Commit Graph

179 Commits

Author SHA1 Message Date
Johan Myréen b0210e0710 Fixed some bugs in the port to Openssl-1.1:
- wrap_public_key() passed the address of the local stack variable
  internal_key to RSA_meth_set0_data(), which was used long after
  wrap_public_key() had returned. Changed to static.

- The callback functions yk_rsa_meth_sign and yk_ec_meth_sign 'siglen'
  parameter has type (unisgned int *), which was cast to (size_t *)
  before it was used to write a value in the caller's memory
  space. This caused stack corruption on machines where size_t is
  bigger than unsigned int.

- The callback function's 'siglen' parameter is output-only, not
  in-out. The input value was assumed to contain the maximum size of
  the output buffer as input, and a bogus value was compared to the
  amount of data received from the token in function
  _general_authenticate(). Changed to pass in the values returned by
  RSA_size(rsa) and ECDSA_size(ec), which Openssl specifies as minimum
  buffer sizes.

- The callback functions' return values were swapped; fixed to return
  1 on success, 0 on failure.
2017-12-30 22:08:09 +02:00
Trevor Bentley 7ca0267ddf Fix OpenSSL 1.1 compat layer
- Changes for latest ykpiv_util refactor
 - Passes hw tests with openssl 1.0 and 1.1
 - Passes valgrind
2017-11-21 17:08:38 +01:00
Trevor Bentley 4785e23bd1 Merge branch 'master' of https://github.com/Jakuje/yubico-piv-tool into Jakuje-master 2017-11-20 14:03:48 +01:00
Jakub Jelen 77c51a7317 Properly apply the OpenSSL version checks 2017-11-14 13:34:57 +01:00
Jakub Jelen 0a131a053d Do not use the new API with the old OpenSSL 2017-11-14 10:54:47 +01:00
Jakub Jelen 4a847677cc WIP:Use RSA/EC_KEY METHOD to provide X509 signatures using high-level OpenSSL API 2017-11-13 17:39:34 +01:00
Jakub Jelen d2ffc41a6c RAND_pseudo_bytes is deprecated in OpenSSL 1.1.0 2017-11-13 17:39:34 +01:00
Jakub Jelen ad4e93a462 Few more OpenSSL 1.1.0 incompatibilities 2017-11-13 17:39:34 +01:00
Jakub Jelen bd351261ec Initial idea of openssl-1.1.0 compatibility (still missing some magic around certificates) 2017-11-13 17:39:34 +01:00
Trevor Bentley c2f86d0a0f Move YK4 insecure on-chip key generation prevention from yubico-piv-tool to libykpiv 2017-10-24 15:59:44 +02:00
Trevor Bentley 4c9004feeb Remove artifact from rebase (bad local variable) 2017-10-23 16:28:57 +02:00
Trevor Bentley 90209997cc Unit test for ykpiv_attest() 2017-10-23 16:25:53 +02:00
Trevor Bentley 5291bc4a63 Fix issue #123 - specify text/binary mode for open files 2017-10-23 16:25:50 +02:00
Trevor Bentley 79464a3d3e Use slot enum consistently. Move slot->object translation into libykpiv. 2017-10-23 16:25:47 +02:00
Trevor Bentley 2e818dd914 Add ykpiv_util_(get/set)_cccid(), and use in yubico-piv-tool 2017-10-23 16:25:44 +02:00
Trevor Bentley f6b817f056 Add ykpiv_attest() and use it in yubico-piv-tool 2017-10-23 16:25:38 +02:00
Trevor Bentley 248980fe27 yubico-piv-tool: use ykpiv_util_read_cert 2017-10-23 16:25:35 +02:00
Trevor Bentley 3bca63c39c yubico-piv-tool: use ykpiv_util_delete_cert 2017-10-23 16:25:32 +02:00
Trevor Bentley ded78751a0 Add gzip support to ykpiv_util_import_certificate(), and use in yubico-piv-tool 2017-10-23 16:25:20 +02:00
Trevor Bentley 8135a55200 yubico-piv-tool: Switch to ykpiv_set_pin_retries() 2017-10-23 16:25:17 +02:00
Trevor Bentley ec8e2786e6 yubico-piv-tool: use ykpiv_util_reset() 2017-10-23 16:25:13 +02:00
Trevor Bentley 12f35b8884 yubico-piv-tool: use util function for key generation 2017-10-23 16:25:10 +02:00
