Skip to content

EAC: Fix compatiility with OpenSSL 3.0 and remove "APDU firewall" #2674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
frankmorgner merged 7 commits into from
Jan 25, 2023
Merged

EAC: Fix compatiility with OpenSSL 3.0 and remove "APDU firewall" #2674

frankmorgner merged 7 commits into from
Jan 25, 2023

Conversation

@frankmorgner
Copy link
Member

@frankmorgner frankmorgner commented Jan 9, 2023

In #2646 the EAC implementation has been tested with OpenSSL 3.0 and it was found that the APDU encoding doesn't work for OpenSSL 3+ anymore (see this discussion). In order to fix this problem, the encoding/decoding has now been rewritten with OpenSC's ASN.1 parser.

Additionally this PR removes some sanity checks when transmitting encrypted APDUs. This is only useful when OpenSC is used as "transport layer" for communicating with a card, e.g. in ccid-emulator. Since this is a niche use case, sanity checks are removed from OpenSC and should now be done in the calling application if needed.

Also, note the small fixes to the build system.

Checklist
  • PKCS#11 module is tested
  • Windows minidriver is tested
  • macOS tokend is tested

@frankmorgner frankmorgner mentioned this pull request Jan 9, 2023
Closed
@llogar
Copy link
Contributor

llogar commented Jan 10, 2023

I can confirm this fixes the problem mentioned in #2646. I hope it gets accepted soon, so I can then rebase the eOI support.

@frankmorgner
SM/EAC: Removed checking of APDUs contents
002fad4 
The content of the APDUs is still verified by the card. In OpenSC,
checking the certificate validity, and the signatures matching some
portions of the content was implemented, but never enabled. Since this
is only useful in few corner cases, we now remove this functionality.
@frankmorgner
removed flawfinder comments
9cb5eb8
@frankmorgner
sm-eac: switched to OpenSC style ASN.1 parsing
ff60500
@frankmorgner
sm-eac: removed certificate description from sm context
8a11afe 
certificate description has no long term use anymore
@frankmorgner
sm-eac: avoid modifying card capabilities
84467a6 
opensc is now patched with all necessities in order to avoid this hack
@frankmorgner
fixed missing AC_SUBST for pkcs11-register flag
dcb3f15
@frankmorgner
fixed accepting parameters (files) to opensc-asn1 commandline
bf0c1b5
@frankmorgner frankmorgner mentioned this pull request Jan 23, 2023
Merged
4 tasks
@frankmorgner frankmorgner merged commit f2497d9 into OpenSC:master Jan 25, 2023
@llogar llogar mentioned this pull request Jan 27, 2023
Merged
5 tasks
@xhanulik xhanulik mentioned this pull request Jul 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@frankmorgner @llogar