Commit Graph

1213 Commits

Author SHA1 Message Date
Gabriel Kihlman 5baf9347e1 Check return value of strdup 2019-02-20 16:02:19 +01:00
Klas Lindfors 2581c0b3c3 bump openssl version and don't include check binaries 2019-02-18 13:52:16 +01:00
Alessio Di Mauro 1d6ed20182 Merge PR#183 2019-02-15 16:05:38 +01:00
Klas Lindfors e4e3137556 tool: fix selfsigned extensions
previous code was on the naive side
2019-02-15 15:46:13 +01:00
Alessio Di Mauro 6264c6a578 Merge PR #182 2019-02-15 13:34:45 +01:00
Klas Lindfors 7ecb5fe0b8 tool: add extensions for selfsigned certificates to match openssl
this adds subjectKeyIdentifier, authorityKeyIdentifier and
basicConstraints (CA:TRUE) for selfsigned certificates to match with
openssl req
2019-02-15 12:59:38 +01:00
Alessio Di Mauro 5749371432 ykcs11: use a large enough buffer when writing EC signatures 2019-01-07 11:03:52 +01:00
Klas Lindfors 8b38f0c079 Merge branch 'pr-178' 2019-01-02 08:50:49 +01:00
Stacey Sheldon 811ddbb22d CHUID: fix the encoding of the FASC-N data element in the CHUID
This is the hard-coded FASC-N field being used by yubico-piv-tool
  [9999-9999-999999-0-1-0000000000300001]
  S9999F9999F999999F0F1F0000000000300001E

It should be encoded as this sequence of 5-bit values
 11010 (SS)
   10011 10011 10011 10011 (9999)
 10110 (FS)
   10011 10011 10011 10011 (9999)
 10110 (FS)
   10011 10011 10011 10011 10011 10011 (999999)
 10110 (FS)
   00001 (0)
 10110 (FS)
   10000 (1)
 10110 (FS)
   00001 00001 00001 00001 00001 00001 00001 00001 00001 00001 (0000000000)
   11001 (3)
   00001 00001 00001 00001 (0000)
   10000 (1)
 11111 (ES)
 01011 (LRC)

This packs into this 25-byte (200-bit) sequence of hex bytes:
 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08
 42 10 84 21 c8 42 10 c3 eb
2019-01-01 01:43:51 -05:00
Stacey Sheldon 421469b220 FASC-N: correct encoding of the packed 4-bit decimal format with odd parity
The BCD digits in the FASC-N credential are sent lsb first followed by an
odd parity.  Since this perl script is simply packing the bits in their
expected order, the encodings should exactly match figure 7 in
"Technical Implementation Guidance: Smart Card Enabled Physical Access
Control Systems Version 2.2".
2019-01-01 01:23:55 -05:00
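The two FASC-N commits above (the CHUID encoding fix and the packed 4-bit decimal/odd-parity fix) describe the layout in prose and bit diagrams. The following is an added example, not yubico-piv-tool code and not the perl script the second message mentions: it builds each 5-bit character exactly as the first message lays it out (four data bits least-significant first, then an odd-parity bit), XORs the data nibbles for the LRC, packs the 40 characters most-significant bit first, and reproduces the 25 bytes quoted in that message. A decoder checks every parity bit and the LRC, which is the validation a reader of the CHUID should apply before trusting the field values. The field widths and the sentinel values are those of the FASC-N track layout; the dashed input form is the one written in the message.

```python
"""Added example, not yubico-piv-tool code: FASC-N packing as 5-bit BCD
characters with odd parity, checked against the bytes quoted in the commit."""

# 4-bit values of the control characters in the FASC-N track layout
SS, FS, ES = 0xB, 0xD, 0xF

# Digit widths of the nine fields in track order: agency code, system code,
# credential number, CS, ICI, PI, OC, OI, POA. PI..POA are written back to
# back with no FS between them, so the dashed form has only six groups.
FIELD_WIDTHS = (4, 4, 6, 1, 1, 10, 1, 4, 1)

# The 25 bytes the commit message gives for 9999-9999-999999-0-1-0000000000300001
EXPECTED_FROM_COMMIT = bytes.fromhex(
    "d4e739da739ced39ce739d836858210842108421c84210c3eb")


def bcd_char(nibble):
    """5-bit character for a 4-bit value: data bits least-significant first, then odd parity."""
    bits = [(nibble >> i) & 1 for i in range(4)]
    bits.append(1 - (sum(bits) & 1))          # parity bit makes the count of 1s odd
    return bits


def fascn_nibbles(dashed):
    """Expand '9999-9999-999999-0-1-0000000000300001' into the 4-bit values SS..ES (no LRC)."""
    groups = dashed.split("-")
    if len(groups) != 6 or not all(g.isdigit() for g in groups):
        raise ValueError("FASC-N must be six dash-separated decimal groups")
    tail = groups[5]
    if len(tail) != 16:
        raise ValueError("last group must be PI(10)+OC(1)+OI(4)+POA(1) = 16 digits")
    fields = groups[:5] + [tail[:10], tail[10:11], tail[11:15], tail[15:]]
    for field, width in zip(fields, FIELD_WIDTHS):
        if len(field) != width:
            raise ValueError(f"field {field!r} must be {width} digits")
    seq = [SS]
    for i, field in enumerate(fields):
        seq += [int(c) for c in field]
        if i < 5:                              # FS after agency, system, credential, CS, ICI
            seq.append(FS)
    seq.append(ES)
    return seq


def encode_fascn(dashed):
    """Append the LRC and pack the 40 characters into 25 bytes, most-significant bit first."""
    nibbles = fascn_nibbles(dashed)
    lrc = 0
    for n in nibbles:                          # LRC is the XOR of every data nibble SS..ES
        lrc ^= n
    nibbles.append(lrc)
    bits = [b for n in nibbles for b in bcd_char(n)]
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def decode_fascn(data):
    """Unpack 25 bytes into 40 nibbles, rejecting any parity error or LRC mismatch."""
    if len(data) != 25:
        raise ValueError("packed FASC-N is 25 bytes")
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    nibbles = []
    for pos in range(0, 200, 5):
        ch = bits[pos:pos + 5]
        if sum(ch) % 2 == 0:
            raise ValueError(f"parity error in character {pos // 5}")
        nibbles.append(sum(b << i for i, b in enumerate(ch[:4])))
    lrc = 0
    for n in nibbles[:-1]:
        lrc ^= n
    if lrc != nibbles[-1]:
        raise ValueError("LRC mismatch")
    return nibbles


def is_valid_fascn(data):
    """True when every character has odd parity and the LRC matches."""
    try:
        decode_fascn(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    packed = encode_fascn("9999-9999-999999-0-1-0000000000300001")
    print(packed.hex())                        # d4e739da739ced39ce739d836858210842108421c84210c3eb
    print(packed == EXPECTED_FROM_COMMIT)      # True
    print(decode_fascn(packed)[-1] == 0xA)     # True: the LRC character 01011 from the message
```

The LRC covers the data nibbles only (parity bits excluded), from SS through ES, which is why the decoder recomputes it over `nibbles[:-1]`; a single flipped bit anywhere in the 200-bit stream trips either a parity check or the LRC.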
Klas Lindfors 79b86cf9bd fix fasc-n value of 1
relates #177
2018-12-18 09:25:05 +01:00
Klas Lindfors 5d1d044982 Merge branch 'pr-165' 2018-09-21 10:34:09 +02:00
Klas Lindfors 898b85821c ykcs11: allow the pkcs11 module to find headers from tool/
fixes #166
2018-09-18 08:38:57 +02:00
Dave Pate cbd5ba5122 libykpiv/piv-tool 1.6.3
lib: promote get_serial to base API
lib: add ykpiv_get_serial to external API
tool: add serial number/version to status command
build: fix msvc build of case-insensitive reader (missing strncasecmp and cast warnings)
lib: consolidate neo/yk4 + yk5 serial number routines
lib: fix GCC 8 compiler warnings
lib: reimplement deauthenticate to select mgmt aid
build: disable -Waggregate-return
lib: fix warning differences between gcc and msvc
lib: add option to disable implicit card transactions
lib: remove application reselect prior to crypt operations
build: fix msvc warnings wrt length checking logic fixes
lib: fix error condition logic in untransacted internal functions
lib: create internal transactionless ykpiv_transfer_data
2018-09-14 14:29:39 -07:00
Klas Lindfors 311ba9b30c bump version to 1.6.3 2018-09-14 10:04:27 +02:00
Klas Lindfors 54ed4018b2 NEWS for 1.6.2 2018-09-14 09:24:05 +02:00
Klas Lindfors a24dd0a2ee tool: for openssl 1.1 rsa signatures include hash oid
the rsa signature has to be over hash oid + message digest, dropping the
oid from the hash leads to invalid certificate requests and selfsigned
certificates.

fixes #164
2018-09-10 10:24:32 +02:00
Klas Lindfors 228a04ad73 tool: only declare the static struct once in wrap_public_key()
and make sure to just set it once for both rsa and ec
2018-09-10 10:04:46 +02:00
Klas Lindfors 696894bc68 tool: handle error conditions from signing with openssl 1.1
relates #164
2018-09-10 08:52:39 +02:00
Alessio Di Mauro d0ba708260 Merge PR #163 2018-09-07 13:58:18 +02:00
Klas Lindfors 6e51db8c80 lib: make the reader comparison case-insensitive
sadly strcasestr is a GNU/BSD extension, not part of posix so we have to
do our own thing here or do different things on different platforms.
2018-09-07 12:57:10 +02:00
Klas Lindfors 62142a1b74 bump openssl versions to 1.0.2p 2018-08-17 09:45:39 +02:00
Klas Lindfors 945a0f314d bump version to 1.6.2 2018-08-17 09:45:20 +02:00
Klas Lindfors ff12f8baf3 NEWS for 1.6.1 2018-08-17 09:22:18 +02:00
Klas Lindfors 5bbce58cee update NEWS for more changes that happened in 1.6.0 2018-08-17 09:20:36 +02:00
Klas Lindfors 23a4d008c6 finish up version bump to 1.6.1, LT_REVISION has to increase 2018-08-17 09:14:32 +02:00
Klas Lindfors 45e74cfccf tool: check length before trying to store cert in buffer
fixes #148
2018-08-16 14:49:32 +02:00
Klas Lindfors 16d539041e ykpiv: when decoding an object compare lengths correctly
the length comparison when reading an object out was messed up, this
fixes it to compare correctly.

relates #154
2018-08-16 14:25:31 +02:00
Klas Lindfors c15efbfdd7 ykpiv: fix length when encoding exactly 0xff bytes
this should be encoded as 81 ff, not 82 00 ff

relates #154
2018-08-16 14:25:14 +02:00
Klas Lindfors 7b1c8197fb Merge branch 'pr-157' 2018-08-09 10:23:52 +02:00
Jakub Jelen d613b42b0c Avoid unused variables and warnings when building against OpenSSL 1.1 2018-08-08 16:12:25 +02:00
Thordur Bjornsson 419d0da8bc Revert the configure.ac portion of c31a0425.
Bugfixes don't change the libtool versions, so revert back.
2018-08-08 15:25:09 +02:00
Thordur Bjornsson c31a042595 Bump version to 1.6.1 unreleased 2018-08-08 10:42:20 +02:00
Thordur Bjornsson 5258920cff release: 1.6.0 2018-08-06 17:31:55 +02:00
Klas Lindfors 80d47c82f0 lib: in _ykpiv_fetch_object() handle bogus length by returning
otherwise we might memmove() too much data

Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
2018-08-03 10:51:46 +02:00
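Three of the commits above sit in BER-TLV length handling: encoding exactly 0xff bytes (which must be `81 ff`, not `82 00 ff`), comparing lengths correctly when decoding an object, and refusing a bogus length in `_ykpiv_fetch_object()` rather than copying past the buffer. As an added example that is not yubico-piv-tool code, here is a small Python encoder and decoder for the length octets that handles those boundaries: the encoder picks the short form, `81 xx` or `82 xx xx` by range, and the decoder rejects truncated length octets, non-minimal encodings, and any declared length that exceeds the bytes actually received. Single-byte tags are assumed; tag 0x53 is the PIV data object tag and the sample values are constructed.

```python
"""Added example, not yubico-piv-tool code: BER-TLV length octets with the
boundary cases the commits fix (a value of exactly 0xff bytes, and a declared
length that overruns the received buffer)."""


def encode_length(n):
    """Minimal (DER-style) length octets for a value of n bytes, up to 0xffff."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])                       # short form: one octet
    if n <= 0xff:
        return bytes([0x81, n])                 # 0x80..0xff, so exactly 0xff -> 81 ff
    if n <= 0xffff:
        return bytes([0x82, n >> 8, n & 0xff])
    raise ValueError("length too large for this encoder")


def decode_length(buf, off):
    """Return (length, offset of the first value byte); reject truncated or non-minimal forms."""
    if off >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    nbytes = first & 0x7f
    if nbytes not in (1, 2):
        raise ValueError("unsupported length form 0x%02x" % first)
    if off + 1 + nbytes > len(buf):
        raise ValueError("truncated length octets")
    n = int.from_bytes(buf[off + 1:off + 1 + nbytes], "big")
    if (nbytes == 1 and n < 0x80) or (nbytes == 2 and n <= 0xff):
        raise ValueError("non-minimal length encoding")   # e.g. 82 00 ff for 255 bytes
    return n, off + 1 + nbytes


def parse_tlv(buf):
    """Parse one tag-length-value; the declared length must fit in what was received."""
    if len(buf) == 0:
        raise ValueError("empty buffer")
    tag = buf[0]
    n, off = decode_length(buf, 1)
    if off + n > len(buf):
        # the bogus-length case: without this check a copy of n bytes reads past the buffer
        raise ValueError("declared length %d exceeds the %d bytes available" % (n, len(buf) - off))
    return tag, bytes(buf[off:off + n])


def build_tlv(tag, value):
    """Encode a single-byte tag, minimal length octets and the value."""
    return bytes([tag]) + encode_length(len(value)) + value


def is_well_formed_tlv(buf):
    """True if parse_tlv accepts buf without error."""
    try:
        parse_tlv(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample: a value of exactly 0xff bytes under tag 0x53
    obj = build_tlv(0x53, b"\xaa" * 0xff)
    print(obj[:3].hex())                                # 5381ff
    print(parse_tlv(obj) == (0x53, b"\xaa" * 0xff))     # True
    # the same value with its length claimed as 0x200 bytes: rejected, not over-read
    bogus = bytes([0x53, 0x82, 0x02, 0x00]) + b"\xaa" * 0xff
    print(is_well_formed_tlv(bogus))                    # False
```

The length comparison in `parse_tlv` is made against the bytes actually present, never against the value the peer declared; a card or a man-in-the-middle that claims a larger object than it sends gets an error rather than a read beyond the receive buffer.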
Klas Lindfors 01a127a44a lib: in ykpiv_transfer_data() handle overflow by exiting
this is detected and printed, but we never exit the function

Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
2018-08-03 10:51:00 +02:00
Alessio Di Mauro 5877998f03 ykcs11: ignore more attributes when creating objects 2018-05-15 11:45:00 +02:00
Alessio Di Mauro bdfe49f223 Make slot 9e private so that OpenSSL can ask for a PIN 2018-05-09 16:34:08 +02:00
Alessio Di Mauro 3758cecdd9 Remove 384 from the supported lengths for EC key generation in ykcs11
Closes #149
2018-05-07 13:35:05 +02:00
Alessio Di Mauro 7533e7fb56 Ignore CKA_PRIVATE in ykcs11
Newer versions of pkcs11-tool set the CKA_PRIVATE attribute during
generation, making the operation fail. The attribute is now ignored.
2018-05-03 10:20:02 +02:00
Alessio Di Mauro 15aef8957d Update key generation in ykcs11 to work with OpenSSL 1.1
Manually setting a signature for a certificate is not possible in
OpenSSL 1.1 because some of the structs have become opaque. Use
X509_sign() with a bogus key instead.
2018-05-03 10:20:00 +02:00
Klas Lindfors 0bae4b53ce Merge branch 'pr-144' 2018-03-25 17:36:12 +02:00
James Alseth 9d8f8f3f2b Fixed slot argument error in attestation verification example. 2018-03-23 14:53:27 -07:00
Alessio Di Mauro a2005eac92 Add check as a dependency to the Vagrant provision script
Closes #142.
2018-03-19 09:08:10 +01:00
Trevor Bentley b4201cb605 Merge pull request #139 from notdpate/master
Libykpiv ROCA mitigation changes for PIV tool/Minidriver - Release 1.5.2
2018-03-06 12:46:46 +00:00
Dave Pate 7aa8228985 Release 1.5.2
Bump libtool version
2018-03-05 14:17:47 -08:00
Dave Pate 775eaacc9f Merge upstream master commits 2018-03-05 11:32:25 -08:00
Dave Pate b98f97ef62 Fixes linux/osx build warnings
Clarify logic for configuration file
2018-03-05 11:28:52 -08:00
Trevor Bentley 8b99accf58 Merge pull request #138 from Jakuje/master
Compiler warnings and compatibility with older check versions
2018-02-27 15:00:09 +00:00
Jakub Jelen bbd92009fc libcheck 0.9 compatibility for RHEL7 2018-02-27 15:40:31 +01:00