sc-hsm: Add support for SoC

- eac: allow CA without EF.CardSecurity
- sc-hsm: implemented CA based on document PKI
- sc-hsm: adds receive limit for SoC card
- introduces dedicated card type for SoC card
- md: integrate card's PIN pad capabilities
- installer: added SC-HSM SoC card to registry
- pkcs15-tool: Added support for PIN entry on card
- change/unblock PIN: add support for PIN entry on card
- added OpenPACE to macOS build
- travis-ci: install gengetopt/help2man via brew
- sc-hsm: Cache EF.C_DevAut
- sc-hsm: Prevent unnecessary applet selection and state resets
- sc-hsm: added support for session pin
- sc-hsm: avoid multiple AID selection
- sc-hsm: Use the information from match_card for all subsequent selections of the applet
- sc-hsm: cache optional files as empty files (Decoding the files will reveal that they were not existing prior caching. This avoids selecting the file though we have already tried to cache the file before.)
- use dedicated directory for CVC trust anchors
- appveyor: added OpenPACE to windows build

.travis.yml

@@ -14,6 +14,7 @@ addons:
  - wine
  - xsltproc
  - gengetopt
+ - help2man
  coverity_scan:
  project:
  name: "OpenSC/OpenSC"
@@ -51,7 +52,7 @@ before_install:
  brew update;
  brew uninstall libtool;
  brew install libtool;
- brew install gengetopt;
+ brew install gengetopt help2man;
  fi
 
 before_script:

MacOSX/build-package.in

@@ -40,9 +40,24 @@ if ! pkg-config libcrypto --atleast-version=1.0.1; then
  export OPENSSL_LIBS="` env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin pkg-config --static --libs libcrypto`"
 fi
 
+if ! test -e $BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig; then
+ if ! test -e openpace; then
+ git clone --depth=1 https://github.com/frankmorgner/openpace.git
+ fi
+ cd openpace
+ autoreconf -vis
+ ./configure --disable-shared --prefix=$PREFIX CRYPTO_CFLAGS="$OPENSSL_CFLAGS" CRYPTO_LIBS="$OPENSSL_LIBS"
+ make DESTDIR=$BUILDPATH/openpace_bin install
+ cd ..
+ export OPENPACE_CFLAGS="`env PKG_CONFIG_PATH=$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --cflags libeac` $OPENSSL_CFLAGS"
+ export OPENPACE_LIBS="` env PKG_CONFIG_PATH=$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --libs libeac` $OPENSSL_LIBS"
+fi
+
 if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
  ./configure --prefix=$PREFIX \
  --sysconfdir=$PREFIX/etc \
+ --enable-cvcdir=$PREFIX/etc/cvc \
+ --enable-x509dir=$PREFIX/etc/x509 \
  --disable-dependency-tracking \
  --enable-shared \
  --disable-static \

appveyor.yml

@@ -30,6 +30,7 @@ install:
  - date /T & time /T
  - set PATH=C:\cygwin\bin;%PATH%
  - set OPENSSL_VER=1_0_2e
+ - set OPENPACE_VER=1.0.1
  - set ZLIB_VER_DOT=1.2.8
  - ps: $env:PACKAGE_NAME=(git describe --tags)
  - ps: >-
@@ -62,6 +63,11 @@ install:
  }
  7z x zlib.zip -oC:\
  Rename-Item -path "c:\zlib-${env:ZLIB_VER_DOT}" -newName "zlib"
+ If (!(Test-Path openpace.zip )) {
+ appveyor DownloadFile "https://github.com/frankmorgner/openpace/archive/${env:OPENPACE_VER}.zip" -FileName openpace.zip
+ }
+ 7z x openpace.zip -oC:\
+ Rename-Item -path "c:\openpace-${env:OPENPACE_VER}" -newName "openpace"
  }
  - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
  - echo "Using Visual Studio %VSVER%.0 at %VSCOMNTOOLS%"
@@ -72,9 +78,9 @@ install:
  - set
 
 build_script:
- # build zlib.lib as a static library
  - ps: >-
  if (!($env:Configuration -Like "*Light*")) {
+ # build zlib.lib as a static library
  cd C:\zlib
  (Get-Content win32/Makefile.msc).replace('-MD', '-MT') | Set-Content win32/Makefile.msc
  If ($env:Platform -Match "x86") {
@@ -83,7 +89,12 @@ build_script:
  nmake -f win32/Makefile.msc AS=ml64 LOC="-DASMV -DASMINF -I." OBJA="inffasx64.obj gvmat64.obj inffas8664.obj" zlib.lib
  }
  $env:NMAKE_EXTRA="ZLIBSTATIC_DEF=/DENABLE_ZLIB_STATIC ${env:NMAKE_EXTRA}"
- cd c:\projects\Opensc
+ # build libeac.lib as a static library
+ cd C:\openpace\src
+ cl /IC:\OpenSSL-${env:OPENSSL_PF}\include /I. /DX509DIR=\`"/\`" /DCVCDIR=\`"/\`" /W3 /D_CRT_SECURE_NO_DEPRECATE /DWIN32_LEAN_AND_MEAN /GS /MT /c ca_lib.c cv_cert.c cvc_lookup.c x509_lookup.c eac_asn1.c eac.c eac_ca.c eac_dh.c eac_ecdh.c eac_kdf.c eac_lib.c eac_print.c eac_util.c misc.c pace.c pace_lib.c pace_mappings.c ri.c ri_lib.c ta.c ta_lib.c objects.c
+ lib /out:libeac.lib ca_lib.obj cv_cert.obj cvc_lookup.obj x509_lookup.obj eac_asn1.obj eac.obj eac_ca.obj eac_dh.obj eac_ecdh.obj eac_kdf.obj eac_lib.obj eac_print.obj eac_util.obj misc.obj pace.obj pace_lib.obj pace_mappings.obj ri.obj ri_lib.obj ta.obj ta_lib.obj objects.obj
+ $env:NMAKE_EXTRA="OPENPACE_DEF=/DENABLE_OPENPACE ${env:NMAKE_EXTRA}"
+ cd C:\projects\OpenSC
  }
  - bash -c "exec 0</dev/null && ./bootstrap"
  # disable features to speed up the script

