/src/opensc/src/libopensc/pkcs15-pin.c
Line | Count | Source |
1 | | /* |
2 | | * pkcs15-pin.c: PKCS #15 PIN functions |
3 | | * |
4 | | * Copyright (C) 2001, 2002 Juha Yrjölä <juha.yrjola@iki.fi> |
5 | | * |
6 | | * This library is free software; you can redistribute it and/or |
7 | | * modify it under the terms of the GNU Lesser General Public |
8 | | * License as published by the Free Software Foundation; either |
9 | | * version 2.1 of the License, or (at your option) any later version. |
10 | | * |
11 | | * This library is distributed in the hope that it will be useful, |
12 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
14 | | * Lesser General Public License for more details. |
15 | | * |
16 | | * You should have received a copy of the GNU Lesser General Public |
17 | | * License along with this library; if not, write to the Free Software |
18 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
19 | | */ |
20 | | |
21 | | #ifdef HAVE_CONFIG_H |
22 | | #include "config.h" |
23 | | #endif |
24 | | |
25 | | #include <assert.h> |
26 | | #include <string.h> |
27 | | #include <stdlib.h> |
28 | | #include <stdio.h> |
29 | | |
30 | | #include "internal.h" |
31 | | #include "asn1.h" |
32 | | #include "pkcs15.h" |
33 | | #include "ui/notify.h" |
34 | | |
35 | | int _sc_pkcs15_verify_pin(struct sc_pkcs15_card *, struct sc_pkcs15_object *, |
36 | | const unsigned char *, size_t); |
37 | | |
38 | | static const struct sc_asn1_entry c_asn1_com_ao_attr[] = { |
39 | | { "authId", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL }, |
40 | | { NULL, 0, 0, 0, NULL, NULL } |
41 | | }; |
42 | | |
43 | | /* PIN attributes */ |
44 | | static const struct sc_asn1_entry c_asn1_pin_attr[] = { |
45 | | { "pinFlags", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL }, |
46 | | { "pinType", SC_ASN1_ENUMERATED, SC_ASN1_TAG_ENUMERATED, 0, NULL, NULL }, |
47 | | { "minLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, |
48 | | { "storedLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, |
49 | | { "maxLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, |
50 | | { "pinReference", SC_ASN1_INTEGER, SC_ASN1_CTX | 0, SC_ASN1_OPTIONAL, NULL, NULL }, |
51 | | { "padChar", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_OPTIONAL, NULL, NULL }, |
52 | | { "lastPinChange",SC_ASN1_GENERALIZEDTIME, SC_ASN1_TAG_GENERALIZEDTIME, SC_ASN1_OPTIONAL, NULL, NULL }, |
53 | | { "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
54 | | { NULL, 0, 0, 0, NULL, NULL } |
55 | | }; |
56 | | static const struct sc_asn1_entry c_asn1_type_pin_attr[] = { |
57 | | { "pinAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, |
58 | | { NULL, 0, 0, 0, NULL, NULL } |
59 | | }; |
60 | | |
61 | | /* Auth Key attributes */ |
62 | | static const struct sc_asn1_entry c_asn1_authkey_attr[] = { |
63 | | { "derivedKey", SC_ASN1_BOOLEAN, SC_ASN1_TAG_BOOLEAN, SC_ASN1_OPTIONAL, NULL, NULL }, |
64 | | { "authKeyId", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL }, |
65 | | { NULL, 0, 0, 0, NULL, NULL } |
66 | | }; |
67 | | static const struct sc_asn1_entry c_asn1_type_authkey_attr[] = { |
68 | | { "authKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, |
69 | | { NULL, 0, 0, 0, NULL, NULL } |
70 | | }; |
71 | | static const struct sc_asn1_entry c_asn1_auth_type[] = { |
72 | | { "authType", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, |
73 | | { NULL, 0, 0, 0, NULL, NULL } |
74 | | }; |
75 | | static const struct sc_asn1_entry c_asn1_auth_type_choice[] = { |
76 | | { "pin", SC_ASN1_PKCS15_OBJECT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
77 | | { "biometricTemplate", SC_ASN1_PKCS15_OBJECT, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
