diff options
Diffstat (limited to 'scard-opensc.c')
-rw-r--r-- | scard-opensc.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/scard-opensc.c b/scard-opensc.c index 4ab87ea8a..2489fec45 100644 --- a/scard-opensc.c +++ b/scard-opensc.c | |||
@@ -110,7 +110,8 @@ err: | |||
110 | /* private key operations */ | 110 | /* private key operations */ |
111 | 111 | ||
112 | static int | 112 | static int |
113 | sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out) | 113 | sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out, |
114 | unsigned int usage) | ||
114 | { | 115 | { |
115 | int r; | 116 | int r; |
116 | struct sc_priv_data *priv; | 117 | struct sc_priv_data *priv; |
@@ -130,7 +131,8 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out) | |||
130 | goto err; | 131 | goto err; |
131 | } | 132 | } |
132 | } | 133 | } |
133 | r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj); | 134 | r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, |
135 | usage, &key_obj); | ||
134 | if (r) { | 136 | if (r) { |
135 | error("Unable to find private key from SmartCard: %s", | 137 | error("Unable to find private key from SmartCard: %s", |
136 | sc_strerror(r)); | 138 | sc_strerror(r)); |
@@ -176,6 +178,9 @@ err: | |||
176 | return -1; | 178 | return -1; |
177 | } | 179 | } |
178 | 180 | ||
181 | #define SC_USAGE_DECRYPT SC_PKCS15_PRKEY_USAGE_DECRYPT | \ | ||
182 | SC_PKCS15_PRKEY_USAGE_UNWRAP | ||
183 | |||
179 | static int | 184 | static int |
180 | sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, | 185 | sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, |
181 | int padding) | 186 | int padding) |
@@ -185,7 +190,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, | |||
185 | 190 | ||
186 | if (padding != RSA_PKCS1_PADDING) | 191 | if (padding != RSA_PKCS1_PADDING) |
187 | return -1; | 192 | return -1; |
188 | r = sc_prkey_op_init(rsa, &key_obj); | 193 | r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT); |
189 | if (r) | 194 | if (r) |
190 | return -1; | 195 | return -1; |
191 | r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, | 196 | r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, |
@@ -201,6 +206,9 @@ err: | |||
201 | return -1; | 206 | return -1; |
202 | } | 207 | } |
203 | 208 | ||
209 | #define SC_USAGE_SIGN SC_PKCS15_PRKEY_USAGE_SIGN | \ | ||
210 | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER | ||
211 | |||
204 | static int | 212 | static int |
205 | sc_sign(int type, u_char *m, unsigned int m_len, | 213 | sc_sign(int type, u_char *m, unsigned int m_len, |
206 | unsigned char *sigret, unsigned int *siglen, RSA *rsa) | 214 | unsigned char *sigret, unsigned int *siglen, RSA *rsa) |
@@ -209,7 +217,15 @@ sc_sign(int type, u_char *m, unsigned int m_len, | |||
209 | int r; | 217 | int r; |
210 | unsigned long flags = 0; | 218 | unsigned long flags = 0; |
211 | 219 | ||
212 | r = sc_prkey_op_init(rsa, &key_obj); | 220 | /* XXX: sc_prkey_op_init will search for a pkcs15 private |
221 | * key object with the sign or signrecover usage flag set. | ||
222 | * If the signing key has only the non-repudiation flag set | ||
223 | * the key will be rejected as using a non-repudiation key | ||
224 | * for authentication is not recommended. Note: This does not | ||
225 | * prevent the use of a non-repudiation key for authentication | ||
226 | * if the sign or signrecover flag is set as well. | ||
227 | */ | ||
228 | r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN); | ||
213 | if (r) | 229 | if (r) |
214 | return -1; | 230 | return -1; |
215 | /* FIXME: length of sigret correct? */ | 231 | /* FIXME: length of sigret correct? */ |