 2 +- + src/pkcs15init/pkcs15-myeid.c | 4 ++-- + src/tests/p15dump.c | 3 +-- + src/tools/pkcs15-init.c | 4 +++- + src/tools/pkcs15-tool.c | 11 ++++++++--- + src/tools/sc-hsm-tool.c | 2 ++ + src/tools/westcos-tool.c | 6 +++--- + 18 files changed, 62 insertions(+), 32 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index d5f8585..788fb52 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -467,7 +467,7 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l + size_t left = 0; + size_t len, next_len; + sc_apdu_t apdu; +- int r; ++ int r = SC_SUCCESS; + + + /* get the size */ +diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c +index c44febe..7672028 100644 +--- a/src/libopensc/card-coolkey.c ++++ b/src/libopensc/card-coolkey.c +@@ -1369,7 +1369,7 @@ coolkey_fill_object(sc_card_t *card, sc_cardctl_coolkey_object_t *obj) + { + int r; + size_t buf_len = obj->length; +- u8 *new_obj_data = malloc(buf_len); ++ u8 *new_obj_data = NULL; + sc_cardctl_coolkey_object_t *obj_entry; + coolkey_private_data_t * priv = COOLKEY_DATA(card); + +@@ -1413,7 +1413,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut + const u8 *obj = attribute->object->data; + const u8 *attr = NULL; + size_t buf_len = attribute->object->length; +- coolkey_object_header_t *object_head = (coolkey_object_header_t *)obj; ++ coolkey_object_header_t *object_head; + int attribute_count,i; + attribute->attribute_data_type = SC_CARDCTL_COOLKEY_ATTR_TYPE_STRING; + attribute->attribute_length = 0; +@@ -1434,6 +1434,7 @@ coolkey_find_attribute(sc_card_t *card, sc_cardctl_coolkey_attribute_t *attribut + if (buf_len <= sizeof(coolkey_v0_object_header_t)) { + return SC_ERROR_CORRUPTED_DATA; + } ++ object_head = (coolkey_object_header_t *)obj; + object_record_type = object_head->record_type; + /* make sure it's a type we recognize */ + if ((object_record_type != COOLKEY_V1_OBJECT) && (object_record_type != COOLKEY_V0_OBJECT)) { +@@ -2183,6 +2184,8 @@ static int coolkey_initialize(sc_card_t *card) + continue; + } + r = coolkey_add_object(priv, object_id, NULL, object_len, 0); ++ if (r != SC_SUCCESS) ++ sc_log(card->ctx, "coolkey_add_object() returned %d", r); + + } + if (r != SC_ERROR_FILE_END_REACHED) { +diff --git a/src/libopensc/card-entersafe.c b/src/libopensc/card-entersafe.c +index 6e18252..1fe4102 100644 +--- a/src/libopensc/card-entersafe.c ++++ b/src/libopensc/card-entersafe.c +@@ -487,7 +487,7 @@ static int entersafe_select_fid(sc_card_t *card, + sc_file_t **file_out) + { + int r; +- sc_file_t *file=0; ++ sc_file_t *file = NULL; + sc_path_t path; + + memset(&path, 0, sizeof(sc_path_t)); +diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c +index 51db9af..4db09f5 100644 +--- a/src/libopensc/card-gids.c ++++ b/src/libopensc/card-gids.c +@@ -668,6 +668,7 @@ static int gids_get_crypto_identifier_from_key_ref(sc_card_t *card, const unsign + if (index >= recordsnum) { + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS); + } ++ *cryptoidentifier = 0x00; /* initialize to zero */ + if (records[index].wKeyExchangeKeySizeBits == 1024 || records[index].wSigKeySizeBits == 1024) { + *cryptoidentifier = GIDS_RSA_1024_IDENTIFIER; + return SC_SUCCESS; +@@ -878,12 +879,16 @@ static int gids_read_public_key (struct sc_card *card , unsigned int algorithm, + if (keydata != NULL) { + rsa_key.modulus.data = (u8*) keydata; + rsa_key.modulus.len = len; ++ } else { ++ rsa_key.modulus.len = 0; + } + + keydata = sc_asn1_find_tag(card->ctx, keytemplate, tlen, GIDS_PUBKEY_TAG_EXPONENT, &len); + if (keydata != NULL) { + rsa_key.exponent.data = (u8*) keydata; + rsa_key.exponent.len = len; ++ } else { ++ rsa_key.exponent.len = 0; + } + + if (rsa_key.exponent.len && rsa_key.modulus.len) { +@@ -1453,7 +1458,7 @@ static int gids_import_key(sc_card_t *card, sc_pkcs15_object_t *object, sc_pkcs1 + SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_NORMAL, r, "unable to put the private key - key greater than 2048 bits ?"); + r = SC_SUCCESS; + err: +- sc_mem_clear(buffer, sizeof(buffer)); ++ sc_mem_clear(buffer, buflen); + LOG_FUNC_RETURN(card->ctx, r); + } + +diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c +index 0e75486..65c108f 100644 +--- a/src/libopensc/card-myeid.c ++++ b/src/libopensc/card-myeid.c +@@ -846,20 +846,24 @@ myeid_convert_ec_signature(struct sc_context *ctx, size_t s_len, unsigned char * + if (sig_len != (datalen - len_size - 1)) /* validate size of the DER structure */ + return SC_ERROR_INVALID_DATA; + +- buf = calloc(1, (s_len + 7)/8*2); ++ /* test&fail early */ ++ buflen = (s_len + 7)/8*2; ++ if (buflen > datalen) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ ++ buf = calloc(1, buflen); + if (!buf) + LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); +- buflen = (s_len + 7)/8*2; + + r = sc_asn1_sig_value_sequence_to_rs(ctx, data, datalen, buf, buflen); +- if (r < 0) ++ if (r < 0) { + free(buf); +- LOG_TEST_RET(ctx, r, "Failed to cenvert Sig-Value to the raw RS format"); +- +- if (buflen > datalen) +- LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ sc_log(ctx, "Failed to convert Sig-Value to the raw RS format"); ++ return r; ++ } + + memmove(data, buf, buflen); ++ free(buf); + return buflen; + } + +@@ -868,7 +872,7 @@ static int + myeid_compute_signature(struct sc_card *card, const u8 * data, size_t datalen, + u8 * out, size_t outlen) + { +- struct sc_context *ctx = card->ctx; ++ struct sc_context *ctx; + struct sc_apdu apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + u8 sbuf[SC_MAX_APDU_BUFFER_SIZE]; +diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c +index 296cf69..2539d1c 100644 +--- a/src/libopensc/iso7816.c ++++ b/src/libopensc/iso7816.c +@@ -392,6 +392,7 @@ iso7816_process_fci(struct sc_card *card, struct sc_file *file, + sc_log(ctx, " type: %s", type); + sc_log(ctx, " EF structure: %d", byte & 0x07); + sc_log(ctx, " tag 0x82: 0x%02x", byte); ++ /* FIXME: check return value? */ + sc_file_set_type_attr(file, &byte, 1); + } + } +diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c +index 4894fe4..e0fa50b 100644 +--- a/src/libopensc/pkcs15-cac.c ++++ b/src/libopensc/pkcs15-cac.c +@@ -292,7 +292,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + struct sc_pkcs15_object pubkey_obj; + struct sc_pkcs15_object prkey_obj; + sc_pkcs15_der_t cert_der; +- sc_pkcs15_cert_t *cert_out; ++ sc_pkcs15_cert_t *cert_out = NULL; + + r = (card->ops->card_ctl)(card, SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT, &obj_info); + +@@ -352,12 +352,14 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + + r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); + if (r < 0) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, " Failed to add cert obj r=%d",r); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + /* set the token name to the name of the CN of the first certificate */ +@@ -393,6 +395,7 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + usage, pubkey_info.usage, prkey_info.usage); + if (cert_out->key->algorithm != SC_ALGORITHM_RSA) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"unsupported key.algorithm %d", cert_out->key->algorithm); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } else { + pubkey_info.modulus_length = cert_out->key->u.rsa.modulus.len * 8; +diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c +index 