Back to the master plan.
Martin,
How do you plan on merging in the changes?
What assistance do you need to do this?
Would it help for a developer to rebase their changes as you add other
changes?
Viktor said on 8/11/2011:
I guess that we should have some intermediate branch with a more or less common
commit access,
that can be fed by more than one person and that could be used as a fresh code
base for the patch/merge proposals.
This branch could be considered as 'almost sure' and normally could be merged
into the individual experimental branches without apprehension.
This branch should be the only one to be checked for the conflicts by proposals
authors.
I was thinking about something like 'proposal' branch of the OpenSC github.
A developer could rebase their changes against this 'proposal' branch
making it easier to pull in the developers' changes.
I am willing to do a rebase for the ECDH code.
There is one area that still needs to be addressed. The ecdh/derive
depends on much of the code that was introduced by the USE_PKCS15_INIT.
But USE_PKCS15_INIT is only defined if ENABLE_OPENSSL is defined,
and USE_PKCS15_INIT ifdef's out much of the code that is needed by
derive even though the derive code does not use OpenSSL.
So I/we need a modification to change the #ifdefs for USE_PKCS15_INIT.
This could be done against the 'proposed' branch, and then
the ecdh code could be rebased on top of that.
What do you suggest?
See attachment with a first cut of the change that is based on
top of the ecdh code.
On 9/9/2011 3:07 AM, Viktor Tarasov wrote:
Le 09/09/2011 09:38, Martin Paljak a écrit :
Hello,
Autumn has started (at least in northern hemisphere) so it is time to
pull together next OpenSC release.
Things to do that should be cleaned up into hopefully self-contained
patches:
- secret key object signature (Viktor and Douglas have different
signatures) [1]
- secure messaging, at least in the minimal scope of what belongs to
apdu.c (card driver based wrap/unwrap?) [2]
- new drivers, that depend on secure messaging:
- DNIe [3]
- epass2k3 [4]
- ECDH support [5]
- Coverity fixes
- Minidriver updates [6]
- Proper reader detachments (only really affects PKCS#11) [8]
- Updates to installers
- Windows: incorporate automatic minidriver configuration for all (at
least select) cards
- Mac OS X: generic updates and settled 10.7 support (until further
information from Apple will be available)
- Separation of OpenSSL into a softcrypto mini-api with an alternative
backend (libgcrypt as it is LGPL for Debian) [7]
- Updates to the Git workflow that would make it more easy to
understand for brains, with a continuous staging branch (revertable).
But non-trivial changes should still go through separate branches...
Anything I missed? I'll put this to a wiki page as well with probably
more notes.
Coverity scan:
https://github.com/viktorTarasov/OpenSC/tree/coverity-scan <https://github.com/viktorTarasov/OpenSC/commits/coverity-scan>
[1]
https://github.com/dengert/OpenSC/commit/9f72469d7281ccc660cec4cc7cc96559ceb9f032#commitcomment-525973
[2] http://www.opensc-project.org/opensc/wiki/SecureMessaging
For secure messaging it's rather:
https://github.com/viktorTarasov/OpenSC/tree/secure-messaging <https://github.com/viktorTarasov/OpenSC/commits/secure-messaging>
[3] http://www.opensc-project.org/opensc/wiki/DNIe
[4] https://github.com/OpenSC/OpenSC/pull/1
[5] https://github.com/dengert/OpenSC/commits/ecdh
[6] https://github.com/viktorTarasov/OpenSC/tree/minidriver-write-mode
[7]
http://www.opensc-project.org/pipermail/opensc-devel/2011-August/017116.html
[8] https://github.com/viktorTarasov/OpenSC/tree/detach-reader
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 6f21828..ecdedf6 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -25,9 +25,9 @@
#include <string.h>
#include "sc-pkcs11.h"
-#ifdef USE_PKCS15_INIT
+//DEE#ifdef USE_PKCS15_INIT
#include "pkcs15init/pkcs15-init.h"
-#endif
+//DEE#endif
extern int hack_enabled;
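Review bot: The `//DEE#ifdef USE_PKCS15_INIT` and `//DEE#endif` lines keep the old preprocessor guards in the file as `//` comments instead of deleting them, which makes it hard to see which code is still conditional. The same markers recur in the later hunks of this file (around `set_cka_label`, `__pkcs15_delete_object`, `pkcs15_any_destroy` and `pkcs15_set_attrib`). If the include is meant to be unconditional, drop both lines and say why in a comment, for example `/* pkcs15init is needed for object creation and derive even without OpenSSL */`. Whether `pkcs15init/pkcs15-init.h` and the code behind it build without OpenSSL is not visible in this patch and should be confirmed.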
@@ -252,7 +252,7 @@ static void pkcs15_init_token_info(struct sc_pkcs15_card
*p15card, CK_TOKEN_INFO
pToken->firmwareVersion.minor = 0;
}
-#ifdef USE_PKCS15_INIT
+//DEE #ifdef USE_PKCS15_INIT
static char *
set_cka_label(CK_ATTRIBUTE_PTR attr, char *label)
{
@@ -265,7 +265,7 @@ set_cka_label(CK_ATTRIBUTE_PTR attr, char *label)
label[len] = '\0';
return label;
}
-#endif
+//DEE #endif
static int
__pkcs15_create_object(struct pkcs15_fw_data *fw_data,
@@ -305,7 +305,7 @@ __pkcs15_release_object(struct pkcs15_any_object *obj)
return 0;
}
-#ifdef USE_PKCS15_INIT
+//DEE #ifdef USE_PKCS15_INIT
static int
__pkcs15_delete_object(struct pkcs15_fw_data *fw_data, struct
pkcs15_any_object *obj)
{
@@ -323,7 +323,7 @@ __pkcs15_delete_object(struct pkcs15_fw_data *fw_data,
struct pkcs15_any_object
}
return SC_ERROR_OBJECT_NOT_FOUND;
}
-#endif
+//DEE #endif
CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
{
@@ -1445,6 +1445,8 @@ static CK_RV pkcs15_init_pin(struct sc_pkcs11_card
*p11card,
return CKR_OK;
}
+#endif
+
static unsigned long
pkcs15_check_bool_cka(CK_ATTRIBUTE_PTR attr, unsigned long flag)
{
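Review bot: The added `#endif` closes a conditional that opens above this hunk, and nothing on the line says which one; `#endif /* USE_PKCS15_INIT */` would make that explicit. Together with the commented-out `#endif` after `kpgen_done`, it appears to make everything from `pkcs15_check_bool_cka` down to the key-pair generation code compile unconditionally. The ops table in this patch still lists `pkcs15_gen_keypair` only under `#ifdef USE_PKCS15_INIT`, so without the macro that static function looks to be built but never referenced. Consider reopening the guard around the key-generation function rather than leaving it outside any conditional.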
@@ -2027,7 +2029,7 @@ static CK_RV pkcs15_create_object(struct sc_pkcs11_card
*p11card,
{
struct sc_profile *profile = NULL;
CK_OBJECT_CLASS _class;
- CK_BBOOL _token = FALSE;
+ CK_BBOOL _token = FALSE; /* PKCS#11 says this is the default */
int rv, rc;
@@ -2036,19 +2038,13 @@ static CK_RV pkcs15_create_object(struct sc_pkcs11_card
*p11card,
return rv;
rv = attr_find(pTemplate, ulCount, CKA_TOKEN, &_token, NULL);
- if (rv == CKR_TEMPLATE_INCOMPLETE) {
- /* TODO OpenSC has not checked CKA_TOKEN == TRUE, so only
- * so only enforce for secret_key
- */
- if (_class != CKO_SECRET_KEY)
- _token = TRUE; /* default if not in template */
- } else if (rv != CKR_OK)
+ if (rv != CKR_OK && rv != CKR_TEMPLATE_INCOMPLETE)
return rv;
/* TODO The previous code does not check for CKA_TOKEN=TRUE
- * PKCS#11 CreatObject examples always have it, but
+ * Now that we support some session objects, we need to follow
+ * the standards
* PKCS#11 says the default is false.
- * for backward compatability, will default to TRUE
*/
/* Dont need profile id creating session only objects */
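Review bot: With the `CKR_TEMPLATE_INCOMPLETE` branch removed, a template that omits CKA_TOKEN now yields `_token == FALSE` for every object class, not only CKO_SECRET_KEY, so callers that relied on the old default no longer get a token object. The code that acts on `_token` lies below this hunk; it should be confirmed that it refuses, rather than silently accepts, session-only creation for classes the module does not keep as session objects. The surviving comment still opens with `TODO The previous code does not check for CKA_TOKEN=TRUE`, which no longer names anything left to do. Something like `/* CKA_TOKEN defaults to FALSE per PKCS#11; a missing attribute means a session object */` would document the new rule.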
@@ -2358,7 +2354,7 @@ kpgen_done:
return rv;
}
-#endif
+//DEE #endif
static CK_RV pkcs15_skey_destroy(struct sc_pkcs11_session *session, void
*object)
{
struct pkcs15_data_object *obj = (struct pkcs15_data_object*) object;
@@ -2388,9 +2384,9 @@ static CK_RV pkcs15_skey_destroy(struct sc_pkcs11_session
*session, void *object
static CK_RV pkcs15_any_destroy(struct sc_pkcs11_session *session, void
*object)
{
-#ifndef USE_PKCS15_INIT
- return CKR_FUNCTION_NOT_SUPPORTED;
-#else
+//DEE #ifndef USE_PKCS15_INIT
+//DEE return CKR_FUNCTION_NOT_SUPPORTED;
+//DEE #else
struct pkcs15_data_object *obj = (struct pkcs15_data_object*) object;
struct pkcs15_any_object *any_obj = (struct pkcs15_any_object*) object;
struct sc_pkcs11_card *card = session->slot->card;
@@ -2426,7 +2422,7 @@ static CK_RV pkcs15_any_destroy(struct sc_pkcs11_session
*session, void *object)
return sc_to_cryptoki_error(rv, "C_DestroyObject");
return CKR_OK;
-#endif
+//DEE #endif
}
@@ -2452,12 +2448,14 @@ struct sc_pkcs11_framework_ops framework_pkcs15 = {
NULL, /* init_token */
#ifdef USE_PKCS15_INIT
pkcs15_init_pin,
+#else
+ NULL,
+#endif
pkcs15_create_object,
+#ifdef USE_PKCS15_INIT
pkcs15_gen_keypair,
#else
NULL,
- NULL,
- NULL,
#endif
pkcs15_get_random
};
@@ -2466,9 +2464,9 @@ static CK_RV pkcs15_set_attrib(struct sc_pkcs11_session
*session,
struct sc_pkcs15_object *p15_object,
CK_ATTRIBUTE_PTR attr)
{
-#ifndef USE_PKCS15_INIT
+//DEE #ifndef USE_PKCS15_INIT
return CKR_FUNCTION_NOT_SUPPORTED;
-#else
+//DEE #else
struct sc_profile *profile = NULL;
struct sc_pkcs11_card *p11card = session->slot->card;
struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *)
p11card->fw_data;
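Review bot: `return CKR_FUNCTION_NOT_SUPPORTED;` is left active here, because only the `#ifndef` and `#else` lines around it were turned into `//DEE` comments. `pkcs15_set_attrib` therefore returns before any of its body runs in every build, and the declarations that follow are unreachable. The matching change in `pkcs15_any_destroy` did comment the return out (`//DEE return CKR_FUNCTION_NOT_SUPPORTED;`). Remove the line here as well, or keep the original `#ifndef USE_PKCS15_INIT` / `#else` pair if attribute updates are meant to stay conditional. The function body continues past this hunk.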
@@ -2516,7 +2514,7 @@ set_attr_done:
sc_unlock(p11card->card);
return rv;
-#endif
+//DEE #endif
}
/*
@@ -3914,6 +3912,11 @@ static int register_ec_mechanisms(struct sc_pkcs11_card
*p11card, int flags,
if (rc != CKR_OK)
return rc;
+ /* PKCS#11 may try and create ephemeral session keys if this
+ * flag is set. Some cards might be able to do this, but not
+ * most
+ */
+
if (flags & SC_ALGORITHM_ONBOARD_KEY_GEN) {
mech_info.flags = CKF_HW | CKF_GENERATE_KEY_PAIR;
mech_info.flags |= ec_flags;
diff --git a/src/pkcs11/sc-pkcs11.h b/src/pkcs11/sc-pkcs11.h
index 84e4dfe..1367a17 100644
--- a/src/pkcs11/sc-pkcs11.h
+++ b/src/pkcs11/sc-pkcs11.h
@@ -60,7 +60,7 @@ extern CK_RV C_UnloadModule(void *module);
/* Decide whether to use pkcs11 for initialization support */
#ifdef ENABLE_OPENSSL
-#define USE_PKCS15_INIT
+#define USE_PKCS15_INIT_DEE_TEST_WITHOUT
#endif
#ifdef __cplusplus
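Review bot: Renaming the define to `USE_PKCS15_INIT_DEE_TEST_WITHOUT` means `USE_PKCS15_INIT` is never defined, even when `ENABLE_OPENSSL` is set. The ops table in framework-pkcs15.c then falls back to `NULL` for `pkcs15_init_pin` and `pkcs15_gen_keypair` in all builds. This reads as a local test switch and should not be part of the change that gets merged. Restore `#define USE_PKCS15_INIT` and exercise the no-OpenSSL path by building without `ENABLE_OPENSSL` instead.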