add OpenSC package

OpenSC is a smart card middleware.
Patches for support of the GnuK USB token have been added.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

utils/opensc/Makefile

@@ -0,0 +1,224 @@
+#
+# Copyright (C) 2011-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=opensc
+PKG_VERSION:=20140317
+PKG_RELEASE:=1
+PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
+
+PKG_RELEASE=$(PKG_SOURCE_VERSION)
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/OpenSC/OpenSC.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=de6d61405b271e22244376e4817e16b49018e1ce
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_BUILD_DEPENDS:=+libpcsclite
+PKG_FIXUP:=libtool
+
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libopensc
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=OpenSC libraries for smart cards
+  URL:=https://www.opensc-project.org/opensc/wiki/
+  DEPENDS:=+libopenssl +libpthread
+  MENU:=1
+endef
+
+define Package/libopensc/description
+  OpenSC provides a set of libraries and utilities to work with smart cards.
+  Its main focus is on cards that support cryptographic operations, and
+  facilitate their use in security applications such as authentication,
+  mail encryption and digital signatures.
+endef
+
+define Package/libopensc-pkcs11
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=OpenSC - PKCS11 provider
+  URL:=https://www.opensc-project.org/opensc/wiki/
+  DEPENDS:=libopensc
+endef
+
+define Package/libopensc-pkcs11/description
+  OpenSC PKCS#11 provider
+endef
+
+define Package/libpkcs11-spy
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=PKCS11 spying wrapper
+  URL:=https://www.opensc-project.org/opensc/wiki/
+endef
+
+define Package/libpkcs11-spy/dscription
+  PKCS#11 spying wrapper
+endef
+
+define Package/opensc-utils
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=OpenSC - tools for smart cards
+  URL:=https://www.opensc-project.org/opensc/wiki/
+  DEPENDS:=+libopensc
+  MENU:=1
+endef
+
+define Package/opensc-utils/description
+  OpenSC utilities
+endef
+
+define ToolGen
+define Package/opensc-utils-$(subst _,-,$(firstword $(subst :, ,$(1))))
+  TITLE:=$(firstword $(subst :, ,$(1))) utility from opensc
+  URL:=https://www.opensc-project.org/opensc/wiki/
+  SECTION:=utils
+  CATEGORY:=Utilities
+  DEPENDS:=opensc-utils $(wordlist 2,$(words $(subst :, ,$(1))),$(subst :, ,$(1)))
+endef
+endef
+
+define ProfileGen
+define Package/libopensc-profile-$(subst _,-,$(firstword $(subst :, ,$(1))))
+  TITLE:=$(firstword $(subst :, ,$(1))) card profile for opensc
+  URL:=https://www.opensc-project.org/opensc/wiki/
+  SECTION:=lib
+  CATEGORY:=Libraries
+  DEPENDS:=libopensc
+endef
+endef
+
+TOOLS:= \
+	cardos-tool \
+	cryptoflex-tool \
+	dnie-tool \
+	eidenv \
+	iasecc-tool \
+	netkey-tool \
+	openpgp-tool \
+	opensc-tool \
+	opensc-explorer:+libncurses:+libreadline \
+	piv-tool \
+	pkcs11-tool \
+	pkcs15-crypt \
+	pkcs15-init \
+	pkcs15-tool \
+	sc-hsm-tool \
+	westcos-tool
+
+PROFILES:= \
+	asepcos \
+	authentic \
+	cardos \
+	cyberflex \
+	entersafe \
+	epass2003 \
+	flex \
+	gpk \
+	ias_adele_admin1 \
+	ias_adele_admin2 \
+	ias_adele_common \
+	iasecc_admin_eid \
+	iasecc_generic_oberthur \
+	iasecc_generic_pki \
+	iasecc \
+	incrypto34 \
+	jcop \
+	miocos \
+	muscle \
+	myeid \
+	oberthur \
+	openpgp \
+	pkcs15 \
+	rutoken_ecp \
+	rutoken \
+	sc-hsm \
+	setcos \
+	starcos \
+	westcos
+
+$(foreach file,$(TOOLS),$(eval $(call ToolGen,$(file))))
+$(foreach file,$(PROFILES),$(eval $(call ProfileGen,$(file))))
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libopensc.{a,so}* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libsmm-local.{a,so}* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/opensc-pkcs11.so $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkcs11-spy.so $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkcs11
+	$(LN) ../pkcs11-spy.so $(1)/usr/lib/pkcs11/
+	$(LN) ../opensc-pkcs11.so $(1)/usr/lib/pkcs11/
+	$(INSTALL_DIR) $(1)/usr/share/opensc
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/opensc/* $(1)/usr/share/opensc/
+endef
+
+define Package/libopensc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libopensc.so* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libsmm-local.so* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/etc
+	$(CP) $(PKG_INSTALL_DIR)/etc/opensc.conf $(1)/etc/
+endef
+
+define Package/libopensc-pkcs11/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/opensc-pkcs11.so $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkcs11
+	$(LN) ../opensc-pkcs11.so $(1)/usr/lib/pkcs11/
+endef
+
+define Package/libpkcs11-spy/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkcs11-spy.so $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkcs11
+	$(LN) ../pkcs11-spy.so $(1)/usr/lib/pkcs11/
+endef
+
+define Package/opensc-card-profiles
+	$(INSTALL_DIR) $(1)/usr/share/opensc
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/opensc/* $(1)/usr/share/opensc/
+endef
+
+define Package/opensc-utils/install
+	true
+endef
+
+define ToolInstall
+define Package/opensc-utils-$(subst _,-,$(firstword $(subst :, ,$(1))))/install
+	$(INSTALL_DIR) $$(1)/usr/bin
+	$(INSTALL_BIN) \
+		$(PKG_INSTALL_DIR)/usr/bin/$(firstword $(subst :, ,$(1))) \
+		$$(1)/usr/bin/
+endef
+endef
+
+define ProfileInstall
+define Package/libopensc-profile-$(subst _,-,$(firstword $(subst :, ,$(1))))/install
+	$(INSTALL_DIR) $$(1)/usr/share/opensc
+	$(INSTALL_BIN) \
+		$(PKG_INSTALL_DIR)/usr/share/opensc/$(firstword $(subst :, ,$(1))).profile \
+		$$(1)/usr/share/opensc
+endef
+endef
+
+$(foreach file,$(TOOLS),$(eval $(call ToolInstall,$(file))))
+$(foreach file,$(PROFILES),$(eval $(call ProfileInstall,$(file))))
+
+$(eval $(call BuildPackage,libopensc))
+$(eval $(call BuildPackage,libopensc-pkcs11))
+$(eval $(call BuildPackage,libpkcs11-spy))
+
+$(eval $(call BuildPackage,opensc-utils))
+$(foreach file,$(TOOLS),$(eval $(call BuildPackage,opensc-utils-$(subst _,-,$(firstword $(subst :, ,$(file)))))))
+$(foreach file,$(PROFILES),$(eval $(call BuildPackage,libopensc-profile-$(subst _,-,$(firstword $(subst :, ,$(file)))))))