487be19..de4920b 100644 +--- a/src/libopensc/pkcs15-coolkey.c ++++ b/src/libopensc/pkcs15-coolkey.c +@@ -667,6 +667,8 @@ static int sc_pkcs15emu_coolkey_init(sc_pkcs15_card_t *p15card) + } + + r = sc_pkcs15emu_object_add(p15card, obj_type, &obj_obj, obj_info); ++ if (r != SC_SUCCESS) ++ sc_log(card->ctx, "sc_pkcs15emu_object_add() returned %d", r); + fail: + if (key) { sc_pkcs15_free_pubkey(key); } + +diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c +index bf72df0..5bd0fdf 100644 +--- a/src/libopensc/pkcs15-piv.c ++++ b/src/libopensc/pkcs15-piv.c +@@ -710,7 +710,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + struct sc_pkcs15_cert_info cert_info; + struct sc_pkcs15_object cert_obj; + sc_pkcs15_der_t cert_der; +- sc_pkcs15_cert_t *cert_out; ++ sc_pkcs15_cert_t *cert_out = NULL; + + ckis[i].cert_found = 0; + ckis[i].key_alg = -1; +@@ -761,6 +761,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + /* +diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c +index 938ea9d..3f6b6e4 100644 +--- a/src/libopensc/pkcs15-sc-hsm.c ++++ b/src/libopensc/pkcs15-sc-hsm.c +@@ -460,6 +460,7 @@ static int sc_pkcs15emu_sc_hsm_get_ec_public_key(struct sc_context *ctx, sc_cvc_ + memcpy(pubkey->u.ec.params.der.value, ecp->der.value, ecp->der.len); + pubkey->u.ec.params.der.len = ecp->der.len; + ++ /* FIXME: check return value? */ + sc_pkcs15_fix_ec_parameters(ctx, &pubkey->u.ec.params); + + return SC_SUCCESS; +@@ -627,11 +628,8 @@ static int sc_pkcs15emu_sc_hsm_add_prkd(sc_pkcs15_card_t * p15card, u8 keyid) { + + len = sizeof efbin; + r = read_file(p15card, fid, efbin, &len); +- LOG_TEST_RET(card->ctx, r, "Could not read EF"); + +- if (r < 0) { +- return SC_SUCCESS; +- } ++ LOG_TEST_RET(card->ctx, r, "Could not read EF"); + + if (efbin[0] == 0x67) { /* Decode CSR and create public key object */ + sc_pkcs15emu_sc_hsm_add_pubkey(p15card, efbin, len, key_info, prkd.label); +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 0c89d47..732e1e5 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -571,8 +571,11 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj + /* Certificate object */ + rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object, + cert, &pkcs15_cert_ops, sizeof(struct pkcs15_cert_object)); +- if (rv < 0) ++ if (rv < 0) { ++ if (p15_cert != NULL) ++ sc_pkcs15_free_certificate(p15_cert); + return rv; ++ } + + object->cert_info = p15_info; + object->cert_data = p15_cert; +@@ -643,6 +646,8 @@ __pkcs15_create_pubkey_object(struct pkcs15_fw_data *fw_data, + object->pub_data = p15_key; + if (p15_key && object->pub_info->modulus_length == 0 && p15_key->algorithm == SC_ALGORITHM_RSA) + object->pub_info->modulus_length = 8 * p15_key->u.rsa.modulus.len; ++ } else if (pubkey->emulated && (fw_data->p15_card->flags & SC_PKCS15_CARD_FLAG_EMULATED)) { ++ sc_pkcs15_free_pubkey(p15_key); + } + + if (pubkey_object != NULL) +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index c2fc2df..d1558e2 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -760,7 +760,7 @@ sc_pkcs15init_add_app(struct sc_card *card, struct sc_profile *profile, + struct sc_pkcs15_object *pin_obj = NULL; + struct sc_app_info *app; + struct sc_file *df = profile->df_info->file; +- int r; ++ int r = SC_SUCCESS; + + LOG_FUNC_CALLED(ctx); + p15card->card = card; +diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c +index 9ed515d..6c93545 100644 +--- a/src/pkcs15init/pkcs15-myeid.c ++++ b/src/pkcs15init/pkcs15-myeid.c +@@ -510,10 +510,10 @@ myeid_store_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card, + keybits = key_info->field_length; + else + key_info->field_length = keybits; +- break; +- ++ + if (sc_card_find_ec_alg(p15card->card, keybits, &prkey->u.ec.params.id) == NULL) + LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Unsupported algorithm or key size"); ++ break; + default: + LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Store key failed: Unsupported key type"); + break; +diff --git a/src/tests/p15dump.c b/src/tests/p15dump.c +index 17ab86b..da8b4a3 100644 +--- a/src/tests/p15dump.c ++++ b/src/tests/p15dump.c +@@ -30,8 +30,7 @@ static int dump_objects(const char *what, int type) + printf("failed.