78 | | { "authKey", SC_ASN1_PKCS15_OBJECT, SC_ASN1_CTX | 1 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
79 | | { NULL, 0, 0, 0, NULL, NULL } |
80 | | }; |
81 | | |
82 | | |
83 | | int |
84 | | sc_pkcs15_decode_aodf_entry(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *obj, |
85 | | const u8 ** buf, size_t *buflen) |
86 | 0 | { |
87 | 0 | sc_context_t *ctx = p15card->card->ctx; |
88 | 0 | struct sc_pkcs15_auth_info info; |
89 | 0 | int r; |
90 | 0 | size_t flags_len = sizeof(info.attrs.pin.flags); |
91 | 0 | size_t derived_len = sizeof(info.attrs.authkey.derived); |
92 | 0 | size_t padchar_len = 1; |
93 | 0 | struct sc_asn1_entry asn1_com_ao_attr[2]; |
94 | 0 | struct sc_asn1_entry asn1_pin_attr[10], asn1_type_pin_attr[2]; |
95 | 0 | struct sc_asn1_entry asn1_authkey_attr[3], asn1_type_authkey_attr[2]; |
96 | 0 | struct sc_asn1_entry asn1_auth_type[2]; |
97 | 0 | struct sc_asn1_entry asn1_auth_type_choice[4]; |
98 | 0 | struct sc_asn1_pkcs15_object pin_obj = { obj, asn1_com_ao_attr, NULL, asn1_type_pin_attr }; |
99 | 0 | struct sc_asn1_pkcs15_object authkey_obj = { obj, asn1_com_ao_attr, NULL, asn1_type_authkey_attr }; |
100 | |
|
101 | 0 | SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_ASN1); |
102 | |
|
103 | 0 | sc_copy_asn1_entry(c_asn1_auth_type, asn1_auth_type); |
104 | 0 | sc_copy_asn1_entry(c_asn1_auth_type_choice, asn1_auth_type_choice); |
105 | |
|
106 | 0 | sc_copy_asn1_entry(c_asn1_com_ao_attr, asn1_com_ao_attr); |
107 | |
|
108 | 0 | sc_copy_asn1_entry(c_asn1_type_pin_attr, asn1_type_pin_attr); |
109 | 0 | sc_copy_asn1_entry(c_asn1_pin_attr, asn1_pin_attr); |
110 | |
|
111 | 0 | sc_copy_asn1_entry(c_asn1_type_authkey_attr, asn1_type_authkey_attr); |
112 | 0 | sc_copy_asn1_entry(c_asn1_authkey_attr, asn1_authkey_attr); |
113 | |
|
114 | 0 | sc_format_asn1_entry(asn1_auth_type + 0, asn1_auth_type_choice, NULL, 0); |
115 | 0 | sc_format_asn1_entry(asn1_auth_type_choice + 0, &pin_obj, NULL, 0); /* 'pin' */ |
116 | 0 | sc_format_asn1_entry(asn1_auth_type_choice + 2, &authkey_obj, NULL, 0); /* 'authKey' */ |
117 | | |
118 | | /* pinAttributes */ |
119 | 0 | sc_format_asn1_entry(asn1_type_pin_attr + 0, asn1_pin_attr, NULL, 0); |
120 | 0 | sc_format_asn1_entry(asn1_pin_attr + 0, &info.attrs.pin.flags, &flags_len, 0); |
121 | 0 | sc_format_asn1_entry(asn1_pin_attr + 1, &info.attrs.pin.type, NULL, 0); |
122 | 0 | sc_format_asn1_entry(asn1_pin_attr + 2, &info.attrs.pin.min_length, NULL, 0); |
123 | 0 | sc_format_asn1_entry(asn1_pin_attr + 3, &info.attrs.pin.stored_length, NULL, 0); |
124 | 0 | sc_format_asn1_entry(asn1_pin_attr + 4, &info.attrs.pin.max_length, NULL, 0); |
125 | 0 | sc_format_asn1_entry(asn1_pin_attr + 5, &info.attrs.pin.reference, NULL, 0); |
126 | 0 | sc_format_asn1_entry(asn1_pin_attr + 6, &info.attrs.pin.pad_char, &padchar_len, 0); |
127 | | |
128 | | /* authKeyAttributes */ |
129 | 0 | sc_format_asn1_entry(asn1_type_authkey_attr + 0, asn1_authkey_attr, NULL, 0); |
130 | 0 | sc_format_asn1_entry(asn1_authkey_attr + 0, &info.attrs.authkey.derived, &derived_len, 0); |
131 | 0 | sc_format_asn1_entry(asn1_authkey_attr + 1, &info.attrs.authkey.skey_id, NULL, 0); |
132 | | |
133 | | /* We don't support lastPinChange yet. */ |
134 | 0 | sc_format_asn1_entry(asn1_pin_attr + 8, &info.path, NULL, 0); |
135 | |
|
136 | 0 | sc_format_asn1_entry(asn1_com_ao_attr + 0, &info.auth_id, NULL, 0); |
137 | | |
138 | | /* Fill in defaults */ |
139 | 0 | memset(&info, 0, sizeof(info)); |
140 | 0 | info.tries_left = -1; |
141 | 0 | info.logged_in = SC_PIN_STATE_UNKNOWN; |
142 | |
|
143 | 0 | r = sc_asn1_decode(ctx, asn1_auth_type, *buf, *buflen, buf, buflen); |
144 | 0 | if (r == SC_ERROR_ASN1_END_OF_CONTENTS) |
145 | 0 | return r; |
