From 4e2e1af3eda97b432b53801775e46afc97e005a7 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 25 Aug 2003 00:58:26 +0000 Subject: [PATCH] - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from larsch@trustcenter.de --- ChangeLog | 4 ++++ scard-opensc.c | 24 ++++++++++++++++++++---- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 63f466ac..0b96b476 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20030825 + - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from + larsch@trustcenter.de + 20030822 - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal -lbroken; ok dtucker diff --git a/scard-opensc.c b/scard-opensc.c index 4ab87ea8..2489fec4 100644 --- a/scard-opensc.c +++ b/scard-opensc.c @@ -110,7 +110,8 @@ err: /* private key operations */ static int -sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out) +sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out, + unsigned int usage) { int r; struct sc_priv_data *priv; @@ -130,7 +131,8 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out) goto err; } } - r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj); + r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, + usage, &key_obj); if (r) { error("Unable to find private key from SmartCard: %s", sc_strerror(r)); @@ -176,6 +178,9 @@ err: return -1; } +#define SC_USAGE_DECRYPT SC_PKCS15_PRKEY_USAGE_DECRYPT | \ + SC_PKCS15_PRKEY_USAGE_UNWRAP + static int sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, int padding) @@ -185,7 +190,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, if (padding != RSA_PKCS1_PADDING) return -1; - r = sc_prkey_op_init(rsa, &key_obj); + r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT); if (r) return -1; r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, @@ -201,6 +206,9 @@ err: return -1; } +#define SC_USAGE_SIGN SC_PKCS15_PRKEY_USAGE_SIGN | \ + SC_PKCS15_PRKEY_USAGE_SIGNRECOVER + static int sc_sign(int type, u_char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, RSA *rsa) @@ -209,7 +217,15 @@ sc_sign(int type, u_char *m, unsigned int m_len, int r; unsigned long flags = 0; - r = sc_prkey_op_init(rsa, &key_obj); + /* XXX: sc_prkey_op_init will search for a pkcs15 private + * key object with the sign or signrecover usage flag set. + * If the signing key has only the non-repudiation flag set + * the key will be rejected as using a non-repudiation key + * for authentication is not recommended. Note: This does not + * prevent the use of a non-repudiation key for authentication + * if the sign or signrecover flag is set as well. + */ + r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN); if (r) return -1; /* FIXME: length of sigret correct? */ -- 2.45.2