Check-in [38771da1e8]
Overview
Comment:Merged in trunk
SHA1:38771da1e8cec01085e8c8b035592f9708ad771f
User & Date: rkeene on 2015-07-15 20:10:57
Context
2015-07-15
20:10
Merged in trunk Leaf check-in: 38771da1e8 user: rkeene tags: require-login-if-needed
20:05
Added support for updating the PIN check-in: b5ecb7c2d6 user: rkeene tags: trunk
2015-05-04
16:02
Merged in trunk check-in: 6938f7a82c user: rkeene tags: require-login-if-needed
Changes

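--- a/build/builtin-certs-update
+++ b/build/builtin-certs-update
@@ -4,8 +4,14 @@
 
 ourdir="$(dirname "$(which "$0")")"
 cd "${outdir}" || exit 1
 
 make -C certs/dod distclean all
 make -C certs/federal distclean all
 
-./certs-to-c certs/*/*.crt > ../cackey_builtin_certs.h
+if [ "$1" = '--commercial' ]; then
+	commercial='commercial'
+else
+	commercial='SKIP'
+fi
+
+./certs-to-c certs/{dod,federal,$commercial}/*.crt > ../cackey_builtin_certs.h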
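Review bot: In the default case the new `./certs-to-c certs/{dod,federal,$commercial}/*.crt` line expands to a `certs/SKIP/*.crt` pattern that matches nothing and is handed to certs-to-c as a literal argument, so the build relies on certs-to-c discarding it and fails outright if `failglob` is set. Since this line decides which CAs become built-in trust anchors, I would build the directory list explicitly, e.g. `dirs='dod federal'; [ "$1" = '--commercial' ] && dirs="$dirs commercial"`, and loop over it. The context lines above also assign `ourdir` but then run `cd "${outdir}"`, so the script probably does not change into its own directory and the relative `certs/` and `../cackey_builtin_certs.h` paths resolve against the caller's working directory; `cd "${ourdir}" || exit 1` looks like the intent. The script's first lines, including the shebang the brace expansion depends on, are outside the hunk.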

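--- a/build/cackey_osx_build/Template_pmbuild/03libcackey.xml.in
+++ b/build/cackey_osx_build/Template_pmbuild/03libcackey.xml.in
@@ -2,15 +2,15 @@
 	<config>
 		<identifier>mil.army.usace.cackeyForMacOsX@@OSXVERSION@@.cackey.pkg</identifier>
 		<version>1</version>
 		<description></description>
 		<post-install type="none"/>
 		<requireAuthorization/>
 		<installFrom relative="true" mod="true">cackey.dylib</installFrom>
-		<installTo mod="true" relocatable="true">/usr/lib/pkcs11</installTo>
+		<installTo mod="true" relocatable="true">/usr/local/lib/pkcs11</installTo>
 		<flags></flags>
 		<packageStore type="internal"></packageStore>
 		<mod>parent</mod>
 		<mod>scripts.postinstall.path</mod>
 		<mod>scripts.scriptsDirectoryPath.isRelativeType</mod>
 		<mod>scripts.scriptsDirectoryPath.path</mod>
 		<mod>installTo.isAbsoluteType</mod>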

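--- a/build/cackey_osx_build/Template_pmbuild/04pkcs11tokend.xml.in
+++ b/build/cackey_osx_build/Template_pmbuild/04pkcs11tokend.xml.in
@@ -2,15 +2,15 @@
 	<config>
 		<identifier>mil.army.usace.cackeyForMacOsX@@OSXVERSION@@.PKCS11.pkg</identifier>
 		<version>1</version>
 		<description></description>
 		<post-install type="none"/>
 		<requireAuthorization/>
 		<installFrom relative="true" mod="true">PKCS11.tokend</installFrom>
-		<installTo mod="true" relocatable="true">/System/Library/Security/tokend/PKCS11.tokend</installTo>
+		<installTo mod="true" relocatable="true">/Library/Security/tokend/PKCS11.tokend</installTo>
 		<flags></flags>
 		<packageStore type="internal"></packageStore>
 		<mod>parent</mod>
 		<mod>scripts.postinstall.path</mod>
 		<mod>scripts.scriptsDirectoryPath.isRelativeType</mod>
 		<mod>scripts.scriptsDirectoryPath.path</mod>
 		<mod>installTo.isAbsoluteType</mod>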

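--- a/build/cackey_osx_build/Template_pmbuild/index.xml.in
+++ b/build/cackey_osx_build/Template_pmbuild/index.xml.in
@@ -65,17 +65,17 @@
 {\fonttbl\f0\fnil\fcharset0 LucidaGrande;}
 {\colortbl;\red255\green255\blue255;}
 \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
 
 \f0\fs26 \cf0 Thank you for choosing to install CACKey.\
 \
 To use CACKey, install /Library/CACKey/libcackey.dylib or\
-/usr/lib/pkcs11/cackey.dylib as a security module into any application that can use a PKCS#11 provider.\
+/usr/local/lib/pkcs11/cackey.dylib as a security module into any application that can use a PKCS#11 provider.\
 \
-A PKCS11 Connector for Tokend (Keychain Access) will be installed in /System/Library/Security/tokend.\
+A PKCS11 Connector for Tokend (Keychain Access) will be installed in /Library/Security/tokend.\
 To use, be sure to import the certificate authorities into Keychain Access.\
 \
 A debug version, /Library/CACKey/libcackey_g.dylib is provided if debug output is necessary.}]]>
 			</resource>
 		</locale>
 	</resources>
 	<requirements>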

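--- a/build/cackey_osx_build/Template_pmbuild/scripts/03libcackey-post.sh
+++ b/build/cackey_osx_build/Template_pmbuild/scripts/03libcackey-post.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-chmod 755 /usr/lib/pkcs11
-chown root:wheel /usr/lib/pkcs11
+chmod 755 /usr/local/lib/pkcs11
+chown root:wheel /usr/local/lib/pkcs11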
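Review bot: The two commands fix up only the directory `/usr/local/lib/pkcs11` itself, not `cackey.dylib` inside it or the parent directories. Unlike `/usr/lib`, `/usr/local` and `/usr/local/lib` are often owned by or writable for a non-root account, so a module that applications load as a PKCS#11 provider may now sit under a path an unprivileged user can rearrange. I would add `chown root:wheel /usr/local/lib/pkcs11/cackey.dylib` and `chmod 755 /usr/local/lib/pkcs11/cackey.dylib`, and have the script print a warning when `/usr/local/lib` is not root-owned. Whether the package payload already sets the file's owner and mode is not visible on this page.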

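--- a/build/cackey_osx_build/Template_pmbuild/scripts/04pkcs11tokend-post.sh
+++ b/build/cackey_osx_build/Template_pmbuild/scripts/04pkcs11tokend-post.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-chmod -R go+rX /System/Library/Security/tokend/PKCS11.tokend
-chown -R root:wheel /System/Library/Security/tokend/PKCS11.tokend
+chmod -R go+rX /Library/Security/tokend/PKCS11.tokend
+chown -R root:wheel /Library/Security/tokend/PKCS11.tokend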
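Review bot: `chmod -R go+rX` only adds read and search bits, so any group- or world-write bit carried in from the package payload survives on the bundle now installed under `/Library/Security/tokend`. Because the installer text describes this bundle as the connector used by Keychain Access, I would set the mode outright instead of adding to it: `chmod -R u=rwX,go=rX /Library/Security/tokend/PKCS11.tokend`. Neither command's exit status is checked, so a failed `chown` leaves the install looking successful; `set -e` after the shebang would surface that.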

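--- a/build/cackey_osx_build/build_osx.sh
+++ b/build/cackey_osx_build/build_osx.sh
@@ -10,15 +10,15 @@
 fi
 
 # Usage function
 usage() {
 	echo "Usage: build_osx.sh <target>"
 	echo Where target is one of:
 	echo "    leopard  - (Builds Universal 10.5 Library for PPCG4/i386)"
-	echo "    sltoyos - (Builds Universal 10.6/10.7/10.8/10.9/10.10 Library for i386/x86_64)"
+	echo "    slandup - (Builds Universal 10.6 and Up Library for i386/x86_64)"
 	echo "    all - (Builds for all supported targets)"
 	echo "    clean - (Cleans up)"
 	echo "Run from CACKey Build Root."
 	echo ""
 	echo "NOTE:  Leopard build requires legacy XCode 3 components in"
 	echo "       /Developer because of PowerPC support."
 	echo "       All builds require gnutar, automake, and autoconf."
@@ -43,15 +43,15 @@
 		LIBTOOLDIR=/Developer/usr/share/libtool
 	else
 		LIBTOOLDIR=/Developer/usr/share/libtool/config
 	fi
 	if [ ! -d macbuild ]; then
 		mkdir macbuild
 		mkdir macbuild/Leopard
-		mkdir macbuild/Sltoyos
+		mkdir macbuild/Slandup
 		mkdir macbuild/pkg
 	fi
 	if [ ! -f config.guess ]; then
 		cp ${LIBTOOLDIR}/config.guess .
 	fi
 	if [ ! -f config.sub ]; then
 		cp ${LIBTOOLDIR}/config.sub .
@@ -77,23 +77,23 @@
 		genbuild
 	done
 	libbuild
 	pkgbuild
 }
 
 # Build function for Snow Leopard/Lion/Mountain Lion/Mavericks/Yosemite
-sltoyos() {
+slandup() {
 	makedir
 	HEADERS=/Developer/SDKs/MacOSX10.6.sdk/System/Library/Frameworks/PCSC.framework/Versions/A/Headers/
 	LIBRARY=/Developer/SDKs/MacOSX10.6.sdk/System/Library/Frameworks/PCSC.framework/PCSC
 	LIB=""
 	ARCHLIST=""
 	DLIB=""
 	DARCHLIST=""
-	OSX=Sltoyos
+	OSX=Slandup
 	PKTARGETOS=3
 	CUROSXVER=10.6
 	for HOST in i386-apple-darwin10 x86_64-apple-darwin10; do
 		genbuild
 	done
 	libbuild
 	pkgbuild
@@ -165,16 +165,16 @@
 		sed "s|@@TARGETOS@@|${PKTARGETOS}|g" build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC} > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1
 		sed "s|@@CUROSXVER@@|${CUROSXVER}|g" build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC} > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1
 		sed "s|@@LIBCACKEYG@@|${LIBCACKEYG}|g" build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1 > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}
 		cp build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC} build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1
 		mv build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}.1 build/cackey_osx_build/${OSX}_pmbuild.pmdoc/${PMDOC}
 	done
 	EXT=pkg
-	if [ ${OSX} == "Sltoyos" ]; then
-		cat build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml | sed 's|for Mac OS X Sltoyos|for Mac OS X SLtoYos|g' > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml.new
+	if [ ${OSX} == "Slandup" ]; then
+		cat build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml | sed 's|for Mac OS X Slandup|for Mac OS X SLandUp|g' > build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml.new
 		mv build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml.new build/cackey_osx_build/${OSX}_pmbuild.pmdoc/index.xml
 	fi
 	/Developer/Applications/Utilities/PackageMaker.app/Contents/MacOS/PackageMaker -d build/cackey_osx_build/${OSX}_pmbuild.pmdoc -o macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}
 	tar --create --directory macbuild/pkg/ --file macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}.tar CACKey_${CACKEY_VERSION}_${OSX}.${EXT}
 	gzip -9 macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}.tar
 	rm -rf macbuild/pkg/CACKey_${CACKEY_VERSION}_${OSX}.${EXT}
 	rm -f build/cackey_osx_build/cackey.dylib
@@ -191,24 +191,24 @@
 
 	"leopard")
 		./autogen.sh
 		leopard
 		exit $?
 	;;
 
-	"sltoyos")
+	"slandup")
 		./autogen.sh
-		sltoyos
+		slandup
 		exit $?
 	;;
 
 	"all")
 		./autogen.sh
 		leopard
-		sltoyos
+		slandup
 		echo ""
 		echo "All builds complete."
 		exit $?
 	;;
 
 	"clean")
 		clean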

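--- a/build/certs-to-c
+++ b/build/certs-to-c
@@ -1,27 +1,32 @@
 #! /bin/bash
 
 for file in "$@"; do
+	if [ ! -f "${file}" ]; then
+		continue
+	fi
+
 	rm -f tmpfile.x509
 	if ! openssl x509 -in "${file}" -inform pem -noout -checkend 0 >/dev/null 2>/dev/null; then
 		echo "warning: Skipping \"${file}\" as it is invalid or expired." >&2
 
 		continue
 	fi
 
 	openssl x509 -in "${file}" -out tmpfile.x509 -inform pem -outform der
 
-	pubkeylen="$(openssl x509 -in tmpfile.x509 -inform der -text -noout | grep 'RSA Public Key:' | sed 's@^.*(\([0-9][0-9]*\) bit).*$@\1@')"
-	certlen="$(cat tmpfile.x509 | wc -c)"
+	pubkeylen="$(openssl x509 -in tmpfile.x509 -inform der -text -noout | grep 'Public[- ]Key:' | sed 's@^.*(\([0-9][0-9]*\) bit).*$@\1@')"
+	certlen="$(cat tmpfile.x509 | wc -c | awk '{ print $1 }')"
 	cert="$(( cat tmpfile.x509 | od -t x1 | cut -c 9- | tr "\n" ' '; echo ) | sed 's@ @@g;s@..@\\x&@g')"
 
 	cat << _EOF_
+	/* ${file} */
 	{
 		CACKEY_ID_TYPE_CERT_ONLY, /* id_type */
 		${certlen}, /* certificate_len */
 		(unsigned char *) "${cert}", /* certificate */
 		${pubkeylen} /* keysize */
 	},
 _EOF_
 done
 
 rm -f tmpfile.x509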
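Review bot: `pubkeylen` is written into the generated initializer without checking that the `grep 'Public[- ]Key:'` and `sed` pipeline produced a single number. If the pattern matches nothing the entry gets an empty `/* keysize */` field, and if `sed` finds no `(N bit)` the whole text line is pasted in. A guard before the here-document, such as `case "${pubkeylen}" in ''|*[!0-9]*) echo "warning: Skipping \"${file}\": cannot determine key size." >&2; continue;; esac`, keeps a malformed entry out of `cackey_builtin_certs.h`. The new `/* ${file} */` comment also copies the path verbatim, so a file name containing `*/` would close the comment early.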

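--- a/build/certs/commercial/kps-ca-1.crt
+++ b/build/certs/commercial/kps-ca-1.crt
@@ -1,26 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBrDELMAkGA1UEBhMCVVMx
-ETAPBgNVBAgTCFZpcmdpbmlhMQ8wDQYDVQQHEwZSZXN0b24xIDAeBgNVBAoTF0tu
-aWdodFBvaW50IFN5c3RlbXMgTExDMRcwFQYDVQQLEw5LbmlnaHRQb2ludCBJVDEY
-MBYGA1UECxMPS25pZ2h0UG9pbnQgUEtJMSQwIgYDVQQDExtLbmlnaHRQb2ludCBT
-eXN0ZW1zIFJvb3QgQ0EwHhcNMTUwMTAxMDAwMDAwWhcNMTcwMTAxMDAwMDAwWjCB
-qTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMQ8wDQYDVQQHEwZSZXN0
-b24xIDAeBgNVBAoTF0tuaWdodFBvaW50IFN5c3RlbXMgTExDMRcwFQYDVQQLEw5L
-bmlnaHRQb2ludCBJVDEYMBYGA1UECxMPS25pZ2h0UG9pbnQgUEtJMSEwHwYDVQQD
-ExhLbmlnaHRQb2ludCBTeXN0ZW1zIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDFB0hZlCwZFIUn/fHk/Ubeia8/pnpC/yuWs+oicBs9SvhrZNMI
-8aYmnUhyaMfE+bxJrZSCYdGffm9VJxWv/suJ+Cr+9gdxWBWpqncw78agCNa5Oo2l
-tqjFIE6mTCd9QE6CnNJJUc1ysZaz9WmWuA1i9EQ4ybV+l7baOmvE7MNUf6sPew+W
-42QjiWjri9xzpXTl3fhcYxNp/Dx5GXzJIpV+Eg5FlxKn+P75HUJpV2qpHzAzR5gM
-Xiee1O1PogqS1ylWQsY60fS9eIiYx08R6JeN6SISr8MOsatWsepHa8lch+NSIVeW
-4QhD9NOH3JUDgTGR8aB2StmuQFEO+9daMWMfAgMBAAGjYDBeMBIGA1UdEwEB/wQI
-MAYBAf8CAQEwNwYDVR0fAQEABC0wKzApoCegJYYjaHR0cDovL3BraS5rbmlnaHRw
-b2ludC5jb20vY3JsL3Jvb3QwDwYDVR0PAQH/BAUDAweGADANBgkqhkiG9w0BAQsF
-AAOCAQEAFu5CYJqLuq3Ey/RBsP0tVF9s7HGDprLyhaOWSn558e4it6kLrionX+Qg
-5szXlqx8LoQBj/Zq0ObGguns7C6EfwqyNXl2G+DdFNqOn491fFijvWmwl2Wotkgw
-CieuVGaN8JCOmLtzPM1HOr2GSAWGz59uDB+axJVIvqSJLT5UAz5OzA5ECnND5qnQ
-lk1FZvST8b8HZaetAFf4jZBY/2WQVyam45yNNIM5jAtr6CtUEDiWq+ReAFDHEN3p
-J/QfPiavPnBjBAC1xJu6HtKXNGiEMWirc6MyT3QPlCj632PcC+/MpqDSFYV+qYRK
-5te0SbUIziVyglsN5+oGeEDPyiyheQ==
+MIIEfTCCA2WgAwIBAgICJxAwDQYJKoZIhvcNAQELBQAwgawxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIEwhWaXJnaW5pYTEPMA0GA1UEBxMGUmVzdG9uMSAwHgYDVQQKExdL
+bmlnaHRQb2ludCBTeXN0ZW1zIExMQzEXMBUGA1UECxMOS25pZ2h0UG9pbnQgSVQx
+GDAWBgNVBAsTD0tuaWdodFBvaW50IFBLSTEkMCIGA1UEAxMbS25pZ2h0UG9pbnQg
+U3lzdGVtcyBSb290IENBMB4XDTE1MDEwMTAwMDAwMFoXDTIwMDEwMTAwMDAwMFow
+gakxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTEPMA0GA1UEBxMGUmVz
+dG9uMSAwHgYDVQQKExdLbmlnaHRQb2ludCBTeXN0ZW1zIExMQzEXMBUGA1UECxMO
+S25pZ2h0UG9pbnQgSVQxGDAWBgNVBAsTD0tuaWdodFBvaW50IFBLSTEhMB8GA1UE
+AxMYS25pZ2h0UG9pbnQgU3lzdGVtcyBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAxQdIWZQsGRSFJ/3x5P1G3omvP6Z6Qv8rlrPqInAbPUr4a2TT
+CPGmJp1IcmjHxPm8Sa2UgmHRn35vVScVr/7Lifgq/vYHcVgVqap3MO/GoAjWuTqN
+pbaoxSBOpkwnfUBOgpzSSVHNcrGWs/VplrgNYvREOMm1fpe22jprxOzDVH+rD3sP
+luNkI4lo64vcc6V05d34XGMTafw8eRl8ySKVfhIORZcSp/j++R1CaVdqqR8wM0eY
+DF4nntTtT6IKktcpVkLGOtH0vXiImMdPEeiXjekiEq/DDrGrVrHqR2vJXIfjUiFX
+luEIQ/TTh9yVA4ExkfGgdkrZrkBRDvvXWjFjHwIDAQABo4GpMIGmMCAGA1UdDgEB
+AAQWBBQ4LgWOLupZrGEOIQCvWkCBLwOTcDASBgNVHRMBAf8ECDAGAQH/AgEBMDcG
+A1UdHwEBAAQtMCswKaAnoCWGI2h0dHA6Ly9wa2kua25pZ2h0cG9pbnQuY29tL2Ny
+bC9yb290MA8GA1UdDwEB/wQFAwMHhgAwJAYDVR0jAQEABBowGKAWBBQ5k0zyzDhs
+X4G3Lr8tKuBZMyEqnjANBgkqhkiG9w0BAQsFAAOCAQEAT6vuDz9WLADBLII9CJYc
+9N69OOELuDb9E4bAj/93E9S5WpZsa/nMud5kgdLiLSlsD71Pu3lUaDxPi0lOnbI0
+7g3JXNEpOvNSDBnVVD0jPC4nj2XpNFSVue1mpP5bWYHyzbruEjJtoTPzvE0an6Bp
+Cl96uA5MFWyKsgWtwZSnX+Ru05vSLWI7jjcAkGW+atV/iPe0vwtFJR/RiQUKyqsa
+We3Xyw+T0x0UwlpKMhS7d3A+f/4pVtaLtCvLZKYyLAaji+DxlIM4WIPZ0IOD/Xbb
+YagEem5bnPlmugrnGCxovJW2mBKm3iSSvZi0nW2TEVigHaBULItFRrF9J+d+8aG+
+TQ==
 -----END CERTIFICATE-----
 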

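--- a/build/certs/commercial/kps-root-ca.crt
+++ b/build/certs/commercial/kps-root-ca.crt
@@ -1,24 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIID/jCCAuagAwIBAgIGAUvsEnbkMA0GCSqGSIb3DQEBCwUAMIGsMQswCQYDVQQG
+MIIERjCCAy6gAwIBAgIGAUvsEnbkMA0GCSqGSIb3DQEBCwUAMIGsMQswCQYDVQQG
 EwJVUzERMA8GA1UECBMIVmlyZ2luaWExDzANBgNVBAcTBlJlc3RvbjEgMB4GA1UE
 ChMXS25pZ2h0UG9pbnQgU3lzdGVtcyBMTEMxFzAVBgNVBAsTDktuaWdodFBvaW50
 IElUMRgwFgYDVQQLEw9LbmlnaHRQb2ludCBQS0kxJDAiBgNVBAMTG0tuaWdodFBv
 aW50IFN5c3RlbXMgUm9vdCBDQTAeFw0xNTAxMDEwMDAwMDBaFw0zNTAxMDEwMDAw
 MDBaMIGsMQswCQYDVQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExDzANBgNVBAcT
 BlJlc3RvbjEgMB4GA1UEChMXS25pZ2h0UG9pbnQgU3lzdGVtcyBMTEMxFzAVBgNV
 BAsTDktuaWdodFBvaW50IElUMRgwFgYDVQQLEw9LbmlnaHRQb2ludCBQS0kxJDAi
 BgNVBAMTG0tuaWdodFBvaW50IFN5c3RlbXMgUm9vdCBDQTCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAMqF1VSV4bYdl5Lq2qtB/KXf/DaNSlTmgjhWAMQT
 1eS9UqiDEDvLHdoTpqCo02/dNDmWpb3GRCt8BIuPaLp/v4xaEStS8feGjlDlBVSv
 vXf4rj7is923okBjjTqz4l25QeDtJAAz4VsNkopo8Fb2wMs8glF5rNnwaQm6PgqN
 8/VF4eHM0fUuq8+WxzXdk9Z50pF9/RM4m4Nj7SeFGxwSWBxvRLjYv6z8k2G1PTnE
 seCeWO3NAcPbxuPcpY8dQDRng22zS3HDW/0+nW1UFLu2UiD0yECWiNPYTah/FKiC
-dp8+JkOqcbyfdu7sA287AXG43rniXA95HNtwRZh1Do5l1f8CAwEAAaMkMCIwDwYD
-VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDB4YAMA0GCSqGSIb3DQEBCwUAA4IB
-AQAcujWXZ3E3zS/7VSCTp6huc5bwDAncxWtcBjV8O0cJIbbqvYVlCfosI+VqtUAT
-9lG2QVRwPTrz171WB0NXRJdIX0r8oemTV+lknE7KauwtoMiGKADxyH5XJuIvchwb
-ykuPXnBPJ8KAUV5tFDWgjLcrICrBjadywSS6/EBCFzFjFb11Sw4eAhohrEow+keD
-Dsow+NcpdRm3kwEa5mvdheIixPtemtC8UnB/iKjVlM2O+ihy85xdJLkqp9hZ4gro
-W5AEzRV6pN8OBTMXCQieQcYMyPvEf0AUpcAqxxOciWQGRbdyF/4DetuFz7fOxAHD
-3WRKCbxylVFQV4hzK5dJAJsg
+dp8+JkOqcbyfdu7sA287AXG43rniXA95HNtwRZh1Do5l1f8CAwEAAaNsMGowIAYD
+VR0OAQEABBYEFDmTTPLMOGxfgbcuvy0q4FkzISqeMA8GA1UdEwEB/wQFMAMBAf8w
+DwYDVR0PAQH/BAUDAweEADAkBgNVHSMBAQAEGjAYoBYEFDmTTPLMOGxfgbcuvy0q
+4FkzISqeMA0GCSqGSIb3DQEBCwUAA4IBAQAGn+FTnF6HO8wfQHJG8Ge/6TNflj5t
+92i6JOIx8AAy1ZfC5HWZJWjwEa+kIy5upRm0BE/we4WJKwmMDxPZP4jC6cC9BYE2
+e6sqTThsTUEVI0e41bKBCF6ErHpRlp4EfHfmTNpiSjqBgNCK7kcyeQF0bPnUHO0Q
+TPrY5WUpTnRBR2NnQBvmjl0nLBWDU1+2ib5bskZfnBRCPwVYGa393VmpaBDuIozG
+P0vv2UuLetj5Xa5NDPv5c43s8+Z4pW5EEb2qH0Wfh5/g6qFWVMFVFkk9Jr+qVHf3
+ueZlAL7HchQgaA2f+dY53CdnL7kX4Pv79uSHKzynxSIVMP/d0fdwvwKd
 -----END CERTIFICATE-----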

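--- a/build/certs/dod/Makefile
+++ b/build/certs/dod/Makefile
@@ -1,12 +1,14 @@
 all: cert-0.crt
 
 rel3_dodroot_2048.cac:
-	wget -O "$@.new" http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
-	mv "$@.new" "$@"
+	wget -O Certificates_PKCS7_v4.1_DoD.zip http://iasecontent.disa.mil/pki-pke/Certificates_PKCS7_v4.1_DoD.zip
+	unzip Certificates_PKCS7_v4.1_DoD.zip Certificates_PKCS7_v4.1_DoD/Certificates_PKCS7_v4.1_DoD.der.p7b
+	mv Certificates_PKCS7_v4.1_DoD/Certificates_PKCS7_v4.1_DoD.der.p7b "$@"
+	rm -rf Certificates_PKCS7_v4.1_DoD Certificates_PKCS7_v4.1_DoD.zip
 
 cert-%.crt: rel3_dodroot_2048.cac
 	idx=0; \
 	( \
 		openssl pkcs7 -in rel3_dodroot_2048.cac -inform DER -print_certs -text; \
 	) | while IFS='' read -r line; do \
 		if [ -z "$${line}" ]; then \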
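Review bot: The new `wget` line fetches the DoD certificate bundle over plain `http://` and the recipe unpacks it with no integrity check, yet the certificates extracted from it end up in the built-in trust list via `builtin-certs-update`. A download altered in transit at build time would therefore change which roots are compiled into the module. I would pin the expected digest of the archive in the Makefile and verify it before `unzip`, e.g. `echo "<EXPECTED_SHA256>  Certificates_PKCS7_v4.1_DoD.zip" | shasum -a 256 -c -`, and switch the URL to HTTPS if the host offers it. The `cert-%.crt` recipe continues past the end of the hunk.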

Modified cackey.c from [60fa6fcd12] to [a802283a94].

    81     81   #define GSCIS_INSTR_READ_BINARY       0xB0
    82     82   #define GSCIS_INSTR_UPDATE_BINARY     0xD6
    83     83   #define GSCIS_INSTR_SELECT            0xA4
    84     84   #define GSCIS_INSTR_EXTERNAL_AUTH     0x82
    85     85   #define GSCIS_INSTR_GET_CHALLENGE     0x84
    86     86   #define GSCIS_INSTR_INTERNAL_AUTH     0x88
    87     87   #define GSCIS_INSTR_VERIFY            0x20
           88  +#define GSCIS_INSTR_CHANGE_REFERENCE  0x24
    88     89   #define GSCIS_INSTR_SIGN              0x2A
    89     90   #define GSCIS_INSTR_GET_PROP          0x56
    90     91   #define GSCIS_INSTR_GET_ACR           0x4C
    91     92   #define GSCIS_INSTR_READ_BUFFER       0x52
    92     93   #define GSCIS_INSTR_SIGNDECRYPT       0x42
    93     94   
    94     95   #define GSCIS_PARAM_SELECT_APPLET     0x04
................................................................................
  1547   1548   			xmit_buf[xmit_len++] = le;
  1548   1549   		}
  1549   1550   	}
  1550   1551   
  1551   1552   	/* Begin Smartcard Transaction */
  1552   1553   	cackey_begin_transaction(slot);
  1553   1554   
  1554         -	if (class == GSCIS_CLASS_ISO7816 && instruction == GSCIS_INSTR_VERIFY && p1 == 0x00) {
         1555  +	if (class == GSCIS_CLASS_ISO7816 && (instruction == GSCIS_INSTR_VERIFY || instruction == GSCIS_INSTR_CHANGE_REFERENCE) && p1 == 0x00) {
  1555   1556   		CACKEY_DEBUG_PRINTF("Sending APDU: <<censored>>");
  1556   1557   	} else {
  1557   1558   		CACKEY_DEBUG_PRINTBUF("Sending APDU:", xmit_buf, xmit_len);
  1558   1559   	}
  1559   1560   
  1560   1561   	recv_len = sizeof(recv_buf);
  1561   1562   	scard_xmit_ret = SCardTransmit(slot->pcsc_card, pioSendPci, xmit_buf, xmit_len, NULL, recv_buf, &recv_len);
................................................................................
  3153   3154    *
  3154   3155    * RETURN VALUE
  3155   3156    *     ...
  3156   3157    *
  3157   3158    * NOTES
  3158   3159    *     ...
  3159   3160    *
         3161  + */
         3162  +static cackey_ret cackey_set_pin(struct cackey_slot *slot, unsigned char *old_pin, unsigned long old_pin_len, unsigned char *pin, unsigned long pin_len) {
         3163  +	struct cackey_pcsc_identity *pcsc_identities;
         3164  +	unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
         3165  +	unsigned char old_cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
         3166  +	unsigned char pin_update[sizeof(cac_pin) + sizeof(old_cac_pin)];
         3167  +	unsigned long num_certs;
         3168  +	uint16_t response_code;
         3169  +	int tries_remaining;
         3170  +	int send_ret;
         3171  +	int key_reference = 0x00;
         3172  +
         3173  +	/* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */
         3174  +	if (pin_len >= 8) {
         3175  +		memcpy(cac_pin, pin, 8);
         3176  +	} else {
         3177  +		memcpy(cac_pin, pin, pin_len);
         3178  +	}
         3179  +
         3180  +	if (old_pin_len >= 8) {
         3181  +		memcpy(old_cac_pin, old_pin, 8);
         3182  +	} else {
         3183  +		memcpy(old_cac_pin, old_pin, old_pin_len);
         3184  +	}
         3185  +
         3186  +	/* Concatenate both PINs together to send as a single instruction */
         3187  +	memcpy(pin_update, old_cac_pin, sizeof(old_cac_pin));
         3188  +	memcpy(pin_update + sizeof(old_cac_pin), cac_pin, sizeof(cac_pin));
         3189  +
         3190  +	/* Reject PINs which are too short */
         3191  +	if (pin_len < 5) {
         3192  +		CACKEY_DEBUG_PRINTF("Rejecting New PIN which is too short (length = %lu, must be atleast 5)", pin_len);
         3193  +
         3194  +		return(CACKEY_PCSC_E_BADPIN);
         3195  +	}
         3196  +
         3197  +	if (old_pin_len < 5) {
         3198  +		CACKEY_DEBUG_PRINTF("Rejecting Old PIN which is too short (length = %lu, must be atleast 5)", old_pin_len);
         3199  +
         3200  +		return(CACKEY_PCSC_E_BADPIN);
         3201  +	}
         3202  +
         3203  +	/* PIV authentication uses a "key_reference" of 0x80 */
         3204  +	pcsc_identities = cackey_read_certs(slot, NULL, &num_certs);
         3205  +	if (num_certs > 0 && pcsc_identities != NULL) {
         3206  +		switch (pcsc_identities[0].id_type) {
         3207  +			case CACKEY_ID_TYPE_PIV:
         3208  +				CACKEY_DEBUG_PRINTF("We have PIV card, so we will attempt to authenticate using the PIV Application key reference");
         3209  +
         3210  +				key_reference = 0x80;
         3211  +				break;
         3212  +			default:
         3213  +				break;
         3214  +		}
         3215  +
         3216  +		cackey_free_certs(pcsc_identities, num_certs, 1);
         3217  +	}
         3218  +
         3219  +	/* Issue a Set PIN (CHANGE REFERENCE) */
         3220  +	send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_CHANGE_REFERENCE, 0x00, key_reference, sizeof(pin_update), pin_update, 0x00, &response_code, NULL, NULL);
         3221  +
         3222  +	if (send_ret != CACKEY_PCSC_S_OK) {
         3223  +		if ((response_code & 0x63C0) == 0x63C0) {
         3224  +			tries_remaining = (response_code & 0xF);
         3225  +
         3226  +			CACKEY_DEBUG_PRINTF("PIN Verification failed, %i tries remaining", tries_remaining);
         3227  +
         3228  +			return(CACKEY_PCSC_E_BADPIN);
         3229  +		}
         3230  +
         3231  +		if (response_code == 0x6983) {
         3232  +			CACKEY_DEBUG_PRINTF("Unable to set PIN, device is locked or changing the PIN is disabled");
         3233  +
         3234  +			return(CACKEY_PCSC_E_LOCKED);
         3235  +		}
         3236  +
         3237  +		return(CACKEY_PCSC_E_GENERIC);
         3238  +	}
         3239  +
         3240  +	CACKEY_DEBUG_PRINTF("PIN Change succeeded");
         3241  +
         3242  +	return(CACKEY_PCSC_S_OK);
         3243  +}
         3244  +
         3245  +/*
         3246  + * SYNPOSIS
         3247  + *     ...
         3248  + *
         3249  + * ARGUMENTS
         3250  + *     ...
         3251  + *
         3252  + * RETURN VALUE
         3253  + *     ...
         3254  + *
         3255  + * NOTES
         3256  + *     ...
         3257  + *
  3160   3258    */
  3161   3259   static cackey_ret cackey_login(struct cackey_slot *slot, unsigned char *pin, unsigned long pin_len, int *tries_remaining_p) {
  3162   3260   	struct cackey_pcsc_identity *pcsc_identities;
  3163   3261   	unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
  3164   3262   	unsigned long num_certs;
  3165   3263   	uint16_t response_code;
  3166   3264   	int tries_remaining;
................................................................................
  4186   4284   		return(identities);
  4187   4285   	}
  4188   4286   
  4189   4287   
  4190   4288   	*ids_found = 0;
  4191   4289   	return(NULL);
  4192   4290   }
         4291  +
         4292  +static cackey_ret cackey_get_pin(char *pinbuf) {
         4293  +	FILE *pinfd;
         4294  +	char *fgets_ret;
         4295  +	int pclose_ret;
         4296  +
         4297  +	if (cackey_pin_command == NULL) {
         4298  +		return(CACKEY_PCSC_E_GENERIC);
         4299  +	}
         4300  +
         4301  +	if (pinbuf == NULL) {
         4302  +		return(CACKEY_PCSC_E_GENERIC);
         4303  +	}
         4304  +
         4305  +	CACKEY_DEBUG_PRINTF("CACKEY_PIN_COMMAND = %s", cackey_pin_command);
         4306  +
         4307  +	pinfd = popen(cackey_pin_command, "r");
         4308  +	if (pinfd == NULL) {
         4309  +		CACKEY_DEBUG_PRINTF("Error.  %s: Unable to run", cackey_pin_command);
         4310  +
         4311  +		return(CACKEY_PCSC_E_BADPIN);
         4312  +	}
         4313  +
         4314  +	fgets_ret = fgets(pinbuf, 32, pinfd);
         4315  +	if (fgets_ret == NULL) {
         4316  +		pinbuf[0] = '\0';
         4317  +	}
         4318  +
         4319  +	pclose_ret = pclose(pinfd);
         4320  +	if (pclose_ret == -1 && errno == ECHILD) {
         4321  +		CACKEY_DEBUG_PRINTF("Notice.  pclose() indicated it could not get the status of the child, assuming it succeeeded !");
         4322  +
         4323  +		pclose_ret = 0;
         4324  +	}
         4325  +
         4326  +	if (pclose_ret != 0) {
         4327  +		CACKEY_DEBUG_PRINTF("Error.  %s: exited with non-zero status of %i", cackey_pin_command, pclose_ret);
         4328  +
         4329  +		return(CACKEY_PCSC_E_BADPIN);
         4330  +	}
         4331  +
         4332  +	if (strlen(pinbuf) < 1) {
         4333  +		CACKEY_DEBUG_PRINTF("Error.  %s: returned no data", cackey_pin_command);
         4334  +
         4335  +		return(CACKEY_PCSC_E_BADPIN);
         4336  +	}
         4337  +
         4338  +	if (pinbuf[strlen(pinbuf) - 1] == '\n') {
         4339  +		pinbuf[strlen(pinbuf) - 1] = '\0';
         4340  +	}
         4341  +
         4342  +	return(CACKEY_PCSC_S_OK);
         4343  +}
  4193   4344   
  4194   4345   CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
  4195   4346   	CK_C_INITIALIZE_ARGS CK_PTR args;
  4196   4347   	uint32_t idx, highest_slot;
  4197   4348   	int mutex_init_ret;
  4198   4349   	int include_dod_certs;
  4199   4350   
................................................................................
  4999   5150   	}
  5000   5151   
  5001   5152   	CACKEY_DEBUG_PRINTF("Returning CKR_TOKEN_WRITE_PROTECTED (%i)", CKR_TOKEN_WRITE_PROTECTED);
  5002   5153   
  5003   5154   	return(CKR_TOKEN_WRITE_PROTECTED);
  5004   5155   }
  5005   5156   
  5006         -/* We don't support this method. */
  5007   5157   CK_DEFINE_FUNCTION(CK_RV, C_SetPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldPinLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewPinLen) {
  5008         -	CACKEY_DEBUG_PRINTF("Called.");
  5009         -
  5010         -	if (!cackey_initialized) {
  5011         -		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");
  5012         -
  5013         -		return(CKR_CRYPTOKI_NOT_INITIALIZED);
  5014         -	}
  5015         -
  5016         -	CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);
  5017         -
  5018         -	return(CKR_FUNCTION_NOT_SUPPORTED);
         5158  +	char oldpinbuf[64], newpinbuf[64];
         5159  +	cackey_ret set_pin_ret, get_pin_ret;
         5160  +	CK_SLOT_ID slotID;
         5161  +	int mutex_retval;
         5162  +
         5163  +	CACKEY_DEBUG_PRINTF("Called.");
         5164  +
         5165  +	if (!cackey_initialized) {
         5166  +		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");
         5167  +
         5168  +		return(CKR_CRYPTOKI_NOT_INITIALIZED);
         5169  +	}
         5170  +
         5171  +	mutex_retval = cackey_mutex_lock(cackey_biglock);
         5172  +	if (mutex_retval != 0) {
         5173  +		CACKEY_DEBUG_PRINTF("Error.  Locking failed.");
         5174  +
         5175  +		return(CKR_GENERAL_ERROR);
         5176  +	}
         5177  +
         5178  +	if (!cackey_sessions[hSession].active) {
         5179  +		cackey_mutex_unlock(cackey_biglock);
         5180  +
         5181  +		CACKEY_DEBUG_PRINTF("Error.  Session not active.");
         5182  +		
         5183  +		return(CKR_SESSION_HANDLE_INVALID);
         5184  +	}
         5185  +
         5186  +	slotID = cackey_sessions[hSession].slotID;
         5187  +
         5188  +	if (slotID < 0 || slotID >= (sizeof(cackey_slots) / sizeof(cackey_slots[0]))) {
         5189  +		CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), outside of valid range", slotID);
         5190  +
         5191  +		cackey_mutex_unlock(cackey_biglock);
         5192  +
         5193  +		return(CKR_GENERAL_ERROR);
         5194  +	}
         5195  +
         5196  +	if (cackey_slots[slotID].active == 0) {
         5197  +		CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID);
         5198  +
         5199  +		cackey_mutex_unlock(cackey_biglock);
         5200  +
         5201  +		return(CKR_GENERAL_ERROR);
         5202  +	}
         5203  +
         5204  +	if (cackey_pin_command != NULL) {
         5205  +		/* Get old PIN */
         5206  +		get_pin_ret = cackey_get_pin(oldpinbuf);
         5207  +
         5208  +		if (get_pin_ret != CACKEY_PCSC_S_OK) {
         5209  +			CACKEY_DEBUG_PRINTF("Error while getting Old PIN, returning CKR_PIN_INCORRECT.");
         5210  +
         5211  +			cackey_mutex_unlock(cackey_biglock);
         5212  +			
         5213  +			return(CKR_PIN_INCORRECT);
         5214  +		}
         5215  +
         5216  +		pOldPin = (CK_UTF8CHAR_PTR) oldpinbuf;
         5217  +		ulOldPinLen = strlen(oldpinbuf);
         5218  +
         5219  +		/* Get new PIN */
         5220  +		get_pin_ret = cackey_get_pin(newpinbuf);
         5221  +
         5222  +		if (get_pin_ret != CACKEY_PCSC_S_OK) {
         5223  +			CACKEY_DEBUG_PRINTF("Error while getting New PIN, returning CKR_PIN_INVALID.");
         5224  +
         5225  +			cackey_mutex_unlock(cackey_biglock);
         5226  +			
         5227  +			return(CKR_PIN_INVALID);
         5228  +		}
         5229  +
         5230  +		pNewPin = (CK_UTF8CHAR_PTR) newpinbuf;
         5231  +		ulNewPinLen = strlen(newpinbuf);
         5232  +	}
         5233  +
         5234  +	if (pOldPin == NULL) {
         5235  +		CACKEY_DEBUG_PRINTF("Old PIN value is wrong (null).");
         5236  +
         5237  +		cackey_mutex_unlock(cackey_biglock);
         5238  +
         5239  +		return(CKR_PIN_INCORRECT);
         5240  +	}
         5241  +
         5242  +	if (ulOldPinLen == 0 || ulOldPinLen > 8) {
         5243  +		CACKEY_DEBUG_PRINTF("Old PIN length is wrong: %lu.", (unsigned long) ulOldPinLen);
         5244  +
         5245  +		cackey_mutex_unlock(cackey_biglock);
         5246  +
         5247  +		return(CKR_PIN_INCORRECT);
         5248  +	}
         5249  +
         5250  +	if (pNewPin == NULL) {
         5251  +		CACKEY_DEBUG_PRINTF("New PIN value is wrong (either NULL, or too long/short).");
         5252  +
         5253  +		cackey_mutex_unlock(cackey_biglock);
         5254  +
         5255  +		return(CKR_PIN_INVALID);
         5256  +	}
         5257  +
         5258  +	if (ulNewPinLen < 5 || ulNewPinLen > 8) {
         5259  +		CACKEY_DEBUG_PRINTF("New PIN length is wrong: %lu, must be atleast 5 and no more than 8.", (unsigned long) ulNewPinLen);
         5260  +
         5261  +		cackey_mutex_unlock(cackey_biglock);
         5262  +
         5263  +		return(CKR_PIN_LEN_RANGE);
         5264  +	}
         5265  +
         5266  +	set_pin_ret = cackey_set_pin(&cackey_slots[slotID], pOldPin, ulOldPinLen, pNewPin, ulNewPinLen);
         5267  +
         5268  +	if (set_pin_ret != CACKEY_PCSC_S_OK) {
         5269  +		if (cackey_pin_command == NULL) {
         5270  +			cackey_slots[slotID].token_flags |= CKF_LOGIN_REQUIRED;
         5271  +		}
         5272  +
         5273  +		if (set_pin_ret == CACKEY_PCSC_E_LOCKED) {
         5274  +			cackey_slots[slotID].token_flags |= CKF_USER_PIN_LOCKED;
         5275  +		}
         5276  +	}
         5277  +
         5278  +	mutex_retval = cackey_mutex_unlock(cackey_biglock);
         5279  +	if (mutex_retval != 0) {
         5280  +		CACKEY_DEBUG_PRINTF("Error.  Unlocking failed.");
         5281  +
         5282  +		return(CKR_GENERAL_ERROR);
         5283  +	}
         5284  +
         5285  +	switch (set_pin_ret) {
         5286  +		case CACKEY_PCSC_S_OK:
         5287  +			CACKEY_DEBUG_PRINTF("Successfully set PIN.");
         5288  +
         5289  +			return(CKR_OK);
         5290  +		case CACKEY_PCSC_E_BADPIN:
         5291  +			CACKEY_DEBUG_PRINTF("PIN was invalid.");
         5292  +
         5293  +			return(CKR_PIN_INVALID);
         5294  +		case CACKEY_PCSC_E_LOCKED:
         5295  +			CACKEY_DEBUG_PRINTF("Token is locked or this change is not permitted.");
         5296  +
         5297  +			return(CKR_PIN_LOCKED);
         5298  +		default:
         5299  +			CACKEY_DEBUG_PRINTF("Something else went wrong changing the PIN: %i", set_pin_ret);
         5300  +
         5301  +			return(CKR_GENERAL_ERROR);
         5302  +	}
         5303  +
         5304  +	return(CKR_GENERAL_ERROR);
  5019   5305   }
  5020   5306   
  5021   5307   CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY notify, CK_SESSION_HANDLE_PTR phSession) {
  5022   5308   	unsigned long idx;
  5023   5309   	int mutex_retval;
  5024   5310   	int found_session = 0;
  5025   5311   
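Review bot: C_SetPIN indexes `cackey_sessions[hSession]` with the caller-supplied handle before any range check, so an out-of-range hSession would be read from outside the session table; the slot ID gets such a check a few lines later, but the session handle does not. Assuming cackey_sessions is a fixed-size array like cackey_slots, add a guard ahead of the lookup that returns CKR_SESSION_HANDLE_INVALID when `hSession >= (sizeof(cackey_sessions) / sizeof(cackey_sessions[0]))`. Separately, oldpinbuf and newpinbuf still hold both PINs on the stack at every return; clearing them before each return, with a wipe the compiler cannot elide, would limit exposure, and the same holds for pinbuf in the _C_LoginMutexArg hunk. cackey_get_pin() is handed a 64-byte buffer with no length argument and its definition is not in this hunk, so it is worth confirming that it bounds its write to 64 bytes.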
................................................................................
  5299   5585   	CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);
  5300   5586   
  5301   5587   	return(CKR_FUNCTION_NOT_SUPPORTED);
  5302   5588   }
  5303   5589   
  5304   5590   CK_DEFINE_FUNCTION(CK_RV, _C_LoginMutexArg)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, int lock_mutex) {
  5305   5591   	CK_SLOT_ID slotID;
  5306         -	FILE *pinfd;
  5307         -	char *pincmd, pinbuf[64], *fgets_ret;
         5592  +	cackey_ret get_pin_ret;
         5593  +	char pinbuf[64];
  5308   5594   	int mutex_retval;
  5309   5595   	int tries_remaining;
  5310   5596   	int login_ret;
  5311         -	int pclose_ret;
  5312   5597   
  5313   5598   	CACKEY_DEBUG_PRINTF("Called.");
  5314   5599   
  5315   5600   	if (!cackey_initialized) {
  5316   5601   		CACKEY_DEBUG_PRINTF("Error.  Not initialized.");
  5317   5602   
  5318   5603   		return(CKR_CRYPTOKI_NOT_INITIALIZED);
................................................................................
  5367   5652   		if (lock_mutex) {
  5368   5653   			cackey_mutex_unlock(cackey_biglock);
  5369   5654   		}
  5370   5655   
  5371   5656   		return(CKR_GENERAL_ERROR);
  5372   5657   	}
  5373   5658   
  5374         -	pincmd = cackey_pin_command;
  5375         -	if (pincmd != NULL) {
  5376         -		CACKEY_DEBUG_PRINTF("CACKEY_PIN_COMMAND = %s", pincmd);
  5377         -
         5659  +	if (cackey_pin_command != NULL) {
  5378   5660   		if (pPin != NULL) {
  5379   5661   			CACKEY_DEBUG_PRINTF("Protected authentication path in effect and PIN provided !?");
  5380   5662   		}
  5381   5663   
  5382         -		pinfd = popen(pincmd, "r");
  5383         -		if (pinfd == NULL) {
  5384         -			CACKEY_DEBUG_PRINTF("Error.  %s: Unable to run", pincmd);
         5664  +		get_pin_ret = cackey_get_pin(pinbuf);
         5665  +
         5666  +		if (get_pin_ret != CACKEY_PCSC_S_OK) {
         5667  +			CACKEY_DEBUG_PRINTF("cackey_get_pin() returned in failure, assuming the PIN was incorrect.");
  5385   5668   
  5386   5669   			if (lock_mutex) {
  5387   5670   				cackey_mutex_unlock(cackey_biglock);
  5388   5671   			}
  5389   5672   
  5390         -			CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);
  5391         -
  5392   5673   			return(CKR_PIN_INCORRECT);
  5393   5674   		}
  5394   5675   
  5395         -		fgets_ret = fgets(pinbuf, sizeof(pinbuf), pinfd);
  5396         -		if (fgets_ret == NULL) {
  5397         -			pinbuf[0] = '\0';
  5398         -		}
  5399         -
  5400         -		pclose_ret = pclose(pinfd);
  5401         -		if (pclose_ret == -1 && errno == ECHILD) {
  5402         -			CACKEY_DEBUG_PRINTF("Notice.  pclose() indicated it could not get the status of the child, assuming it succeeeded !");
  5403         -
  5404         -			pclose_ret = 0;
  5405         -		}
  5406         -
  5407         -		if (pclose_ret != 0) {
  5408         -			CACKEY_DEBUG_PRINTF("Error.  %s: exited with non-zero status of %i", pincmd, pclose_ret);
  5409         -
  5410         -			if (lock_mutex) {
  5411         -				cackey_mutex_unlock(cackey_biglock);
  5412         -			}
  5413         -
  5414         -			CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);
  5415         -
  5416         -			return(CKR_PIN_INCORRECT);
  5417         -		}
  5418         -
  5419         -		if (strlen(pinbuf) < 1) {
  5420         -			CACKEY_DEBUG_PRINTF("Error.  %s: returned no data", pincmd);
  5421         -
  5422         -			if (lock_mutex) {
  5423         -				cackey_mutex_unlock(cackey_biglock);
  5424         -			}
  5425         -
  5426         -			CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);
  5427         -
  5428         -			return(CKR_PIN_INCORRECT);
  5429         -		}
  5430         -
  5431         -		if (pinbuf[strlen(pinbuf) - 1] == '\n') {
  5432         -			pinbuf[strlen(pinbuf) - 1] = '\0';
  5433         -		}
  5434         -
  5435   5676   		pPin = (CK_UTF8CHAR_PTR) pinbuf;
  5436   5677   		ulPinLen = strlen(pinbuf);
  5437   5678   	}
  5438   5679   
  5439   5680   	login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining);
  5440   5681   	if (login_ret != CACKEY_PCSC_S_OK) {
  5441   5682   		if (lock_mutex) {

Modified cackey_builtin_certs.h from [9c64b878c6] to [cffe24d77b].

cannot compute difference between binary files

Modified configure.ac from [76a04092ae] to [60c4628f66].

     1         -AC_INIT(cackey, 0.7.1) 
            1  +AC_INIT(cackey, 0.7.3) 
     2      2   AC_CONFIG_HEADERS(config.h)
     3      3   
     4      4   dnl Locate standard tools
     5      5   AC_PROG_CC
     6      6   AC_PROG_MAKE_SET
     7      7   AC_PROG_INSTALL
     8      8   AC_AIX