146 | 0 | LOG_TEST_RET(ctx, r, "ASN.1 decoding failed"); |
147 | | |
148 | 0 | if (asn1_auth_type_choice[0].flags & SC_ASN1_PRESENT) { |
149 | 0 | sc_log(ctx, "AuthType: PIN"); |
150 | 0 | obj->type = SC_PKCS15_TYPE_AUTH_PIN; |
151 | 0 | info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN; |
152 | 0 | info.auth_method = SC_AC_CHV; |
153 | |
|
154 | 0 | if (info.attrs.pin.max_length == 0) { |
155 | 0 | if (p15card->card->max_pin_len != 0) |
156 | 0 | info.attrs.pin.max_length = p15card->card->max_pin_len; |
157 | 0 | else if (info.attrs.pin.stored_length != 0) |
158 | 0 | info.attrs.pin.max_length = info.attrs.pin.type != SC_PKCS15_PIN_TYPE_BCD ? |
159 | 0 | info.attrs.pin.stored_length : 2 * info.attrs.pin.stored_length; |
160 | 0 | else |
161 | 0 | info.attrs.pin.max_length = 8; /* shouldn't happen */ |
162 | 0 | } |
163 | | |
164 | | /* OpenSC 0.11.4 and older encoded "pinReference" as a negative |
165 | | value. Fixed in 0.11.5 we need to add a hack, so old cards |
166 | | continue to work. |
167 | | The same invalid encoding has some models of the proprietary PKCS#15 cards. |
168 | | */ |
169 | 0 | if (info.attrs.pin.reference < 0) |
170 | 0 | info.attrs.pin.reference += 256; |
171 | |
|
172 | 0 | if (info.attrs.pin.flags & SC_PKCS15_PIN_FLAG_LOCAL) { |
173 | | /* In OpenSC pkcs#15 framework 'path' is mandatory for the 'Local' PINs. |
174 | | * If 'path' do not present in PinAttributes, derive it from the PKCS#15 context. */ |
175 | 0 | if (!info.path.len) { |
176 | | /* Give priority to AID defined in the application DDO */ |
177 | 0 | if (p15card->app && p15card->app->ddo.aid.len) |
178 | 0 | info.path.aid = p15card->app->ddo.aid; |
179 | 0 | else if (p15card->file_app && p15card->file_app->path.len) |
180 | 0 | info.path = p15card->file_app->path; |
181 | 0 | else |
182 | 0 | return SC_ERROR_INTERNAL; |
183 | 0 | } |
184 | 0 | } |
185 | 0 | sc_debug(ctx, SC_LOG_DEBUG_ASN1, "decoded PIN(ref:%X,path:%s)", info.attrs.pin.reference, sc_print_path(&info.path)); |
186 | 0 | } |
187 | 0 | else if (asn1_auth_type_choice[1].flags & SC_ASN1_PRESENT) { |
188 | 0 | LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "BIO authentication object not yet supported"); |
189 | 0 | } |
190 | 0 | else if (asn1_auth_type_choice[2].flags & SC_ASN1_PRESENT) { |
191 | 0 | sc_log(ctx, "AuthType: AuthKey"); |
192 | 0 | obj->type = SC_PKCS15_TYPE_AUTH_AUTHKEY; |
193 | 0 | info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY; |
194 | 0 | info.auth_method = SC_AC_AUT; |
195 | 0 | if (!(asn1_authkey_attr[0].flags & SC_ASN1_PRESENT)) |
196 | 0 | info.attrs.authkey.derived = 1; |
197 | 0 | } |
198 | 0 | else { |
199 | 0 | LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "unknown authentication type"); |
200 | 0 | } |
201 | | |
202 | 0 | obj->data = malloc(sizeof(info)); |
203 | 0 | if (obj->data == NULL) |
204 | 0 | LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); |
205 | 0 | memcpy(obj->data, &info, sizeof(info)); |
206 | |
|
207 | 0 | SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_ASN1, SC_SUCCESS); |
208 | 0 | } |
209 | | |
210 | | int sc_pkcs15_encode_aodf_entry(sc_context_t *ctx, |
211 | | const struct sc_pkcs15_object *obj, |
212 | | u8 **buf, size_t *buflen) |
213 | 0 | { |
214 | 0 | struct sc_asn1_entry asn1_com_ao_attr[2], asn1_pin_attr[10], asn1_type_pin_attr[2]; |
215 | 0 | struct sc_asn1_entry asn1_auth_type[2]; |
216 | 0 | struct sc_asn1_entry asn1_auth_type_choice[4]; |
217 | 0 | struct sc_pkcs15_auth_info *info = (struct sc_pkcs15_auth_info *) obj->data; |
218 | 0 | struct sc_asn1_pkcs15_object pin_obj = { (struct sc_pkcs15_object *) obj, |
219 | 0 | asn1_com_ao_attr, NULL, asn1_type_pin_attr }; |
220 | 0 | int r; |