utils/opensc/patches/0001-OpenPGP-Detect-and-support-Gnuk-Token.patch

@@ -0,0 +1,267 @@
+From c706491fc9b08d4cc6d7b254cf936d6b8d8691bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Wed, 20 Feb 2013 11:54:30 +0700
+Subject: [PATCH 01/18] OpenPGP: Detect and support Gnuk Token.
+
+http://www.fsij.org/gnuk/
+---
+ src/libopensc/card-openpgp.c | 61 ++++++++++++++++++++++++++++++++++----------
+ src/libopensc/cards.h        |  1 +
+ src/tools/openpgp-tool.c     |  9 +++++--
+ 3 files changed, 56 insertions(+), 15 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 743e79c..716052b 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -43,6 +43,7 @@
+ static struct sc_atr_table pgp_atrs[] = {
+ 	{ "3b:fa:13:00:ff:81:31:80:45:00:31:c1:73:c0:01:00:00:90:00:b1", NULL, "OpenPGP card v1.0/1.1", SC_CARD_TYPE_OPENPGP_V1, 0, NULL },
+ 	{ "3b:da:18:ff:81:b1:fe:75:1f:03:00:31:c5:73:c0:01:40:00:90:00:0c", NULL, "CryptoStick v1.2 (OpenPGP v2.0)", SC_CARD_TYPE_OPENPGP_V2, 0, NULL },
++	{ "3b:da:11:ff:81:b1:fe:55:1f:03:00:31:84:73:80:01:80:00:90:00:e4", NULL, "Gnuk v1.0.x (OpenPGP v2.0)", SC_CARD_TYPE_OPENPGP_GNUK, 0, NULL },
+ 	{ NULL, NULL, NULL, 0, 0, NULL }
+ };
+ 
+@@ -307,6 +308,8 @@ pgp_init(sc_card_t *card)
+ 	int		r;
+ 	struct blob 	*child = NULL;
+ 
++	LOG_FUNC_CALLED(card->ctx);
++
+ 	priv = calloc (1, sizeof *priv);
+ 	if (!priv)
+ 		return SC_ERROR_OUT_OF_MEMORY;
+@@ -315,11 +318,11 @@ pgp_init(sc_card_t *card)
+ 	card->cla = 0x00;
+ 
+ 	/* set pointer to correct list of card objects */
+-	priv->pgp_objects = (card->type == SC_CARD_TYPE_OPENPGP_V2)
++	priv->pgp_objects = (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK)
+ 				? pgp2_objects : pgp1_objects;
+ 
+ 	/* set detailed card version */
+-	priv->bcd_version = (card->type == SC_CARD_TYPE_OPENPGP_V2)
++	priv->bcd_version = (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK)
+ 				? OPENPGP_CARD_2_0 : OPENPGP_CARD_1_1;
+ 
+ 	/* select application "OpenPGP" */
+@@ -428,7 +431,8 @@ pgp_get_card_features(sc_card_t *card)
+ 		if ((pgp_get_blob(card, blob73, 0x00c0, &blob) >= 0) &&
+ 		    (blob->data != NULL) && (blob->len > 0)) {
+ 			/* in v2.0 bit 0x04 in first byte means "algorithm attributes changeable */
+-			if ((blob->data[0] & 0x04) && (card->type == SC_CARD_TYPE_OPENPGP_V2))
++			if ((blob->data[0] & 0x04) &&
++			    (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK))
+ 				priv->ext_caps |= EXT_CAP_ALG_ATTR_CHANGEABLE;
+ 			/* bit 0x08 in first byte means "support for private use DOs" */
+ 			if (blob->data[0] & 0x08)
+@@ -445,7 +449,8 @@ pgp_get_card_features(sc_card_t *card)
+ 				priv->ext_caps |= EXT_CAP_GET_CHALLENGE;
+ 			}
+ 			/* in v2.0 bit 0x80 in first byte means "support Secure Messaging" */
+-			if ((blob->data[0] & 0x80) && (card->type == SC_CARD_TYPE_OPENPGP_V2))
++			if ((blob->data[0] & 0x80) &&
++			    (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK))
+ 				priv->ext_caps |= EXT_CAP_SM;
+ 
+ 			if ((priv->bcd_version >= OPENPGP_CARD_2_0) && (blob->len >= 10)) {
+@@ -1055,12 +1060,18 @@ static int
+ pgp_get_pubkey(sc_card_t *card, unsigned int tag, u8 *buf, size_t buf_len)
+ {
+ 	sc_apdu_t	apdu;
++	u8 apdu_case = SC_APDU_CASE_4;
+ 	u8		idbuf[2];
+ 	int		r;
+ 
+ 	sc_log(card->ctx, "called, tag=%04x\n", tag);
+ 
+-	sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x47, 0x81, 0);
++	/* With Gnuk token, force to use short APDU */
++	if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) {
++		apdu_case = SC_APDU_CASE_4_SHORT;
++	}
++
++	sc_format_apdu(card, &apdu, apdu_case, 0x47, 0x81, 0);
+ 	apdu.lc = 2;
+ 	apdu.data = ushort2bebytes(idbuf, tag);
+ 	apdu.datalen = 2;
+@@ -1152,6 +1163,7 @@ pgp_put_data(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len)
+ 	u8 ins = 0xDA;
+ 	u8 p1 = tag >> 8;
+ 	u8 p2 = tag & 0xFF;
++	u8 apdu_case = SC_APDU_CASE_3;
+ 	int r;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+@@ -1193,13 +1205,17 @@ pgp_put_data(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len)
+ 
+ 	/* Build APDU */
+ 	if (buf != NULL && buf_len > 0) {
+-		sc_format_apdu(card, &apdu, SC_APDU_CASE_3, ins, p1, p2);
++		/* Force short APDU for Gnuk */
++		if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) {
++			apdu_case = SC_APDU_CASE_3_SHORT;
++		}
++		sc_format_apdu(card, &apdu, apdu_case, ins, p1, p2);
+ 
+ 		/* if card/reader does not support extended APDUs, but chaining, then set it */
+ 		if (((card->caps & SC_CARD_CAP_APDU_EXT) == 0) && (priv->ext_caps & EXT_CAP_CHAINING))
+ 			apdu.flags |= SC_APDU_FLAGS_CHAINING;
+ 
+-		apdu.data = buf;
++		apdu.data = (u8 *)buf;
+ 		apdu.datalen = buf_len;
+ 		apdu.lc = buf_len;
+ 	}
+@@ -1326,6 +1342,7 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
+ 	struct pgp_priv_data	*priv = DRVDATA(card);
+ 	sc_security_env_t	*env = &priv->sec_env;
+ 	sc_apdu_t		apdu;
++	u8 apdu_case = SC_APDU_CASE_4;
+ 	int			r;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+@@ -1334,14 +1351,19 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
+ 		LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS,
+ 				"invalid operation");
+ 
++	/* Force short APDU for Gnuk Token */
++	if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) {
++		apdu_case = SC_APDU_CASE_4_SHORT;
++	}
++
+ 	switch (env->key_ref[0]) {
+ 	case 0x00: /* signature key */
+ 		/* PSO SIGNATURE */
+-		sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x9E, 0x9A);
++		sc_format_apdu(card, &apdu, apdu_case, 0x2A, 0x9E, 0x9A);
+ 		break;
+ 	case 0x02: /* authentication key */
+ 		/* INTERNAL AUTHENTICATE */
+-		sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x88, 0, 0);
++		sc_format_apdu(card, &apdu, apdu_case, 0x88, 0, 0);
+ 		break;
+ 	case 0x01:
+ 	default:
+@@ -1350,7 +1372,7 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
+ 	}
+ 
+ 	apdu.lc = data_len;
+-	apdu.data = data;
++	apdu.data = (u8 *)data;
+ 	apdu.datalen = data_len;
+ 	apdu.le = ((outlen >= 256) && !(card->caps & SC_CARD_CAP_APDU_EXT)) ? 256 : outlen;
+ 	apdu.resp    = out;
+@@ -1374,6 +1396,7 @@ pgp_decipher(sc_card_t *card, const u8 *in, size_t inlen,
+ 	struct pgp_priv_data	*priv = DRVDATA(card);
+ 	sc_security_env_t	*env = &priv->sec_env;
+ 	sc_apdu_t	apdu;
++	u8 apdu_case = SC_APDU_CASE_4;
+ 	u8		*temp = NULL;
+ 	int		r;
+ 
+@@ -1398,7 +1421,7 @@ pgp_decipher(sc_card_t *card, const u8 *in, size_t inlen,
+ 	case 0x01: /* Decryption key */
+ 	case 0x02: /* authentication key */
+ 		/* PSO DECIPHER */
+-		sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x80, 0x86);
++		sc_format_apdu(card, &apdu, apdu_case, 0x2A, 0x80, 0x86);
+ 		break;
+ 	case 0x00: /* signature key */
+ 	default:
+@@ -1407,8 +1430,13 @@ pgp_decipher(sc_card_t *card, const u8 *in, size_t inlen,
+ 				"invalid key reference");
+ 	}
+ 
++	/* Gnuk only supports short APDU, so we need to use command chaining */
++	if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) {
++		apdu.flags |= SC_APDU_FLAGS_CHAINING;
++	}
++
+ 	apdu.lc = inlen;
+-	apdu.data = in;
++	apdu.data = (u8 *)in;
+ 	apdu.datalen = inlen;
+ 	apdu.le = ((outlen >= 256) && !(card->caps & SC_CARD_CAP_APDU_EXT)) ? 256 : outlen;
+ 	apdu.resp = out;
+@@ -1794,6 +1822,11 @@ static int pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_in
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
+ 	}
+ 
++	if (card->type == SC_CARD_TYPE_OPENPGP_GNUK && key_info->modulus_len != 2048) {
++		sc_log(card->ctx, "Gnuk does not support other key length than 2048.");
++		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
++	}
++
+ 	/* Set attributes for new-generated key */
+ 	r = pgp_update_new_algo_attr(card, key_info);
+ 	LOG_TEST_RET(card->ctx, r, "Cannot set attributes for new-generated key");
+@@ -1801,7 +1834,9 @@ static int pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_in
+ 	/* Test whether we will need extended APDU. 1900 is an
+ 	 * arbitrary modulus length which for sure fits into a short APDU.
+ 	 * This idea is borrowed from GnuPG code.  */
+-	if (card->caps & SC_CARD_CAP_APDU_EXT && key_info->modulus_len > 1900) {
++	if (card->caps & SC_CARD_CAP_APDU_EXT
++	    && key_info->modulus_len > 1900
++	    && card->type != SC_CARD_TYPE_OPENPGP_GNUK) {
+ 		/* We won't store to apdu variable yet, because it will be reset in
+ 		 * sc_format_apdu() */
+ 		apdu_le = card->max_recv_size;
+diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
+index 0fbf9ca..01b08fd 100644
+--- a/src/libopensc/cards.h
++++ b/src/libopensc/cards.h
+@@ -104,6 +104,7 @@ enum {
+ 	SC_CARD_TYPE_OPENPGP_BASE = 9000,
+ 	SC_CARD_TYPE_OPENPGP_V1,
+ 	SC_CARD_TYPE_OPENPGP_V2,
++	SC_CARD_TYPE_OPENPGP_GNUK,
+ 
+ 	/* jcop driver */
+ 	SC_CARD_TYPE_JCOP_BASE = 10000,
+diff --git a/src/tools/openpgp-tool.c b/src/tools/openpgp-tool.c
+index 7058aaa..8b5e327 100644
+--- a/src/tools/openpgp-tool.c
++++ b/src/tools/openpgp-tool.c
+@@ -32,6 +32,7 @@
+ #include "libopensc/asn1.h"
+ #include "libopensc/cards.h"
+ #include "libopensc/cardctl.h"
++#include "libopensc/log.h"
+ #include "util.h"
+ 
+ #define	OPT_RAW		256
+@@ -216,7 +217,7 @@ static void display_data(const struct ef_name_map *mapping, char *value)
+ 			} else {
+ 				const char *label = mapping->name;
+ 
+-				printf("%s:%*s%s\n", label, 10-strlen(label), "", value);
++				printf("%s:%*s%s\n", label, 10 - (int)strlen(label), "", value);
+ 			}
+ 		}
+ 	}
+@@ -390,6 +391,8 @@ int do_genkey(sc_card_t *card, u8 key_id, unsigned int key_len)
+ 	sc_path_t path;
+ 	sc_file_t *file;
+ 
++	LOG_FUNC_CALLED(card->ctx);
++
+ 	if (key_id < 1 || key_id > 3) {
+ 		printf("Unknown key ID %d.\n", key_id);
+ 		return 1;
+@@ -481,8 +484,10 @@ int main(int argc, char **argv)
+ 
+ 	/* check card type */
+ 	if ((card->type != SC_CARD_TYPE_OPENPGP_V1) &&
+-	    (card->type != SC_CARD_TYPE_OPENPGP_V2)) {
++	    (card->type != SC_CARD_TYPE_OPENPGP_V2) &&
++	    (card->type != SC_CARD_TYPE_OPENPGP_GNUK)) {
+ 		util_error("not an OpenPGP card");
++		sc_log(card->ctx, "Card type %X", card->type);
+ 		exit_status = EXIT_FAILURE;
+ 		goto out;
+ 	}
+-- 
+1.9.3
+