\n"); + fprintf(stderr, "Error enumerating %s: %s\n", + what, sc_strerror(count)); +- if (SC_SUCCESS != sc_unlock(card)) +- return 1; ++ sc_unlock(card); + return 1; + } + if (count == 0) { +diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c +index a1b183d..a4fb1a9 100644 +--- a/src/tools/pkcs15-init.c ++++ b/src/tools/pkcs15-init.c +@@ -1318,8 +1318,10 @@ do_store_data_object(struct sc_profile *profile) + args.der_encoded.value = data; + args.der_encoded.len = datalen; + r = sc_lock(p15card->card); +- if (r < 0) ++ if (r < 0) { ++ free(data); + return r; ++ } + r = sc_pkcs15init_store_data_object(p15card, profile, &args, NULL); + sc_unlock(p15card->card); + } +diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c +index 092b9d9..e146753 100644 +--- a/src/tools/pkcs15-tool.c ++++ b/src/tools/pkcs15-tool.c +@@ -793,15 +793,18 @@ static int read_public_key(void) + + if (r == SC_ERROR_OBJECT_NOT_FOUND) { + fprintf(stderr, "Public key with ID '%s' not found.\n", opt_pubkey); +- return 2; ++ r = 2; ++ goto out; + } + if (r < 0) { + fprintf(stderr, "Public key enumeration failed: %s\n", sc_strerror(r)); +- return 1; ++ r = 1; ++ goto out; + } + if (!pubkey) { + fprintf(stderr, "Public key not available\n"); +- return 1; ++ r = 1; ++ goto out; + } + + r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len); +@@ -813,6 +816,7 @@ static int read_public_key(void) + free(pem_key.value); + } + ++out: + if (cert) + sc_pkcs15_free_certificate(cert); + else if (pubkey) +@@ -2097,6 +2101,7 @@ int main(int argc, char * const argv[]) + break; + case OPT_USE_PINPAD_DEPRECATED: + fprintf(stderr, "'--no-prompt' is deprecated , use '--use-pinpad' instead.\n"); ++ /* fallthrough */ + case OPT_USE_PINPAD: + opt_use_pinpad = 1; + break; +diff --git a/src/tools/sc-hsm-tool.c b/src/tools/sc-hsm-tool.c +index cce855f..029d991 100644 +--- a/src/tools/sc-hsm-tool.c ++++ b/src/tools/sc-hsm-tool.c +@@ -697,6 +697,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas + memset(inbuf, 0, sizeof(inbuf)); + if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) { + fprintf(stderr, "Input aborted\n"); ++ free(shares); + return -1; + } + p = (sp->x); +@@ -706,6 +707,7 @@ static int recreate_password_from_shares(char **pwd, int *pwdlen, int num_of_pas + memset(inbuf, 0, sizeof(inbuf)); + if (fgets(inbuf, sizeof(inbuf), stdin) == NULL) { + fprintf(stderr, "Input aborted\n"); ++ free(shares); + return -1; + } + binlen = 64; +diff --git a/src/tools/westcos-tool.c b/src/tools/westcos-tool.c +index 29b75dd..ff3d5e6 100644 +--- a/src/tools/westcos-tool.c ++++ b/src/tools/westcos-tool.c +@@ -91,8 +91,6 @@ static int finalize = 0; + static int install_pin = 0; + static int overwrite = 0; + +-static const char *pin = NULL; +-static const char *puk = NULL; + static char *cert = NULL; + + static int keylen = 0; +@@ -260,7 +258,7 @@ static int unlock_pin(sc_card_t *card, + } + else + { +- if(pin == NULL || puk == NULL) ++ if(pin_value == NULL || puk_value == NULL) + { + return SC_ERROR_INVALID_ARGUMENTS; + } +@@ -372,6 +370,8 @@ int main(int argc, char *argv[]) + RSA *rsa = NULL; + BIGNUM *bn = NULL; + BIO *mem = NULL; ++ static const char *pin = NULL; ++ static const char *puk = NULL; + + while (1) + { + +From e73b2ad2e01cbcc3fdee471ce9692ab95a83b8a0 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 1 Mar 2017 09:45:17 +0100 +Subject: [PATCH 2/3] Sanitize call to sc_pkcs15_free_certificate() + +--- + src/libopensc/pkcs15-cac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c +index e0fa50b..61c6430 100644 +--- a/src/libopensc/pkcs15-cac.c ++++ b/src/libopensc/pkcs15-cac.c +@@ -352,7 +352,8 @@ static int sc_pkcs15emu_cac_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); +- sc_pkcs15_free_certificate(cert_out); ++ if (cert_out != NULL) ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + + +From bdf452210f7fdbefe91df910025142b2e48b8ebc Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 1 Mar 2017 15:23:17 +0100 +Subject: [PATCH 3/3] Sanitize call to sc_pkcs15_free_certificate() in PIV too + +--- + src/libopensc/pkcs15-piv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c +index 5bd0fdf..f6b6742 100644 +--- a/src/libopensc/pkcs15-piv.c ++++ b/src/libopensc/pkcs15-piv.c +@@ -761,7 +761,8 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) + r = sc_pkcs15_read_certificate(p15card, &cert_info, &cert_out); + if (r < 0 || cert_out->key == NULL) { + sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read/parse the certificate r=%d",r); +- sc_pkcs15_free_certificate(cert_out); ++ if (cert_out != NULL) ++ sc_pkcs15_free_certificate(cert_out); + continue; + } + /* +From 389ffe590986c6ed42fa810874a52a51bac3ca26 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 23 Mar 2017 12:16:46 +0100 +Subject: [PATCH 1/3] Coverity: FORWARD_NULL -- copy&paste error + +--- + src/tools/gids-tool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tools/gids-tool.c b/src/tools/gids-tool.c +index 029c53f..84073b6 100644 +--- a/src/tools/gids-tool.c ++++ b/src/tools/gids-tool.c +@@ -277,7 +277,7 @@ static int changeAdminKey(sc_card_t* card, const char *so_pin, const char* new_k + + if (new_key == NULL) { + printf("Enter new admin key (48 hexadecimal characters) : "); +- util_getpass(&_so_pin, NULL, stdin); ++ util_getpass(&_new_key, NULL, stdin); + printf("\n"); + } else { + _new_key = (char *)new_key; +-- +2.9.3 + + +From 1133efa4fe4d9a0267486cadbd3f6d144c584645 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 23 Mar 2017 15:14:35 +0100 +Subject: [PATCH 2/3] CLANG_WARNING: Call to 'malloc' has an allocation size of + 0 bytes + +--- + src/scconf/scconf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/scconf/scconf.c b/src/scconf/scconf.c +index 7fcc301..678df3e 100644 +--- a/src/scconf/scconf.c ++++ b/src/scconf/scconf.c +@@ -411,6 +411,8 @@ char *scconf_list_strdup(const scconf_list * list, const char *filler) + if (filler) { + len += scconf_list_array_length(list) * (strlen(filler) + 1); + } ++ if (len == 0) ++ return NULL; + buf = malloc(len); + if (!buf) { + return NULL; +-- +2.9.3 + + +From f82bc2008d58348cafcbba30623fcb55dab5cb3a Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 23 Mar 2017 15:46:42 +0100 +Subject: [PATCH 3/3] Avoid malloc with 0 argument + +--- + src/libopensc/card-cac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index 788fb52..6a5b5af 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -670,12 +670,12 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx, + r = sc_decompress_alloc(&priv->cache_buf, &priv->cache_buf_len, + cert_ptr, cert_len, COMPRESSION_AUTO); + #else +- sc_log(card->ctx, "PIV compression not supported, no zlib"); ++ sc_log(card->ctx, "CAC compression not supported, no zlib"); + r = SC_ERROR_NOT_SUPPORTED; + #endif + if (r) + goto done; +- } else { ++ } else if (cert_len > 0) { + priv->cache_buf = malloc(cert_len); + if (priv->cache_buf == NULL) { + r = SC_ERROR_OUT_OF_MEMORY; +@@ -683,6 +683,9 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx, + } + priv->cache_buf_len = cert_len; + memcpy(priv->cache_buf, cert_ptr, cert_len); ++ } else { ++ sc_log(card->ctx, "Can't read zero-length certificate"); ++ goto done; + } + break; + default: +-- +2.9.3 + + diff --git a/SOURCES/opensc-0.16.0-lock.patch b/SOURCES/opensc-0.16.0-lock.patch new file mode 100644 index 0000000..aff8653 --- /dev/null +++ b/SOURCES/opensc-0.16.0-lock.patch @@ -0,0 +1,59 @@ +From 6b36a341c372f3dcec13c5ddee52fdb907a255a9 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 12 Apr 2017 17:42:54 +0200 +Subject: [PATCH 1/2] Make sure the lock is released when returning + +--- + src/pkcs11/framework-pkcs15.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 2f78a63..3441b99 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -487,12 +487,16 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) + goto out; + } + +- if (slot->p11card == NULL) +- return CKR_TOKEN_NOT_PRESENT; ++ if (slot->p11card == NULL) { ++ rv = CKR_TOKEN_NOT_PRESENT; ++ goto out; ++ } + + fw_data = (struct pkcs15_fw_data *) slot->p11card->fws_data[slot->fw_data_idx]; +- if (!fw_data) +- return sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo"); ++ if (!fw_data) { ++ rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo"); ++ goto out; ++ } + p15card = fw_data->p15_card; + + /* User PIN flags are cleared before re-calculation */ + +From 8e8f0ffdcc959f9dd7ea9036aea887917e961bd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 12 Apr 2017 17:43:32 +0200 +Subject: [PATCH 2/2] pkcs11-tool: Do not use unitialized data when + C_GetTokenInfo() failed + +--- + src/tools/pkcs11-tool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index ef5d2a6..555029d 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -1105,6 +1105,9 @@ static void show_token(CK_SLOT_ID slot) + if (rv == CKR_TOKEN_NOT_RECOGNIZED) { + printf(" (token not recognized)\n"); + return; ++ } else if (rv != CKR_OK) { ++ printf("C_GetTokenInfo() failed: rv = %s\n", CKR2Str(rv)); ++ return; + } + if (!(info.flags & CKF_TOKEN_INITIALIZED) && (!verbose)) { + printf(" token state: uninitialized\n"); diff --git a/SOURCES/opensc-export-symbols.patch b/SOURCES/opensc-export-symbols.patch deleted file mode 100644 index baa1e21..0000000 --- a/SOURCES/opensc-export-symbols.patch +++ /dev/null @@ -1,75 +0,0 @@ -diff --git a/src/pkcs11/pkcs11-spy.exports b/src/pkcs11/pkcs11-spy.exports -index 562ecea..9b9b01c 100644 ---- a/src/pkcs11/pkcs11-spy.exports -+++ b/src/pkcs11/pkcs11-spy.exports -@@ -1 +1,70 @@ -+C_Initialize -+C_Finalize -+C_GetInfo - C_GetFunctionList -+C_GetSlotList -+C_GetSlotInfo -+C_GetTokenInfo -+C_GetMechanismList -+C_GetMechanismInfo -+C_InitToken -+C_InitPIN -+C_SetPIN -+C_OpenSession -+C_CloseSession -+C_CloseAllSessions -+C_GetSessionInfo -+C_GetOperationState -+C_SetOperationState -+C_Login -+C_Logout -+C_CreateObject -+C_CopyObject -+C_DestroyObject -+C_GetObjectSize -+C_GetAttributeValue -+C_SetAttributeValue -+C_FindObjectsInit -+C_FindObjects -+C_FindObjectsFinal -+C_EncryptInit -+C_Encrypt -+C_EncryptUpdate -+C_EncryptFinal -+C_DecryptInit -+C_Decrypt -+C_DecryptUpdate -+C_DecryptFinal -+C_DigestInit -+C_Digest -+C_DigestUpdate -+C_DigestKey -+C_DigestFinal -+C_SignInit -+C_Sign -+C_SignUpdate -+C_SignFinal -+C_SignRecoverInit -+C_SignRecover -+C_VerifyInit -+C_Verify -+C_VerifyUpdate -+C_VerifyFinal -+C_VerifyRecoverInit -+C_VerifyRecover -+C_DigestEncryptUpdate -+C_DecryptDigestUpdate -+C_SignEncryptUpdate -+C_DecryptVerifyUpdate -+C_GenerateKey -+C_GenerateKeyPair -+C_WrapKey -+C_UnwrapKey -+C_DeriveKey -+C_SeedRandom -+C_GenerateRandom -+C_GetFunctionStatus -+C_CancelFunction -+C_WaitForSlotEvent -+C_Initialize -+C_Finalize diff --git a/SOURCES/pkcs11-switch.sh b/SOURCES/pkcs11-switch.sh new file mode 100755 index 0000000..f29565c --- /dev/null +++ b/SOURCES/pkcs11-switch.sh @@ -0,0 +1,77 @@ +#!