221 | 0 | size_t flags_len; |
222 | 0 | size_t padchar_len = 1; |
223 | |
|
224 | 0 | if (info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
225 | 0 | return SC_ERROR_NOT_SUPPORTED; |
226 | | |
227 | 0 | sc_copy_asn1_entry(c_asn1_auth_type, asn1_auth_type); |
228 | 0 | sc_copy_asn1_entry(c_asn1_auth_type_choice, asn1_auth_type_choice); |
229 | 0 | sc_copy_asn1_entry(c_asn1_type_pin_attr, asn1_type_pin_attr); |
230 | 0 | sc_copy_asn1_entry(c_asn1_pin_attr, asn1_pin_attr); |
231 | 0 | sc_copy_asn1_entry(c_asn1_com_ao_attr, asn1_com_ao_attr); |
232 | |
|
233 | 0 | sc_format_asn1_entry(asn1_auth_type + 0, asn1_auth_type_choice, NULL, 1); |
234 | 0 | sc_format_asn1_entry(asn1_auth_type_choice + 0, &pin_obj, NULL, 1); |
235 | |
|
236 | 0 | sc_format_asn1_entry(asn1_type_pin_attr + 0, asn1_pin_attr, NULL, 1); |
237 | |
|
238 | 0 | flags_len = sizeof(info->attrs.pin.flags); |
239 | 0 | sc_format_asn1_entry(asn1_pin_attr + 0, &info->attrs.pin.flags, &flags_len, 1); |
240 | 0 | sc_format_asn1_entry(asn1_pin_attr + 1, &info->attrs.pin.type, NULL, 1); |
241 | 0 | sc_format_asn1_entry(asn1_pin_attr + 2, &info->attrs.pin.min_length, NULL, 1); |
242 | 0 | sc_format_asn1_entry(asn1_pin_attr + 3, &info->attrs.pin.stored_length, NULL, 1); |
243 | 0 | if (info->attrs.pin.max_length > 0) |
244 | 0 | sc_format_asn1_entry(asn1_pin_attr + 4, &info->attrs.pin.max_length, NULL, 1); |
245 | 0 | if (info->attrs.pin.reference >= 0) |
246 | 0 | sc_format_asn1_entry(asn1_pin_attr + 5, &info->attrs.pin.reference, NULL, 1); |
247 | | /* FIXME: check if pad_char present */ |
248 | 0 | sc_format_asn1_entry(asn1_pin_attr + 6, &info->attrs.pin.pad_char, &padchar_len, 1); |
249 | 0 | sc_format_asn1_entry(asn1_pin_attr + 8, &info->path, NULL, info->path.len ? 1 : 0); |
250 | |
|
251 | 0 | sc_format_asn1_entry(asn1_com_ao_attr + 0, &info->auth_id, NULL, 1); |
252 | |
|
253 | 0 | r = sc_asn1_encode(ctx, asn1_auth_type, buf, buflen); |
254 | |
|
255 | 0 | return r; |
256 | 0 | } |
257 | | |
258 | | |
259 | | static int |
260 | | _validate_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_auth_info *auth_info, size_t pinlen) |
261 | 0 | { |
262 | 0 | size_t max_length; |
263 | 0 | if (p15card == NULL) { |
264 | 0 | return SC_ERROR_INVALID_ARGUMENTS; |
265 | 0 | } |
266 | | |
267 | | /* Ignore validation of the non-PIN authentication objects */ |
268 | 0 | if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
269 | 0 | return SC_SUCCESS; |
270 | | |
271 | | /* prevent buffer overflow from hostile card */ |
272 | 0 | if (auth_info->attrs.pin.stored_length > SC_MAX_PIN_SIZE) |
273 | 0 | return SC_ERROR_BUFFER_TOO_SMALL; |
274 | | |
275 | | /* if we use pinpad, no more checks are needed */ |
276 | 0 | if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
277 | 0 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH) |
278 | 0 | && !pinlen) |
279 | 0 | return SC_SUCCESS; |
280 | | |
281 | | /* If pin is given, make sure it is within limits */ |
282 | 0 | max_length = auth_info->attrs.pin.max_length != 0 ? auth_info->attrs.pin.max_length : SC_MAX_PIN_SIZE; |
283 | 0 | if (pinlen > max_length || pinlen < auth_info->attrs.pin.min_length) |
284 | 0 | return SC_ERROR_INVALID_PIN_LENGTH; |
285 | | |
286 | 0 | return SC_SUCCESS; |
287 | 0 | } |
288 | | |
289 | | /* |
290 | | * Verify a PIN. |
291 | | * |
292 | | * If the code given to us has zero length, this means we |
293 | | * should ask the card reader to obtain the PIN from the |
294 | | * reader's PIN pad |
295 | | */ |
296 | | int |
297 | | sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj, |
298 | | const unsigned char *pincode, size_t pinlen) |
299 | 0 | { |
300 | 0 | struct sc_context *ctx = p15card->card->ctx; |