utils/opensc/patches/0002-OpenPGP-Add-Gnuk-in-pkcs15-emulation-layer.patch

@@ -0,0 +1,50 @@
+From ecc6460d17147b37def27a9b776e1fc5a61408d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Fri, 12 Apr 2013 17:24:00 +0700
+Subject: [PATCH 02/18] OpenPGP: Add Gnuk in pkcs15 emulation layer.
+
+---
+ src/libopensc/pkcs15-openpgp.c | 6 ++++--
+ src/libopensc/pkcs15-syn.c     | 1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
+index d9dc074..5a8a1ca 100644
+--- a/src/libopensc/pkcs15-openpgp.c
++++ b/src/libopensc/pkcs15-openpgp.c
+@@ -155,7 +155,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
+ 	u8		c4data[10];
+ 	u8		c5data[70];
+ 	int		r, i;
+-	const pgp_pin_cfg_t *pin_cfg = (card->type == SC_CARD_TYPE_OPENPGP_V2) ? pin_cfg_v2 : pin_cfg_v1;
++	const pgp_pin_cfg_t *pin_cfg = (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK)
++	                               ? pin_cfg_v2 : pin_cfg_v1;
+ 	sc_path_t path;
+ 	sc_file_t *file;
+ 
+@@ -367,7 +368,8 @@ failed:	sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to initialize OpenPGP e
+ 
+ static int openpgp_detect_card(sc_pkcs15_card_t *p15card)
+ {
+-	if (p15card->card->type == SC_CARD_TYPE_OPENPGP_V1 || p15card->card->type == SC_CARD_TYPE_OPENPGP_V2)
++	if (p15card->card->type == SC_CARD_TYPE_OPENPGP_V1 || p15card->card->type == SC_CARD_TYPE_OPENPGP_V2
++	    || p15card->card->type == SC_CARD_TYPE_OPENPGP_GNUK)
+ 		return SC_SUCCESS;
+ 	else
+ 		return SC_ERROR_WRONG_CARD;
+diff --git a/src/libopensc/pkcs15-syn.c b/src/libopensc/pkcs15-syn.c
+index e2f6004..a9f8c0b 100644
+--- a/src/libopensc/pkcs15-syn.c
++++ b/src/libopensc/pkcs15-syn.c
+@@ -112,6 +112,7 @@ int sc_pkcs15_is_emulation_only(sc_card_t *card)
+ 		case SC_CARD_TYPE_GEMSAFEV1_PTEID:
+ 		case SC_CARD_TYPE_OPENPGP_V1:
+ 		case SC_CARD_TYPE_OPENPGP_V2:
++		case SC_CARD_TYPE_OPENPGP_GNUK:
+ 		case SC_CARD_TYPE_SC_HSM:
+ 			return 1;
+ 		default:
+-- 
+1.9.3
+

utils/opensc/patches/0003-OpenPGP-Include-private-DO-to-filesystem-at-driver-i.patch

@@ -0,0 +1,30 @@
+From 5f751ba5628f9d85e9d8dca9939a93f49d2525d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Fri, 22 Mar 2013 17:37:16 +0700
+Subject: [PATCH 03/18] OpenPGP: Include private DO to filesystem at driver
+ initialization.
+
+In old implementation, the DOs which their access is restricted by
+PIN (like DOs 0101 -> 0104) were excluded from the fake filesystem,
+leading to that we cannot read their data later, even if we verified PIN.
+---
+ src/libopensc/card-openpgp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 716052b..ead07ae 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -357,7 +357,7 @@ pgp_init(sc_card_t *card)
+ 
+ 	/* Populate MF - add matching blobs listed in the pgp_objects table. */
+ 	for (info = priv->pgp_objects; (info != NULL) && (info->id > 0); info++) {
+-		if (((info->access & READ_MASK) == READ_ALWAYS) &&
++		if (((info->access & READ_MASK) != READ_NEVER) &&
+ 		    (info->get_fn != NULL)) {
+ 			child = pgp_new_blob(card, priv->mf, info->id, sc_file_new());
+ 
+-- 
+1.9.3
+

utils/opensc/patches/0004-PKCS15-OpenPGP-Declare-DATA-objects.patch

@@ -0,0 +1,82 @@
+From fbf8e392db4456de97796259a62ccb972fe24df8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Tue, 26 Feb 2013 17:37:16 +0700
+Subject: [PATCH 04/18] PKCS15-OpenPGP: Declare DATA objects.
+
+Begin to support read/write DATA object for PKCS-OpenPGP binding.
+This object is used by TrueCrypt.
+---
+ src/libopensc/pkcs15-openpgp.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
+index 5a8a1ca..9f239ef 100644
+--- a/src/libopensc/pkcs15-openpgp.c
++++ b/src/libopensc/pkcs15-openpgp.c
+@@ -36,6 +36,7 @@ typedef USHORT ushort;
+ #endif
+ 
+ int sc_pkcs15emu_openpgp_init_ex(sc_pkcs15_card_t *, sc_pkcs15emu_opt_t *);
++static int sc_pkcs15emu_openpgp_add_data(sc_pkcs15_card_t *);
+ 
+ 
+ #define	PGP_USER_PIN_FLAGS	(SC_PKCS15_PIN_FLAG_CASE_SENSITIVE \
+@@ -45,6 +46,8 @@ int sc_pkcs15emu_openpgp_init_ex(sc_pkcs15_card_t *, sc_pkcs15emu_opt_t *);
+ 				| SC_PKCS15_PIN_FLAG_UNBLOCK_DISABLED \
+ 				| SC_PKCS15_PIN_FLAG_SO_PIN)
+ 
++#define PGP_NUM_PRIVDO       4
++
+ typedef struct _pgp_pin_cfg {
+ 	const char	*label;
+ 	int		reference;
+@@ -359,6 +362,9 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
+ 			goto failed;
+ 	}
+ 
++	/* PKCS#15 DATA object from OpenPGP private DOs */
++	r = sc_pkcs15emu_openpgp_add_data(p15card);
++
+ 	return 0;
+ 
+ failed:	sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to initialize OpenPGP emulation: %s\n",
+@@ -366,6 +372,35 @@ failed:	sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to initialize OpenPGP e
+ 	return r;
+ }
+ 
++static int
++sc_pkcs15emu_openpgp_add_data(sc_pkcs15_card_t *p15card)
++{
++	sc_context_t *ctx = p15card->card->ctx;
++	int i, r;
++
++	LOG_FUNC_CALLED(ctx);
++	/* There is 4 private DO from 0101 to 0104 */
++	for (i = 1; i <= PGP_NUM_PRIVDO; i++) {
++		sc_pkcs15_data_info_t dat_info;
++		sc_pkcs15_object_t dat_obj;
++		char name[8];
++		char path[9];
++		memset(&dat_info, 0, sizeof(dat_info));
++		memset(&dat_obj, 0, sizeof(dat_obj));
++
++		sprintf(name, "PrivDO%d", i);
++		sprintf(path, "3F00010%d", i);
++
++		sc_format_path(path, &dat_info.path);
++		strlcpy(dat_obj.label, name, sizeof(dat_obj.label));
++		strlcpy(dat_info.app_label, name, sizeof(dat_info.app_label));
++
++		sc_log(ctx, "Add %s data object", name);
++		r = sc_pkcs15emu_add_data_object(p15card, &dat_obj, &dat_info);
++	}
++	LOG_FUNC_RETURN(ctx, r);
++}
++
+ static int openpgp_detect_card(sc_pkcs15_card_t *p15card)
+ {
+ 	if (p15card->card->type == SC_CARD_TYPE_OPENPGP_V1 || p15card->card->type == SC_CARD_TYPE_OPENPGP_V2
+-- 
+1.9.3
+

