diff options
| author | Damien Miller <djm@mindrot.org> | 2003-08-25 10:58:26 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-08-25 10:58:26 +1000 |
| commit | 331b6af8fa96417cf126383de7e2ed024b7c7e2c (patch) | |
| tree | bda5850adf634e48f0d3cf6ce62a9e3271649542 | |
| parent | 49d32566c26005364958a87b16857ec5073739bf (diff) | |
- (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
larsch@trustcenter.de
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | scard-opensc.c | 24 |
2 files changed, 25 insertions, 5 deletions
| @@ -1,3 +1,7 @@ | |||
| 1 | 20030825 | ||
| 2 | - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from | ||
| 3 | larsch@trustcenter.de | ||
| 4 | |||
| 1 | 20030822 | 5 | 20030822 |
| 2 | - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal | 6 | - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal |
| 3 | -lbroken; ok dtucker | 7 | -lbroken; ok dtucker |
| @@ -851,4 +855,4 @@ | |||
| 851 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 855 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
| 852 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 856 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
| 853 | 857 | ||
| 854 | $Id: ChangeLog,v 1.2898 2003/08/22 08:43:48 dtucker Exp $ | 858 | $Id: ChangeLog,v 1.2899 2003/08/25 00:58:26 djm Exp $ |
diff --git a/scard-opensc.c b/scard-opensc.c index 4ab87ea8a..2489fec45 100644 --- a/scard-opensc.c +++ b/scard-opensc.c | |||
| @@ -110,7 +110,8 @@ err: | |||
| 110 | /* private key operations */ | 110 | /* private key operations */ |
| 111 | 111 | ||
| 112 | static int | 112 | static int |
| 113 | sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out) | 113 | sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out, |
| 114 | unsigned int usage) | ||
| 114 | { | 115 | { |
| 115 | int r; | 116 | int r; |
| 116 | struct sc_priv_data *priv; | 117 | struct sc_priv_data *priv; |
| @@ -130,7 +131,8 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out) | |||
| 130 | goto err; | 131 | goto err; |
| 131 | } | 132 | } |
| 132 | } | 133 | } |
| 133 | r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj); | 134 | r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, |
| 135 | usage, &key_obj); | ||
| 134 | if (r) { | 136 | if (r) { |
| 135 | error("Unable to find private key from SmartCard: %s", | 137 | error("Unable to find private key from SmartCard: %s", |
| 136 | sc_strerror(r)); | 138 | sc_strerror(r)); |
| @@ -176,6 +178,9 @@ err: | |||
| 176 | return -1; | 178 | return -1; |
| 177 | } | 179 | } |
| 178 | 180 | ||
| 181 | #define SC_USAGE_DECRYPT SC_PKCS15_PRKEY_USAGE_DECRYPT | \ | ||
| 182 | SC_PKCS15_PRKEY_USAGE_UNWRAP | ||
| 183 | |||
| 179 | static int | 184 | static int |
| 180 | sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, | 185 | sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, |
| 181 | int padding) | 186 | int padding) |
| @@ -185,7 +190,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, | |||
| 185 | 190 | ||
| 186 | if (padding != RSA_PKCS1_PADDING) | 191 | if (padding != RSA_PKCS1_PADDING) |
| 187 | return -1; | 192 | return -1; |
| 188 | r = sc_prkey_op_init(rsa, &key_obj); | 193 | r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT); |
| 189 | if (r) | 194 | if (r) |
| 190 | return -1; | 195 | return -1; |
| 191 | r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, | 196 | r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, |
| @@ -201,6 +206,9 @@ err: | |||
| 201 | return -1; | 206 | return -1; |
| 202 | } | 207 | } |
| 203 | 208 | ||
| 209 | #define SC_USAGE_SIGN SC_PKCS15_PRKEY_USAGE_SIGN | \ | ||
| 210 | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER | ||
| 211 | |||
| 204 | static int | 212 | static int |
| 205 | sc_sign(int type, u_char *m, unsigned int m_len, | 213 | sc_sign(int type, u_char *m, unsigned int m_len, |
| 206 | unsigned char *sigret, unsigned int *siglen, RSA *rsa) | 214 | unsigned char *sigret, unsigned int *siglen, RSA *rsa) |
| @@ -209,7 +217,15 @@ sc_sign(int type, u_char *m, unsigned int m_len, | |||
| 209 | int r; | 217 | int r; |
| 210 | unsigned long flags = 0; | 218 | unsigned long flags = 0; |
| 211 | 219 | ||
| 212 | r = sc_prkey_op_init(rsa, &key_obj); | 220 | /* XXX: sc_prkey_op_init will search for a pkcs15 private |
| 221 | * key object with the sign or signrecover usage flag set. | ||
| 222 | * If the signing key has only the non-repudiation flag set | ||
| 223 | * the key will be rejected as using a non-repudiation key | ||
| 224 | * for authentication is not recommended. Note: This does not | ||
| 225 | * prevent the use of a non-repudiation key for authentication | ||
| 226 | * if the sign or signrecover flag is set as well. | ||
| 227 | */ | ||
| 228 | r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN); | ||
| 213 | if (r) | 229 | if (r) |
| 214 | return -1; | 230 | return -1; |
| 215 | /* FIXME: length of sigret correct? */ | 231 | /* FIXME: length of sigret correct? */ |