Klas Lindfors cd11196535 disable rsa keygen for yubikey4 before 4.3.5
point at https://yubi.co/ysa201701/
2017-10-16 15:32:25 +02:00
Klas Lindfors e6a7517050 add a new hidden flag --stdin-input for straight stdin input 2017-04-18 13:05:27 +02:00
Klas Lindfors 621bad8acd make sure to return RSA keys with ASN1_NULL as parameter 2016-08-17 10:32:04 +02:00
Simon Josefsson 89bec1260a Improve license headers. 2016-08-12 15:30:06 +02:00
Klas Lindfors b052250a1b make certificate serial number random by default 2016-08-10 10:12:32 +02:00
Alessio Di Mauro 3f4cb12702 Add SSH export for RSA public key 2016-07-12 13:54:22 +02:00
Michael Scherer 24534bcfcf Replace magic number for status word by constants
Most come from NIST special publication 800-73-4, section 5.6,
except one which I assume to be a custom one for yubikey.
2016-05-09 09:38:37 +02:00
Klas Lindfors bbde9f91f9 Merge branch 'fix_typo' of ssh://github.com/mscherer/yubico-piv-tool into mscherer-fix_typo 2016-05-09 09:01:28 +02:00
Klas Lindfors fc5e1536ef Merge pull request #74 from mscherer/fix_constant_name
Fix error in the define name YKPIV_INS_GENERATE_ASYMMERTRIC
2016-05-09 08:58:39 +02:00
Klas Lindfors b712600727 Merge pull request #71 from mscherer/small_cleanup
Do not repeat the size of certdata
2016-05-09 08:57:22 +02:00
Michael Scherer ff67119447 Do not repeat the size of certdata 2016-05-05 01:11:46 +02:00
Michael Scherer 099c55e90a Fix various errors messages 2016-05-05 01:11:37 +02:00
Michael Scherer fd9a0a324d Fix error in the define name YKPIV_INS_GENERATE_ASYMMERTRIC 2016-05-05 01:11:33 +02:00
Michael Scherer 6e4266c886 Add YKPIV_ALGO_TAG
Replace the magic constant 0x80 when sending a packet to the key
2016-05-05 01:11:18 +02:00
Klas Lindfors ebf31d73f8 Merge branch 'attestation2' 2016-05-03 09:24:14 +02:00
Klas Lindfors b1139a516b don't continue processing after list-readers action
it fell through into write-object
2016-04-22 09:41:41 +02:00
Klas Lindfors b512077c21 enforce minimum 6 digits of pin when changing in the tool 2016-04-19 14:19:33 +02:00
Klas Lindfors d1c454ca02 error isn't an iso error, run ykpiv_strerror() on it 2016-04-19 14:16:01 +02:00
Klas Lindfors 4c74ebdc56 actually open output_file in attest() 2016-03-17 10:21:18 +01:00
Klas Lindfors bfc3185e9b Merge branch 'master' into attestation2 2016-03-10 15:34:25 +01:00
Klas Lindfors 53667a22b0 Move asking for PKCS12 password outside of import_key()
also restructure a bit when deciding to do authentication

relates #66
2016-02-15 09:24:36 +01:00
Klas Lindfors d3a75cc6ee Merge pull request #65 from mattmoyer/add-self-signed-cert-options
Add options for configuring self-signed certs.
2016-02-15 08:48:19 +01:00
Klas Lindfors a233ff53ae if the password supplied for PKCS12 doesn't verify ask for a new one
or if it's NULL and the mac doesn't verify with that either..

fixes #66
2016-02-15 08:43:45 +01:00
Matt Moyer d39b697d49 Drop const from these these int parameters. 2016-02-12 09:01:12 -06:00
Matt Moyer f91cf3379a Add a --serial parameter to yubico-piv-tool.
Allows the serial number of self signed certificates to be configured.
2016-02-10 17:40:12 -06:00
Matt Moyer 98f843e7e7 Add a --valid-days parameter to yubico-piv-tool.
Allows the expiration date (notAfter) value of self signed certificates to be configured.
2016-02-10 17:35:21 -06:00
Alessio Di Mauro b08de95597 Remove some clutter. 2015-12-24 10:50:36 +01:00
Alessio Di Mauro ecfc71fab0 Print CCC with status action. Relates to #57. 2015-12-24 10:50:05 +01:00