/bin/sh + +# Paths, names and functions definitions +NSSDB="/etc/pki/nssdb/" +COOLKEY_NAME="CoolKey PKCS #11 Module" +COOLKEY_LIBRARY="libcoolkeypk11.so" +OPENSC_NAME="OpenSC PKCS #11 Module" +OPENSC_LIBRARY="opensc-pkcs11.so" + +add_module() { + NAME="$1" + LIBRARY="$2" + modutil -add "$NAME" -dbdir "$NSSDB" -libfile "$LIBRARY" +} +remove_module() { + NAME="$1" + modutil -delete "$NAME" -dbdir "$NSSDB" -force +} + +# Parse arguments. If wrong, print usage +TARGET="$1" +if [ "$TARGET" = "" ]; then + # Print currently installed module + PRINT_CURRENT="1" +elif [ "$TARGET" = "opensc" ] || [ "$TARGET" = "coolkey" ]; then + : # Correct arguments +else + echo "Simple tool to switch between OpenSC and Coolkey PKCS#11 modules in main NSS DB." + echo "Usage: $0 [coolkey|opensc]" + echo " [coolkey|opensc] says which of the modules should be used." + echo " The other one will be removed from database." + echo + echo " If there is no argument specified, prints the current module in NSS DB" + exit 255 +fi + +if [ ! -x /usr/bin/modutil ]; then + echo "The modutil is not installed. Please install package nss-util" + exit 255 +fi + +# Find the current library in NSS DB +CURRENT="" # none +LIBS=$(modutil -rawlist -dbdir "$NSSDB" | grep "^library=") +if echo "$LIBS" | grep "$COOLKEY_NAME" > /dev/null; then + CURRENT="coolkey" +fi +if echo "$LIBS" | grep "$OPENSC_NAME" > /dev/null; then + if [ -n "$CURRENT" ]; then + CURRENT="opensc coolkey" + echo "There are both modules in NSS DB, which is not recommended." + echo "I will remove the other." + else + CURRENT="opensc" + fi +fi + +if [ "$PRINT_CURRENT" = "1" ]; then + echo "$CURRENT" + exit 0 +fi + +# Do we need to change something? +if [ "$CURRENT" = "$TARGET" ]; then + echo "The requested module is already in the NSS DB" + exit 0 +fi + +# Do the actual change +if [ "$TARGET" = "opensc" ]; then + add_module "$OPENSC_NAME" "$OPENSC_LIBRARY" + remove_module "$COOLKEY_NAME" +fi +if [ "$TARGET" = "coolkey" ]; then + add_module "$COOLKEY_NAME" "$COOLKEY_LIBRARY" + remove_module "$OPENSC_NAME" +fi diff --git a/SPECS/opensc.spec b/SPECS/opensc.spec index ed16966..576d4ee 100644 --- a/SPECS/opensc.spec +++ b/SPECS/opensc.spec @@ -1,20 +1,27 @@ +%global commit0 777e2a3751e3f6d53f056c98e9e20e42af674fb1 +%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) + Name: opensc -Version: 0.14.0 -Release: 2%{?dist} +Version: 0.16.0 +Release: 5.20170227git%{shortcommit0}%{?dist} Summary: Smart card library and applications Group: System Environment/Libraries License: LGPLv2+ URL: https://github.com/OpenSC/OpenSC/wiki -Source0: http://downloads.sourceforge.net/project/opensc/OpenSC/opensc-%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/OpenSC/OpenSC/archive/%{commit0}.zip#/%{name}-%{version}-git%{shortcommit0}.zip Source1: opensc.module -Patch0: opensc-export-symbols.patch +Source2: pkcs11-switch.sh +Patch0: opensc-0.16.0-coverity.patch +Patch1: opensc-0.16.0-cardos.patch +Patch2: opensc-0.16.0-lock.patch BuildRequires: pcsc-lite-devel BuildRequires: readline-devel BuildRequires: openssl-devel BuildRequires: /usr/bin/xsltproc BuildRequires: docbook-style-xsl +BuildRequires: autoconf automake libtool Requires: pcsc-lite-libs%{?