Commit Graph

1273 Commits

Author SHA1 Message Date
Dave Pate 28189201a4 lib: use secure zero memory platform functions 2019-04-03 09:45:49 +02:00
Dave Pate 2e72c8f85c lib: resolves potential reads of uninitialized data 2019-04-03 09:45:44 +02:00
pedro martelletto 9a72ec1ba1 doc: set LC_CTYPE=C; fixes ef81d164 on MacOS 2019-03-07 07:50:08 +01:00
Alessio Di Mauro 33a10a5adb Merge pull request #187 from Yubico/pvs_remove_warnings
Remove some warnings
2019-03-06 15:27:40 +01:00
Gabriel Kihlman bc2f161c51 Initialize buf to 0 to make a code scanner happy 2019-03-06 15:16:56 +01:00
Gabriel Kihlman f60d2d4ff8 Do not assign variable twice 2019-03-06 14:32:42 +01:00
Gabriel Kihlman 3f7f2b633b Remove duplicate check on op_info.type != YKCS11_SIGN 2019-03-06 14:31:04 +01:00
Klas Lindfors 1f8a759894 Merge branch 'pr-186' 2019-03-05 08:16:44 +01:00
pedro martelletto ef81d16465 doc: rely on /dev/urandom's distribution to generate secrets
as per https://github.com/Yubico/developers.yubico.com/issues/87
2019-03-05 07:58:09 +01:00
Alessio Di Mauro bc72c7378f Merge PR#184 2019-02-20 16:09:32 +01:00
Gabriel Kihlman 5baf9347e1 Check return value of strdup 2019-02-20 16:02:19 +01:00
Klas Lindfors 2581c0b3c3 bump openssl version and don't include check binaries 2019-02-18 13:52:16 +01:00
Alessio Di Mauro 1d6ed20182 Merge PR#183 2019-02-15 16:05:38 +01:00
Klas Lindfors e4e3137556 tool: fix selfsigned extensions
previous code was on the naive side
2019-02-15 15:46:13 +01:00
Alessio Di Mauro 6264c6a578 Merge PR #182 2019-02-15 13:34:45 +01:00
Klas Lindfors 7ecb5fe0b8 tool: add extensions for selfsigned certificates to match openssl
this adds subjectKeyIdentifier, authorityKeyIdentifier and
basicConstraints (CA:TRUE) for selfsigned certificates to match with
openssl req
2019-02-15 12:59:38 +01:00
Alessio Di Mauro 5749371432 ykcs11: use a large enough buffer when writing EC signatures 2019-01-07 11:03:52 +01:00
Klas Lindfors 8b38f0c079 Merge branch 'pr-178' 2019-01-02 08:50:49 +01:00
Stacey Sheldon 811ddbb22d CHUID: fix the encoding of the FASC-N data element in the CHUID
This is the hard-coded FASC-N field being used by yubico-piv-tool
  [9999-9999-999999-0-1-0000000000300001]
  S9999F9999F999999F0F1F0000000000300001E

It should be encoded as this sequence of 5-bit values
 11010 (SS)
   10011 10011 10011 10011 (9999)
 10110 (FS)
   10011 10011 10011 10011 (9999)
 10110 (FS)
   10011 10011 10011 10011 10011 10011 (999999)
 10110 (FS)
   00001 (0)
 10110 (FS)
   10000 (1)
 10110 (FS)
   00001 00001 00001 00001 00001 00001 00001 00001 00001 00001 (0000000000)
   11001 (3)
   00001 00001 00001 00001 (0000)
   10000 (1)
 11111 (ES)
 01011 (LRC)

This packs into this 25-byte (200-bit) sequence of hex bytes:
 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08
 42 10 84 21 c8 42 10 c3 eb
2019-01-01 01:43:51 -05:00
Stacey Sheldon 421469b220 FASC-N: correct encoding of the packed 4-bit decimal format with odd parity
The BCD digits in the FASC-N credential are sent lsb first followed by an
odd parity.  Since this perl script is simply packing the bits in their
expected order, the encodings should exactly match figure 7 in
"Technical Implementation Guidance: Smart Card Enabled Physical Access
Control Systems Version 2.2".
2019-01-01 01:23:55 -05:00
Klas Lindfors 79b86cf9bd fix fasc-n value of 1
relates #177
2018-12-18 09:25:05 +01:00
Klas Lindfors 5d1d044982 Merge branch 'pr-165' 2018-09-21 10:34:09 +02:00
Klas Lindfors 898b85821c ykcs11: allow the pkcs11 module to find headers from tool/
fixes #166
2018-09-18 08:38:57 +02:00
Dave Pate cbd5ba5122 libykpiv/piv-tool 1.6.3
lib: promote get_serial to base API
lib: add ykpiv_get_serial to external API
tool: add serial number/version to status command
build: fix msvc build of case insensitive-reader (missing strncasecmp and cast warnings)
lib: consolidate neo/yk4 + yk5 serial number routines
lib: fix GCC 8 compilier warnings
lib: reimplement deauthenticate to select mgmt aid
build: disable -Waggregate-return
lib: fix warning differences between gcc and msvc
lib: add option to disable implicit card transactions
lib: remove application reselect prior to crypt operations
build: fix msvc warnings wrt length checking logic fixes
lib: fix error condition logic in untransacted internal functions
lib: create internal transactionless ykpiv_transfer_data
2018-09-14 14:29:39 -07:00
Klas Lindfors 311ba9b30c bump version to 1.6.3 2018-09-14 10:04:27 +02:00
Klas Lindfors 54ed4018b2 NEWS for 1.6.2 2018-09-14 09:24:05 +02:00
Klas Lindfors a24dd0a2ee tool: for openssl 1.1 rsa signatures include hash oid
the rsa signature has to be over hash oid + message digest, dropping the
oid from the hash leads to invalid certificate requests and selfsigned
certificates.