utils/opensc/patches/0005-OpenPGP-Support-erasing-reset-card.patch

@@ -0,0 +1,173 @@
+From 4cdc5f3102f5ad93d263eea2f8206bb5e9fffc6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Mon, 4 Mar 2013 11:28:08 +0700
+Subject: [PATCH 05/18] OpenPGP: Support erasing (reset) card.
+
+Command: openpgp-tool --erase
+---
+ src/libopensc/card-openpgp.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
+ src/tools/openpgp-tool.c     | 23 +++++++++++++++-
+ 2 files changed, 86 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index ead07ae..42a9684 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -2197,6 +2197,66 @@ out:
+ 
+ #endif /* ENABLE_OPENSSL */
+ 
++/**
++ * Erase card
++ **/
++static int pgp_erase_card(sc_card_t *card)
++{
++	sc_context_t *ctx = card->ctx;
++	u8 *apdustring[10] = {
++		"00:20:00:81:08:40:40:40:40:40:40:40:40",
++		"00:20:00:81:08:40:40:40:40:40:40:40:40",
++		"00:20:00:81:08:40:40:40:40:40:40:40:40",
++		"00:20:00:81:08:40:40:40:40:40:40:40:40",
++		"00:20:00:83:08:40:40:40:40:40:40:40:40",
++		"00:20:00:83:08:40:40:40:40:40:40:40:40",
++		"00:20:00:83:08:40:40:40:40:40:40:40:40",
++		"00:20:00:83:08:40:40:40:40:40:40:40:40",
++		"00:e6:00:00",
++		"00:44:00:00"
++	};
++	u8 buf[SC_MAX_APDU_BUFFER_SIZE];
++	u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
++	sc_apdu_t apdu;
++	size_t len0;
++	int commandsnum = 10;
++	int i, r;
++
++	LOG_FUNC_CALLED(ctx);
++
++	/* Check card version */
++	if (card->type != SC_CARD_TYPE_OPENPGP_V2) {
++		sc_log(ctx, "Card is not OpenPGP v2");
++		LOG_FUNC_RETURN(ctx, SC_ERROR_NO_CARD_SUPPORT);
++	}
++	sc_log(ctx, "Card is OpenPGP v2. Erase card.");
++
++	/* Iterate over 10 commands above */
++	for (i = 0; i < commandsnum; i++) {
++		/* Convert the string to binary array */
++		len0 = sizeof(buf);
++		sc_hex_to_bin(apdustring[i], buf, &len0);
++		printf("Sending: ");
++		for (r = 0; r < len0; r++)
++			printf("%02X ", buf[r]);
++		printf("\n");
++
++		/* Build APDU from binary array */
++		r = sc_bytes2apdu(card->ctx, buf, len0, &apdu);
++		if (r) {
++			sc_log(ctx, "Failed to build APDU");
++			LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);
++		}
++		apdu.resp = rbuf;
++		apdu.resplen = sizeof(rbuf);
++
++		/* Send APDU to card */
++		r = sc_transmit_apdu(card, &apdu);
++		LOG_TEST_RET(ctx, r, "Transmiting APDU failed");
++	}
++	LOG_FUNC_RETURN(ctx, r);
++}
++
+ /* ABI: card ctl: perform special card-specific operations */
+ static int pgp_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
+ {
+@@ -2221,6 +2281,10 @@ static int pgp_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
+ 		LOG_FUNC_RETURN(card->ctx, r);
+ 		break;
+ #endif /* ENABLE_OPENSSL */
++	case SC_CARDCTL_ERASE_CARD:
++		r = pgp_erase_card(card);
++		LOG_FUNC_RETURN(card->ctx, r);
++		break;
+ 	}
+ 
+ 	LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
+diff --git a/src/tools/openpgp-tool.c b/src/tools/openpgp-tool.c
+index 8b5e327..0d360a3 100644
+--- a/src/tools/openpgp-tool.c
++++ b/src/tools/openpgp-tool.c
+@@ -76,6 +76,7 @@ static int opt_verify = 0;
+ static char *verifytype = NULL;
+ static int opt_pin = 0;
+ static char *pin = NULL;
++static int opt_erase = 0;
+ 
+ static const char *app_name = "openpgp-tool";
+ 
+@@ -92,6 +93,7 @@ static const struct option options[] = {
+ 	{ "help",      no_argument,       NULL, 'h'        },
+ 	{ "verbose",   no_argument,       NULL, 'v'        },
+ 	{ "version",   no_argument,       NULL, 'V'        },
++	{ "erase",     no_argument,       NULL, 'E'        },
+ 	{ "verify",    required_argument, NULL, OPT_VERIFY },
+ 	{ "pin",       required_argument, NULL, OPT_PIN },
+ 	{ NULL, 0, NULL, 0 }
+@@ -110,6 +112,7 @@ static const char *option_help[] = {
+ /* h */	"Print this help message",
+ /* v */	"Verbose operation. Use several times to enable debug output.",
+ /* V */	"Show version number",
++/* E */	"Erase (reset) the card",
+ 	"Verify PIN (CHV1, CHV2, CHV3...)",
+ 	"PIN string"
+ };
+@@ -228,7 +231,7 @@ static int decode_options(int argc, char **argv)
+ {
+ 	int c;
+ 
+-	while ((c = getopt_long(argc, argv,"r:x:CUG:L:hwvV", options, (int *) 0)) != EOF) {
++	while ((c = getopt_long(argc, argv,"r:x:CUG:L:hwvVE", options, (int *) 0)) != EOF) {
+ 		switch (c) {
+ 		case 'r':
+ 			opt_reader = optarg;
+@@ -288,6 +291,9 @@ static int decode_options(int argc, char **argv)
+ 			show_version();
+ 			exit(EXIT_SUCCESS);
+ 			break;
++		case 'E':
++			opt_erase++;
++			break;
+ 		default:
+ 			util_print_usage_and_die(app_name, options, option_help, NULL);
+ 		}
+@@ -446,6 +452,18 @@ int do_verify(sc_card_t *card, u8 *type, u8* pin)
+ 	return r;
+ }
+ 
++int do_erase(sc_card_t *card)
++{
++	int r;
++	/* Check card version */
++	if (card->type != SC_CARD_TYPE_OPENPGP_V2) {
++		printf("Do not erase card which is not OpenPGP v2\n");
++	}
++	printf("Erase card\n");
++	r = sc_card_ctl(card, SC_CARDCTL_ERASE_CARD, NULL);
++	return r;
++}
++
+ int main(int argc, char **argv)
+ {
+ 	sc_context_t *ctx = NULL;
+@@ -521,6 +539,9 @@ int main(int argc, char **argv)
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	if (opt_erase)
++		exit_status != do_erase(card);
++
+ out:
+ 	sc_unlock(card);
+ 	sc_disconnect_card(card);
+-- 
+1.9.3
+

