Fix reading EstEID certificates with T=0

[metsma]

Fixes #1190

Signed-off-by: Raul Metsma [email protected]

Checklist

• Documentation is added or updated
• New files have a LGPL 2.1 license statement
• Tested with the following card: EstEID
  • tested PKCS#11
  • tested Windows Minidriver
  • tested macOS Tokend

[frankmorgner]

Why do you need the global flag SC_CARD_CAP_READ_BINARY_NO_BREAK if you solve the problem with GET RESPONSE at the card driver level?

[metsma]

#1190 (comment)
As dengert suggested to avoid spliting sc_read_binary

if (count > max_le && !(card->caps & SC_CARD_CAP_READ_BINARY_NO_BREAK)) {
Then your version of read_binary would get control with the original count and would simplify your drivers version of read_binary.
So it looks like you need a read_binary routine in your card driver. The problem is sc_read_binary will try and break up any read_binary into multiple read_binary commands where the second one will have an index != 0. sc_read_binary before you get control. max_le = sc_get_max_recv_size(card);

[dengert]

@frankmorgner The name SC_CARD_CAP_READ_BINARY_NO_BREAK could be changed if you want.
I was surprised how many card drivers have their own version of read_binary. read_binary is not a standard as one might expect. The SC_CARD_CAP_READ_BINARY_NO_BREAK tells sc_read_binary to just call the card's version.

[metsma]

Any suggestion? I copied from dengert comment

[frankmorgner]

A long time ago I thought about putting all this GET RESPONSE magic from apdu.c into iso7816.c. If i remember correctly, there are many more extensions from ISO 7816 that seeped through to the generic layers of OpenSC. With such separation, you would have an easier job of modifying the card specific behavior before some ISO 7816 mechanism kicks in. I think this would be the right way to go in terms of establishing long term software quality. However, this has a lot of potential to break things.

Introducing more complexity (read: hacks) doesn't solve the problem in the long run. I'd suggest to either start working on the refactoring now, which could then be included in 0.19.0 or to solve this problem exclusively on the card driver level.

[dengert]

The problem the card driver does not get control until after sc_read_binary has screwed thing up.

And sc_read_binary is called from non-card driver files card-.c, pkcs15-.c and pkcs15init/* ./libopensc/pkcs15.c calls it 5 times, ./libopensc/dir.c, /libopensc/iso7816.c, ./libopensc/card.c, ./tools/opensc-tool.c, ./tools/netkey-tool.c,
./tools/cryptoflex-tool.c, ./tools/westcos-tool.c and ./tools/opensc-explorer.c.
It is also called from card driver files: card-.c, pkcs15-.c and pkcs15init/*

So, refracting looks like a big project.

[frankmorgner]

What happens if you use max_recv_len = 255 in opensc.conf (or in the code for the card's read_binary)? Does the card still respond with 61 00?

[dengert]

Is this an issue with T=0 and T=1 or the reader. IIRC, with T=0 the card does not see the Le, only the
reader does. Would a PCSC trace show more?

https://github.com/metsma, to you have another reader that does T=0 , or can you force T=0 to see if it fails or works?

[metsma]

Yes seems like it helps
Default: https://www.dropbox.com/s/4oavydmuuxm4hc2/opensc-debug.log.broken?dl=0
Modified config: https://www.dropbox.com/s/igfqkp4pdp9f5rl/opensc-debug.log.config?dl=0

[frankmorgner]

please fix the indenting

[metsma]

It is fixing indenting, before there was spaces and tabs mixed

[metsma]

or you mean leave the mixed indenting as it is?

[frankmorgner]

There are too many tabs. Look at GitHub's diff, you'll see the problem.

[frankmorgner]

please add a comment why you're doing the workaround

[frankmorgner]

indenting

[metsma]

Same here, spaces and tabs mixed before and do I leave as it is?

[frankmorgner]

thanks