path: root/master/opensc-fix-piv-consent
Diffstat (limited to 'master/opensc-fix-piv-consent')
-rw-r--r--master/opensc-fix-piv-consent185
1 files changed, 185 insertions, 0 deletions
diff --git a/master/opensc-fix-piv-consent b/master/opensc-fix-piv-consent
new file mode 100644
index 0000000..2012f82
--- /dev/null
+++ b/master/opensc-fix-piv-consent
@@ -0,0 +1,185 @@
+diff --git a/feeds/packages/utils/opensc/patches/fix-piv-consent.patch b/feeds/packages/utils/opensc/patches/fix-piv-consent.patch
+new file mode 100644
+index 0000000..0cebec0
+--- /dev/null
++++ b/feeds/packages/utils/opensc/patches/fix-piv-consent.patch
+@@ -0,0 +1,179 @@
++commit d7d674129ec021454b5f6285a213da912a50a39f
++Author: Doug Engert <deengert@gmail.com>
++Date: Mon Apr 16 10:08:43 2018 -0500
++
++ PIV History Object Related Changes - Fixes #1330
++
++ && is replaced by || in the test of valid key references
++ for retired keys found in the Historic object.
++
++ For retired keys, the user_consent flag was being set by default.
++ Thus a C_Login(CKU_CONTEXT_SPECIFIC) would be required.
++ NIST 800-73 only requires PIN_Always on the Sign Key.
++
++ To extend the usefullnes of "retired keys" on non government
++ issued PIV-like cards, code had already been added
++ to use the certificate keyUsage flags to override the NIST
++ defined key usage flags. The NONREPUDATION flag is now used
++ to set the user_consent flag.
++
++ So rather then always requiring C_Login(CKU_CONTEXT_SPECIFIC)
++ for any retured key, the code only requires it for non government
++ cards where teh certificate has NONREPUDATION.
++
++ Changes to be committed:
++ modified: card-piv.c
++ modified: pkcs15-piv.c
++
++diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
++index 8f7c4ebb..c8b39adf 100644
++--- a/src/libopensc/card-piv.c
+++++ b/src/libopensc/card-piv.c
++@@ -2871,7 +2871,7 @@ piv_process_history(sc_card_t *card)
++ }
++ keyref = sc_asn1_find_tag(card->ctx, seq, seqlen, 0x04, &keyreflen);
++ if (!keyref || keyreflen != 1 ||
++- (*keyref < 0x82 && *keyref > 0x95)) {
+++ (*keyref < 0x82 || *keyref > 0x95)) {
++ sc_log(card->ctx, "DER problem");
++ r = SC_ERROR_INVALID_ASN1_OBJECT;
++ goto err;
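Review bot: The corrected range test `(*keyref < 0x82 || *keyref > 0x95)` carries no hint of where its bounds come from, and the same 0x82–0x95 range is duplicated as the key-reference column of the prkeys table in pkcs15-piv.c, so the two can drift apart silently. A short comment tying them together would help, e.g. `/* retired key-management key references 0x82..0x95 (NIST SP 800-73); keep in sync with the prkeys table in pkcs15-piv.c */`. The original `&&` made the test always false, so until this patch any single-byte key reference read from the History object passed validation; piv_process_history continues outside the hunk, so how keyref is consumed after this check is not visible here.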
++diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
++index 62a58123..1401ea4d 100644
++--- a/src/libopensc/pkcs15-piv.c
+++++ b/src/libopensc/pkcs15-piv.c
++@@ -528,83 +528,83 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
++ { "05", "Retired KEY MAN 1",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x82, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x82, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "06", "Retired KEY MAN 2",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x83, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x83, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "07", "Retired KEY MAN 3",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x84, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x84, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "08", "Retired KEY MAN 4",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x85, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x85, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "09", "Retired KEY MAN 5",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x86, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x86, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "10", "Retired KEY MAN 6",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x87, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x87, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "11", "Retired KEY MAN 7",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x88, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x88, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "12", "Retired KEY MAN 8",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x89, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x89, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "13", "Retired KEY MAN 9",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x8A, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x8A, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "14", "Retired KEY MAN 10",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x8B, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x8B, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "15", "Retired KEY MAN 11",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x8C, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x8C, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "16", "Retired KEY MAN 12",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x8D, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x8D, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "17", "Retired KEY MAN 13",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x8E, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x8E, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "18", "Retired KEY MAN 14",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x8F, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x8F, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "19", "Retired KEY MAN 15",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x90, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x90, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "20", "Retired KEY MAN 16",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x91, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x91, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "21", "Retired KEY MAN 17",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x92, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x92, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "22", "Retired KEY MAN 18",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x93, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x93, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "23", "Retired KEY MAN 19",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x94, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+++ "", 0x94, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
++ { "24", "Retired KEY MAN 20",
++ /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
++ /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
++- "", 0x95, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1}
+++ "", 0x95, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0}
++ };
++
++ int r, i;
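Review bot: The user_consent column for the twenty retired entries is flipped to 0, but nothing in the table records why, and the justification (NIST 800-73 requiring PIN-Always only on the Sign key) lives only in the commit message. A one-line comment above the first retired entry, `/* retired keys: user_consent 0 — NIST 800-73 only mandates PIN-Always for the Sign key; a cert keyUsage of nonRepudiation raises it again below */`, would keep the rationale next to the data it governs. The table and the struct that names this column begin before the hunk, so the column header itself is outside view.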
++@@ -1142,7 +1142,7 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
++
++ strncpy(prkey_obj.label, prkeys[i].label, SC_PKCS15_MAX_LABEL_SIZE - 1);
++ prkey_obj.flags = prkeys[i].obj_flags;
++- prkey_obj.user_consent = prkeys[i].user_consent;
+++ prkey_obj.user_consent = prkeys[i].user_consent; /* only Sign key */
++
++ if (prkeys[i].auth_id)
++ sc_pkcs15_format_id(prkeys[i].auth_id, &prkey_obj.auth_id);
++@@ -1165,6 +1165,10 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
++ case SC_ALGORITHM_RSA:
++ if(ckis[i].cert_keyUsage_present) {
++ prkey_info.usage |= ckis[i].priv_usage;
+++ /* If retired key and non gov cert has NONREPUDIATION, treat as user_consent */
+++ if (i >= 4 && (ckis[i].priv_usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION)) {
+++ prkey_obj.user_consent = 1;
+++ }
++ } else {
++ prkey_info.usage |= prkeys[i].usage_rsa;
++ }
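Review bot: The new comment `/* If retired key and non gov cert has NONREPUDIATION, treat as user_consent */` describes a government/non-government distinction that the condition below it does not make — `i >= 4 && (ckis[i].priv_usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION)` fires for any card whose retired-slot certificate carries nonRepudiation. The wording should match the check, e.g. `/* retired slot whose cert keyUsage has nonRepudiation: require the PIN per operation (user_consent), mirroring the Sign key */`. The `4` is a magic number standing for the first retired index in prkeys (the table above lists retired keys from id "05", suggesting indexes 0..3 are the four mandatory keys); a named constant or a comment such as `/* indexes 0..3 are the NIST-mandated keys; 4.. are retired slots */` would make that explicit. The else branch, where the certificate has no keyUsage extension, leaves user_consent at the table default of 0 for retired keys, which appears to be the intended behaviour but is worth stating in the comment.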
++@@ -1174,6 +1178,10 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
++ case SC_ALGORITHM_EC:
++ if (ckis[i].cert_keyUsage_present) {
++ prkey_info.usage |= ckis[i].priv_usage;
+++ /* If retired key and non gov cert has NONREPUDIATION, treat as user_consent */
+++ if (i >= 4 && (ckis[i].priv_usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION)) {
+++ prkey_obj.user_consent = 1;
+++ }
++ } else {
++ prkey_info.usage |= prkeys[i].usage_ec;
++ }
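Review bot: The nonRepudiation-to-user_consent check added in this EC case is a verbatim copy of the one added in the SC_ALGORITHM_RSA case just above, and it does not depend on the key algorithm, so it belongs once before the switch rather than in each case. Hoisting it as `if (i >= 4 && ckis[i].cert_keyUsage_present && (ckis[i].priv_usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION)) prkey_obj.user_consent = 1;` preserves behaviour and keeps RSA and EC from diverging the next time the rule changes. The switch begins and ends outside the hunk. Separately, the added file fix-piv-consent.patch appears to lack the numeric prefix other patches in OpenWrt feeds commonly carry; if the package's patch series is applied in filename order, its position relative to existing patches should be confirmed.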