fixes #164
2018-09-10 10:24:32 +02:00
Klas Lindfors 228a04ad73 tool: only declare the static struct once in wrap_public_key()
and make sure to just set it once for both rsa and ec
2018-09-10 10:04:46 +02:00
Klas Lindfors 696894bc68 tool: handle error conditions from signing with openssl 1.1
relates #164
2018-09-10 08:52:39 +02:00
Alessio Di Mauro d0ba708260 Merge PR #163 2018-09-07 13:58:18 +02:00
Klas Lindfors 6e51db8c80 lib: make the reader comparison case-insensitive
sadly strcasestr is a GNU/BSD extension, not part of posix so we have to
do our own thing here or do different things on different platforms.
2018-09-07 12:57:10 +02:00
Klas Lindfors 62142a1b74 bump openssl versions to 1.0.2p 2018-08-17 09:45:39 +02:00
Klas Lindfors 945a0f314d bump version to 1.6.2 2018-08-17 09:45:20 +02:00
Klas Lindfors ff12f8baf3 NEWS for 1.6.1 2018-08-17 09:22:18 +02:00
Klas Lindfors 5bbce58cee update NEWS for more changes that happened in 1.6.0 2018-08-17 09:20:36 +02:00
Klas Lindfors 23a4d008c6 finish up version bump to 1.6.1, LT_REVISION has to increase 2018-08-17 09:14:32 +02:00
Klas Lindfors 45e74cfccf tool: check length before trying to store cert in buffer
fixes #148
2018-08-16 14:49:32 +02:00
Klas Lindfors 16d539041e ykpiv: when decoding an object compare lengths correctly
the length comparison when reading an object out was messed up, this
fixes it to compare correctly.

relates #154
2018-08-16 14:25:31 +02:00
Klas Lindfors c15efbfdd7 ykpiv: fix length when encoding exactly 0xff bytes
this should be encoded as 81 ff, not 82 00 ff

relates #154
2018-08-16 14:25:14 +02:00
Klas Lindfors 7b1c8197fb Merge branch 'pr-157' 2018-08-09 10:23:52 +02:00
Jakub Jelen d613b42b0c Avoid unused variables and warnings when building against OpenSSL 1.1 2018-08-08 16:12:25 +02:00
Thordur Bjornsson 419d0da8bc Revert the configure.ac portion of c31a0425.
Bugfixes don't change the libtool versions, so revert back.
2018-08-08 15:25:09 +02:00
Thordur Bjornsson c31a042595 Bump version to 1.6.1 unreleased 2018-08-08 10:42:20 +02:00
Thordur Bjornsson 5258920cff release: 1.6.0 2018-08-06 17:31:55 +02:00
Klas Lindfors 80d47c82f0 lib: in _ykpiv_fetch_object() handle bogus length by returning
otherwise we might memmove() to much data

Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
2018-08-03 10:51:46 +02:00
Klas Lindfors 01a127a44a lib: in ykpiv_transfer_data() handle overflow by exiting
this is detected and printed, but we never exit the function

Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
2018-08-03 10:51:00 +02:00
Alessio Di Mauro 5877998f03 ykcs11: ignore more attributes when creating objects 2018-05-15 11:45:00 +02:00
Alessio Di Mauro bdfe49f223 Make slot 9e private so that OpenSSL can ask for a PIN 2018-05-09 16:34:08 +02:00
Alessio Di Mauro 3758cecdd9 Remove 384 from the supported lengths for EC key generation in ykcs11
Closes #149
2018-05-07 13:35:05 +02:00
Alessio Di Mauro 7533e7fb56 Ignore CKA_PRIVATE in ykcs11
Newer version of pkcs11-tool set the CKA_PRIVATE attribute during
generation making the operation fail. The attribute is now ignored.
2018-05-03 10:20:02 +02:00