301 | 0 | struct sc_pkcs15_auth_info *auth_info; |
302 | 0 | int r; |
303 | |
|
304 | 0 | LOG_FUNC_CALLED(ctx); |
305 | |
|
306 | 0 | if (!pin_obj || !pin_obj->data) |
307 | 0 | LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE); |
308 | 0 | auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
309 | | |
310 | | /* Check the provided pin matches pin requirements */ |
311 | 0 | r = _validate_pin(p15card, auth_info, pinlen); |
312 | |
|
313 | 0 | if (r) |
314 | 0 | LOG_FUNC_RETURN(ctx, r); |
315 | | |
316 | 0 | r = _sc_pkcs15_verify_pin(p15card, pin_obj, pincode, pinlen); |
317 | |
|
318 | 0 | if (r == SC_SUCCESS) |
319 | 0 | sc_pkcs15_pincache_add(p15card, pin_obj, pincode, pinlen); |
320 | |
|
321 | 0 | LOG_FUNC_RETURN(ctx, r); |
322 | 0 | } |
323 | | |
324 | | |
325 | | int |
326 | | _sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj, |
327 | | const unsigned char *pincode, size_t pinlen) |
328 | 0 | { |
329 | 0 | return sc_pkcs15_verify_pin_with_session_pin(p15card, pin_obj, pincode, |
330 | 0 | pinlen, NULL, NULL); |
331 | 0 | } |
332 | | |
333 | | /* |
334 | | * Verify a PIN and generate a session PIN |
335 | | * |
336 | | * If the code given to us has zero length, this means we |
337 | | * should ask the card reader to obtain the PIN from the |
338 | | * reader's PIN pad |
339 | | */ |
340 | | int sc_pkcs15_verify_pin_with_session_pin(struct sc_pkcs15_card *p15card, |
341 | | struct sc_pkcs15_object *pin_obj, |
342 | | const unsigned char *pincode, size_t pinlen, |
343 | | const unsigned char *sessionpin, size_t *sessionpinlen) |
344 | 0 | { |
345 | 0 | struct sc_context *ctx = p15card->card->ctx; |
346 | 0 | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
347 | 0 | int r; |
348 | 0 | sc_card_t *card; |
349 | 0 | struct sc_pin_cmd_data data; |
350 | |
|
351 | 0 | LOG_FUNC_CALLED(ctx); |
352 | 0 | sc_log(ctx, |
353 | 0 | "PIN(type:%X; method:%X; value(%p:%"SC_FORMAT_LEN_SIZE_T"u)", |
354 | 0 | auth_info->auth_type, auth_info->auth_method, |
355 | 0 | pincode, pinlen); |
356 | 0 | card = p15card->card; |
357 | |
|
358 | 0 | if (pinlen > SC_MAX_PIN_SIZE) { |
359 | 0 | sc_notify_id(card->ctx, &card->reader->atr, p15card, |
360 | 0 | NOTIFY_PIN_BAD); |
361 | 0 | LOG_TEST_RET(ctx, SC_ERROR_INVALID_PIN_LENGTH, "Invalid PIN size"); |
362 | 0 | } |
363 | | |
364 | | /* Initialize arguments */ |
365 | 0 | memset(&data, 0, sizeof(data)); |
366 | 0 | data.pin_type = auth_info->auth_method; |
367 | |
|
368 | 0 | if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_PIN) { |
369 | 0 | data.pin_reference = auth_info->attrs.pin.reference; |
370 | 0 | data.pin1.min_length = auth_info->attrs.pin.min_length; |
371 | 0 | data.pin1.max_length = auth_info->attrs.pin.max_length; |
372 | 0 | data.pin1.pad_length = auth_info->attrs.pin.stored_length; |
373 | 0 | data.pin1.pad_char = auth_info->attrs.pin.pad_char; |
374 | 0 | data.pin1.data = pincode; |
375 | 0 | data.pin1.len = pinlen; |
376 | |
|
377 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) |
378 | 0 | data.flags |= SC_PIN_CMD_NEED_PADDING; |
379 | |
|
380 | 0 | switch (auth_info->attrs.pin.type) { |
381 | 0 | case SC_PKCS15_PIN_TYPE_BCD: |
382 | 0 | data.pin1.encoding = SC_PIN_ENCODING_BCD; |
383 | 0 | break; |
384 | 0 | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
385 | 0 | data.pin1.encoding = SC_PIN_ENCODING_ASCII; |
386 | 0 | break; |
387 | 0 | default: |
388 | | /* assume/hope the card driver knows how to encode the pin */ |
389 | 0 | data.pin1.encoding = 0; |
390 | 0 | } |
391 | 0 | } |
392 | 0 | else if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY) { |
393 | 0 | struct sc_pkcs15_object *skey_obj = NULL; |
394 | 0 | struct sc_pkcs15_id *skey_id = &auth_info->attrs.authkey.skey_id; |