_isa} Requires: pcsc-lite Obsoletes: mozilla-opensc-signer < 0.12.0 @@ -31,12 +38,11 @@ every software/card that does so, too. %prep -%setup -q - -%patch0 -p1 -b .spy-symbols +%setup -q -n OpenSC-%{commit0} +%patch0 -p1 -b .coverity +%patch1 -p1 -b .cardos +%patch2 -p1 -b .lock -sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in -sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths cp -p src/pkcs15init/README ./README.pkcs15init cp -p src/scconf/README.scconf . # No {_libdir} here to avoid multilib conflicts; it's just an example @@ -44,6 +50,9 @@ sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.in %build +autoreconf -fvi +sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in +sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths %configure --disable-static \ --disable-assert \ --enable-pcsc \ @@ -57,6 +66,7 @@ make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module +install -Dpm 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/pkcs11-switch # use NEWS file timestamp as reference for configuration file touch -r NEWS $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf @@ -69,6 +79,9 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc # Remove the symlink as nothing is supposed to link against libopensc. rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so +%if 0%{?rhel} +rm -rf %{buildroot}%{_sysconfdir}/bash_completion.d/ +%endif %post -p /sbin/ldconfig @@ -79,18 +92,25 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so %files %defattr(-,root,root,-) %doc COPYING NEWS README* + +%if ! 0%{?rhel} +%{_sysconfdir}/bash_completion.d/* +%endif + %config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf %{_datadir}/p11-kit/modules/opensc.module %{_bindir}/cardos-tool %{_bindir}/cryptoflex-tool %{_bindir}/eidenv %{_bindir}/iasecc-tool +%{_bindir}/gids-tool %{_bindir}/netkey-tool %{_bindir}/openpgp-tool %{_bindir}/opensc-explorer %{_bindir}/opensc-tool %{_bindir}/piv-tool %{_bindir}/pkcs11-tool +%{_bindir}/pkcs11-switch %{_bindir}/pkcs15-crypt %{_bindir}/pkcs15-init %{_bindir}/pkcs15-tool @@ -101,7 +121,8 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so %{_libdir}/opensc-pkcs11.so %{_libdir}/pkcs11-spy.so %{_libdir}/onepin-opensc-pkcs11.so -%dir %{_libdir}/pkcs11 +%{_libdir}/pkgconfig/*.pc +%%dir %{_libdir}/pkcs11 %{_libdir}/pkcs11/opensc-pkcs11.so %{_libdir}/pkcs11/onepin-opensc-pkcs11.so %{_libdir}/pkcs11/pkcs11-spy.so @@ -109,6 +130,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so %{_mandir}/man1/cardos-tool.1* %{_mandir}/man1/cryptoflex-tool.1* %{_mandir}/man1/eidenv.1* +%{_mandir}/man1/gids-tool.1* %{_mandir}/man1/iasecc-tool.1* %{_mandir}/man1/netkey-tool.1* %{_mandir}/man1/openpgp-tool.1* @@ -121,10 +143,28 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so %{_mandir}/man1/pkcs15-tool.1* %{_mandir}/man1/sc-hsm-tool.1* %{_mandir}/man1/westcos-tool.1* +%{_mandir}/man1/dnie-tool.1* %{_mandir}/man5/*.5* %changelog +* Thu May 18 2017 Jakub Jelen - 0.16.0-5.20170227git +- Add missing pkcs11-switch script + +* Thu Apr 13 2017 Jakub Jelen - 0.16.0-4.20170227git +- Release aquired lock for uninitialized ASEPCOS cards (#1376090) + +* Thu Mar 23 2017 Jakub Jelen - 0.16.0-3.20170227git +- Fix more issues identified by Coverity scan + +* Thu Mar 23 2017 Jakub Jelen - 0.16.0-2.20170227git +- Add support for CardOS 5.3 +- Fix coverity issues +- Provide simple tool to swith PKCS#11 library in NSS DB + +* Tue Jan 10 2017 Jakub Jelen - 0.16.0-1.20170110git +- Rebase to OpenSC master with support for CAC cards (#1373164) + * Thu Feb 25 2016 Nikos Mavrogiannopoulos 0.14.0-2 - Export PKCS#11 symbols from spy library (#1283305)