utils/opensc/patches/0006-openpgp-tool-Support-deleting-key-in-Gnuk.patch

@@ -0,0 +1,210 @@
+From bbbedd3b358f80a7f98df2b22cf541cb007dd62e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Mon, 4 Mar 2013 18:13:03 +0700
+Subject: [PATCH 06/18] openpgp-tool: Support deleting key in Gnuk.
+
+---
+ src/tools/openpgp-tool.c | 144 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 143 insertions(+), 1 deletion(-)
+
+diff --git a/src/tools/openpgp-tool.c b/src/tools/openpgp-tool.c
+index 0d360a3..239c86b 100644
+--- a/src/tools/openpgp-tool.c
++++ b/src/tools/openpgp-tool.c
+@@ -39,6 +39,7 @@
+ #define	OPT_PRETTY	257
+ #define	OPT_VERIFY	258
+ #define	OPT_PIN	    259
++#define	OPT_DELKEY  260
+ 
+ /* define structures */
+ struct ef_name_map {
+@@ -77,6 +78,7 @@ static char *verifytype = NULL;
+ static int opt_pin = 0;
+ static char *pin = NULL;
+ static int opt_erase = 0;
++static int opt_delkey = 0;
+ 
+ static const char *app_name = "openpgp-tool";
+ 
+@@ -96,6 +98,7 @@ static const struct option options[] = {
+ 	{ "erase",     no_argument,       NULL, 'E'        },
+ 	{ "verify",    required_argument, NULL, OPT_VERIFY },
+ 	{ "pin",       required_argument, NULL, OPT_PIN },
++	{ "del-key",   required_argument, NULL, OPT_DELKEY },
+ 	{ NULL, 0, NULL, 0 }
+ };
+ 
+@@ -114,7 +117,8 @@ static const char *option_help[] = {
+ /* V */	"Show version number",
+ /* E */	"Erase (reset) the card",
+ 	"Verify PIN (CHV1, CHV2, CHV3...)",
+-	"PIN string"
++	"PIN string",
++	"Delete key (1, 2, 3 or all)"
+ };
+ 
+ static const struct ef_name_map openpgp_data[] = {
+@@ -294,6 +298,14 @@ static int decode_options(int argc, char **argv)
+ 		case 'E':
+ 			opt_erase++;
+ 			break;
++		case OPT_DELKEY:
++			opt_delkey++;
++			if (strcmp(optarg, "all") != 0)   /* Arg string is not 'all' */
++				key_id = optarg[0] - '0';
++			else                              /* Arg string is 'all' */
++				key_id = 'a';
++			actions++;
++			break;
+ 		default:
+ 			util_print_usage_and_die(app_name, options, option_help, NULL);
+ 		}
+@@ -452,6 +464,133 @@ int do_verify(sc_card_t *card, u8 *type, u8* pin)
+ 	return r;
+ }
+ 
++/**
++ * Delete key, for Gnuk.
++ **/
++int delete_key_gnuk(sc_card_t *card, u8 key_id)
++{
++	sc_context_t *ctx = card->ctx;
++	int r = SC_SUCCESS;
++	u8 *data = NULL;
++
++	/* Delete fingerprint */
++	sc_log(ctx, "Delete fingerprints");
++	r |= sc_put_data(card, 0xC6 + key_id, NULL, 0);
++	/* Delete creation time */
++	sc_log(ctx, "Delete creation time");
++	r |= sc_put_data(card, 0xCD + key_id, NULL, 0);
++
++	/* Rewrite Extended Header List */
++	sc_log(ctx, "Rewrite Extended Header List");
++
++	if (key_id == 1)
++		data = "\x4D\x02\xB6";
++	else if (key_id == 2)
++		data = "\x4D\x02\xB8";
++	else if (key_id == 3)
++		data = "\x4D\x02\xA4";
++	else
++		return SC_ERROR_INVALID_ARGUMENTS;
++
++	r |= sc_put_data(card, 0x4D, data, strlen(data) + 1);
++	return r;
++}
++
++/**
++ * Delete key, for OpenPGP card.
++ * This function is not complete and is reserved for future version (> 2) of OpenPGP card.
++ **/
++int delete_key_openpgp(sc_card_t *card, u8 key_id)
++{
++	sc_context_t *ctx = card->ctx;
++	char *del_fingerprint = "00:DA:00:C6:14:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00";
++	char *del_creationtime = "00:DA:00:CD:04:00:00:00:00";
++	/* We need to replace the 4th byte later */
++	char *apdustring = NULL;
++	u8 buf[SC_MAX_APDU_BUFFER_SIZE];
++	u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
++	sc_apdu_t apdu;
++	size_t len0;
++	int i;
++	int r = SC_SUCCESS;
++
++	for (i = 0; i < 2; i++) {
++		if (i == 0)    /* Reset fingerprint */
++			apdustring = del_fingerprint;
++		else           /* Reset creation time */
++			apdustring = del_creationtime;
++		/* Convert the string to binary array */
++		len0 = sizeof(buf);
++		sc_hex_to_bin(apdustring, buf, &len0);
++
++		/* Replace DO tag, subject to key ID */
++		buf[3] = buf[3] + key_id;
++
++		/* Build APDU from binary array */
++		r = sc_bytes2apdu(card->ctx, buf, len0, &apdu);
++		if (r) {
++			sc_log(ctx, "Failed to build APDU");
++			LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);
++		}
++		apdu.resp = rbuf;
++		apdu.resplen = sizeof(rbuf);
++
++		/* Send APDU to card */
++		r = sc_transmit_apdu(card, &apdu);
++		LOG_TEST_RET(ctx, r, "Transmiting APDU failed");
++	}
++	/* TODO: Rewrite Extended Header List.
++	 * Not support by OpenGPG v2 yet */
++	LOG_FUNC_RETURN(ctx, r);
++}
++
++int delete_key(sc_card_t *card, u8 key_id)
++{
++	sc_context_t *ctx = card->ctx;
++	int r;
++
++	LOG_FUNC_CALLED(ctx);
++	/* Check key ID */
++	if (key_id < 1 || key_id > 3) {
++		sc_log(ctx, "Invalid key ID %d", key_id);
++		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
++	}
++
++	if (card->type == SC_CARD_TYPE_OPENPGP_GNUK)
++		r = delete_key_gnuk(card, key_id);
++	else
++		r = delete_key_openpgp(card, key_id);
++
++	LOG_FUNC_RETURN(ctx, r);
++}
++
++int do_delete_key(sc_card_t *card, u8 key_id)
++{
++	sc_context_t *ctx = card->ctx;
++	int r = SC_SUCCESS;
++
++	/* Currently, only Gnuk supports deleting keys */
++	if (card->type != SC_CARD_TYPE_OPENPGP_GNUK) {
++		printf("Only Gnuk supports deleting keys. General OpenPGP doesn't.");
++		return SC_ERROR_NOT_SUPPORTED;
++	}
++
++	if (key_id < 1 || (key_id > 3 && key_id != 'a')) {
++		printf("Error: Invalid key id %d", key_id);
++		return SC_ERROR_INVALID_ARGUMENTS;
++	}
++	if (key_id == 1 || key_id == 'a') {
++		r |= delete_key(card, 1);
++	}
++	if (key_id == 2 || key_id == 'a') {
++		r |= delete_key(card, 2);
++	}
++	if (key_id == 3 || key_id == 'a') {
++		r |= delete_key(card, 3);
++	}
++	return r;
++}
++
+ int do_erase(sc_card_t *card)
+ {
+ 	int r;
+@@ -539,6 +678,9 @@ int main(int argc, char **argv)
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	if (opt_delkey)
++		exit_status != do_delete_key(card, key_id);
++
+ 	if (opt_erase)
+ 		exit_status != do_erase(card);
+ 
+-- 
+1.9.3
+

utils/opensc/patches/0007-OpenPGP-Correct-building-Extended-Header-List-when-i.patch

@@ -0,0 +1,27 @@
+From b6bc7a497e1fe20104f923de1092a35d137ba553 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Mon, 4 Mar 2013 18:14:51 +0700
+Subject: [PATCH 07/18] OpenPGP: Correct building Extended Header List when
+ importing keys.
+
+---
+ src/libopensc/card-openpgp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 42a9684..47c1938 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -1978,7 +1978,7 @@ pgp_build_extended_header_list(sc_card_t *card, sc_cardctl_openpgp_keystore_info
+ 	u8 *p = NULL;
+ 	u8 *components[] = {key_info->e, key_info->p, key_info->q, key_info->n};
+ 	size_t componentlens[] = {key_info->e_len, key_info->p_len, key_info->q_len, key_info->n_len};
+-	unsigned int componenttags[] = {0x91, 0x92, 0x93, 0x95};
++	unsigned int componenttags[] = {0x91, 0x92, 0x93, 0x97};
+ 	char *componentnames[] = {
+ 		"public exponent",
+ 		"prime p",
+-- 
+1.9.3
+

utils/opensc/patches/0008-OpenPGP-Read-some-empty-DOs-from-Gnuk.patch

@@ -0,0 +1,58 @@
+From d1b8d3588336abac4876c1d537d8e8e5e578bc02 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Mon, 25 Mar 2013 11:58:38 +0700
+Subject: [PATCH 08/18] OpenPGP: Read some empty DOs from Gnuk.
+
+In Gnuk, some empty DOs are returned as not exist, instead of existing with empty value.
+So, we will consider them exist in driver.
+---
+ src/libopensc/card-openpgp.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 47c1938..9b08bbb 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -813,6 +813,23 @@ pgp_get_blob(sc_card_t *card, struct blob *blob, unsigned int id,
+ 		}
+ 	}
+ 
++	/* This part is for "NOT FOUND" cases */
++
++	/* Special case:
++	 * Gnuk does not have default value for children of DO 65 (DOs 5B, 5F2D, 5F35)
++	 * So, if these blob was not found, we create it. */
++	if (blob->id == 0x65 && (id == 0x5B || id == 0x5F2D || id == 0x5F35)) {
++		sc_log(card->ctx, "Create blob %X under %X", id, blob->id);
++		child = pgp_new_blob(card, blob, id, sc_file_new());
++		if (child) {
++			pgp_set_blob(child, NULL, 0);
++			*ret = child;
++			return SC_SUCCESS;
++		}
++		else
++			sc_log(card->ctx, "Not enough memory to create blob for DO %X");
++	}
++
+ 	return SC_ERROR_FILE_NOT_FOUND;
+ }
+ 
+@@ -1147,6 +1164,14 @@ pgp_get_data(sc_card_t *card, unsigned int tag, u8 *buf, size_t buf_len)
+ 	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+ 
+ 	r = sc_check_sw(card, apdu.sw1, apdu.sw2);
++
++	/* For Gnuk card, if there is no certificate, it returns error instead of empty data.
++	 * So, for this case, we ignore error and consider success */
++	if (r == SC_ERROR_DATA_OBJECT_NOT_FOUND && card->type == SC_CARD_TYPE_OPENPGP_GNUK
++        && (tag == DO_CERT || tag == 0x0101 || tag == 0x0102 || tag == 0x0103 || tag == 0x0104)) {
++		r = SC_SUCCESS;
++		apdu.resplen = 0;
++	}
+ 	LOG_TEST_RET(card->ctx, r, "Card returned error");
+ 
+ 	LOG_FUNC_RETURN(card->ctx, apdu.resplen);
+-- 
+1.9.3
+

utils/opensc/patches/0009-PKCS15-OpenPGP-Do-not-show-empty-DO-in-pkcs15-emu_in.patch

@@ -0,0 +1,53 @@
+From 6a4457cde65ef44f05b0689415ae7165b06fb8bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Wed, 27 Mar 2013 11:38:42 +0700
+Subject: [PATCH 09/18] PKCS15-OpenPGP: Do not show empty DO in pkcs15
+ emu_init.
+
+---
+ src/libopensc/pkcs15-openpgp.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
+index 9f239ef..850dd74 100644
+--- a/src/libopensc/pkcs15-openpgp.c
++++ b/src/libopensc/pkcs15-openpgp.c
+@@ -385,16 +385,34 @@ sc_pkcs15emu_openpgp_add_data(sc_pkcs15_card_t *p15card)
+ 		sc_pkcs15_object_t dat_obj;
+ 		char name[8];
+ 		char path[9];
++		u8 content[254];
+ 		memset(&dat_info, 0, sizeof(dat_info));
+ 		memset(&dat_obj, 0, sizeof(dat_obj));
+ 
+ 		sprintf(name, "PrivDO%d", i);
+ 		sprintf(path, "3F00010%d", i);
+ 
++		/* Check if the DO can be read.
++		 * We won't expose pkcs15 DATA object if DO is empty.
++		 */
++		r = read_file(p15card->card, path, content, sizeof(content));
++		if (r <= 0 ) {
++			sc_log(ctx, "Cannot read DO 010%d or there is no data in it", i);
++			/* Skip */
++			continue;
++		}
+ 		sc_format_path(path, &dat_info.path);
+ 		strlcpy(dat_obj.label, name, sizeof(dat_obj.label));
+ 		strlcpy(dat_info.app_label, name, sizeof(dat_info.app_label));
+ 
++		/* Add DATA object to slot protected by PIN2 (PW1 with Ref 0x82) */
++		dat_obj.flags = SC_PKCS15_CO_FLAG_PRIVATE | SC_PKCS15_CO_FLAG_MODIFIABLE;
++		dat_obj.auth_id.len = 1;
++		if (i == 1 || i == 3)
++			dat_obj.auth_id.value[0] = 2;
++		else
++			dat_obj.auth_id.value[0] = 3;
++
+ 		sc_log(ctx, "Add %s data object", name);
+ 		r = sc_pkcs15emu_add_data_object(p15card, &dat_obj, &dat_info);
+ 	}
+-- 
+1.9.3
+

utils/opensc/patches/0010-PKCS15-OpenPGP-Allow-to-store-data-to-pkcs15-data-ob.patch

