feat(pkcs11-tool): don't limit object size to 5000 bytes #3174
Conversation
src/tools/pkcs11-tool.c
Outdated
| if (contents) | ||
| free(contents); | ||
| if (certdata) | ||
| free(certdata); |
nit: No need to check for null here. If it is null, the free() is no-op anyway (and if it was freed or is uninitialized you are screwed anyway).
| if (contents) | |
| free(contents); | |
| if (certdata) | |
| free(certdata); | |
| free(contents); | |
| free(certdata); |
src/tools/pkcs11-tool.c
Outdated
| util_fatal("malloc() failure\n"); | ||
| if (fseek(f, 0L, SEEK_SET) != 0) | ||
| util_fatal("Couldn't set file position to the beginning of the file \"%s\"", opt_file_to_write); | ||
| size_t ret = fread(contents, 1, contents_len, f); |
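Review bot: the `ret` returned by `fread()` on the last line of this hunk is not compared against `contents_len` anywhere in the visible lines; a short read (an I/O error, or the file shrinking between the size measurement and the read) would leave the tail of `contents` uninitialized and silently write that garbage into the object. Check it right after the call, e.g. `if (ret != contents_len) util_fatal("Couldn't read file \"%s\"", opt_file_to_write);`, in the same style as the `fseek()` check above it.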
I would prefer to have the declaration at the beginning of the block. Sounds like no CI we run enforces this, but it is a good practice to avoid shadowing the variable declarations (such as you do on line 4084) and getting unexpected errors.
xhanulik
left a comment
lgtm
OpenEmbedded/Yocto uses pkcs11-tool --write-object /proc/self/fd/0 to convert PEM files to DER format while importing keys into SoftHSM. Since this change, it fails with Do you consider importing objects from stdin (to avoid writing them to a temporary file) as a valid use-case?
AFAIK the pkcs11-tool already knows to convert the PEM files to DER when writing them to the object so the use case could be simplified. The only issue might be if the PEM is password protected (not sure how this is exactly handled by pkcs11-tool).
I think it is a valid use case, but I am not sure if there is a good way to have both flexibility to handle large objects and not doing
New in 0.26.1; 2025-01-14
General improvements
* Align allocations of sc_mem_secure_alloc (OpenSC/OpenSC#3281)
* Fix -O3 gcc optimization failure on amd64 and ppc64el (OpenSC/OpenSC#3299)
pkcs11-spy
* Avoid crash while spying C_GetInterface() (OpenSC/OpenSC#3275)
TCOS
* Fix reading certificate (OpenSC/OpenSC#3296)
New in 0.26.0; 2024-11-13
Security
* CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (OpenSC/OpenSC#3225)
* CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (OpenSC/OpenSC#3225)
* CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (OpenSC/OpenSC#3225)
* CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (OpenSC/OpenSC#3225)
* CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (OpenSC/OpenSC#3225)
* CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (OpenSC/OpenSC#3225)
* CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (OpenSC/OpenSC#3219)
General improvements
* Fix reselection of DF after error in PKCS#15 layer (OpenSC/OpenSC#3067)
* Unify OpenSSL logging throughout code (OpenSC/OpenSC#2922)
* Extend the p11test to support kryoptic (OpenSC/OpenSC#3141)
* Fix for error in PCSC reconnection (OpenSC/OpenSC#3150)
* Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
PKCS#15
* Documentation for PKCS#15 profile files (OpenSC/OpenSC#3132)
minidriver
* Support PinCacheAlwaysPrompt usable for PIV cards (OpenSC/OpenSC#3167)
pkcs11-tool
* Show URI when listing token information (OpenSC/OpenSC#3125) and objects (OpenSC/OpenSC#3130)
* Do not limit size of objects to 5000 bytes (OpenSC/OpenSC#3174)
* Add support for AES CMAC (OpenSC/OpenSC#3184)
* Add support for AES GCM encryption (OpenSC/OpenSC#3195)
* Add support for RSA OAEP encryption (OpenSC/OpenSC#3175)
* Add support for HKDF (OpenSC/OpenSC#3193)
* Implement better support for wrapping and unwrapping (OpenSC/OpenSC#3198)
* Add support for EdDSA sign and verify (OpenSC/OpenSC#2979)
pkcs15-crypt
* Fix PKCS#1 encoding function to correctly detect padding type (OpenSC/OpenSC#3075)
piv-tool
* Fix RSA key generation (OpenSC/OpenSC#3158)
* Avoid possible state change when matching unknown card (OpenSC/OpenSC#3112)
sc-hsm-tool
* Cleanse buffer with plaintext key share (OpenSC/OpenSC#3226)
pkcs11-register
* Fix pkcs11-register defaults on macOS and Windows (OpenSC/OpenSC#3053)
IDPrime
* Fix identification of IDPrime 840 cards (OpenSC/OpenSC#3146)
* Fix container mapping for IDPrime 940 cards (OpenSC/OpenSC#3220)
* Reorder ATRs for matching cards (OpenSC/OpenSC#3154)
OpenPGP
* Fix state tracking after erasing card (OpenSC/OpenSC#3024)
Belpic
* Disable Applet V1.8 (OpenSC/OpenSC#3109)
MICARDO
* Deactivate driver (OpenSC/OpenSC#3152)
SmartCard-HSM
* Fix signing with secp521r1 signature (OpenSC/OpenSC#3157)
eOI
* Set model via sc_card_ctl function (OpenSC/OpenSC#3189)
Rutoken
* Increase the minimum PIN size to support Rutoken ECP BIO (OpenSC/OpenSC#3208)
JPKI
* Adjust parameters for public key in PKCS#15 emulator (OpenSC/OpenSC#3182)
D-Trust
* Add support for ECDSA signatures and ECDH key agreement for D-Trust Signatures Cards 4.1/4.4 (OpenSC/OpenSC#3240, OpenSC/OpenSC#3248)
Signed-off-by: Daniel Golle <[email protected]>
With OpenSC/OpenSC#3174, which is part of 0.26.0, OpenSC does not support reading (DER) data from stdin anymore. However, OpenSC/pkcs11-tool also supports reading PEM files directly. This we can use for simply replacing and simplifying the stdin piping in cs_import_cert_from_pem().

Only for password-protected files we still have to use OpenSSL for conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism for providing passwords. For these cases, we store the converted PEM into a temporary file. The file is opened and then deleted from the filesystem. This way, the file is gone when the import is done.

This handling is sufficient, since SoftHSM import should be used for example keys only and SoftHSM also doesn't protect the keys in any way.

Signed-off-by: Michael Olbrich <[email protected]>
With OpenSC/OpenSC#3174, which is part of 0.26.0, OpenSC does not support reading the (DER-converted) object data from stdin anymore. However, OpenSC/pkcs11-tool also supports reading PEM files directly. This we can use for simply replacing and simplifying the stdin piping in signing_import_cert_from_pem().

Only for password-protected files we still have to use OpenSSL for conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism for providing passwords. For these cases, we store the converted PEM into a simple temporary file.

This handling is sufficient, since SoftHSM import should be used for example keys only and SoftHSM also doesn't protect the keys in any way. Keys which actually need to be protected are stored in HSMs and accessed via their PKCS#11 URIs.

Signed-off-by: Enrico Jörns <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
OpenSC 0.26.0 includes OpenSC/OpenSC#3174. As a result, OpenSC does not support reading the (DER-converted) object data from stdin anymore. However, OpenSC/pkcs11-tool also supports reading PEM files directly, which can be used to replace the stdin piping. Instead of piping, the converted PEM file in the temp directory is stored in the temp directory and then read later on.

See: https://git.openembedded.org/meta-openembedded/commit/meta-oe/classes/signing.bbclass?id=2d1d128a41abb698874e2d0b8e59cb5ae0416937

Signed-off-by: Lars Schmidt <[email protected]>
OpenSC 0.26.0 includes OpenSC/OpenSC#3174. As a result, OpenSC does not support reading the (DER-converted) object data from stdin anymore. However, OpenSC/pkcs11-tool also supports reading PEM files directly, which can be used to replace the stdin piping. Instead of piping, the converted PEM file in the temp directory is stored in the temp directory and then read later on.

01.09.2025 11:00-11:45

Only for password-protected files we still have to use OpenSSL for conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism for providing passwords. For these cases, we store the converted PEM into a simple temporary file.

This handling is sufficient, since SoftHSM import should be used for example keys only and SoftHSM also doesn't protect the keys in any way. Keys which actually need to be protected are stored in HSMs and accessed via their PKCS#11 URIs.

See: https://git.openembedded.org/meta-openembedded/commit/meta-oe/classes/signing.bbclass?id=2d1d128a41abb698874e2d0b8e59cb5ae0416937

Signed-off-by: Lars Schmidt <[email protected]>
OpenSC 0.26.0 includes OpenSC/OpenSC#3174. As a result, OpenSC does not support reading the (DER-converted) object data from stdin anymore.

Replace the previous approach of converting PEM to DER and piping through stdin with direct PEM file loading. Since pkcs11-tool cannot extract public keys from private keys, explicitly extract the public key using openssl and store it temporarily before loading.

This maintains test functionality while being compatible with both old and new OpenSC versions.

See: https://git.openembedded.org/meta-openembedded/commit/meta-oe/classes/signing.bbclass?id=2d1d128a41abb698874e2d0b8e59cb5ae0416937

Signed-off-by: Lars Schmidt <[email protected]>
Hi,
The goal of this PR is to remove the limit of 5000 bytes when an object is imported.
In the current version, the object size is silently truncated to 5000 bytes.
Objects such as certificates or CKO_DATA can be larger than 5000 bytes, and I suggest that we should dynamically allocate the buffers instead of using a hard-coded 5000-byte buffer.
I checked the patch with the Trustonic TEE HSM.
Regards,
Alexandre.
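As an added example that is not code from this pull request or from OpenSC, the reader below sizes its buffer from the file instead of a fixed 5000-byte array (the truncation this PR removes) while still accepting a non-seekable stdin such as /proc/self/fd/0, the use case raised in the discussion above; fseek() to SEEK_END fails on a pipe, so that path falls back to a growing reader. The names read_object, read_object_stream and roundtrip, and the 4096-byte starting chunk, are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Reader for streams that cannot be sized up front (a pipe, or stdin opened
 * as /proc/self/fd/0): read until EOF, doubling the buffer when it fills. */
unsigned char *read_object_stream(FILE *f, size_t *out_len)
{
    size_t cap = 4096, len = 0, n;
    unsigned char *buf = malloc(cap), *nb;
    *out_len = 0;
    while (buf != NULL && (n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len < cap)
            continue;                       /* room left, keep reading */
        nb = (cap > SIZE_MAX / 2) ? NULL : realloc(buf, cap * 2);
        if (nb == NULL) {
            free(buf);
            return NULL;
        }
        buf = nb;
        cap *= 2;
    }
    if (buf != NULL && ferror(f)) {         /* I/O error, not a clean EOF */
        free(buf);
        return NULL;
    }
    if (buf != NULL)
        *out_len = len;
    return buf;
}

/* Size the buffer from the file instead of a fixed 5000-byte array, so a large
 * certificate or CKO_DATA object is no longer silently cut off. fseek() to
 * SEEK_END fails on a pipe or stdin (the /proc/self/fd/0 case): fall back. */
unsigned char *read_object(FILE *f, size_t *out_len)
{
    long size;
    unsigned char *buf;
    *out_len = 0;
    if (fseek(f, 0L, SEEK_END) != 0 || (size = ftell(f)) < 0) {
        clearerr(f);
        return read_object_stream(f, out_len);
    }
    if (fseek(f, 0L, SEEK_SET) != 0 || (buf = malloc(size > 0 ? (size_t)size : 1)) == NULL)
        return NULL;
    if (fread(buf, 1, (size_t)size, f) != (size_t)size) {   /* short read: error or file changed */
        free(buf);
        return NULL;
    }
    *out_len = (size_t)size;
    return buf;
}

/* Self-check on constructed input: write n patterned bytes to a temporary file,
 * read them back through the chosen path and return n on an exact match, else 0. */
size_t roundtrip(size_t n, int force_stream)
{
    FILE *f = tmpfile();
    unsigned char *p = NULL;
    size_t len = 0, i, ok = 0;
    if (f == NULL)
        return 0;
    for (i = 0; i < n; i++)
        fputc((int)(i & 0xff), f);
    rewind(f);
    p = force_stream ? read_object_stream(f, &len) : read_object(f, &len);
    fclose(f);
    if (p != NULL && len == n)
        for (ok = n, i = 0; i < n; i++)
            ok = (p[i] == (unsigned char)(i & 0xff)) ? ok : 0;
    free(p);
    return ok;
}
```

Both paths return exactly what was written, including the 12345-byte case that the old fixed buffer would have cut at 5000 bytes.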