From 130305a1bee6469a75cadb1e17c93106e25fef12 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Thu, 22 Aug 2024 07:37:57 +0200 Subject: [PATCH 1/9] YKCS11: Return CKA_EC_PARAMS for ED keys --- ykcs11/objects.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/ykcs11/objects.c b/ykcs11/objects.c index 068f482b..d173fd65 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c @@ -740,11 +740,15 @@ static CK_RV get_proa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR templ ul_tmp = do_get_key_type(s->pkeys[piv_objects[obj].sub_id]); // Getting the info from the pubk if (ul_tmp == CKK_VENDOR_DEFINED) return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_EC) + if (ul_tmp == CKK_EC) { + if ((rv = do_get_curve_parameters(s->pkeys[piv_objects[obj].sub_id], b_tmp, &len)) != CKR_OK) + return rv; + } else if (ul_tmp == CKK_EC_EDWARDS) { + len = 14; + memcpy(b_tmp, ED25519OID, len); + } else { return CKR_ATTRIBUTE_TYPE_INVALID; - - if ((rv = do_get_curve_parameters(s->pkeys[piv_objects[obj].sub_id], b_tmp, &len)) != CKR_OK) - return rv; + } data = b_tmp; break; @@ -1043,11 +1047,15 @@ static CK_RV get_puoa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR templ ul_tmp = do_get_key_type(s->pkeys[piv_objects[obj].sub_id]); // Getting the info from the pubk if (ul_tmp == CKK_VENDOR_DEFINED) return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_EC) + if (ul_tmp == CKK_EC) { + if ((rv = do_get_curve_parameters(s->pkeys[piv_objects[obj].sub_id], b_tmp, &len)) != CKR_OK) + return rv; + } else if (ul_tmp == CKK_EC_EDWARDS) { + len = 14; + memcpy(b_tmp, ED25519OID, len); + } else { return CKR_ATTRIBUTE_TYPE_INVALID; - - if ((rv = do_get_curve_parameters(s->pkeys[piv_objects[obj].sub_id], b_tmp, &len)) != CKR_OK) - return rv; + } data = b_tmp; break; 
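Review bot: The new `CKK_EC_EDWARDS` branch hard-codes the parameter length (`len = 14; memcpy(b_tmp, ED25519OID, len);`) separately from the macro that defines the bytes, so the two can drift apart silently; `len = sizeof(ED25519OID) - 1;` ties the length to the literal, and the same literal 14 (and 12 in PATCH 5 for X25519) recurs in the template checks of check_ed_pubkey_template, check_create_x25519_key and check_x_pubkey_template later on this page. The whole key-type dispatch is also duplicated byte for byte between get_proa and get_puoa in this patch and again in PATCH 5; a `static CK_RV get_ec_params(ykcs11_pkey_t *key, CK_BYTE_PTR out, CK_ULONG_PTR len)` helper would keep the two in step. Both enclosing functions start and end outside the hunks.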
@@ -2805,6 +2813,14 @@ static CK_RV check_ed_pubkey_template(gen_info_t *gen, CK_ATTRIBUTE_PTR templ, C break; case CKA_EC_PARAMS: + if (templ[i].ulValueLen == 14 && memcmp((CK_BYTE_PTR)templ[i].pValue, ED25519OID, 14) == 0) + gen->algorithm = YKPIV_ALGO_ED25519; + else { + DBG("Bad CKA_EC_PARAMS"); + return CKR_ATTRIBUTE_VALUE_INVALID; + } + break; + case CKA_COPYABLE: case CKA_DESTROYABLE: case CKA_EXTRACTABLE: From 6b3e15afef4e5dc5a35606464319a8d7a817256d Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Fri, 23 Aug 2024 11:16:33 +0200 Subject: [PATCH 2/9] YKCS11: Return CKA_EC_POINT for ED keys --- ykcs11/objects.c | 4 ++-- ykcs11/openssl_utils.c | 6 ++++++ ykcs11/tests/ykcs11_edx_test.c | 8 ++++++-- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/ykcs11/objects.c b/ykcs11/objects.c index d173fd65..da653c3a 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c @@ -723,7 +723,7 @@ static CK_RV get_proa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR templ ul_tmp = do_get_key_type(s->pkeys[piv_objects[obj].sub_id]); // Getting the info from the pubk if (ul_tmp == CKK_VENDOR_DEFINED) return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_EC) + if (ul_tmp == CKK_RSA) return CKR_ATTRIBUTE_TYPE_INVALID; if ((rv = do_get_public_key(s->pkeys[piv_objects[obj].sub_id], b_tmp, &len)) != CKR_OK) @@ -1030,7 +1030,7 @@ static CK_RV get_puoa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR templ ul_tmp = do_get_key_type(s->pkeys[piv_objects[obj].sub_id]); // Getting the info from the pubk if (ul_tmp == CKK_VENDOR_DEFINED) return CKR_FUNCTION_FAILED; - if (ul_tmp != CKK_EC) + if (ul_tmp == CKK_RSA) return CKR_ATTRIBUTE_TYPE_INVALID; if ((rv = do_get_public_key(s->pkeys[piv_objects[obj].sub_id], b_tmp, &len)) != CKR_OK) diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c index 8d97bf51..0cd9cab0 100644 --- a/ykcs11/openssl_utils.c +++ b/ykcs11/openssl_utils.c 
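Review bot: The `CKA_EC_PARAMS` case in check_ed_pubkey_template accepts only the PrintableString form (`"edwards25519"`, 14 bytes) and rejects any other encoding with CKR_ATTRIBUTE_VALUE_INVALID, although, as far as I recall, PKCS#11 3.0 allows the parameters of Edwards and Montgomery keys to be given either as that curve name or as the DER OID (id-Ed25519 1.3.101.112, `06 03 2b 65 70`), and clients may send the OID form. PATCH 5 repeats the same exact-match test for X25519 in check_x_pubkey_template and check_create_x25519_key, where the OID form would be id-X25519 1.3.101.110 (`06 03 2b 65 6e`). A small helper that compares the template value against both encodings, plus a comment on the macros stating which forms are accepted, would avoid a needless interoperability failure. The enclosing switch and function continue outside the hunk.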
@@ -694,6 +694,12 @@ CK_RV do_get_public_key(ykcs11_pkey_t *key, CK_BYTE_PTR data, CK_ULONG_PTR len) *len += 2; break; + case EVP_PKEY_ED25519: + case EVP_PKEY_X25519: + if(EVP_PKEY_get_raw_public_key(key, data, len) != 1) { + return CKR_FUNCTION_FAILED; + } + break; default: return CKR_FUNCTION_FAILED; diff --git a/ykcs11/tests/ykcs11_edx_test.c b/ykcs11/tests/ykcs11_edx_test.c index 4cf4757d..6dcb7847 100644 --- a/ykcs11/tests/ykcs11_edx_test.c +++ b/ykcs11/tests/ykcs11_edx_test.c @@ -261,12 +261,14 @@ static void test_xkey_attributes() { CK_BBOOL obj_token; CK_BBOOL obj_private; CK_ULONG obj_key_type; + CK_BYTE obj_point[64] = {0}; CK_ATTRIBUTE template[] = { {CKA_CLASS, &obj_class, sizeof(CK_ULONG)}, {CKA_TOKEN, &obj_token, sizeof(CK_BBOOL)}, {CKA_PRIVATE, &obj_private, sizeof(CK_BBOOL)}, {CKA_KEY_TYPE, &obj_key_type, sizeof(CK_ULONG)}, + {CKA_EC_POINT, obj_point, sizeof(obj_point)} }; init_connection(); @@ -274,17 +276,19 @@ static void test_xkey_attributes() { generate_ex_key(funcs, session, &pubkey, &privkey); - asrt(funcs->C_GetAttributeValue(session, pubkey, template, 4), CKR_OK, "GET BASIC ATTRIBUTES"); + asrt(funcs->C_GetAttributeValue(session, pubkey, template, 5), CKR_OK, "GET BASIC ATTRIBUTES"); asrt(obj_class, CKO_PUBLIC_KEY, "CLASS"); asrt(obj_token, CK_TRUE, "TOKEN"); asrt(obj_private, CK_FALSE, "PRIVATE"); asrt(obj_key_type, CKK_EC_MONTGOMERY, "KEY_TYPE"); + asrt(template[4].ulValueLen, 32, "EC_POINT LEN"); - asrt(funcs->C_GetAttributeValue(session, privkey, template, 4), CKR_OK, "GET BASIC ATTRIBUTES"); + asrt(funcs->C_GetAttributeValue(session, privkey, template, 5), CKR_OK, "GET BASIC ATTRIBUTES"); asrt(obj_class, CKO_PRIVATE_KEY, "CLASS"); asrt(obj_token, CK_TRUE, "TOKEN"); asrt(obj_private, CK_TRUE, "PRIVATE"); asrt(obj_key_type, CKK_EC_MONTGOMERY, "KEY_TYPE"); + asrt(template[4].ulValueLen, 32, "EC_POINT LEN"); destroy_test_objects(funcs, session, &privkey, 1); asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession"); 
From 7497143130dceacc2736d64a7eee6c5390d50ab1 Mon Sep 17 00:00:00 2001 From: Per Nilsson Date: Tue, 27 Aug 2024 11:48:56 +0200 Subject: [PATCH 3/9] YKCS11: Encode ed & x25519 pubkeys as an octet string --- ykcs11/openssl_utils.c | 68 ++++++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c index 0cd9cab0..50c1a531 100644 --- a/ykcs11/openssl_utils.c +++ b/ykcs11/openssl_utils.c 
@@ -653,51 +653,53 @@ CK_RV do_get_public_exponent(ykcs11_pkey_t *key, CK_BYTE_PTR data, CK_ULONG_PTR } CK_RV do_get_public_key(ykcs11_pkey_t *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { - const RSA *rsa = NULL; - unsigned char *p; - - const EC_KEY *eck = NULL; - const EC_GROUP *ecg; // Alternative solution is to get i2d_PUBKEY and manually offset - const EC_POINT *ecp; - point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED; switch(EVP_PKEY_base_id(key)) { - case EVP_PKEY_RSA: + case EVP_PKEY_RSA: { + const RSA *rsa = EVP_PKEY_get0_RSA(key); - rsa = EVP_PKEY_get0_RSA(key); - - if ((CK_ULONG)RSA_size(rsa) > *len) { - return CKR_BUFFER_TOO_SMALL; - } - - p = data; + if (RSA_size(rsa) > *len) { + return CKR_BUFFER_TOO_SMALL; + } - if ((*len = (CK_ULONG) i2d_RSAPublicKey(rsa, &p)) == 0) { - return CKR_FUNCTION_FAILED; + CK_BYTE_PTR p = data; + if ((*len = i2d_RSAPublicKey(rsa, &p)) == 0) { + return CKR_FUNCTION_FAILED; + } } - break; - case EVP_PKEY_EC: - eck = EVP_PKEY_get0_EC_KEY(key); - ecg = EC_KEY_get0_group(eck); - ecp = EC_KEY_get0_public_key(eck); + case EVP_PKEY_EC: { + const EC_KEY *eck = EVP_PKEY_get0_EC_KEY(key); + const EC_GROUP *ecg = EC_KEY_get0_group(eck); + const EC_POINT *ecp = EC_KEY_get0_public_key(eck); - // Add the DER structure with length after extracting the point - data[0] = 0x04; - - if ((*len = EC_POINT_point2oct(ecg, ecp, pcf, data + 2, *len - 2, NULL)) == 0) { - return CKR_FUNCTION_FAILED; - } + // Add the DER structure with length after extracting the point + data[0] = 0x04; - data[1] = *len; - *len += 2; + if ((*len = EC_POINT_point2oct(ecg, ecp, POINT_CONVERSION_UNCOMPRESSED, data + 2, *len - 2, NULL)) == 0) { + return CKR_FUNCTION_FAILED; + } + data[1] = *len; + *len += 2; + } break; case EVP_PKEY_ED25519: - case EVP_PKEY_X25519: - if(EVP_PKEY_get_raw_public_key(key, data, len) != 1) { - return CKR_FUNCTION_FAILED; + case EVP_PKEY_X25519: { + size_t n = *len; + if(EVP_PKEY_get_raw_public_key(key, data, &n) != 1) { + return 
CKR_FUNCTION_FAILED; + } + ASN1_OCTET_STRING *a = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(a, data, n); + if(i2d_ASN1_OCTET_STRING(a, NULL) > *len) { + ASN1_OCTET_STRING_free(a); + return CKR_BUFFER_TOO_SMALL; + } + CK_BYTE_PTR p = data; + *len = i2d_ASN1_OCTET_STRING(a, &p); + ASN1_OCTET_STRING_free(a); } break; From cfc70b02d895cc894da5120a3b58c82b1342a149 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 27 Aug 2024 12:39:49 +0200 Subject: [PATCH 4/9] Remove unnecessary length check --- ykcs11/objects.c | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/ykcs11/objects.c b/ykcs11/objects.c index da653c3a..1ccf6fbb 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c @@ -2616,17 +2616,6 @@ CK_RV check_create_rsa_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id, return CKR_TEMPLATE_INCOMPLETE; } - if (*p_len != 64 && *p_len != 128 && *p_len != 192 && *p_len != 256) { - DBG("Invalid RSA component lengths"); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - - if (*q_len != *p_len || *dp_len > *p_len || - *dq_len > *p_len || *qinv_len > *p_len) { - DBG("Invalid RSA component lengths"); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - return CKR_OK; } From 4fadb53dadf5d8a016d6ec80724558db8a544818 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 28 Aug 2024 14:56:29 +0200 Subject: [PATCH 5/9] YKCS11: Support returning X25519 key parameters --- ykcs11/objects.c | 46 ++++++++++++++++++++++++-------- ykcs11/tests/ykcs11_edx_test.c | 4 +-- ykcs11/tests/ykcs11_tests_util.c | 6 +++-- 3 files changed, 41 insertions(+), 15 deletions(-) diff --git a/ykcs11/objects.c b/ykcs11/objects.c index 1ccf6fbb..5313dcf1 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c 
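Review bot: In the RSA branch `if (RSA_size(rsa) > *len)` only guards the modulus size, yet `i2d_RSAPublicKey(rsa, &p)` then writes the complete DER SEQUENCE (modulus and exponent with their tag, length and possible leading-zero bytes), which is longer than RSA_size(), so a caller buffer between those two sizes is overrun; the Ed/X25519 branch in the same hunk already does this correctly by probing `i2d_ASN1_OCTET_STRING(a, NULL)` first, and the RSA branch should use the same `i2d_RSAPublicKey(rsa, NULL)` probe. The same branch stores the int result of i2d_RSAPublicKey into the unsigned `*len` before testing `== 0`, so a negative error return is never detected. In the Ed/X25519 branch `ASN1_OCTET_STRING_new()` and `ASN1_OCTET_STRING_set()` are unchecked, and a NULL from the allocator is dereferenced by `_set`. do_get_public_key continues past the hunk.
```c
case EVP_PKEY_RSA: {
  const RSA *rsa = EVP_PKEY_get0_RSA(key);
  int need = i2d_RSAPublicKey(rsa, NULL);  // size of the whole DER encoding, not just the modulus
  if (need <= 0) {
    return CKR_FUNCTION_FAILED;
  }
  if ((CK_ULONG)need > *len) {
    return CKR_BUFFER_TOO_SMALL;
  }
  CK_BYTE_PTR p = data;
  if (i2d_RSAPublicKey(rsa, &p) != need) {
    return CKR_FUNCTION_FAILED;
  }
  *len = (CK_ULONG)need;
}
break;
// … unchanged: EVP_PKEY_EC branch …
case EVP_PKEY_ED25519:
case EVP_PKEY_X25519: {
  size_t n = *len;
  if (EVP_PKEY_get_raw_public_key(key, data, &n) != 1) {
    return CKR_FUNCTION_FAILED;
  }
  ASN1_OCTET_STRING *a = ASN1_OCTET_STRING_new();
  if (a == NULL || ASN1_OCTET_STRING_set(a, data, n) != 1) {
    ASN1_OCTET_STRING_free(a);  // free(NULL) is a no-op
    return CKR_HOST_MEMORY;
  }
  // … unchanged: size probe, encode into data, free …
}
```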
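Review bot: Deleting the `*p_len != 64 ...` and `*q_len != *p_len || *dp_len > *p_len ...` tests leaves check_create_rsa_key with no visible bound on the RSA component lengths a C_CreateObject template supplies, so the only remaining validation is whatever the import path below does, which is not on this page. If the motivation is that the exact-size test rejects components whose leading byte is zero (PATCH 6 moves the tool and tests to minimal-length encodings), a relaxed bound keeps the protection without that problem: `if (*p_len > 256 || *q_len > 256 || *dp_len > *p_len || *dq_len > *p_len || *qinv_len > *p_len) return CKR_ATTRIBUTE_VALUE_INVALID;`. Please confirm that ykpiv_import_private_key checks these lengths against the key algorithm, or keep a check here. The rest of the function is outside the hunk.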
@@ -39,7 +39,8 @@ #define PRIME256V1 "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07" // TODO: already define in mechanisms.c. Move #define SECP384R1 "\x06\x05\x2b\x81\x04\x00\x22" // TODO: already define in mechanisms.c. Move -#define ED25519OID "\x13\x0c\x65\x64\x77\x61\x72\x64\x73\x32\x35\x35\x31\x39" +#define ED25519 "\x13\x0c\x65\x64\x77\x61\x72\x64\x73\x32\x35\x35\x31\x39" +#define X25519 "\x13\x0b\x63\x75\x72\x76\x65\x32\x35\x35\x31\x39" static CK_RV get_doa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR template); static CK_RV get_coa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR template); @@ -745,7 +746,10 @@ static CK_RV get_proa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR templ return rv; } else if (ul_tmp == CKK_EC_EDWARDS) { len = 14; - memcpy(b_tmp, ED25519OID, len); + memcpy(b_tmp, ED25519, len); + } else if (ul_tmp == CKK_EC_MONTGOMERY) { + len = 12; + memcpy(b_tmp, X25519, len); } else { return CKR_ATTRIBUTE_TYPE_INVALID; } @@ -1052,7 +1056,10 @@ static CK_RV get_puoa(ykcs11_slot_t *s, piv_obj_id_t obj, CK_ATTRIBUTE_PTR templ return rv; } else if (ul_tmp == CKK_EC_EDWARDS) { len = 14; - memcpy(b_tmp, ED25519OID, len); + memcpy(b_tmp, ED25519, len); + } else if (ul_tmp == CKK_EC_MONTGOMERY) { + len = 12; + memcpy(b_tmp, X25519, len); } else { return CKR_ATTRIBUTE_TYPE_INVALID; } @@ -1706,7 +1713,10 @@ CK_RV check_create_x25519_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id CK_ULONG i; CK_BBOOL has_id = CK_FALSE; CK_BBOOL has_value = CK_FALSE; + CK_BBOOL has_params = CK_FALSE; + CK_BYTE_PTR ec_params = NULL; + CK_ULONG ec_params_len = 0; CK_BYTE b_tmp; for (i = 0; i < n; i++) { 
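Review bot: Renaming the macro to bare `ED25519` and adding `X25519` drops the suffix that said what the bytes are and picks names that collide easily with library identifiers (OpenSSL uses `X25519` and `ED25519_*` as function names internally), so a later include can turn these into confusing errors. `ED25519_PARAMS` / `X25519_PARAMS`, each with a companion `#define X25519_PARAMS_LEN (sizeof(X25519_PARAMS) - 1)`, would keep the intent visible and remove the literal 12 and 14 used in the get_proa/get_puoa branches of this patch. A one-line comment saying these are the DER PrintableString curve names used for CKA_EC_PARAMS would also help the next reader.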
@@ -1740,10 +1750,11 @@ CK_RV check_create_x25519_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id *value_len = templ[i].ulValueLen; break; -// case CKA_EC_PARAMS: -// ec_params = (CK_BYTE_PTR)templ[i].pValue; -// ec_params_len = templ[i].ulValueLen; -// break; + case CKA_EC_PARAMS: + has_params = CK_TRUE; + ec_params = (CK_BYTE_PTR)templ[i].pValue; + ec_params_len = templ[i].ulValueLen; + break; case CKA_TOKEN: if (*((CK_BBOOL *)templ[i].pValue) != CK_TRUE) { @@ -1909,10 +1920,15 @@ CK_RV check_create_x25519_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id } if (has_id == CK_FALSE || - has_value == CK_FALSE) { + has_value == CK_FALSE || + has_params == CK_FALSE) { return CKR_TEMPLATE_INCOMPLETE; } + if (ec_params_len != 12 || memcmp(ec_params, X25519, ec_params_len) != 0) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + return CKR_OK; } @@ -2129,7 +2145,7 @@ CK_RV check_create_ed_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id, return CKR_TEMPLATE_INCOMPLETE; } - if (ec_params_len != 14 || memcmp(ec_params, ED25519OID, ec_params_len) != 0) { + if (ec_params_len != 14 || memcmp(ec_params, ED25519, ec_params_len) != 0) { return CKR_ATTRIBUTE_VALUE_INVALID; } @@ -2802,9 +2818,9 @@ static CK_RV check_ed_pubkey_template(gen_info_t *gen, CK_ATTRIBUTE_PTR templ, C break; case CKA_EC_PARAMS: - if (templ[i].ulValueLen == 14 && memcmp((CK_BYTE_PTR)templ[i].pValue, ED25519OID, 14) == 0) + if (templ[i].ulValueLen == 14 && memcmp((CK_BYTE_PTR)templ[i].pValue, ED25519, 14) == 0) { gen->algorithm = YKPIV_ALGO_ED25519; - else { + } else { DBG("Bad CKA_EC_PARAMS"); return CKR_ATTRIBUTE_VALUE_INVALID; } 
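Review bot: Requiring `has_params` makes CKA_EC_PARAMS mandatory for X25519 import, which is a change to the accepted template (the test in ykcs11_tests_util.c had to be updated in this same patch) and deserves a line in the commit message or a comment at the check. The new test `memcmp(ec_params, X25519, ec_params_len)` dereferences the template's pValue whenever ulValueLen is 12, so a template with a NULL pValue crashes instead of returning CKR_ATTRIBUTE_VALUE_INVALID; `if (ec_params == NULL || ec_params_len != 12 || memcmp(ec_params, X25519, ec_params_len) != 0)` closes that. The same pattern exists in the pre-existing check in check_create_ed_key. The function starts before and ends after these hunks.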
@@ -2868,6 +2884,14 @@ static CK_RV check_x_pubkey_template(gen_info_t *gen, CK_ATTRIBUTE_PTR templ, CK break; case CKA_EC_PARAMS: + if (templ[i].ulValueLen == 12 && memcmp((CK_BYTE_PTR)templ[i].pValue, X25519, 12) == 0) { + gen->algorithm = YKPIV_ALGO_X25519; + } else { + DBG("Bad CKA_EC_PARAMS"); + return CKR_ATTRIBUTE_VALUE_INVALID; + } + break; + case CKA_COPYABLE: case CKA_DESTROYABLE: case CKA_EXTRACTABLE: diff --git a/ykcs11/tests/ykcs11_edx_test.c b/ykcs11/tests/ykcs11_edx_test.c index 6dcb7847..9b941c74 100644 --- a/ykcs11/tests/ykcs11_edx_test.c +++ b/ykcs11/tests/ykcs11_edx_test.c @@ -281,14 +281,14 @@ static void test_xkey_attributes() { asrt(obj_token, CK_TRUE, "TOKEN"); asrt(obj_private, CK_FALSE, "PRIVATE"); asrt(obj_key_type, CKK_EC_MONTGOMERY, "KEY_TYPE"); - asrt(template[4].ulValueLen, 32, "EC_POINT LEN"); + asrt(template[4].ulValueLen, 34, "EC_POINT LEN"); asrt(funcs->C_GetAttributeValue(session, privkey, template, 5), CKR_OK, "GET BASIC ATTRIBUTES"); asrt(obj_class, CKO_PRIVATE_KEY, "CLASS"); asrt(obj_token, CK_TRUE, "TOKEN"); asrt(obj_private, CK_TRUE, "PRIVATE"); asrt(obj_key_type, CKK_EC_MONTGOMERY, "KEY_TYPE"); - asrt(template[4].ulValueLen, 32, "EC_POINT LEN"); + asrt(template[4].ulValueLen, 34, "EC_POINT LEN"); destroy_test_objects(funcs, session, &privkey, 1); asrt(funcs->C_CloseSession(session), CKR_OK, "CloseSession"); diff --git a/ykcs11/tests/ykcs11_tests_util.c b/ykcs11/tests/ykcs11_tests_util.c index 3106021e..cb2150ce 100644 --- a/ykcs11/tests/ykcs11_tests_util.c +++ b/ykcs11/tests/ykcs11_tests_util.c @@ -371,6 +371,7 @@ EVP_PKEY* import_edkey(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session void import_x25519key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE_PTR obj_cert, CK_OBJECT_HANDLE_PTR obj_pvtkey) { + CK_BYTE params[] = {0x13, 0x0b, 0x63, 0x75, 0x72, 0x76, 0x65, 0x32, 0x35, 0x35, 0x31, 0x39}; CK_ULONG class_k = CKO_PRIVATE_KEY; CK_ULONG kt = CKK_EC_MONTGOMERY; CK_BYTE id = 1; 
@@ -382,6 +383,7 @@ void import_x25519key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, {CKA_CLASS, &class_k, sizeof(class_k)}, {CKA_KEY_TYPE, &kt, sizeof(kt)}, {CKA_ID, &id, sizeof(id)}, + {CKA_EC_PARAMS, params, sizeof(params)}, {CKA_VALUE, pvt, pvt_len} }; @@ -391,11 +393,11 @@ void import_x25519key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, EVP_PKEY_keygen(ctx, &key); EVP_PKEY_CTX_free(ctx); asrt(EVP_PKEY_get_raw_private_key(key, pvt, &pvt_len), 1, "EXTRACTING PRIVATE ED25519 KEY"); - privateKeyTemplate[3].ulValueLen = pvt_len; + privateKeyTemplate[4].ulValueLen = pvt_len; asrt(funcs->C_Login(session, CKU_SO, (CK_CHAR_PTR)"010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO"); - asrt(funcs->C_CreateObject(session, privateKeyTemplate, 4, obj_pvtkey), CKR_OK, "IMPORT KEY"); + asrt(funcs->C_CreateObject(session, privateKeyTemplate, 5, obj_pvtkey), CKR_OK, "IMPORT KEY"); asrt(*obj_pvtkey, 86, "PRIVATE KEY HANDLE"); asrt(funcs->C_Logout(session), CKR_OK, "Logout SO"); From 3b3e1e2458eeca2855d6bac7851470dfa82ca2fb Mon Sep 17 00:00:00 2001 From: Per Nilsson Date: Tue, 27 Aug 2024 14:26:18 +0200 Subject: [PATCH 6/9] misc: Refactor set_component --- common/util.c | 19 +++++++++++-------- common/util.h | 2 +- lib/tests/api.c | 41 ++++++++++++++++++++++++----------------- tool/yubico-piv-tool.c | 33 ++++++++++++++++++++------------- 4 files changed, 56 insertions(+), 39 deletions(-) diff --git a/common/util.c b/common/util.c index 8701ae24..f0a9d5c9 100644 --- a/common/util.c +++ b/common/util.c 
@@ -382,8 +382,10 @@ int get_slot_hex(enum enum_slot slot_enum) { return slot; } -bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len) { - return BN_bn2binpad(bn, in_ptr, element_len) == element_len; +bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int *element_len) { + if(BN_num_bytes(bn) > *element_len) return false; + *element_len = BN_bn2bin(bn, in_ptr); + return true; } bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) { @@ -612,26 +614,27 @@ int SSH_write_X509(FILE *fp, X509 *x) { switch (EVP_PKEY_base_id(pkey)) { case EVP_PKEY_RSA: { - RSA *rsa; + const RSA *rsa; unsigned char n[256] = {0}; const BIGNUM *bn_n; char rsa_id[] = "\x00\x00\x00\x07ssh-rsa"; char rsa_f4[] = "\x00\x00\x00\x03\x01\x00\x01"; - rsa = EVP_PKEY_get1_RSA(pkey); + rsa = EVP_PKEY_get0_RSA(pkey); if(rsa == NULL) { break; } RSA_get0_key(rsa, &bn_n, NULL, NULL); - if (!set_component(n, bn_n, RSA_size(rsa))) { + int len = RSA_size(rsa); + if (!set_component(n, bn_n, &len)) { break; } - uint32_t bytes = BN_num_bytes(bn_n); + uint32_t bytes = len; char len_buf[5] = {0}; - int len = 4; + len = 4; len_buf[0] = (bytes >> 24) & 0x000000ff; len_buf[1] = (bytes << 16) & 0x000000ff; @@ -668,7 +671,7 @@ int SSH_write_X509(FILE *fp, X509 *x) { BIO_free_all(b64); break; } - if(BIO_write(b64, n, RSA_size(rsa)) <= 0) { + if(BIO_write(b64, n, bytes) <= 0) { fprintf(stderr, "Failed to write RSA n component\n"); BIO_free_all(b64); break; diff --git a/common/util.h b/common/util.h index 6d59bd0d..cfe97821 100644 --- a/common/util.h +++ b/common/util.h 
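Review bot: set_component now writes the minimal big-endian encoding (`BN_bn2bin`) and returns its length through `*element_len`, where it previously zero-padded to the requested width, but neither the definition nor the prototype in util.h says so, and every caller has to know that `*element_len` is in/out. Suggest this comment on the prototype: `/* Writes bn big-endian, without leading zero bytes, into in_ptr. On entry *element_len is the buffer size; on success it receives the number of bytes written. Returns false if bn needs more than *element_len bytes. */`. Note that BN_bn2bin returns 0 for a zero BIGNUM, so a successful call can legitimately set `*element_len` to 0. Incidentally, the context line `len_buf[1] = (bytes << 16) & 0x000000ff;` in SSH_write_X509 is always zero; `>> 16` is presumably intended, and SSH_write_X509 continues outside the hunk.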
@@ -54,7 +54,7 @@ X509_NAME *parse_name(const char*); unsigned char get_algorithm(EVP_PKEY*); FILE *open_file(const char *file_name, enum file_mode mode); int get_slot_hex(enum enum_slot slot_enum); -bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len); +bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int *element_len); bool prepare_rsa_signature(const unsigned char*, unsigned int, unsigned char*, unsigned int*, int); bool read_pw(const char*, char*, size_t, int, int); diff --git a/lib/tests/api.c b/lib/tests/api.c index 8919f4f9..9e6373e7 100644 --- a/lib/tests/api.c +++ b/lib/tests/api.c @@ -324,7 +324,7 @@ static void import_key(unsigned char slot, unsigned char pin_policy) { EVP_PKEY *private_key = NULL; BIO *bio = NULL; RSA *rsa_private_key = NULL; - unsigned char e[4] = {0}; + unsigned char e[3] = {0}; unsigned char p[256] = {0}; unsigned char q[256] = {0}; unsigned char dmp1[256] = {0}; @@ -332,6 +332,7 @@ static void import_key(unsigned char slot, unsigned char pin_policy) { unsigned char iqmp[256] = {0}; int element_len = 256; const BIGNUM *bn_e, *bn_p, *bn_q, *bn_dmp1, *bn_dmq1, *bn_iqmp; + int e_len, p_len, q_len, dmp1_len, dmq1_len, iqmp_len; bio = BIO_new_mem_buf(private_key_pem, strlen(private_key_pem)); private_key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); 
@@ -342,22 +343,28 @@ static void import_key(unsigned char slot, unsigned char pin_policy) { RSA_get0_key(rsa_private_key, NULL, &bn_e, NULL); RSA_get0_factors(rsa_private_key, &bn_p, &bn_q); RSA_get0_crt_params(rsa_private_key, &bn_dmp1, &bn_dmq1, &bn_iqmp); - ck_assert(set_component(e, bn_e, 3)); - ck_assert(set_component(p, bn_p, element_len)); - ck_assert(set_component(q, bn_q, element_len)); - ck_assert(set_component(dmp1, bn_dmp1, element_len)); - ck_assert(set_component(dmq1, bn_dmq1, element_len)); - ck_assert(set_component(iqmp, bn_iqmp, element_len)); + e_len = sizeof(e); + ck_assert(set_component(e, bn_e, &e_len)); + p_len = element_len; + ck_assert(set_component(p, bn_p, &p_len)); + q_len = element_len; + ck_assert(set_component(q, bn_q, &q_len)); + dmp1_len = element_len; + ck_assert(set_component(dmp1, bn_dmp1, &dmp1_len)); + dmq1_len = element_len; + ck_assert(set_component(dmq1, bn_dmq1, &dmq1_len)); + iqmp_len = element_len; + ck_assert(set_component(iqmp, bn_iqmp, &iqmp_len)); // Try wrong algorithm, fail. res = ykpiv_import_private_key(g_state, slot, YKPIV_ALGO_RSA1024, - p, element_len, - q, element_len, - dmp1, element_len, - dmq1, element_len, - iqmp, element_len, + p, p_len, + q, q_len, + dmp1, dmp1_len, + dmq1, dmq1_len, + iqmp, iqmp_len, NULL, 0, pp, tp); ck_assert_int_eq(res, YKPIV_ALGORITHM_ERROR); @@ -366,11 +373,11 @@ static void import_key(unsigned char slot, unsigned char pin_policy) { res = ykpiv_import_private_key(g_state, slot, YKPIV_ALGO_RSA4096, - p, element_len, - q, element_len, - dmp1, element_len, - dmq1, element_len, - iqmp, element_len, + p, p_len, + q, q_len, + dmp1, dmp1_len, + dmq1, dmq1_len, + iqmp, iqmp_len, NULL, 0, pp, tp); ck_assert_int_eq(res, YKPIV_OK); diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index d7e99a90..9fc0d650 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c 
@@ -515,13 +515,14 @@ static bool import_key(ykpiv_state *state, enum enum_key_format key_format, if(YKPIV_IS_RSA(algorithm)) { RSA *rsa_private_key = EVP_PKEY_get1_RSA(private_key); - unsigned char e[4] = {0}; + unsigned char e[3] = {0}; unsigned char p[256] = {0}; unsigned char q[256] = {0}; unsigned char dmp1[256] = {0}; unsigned char dmq1[256] = {0}; unsigned char iqmp[256] = {0}; const BIGNUM *bn_e, *bn_p, *bn_q, *bn_dmp1, *bn_dmq1, *bn_iqmp; + int len_e, len_p, len_q, len_dmp1, len_dmq1, len_iqmp; int element_len = 0; switch(algorithm) { 
@@ -545,43 +546,49 @@ static bool import_key(ykpiv_state *state, enum enum_key_format key_format, RSA_get0_key(rsa_private_key, NULL, &bn_e, NULL); RSA_get0_factors(rsa_private_key, &bn_p, &bn_q); RSA_get0_crt_params(rsa_private_key, &bn_dmp1, &bn_dmq1, &bn_iqmp); - if((set_component(e, bn_e, 3) == false) || + len_e = sizeof(e); + if((set_component(e, bn_e, &len_e) == false) || !(e[0] == 0x01 && e[1] == 0x00 && e[2] == 0x01)) { fprintf(stderr, "Invalid public exponent for import (only 0x10001 supported)\n"); goto import_out; } - if(set_component(p, bn_p, element_len) == false) { + len_p = element_len; + if(set_component(p, bn_p, &len_p) == false) { fprintf(stderr, "Failed setting p component.\n"); goto import_out; } - if(set_component(q, bn_q, element_len) == false) { + len_q = element_len; + if(set_component(q, bn_q, &len_q) == false) { fprintf(stderr, "Failed setting q component.\n"); goto import_out; } - if(set_component(dmp1, bn_dmp1, element_len) == false) { + len_dmp1 = element_len; + if(set_component(dmp1, bn_dmp1, &len_dmp1) == false) { fprintf(stderr, "Failed setting dmp1 component.\n"); goto import_out; } - if(set_component(dmq1, bn_dmq1, element_len) == false) { + len_dmq1 = element_len; + if(set_component(dmq1, bn_dmq1, &len_dmq1) == false) { fprintf(stderr, "Failed setting dmq1 component.\n"); goto import_out; } - if(set_component(iqmp, bn_iqmp, element_len) == false) { + len_iqmp = element_len; + if(set_component(iqmp, bn_iqmp, &len_iqmp) == false) { fprintf(stderr, "Failed setting iqmp component.\n"); goto import_out; } rc = ykpiv_import_private_key(state, key, algorithm, - p, element_len, - q, element_len, - dmp1, element_len, - dmq1, element_len, - iqmp, element_len, + p, len_p, + q, len_q, + dmp1, len_dmp1, + dmq1, len_dmq1, + iqmp, len_iqmp, NULL, 0, pp, tp); } 
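Review bot: The exponent check `!(e[0] == 0x01 && e[1] == 0x00 && e[2] == 0x01)` never consults `len_e`, so it only works because `e[3]` is zero-initialized and the shorter encodings of 3, 17 or 65537 happen not to match; making the length part of the test is clearer and does not depend on that: `if (!set_component(e, bn_e, &len_e) || len_e != 3 || memcmp(e, "\x01\x00\x01", 3) != 0) {`. The enclosing import_key starts before and ends after the hunk.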
@@ -595,7 +602,7 @@ static bool import_key(ykpiv_state *state, enum enum_key_format key_format, element_len = 48; } - if(set_component(s_ptr, s, element_len) == false) { + if(set_component(s_ptr, s, &element_len) == false) { fprintf(stderr, "Failed setting ec private key.\n"); goto import_out; } From c51fe443dcbb91b17e639ca30516c3ace6f3e55d Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Thu, 12 Sep 2024 10:40:50 +0200 Subject: [PATCH 7/9] YKCS11: Test: Increase test coverage of X25519 keys --- ykcs11/tests/ykcs11_tests_util.c | 51 +++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 4 deletions(-) diff --git a/ykcs11/tests/ykcs11_tests_util.c b/ykcs11/tests/ykcs11_tests_util.c index cb2150ce..1ca30172 100644 --- a/ykcs11/tests/ykcs11_tests_util.c +++ b/ykcs11/tests/ykcs11_tests_util.c @@ -373,8 +373,10 @@ void import_x25519key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, CK_BYTE params[] = {0x13, 0x0b, 0x63, 0x75, 0x72, 0x76, 0x65, 0x32, 0x35, 0x35, 0x31, 0x39}; CK_ULONG class_k = CKO_PRIVATE_KEY; + CK_ULONG class_c = CKO_CERTIFICATE; CK_ULONG kt = CKK_EC_MONTGOMERY; CK_BYTE id = 1; + CK_BYTE value_c[255] = {0}; CK_CHAR pvt[255] = {0}; size_t pvt_len = sizeof(pvt); 
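Review bot: With `set_component(s_ptr, s, &element_len)` the variable now comes back as the minimal byte length of the EC private scalar, so a P-256 or P-384 scalar whose top byte is zero (roughly one key in 256) yields 31 or 47 instead of the fixed 32 or 48 that BN_bn2binpad guaranteed; if element_len is still what is passed as the scalar length to ykpiv_import_private_key below (outside the hunk), those keys are sent unpadded and the device or library may reject or misinterpret them. The RSA components in the previous hunk (len_p, len_q, len_dmp1, len_dmq1, len_iqmp) have the same property. Unless the library is known to left-pad, keep the fixed width for the scalar here: `if (BN_bn2binpad(s, s_ptr, element_len) != element_len) { fprintf(stderr, "Failed setting ec private key.\n"); goto import_out; }`.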
@@ -387,21 +389,62 @@ void import_x25519key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, {CKA_VALUE, pvt, pvt_len} }; - EVP_PKEY *key = NULL; + CK_ATTRIBUTE certTemplate[] = { + {CKA_CLASS, &class_c, sizeof(class_c)}, + {CKA_ID, &id, sizeof(id)}, + {CKA_VALUE, value_c, sizeof(value_c)} + }; + + EVP_PKEY *xkey = NULL; EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL); EVP_PKEY_keygen_init(ctx); - EVP_PKEY_keygen(ctx, &key); + EVP_PKEY_keygen(ctx, &xkey); EVP_PKEY_CTX_free(ctx); - asrt(EVP_PKEY_get_raw_private_key(key, pvt, &pvt_len), 1, "EXTRACTING PRIVATE ED25519 KEY"); + asrt(EVP_PKEY_get_raw_private_key(xkey, pvt, &pvt_len), 1, "EXTRACTING PRIVATE ED25519 KEY"); privateKeyTemplate[4].ulValueLen = pvt_len; + + // Generate a dummy ED25519 to sign an X509certificate for the X25519 keyt + EVP_PKEY *ed_key = NULL; + EVP_PKEY_CTX *ed_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL); + EVP_PKEY_keygen_init(ed_ctx); + EVP_PKEY_keygen(ed_ctx, &ed_key); + EVP_PKEY_CTX_free(ed_ctx); + + X509 *cert = X509_new(); + X509_set_version(cert, 2); // Version 3 + X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); + X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); + ASN1_INTEGER_set(X509_get_serialNumber(cert), 0); + X509_gmtime_adj(X509_get_notBefore(cert), 0); + X509_gmtime_adj(X509_get_notAfter(cert), 0); + + if (X509_set_pubkey(cert, xkey) == 0) { + exit(EXIT_FAILURE); + } + + if (X509_sign(cert, ed_key, NULL) == 0) { + exit(EXIT_FAILURE); + } + EVP_PKEY_free(ed_key); + + CK_ULONG cert_len; + unsigned char *p = value_c; + if ((cert_len = (CK_ULONG) i2d_X509(cert, &p)) == 0 || cert_len > sizeof(value_c)) + exit(EXIT_FAILURE); + + certTemplate[2].ulValueLen = cert_len; + asrt(funcs->C_Login(session, CKU_SO, (CK_CHAR_PTR)"010203040506070801020304050607080102030405060708", 48), CKR_OK, "Login SO"); + 
asrt(funcs->C_CreateObject(session, certTemplate, 3, obj_cert), CKR_OK, "IMPORT CERT"); + asrt(*obj_cert, 37, "CERTIFICATE HANDLE"); asrt(funcs->C_CreateObject(session, privateKeyTemplate, 5, obj_pvtkey), CKR_OK, "IMPORT KEY"); asrt(*obj_pvtkey, 86, "PRIVATE KEY HANDLE"); asrt(funcs->C_Logout(session), CKR_OK, "Logout SO"); - EVP_PKEY_free(key); + X509_free(cert); + EVP_PKEY_free(xkey); } EC_KEY* import_ec_key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, CK_BYTE n_keys, int curve, CK_ULONG key_len, From 07d4803bc9380bc1772fa85a6b3173490ccb57f0 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Thu, 12 Sep 2024 10:48:13 +0200 Subject: [PATCH 8/9] Githubactions: Update actions version --- .github/workflows/windows_build.yml | 36 +++++++++++++-------------- .github/workflows/windows_release.yml | 32 +++++++++++------------- 2 files changed, 32 insertions(+), 36 deletions(-) diff --git a/.github/workflows/windows_build.yml b/.github/workflows/windows_build.yml index 0b55af4b..890b5ace 100644 --- a/.github/workflows/windows_build.yml +++ b/.github/workflows/windows_build.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install prerequisites run: | @@ -21,13 +21,13 @@ jobs: set -x ./resources/make_src_dist.sh cd .. - mkdir artifact - mv $GITHUB_WORKSPACE/yubico-piv-tool-.tar.gz artifact/ + mkdir $GITHUB_WORKSPACE/artifact + mv $GITHUB_WORKSPACE/yubico-piv-tool-.tar.gz $GITHUB_WORKSPACE/artifact/ - name: Upload artifact - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: yubico-piv-tool-src - path: ../artifact + path: artifact build: name: Build and Test on Windows 
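Review bot: `i2d_X509(cert, &p)` writes the whole DER certificate into the 255-byte stack array `value_c` before the `cert_len > sizeof(value_c)` comparison runs, so the bound is checked only after a too-large certificate has already overrun the buffer; probe the size with `i2d_X509(cert, NULL)` first and only then encode. `X509_new()`, `EVP_PKEY_keygen()` and `X509_set_version()` are also unchecked, and `X509_gmtime_adj(X509_get_notAfter(cert), 0)` makes the certificate expire at creation, which is fine only if nothing in the tests validates it. The comment `// Generate a dummy ED25519 to sign an X509certificate for the X25519 keyt` has a typo ("keyt"). The hunk's trailing context belongs to import_ec_key, which is outside it.
```c
X509 *cert = X509_new();
if (cert == NULL)
  exit(EXIT_FAILURE);
// … unchanged: issuer/subject/serial/validity, X509_set_pubkey, X509_sign, EVP_PKEY_free(ed_key) …
int cert_len = i2d_X509(cert, NULL);   // probe the DER size before writing into value_c
if (cert_len <= 0 || (size_t)cert_len > sizeof(value_c))
  exit(EXIT_FAILURE);
unsigned char *p = value_c;
if (i2d_X509(cert, &p) != cert_len)
  exit(EXIT_FAILURE);
certTemplate[2].ulValueLen = (CK_ULONG)cert_len;
```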
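Review bot: `uses: actions/checkout@v4`, `actions/upload-artifact@v4` and `actions/download-artifact@v4` pin to mutable major tags, so the job runs whatever commit the tag points at on the day of the run; for a repository that builds release binaries, pinning each action to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<commit-sha-placeholder> # v4`) is the usual hardening, and the same applies to the windows_release.yml hunks later in this patch. The move of the artifact directory under `$GITHUB_WORKSPACE` and the dropped `cd yubico-piv-tool-src` follow the v4 download layout and look consistent. The job definitions continue outside the hunks.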
@@ -52,14 +52,13 @@ jobs: steps: - name: Download source from source work - uses: actions/download-artifact@v1 + uses: actions/download-artifact@v4 with: name: yubico-piv-tool-src - name: Extract source run: | Set-PSDebug -Trace 1 - cd yubico-piv-tool-src tar xf yubico-piv-tool-.tar.gz - name: install prerequisites @@ -81,11 +80,11 @@ jobs: $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path" $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include" - cd yubico-piv-tool-src/yubico-piv-tool- + cd yubico-piv-tool- mkdir build; cd build cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows .. cmake --build . -v - $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug" + $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug" ctest.exe -C Debug - name: Build with YKCS11_DBG is set 
@@ -97,11 +96,11 @@ jobs: $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path" $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include" - cd yubico-piv-tool-src/yubico-piv-tool- + cd yubico-piv-tool- rm -r build; mkdir build; cd build cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows -DYKCS11_DBG=3 .. cmake --build . -v - $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug" + $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug" ctest.exe -C Debug - name: Build only library (no CLI and no ykcs11) 
@@ -113,11 +112,11 @@ jobs: $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path" $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include" - cd yubico-piv-tool-src/yubico-piv-tool- + cd yubico-piv-tool- rm -r build; mkdir build; cd build cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows -DBUILD_ONLY_LIB=ON .. cmake --build . -v - $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug" + $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug" ctest.exe -C Debug - name: Build only dynamic libaries 
@@ -129,11 +128,11 @@ jobs: $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path" $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include" - cd yubico-piv-tool-src/yubico-piv-tool- + cd yubico-piv-tool- rm -r build; mkdir build; cd build cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows -DBUILD_STATIC_LIB=OFF .. cmake --build . -v - $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug" + $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug" ctest.exe -C Debug build_no_zlib: @@ -159,14 +158,13 @@ jobs: steps: - name: Download source from source work - uses: actions/download-artifact@v1 + uses: actions/download-artifact@v4 with: name: yubico-piv-tool-src - name: Extract source run: | Set-PSDebug -Trace 1 - cd yubico-piv-tool-src tar xf yubico-piv-tool-.tar.gz - name: install prerequisites 
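Review bot: In the `@@ -159` hunk, `uses: actions/download-artifact@v4` references a mutable major tag, so the code this job runs can change without any edit to the repository; the same applies to the `actions/checkout@v4`, `actions/upload-artifact@v4` and `actions/download-artifact@v4` bumps in the windows_release.yml hunks (`@@ -15`, `@@ -27`, `@@ -43`, `@@ -81`, `@@ -99`, `@@ -137`). Pin each action to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/download-artifact@<full-commit-sha-of-v4>  # v4`, and let a dependency bot move the pin. The removal of `cd yubico-piv-tool-src` in the "Extract source" step appears to rely on v4 extracting into `$GITHUB_WORKSPACE` when no `path:` is given; a one-line comment on the step saying so (`# download-artifact v4 extracts into the workspace root, not a named subdirectory`) would stop the next reader from re-adding the `cd`.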
@@ -187,9 +185,9 @@ jobs: $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path" $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include" - cd yubico-piv-tool-src/yubico-piv-tool- + cd yubico-piv-tool- mkdir build; cd build cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DENABLE_CERT_COMPRESS=OFF -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows .. cmake --build . -v - $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug" + $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug" ctest.exe -C Debug diff --git a/.github/workflows/windows_release.yml b/.github/workflows/windows_release.yml index 5698556e..ad0ef689 100644 --- a/.github/workflows/windows_release.yml +++ b/.github/workflows/windows_release.yml @@ -15,7 +15,7 @@ jobs: RELEASE_VERSION: 2.6.0 steps: - name: checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install prerequisites run: | @@ -27,13 +27,13 @@ jobs: ./resources/make_src_dist.sh $RELEASE_VERSION cd .. - mkdir artifact - mv $GITHUB_WORKSPACE/yubico-piv-tool-$RELEASE_VERSION.tar.gz artifact/ + mkdir $GITHUB_WORKSPACE/artifact + mv $GITHUB_WORKSPACE/yubico-piv-tool-$RELEASE_VERSION.tar.gz $GITHUB_WORKSPACE/artifact/ - name: Upload artifact - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: yubico-piv-tool-src - path: ../artifact + path: artifact job_2: name: Build Windows x86 
@@ -43,20 +43,19 @@ jobs: RELEASE_VERSION: 2.6.0 steps: - name: Download source from job_1 - uses: actions/download-artifact@v1 + uses: actions/download-artifact@v4 with: name: yubico-piv-tool-src - name: Extract source run: | Set-PSDebug -Trace 1 - cd yubico-piv-tool-src tar xf yubico-piv-tool-$env:RELEASE_VERSION.tar.gz - name: Make release binaries run: | Set-PSDebug -Trace 1 - $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION" + $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION" cd $PIVTOOL_SRC_DIR/resources/win ./make_release_binaries.ps1 $env:RELEASE_VERSION Win32 C:/vcpkg @@ -71,7 +70,7 @@ jobs: - name: Create Windows Installer run: | Set-PSDebug -Trace 1 - $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION" + $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION" $MERGEDPATH = Get-ChildItem "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Redist\MSVC\v143\MergeModules\Microsoft_VC143_CRT_x86.msm" cd $PIVTOOL_SRC_DIR/resources/win @@ -81,12 +80,12 @@ jobs: - name: Install yubico-piv-tool run: | Set-PSDebug -Trace 1 - cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION\resources\win" + cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION\resources\win" msiexec /i yubico-piv-tool-$env:RELEASE_VERSION-x86.msi /quiet /log $env:GITHUB_WORKSPACE/artifact/log_x86.txt Start-Sleep -s 5 - name: Upload artifact - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: yubico-piv-tool-win32 path: artifact 
@@ -99,20 +98,19 @@ jobs: RELEASE_VERSION: 2.6.0 steps: - name: Download source from job_1 - uses: actions/download-artifact@v1 + uses: actions/download-artifact@v4 with: name: yubico-piv-tool-src - name: Extract source run: | Set-PSDebug -Trace 1 - cd yubico-piv-tool-src tar xf yubico-piv-tool-$env:RELEASE_VERSION.tar.gz - name: Make release binaries run: | Set-PSDebug -Trace 1 - $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION" + $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION" cd $PIVTOOL_SRC_DIR/resources/win ./make_release_binaries.ps1 $env:RELEASE_VERSION x64 C:/vcpkg @@ -127,7 +125,7 @@ jobs: - name: Create Windows Installer for x64 architecture run: | Set-PSDebug -Trace 1 - $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION" + $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION" $MERGEDPATH = Get-ChildItem "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Redist\MSVC\v143\MergeModules\Microsoft_VC143_CRT_x64.msm" cd $PIVTOOL_SRC_DIR/resources/win @@ -137,11 +135,11 @@ jobs: - name: Install yubico-piv-tool run: | Set-PSDebug -Trace 1 - cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION\resources\win" + cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION\resources\win" msiexec /i yubico-piv-tool-$env:RELEASE_VERSION-x64.msi /quiet - name: Upload artifact - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v4 with: name: yubico-piv-tool-win64 path: artifact \ No newline at end of file From 95358841a51c360f45de1151b14081a5b22f3436 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Thu, 12 Sep 2024 11:12:37 +0200 Subject: [PATCH 9/9] Update MacOS release script --- .github/workflows/macos_release.yml | 2 +- resources/macos/make_release_binaries.sh | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/macos_release.yml b/.github/workflows/macos_release.yml
index 059e1656..38243384 100644
--- a/.github/workflows/macos_release.yml
+++ b/.github/workflows/macos_release.yml
@@ -12,7 +12,7 @@ jobs:
 fail-fast: false
 matrix:
 include:
- - os: macos-latest
+ - os: macos-14-large
 arch: amd
 - os: macos-latest-xlarge
 arch: arm
diff --git a/resources/macos/make_release_binaries.sh b/resources/macos/make_release_binaries.sh
index 5b5d52a5..3bb768da 100755
--- a/resources/macos/make_release_binaries.sh
+++ b/resources/macos/make_release_binaries.sh
@@ -25,7 +25,16 @@ echo "Working directory: $PWD"
 set -x
-BREW_LIB="/opt/homebrew/opt"
+if [ "$ARCH" == "amd" ]; then
+ BREW_LIB="/usr/local/opt"
+ #BREW_CELLAR="/usr/local/Cellar"
+elif [ "$ARCH" == "arm" ]; then
+ BREW_LIB="/opt/homebrew/opt"
+ #BREW_CELLAR="/opt/homebrew/Cellar"
+else
+ echo "Unknown architecture"
+ exit
+fi
 PACKAGE=yubico-piv-tool
 CFLAGS="-mmacosx-version-min=10.6"
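Review bot: The matrix now pins the Intel leg to an explicit image (`macos-14-large`) while the arm leg still floats on `macos-latest-xlarge`; since the companion change to make_release_binaries.sh in this same patch selects the Homebrew prefix from the matrix `arch` value rather than from the runner's actual CPU, a later move of the floating label would leave prefix and hardware silently mismatched. Consider pinning both legs to a dated image (e.g. `macos-14-xlarge`, if that label is available to the organisation) so the two stay aligned, and add a comment on the `include:` list noting that `arch` must match the runner's CPU architecture because the release script keys its Homebrew paths on it.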
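Review bot: The unknown-architecture branch of the new `if`/`elif`/`else` ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a misconfigured or empty `ARCH` lets the release script terminate "successfully" and the calling workflow proceeds without binaries for that leg. Use `echo "Unknown architecture: '$ARCH'" >&2` and `exit 1` so the failure goes to stderr and actually fails the job. `ARCH` is assigned above the hunk; the `==` comparison inside `[ ]` is fine under bash but not POSIX `sh`, so it is worth checking against the script's shebang, and the two commented-out `#BREW_CELLAR` assignments read as dead code and should either be removed or carry a one-line comment saying why they are kept.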