@@ -0,0 +1,91 @@
+From 88ded8fc5802c073caa71b649cee5a3116699b2a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Wed, 27 Mar 2013 11:39:33 +0700
+Subject: [PATCH 10/18] PKCS15-OpenPGP: Allow to store data to pkcs15 data
+ object.
+
+Only one DO is supported now.
+---
+ src/libopensc/pkcs15-openpgp.c  |  2 +-
+ src/pkcs15init/pkcs15-openpgp.c | 38 +++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-openpgp.c b/src/libopensc/pkcs15-openpgp.c
+index 850dd74..b701041 100644
+--- a/src/libopensc/pkcs15-openpgp.c
++++ b/src/libopensc/pkcs15-openpgp.c
+@@ -397,7 +397,7 @@ sc_pkcs15emu_openpgp_add_data(sc_pkcs15_card_t *p15card)
+ 		 */
+ 		r = read_file(p15card->card, path, content, sizeof(content));
+ 		if (r <= 0 ) {
+-			sc_log(ctx, "Cannot read DO 010%d or there is no data in it", i);
++			sc_log(ctx, "No data get from DO 010%d", i);
+ 			/* Skip */
+ 			continue;
+ 		}
+diff --git a/src/pkcs15init/pkcs15-openpgp.c b/src/pkcs15init/pkcs15-openpgp.c
+index f3a4962..1455580 100755
+--- a/src/pkcs15init/pkcs15-openpgp.c
++++ b/src/pkcs15init/pkcs15-openpgp.c
+@@ -236,13 +236,16 @@ static int openpgp_emu_update_tokeninfo(sc_profile_t *profile, sc_pkcs15_card_t
+ }
+ 
+ static int openpgp_store_data(struct sc_pkcs15_card *p15card, struct sc_profile *profile,
+-                              struct sc_pkcs15_object *obj,	struct sc_pkcs15_der *content,
++                              struct sc_pkcs15_object *obj, struct sc_pkcs15_der *content,
+                               struct sc_path *path)
+ {
+ 	sc_card_t *card = p15card->card;
++	sc_context_t *ctx = card->ctx;
+ 	sc_file_t *file;
+ 	sc_pkcs15_cert_info_t *cinfo;
+ 	sc_pkcs15_id_t *cid;
++	sc_pkcs15_data_info_t *dinfo;
++	u8 buf[254];
+ 	int r;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+@@ -282,6 +285,39 @@ static int openpgp_store_data(struct sc_pkcs15_card *p15card, struct sc_profile
+ 			                     content->len, 0);
+ 		break;
+ 
++	case SC_PKCS15_TYPE_DATA_OBJECT:
++		dinfo = (sc_pkcs15_data_info_t *) obj->data;
++		/* dinfo->app_label contains filename */
++		sc_log(ctx, "===== App label %s", dinfo->app_label);
++		/* Currently, we only support DO 0101. The reason is that when initializing this
++		 * pkcs15 emulation, PIN authentication is not applied and we can expose only this DO,
++		 * which is "read always".
++		 * If we support other DOs, they will not be exposed, and not helpful to user.
++		 * I haven't found a way to refresh the list of exposed DOs after verifying PIN yet.
++		 * http://sourceforge.net/mailarchive/message.php?msg_id=30646373
++		 **/
++		sc_log(ctx, "About to write to DO 0101");
++		sc_format_path("0101", path);
++		r = sc_select_file(card, path, &file);
++		LOG_TEST_RET(card->ctx, r, "Cannot select private DO");
++		r = sc_read_binary(card, 0, buf, sizeof(buf), 0);
++		if (r < 0) {
++			sc_log(ctx, "Cannot read DO 0101");
++			break;
++		}
++		if (r > 0) {
++			sc_log(ctx, "DO 0101 is full.");
++			r = SC_ERROR_TOO_MANY_OBJECTS;
++			break;
++		}
++		r = sc_pkcs15init_authenticate(profile, p15card, file, SC_AC_OP_UPDATE);
++		if (r >= 0 && content->len) {
++			r = sc_update_binary(p15card->card, 0,
++			                     (const unsigned char *) content->value,
++			                     content->len, 0);
++		}
++		break;
++
+ 	default:
+ 		r = SC_ERROR_NOT_IMPLEMENTED;
+ 	}
+-- 
+1.9.3
+

utils/opensc/patches/0011-OpenPGP-Provide-enough-buffer-to-read-pubkey-from-Gn.patch

@@ -0,0 +1,87 @@
+From 7231ee09bb628f0401939778decce818ef6e3665 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Fri, 5 Apr 2013 17:18:50 +0700
+Subject: [PATCH 11/18] OpenPGP: Provide enough buffer to read pubkey from
+ Gnuk.
+
+---
+ src/libopensc/card-openpgp.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 9b08bbb..8a1a270 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -263,7 +263,12 @@ static struct do_info		pgp2_objects[] = {	/* OpenPGP card spec 2.0 */
+ 
+ /* The DO holding X.509 certificate is constructed but does not contain child DO.
+  * We should notice this when building fake file system later. */
+-#define DO_CERT		0x7f21
++#define DO_CERT                  0x7f21
++/* Maximum length for response buffer when reading pubkey. This value is calculated with
++ * 4096-bit key length */
++#define MAXLEN_RESP_PUBKEY       527
++/* Gnuk only support 1 key length (2048 bit) */
++#define MAXLEN_RESP_PUBKEY_GNUK  271
+ 
+ #define DRVDATA(card)        ((struct pgp_priv_data *) ((card)->drv_data))
+ struct pgp_priv_data {
+@@ -729,6 +734,14 @@ pgp_read_blob(sc_card_t *card, struct blob *blob)
+ 		u8 	buffer[2048];
+ 		size_t	buf_len = (card->caps & SC_CARD_CAP_APDU_EXT)
+ 				  ? sizeof(buffer) : 256;
++
++		/* Buffer length for Gnuk pubkey */
++		if (card->type == SC_CARD_TYPE_OPENPGP_GNUK &&
++		    (blob->id == 0xa400 || blob->id == 0xb600 || blob->id == 0xb800
++		     || blob->id == 0xa401 || blob->id == 0xb601 || blob->id == 0xb801)) {
++			buf_len = MAXLEN_RESP_PUBKEY_GNUK;
++		}
++
+ 		int	r = blob->info->get_fn(card, blob->id, buffer, buf_len);
+ 
+ 		if (r < 0) {	/* an error occurred */
+@@ -1830,6 +1843,7 @@ static int pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_in
+ 	u8 apdu_case;
+ 	u8 *apdu_data;
+ 	size_t apdu_le;
++	size_t resplen = 0;
+ 	int r = SC_SUCCESS;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+@@ -1868,23 +1882,27 @@ static int pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_in
+ 		apdu_case = SC_APDU_CASE_4_EXT;
+ 	}
+ 	else {
+-		apdu_le = 256;
+ 		apdu_case = SC_APDU_CASE_4_SHORT;
++		apdu_le = 256;
++		resplen = MAXLEN_RESP_PUBKEY;
++	}
++	if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) {
++		resplen = MAXLEN_RESP_PUBKEY_GNUK;
+ 	}
+ 
+ 	/* Prepare APDU */
+-	sc_format_apdu(card, &apdu, apdu_case, 0x47, 0x80,  0);
++	sc_format_apdu(card, &apdu, apdu_case, 0x47, 0x80, 0);
+ 	apdu.data = apdu_data;
+ 	apdu.datalen = 2;  /* Data = B600 */
+ 	apdu.lc = 2;
+ 	apdu.le = apdu_le;
+ 
+ 	/* Buffer to receive response */
+-	apdu.resp = calloc(apdu.le, 1);
++	apdu.resplen = (resplen > 0) ? resplen : apdu_le;
++	apdu.resp = calloc(apdu.resplen, 1);
+ 	if (apdu.resp == NULL) {
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_ENOUGH_MEMORY);
+ 	}
+-	apdu.resplen = apdu.le;
+ 
+ 	/* Send */
+ 	sc_log(card->ctx, "Waiting for the card to generate key...");
+-- 
+1.9.3
+

