Klas Lindfors
a24dd0a2ee
tool: for openssl 1.1 rsa signatures include hash oid
...
the rsa signature has to be over hash oid + message digest, dropping the
oid from the hash leads to invalid certificate requests and self-signed
certificates.
fixes #164
2018-09-10 10:24:32 +02:00
Klas Lindfors
228a04ad73
tool: only declare the static struct once in wrap_public_key()
...
and make sure to just set it once for both rsa and ec
2018-09-10 10:04:46 +02:00
Klas Lindfors
696894bc68
tool: handle error conditions from signing with openssl 1.1
...
relates #164
2018-09-10 08:52:39 +02:00
Klas Lindfors
45e74cfccf
tool: check length before trying to store cert in buffer
...
fixes #148
2018-08-16 14:49:32 +02:00
Jakub Jelen
d613b42b0c
Avoid unused variables and warnings when building against OpenSSL 1.1
2018-08-08 16:12:25 +02:00
quentin
c8372f27d7
Improve compatibility with OpenSSL 1.1.0
...
* add missing headers
* stop using deprecated APIs
2018-02-26 02:43:41 +01:00
Trevor Bentley
74e1a0885c
Merge pull request #136 from jmyreen/openssl-1.1-fixes
...
Fixed some bugs in the port to Openssl-1.1:
2018-01-02 13:24:53 +01:00
Johan Myréen
b0210e0710
Fixed some bugs in the port to Openssl-1.1:
...
- wrap_public_key() passed the address of the local stack variable
internal_key to RSA_meth_set0_data(), which was used long after
wrap_public_key() had returned. Changed to static.
- The callback functions yk_rsa_meth_sign and yk_ec_meth_sign 'siglen'
parameter has type (unsigned int *), which was cast to (size_t *)
before it was used to write a value in the caller's memory
space. This caused stack corruption on machines where size_t is
bigger than unsigned int.
- The callback function's 'siglen' parameter is output-only, not
in-out. The input value was assumed to contain the maximum size of
the output buffer as input, and a bogus value was compared to the
amount of data received from the token in function
_general_authenticate(). Changed to pass in the values returned by
RSA_size(rsa) and ECDSA_size(ec), which Openssl specifies as minimum
buffer sizes.
- The callback functions' return values were swapped; fixed to return
1 on success, 0 on failure.
2017-12-30 22:08:09 +02:00
Aloz1
866b6b1d9d
Added checks to allow building against LibreSSL
...
It seems that when OpenSSL 1.1.0 support was added, LibreSSL was broken
due to the way version checking was done. This adds extra checks for
LIBRESSL_VERSION_NUMBER where applicable.
2017-12-29 14:38:37 +11:00
Trevor Bentley
7ca0267ddf
Fix OpenSSL 1.1 compat layer
...
- Changes for latest ykpiv_util refactor
- Passes hw tests with openssl 1.0 and 1.1
- Passes valgrind
2017-11-21 17:08:38 +01:00
Trevor Bentley
4785e23bd1
Merge branch 'master' of https://github.com/Jakuje/yubico-piv-tool into Jakuje-master
2017-11-20 14:03:48 +01:00
Jakub Jelen
77c51a7317
Properly apply the OpenSSL version checks
2017-11-14 13:34:57 +01:00
Jakub Jelen
0a131a053d
Do not use the new API with the old OpenSSL
2017-11-14 10:54:47 +01:00
Jakub Jelen
4a847677cc
WIP:Use RSA/EC_KEY METHOD to provide X509 signatures using high-level OpenSSL API
2017-11-13 17:39:34 +01:00
Jakub Jelen
d2ffc41a6c
RAND_pseudo_bytes is deprecated in OpenSSL 1.1.0
2017-11-13 17:39:34 +01:00
Jakub Jelen
ad4e93a462
Few more OpenSSL 1.1.0 incompatibilities
2017-11-13 17:39:34 +01:00
Jakub Jelen
bd351261ec
Initial idea of openssl-1.1.0 compatibility (still missing some magic around certificates)
2017-11-13 17:39:34 +01:00
Trevor Bentley
c2f86d0a0f
Move YK4 insecure on-chip key generation prevention from yubico-piv-tool to libykpiv
2017-10-24 15:59:44 +02:00
Trevor Bentley
4c9004feeb
Remove artifact from rebase (bad local variable)
2017-10-23 16:28:57 +02:00
Trevor Bentley
90209997cc
Unit test for ykpiv_attest()
2017-10-23 16:25:53 +02:00
Trevor Bentley
5291bc4a63
Fix issue #123 - specify text/binary mode for open files
2017-10-23 16:25:50 +02:00
Trevor Bentley
79464a3d3e
Use slot enum consistently. Move slot->object translation into libykpiv.