configure.ac

@@ -609,10 +609,18 @@ if test "${cvcdir}" = false ; then
  cvcdir="`$PKG_CONFIG libeac --variable=cvcdir`"
 fi
 if test "${cvcdir}" = "" ; then
- AC_MSG_WARN([use --enable-cvcdir=DIR])
+ case "${host}" in
+ *-mingw*|*-winnt*|*-cygwin*)
+ cvcdir="%PROGRAMFILES%\\\OpenSC Project\\\OpenSC\\\cvc"
+ ;;
+ *)
+ AC_MSG_WARN([use --enable-cvcdir=DIR])
+ ;;
+ esac
 fi
 CVCDIR="${cvcdir}"
 AC_SUBST(CVCDIR)
+AC_DEFINE_UNQUOTED([CVCDIR], ["${CVCDIR}"], [CVC directory])
 
 AC_ARG_ENABLE(x509dir,
  AC_HELP_STRING([--enable-x509dir=DIR],
@@ -628,10 +636,18 @@ then
 fi
 if test -z "${x509dir}"
 then
- AC_MSG_WARN([use --enable-x509dir=DIR])
+ case "${host}" in
+ *-mingw*|*-winnt*|*-cygwin*)
+ x509dir="%PROGRAMFILES%\\\OpenSC Project\\\OpenSC\\\x509"
+ ;;
+ *)
+ AC_MSG_WARN([use --enable-x509dir=DIR])
+ ;;
+ esac
 fi
 X509DIR="${x509dir}"
 AC_SUBST(X509DIR)
+AC_DEFINE_UNQUOTED([X509DIR], ["${X509DIR}"], [CVC directory])
 
 case "${enable_openpace}" in
  no)
@@ -905,7 +921,9 @@ AM_CONDITIONAL([ENABLE_THREAD_LOCKING], [test "${enable_thread_locking}" = "yes"
 AM_CONDITIONAL([ENABLE_ZLIB], [test "${enable_zlib}" = "yes"])
 AM_CONDITIONAL([ENABLE_READLINE], [test "${enable_readline}" = "yes"])
 AM_CONDITIONAL([ENABLE_OPENSSL], [test "${enable_openssl}" = "yes"])
+AM_CONDITIONAL([ENABLE_OPENPACE], [test "${enable_openpace}" = "yes"])
 AM_CONDITIONAL([ENABLE_CRYPTOTOKENKIT], [test "${enable_cryptotokenkit}" = "yes"])
+AM_CONDITIONAL([ENABLE_OPENCT], [test "${enable_openct}" = "yes"])
 AM_CONDITIONAL([ENABLE_DOC], [test "${enable_doc}" = "yes"])
 AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
 AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])

etc/Makefile.am

@@ -1,7 +1,9 @@
+CV_CERTS = UTSRCACC100001 DESRCACC100001
+
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 DISTCLEANFILES = opensc.conf
 
-EXTRA_DIST = Makefile.mak
+EXTRA_DIST = $(CV_CERTS) Makefile.mak
 
 SUFFIXES = .in
 
@@ -38,3 +40,12 @@ install-exec-hook: opensc.conf
 
 uninstall-hook: opensc.conf
  rm -f "$(DESTDIR)$(sysconfdir)/opensc.conf.new" "$(DESTDIR)$(sysconfdir)/opensc.conf"
+
+if ENABLE_OPENPACE
+install-data-local:
+ $(MKDIR_P) "$(DESTDIR)$(CVCDIR)"
+ for cert in $(CV_CERTS); do $(INSTALL_DATA) $(srcdir)/$${cert} "$(DESTDIR)$(CVCDIR)"; done
+
+uninstall-local:
+ for cert in $(CV_CERTS); do rm -f "$(DESTDIR)$(CVCDIR)/$${cert}"; done
+endif

src/libopensc/Makefile.am

@@ -73,8 +73,8 @@ libopensc_static_la_SOURCES = $(libopensc_la_SOURCES_BASE)
 if WIN32
 libopensc_la_SOURCES += $(top_builddir)/win32/versioninfo.rc
 endif
-libopensc_la_LIBADD = $(OPENPACE_LIBS) $(OPTIONAL_OPENSSL_LIBS) $(OPTIONAL_OPENCT_LIBS) \
- $(OPTIONAL_ZLIB_LIBS) \
+libopensc_la_LIBADD = $(OPENPACE_LIBS) $(OPTIONAL_OPENSSL_LIBS) \
+ $(OPTIONAL_OPENCT_LIBS) $(OPTIONAL_ZLIB_LIBS) \
  $(top_builddir)/src/pkcs15init/libpkcs15init.la \
  $(top_builddir)/src/scconf/libscconf.la \
  $(top_builddir)/src/common/libscdl.la \

src/libopensc/Makefile.mak

@@ -41,6 +41,7 @@ OBJECTS = \
 LIBS = $(TOPDIR)\src\scconf\scconf.lib \
  $(TOPDIR)\src\common\common.lib \
  $(TOPDIR)\src\common\libscdl.lib \
+ $(TOPDIR)\src\sm\libsmiso.lib \
  $(TOPDIR)\src\sm\libsmeac.lib \
  $(TOPDIR)\src\pkcs15init\pkcs15init.lib