Back to the master plan.
Martin,
 How do you plan on merging in the changes?

 What assistance do you need to do this?

 Would it help to for a developer to rebase their changes  as you add other 
changes?

Viktor said on 8/11/2011:
I guess that we should have some intermediate branch with a more or less common 
commit access,
that can be fed by more then one person and that could be used as a fresh code 
base for the patch/merge proposals.
This branch could be considered as 'almost sure' and normally could be merged 
into the individual experimental branches without apprehension.
This branch should be the only one to be checked for the conflicts by proposals 
authors.

I was thinking about something like 'proposal' branch of the OpenSC github.

A developer could rebase their changes against this 'proposal' branch
so making it easier to pull in the developers changes.

I am willing to do a rebase for the ECDH code.

There is one area that still needs to be addressed. The ecdh/derive
depends on much of the code that was introduced by the USE_PKCS15_INIT.

But USE_PKCS15_INIT is only defined if ENABLE_OPENSSL is defined,
and USE_PKCS_15_INIT ifdef's out much of the code that is needed by
derive even though the derive code does not use OpenSSL.

So I/we need a mode to change the #ifdefs for USE_PKCS15_INIT.
This could be done against the 'proposed' branch, and then
the ecdh code could be rebased on top of that.

What do you suggest?

See attachment with a first cut of the change that is based on
top of the ecdh code.


On 9/9/2011 3:07 AM, Viktor Tarasov wrote:
Le 09/09/2011 09:38, Martin Paljak a écrit :
Hello,

Autumn has started (at least in northern hemisphere) so it is time to
pull together next OpenSC release.

Things to do that should be cleaned up into hopefully self-contained
patches:
   - secret key object signature (Viktor and Douglas have different
signatures) [1]
   - secure messaging, at least in the minimal scope of what belongs to
apdu.c (card driver based wrap/unwrap?) [2]
   - new drivers, that depend on secure messaging:
    - DNIe [3]
    - epass2k3 [4]
   - ECDH support [5]
   - Coverity fixes
   - Minidriver updates [6]
   - Proper reader detachments (only really affects PKCS#11) [8]
   - Updates to installers
    - Windows: incorporate automatic minidriver configuration for all (at
least select) cards
    - Mac OS X: generic updates and settled 10.7 support (until further
information from Apple will be available)
   - Separation of OpenSSL into a softcrypto mini-api with an alternative
backend (libgcrypt as it is LGPL for Debian) [7]
   - Updates to the Git workflow that would make it more easy to
understand for brains, with a continuous staging branch (revertable).
But non-trivial changes should still go through separate branches...

Anything I missed? I'll put this to a wiki page as well with probably
more notes.

Coverity scan:
https://github.com/viktorTarasov/OpenSC/tree/coverity-scan<https://github.com/viktorTarasov/OpenSC/commits/coverity-scan>

[1]
https://github.com/dengert/OpenSC/commit/9f72469d7281ccc660cec4cc7cc96559ceb9f032#commitcomment-525973
[2] http://www.opensc-project.org/opensc/wiki/SecureMessaging

For secure messaging it's rather:
https://github.com/viktorTarasov/OpenSC/tree/secure-messaging<https://github.com/viktorTarasov/OpenSC/commits/secure-messaging>


[3] http://www.opensc-project.org/opensc/wiki/DNIe
[4] https://github.com/OpenSC/OpenSC/pull/1
[5] https://github.com/dengert/OpenSC/commits/ecdh
[6] https://github.com/viktorTarasov/OpenSC/tree/minidriver-write-mode
[7]
http://www.opensc-project.org/pipermail/opensc-devel/2011-August/017116.html
[8] https://github.com/viktorTarasov/OpenSC/tree/detach-reader
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel



--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 6f21828..ecdedf6 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -25,9 +25,9 @@
 #include <string.h>
 
 #include "sc-pkcs11.h"
-#ifdef USE_PKCS15_INIT
+//DEE#ifdef USE_PKCS15_INIT
 #include "pkcs15init/pkcs15-init.h"
-#endif
+//DEE#endif
 
 extern int hack_enabled;
 
@@ -252,7 +252,7 @@ static void pkcs15_init_token_info(struct sc_pkcs15_card 
*p15card, CK_TOKEN_INFO
        pToken->firmwareVersion.minor = 0;
 }
 
-#ifdef USE_PKCS15_INIT
+//DEE #ifdef USE_PKCS15_INIT
 static char *
 set_cka_label(CK_ATTRIBUTE_PTR attr, char *label) 
 { 
@@ -265,7 +265,7 @@ set_cka_label(CK_ATTRIBUTE_PTR attr, char *label)
        label[len] = '\0'; 
        return label; 
 } 
-#endif
+//DEE #endif
 
 static int
 __pkcs15_create_object(struct pkcs15_fw_data *fw_data,
@@ -305,7 +305,7 @@ __pkcs15_release_object(struct pkcs15_any_object *obj)
        return 0;
 }
 
-#ifdef USE_PKCS15_INIT
+//DEE #ifdef USE_PKCS15_INIT
 static int
 __pkcs15_delete_object(struct pkcs15_fw_data *fw_data, struct 
pkcs15_any_object *obj)
 {
@@ -323,7 +323,7 @@ __pkcs15_delete_object(struct pkcs15_fw_data *fw_data, 
struct pkcs15_any_object
                }
        return SC_ERROR_OBJECT_NOT_FOUND;
 }
-#endif
+//DEE #endif
 
 CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 {
@@ -1445,6 +1445,8 @@ static CK_RV pkcs15_init_pin(struct sc_pkcs11_card 
*p11card,
        return CKR_OK;
 }
 
