Check-in [38771da1e8]
Overview
Comment:Merged in trunk
SHA1:38771da1e8cec01085e8c8b035592f9708ad771f
User & Date: rkeene on 2015-07-15 20:10:57
Context
2015-07-15
20:10
Merged in trunk Leaf check-in: 38771da1e8 user: rkeene tags: require-login-if-needed
20:05
Added support for updating the PIN check-in: b5ecb7c2d6 user: rkeene tags: trunk
2015-05-04
16:02
Merged in trunk check-in: 6938f7a82c user: rkeene tags: require-login-if-needed
Changes

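--- a/build/builtin-certs-update
+++ b/build/builtin-certs-update
@@ -4,8 +4,14 @@
 
 ourdir="$(dirname "$(which "$0")")"
 cd "${outdir}" || exit 1
 
 make -C certs/dod distclean all
 make -C certs/federal distclean all
 
+if [ "$1" = '--commercial' ]; then
+	commercial='commercial'
+else
+	commercial='SKIP'
+fi
+
-./certs-to-c certs/*/*.crt > ../cackey_builtin_certs.h
+./certs-to-c certs/{dod,federal,$commercial}/*.crt > ../cackey_builtin_certs.h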
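Review bot: The guard `cd "${outdir}" || exit 1` tests a variable the script never sets — two lines up the assignment goes to `ourdir` — so `cd` receives an empty string, which bash does not treat as an error, the `|| exit 1` can never fire, and which `.crt` files end up compiled into cackey_builtin_certs.h depends on the caller's working directory rather than on the script's location. The one-character fix is `cd "${ourdir}" || exit 1`. With `--commercial` absent the brace expansion produces the literal `certs/SKIP/*.crt`, which only works because certs-to-c now tolerates a non-existent argument; a comment on the assignment, `# 'SKIP' names no directory on purpose; certs-to-c ignores the unmatched glob`, would save the next reader the hunt.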

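--- a/build/cackey_osx_build/Template_pmbuild/03libcackey.xml.in
+++ b/build/cackey_osx_build/Template_pmbuild/03libcackey.xml.in
@@ -2,15 +2,15 @@
 	<config>
 		<identifier>mil.army.usace.cackeyForMacOsX@@OSXVERSION@@.cackey.pkg</identifier>
 		<version>1</version>
 		<description></description>
 		<post-install type="none"/>
 		<requireAuthorization/>
 		<installFrom relative="true" mod="true">cackey.dylib</installFrom>
-		<installTo mod="true" relocatable="true">/usr/lib/pkcs11</installTo>
+		<installTo mod="true" relocatable="true">/usr/local/lib/pkcs11</installTo>
 		<flags></flags>
 		<packageStore type="internal"></packageStore>
 		<mod>parent</mod>
 		<mod>scripts.postinstall.path</mod>
 		<mod>scripts.scriptsDirectoryPath.isRelativeType</mod>
 		<mod>scripts.scriptsDirectoryPath.path</mod>
 		<mod>installTo.isAbsoluteType</mod>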

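--- a/build/cackey_osx_build/Template_pmbuild/04pkcs11tokend.xml.in
+++ b/build/cackey_osx_build/Template_pmbuild/04pkcs11tokend.xml.in
@@ -2,15 +2,15 @@
 	<config>
 		<identifier>mil.army.usace.cackeyForMacOsX@@OSXVERSION@@.PKCS11.pkg</identifier>
 		<version>1</version>
 		<description></description>
 		<post-install type="none"/>
 		<requireAuthorization/>
 		<installFrom relative="true" mod="true">PKCS11.tokend</installFrom>
-		<installTo mod="true" relocatable="true">/System/Library/Security/tokend/PKCS11.tokend</installTo>
+		<installTo mod="true" relocatable="true">/Library/Security/tokend/PKCS11.tokend</installTo>
 		<flags></flags>
 		<packageStore type="internal"></packageStore>
 		<mod>parent</mod>
 		<mod>scripts.postinstall.path</mod>
 		<mod>scripts.scriptsDirectoryPath.isRelativeType</mod>
 		<mod>scripts.scriptsDirectoryPath.path</mod>
 		<mod>installTo.isAbsoluteType</mod>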

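--- a/build/cackey_osx_build/Template_pmbuild/index.xml.in
+++ b/build/cackey_osx_build/Template_pmbuild/index.xml.in
@@ -65,17 +65,17 @@
 {\fonttbl\f0\fnil\fcharset0 LucidaGrande;}
 {\colortbl;\red255\green255\blue255;}
 \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
 
 \f0\fs26 \cf0 Thank you for choosing to install CACKey.\
 \
 To use CACKey, install /Library/CACKey/libcackey.dylib or\
-/usr/lib/pkcs11/cackey.dylib as a security module into any application that can use a PKCS#11 provider.\
+/usr/local/lib/pkcs11/cackey.dylib as a security module into any application that can use a PKCS#11 provider.\
 \
-A PKCS11 Connector for Tokend (Keychain Access) will be installed in /System/Library/Security/tokend.\
+A PKCS11 Connector for Tokend (Keychain Access) will be installed in /Library/Security/tokend.\
 To use, be sure to import the certificate authorities into Keychain Access.\
 \
 A debug version, /Library/CACKey/libcackey_g.dylib is provided if debug output is necessary.}]]>
 			</resource>
 		</locale>
 	</resources>
 	<requirements>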

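--- a/build/cackey_osx_build/Template_pmbuild/scripts/03libcackey-post.sh
+++ b/build/cackey_osx_build/Template_pmbuild/scripts/03libcackey-post.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-chmod 755 /usr/lib/pkcs11
-chown root:wheel /usr/lib/pkcs11
+chmod 755 /usr/local/lib/pkcs11
+chown root:wheel /usr/local/lib/pkcs11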
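Review bot: The `chmod`/`chown` pair fixes the `/usr/local/lib/pkcs11` directory only, not the `cackey.dylib` placed inside it, whereas the sibling 04pkcs11tokend-post.sh applies both recursively with `-R`; a module that applications load in-process and hand the card PIN to should not be left with whatever mode the installer gave it, so `chown -R root:wheel /usr/local/lib/pkcs11` and `chmod -R go-w,go+rX /usr/local/lib/pkcs11` would bring this script in line with the other one. The move out of `/usr/lib` also changes the trust picture: nothing here checks the parent `/usr/local/lib`, and on machines where that tree is owned by the console user (a common arrangement with third-party package managers) that user can swap the whole `pkcs11` directory out from under the root-owned contents. At minimum a comment recording the assumption belongs here, `# assumes /usr/local/lib itself is root-owned and not group/world-writable`.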

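--- a/build/cackey_osx_build/Template_pmbuild/scripts/04pkcs11tokend-post.sh
+++ b/build/cackey_osx_build/Template_pmbuild/scripts/04pkcs11tokend-post.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-chmod -R go+rX /System/Library/Security/tokend/PKCS11.tokend
-chown -R root:wheel /System/Library/Security/tokend/PKCS11.tokend
+chmod -R go+rX /Library/Security/tokend/PKCS11.tokend
+chown -R root:wheel /Library/Security/tokend/PKCS11.tokend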

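--- a/build/cackey_osx_build/build_osx.sh
+++ b/build/cackey_osx_build/build_osx.sh
@@ -10,15 +10,15 @@
 fi
 
 # Usage function
 usage() {
 	echo "Usage: build_osx.sh <target>"
 	echo Where target is one of:
 	echo "    leopard  - (Builds Universal 10.5 Library for PPCG4/i386)"
-	echo "    sltoyos - (Builds Universal 10.6/10.7/10.8/10.9/10.10 Library for i386/x86_64)"
+	echo "    slandup - (Builds Universal 10.6 and Up Library for i386/x86_64)"
 	echo "    all - (Builds for all supported targets)"
 	echo "    clean - (Cleans up)"
 	echo "Run from CACKey Build Root."
 	echo ""
 	echo "NOTE:  Leopard build requires legacy XCode 3 components in"
 	echo "       /Developer because of PowerPC support."
 	echo "       All builds require gnutar, automake, and autoconf."
@@ -43,15 +43,15 @@
 		LIBTOOLDIR=/Developer/usr/share/libtool
 	else
 		LIBTOOLDIR=/Developer/usr/share/libtool/config
 	fi
 	if [ ! -d macbuild ]; then
 		mkdir macbuild
 		mkdir macbuild/Leopard
-		mkdir macbuild/Sltoyos
+		mkdir macbuild/Slandup
 		mkdir macbuild/pkg
 	fi
 	if [ ! -f config.guess ]; then
 		cp ${LIBTOOLDIR}/config.guess .
 	fi
 	if [ ! -f config.sub ]; then
 		cp ${LIBTOOLDIR}/config.sub .
@@ -77,23 +77,23 @@
 		genbuild
 	done
 	libbuild
 	pkgbuild
 }
 
 # Build function for Snow Leopard/Lion/Mountain Lion/Mavericks/Yosemite
-sltoyos() {
+slandup() {
 	makedir
 	HEADERS=/Developer/SDKs/MacOSX10.6.sdk/System/Library/Frameworks/PCSC.framework/Versions/A/Headers/
 	LIBRARY=/Developer/SDKs/MacOSX10.6.sdk/System/Library/Frameworks/PCSC.framework/PCSC
 	LIB=""
 	ARCHLIST=""
 	DLIB=""
 	DARCHLIST=""
-	OSX=Sltoyos
+	OSX=Slandup
 	PKTARGETOS=3
 	CUROSXVER=10.6
 	for HOST in i386-apple-darwin10 x86_64-apple-darwin10; do
 		genbuild
 	done
 	libbuild
 	pkgbuild
@@ -165,16 +165,16 @@
 		sed "s|@@TARGETOS@@|${PKTARGETOS}|g" build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC} > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1
 		sed "s|@@CUROSXVER@@|${CUROSXVER}|g" build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC} > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1
 		sed "s|@@LIBCACKEYG@@|${LIBCACKEYG}|g" build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1 > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}
 		cp build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC} build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1
 		mv build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1 build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}
 	done
 	EXT=pkg
-	if [ ${OSX} == "Sltoyos" ]; then
-		cat build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml | sed 's|for Mac OS X Sltoyos|for Mac OS X SLtoYos|g' > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml.new
+	if [ ${OSX} == "Slandup" ]; then
+		cat build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml | sed 's|for Mac OS X Slandup|for Mac OS X SLandUp|g' > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml.new
 		mv build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml.new build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml
 	fi
 	/Developer/Applications/Utilities/PackageMaker.app/Contents/MacOS/PackageMaker -d build/cackey_osx_build/${OSX}_pmbuild.pmdoc -o macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}
 	tar --create --directory macbuild/pkg/ --file macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}.tar CACKey_${CACKEY_VERSION}_${OSX}.${EXT}
 	gzip -9 macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}.tar
 	rm -rf macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}
 	rm -f build/cackey_osx_build/cackey.dylib
@@ -191,24 +191,24 @@
 
 	"leopard")
 		./autogen.sh
 		leopard
 		exit $?
 	;;
 
-	"sltoyos")
+	"slandup")
 		./autogen.sh
-		sltoyos
+		slandup
 		exit $?
 	;;
 
 	"all")
 		./autogen.sh
 		leopard
-		sltoyos
+		slandup
 		echo ""
 		echo "All builds complete."
 		exit $?
 	;;
 
 	"clean")
 		clean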

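--- a/build/certs-to-c
+++ b/build/certs-to-c
@@ -1,27 +1,32 @@
 #! /bin/bash
 
 for file in "$@"; do
+	if [ ! -f "${file}" ]; then
+		continue
+	fi
+
 	rm -f tmpfile.x509
 	if ! openssl x509 -in "${file}" -inform pem -noout -checkend 0 >/dev/null 2>/dev/null; then
 		echo "warning: Skipping \"${file}\" as it is invalid or expired." >&2
 
 		continue
 	fi
 
 	openssl x509 -in "${file}" -out tmpfile.x509 -inform pem -outform der
 
-	pubkeylen="$(openssl x509 -in tmpfile.x509 -inform der -text -noout | grep 'RSA Public Key:' | sed 's@^.*(\([0-9][0-9]*\) bit).*$@\1@')"
-	certlen="$(cat tmpfile.x509 | wc -c)"
+	pubkeylen="$(openssl x509 -in tmpfile.x509 -inform der -text -noout | grep 'Public[- ]Key:' | sed 's@^.*(\([0-9][0-9]*\) bit).*$@\1@')"
+	certlen="$(cat tmpfile.x509 | wc -c | awk '{ print $1 }')"
 	cert="$(( cat tmpfile.x509 | od -t x1 | cut -c 9- | tr "\n" ' '; echo ) | sed 's@ @@g;s@..@\\x&@g')"
 
 	cat << _EOF_
+	/* ${file} */
 	{
 		CACKEY_ID_TYPE_CERT_ONLY, /* id_type */
 		${certlen}, /* certificate_len */
 		(unsigned char *) "${cert}", /* certificate */
 		${pubkeylen} /* keysize */
 	},
 _EOF_
 done
 
 rm -f tmpfile.x509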
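Review bot: `pubkeylen` on the widened `grep 'Public[- ]Key:'` line can still come back empty — the pattern was changed because the label differs between OpenSSL releases, and a release that prints it in yet another form would make the heredoc emit nothing before `/* keysize */`, leaving a trailing comma in the initializer so the keysize field of that entry in cackey_builtin_certs.h is quietly zero-filled by the compiler. Fail loudly instead, right after the assignment: `if [ -z "${pubkeylen}" ]; then echo "error: could not determine key size of \"${file}\"" >&2; exit 1; fi`. The new `[ ! -f "${file}" ]` check at the top of the loop also skips silently, unlike the expired-certificate branch just below it which writes a `warning:` to stderr; a misspelled path would drop a trust anchor from the built-in list unnoticed, so the same style of message belongs there, `echo "warning: Skipping \"${file}\" as it does not exist." >&2`.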

Modified build/certs/commercial/kps-ca-1.crt from [686485547a] to [cdf1ee5afa].

1
2
3
4
5
6
7
8
9
10


11
12
13
14
15
16
17
18
19
20
21
22
23
24


25
26
-----BEGIN CERTIFICATE-----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DwAwggEKAoIBAQDFB0hZlCwZFIUn/fHk/Ubeia8/pnpC/yuWs+oicBs9SvhrZNMI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-----END CERTIFICATE-----


|
|
|
|
|
|
<
<
|
>
>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
>
>


1
2
3
4
5
6
7


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
-----BEGIN CERTIFICATE-----
MIIEfTCCA2WgAwIBAgICJxAwDQYJKoZIhvcNAQELBQAwgawxCzAJBgNVBAYTAlVT
MREwDwYDVQQIEwhWaXJnaW5pYTEPMA0GA1UEBxMGUmVzdG9uMSAwHgYDVQQKExdL
bmlnaHRQb2ludCBTeXN0ZW1zIExMQzEXMBUGA1UECxMOS25pZ2h0UG9pbnQgSVQx
GDAWBgNVBAsTD0tuaWdodFBvaW50IFBLSTEkMCIGA1UEAxMbS25pZ2h0UG9pbnQg
U3lzdGVtcyBSb290IENBMB4XDTE1MDEwMTAwMDAwMFoXDTIwMDEwMTAwMDAwMFow
gakxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTEPMA0GA1UEBxMGUmVz

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-----END CERTIFICATE-----

Modified build/certs/commercial/kps-root-ca.crt from [5d7e615d76] to [b0a7a486e8].

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16


17
18
19
20
21
22
23

24
-----BEGIN CERTIFICATE-----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VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDB4YAMA0GCSqGSIb3DQEBCwUAA4IB
AQAcujWXZ3E3zS/7VSCTp6huc5bwDAncxWtcBjV8O0cJIbbqvYVlCfosI+VqtUAT
9lG2QVRwPTrz171WB0NXRJdIX0r8oemTV+lknE7KauwtoMiGKADxyH5XJuIvchwb
ykuPXnBPJ8KAUV5tFDWgjLcrICrBjadywSS6/EBCFzFjFb11Sw4eAhohrEow+keD
Dsow+NcpdRm3kwEa5mvdheIixPtemtC8UnB/iKjVlM2O+ihy85xdJLkqp9hZ4gro
W5AEzRV6pN8OBTMXCQieQcYMyPvEf0AUpcAqxxOciWQGRbdyF/4DetuFz7fOxAHD
3WRKCbxylVFQV4hzK5dJAJsg

-----END CERTIFICATE-----

|













|
>
>
|
<
<
|
|
|
|
>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19


20
21
22
23
24
25
-----BEGIN CERTIFICATE-----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92i6JOIx8AAy1ZfC5HWZJWjwEa+kIy5upRm0BE/we4WJKwmMDxPZP4jC6cC9BYE2
e6sqTThsTUEVI0e41bKBCF6ErHpRlp4EfHfmTNpiSjqBgNCK7kcyeQF0bPnUHO0Q
TPrY5WUpTnRBR2NnQBvmjl0nLBWDU1+2ib5bskZfnBRCPwVYGa393VmpaBDuIozG
P0vv2UuLetj5Xa5NDPv5c43s8+Z4pW5EEb2qH0Wfh5/g6qFWVMFVFkk9Jr+qVHf3
ueZlAL7HchQgaA2f+dY53CdnL7kX4Pv79uSHKzynxSIVMP/d0fdwvwKd
-----END CERTIFICATE-----

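--- a/build/certs/dod/Makefile
+++ b/build/certs/dod/Makefile
@@ -1,12 +1,14 @@
 all: cert-0.crt
 
 rel3_dodroot_2048.cac:
-	wget -O "$@.new" http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
-	mv "$@.new" "$@"
+	wget -O Certificates_PKCS7_v4.1_DoD.zip http://iasecontent.disa.mil/pki-pke/Certificates_PKCS7_v4.1_DoD.zip
+	unzip Certificates_PKCS7_v4.1_DoD.zip Certificates_PKCS7_v4.1_DoD/Certificates_PKCS7_v4.1_DoD.der.p7b
+	mv Certificates_PKCS7_v4.1_DoD/Certificates_PKCS7_v4.1_DoD.der.p7b "$@"
+	rm -rf Certificates_PKCS7_v4.1_DoD Certificates_PKCS7_v4.1_DoD.zip
 
 cert-%.crt: rel3_dodroot_2048.cac
 	idx=0; \
 	( \
 		openssl pkcs7 -in rel3_dodroot_2048.cac -inform DER -print_certs -text; \
 	) | while IFS='' read -r line; do \
 		if [ -z "$${line}" ]; then \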
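Review bot: The `wget` line fetches the DoD PKCS#7 bundle over plain `http://` and the recipe uses it as-is, with no digest or signature check; the certificates unpacked from it are what `certs-to-c` compiles into cackey_builtin_certs.h as trust anchors, so whoever can tamper with that download gets a CA of their choosing built into the module. Record the archive's expected digest in the Makefile and stop the build on mismatch with a line right after the `wget`, `echo "<sha256 of the archive>  Certificates_PKCS7_v4.1_DoD.zip" | shasum -a 256 -c -`, and use `https://` if DISA serves the file that way (not checkable from here). The target is still called `rel3_dodroot_2048.cac` although it now holds the v4.1 bundle; a comment on the rule, `# name kept for the cert-%.crt dependency; contents are the v4.1 DoD PKCS#7 bundle`, would prevent the next reader from assuming it is the old single root. The `cert-%.crt` rule continues past the end of the hunk.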

Modified cackey.c from [60fa6fcd12] to [a802283a94].

81
82
83
84
85
86
87

88
89
90
91
92
93
94
....
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
....
3153
3154
3155
3156
3157
3158
3159

































































































3160
3161
3162
3163
3164
3165
3166
....
4186
4187
4188
4189
4190
4191
4192





















































4193
4194
4195
4196
4197
4198
4199
....
4999
5000
5001
5002
5003
5004
5005
5006
5007





5008
5009
5010
5011
5012
5013
5014
5015
5016



5017


















































































































5018















5019
5020
5021
5022
5023
5024
5025
....
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
5312
5313
5314
5315
5316
5317
5318
....
5367
5368
5369
5370
5371
5372
5373
5374
5375
5376
5377
5378
5379
5380
5381
5382
5383

5384

5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395
5396
5397
5398
5399
5400
5401
5402
5403
5404
5405
5406
5407
5408
5409
5410
5411
5412
5413
5414
5415
5416
5417
5418
5419
5420
5421
5422
5423
5424
5425
5426
5427
5428
5429
5430
5431
5432
5433
5434
5435
5436
5437
5438
5439
5440
5441
#define GSCIS_INSTR_READ_BINARY       0xB0
#define GSCIS_INSTR_UPDATE_BINARY     0xD6
#define GSCIS_INSTR_SELECT            0xA4
#define GSCIS_INSTR_EXTERNAL_AUTH     0x82
#define GSCIS_INSTR_GET_CHALLENGE     0x84
#define GSCIS_INSTR_INTERNAL_AUTH     0x88
#define GSCIS_INSTR_VERIFY            0x20

#define GSCIS_INSTR_SIGN              0x2A
#define GSCIS_INSTR_GET_PROP          0x56
#define GSCIS_INSTR_GET_ACR           0x4C
#define GSCIS_INSTR_READ_BUFFER       0x52
#define GSCIS_INSTR_SIGNDECRYPT       0x42

#define GSCIS_PARAM_SELECT_APPLET     0x04
................................................................................
			xmit_buf[xmit_len++] = le;
		}
	}

	/* Begin Smartcard Transaction */
	cackey_begin_transaction(slot);

	if (class == GSCIS_CLASS_ISO7816 && instruction == GSCIS_INSTR_VERIFY && p1 == 0x00) {
		CACKEY_DEBUG_PRINTF("Sending APDU: <<censored>>");
	} else {
		CACKEY_DEBUG_PRINTBUF("Sending APDU:", xmit_buf, xmit_len);
	}

	recv_len = sizeof(recv_buf);
	scard_xmit_ret = SCardTransmit(slot->pcsc_card, pioSendPci, xmit_buf, xmit_len, NULL, recv_buf, &recv_len);
................................................................................
 *
 * RETURN VALUE
 *     ...
 *
 * NOTES
 *     ...
 *

































































































 */
static cackey_ret cackey_login(struct cackey_slot *slot, unsigned char *pin, unsigned long pin_len, int *tries_remaining_p) {
	struct cackey_pcsc_identity *pcsc_identities;
	unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
	unsigned long num_certs;
	uint16_t response_code;
	int tries_remaining;
................................................................................
		return(identities);
	}


	*ids_found = 0;
	return(NULL);
}






















































CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
	CK_C_INITIALIZE_ARGS CK_PTR args;
	uint32_t idx, highest_slot;
	int mutex_init_ret;
	int include_dod_certs;

................................................................................
	}

	CACKEY_DEBUG_PRINTF("Returning CKR_TOKEN_WRITE_PROTECTED (%i)", CKR_TOKEN_WRITE_PROTECTED);

	return(CKR_TOKEN_WRITE_PROTECTED);
}

/* We don't support this method. */
CK_DEFINE_FUNCTION(CK_RV, C_SetPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldPinLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewPinLen) {





	CACKEY_DEBUG_PRINTF("Called.");

	if (!cackey_initialized) {
		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");

		return(CKR_CRYPTOKI_NOT_INITIALIZED);
	}

	CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);






















































































































	return(CKR_FUNCTION_NOT_SUPPORTED);















}

CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY notify, CK_SESSION_HANDLE_PTR phSession) {
	unsigned long idx;
	int mutex_retval;
	int found_session = 0;

................................................................................
	CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);

	return(CKR_FUNCTION_NOT_SUPPORTED);
}

CK_DEFINE_FUNCTION(CK_RV, _C_LoginMutexArg)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, int lock_mutex) {
	CK_SLOT_ID slotID;
	FILE *pinfd;
	char *pincmd, pinbuf[64], *fgets_ret;
	int mutex_retval;
	int tries_remaining;
	int login_ret;
	int pclose_ret;

	CACKEY_DEBUG_PRINTF("Called.");

	if (!cackey_initialized) {
		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");

		return(CKR_CRYPTOKI_NOT_INITIALIZED);
................................................................................
		if (lock_mutex) {
			cackey_mutex_unlock(cackey_biglock);
		}

		return(CKR_GENERAL_ERROR);
	}

	pincmd = cackey_pin_command;
	if (pincmd != NULL) {
		CACKEY_DEBUG_PRINTF("CACKEY_PIN_COMMAND = %s", pincmd);

		if (pPin != NULL) {
			CACKEY_DEBUG_PRINTF("Protected authentication path in effect and PIN provided !?");
		}

		pinfd = popen(pincmd, "r");
		if (pinfd == NULL) {

			CACKEY_DEBUG_PRINTF("Error.  %s: Unable to run", pincmd);


			if (lock_mutex) {
				cackey_mutex_unlock(cackey_biglock);
			}

			CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);

			return(CKR_PIN_INCORRECT);
		}

		fgets_ret = fgets(pinbuf, sizeof(pinbuf), pinfd);
		if (fgets_ret == NULL) {
			pinbuf[0] = '\0';
		}

		pclose_ret = pclose(pinfd);
		if (pclose_ret == -1 && errno == ECHILD) {
			CACKEY_DEBUG_PRINTF("Notice.  pclose() indicated it could not get the status of the child, assuming it succeeeded !");

			pclose_ret = 0;
		}

		if (pclose_ret != 0) {
			CACKEY_DEBUG_PRINTF("Error.  %s: exited with non-zero status of %i", pincmd, pclose_ret);

			if (lock_mutex) {
				cackey_mutex_unlock(cackey_biglock);
			}

			CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);

			return(CKR_PIN_INCORRECT);
		}

		if (strlen(pinbuf) < 1) {
			CACKEY_DEBUG_PRINTF("Error.  %s: returned no data", pincmd);

			if (lock_mutex) {
				cackey_mutex_unlock(cackey_biglock);
			}

			CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);

			return(CKR_PIN_INCORRECT);
		}

		if (pinbuf[strlen(pinbuf) - 1] == '\n') {
			pinbuf[strlen(pinbuf) - 1] = '\0';
		}

		pPin = (CK_UTF8CHAR_PTR) pinbuf;
		ulPinLen = strlen(pinbuf);
	}

	login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining);
	if (login_ret != CACKEY_PCSC_S_OK) {
		if (lock_mutex) {







>







 







|







 







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







 







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







 







<

>
>
>
>
>








<
>
>
>

>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







 







|
|



<







 







|
<
<
<




|
<
>
|
>





<
<



<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<







81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
....
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
....
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
....
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
....
5150
5151
5152
5153
5154
5155
5156

5157
5158
5159
5160
5161
5162
5163
5164
5165
5166
5167
5168
5169
5170

5171
5172
5173
5174
5175
5176
5177
5178
5179
5180
5181
5182
5183
5184
5185
5186
5187
5188
5189
5190
5191
5192
5193
5194
5195
5196
5197
5198
5199
5200
5201
5202
5203
5204
5205
5206
5207
5208
5209
5210
5211
5212
5213
5214
5215
5216
5217
5218
5219
5220
5221
5222
5223
5224
5225
5226
5227
5228
5229
5230
5231
5232
5233
5234
5235
5236
5237
5238
5239
5240
5241
5242
5243
5244
5245
5246
5247
5248
5249
5250
5251
5252
5253
5254
5255
5256
5257
5258
5259
5260
5261
5262
5263
5264
5265
5266
5267
5268
5269
5270
5271
5272
5273
5274
5275
5276
5277
5278
5279
5280
5281
5282
5283
5284
5285
5286
5287
5288
5289
5290
5291
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
....
5585
5586
5587
5588
5589
5590
5591
5592
5593
5594
5595
5596

5597
5598
5599
5600
5601
5602
5603
....
5652
5653
5654
5655
5656
5657
5658
5659



5660
5661
5662
5663
5664

5665
5666
5667
5668
5669
5670
5671
5672


5673
5674
5675








































5676
5677
5678
5679
5680
5681
5682
#define GSCIS_INSTR_READ_BINARY       0xB0
#define GSCIS_INSTR_UPDATE_BINARY     0xD6
#define GSCIS_INSTR_SELECT            0xA4
#define GSCIS_INSTR_EXTERNAL_AUTH     0x82
#define GSCIS_INSTR_GET_CHALLENGE     0x84
#define GSCIS_INSTR_INTERNAL_AUTH     0x88
#define GSCIS_INSTR_VERIFY            0x20
#define GSCIS_INSTR_CHANGE_REFERENCE  0x24
#define GSCIS_INSTR_SIGN              0x2A
#define GSCIS_INSTR_GET_PROP          0x56
#define GSCIS_INSTR_GET_ACR           0x4C
#define GSCIS_INSTR_READ_BUFFER       0x52
#define GSCIS_INSTR_SIGNDECRYPT       0x42

#define GSCIS_PARAM_SELECT_APPLET     0x04
................................................................................
			xmit_buf[xmit_len++] = le;
		}
	}

	/* Begin Smartcard Transaction */
	cackey_begin_transaction(slot);

	if (class == GSCIS_CLASS_ISO7816 && (instruction == GSCIS_INSTR_VERIFY || instruction == GSCIS_INSTR_CHANGE_REFERENCE) && p1 == 0x00) {
		CACKEY_DEBUG_PRINTF("Sending APDU: <<censored>>");
	} else {
		CACKEY_DEBUG_PRINTBUF("Sending APDU:", xmit_buf, xmit_len);
	}

	recv_len = sizeof(recv_buf);
	scard_xmit_ret = SCardTransmit(slot->pcsc_card, pioSendPci, xmit_buf, xmit_len, NULL, recv_buf, &recv_len);
................................................................................
 *
 * RETURN VALUE
 *     ...
 *
 * NOTES
 *     ...
 *
 */
static cackey_ret cackey_set_pin(struct cackey_slot *slot, unsigned char *old_pin, unsigned long old_pin_len, unsigned char *pin, unsigned long pin_len) {
	struct cackey_pcsc_identity *pcsc_identities;
	unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
	unsigned char old_cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
	unsigned char pin_update[sizeof(cac_pin) + sizeof(old_cac_pin)];
	unsigned long num_certs;
	uint16_t response_code;
	int tries_remaining;
	int send_ret;
	int key_reference = 0x00;

	/* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */
	if (pin_len >= 8) {
		memcpy(cac_pin, pin, 8);
	} else {
		memcpy(cac_pin, pin, pin_len);
	}

	if (old_pin_len >= 8) {
		memcpy(old_cac_pin, old_pin, 8);
	} else {
		memcpy(old_cac_pin, old_pin, old_pin_len);
	}

	/* Concatenate both PINs together to send as a single instruction */
	memcpy(pin_update, old_cac_pin, sizeof(old_cac_pin));
	memcpy(pin_update + sizeof(old_cac_pin), cac_pin, sizeof(cac_pin));

	/* Reject PINs which are too short */
	if (pin_len < 5) {
		CACKEY_DEBUG_PRINTF("Rejecting New PIN which is too short (length = %lu, must be atleast 5)", pin_len);

		return(CACKEY_PCSC_E_BADPIN);
	}

	if (old_pin_len < 5) {
		CACKEY_DEBUG_PRINTF("Rejecting Old PIN which is too short (length = %lu, must be atleast 5)", old_pin_len);

		return(CACKEY_PCSC_E_BADPIN);
	}

	/* PIV authentication uses a "key_reference" of 0x80 */
	pcsc_identities = cackey_read_certs(slot, NULL, &num_certs);
	if (num_certs > 0 && pcsc_identities != NULL) {
		switch (pcsc_identities[0].id_type) {
			case CACKEY_ID_TYPE_PIV:
				CACKEY_DEBUG_PRINTF("We have PIV card, so we will attempt to authenticate using the PIV Application key reference");

				key_reference = 0x80;
				break;
			default:
				break;
		}

		cackey_free_certs(pcsc_identities, num_certs, 1);
	}

	/* Issue a Set PIN (CHANGE REFERENCE) */
	send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_CHANGE_REFERENCE, 0x00, key_reference, sizeof(pin_update), pin_update, 0x00, &response_code, NULL, NULL);

	if (send_ret != CACKEY_PCSC_S_OK) {
		if ((response_code & 0x63C0) == 0x63C0) {
			tries_remaining = (response_code & 0xF);

			CACKEY_DEBUG_PRINTF("PIN Verification failed, %i tries remaining", tries_remaining);

			return(CACKEY_PCSC_E_BADPIN);
		}

		if (response_code == 0x6983) {
			CACKEY_DEBUG_PRINTF("Unable to set PIN, device is locked or changing the PIN is disabled");

			return(CACKEY_PCSC_E_LOCKED);
		}

		return(CACKEY_PCSC_E_GENERIC);
	}

	CACKEY_DEBUG_PRINTF("PIN Change succeeded");

	return(CACKEY_PCSC_S_OK);
}

/*
 * SYNPOSIS
 *     ...
 *
 * ARGUMENTS
 *     ...
 *
 * RETURN VALUE
 *     ...
 *
 * NOTES
 *     ...
 *
 */
static cackey_ret cackey_login(struct cackey_slot *slot, unsigned char *pin, unsigned long pin_len, int *tries_remaining_p) {
	struct cackey_pcsc_identity *pcsc_identities;
	unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
	unsigned long num_certs;
	uint16_t response_code;
	int tries_remaining;
................................................................................
		return(identities);
	}


	*ids_found = 0;
	return(NULL);
}

static cackey_ret cackey_get_pin(char *pinbuf) {
	FILE *pinfd;
	char *fgets_ret;
	int pclose_ret;

	if (cackey_pin_command == NULL) {
		return(CACKEY_PCSC_E_GENERIC);
	}

	if (pinbuf == NULL) {
		return(CACKEY_PCSC_E_GENERIC);
	}

	CACKEY_DEBUG_PRINTF("CACKEY_PIN_COMMAND = %s", cackey_pin_command);

	pinfd = popen(cackey_pin_command, "r");
	if (pinfd == NULL) {
		CACKEY_DEBUG_PRINTF("Error.  %s: Unable to run", cackey_pin_command);

		return(CACKEY_PCSC_E_BADPIN);
	}

	fgets_ret = fgets(pinbuf, 32, pinfd);
	if (fgets_ret == NULL) {
		pinbuf[0] = '\0';
	}

	pclose_ret = pclose(pinfd);
	if (pclose_ret == -1 && errno == ECHILD) {
		CACKEY_DEBUG_PRINTF("Notice.  pclose() indicated it could not get the status of the child, assuming it succeeeded !");

		pclose_ret = 0;
	}

	if (pclose_ret != 0) {
		CACKEY_DEBUG_PRINTF("Error.  %s: exited with non-zero status of %i", cackey_pin_command, pclose_ret);

		return(CACKEY_PCSC_E_BADPIN);
	}

	if (strlen(pinbuf) < 1) {
		CACKEY_DEBUG_PRINTF("Error.  %s: returned no data", cackey_pin_command);

		return(CACKEY_PCSC_E_BADPIN);
	}

	if (pinbuf[strlen(pinbuf) - 1] == '\n') {
		pinbuf[strlen(pinbuf) - 1] = '\0';
	}

	return(CACKEY_PCSC_S_OK);
}

CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
	CK_C_INITIALIZE_ARGS CK_PTR args;
	uint32_t idx, highest_slot;
	int mutex_init_ret;
	int include_dod_certs;

................................................................................
	}

	CACKEY_DEBUG_PRINTF("Returning CKR_TOKEN_WRITE_PROTECTED (%i)", CKR_TOKEN_WRITE_PROTECTED);

	return(CKR_TOKEN_WRITE_PROTECTED);
}


CK_DEFINE_FUNCTION(CK_RV, C_SetPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldPinLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewPinLen) {
	char oldpinbuf[64], newpinbuf[64];
	cackey_ret set_pin_ret, get_pin_ret;
	CK_SLOT_ID slotID;
	int mutex_retval;

	CACKEY_DEBUG_PRINTF("Called.");

	if (!cackey_initialized) {
		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");

		return(CKR_CRYPTOKI_NOT_INITIALIZED);
	}


	mutex_retval = cackey_mutex_lock(cackey_biglock);
	if (mutex_retval != 0) {
		CACKEY_DEBUG_PRINTF("Error.  Locking failed.");

		return(CKR_GENERAL_ERROR);
	}

	if (!cackey_sessions[hSession].active) {
		cackey_mutex_unlock(cackey_biglock);

		CACKEY_DEBUG_PRINTF("Error.  Session not active.");
		
		return(CKR_SESSION_HANDLE_INVALID);
	}

	slotID = cackey_sessions[hSession].slotID;

	if (slotID < 0 || slotID >= (sizeof(cackey_slots) / sizeof(cackey_slots[0]))) {
		CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), outside of valid range", slotID);

		cackey_mutex_unlock(cackey_biglock);

		return(CKR_GENERAL_ERROR);
	}

	if (cackey_slots[slotID].active == 0) {
		CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID);

		cackey_mutex_unlock(cackey_biglock);

		return(CKR_GENERAL_ERROR);
	}

	if (cackey_pin_command != NULL) {
		/* Get old PIN */
		get_pin_ret = cackey_get_pin(oldpinbuf);

		if (get_pin_ret != CACKEY_PCSC_S_OK) {
			CACKEY_DEBUG_PRINTF("Error while getting Old PIN, returning CKR_PIN_INCORRECT.");

			cackey_mutex_unlock(cackey_biglock);
			
			return(CKR_PIN_INCORRECT);
		}

		pOldPin = (CK_UTF8CHAR_PTR) oldpinbuf;
		ulOldPinLen = strlen(oldpinbuf);

		/* Get new PIN */
		get_pin_ret = cackey_get_pin(newpinbuf);

		if (get_pin_ret != CACKEY_PCSC_S_OK) {
			CACKEY_DEBUG_PRINTF("Error while getting New PIN, returning CKR_PIN_INVALID.");

			cackey_mutex_unlock(cackey_biglock);
			
			return(CKR_PIN_INVALID);
		}

		pNewPin = (CK_UTF8CHAR_PTR) newpinbuf;
		ulNewPinLen = strlen(newpinbuf);
	}

	if (pOldPin == NULL) {
		CACKEY_DEBUG_PRINTF("Old PIN value is wrong (null).");

		cackey_mutex_unlock(cackey_biglock);

		return(CKR_PIN_INCORRECT);
	}

	if (ulOldPinLen == 0 || ulOldPinLen > 8) {
		CACKEY_DEBUG_PRINTF("Old PIN length is wrong: %lu.", (unsigned long) ulOldPinLen);

		cackey_mutex_unlock(cackey_biglock);

		return(CKR_PIN_INCORRECT);
	}

	if (pNewPin == NULL) {
		CACKEY_DEBUG_PRINTF("New PIN value is wrong (either NULL, or too long/short).");

		cackey_mutex_unlock(cackey_biglock);

		return(CKR_PIN_INVALID);
	}

	if (ulNewPinLen < 5 || ulNewPinLen > 8) {
		CACKEY_DEBUG_PRINTF("New PIN length is wrong: %lu, must be atleast 5 and no more than 8.", (unsigned long) ulNewPinLen);

		cackey_mutex_unlock(cackey_biglock);

		return(CKR_PIN_LEN_RANGE);
	}

	set_pin_ret = cackey_set_pin(&cackey_slots[slotID], pOldPin, ulOldPinLen, pNewPin, ulNewPinLen);

	if (set_pin_ret != CACKEY_PCSC_S_OK) {
		if (cackey_pin_command == NULL) {
			cackey_slots[slotID].token_flags |= CKF_LOGIN_REQUIRED;
		}

		if (set_pin_ret == CACKEY_PCSC_E_LOCKED) {
			cackey_slots[slotID].token_flags |= CKF_USER_PIN_LOCKED;
		}
	}

	mutex_retval = cackey_mutex_unlock(cackey_biglock);
	if (mutex_retval != 0) {
		CACKEY_DEBUG_PRINTF("Error.  Unlocking failed.");

		return(CKR_GENERAL_ERROR);
	}

	switch (set_pin_ret) {
		case CACKEY_PCSC_S_OK:
			CACKEY_DEBUG_PRINTF("Successfully set PIN.");

			return(CKR_OK);
		case CACKEY_PCSC_E_BADPIN:
			CACKEY_DEBUG_PRINTF("PIN was invalid.");

			return(CKR_PIN_INVALID);
		case CACKEY_PCSC_E_LOCKED:
			CACKEY_DEBUG_PRINTF("Token is locked or this change is not permitted.");

			return(CKR_PIN_LOCKED);
		default:
			CACKEY_DEBUG_PRINTF("Something else went wrong changing the PIN: %i", set_pin_ret);

			return(CKR_GENERAL_ERROR);
	}

	return(CKR_GENERAL_ERROR);
}

CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY notify, CK_SESSION_HANDLE_PTR phSession) {
	unsigned long idx;
	int mutex_retval;
	int found_session = 0;

................................................................................
	CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);

	return(CKR_FUNCTION_NOT_SUPPORTED);
}

CK_DEFINE_FUNCTION(CK_RV, _C_LoginMutexArg)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, int lock_mutex) {
	CK_SLOT_ID slotID;
	cackey_ret get_pin_ret;
	char pinbuf[64];
	int mutex_retval;
	int tries_remaining;
	int login_ret;


	CACKEY_DEBUG_PRINTF("Called.");

	if (!cackey_initialized) {
		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");

		return(CKR_CRYPTOKI_NOT_INITIALIZED);
................................................................................
		if (lock_mutex) {
			cackey_mutex_unlock(cackey_biglock);
		}

		return(CKR_GENERAL_ERROR);
	}

	if (cackey_pin_command != NULL) {



		if (pPin != NULL) {
			CACKEY_DEBUG_PRINTF("Protected authentication path in effect and PIN provided !?");
		}

		get_pin_ret = cackey_get_pin(pinbuf);


		if (get_pin_ret != CACKEY_PCSC_S_OK) {
			CACKEY_DEBUG_PRINTF("cackey_get_pin() returned in failure, assuming the PIN was incorrect.");

			if (lock_mutex) {
				cackey_mutex_unlock(cackey_biglock);
			}



			return(CKR_PIN_INCORRECT);
		}









































		pPin = (CK_UTF8CHAR_PTR) pinbuf;
		ulPinLen = strlen(pinbuf);
	}

	login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining);
	if (login_ret != CACKEY_PCSC_S_OK) {
		if (lock_mutex) {

Modified cackey_builtin_certs.h from [9c64b878c6] to [cffe24d77b].

cannot compute difference between binary files

Modified configure.ac from [76a04092ae] to [60c4628f66].

1
2
3
4
5
6
7
8
AC_INIT(cackey, 0.7.1) 
AC_CONFIG_HEADERS(config.h)

dnl Locate standard tools
AC_PROG_CC
AC_PROG_MAKE_SET
AC_PROG_INSTALL
AC_AIX
|







1
2
3
4
5
6
7
8
AC_INIT(cackey, 0.7.3) 
AC_CONFIG_HEADERS(config.h)

dnl Locate standard tools
AC_PROG_CC
AC_PROG_MAKE_SET
AC_PROG_INSTALL
AC_AIX