2017-10-23 16:25:47 +02:00
Trevor Bentley
2e818dd914
Add ykpiv_util_(get/set)_cccid(), and use in yubico-piv-tool
2017-10-23 16:25:44 +02:00
Trevor Bentley
f6b817f056
Add ykpiv_attest() and use it in yubico-piv-tool
2017-10-23 16:25:38 +02:00
Trevor Bentley
248980fe27
yubico-piv-tool: use ykpiv_util_read_cert
2017-10-23 16:25:35 +02:00
Trevor Bentley
3bca63c39c
yubico-piv-tool: use ykpiv_util_delete_cert
2017-10-23 16:25:32 +02:00
Trevor Bentley
ded78751a0
Add gzip support to ykpiv_util_import_certificate(), and use in yubico-piv-tool
2017-10-23 16:25:20 +02:00
Trevor Bentley
8135a55200
yubico-piv-tool: Switch to ykpiv_set_pin_retries()
2017-10-23 16:25:17 +02:00
Trevor Bentley
ec8e2786e6
yubico-piv-tool: use ykpiv_util_reset()
2017-10-23 16:25:13 +02:00
Trevor Bentley
12f35b8884
yubico-piv-tool: use util function for key generation
2017-10-23 16:25:10 +02:00
Klas Lindfors
cd11196535
disable rsa keygen for yubikey4 before 4.3.5
...
point at https://yubi.co/ysa201701/
2017-10-16 15:32:25 +02:00
Klas Lindfors
e6a7517050
add a new hidden flag --stdin-input for straight stdin input
2017-04-18 13:05:27 +02:00
Klas Lindfors
621bad8acd
make sure to return RSA keys with ASN1_NULL as parameter
2016-08-17 10:32:04 +02:00
Simon Josefsson
89bec1260a
Improve license headers.
2016-08-12 15:30:06 +02:00
Klas Lindfors
b052250a1b
make certificate serial number random by default
2016-08-10 10:12:32 +02:00
Alessio Di Mauro
3f4cb12702
Add SSH export for RSA public key
2016-07-12 13:54:22 +02:00
Michael Scherer
24534bcfcf
Replace magic number for status word by constants
...
Most come from NIST special publication 800-73-4, section 5.6,
except one which I assume to be a custom one for yubikey.
2016-05-09 09:38:37 +02:00
Klas Lindfors
bbde9f91f9
Merge branch 'fix_typo' of ssh://github.com/mscherer/yubico-piv-tool into mscherer-fix_typo
2016-05-09 09:01:28 +02:00
Klas Lindfors
fc5e1536ef
Merge pull request #74 from mscherer/fix_constant_name
...
Fix error in the define name YKPIV_INS_GENERATE_ASYMMERTRIC
2016-05-09 08:58:39 +02:00
Klas Lindfors
b712600727
Merge pull request #71 from mscherer/small_cleanup
...
Do not repeat the size of certdata
2016-05-09 08:57:22 +02:00
Michael Scherer
ff67119447
Do not repeat the size of certdata
2016-05-05 01:11:46 +02:00
Michael Scherer
099c55e90a
Fix various error messages
2016-05-05 01:11:37 +02:00
Michael Scherer
fd9a0a324d
Fix error in the define name YKPIV_INS_GENERATE_ASYMMERTRIC
2016-05-05 01:11:33 +02:00
Michael Scherer
6e4266c886
Add YKPIV_ALGO_TAG
...
Replace the magic constant 0x80 when sending a packet to the key
2016-05-05 01:11:18 +02:00
Klas Lindfors
ebf31d73f8
Merge branch 'attestation2'
2016-05-03 09:24:14 +02:00
Klas Lindfors
b1139a516b
don't continue processing after list-readers action
...
it fell through into write-object
2016-04-22 09:41:41 +02:00
Klas Lindfors
b512077c21
enforce minimum 6 digits of pin when changing in the tool
2016-04-19 14:19:33 +02:00
Klas Lindfors
d1c454ca02
error isn't an iso error, run ykpiv_strerror() on it
2016-04-19 14:16:01 +02:00
Klas Lindfors
4c74ebdc56
actually open output_file in attest()
2016-03-17 10:21:18 +01:00
Klas Lindfors
bfc3185e9b
Merge branch 'master' into attestation2
2016-03-10 15:34:25 +01:00