+#endif
+
 static unsigned long
 pkcs15_check_bool_cka(CK_ATTRIBUTE_PTR attr, unsigned long flag)
 {
@@ -2027,7 +2029,7 @@ static CK_RV pkcs15_create_object(struct sc_pkcs11_card 
*p11card,
 {
        struct sc_profile *profile = NULL;
        CK_OBJECT_CLASS _class;
-       CK_BBOOL _token = FALSE;
+       CK_BBOOL _token = FALSE; /* PKCS#11 says this is the default */
 
        int rv, rc;
 
@@ -2036,19 +2038,13 @@ static CK_RV pkcs15_create_object(struct sc_pkcs11_card 
*p11card,
                return rv;
 
        rv = attr_find(pTemplate, ulCount, CKA_TOKEN, &_token, NULL);
-       if (rv == CKR_TEMPLATE_INCOMPLETE) { 
-           /* TODO OpenSC has not checked CKA_TOKEN == TRUE, so only
-            * so only enforce for secret_key
-            */ 
-           if (_class != CKO_SECRET_KEY) 
-               _token = TRUE; /* default if not in template */
-        } else if (rv != CKR_OK)
+       if (rv != CKR_OK && rv != CKR_TEMPLATE_INCOMPLETE)
                return rv;
 
        /* TODO The previous code does not check for CKA_TOKEN=TRUE
-        * PKCS#11 CreatObject examples always have it, but
+        * Now that we support some session objects, we need to follow
+         * the standards 
         * PKCS#11 says the default is false. 
-        * for backward compatability, will default to TRUE
         */
 
        /* Dont need profile id creating session only objects */
@@ -2358,7 +2354,7 @@ kpgen_done:
 
        return rv;
 }
-#endif
+//DEE #endif
 static CK_RV pkcs15_skey_destroy(struct sc_pkcs11_session *session, void 
*object)
 {
        struct pkcs15_data_object *obj = (struct pkcs15_data_object*) object;
@@ -2388,9 +2384,9 @@ static CK_RV pkcs15_skey_destroy(struct sc_pkcs11_session 
*session, void *object
 
 static CK_RV pkcs15_any_destroy(struct sc_pkcs11_session *session, void 
*object)
 {
-#ifndef USE_PKCS15_INIT
-       return CKR_FUNCTION_NOT_SUPPORTED;
-#else
+//DEE #ifndef USE_PKCS15_INIT
+//DEE  return CKR_FUNCTION_NOT_SUPPORTED;
+//DEE #else
        struct pkcs15_data_object *obj = (struct pkcs15_data_object*) object;
        struct pkcs15_any_object *any_obj = (struct pkcs15_any_object*) object;
        struct sc_pkcs11_card *card = session->slot->card;
@@ -2426,7 +2422,7 @@ static CK_RV pkcs15_any_destroy(struct sc_pkcs11_session 
*session, void *object)
                return sc_to_cryptoki_error(rv, "C_DestroyObject");
 
        return CKR_OK;
-#endif
+//DEE #endif
 }
 
 
@@ -2452,12 +2448,14 @@ struct sc_pkcs11_framework_ops framework_pkcs15 = {
        NULL,                   /* init_token */
 #ifdef USE_PKCS15_INIT
        pkcs15_init_pin,
+#else
+       NULL,
+#endif
        pkcs15_create_object,
+#ifdef USE_PKCS15_INIT
        pkcs15_gen_keypair,
 #else
        NULL,
-       NULL,
-       NULL,
 #endif
        pkcs15_get_random
 };
@@ -2466,9 +2464,9 @@ static CK_RV pkcs15_set_attrib(struct sc_pkcs11_session 
*session,
                                struct sc_pkcs15_object *p15_object,
                                CK_ATTRIBUTE_PTR attr)
 {
-#ifndef USE_PKCS15_INIT
+//DEE #ifndef USE_PKCS15_INIT
        return CKR_FUNCTION_NOT_SUPPORTED;
-#else
+//DEE #else
        struct sc_profile *profile = NULL;
        struct sc_pkcs11_card *p11card = session->slot->card;
        struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) 
p11card->fw_data;
@@ -2516,7 +2514,7 @@ set_attr_done:
        sc_unlock(p11card->card);
        
        return rv;
-#endif
+//DEE #endif
 }
 
 /*
@@ -3914,6 +3912,11 @@ static int register_ec_mechanisms(struct sc_pkcs11_card 
*p11card, int flags,
        if (rc != CKR_OK)
            return rc;
 
+        /* PKCS#11 may try and create ephemeral session keys if this 
+         * flag is set. Some cards might be able to do this, but not 
+         * most
+        */
+
        if (flags & SC_ALGORITHM_ONBOARD_KEY_GEN) {
                mech_info.flags = CKF_HW | CKF_GENERATE_KEY_PAIR;
                mech_info.flags |= ec_flags;
diff --git a/src/pkcs11/sc-pkcs11.h b/src/pkcs11/sc-pkcs11.h
index 84e4dfe..1367a17 100644
--- a/src/pkcs11/sc-pkcs11.h
+++ b/src/pkcs11/sc-pkcs11.h
@@ -60,7 +60,7 @@ extern CK_RV C_UnloadModule(void *module);
 
 /* Decide whether to use pkcs11 for initialization support */
 #ifdef ENABLE_OPENSSL
-#define USE_PKCS15_INIT
+#define USE_PKCS15_INIT_DEE_TEST_WITHOUT
 #endif
 
 #ifdef __cplusplus
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to