Bugzilla – Attachment 1555 Details for
Bug 1498
OpenSC smartcard access should use raw public keys, not X.509 certificates
[patch]
patch so that OpenSC uses public keys instead of certificates
use-public-keys-instead-of-certs-with-opensc.patch (text/plain), 5.38 KB, created by
Daniel Kahn Gillmor
on 2008-08-01 07:46:40 AEST
Description:
patch so that OpenSC uses public keys instead of certificates
Filename:
MIME Type:
Creator:
Daniel Kahn Gillmor
Created:
2008-08-01 07:46:40 AEST
Size:
5.38 KB
patch
obsolete
>--- openssh-4.7p1/scard-opensc.c 2007-03-12 16:35:39.000000000 -0400
>+++ openssh-4.7p1.dkg/scard-opensc.c 2008-06-20 01:49:58.000000000 -0400
>@@ -28,9 +28,6 @@
>
> #include <sys/types.h>
>
>-#include <openssl/evp.h>
>-#include <openssl/x509.h>
>-
> #include <stdarg.h>
> #include <string.h>
>
>@@ -65,7 +62,7 @@
>
> struct sc_priv_data
> {
>- struct sc_pkcs15_id cert_id;
>+ struct sc_pkcs15_id pubkey_id;
> int ref_count;
> };
>
>@@ -136,7 +133,7 @@
> goto err;
> }
> }
>- r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id,
>+ r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->pubkey_id,
> usage, &key_obj);
> if (r) {
> error("Unable to find private key from SmartCard: %s",
>@@ -343,52 +340,48 @@
> }
>
> static int
>-sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj)
>+sc_read_pubkey(Key * k, const struct sc_pkcs15_object *pubkey_obj)
> {
> int r;
>- sc_pkcs15_cert_t *cert = NULL;
>+ sc_pkcs15_pubkey_t *pkey = NULL;
> struct sc_priv_data *priv = NULL;
>- sc_pkcs15_cert_info_t *cinfo = cert_obj->data;
>+ sc_pkcs15_pubkey_info_t *cinfo = pubkey_obj->data;
>
>- X509 *x509 = NULL;
>- EVP_PKEY *pubkey = NULL;
>- u8 *p;
> char *tmp;
>
>- debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]);
>- r = sc_pkcs15_read_certificate(p15card, cinfo, &cert);
>+ debug("sc_read_pubkey() with pubkey id %02X", cinfo->id.value[0]);
>+ r = sc_pkcs15_read_pubkey(p15card, pubkey_obj, &pkey);
> if (r) {
>- logit("Certificate read failed: %s", sc_strerror(r));
>- goto err;
>- }
>- x509 = X509_new();
>- if (x509 == NULL) {
>- r = -1;
>- goto err;
>- }
>- p = cert->data;
>- if (!d2i_X509(&x509, &p, cert->data_len)) {
>- logit("Unable to parse X.509 certificate");
>- r = -1;
>+ logit("Public key read failed: %s", sc_strerror(r));
> goto err;
> }
>- sc_pkcs15_free_certificate(cert);
>- cert = NULL;
>- pubkey = X509_get_pubkey(x509);
>- X509_free(x509);
>- x509 = NULL;
>- if (pubkey->type != EVP_PKEY_RSA) {
>- logit("Public key is of unknown type");
>+
>+ if (pkey->algorithm != SC_ALGORITHM_RSA) {
>+ logit("Smartcard key is not RSA");
> r = -1;
>- goto err;
>+ goto err;
> }
>- k->rsa = EVP_PKEY_get1_RSA(pubkey);
>- EVP_PKEY_free(pubkey);
>+
>+ k->rsa = RSA_new();
>+
>+ /* this is only a pubkey, so wipe secret values: */
>+ k->rsa->d = NULL;
>+ k->rsa->p = NULL;
>+ k->rsa->q = NULL;
>+ k->rsa->dmp1 = NULL;
>+ k->rsa->dmq1 = NULL;
>+ k->rsa->iqmp = NULL;
>+
>+ k->rsa->n = BN_bin2bn(pkey->u.rsa.modulus.data, pkey->u.rsa.modulus.len, NULL);
>+ k->rsa->e = BN_bin2bn(pkey->u.rsa.exponent.data, pkey->u.rsa.exponent.len, NULL);
>+
>+ sc_pkcs15_free_pubkey(pkey);
>+ pkey = NULL;
>
> k->rsa->flags |= RSA_FLAG_SIGN_VER;
> RSA_set_method(k->rsa, 
sc_get_rsa_method());
> priv = xmalloc(sizeof(struct sc_priv_data));
>- priv->cert_id = cinfo->id;
>+ priv->pubkey_id = cinfo->id;
> priv->ref_count = 1;
> RSA_set_app_data(k->rsa, priv);
>
>@@ -399,12 +392,8 @@
>
> return 0;
> err:
>- if (cert)
>- sc_pkcs15_free_certificate(cert);
>- if (pubkey)
>- EVP_PKEY_free(pubkey);
>- if (x509)
>- X509_free(x509);
>+ if (pkey)
>+ sc_pkcs15_free_pubkey(pkey);
> return r;
> }
>
>@@ -413,8 +402,8 @@
> {
> Key *k, **keys;
> int i, r, real_count = 0, key_count;
>- sc_pkcs15_id_t cert_id;
>- sc_pkcs15_object_t *certs[32];
>+ sc_pkcs15_id_t pubkey_id;
>+ sc_pkcs15_object_t *pubkeys[32];
> char *buf = xstrdup(id), *p;
>
> debug("sc_get_keys called: id = %s", id);
>@@ -423,11 +412,11 @@
> xfree(sc_pin);
> sc_pin = (pin == NULL) ? NULL : xstrdup(pin);
>
>- cert_id.len = 0;
>+ pubkey_id.len = 0;
> if ((p = strchr(buf, ':')) != NULL) {
> *p = 0;
> p++;
>- sc_pkcs15_hex_string_to_id(p, &cert_id);
>+ sc_pkcs15_hex_string_to_id(p, &pubkey_id);
> }
> r = sscanf(buf, "%d", &sc_reader_id);
> xfree(buf);
>@@ -441,20 +430,20 @@
> goto err;
> }
> }
>- if (cert_id.len) {
>- r = sc_pkcs15_find_cert_by_id(p15card, &cert_id, &certs[0]);
>+ if (pubkey_id.len) {
>+ r = sc_pkcs15_find_pubkey_by_id(p15card, &pubkey_id, &pubkeys[0]);
> if (r < 0)
> goto err;
> key_count = 1;
> } else {
>- r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_CERT_X509,
>- certs, 32);
>+ r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_PUBKEY,
>+ pubkeys, 32);
> if (r == 0) {
>- logit("No certificates found on smartcard");
>+ logit("No public keys found on smartcard");
> r = -1;
> goto err;
> } else if (r < 0) {
>- error("Certificate enumeration failed: %s",
>+ error("Public key enumeration failed: %s",
> sc_strerror(r));
> goto err;
> }
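Review bot: `k->rsa = RSA_new();` and the two `BN_bin2bn()` calls in sc_read_pubkey are unchecked, so an allocation failure turns the following `k->rsa->d = NULL` store into a NULL dereference, and a failed modulus or exponent import leaves a key whose n or e is NULL while the function still returns 0 and the caller keeps it. The six assignments under `/* this is only a pubkey, so wipe secret values: */` can be dropped: RSA_new() already returns those fields as NULL, so the comment describes a wipe that never happens; if the intent is to record that the struct holds only public material, a one-line comment says so without the dead stores. Since the caller in the later hunk obtains k from key_new(KEY_RSA), which in OpenSSH's key.c allocates k->rsa, the assignment here presumably leaks that RSA, as the replaced EVP_PKEY_get1_RSA line did in the same way. The err: label that frees pkey lives in the next hunk.
```c
	k->rsa = RSA_new();
	if (k->rsa == NULL) {
		r = -1;
		goto err;
	}
	/* public key only: n and e are the only members set */
	k->rsa->n = BN_bin2bn(pkey->u.rsa.modulus.data, pkey->u.rsa.modulus.len, NULL);
	k->rsa->e = BN_bin2bn(pkey->u.rsa.exponent.data, pkey->u.rsa.exponent.len, NULL);
	if (k->rsa->n == NULL || k->rsa->e == NULL) {
		logit("Unable to import RSA public key from smartcard");
		r = -1;
		goto err;
	}
	/* … unchanged: sc_pkcs15_free_pubkey(pkey), RSA_set_method, priv setup … */
```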
>@@ -465,15 +454,15 @@
> keys = xcalloc(key_count * 2 + 1, sizeof(Key *));
> for (i = 0; i < key_count; i++) {
> sc_pkcs15_object_t *tmp_obj = NULL;
>- cert_id = ((sc_pkcs15_cert_info_t *)(certs[i]->data))->id;
>- if (sc_pkcs15_find_prkey_by_id(p15card, &cert_id, &tmp_obj))
>- /* skip the public key (certificate) if no
>+ pubkey_id = ((sc_pkcs15_pubkey_info_t *)(pubkeys[i]->data))->id;
>+ if (sc_pkcs15_find_prkey_by_id(p15card, &pubkey_id, &tmp_obj))
>+ /* skip the public key if no
> * corresponding private key is present */
> continue;
> k = key_new(KEY_RSA);
> if (k == NULL)
> break;
>- r = sc_read_pubkey(k, certs[i]);
>+ r = sc_read_pubkey(k, pubkeys[i]);
> if (r) {
> error("sc_read_pubkey failed: %s", sc_strerror(r));
> key_free(k);
>@@ -516,7 +505,7 @@
> /* internal error => return default label */
> return xstrdup("smartcard key");
> }
>- r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj);
>+ r = sc_pkcs15_find_prkey_by_id(p15card, &priv->pubkey_id, &key_obj);
> if (r) {
> logit("Unable to find private key from SmartCard: %s",
> sc_strerror(r));