utils/opensc/patches/0012-OpenPGP-Support-write-certificate-for-Gnuk.patch

@@ -0,0 +1,220 @@
+From d8f63eb6fcc1441c12a44850da2fa22a6fe81634 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Thu, 11 Apr 2013 11:47:51 +0700
+Subject: [PATCH 12/18] OpenPGP: Support write certificate for Gnuk.
+
+---
+ src/libopensc/card-openpgp.c | 158 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 123 insertions(+), 35 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 8a1a270..d9db948 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -725,6 +725,8 @@ pgp_iterate_blobs(struct blob *blob, int level, void (*func)())
+ static int
+ pgp_read_blob(sc_card_t *card, struct blob *blob)
+ {
++	struct pgp_priv_data *priv = DRVDATA (card);
++
+ 	if (blob->data != NULL)
+ 		return SC_SUCCESS;
+ 	if (blob->info == NULL)
+@@ -735,6 +737,11 @@ pgp_read_blob(sc_card_t *card, struct blob *blob)
+ 		size_t	buf_len = (card->caps & SC_CARD_CAP_APDU_EXT)
+ 				  ? sizeof(buffer) : 256;
+ 
++		/* Buffer length for certificate */
++		if (blob->id == DO_CERT && priv->max_cert_size > 0) {
++			buf_len = MIN(priv->max_cert_size, sizeof(buffer));
++		}
++
+ 		/* Buffer length for Gnuk pubkey */
+ 		if (card->type == SC_CARD_TYPE_OPENPGP_GNUK &&
+ 		    (blob->id == 0xa400 || blob->id == 0xb600 || blob->id == 0xb800
+@@ -1190,49 +1197,75 @@ pgp_get_data(sc_card_t *card, unsigned int tag, u8 *buf, size_t buf_len)
+ 	LOG_FUNC_RETURN(card->ctx, apdu.resplen);
+ }
+ 
+-/* ABI: PUT DATA */
+-static int
+-pgp_put_data(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len)
++
++/* Internal: Write certificate for Gnuk */
++static int gnuk_write_certificate(sc_card_t *card, const u8 *buf, size_t length)
+ {
++	sc_context_t *ctx = card->ctx;
++	size_t i = 0;
+ 	sc_apdu_t apdu;
++	u8 *part;
++	size_t plen;
++	int r = SC_SUCCESS;
++
++	LOG_FUNC_CALLED(ctx);
++
++	/* If null data is passed, delete certificate */
++	if (buf == NULL || length == 0) {
++		sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xD6, 0x85, 0);
++		r = sc_transmit_apdu(card, &apdu);
++		LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
++		/* Check response */
++		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
++		LOG_FUNC_RETURN(card->ctx, length);
++	}
++
++	/* Ref: gnuk_put_binary_libusb.py and gnuk_token.py in Gnuk source tree */
++	/* Split data to segments of 256 bytes. Send each segment via command chaining,
++	 * with particular P1 byte for each segment */
++	while (i*256 < length) {
++		part = (u8 *)buf + i*256;
++		plen = MIN(length - i*256, 256);
++
++		sc_log(card->ctx, "Write part %d from offset 0x%X, len %d", i+1, part, plen);
++
++		if (i == 0) {
++			sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xD6, 0x85, 0);
++		}
++		else {
++			sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xD6, i, 0);
++		}
++		apdu.flags |= SC_APDU_FLAGS_CHAINING;
++		apdu.data = part;
++		apdu.datalen = apdu.lc = plen;
++
++		r = sc_transmit_apdu(card, &apdu);
++		LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
++		/* Check response */
++		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
++		LOG_TEST_RET(card->ctx, r, "UPDATE BINARY returned error");
++
++		/* To next part */
++		i++;
++	}
++	LOG_FUNC_RETURN(card->ctx, length);
++}
++
++
++/* Internal: Use PUT DATA command to write */
++static int
++pgp_put_data_plain(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len)
++{
+ 	struct pgp_priv_data *priv = DRVDATA(card);
+-	struct blob *affected_blob = NULL;
+-	struct do_info *dinfo = NULL;
++	sc_context_t *ctx = card->ctx;
++	sc_apdu_t apdu;
+ 	u8 ins = 0xDA;
+ 	u8 p1 = tag >> 8;
+ 	u8 p2 = tag & 0xFF;
+ 	u8 apdu_case = SC_APDU_CASE_3;
+ 	int r;
+ 
+-	LOG_FUNC_CALLED(card->ctx);
+-
+-	/* Check if the tag is writable */
+-	affected_blob = pgp_find_blob(card, tag);
+-
+-	/* Non-readable DOs have no represented blob, we have to check from pgp_get_info_by_tag */
+-	if (affected_blob == NULL)
+-		dinfo = pgp_get_info_by_tag(card, tag);
+-	else
+-		dinfo = affected_blob->info;
+-
+-	if (dinfo == NULL) {
+-		sc_log(card->ctx, "The DO %04X does not exist.", tag);
+-		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
+-	}
+-	else if ((dinfo->access & WRITE_MASK) == WRITE_NEVER) {
+-		sc_log(card->ctx, "DO %04X is not writable.", tag);
+-		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_ALLOWED);
+-	}
+-
+-	/* Check data size.
+-	 * We won't check other DOs than 7F21 (certificate), because their capacity
+-	 * is hard-codded and may change in various version of the card. If we check here,
+-	 * the driver may be sticked to a limit version number of card.
+-	 * 7F21 size is soft-coded, so we can check it. */
+-	if (tag == DO_CERT && buf_len > priv->max_cert_size) {
+-		sc_log(card->ctx, "Data size %ld exceeds DO size limit %ld.", buf_len, priv->max_cert_size);
+-		LOG_FUNC_RETURN(card->ctx, SC_ERROR_WRONG_LENGTH);
+-	}
++	LOG_FUNC_CALLED(ctx);
+ 
+ 	/* Extended Header list (004D DO) needs a variant of PUT DATA command */
+ 	if (tag == 0x004D) {
+@@ -1258,15 +1291,70 @@ pgp_put_data(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len)
+ 		apdu.lc = buf_len;
+ 	}
+ 	else {
++		/* This case is to empty DO */
+ 		sc_format_apdu(card, &apdu, SC_APDU_CASE_1, ins, p1, p2);
+ 	}
+ 
+ 	/* Send APDU to card */
+ 	r = sc_transmit_apdu(card, &apdu);
+-	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
++	LOG_TEST_RET(ctx, r, "APDU transmit failed");
+ 	/* Check response */
+ 	r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ 
++	if (r < 0)
++		LOG_FUNC_RETURN(ctx, r);
++
++	LOG_FUNC_RETURN(ctx, buf_len);
++}
++
++/* ABI: PUT DATA */
++static int
++pgp_put_data(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len)
++{
++	struct pgp_priv_data *priv = DRVDATA(card);
++	struct blob *affected_blob = NULL;
++	struct do_info *dinfo = NULL;
++	int r;
++
++	LOG_FUNC_CALLED(card->ctx);
++
++	/* Check if the tag is writable */
++	if (priv->current->id != tag)
++		affected_blob = pgp_find_blob(card, tag);
++
++	/* Non-readable DOs have no represented blob, we have to check from pgp_get_info_by_tag */
++	if (affected_blob == NULL)
++		dinfo = pgp_get_info_by_tag(card, tag);
++	else
++		dinfo = affected_blob->info;
++
++	if (dinfo == NULL) {
++		sc_log(card->ctx, "The DO %04X does not exist.", tag);
++		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
++	}
++	else if ((dinfo->access & WRITE_MASK) == WRITE_NEVER) {
++		sc_log(card->ctx, "DO %04X is not writable.", tag);
++		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_ALLOWED);
++	}
++
++	/* Check data size.
++	 * We won't check other DOs than 7F21 (certificate), because their capacity
++	 * is hard-codded and may change in various version of the card. If we check here,
++	 * the driver may be sticked to a limit version number of card.
++	 * 7F21 size is soft-coded, so we can check it. */
++	if (tag == DO_CERT && buf_len > priv->max_cert_size) {
++		sc_log(card->ctx, "Data size %ld exceeds DO size limit %ld.", buf_len, priv->max_cert_size);
++		LOG_FUNC_RETURN(card->ctx, SC_ERROR_WRONG_LENGTH);
++	}
++
++	if (tag == DO_CERT && card->type == SC_CARD_TYPE_OPENPGP_GNUK) {
++		/* Gnuk need a special way to write certificate. */
++		r = gnuk_write_certificate(card, buf, buf_len);
++	}
++	else {
++		r = pgp_put_data_plain(card, tag, buf, buf_len);
++	}
++
+ 	/* Instruct more in case of error */
+ 	if (r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
+ 		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Please verify PIN first.");
+-- 
+1.9.3
+

utils/opensc/patches/0013-pkcs15-openpgp-Change-to-sc_put_data-instead-of-sc_u.patch

@@ -0,0 +1,31 @@
+From e5c94d3f1f7e6a96a98815d6e51190498c357fb6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Wed, 10 Apr 2013 18:35:58 +0700
+Subject: [PATCH 13/18] pkcs15-openpgp: Change to sc_put_data instead of
+ sc_update_binary when writing certificate.
+
+---
+ src/pkcs15init/pkcs15-openpgp.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-openpgp.c b/src/pkcs15init/pkcs15-openpgp.c
+index 1455580..be1291e 100755
+--- a/src/pkcs15init/pkcs15-openpgp.c
++++ b/src/pkcs15init/pkcs15-openpgp.c
+@@ -279,10 +279,9 @@ static int openpgp_store_data(struct sc_pkcs15_card *p15card, struct sc_profile
+ 		r = sc_select_file(card, path, &file);
+ 		LOG_TEST_RET(card->ctx, r, "Cannot select cert file");
+ 		r = sc_pkcs15init_authenticate(profile, p15card, file, SC_AC_OP_UPDATE);
++		sc_log(card->ctx, "Data to write is %d long", content->len);
+ 		if (r >= 0 && content->len)
+-			r = sc_update_binary(p15card->card, 0,
+-			                     (const unsigned char *) content->value,
+-			                     content->len, 0);
++			r = sc_put_data(p15card->card, 0x7F21, (const unsigned char *) content->value, content->len);
+ 		break;
+ 
+ 	case SC_PKCS15_TYPE_DATA_OBJECT:
+-- 
+1.9.3
+

utils/opensc/patches/0014-OpenPGP-Overcome-the-restriction-of-even-data-length.patch