395 | 0 | struct sc_pkcs15_skey_info *skey_info = NULL; |
396 | |
|
397 | 0 | r = sc_pkcs15_find_skey_by_id(p15card, skey_id, &skey_obj); |
398 | 0 | if (r) { |
399 | 0 | sc_log(ctx, "cannot find secret key with id:%s", sc_pkcs15_print_id(skey_id)); |
400 | 0 | LOG_FUNC_RETURN(ctx, r); |
401 | 0 | } |
402 | 0 | skey_info = (struct sc_pkcs15_skey_info *)skey_obj->data; |
403 | |
|
404 | 0 | sc_log(ctx, "found secret key '%s'", skey_obj->label); |
405 | 0 | data.pin_reference = skey_info->key_reference; |
406 | 0 | } |
407 | | |
408 | 0 | if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
409 | 0 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) { |
410 | 0 | if (!pincode && !pinlen) |
411 | 0 | data.flags |= SC_PIN_CMD_USE_PINPAD; |
412 | |
|
413 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) |
414 | 0 | data.pin1.prompt = "Please enter SO PIN"; |
415 | 0 | else |
416 | 0 | data.pin1.prompt = "Please enter PIN"; |
417 | 0 | } |
418 | |
|
419 | 0 | if (card->caps & SC_CARD_CAP_SESSION_PIN && sessionpin && sessionpinlen) { |
420 | | /* session pin is requested and supported with standard verification*/ |
421 | 0 | data.cmd = SC_PIN_CMD_GET_SESSION_PIN; |
422 | 0 | memcpy(&data.pin2, &data.pin1, sizeof (data.pin1)); |
423 | 0 | data.pin2.data = sessionpin; |
424 | 0 | data.pin2.len = *sessionpinlen; |
425 | 0 | } else { |
426 | | /* perform a standard verify */ |
427 | 0 | data.cmd = SC_PIN_CMD_VERIFY; |
428 | 0 | if (sessionpinlen) |
429 | 0 | *sessionpinlen = 0; |
430 | 0 | } |
431 | |
|
432 | 0 | r = sc_lock(card); |
433 | 0 | LOG_TEST_RET(ctx, r, "sc_lock() failed"); |
434 | | |
435 | | /* the path in the pin object is optional */ |
436 | 0 | if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) { |
437 | 0 | r = sc_select_file(card, &auth_info->path, NULL); |
438 | 0 | if (r) |
439 | 0 | goto out; |
440 | 0 | } |
441 | | |
442 | 0 | r = sc_pin_cmd(card, &data, &auth_info->tries_left); |
443 | 0 | sc_log(ctx, "PIN cmd result %i", r); |
444 | 0 | if (r == SC_SUCCESS) { |
445 | 0 | sc_pkcs15_pincache_add(p15card, pin_obj, pincode, pinlen); |
446 | 0 | if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) { |
447 | 0 | *sessionpinlen = data.pin2.len; |
448 | 0 | } |
449 | 0 | } else { |
450 | 0 | sc_notify_id(card->ctx, &card->reader->atr, p15card, |
451 | 0 | NOTIFY_PIN_BAD); |
452 | 0 | if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) { |
453 | 0 | *sessionpinlen = 0; |
454 | 0 | } |
455 | 0 | } |
456 | |
|
457 | 0 | if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_PIN |
458 | 0 | && auth_info->auth_method != SC_AC_SESSION) { |
459 | 0 | sc_notify_id(card->ctx, &card->reader->atr, p15card, |
460 | 0 | r == SC_SUCCESS ? NOTIFY_PIN_GOOD : NOTIFY_PIN_BAD); |
461 | 0 | } |
462 | |
|
463 | 0 | out: |
464 | 0 | sc_unlock(card); |
465 | 0 | LOG_FUNC_RETURN(ctx, r); |
466 | 0 | } |
467 | | |
468 | | |
469 | | |
470 | | /* |
471 | | * Change a PIN. |
472 | | */ |
473 | | int sc_pkcs15_change_pin(struct sc_pkcs15_card *p15card, |
474 | | struct sc_pkcs15_object *pin_obj, |
475 | | const u8 *oldpin, size_t oldpinlen, |
476 | | const u8 *newpin, size_t newpinlen) |
477 | 0 | { |
478 | 0 | struct sc_context *ctx = p15card->card->ctx; |
479 | 0 | struct sc_pin_cmd_data data; |
480 | 0 | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
481 | 0 | struct sc_card *card; |
482 | 0 | int r; |
483 | |
|
484 | 0 | LOG_FUNC_CALLED(ctx); |
485 | 0 | if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
486 | 0 | LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED); |
487 | | |
488 | | /* make sure the pins are in valid range */ |
489 | 0 | r = _validate_pin(p15card, auth_info, oldpinlen); |
490 | 0 | LOG_TEST_RET(ctx, r, "Old PIN value do not conform PIN policy"); |
491 | | |
492 | 0 | r = _validate_pin(p15card, auth_info, newpinlen); |
493 | 0 | LOG_TEST_RET(ctx, r, "New PIN value do not conform PIN policy"); |
494 | | |
495 | 0 | card = p15card->card; |
496 | 0 | r = sc_lock(card); |
497 | 0 | LOG_TEST_RET(ctx, r, "sc_lock() failed"); |
498 | | /* the path in the pin object is optional */ |
499 | 0 | if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) { |
500 | 0 | r = sc_select_file(card, &auth_info->path, NULL); |
501 | 0 | if (r) |
502 | 0 | goto out; |
503 | 0 | } |
504 | | |
505 | | /* set pin_cmd data */ |
506 | 0 | memset(&data, 0, sizeof(data)); |
507 | 0 | data.cmd = SC_PIN_CMD_CHANGE; |
508 | 0 | data.pin_type = SC_AC_CHV; |
509 | 0 | data.pin_reference = auth_info->attrs.pin.reference; |
510 | 0 | data.pin1.data = oldpin; |
511 | 0 | data.pin1.len = oldpinlen; |
512 | 0 | data.pin1.pad_char = auth_info->attrs.pin.pad_char; |
513 | 0 | data.pin1.min_length = auth_info->attrs.pin.min_length; |
514 | 0 | data.pin1.max_length = auth_info->attrs.pin.max_length; |
515 | 0 | data.pin1.pad_length = auth_info->attrs.pin.stored_length; |
516 | 0 | data.pin2.data = newpin; |
517 | 0 | data.pin2.len = newpinlen; |
518 | 0 | data.pin2.pad_char = auth_info->attrs.pin.pad_char; |
519 | 0 | data.pin2.min_length = auth_info->attrs.pin.min_length; |
520 | 0 | data.pin2.max_length = auth_info->attrs.pin.max_length; |
521 | 0 | data.pin2.pad_length = auth_info->attrs.pin.stored_length; |
522 | |
|
523 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) |
524 | 0 | data.flags |= SC_PIN_CMD_NEED_PADDING; |
525 | |
|
526 | 0 | switch (auth_info->attrs.pin.type) { |
527 | 0 | case SC_PKCS15_PIN_TYPE_BCD: |
528 | 0 | data.pin1.encoding = SC_PIN_ENCODING_BCD; |
529 | 0 | data.pin2.encoding = SC_PIN_ENCODING_BCD; |
530 | 0 | break; |
531 | 0 | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
532 | 0 | data.pin1.encoding = SC_PIN_ENCODING_ASCII; |
533 | 0 | data.pin2.encoding = SC_PIN_ENCODING_ASCII; |
534 | 0 | break; |
535 | 0 | } |
536 | | |
537 | 0 | if((!oldpin || !newpin) |
538 | 0 | && (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
539 | 0 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) { |
540 | 0 | data.flags |= SC_PIN_CMD_USE_PINPAD; |
541 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) { |
542 | 0 | data.pin1.prompt = "Please enter SO PIN"; |
543 | 0 | data.pin2.prompt = "Please enter new SO PIN"; |
544 | 0 | } |
545 | 0 | else { |
546 | 0 | data.pin1.prompt = "Please enter PIN"; |
547 | 0 | data.pin2.prompt = "Please enter new PIN"; |
548 | 0 | } |
549 | 0 | } |
550 | |
|
551 | 0 | r = sc_pin_cmd(card, &data, &auth_info->tries_left); |
552 | 0 | if (r == SC_SUCCESS) |
553 | 0 | sc_pkcs15_pincache_add(p15card, pin_obj, newpin, newpinlen); |
554 | |
|
555 | 0 | out: |
556 | 0 | sc_unlock(card); |
557 | 0 | return r; |
558 | 0 | } |
559 | | |
560 | | /* |
561 | | * Unblock a PIN. |
562 | | */ |
563 | | int sc_pkcs15_unblock_pin(struct sc_pkcs15_card *p15card, |
564 | | struct sc_pkcs15_object *pin_obj, |
565 | | const u8 *puk, size_t puklen, |
566 | | const u8 *newpin, size_t newpinlen) |
567 | 0 | { |
568 | 0 | struct sc_context *ctx = p15card->card->ctx; |
569 | 0 | struct sc_pin_cmd_data data; |
570 | 0 | struct sc_pkcs15_object *puk_obj; |
571 | 0 | struct sc_pkcs15_auth_info *puk_info = NULL; |
572 | 0 | int pukref = 0; |
573 | 0 | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
574 | 0 | struct sc_card *card = p15card->card; |
575 | 0 | int r; |
576 | |
|
577 | 0 | LOG_FUNC_CALLED(ctx); |
578 | 0 | if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
579 | 0 | LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED); |