@@ -0,0 +1,53 @@
+From df8a78e3c8c9d9d591c0d3fa31db7e010eb2c8c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Thu, 11 Apr 2013 16:18:31 +0700
+Subject: [PATCH 14/18] OpenPGP: Overcome the restriction of even data length
+ of Gnuk.
+
+When write certificate with odd length to Gnuk, we add zero padding to make it even.
+---
+ src/libopensc/card-openpgp.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index d9db948..a666163 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -1206,6 +1206,10 @@ static int gnuk_write_certificate(sc_card_t *card, const u8 *buf, size_t length)
+ 	sc_apdu_t apdu;
+ 	u8 *part;
+ 	size_t plen;
++	/* Two round_ variables below are to build APDU data
++	 * with even length for Gnuk */
++	u8 roundbuf[256];
++	size_t roundlen = 0;
+ 	int r = SC_SUCCESS;
+ 
+ 	LOG_FUNC_CALLED(ctx);
+@@ -1236,8 +1240,20 @@ static int gnuk_write_certificate(sc_card_t *card, const u8 *buf, size_t length)
+ 			sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xD6, i, 0);
+ 		}
+ 		apdu.flags |= SC_APDU_FLAGS_CHAINING;
+-		apdu.data = part;
+-		apdu.datalen = apdu.lc = plen;
++
++		/* If the last part has odd length, we add zero padding to make it even.
++		 * Gnuk does not allow data with odd length */
++		if (plen < 256 && (plen % 2) != 0) {
++			roundlen = plen + 1;
++			memset(roundbuf, 0, roundlen);
++			memcpy(roundbuf, part, plen);
++			apdu.data = roundbuf;
++			apdu.datalen = apdu.lc = roundlen;
++		}
++		else {
++			apdu.data = part;
++			apdu.datalen = apdu.lc = plen;
++		}
+ 
+ 		r = sc_transmit_apdu(card, &apdu);
+ 		LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+-- 
+1.9.3
+

utils/opensc/patches/0015-OpenPGP-Delete-key-as-file-for-Gnuk.patch

@@ -0,0 +1,92 @@
+From 693b3ac5a53e89a0cdeab0f728d24a6e16864f5c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Fri, 12 Apr 2013 15:33:31 +0700
+Subject: [PATCH 15/18] OpenPGP: Delete key as file, for Gnuk.
+
+---
+ src/libopensc/card-openpgp.c | 51 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 50 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index a666163..19d3b04 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -2437,6 +2437,44 @@ static int pgp_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
+ 	LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
+ }
+ 
++
++/* Internal: Delete key */
++static int
++gnuk_delete_key(sc_card_t *card, u8 key_id)
++{
++	sc_context_t *ctx = card->ctx;
++	int r = SC_SUCCESS;
++	u8 *data = NULL;
++
++	LOG_FUNC_CALLED(ctx);
++
++	/* Delete fingerprint */
++	sc_log(ctx, "Delete fingerprints");
++	r = pgp_put_data(card, 0xC6 + key_id, NULL, 0);
++	LOG_TEST_RET(ctx, r, "Failed to delete fingerprints");
++	/* Delete creation time */
++	sc_log(ctx, "Delete creation time");
++	r = pgp_put_data(card, 0xCD + key_id, NULL, 0);
++	LOG_TEST_RET(ctx, r, "Failed to delete creation time");
++
++	/* Rewrite Extended Header List */
++	sc_log(ctx, "Rewrite Extended Header List");
++
++	if (key_id == 1)
++		data = "\x4D\x02\xB6";
++	else if (key_id == 2)
++		data = "\x4D\x02\xB8";
++	else if (key_id == 3)
++		data = "\x4D\x02\xA4";
++	else
++		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
++
++	r = pgp_put_data(card, 0x4D, data, strlen(data) + 1);
++
++	LOG_FUNC_RETURN(ctx, r);
++}
++
++
+ /* ABI: DELETE FILE */
+ static int
+ pgp_delete_file(sc_card_t *card, const sc_path_t *path)
+@@ -2444,6 +2482,7 @@ pgp_delete_file(sc_card_t *card, const sc_path_t *path)
+ 	struct pgp_priv_data *priv = DRVDATA(card);
+ 	struct blob *blob;
+ 	sc_file_t *file;
++	u8 key_id;
+ 	int r;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+@@ -2459,10 +2498,20 @@ pgp_delete_file(sc_card_t *card, const sc_path_t *path)
+ 	if (blob == priv->mf)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED);
+ 
+-	if (file->id == 0xB601 || file->id == 0xB801 || file->id == 0xA401) {
++	if (card->type != SC_CARD_TYPE_OPENPGP_GNUK &&
++	    (file->id == 0xB601 || file->id == 0xB801 || file->id == 0xA401)) {
+ 		/* These tags are just symbolic. We don't really delete it. */
+ 		r = SC_SUCCESS;
+ 	}
++	else if (card->type == SC_CARD_TYPE_OPENPGP_GNUK && file->id == 0xB601) {
++		r = gnuk_delete_key(card, 1);
++	}
++	else if (card->type == SC_CARD_TYPE_OPENPGP_GNUK && file->id == 0xB801) {
++		r = gnuk_delete_key(card, 2);
++	}
++	else if (card->type == SC_CARD_TYPE_OPENPGP_GNUK && file->id == 0xA401) {
++		r = gnuk_delete_key(card, 3);
++	}
+ 	else {
+ 		/* call pgp_put_data() with zero-sized NULL-buffer to zap the DO contents */
+ 		r = pgp_put_data(card, file->id, NULL, 0);
+-- 
+1.9.3
+

utils/opensc/patches/0016-OpenPGP-Correct-parameter-checking.patch

@@ -0,0 +1,47 @@
+From f96f7536a8c2efd0ba41fd94fe3334e5fa556854 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Tue, 16 Apr 2013 10:19:34 +0700
+Subject: [PATCH 16/18] OpenPGP: Correct parameter checking.
+
+---
+ src/libopensc/card-openpgp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 19d3b04..196c094 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -1221,6 +1221,8 @@ static int gnuk_write_certificate(sc_card_t *card, const u8 *buf, size_t length)
+ 		LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+ 		/* Check response */
+ 		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
++		if (r < 0)
++			LOG_FUNC_RETURN(card->ctx, r);
+ 		LOG_FUNC_RETURN(card->ctx, length);
+ 	}
+ 
+@@ -2448,6 +2450,11 @@ gnuk_delete_key(sc_card_t *card, u8 key_id)
+ 
+ 	LOG_FUNC_CALLED(ctx);
+ 
++	if (key_id < 1 || key_id > 3) {
++		sc_log(ctx, "Key ID %d is invalid. Should be 1, 2 or 3.", key_id);
++		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
++	}
++
+ 	/* Delete fingerprint */
+ 	sc_log(ctx, "Delete fingerprints");
+ 	r = pgp_put_data(card, 0xC6 + key_id, NULL, 0);
+@@ -2466,8 +2473,6 @@ gnuk_delete_key(sc_card_t *card, u8 key_id)
+ 		data = "\x4D\x02\xB8";
+ 	else if (key_id == 3)
+ 		data = "\x4D\x02\xA4";
+-	else
+-		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
+ 
+ 	r = pgp_put_data(card, 0x4D, data, strlen(data) + 1);
+ 
+-- 
+1.9.3
+

utils/opensc/patches/0017-OpenPGP-Make-code-neater.patch

@@ -0,0 +1,39 @@
+From 8a69525a60391b46db4994033527d219d2adaa4e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Tue, 16 Apr 2013 16:02:17 +0700
+Subject: [PATCH 17/18] OpenPGP: Make code neater
+
+---
+ src/libopensc/card-openpgp.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index 196c094..c4ef3b6 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -1220,10 +1220,7 @@ static int gnuk_write_certificate(sc_card_t *card, const u8 *buf, size_t length)
+ 		r = sc_transmit_apdu(card, &apdu);
+ 		LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+ 		/* Check response */
+-		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+-		if (r < 0)
+-			LOG_FUNC_RETURN(card->ctx, r);
+-		LOG_FUNC_RETURN(card->ctx, length);
++		LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "Certificate writing failed");
+ 	}
+ 
+ 	/* Ref: gnuk_put_binary_libusb.py and gnuk_token.py in Gnuk source tree */
+@@ -1260,8 +1257,7 @@ static int gnuk_write_certificate(sc_card_t *card, const u8 *buf, size_t length)
+ 		r = sc_transmit_apdu(card, &apdu);
+ 		LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+ 		/* Check response */
+-		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+-		LOG_TEST_RET(card->ctx, r, "UPDATE BINARY returned error");
++		LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "UPDATE BINARY returned error");
+ 
+ 		/* To next part */
+ 		i++;
+-- 
+1.9.3
+

utils/opensc/patches/0018-Move-declaration-to-top-of-block.patch

@@ -0,0 +1,34 @@
+From a099f951d085d3abfefeead14a4af06913cb67d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?=
+ <ng.hong.quan@gmail.com>
+Date: Wed, 8 May 2013 16:51:21 +0700
+Subject: [PATCH 18/18] Move declaration to top of block.
+
+---
+ src/libopensc/card-openpgp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index c4ef3b6..7f2006e 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -736,6 +736,7 @@ pgp_read_blob(sc_card_t *card, struct blob *blob)
+ 		u8 	buffer[2048];
+ 		size_t	buf_len = (card->caps & SC_CARD_CAP_APDU_EXT)
+ 				  ? sizeof(buffer) : 256;
++		int r = SC_SUCCESS;
+ 
+ 		/* Buffer length for certificate */
+ 		if (blob->id == DO_CERT && priv->max_cert_size > 0) {
+@@ -749,7 +750,7 @@ pgp_read_blob(sc_card_t *card, struct blob *blob)
+ 			buf_len = MAXLEN_RESP_PUBKEY_GNUK;
+ 		}
+ 
+-		int	r = blob->info->get_fn(card, blob->id, buffer, buf_len);
++		r = blob->info->get_fn(card, blob->id, buffer, buf_len);
+ 
+ 		if (r < 0) {	/* an error occurred */
+ 			blob->status = r;
+-- 
+1.9.3
+