580 | | |
581 | | /* make sure the pins are in valid range */ |
582 | 0 | r = _validate_pin(p15card, auth_info, newpinlen); |
583 | 0 | LOG_TEST_RET(ctx, r, "New PIN value do not conform PIN policy"); |
584 | | |
585 | | /* get pin_info object of the puk (this is a little bit complicated |
586 | | * as we don't have the id of the puk (at least now)) |
587 | | * note: for compatibility reasons we give no error if no puk object |
588 | | * is found */ |
589 | | /* first step: try to get the pkcs15 object of the puk */ |
590 | 0 | r = sc_pkcs15_find_pin_by_auth_id(p15card, &pin_obj->auth_id, &puk_obj); |
591 | 0 | if (r >= 0 && puk_obj) { |
592 | | /* second step: get the pkcs15 info object of the puk */ |
593 | 0 | puk_info = (struct sc_pkcs15_auth_info *)puk_obj->data; |
594 | 0 | pukref = puk_info->attrs.pin.reference; |
595 | 0 | } |
596 | |
|
597 | 0 | if (!puk_info) { |
598 | 0 | sc_log(ctx, "Unable to get puk object, using pin object instead!"); |
599 | 0 | puk_info = auth_info; |
600 | 0 | } |
601 | | /* make sure the puk is in valid range */ |
602 | 0 | r = _validate_pin(p15card, puk_info, puklen); |
603 | 0 | LOG_TEST_RET(ctx, r, "PIN do not conforms PIN policy"); |
604 | | |
605 | | /* |
606 | | * With the current card driver interface we have no way of specifying different padding |
607 | | * flags for the PIN and the PUK. Therefore reject this case. |
608 | | */ |
609 | 0 | if ((auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) != |
610 | 0 | (puk_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING)) { |
611 | 0 | LOG_TEST_RET(ctx, r, "Padding mismatch for PIN/PUK"); |
612 | 0 | } |
613 | | |
614 | 0 | r = sc_lock(card); |
615 | 0 | LOG_TEST_RET(ctx, r, "sc_lock() failed"); |
616 | | |
617 | | /* the path in the pin object is optional */ |
618 | 0 | if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) { |
619 | 0 | r = sc_select_file(card, &auth_info->path, NULL); |
620 | 0 | if (r) |
621 | 0 | goto out; |
622 | 0 | } |
623 | | |
624 | | /* set pin_cmd data */ |
625 | 0 | memset(&data, 0, sizeof(data)); |
626 | 0 | data.cmd = SC_PIN_CMD_UNBLOCK; |
627 | 0 | data.pin_type = SC_AC_CHV; |
628 | 0 | data.pin_reference = auth_info->attrs.pin.reference; |
629 | 0 | data.puk_reference = pukref; |
630 | 0 | data.pin1.data = puk; |
631 | 0 | data.pin1.len = puklen; |
632 | 0 | data.pin1.pad_char = puk_info->attrs.pin.pad_char; |
633 | 0 | data.pin1.min_length = puk_info->attrs.pin.min_length; |
634 | 0 | data.pin1.max_length = puk_info->attrs.pin.max_length; |
635 | 0 | data.pin1.pad_length = puk_info->attrs.pin.stored_length; |
636 | 0 | data.pin2.data = newpin; |
637 | 0 | data.pin2.len = newpinlen; |
638 | 0 | data.pin2.pad_char = auth_info->attrs.pin.pad_char; |
639 | 0 | data.pin2.min_length = auth_info->attrs.pin.min_length; |
640 | 0 | data.pin2.max_length = auth_info->attrs.pin.max_length; |
641 | 0 | data.pin2.pad_length = auth_info->attrs.pin.stored_length; |
642 | |
|
643 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) |
644 | 0 | data.flags |= SC_PIN_CMD_NEED_PADDING; |
645 | |
|
646 | 0 | switch (auth_info->attrs.pin.type) { |
647 | 0 | case SC_PKCS15_PIN_TYPE_BCD: |
648 | 0 | data.pin1.encoding = SC_PIN_ENCODING_BCD; |
649 | 0 | break; |
650 | 0 | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
651 | 0 | data.pin1.encoding = SC_PIN_ENCODING_ASCII; |
652 | 0 | break; |
653 | 0 | } |
654 | | |
655 | 0 | switch (puk_info->attrs.pin.type) { |
656 | 0 | case SC_PKCS15_PIN_TYPE_BCD: |
657 | 0 | data.pin2.encoding = SC_PIN_ENCODING_BCD; |
658 | 0 | break; |
659 | 0 | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
660 | 0 | data.pin2.encoding = SC_PIN_ENCODING_ASCII; |
661 | 0 | break; |
662 | 0 | } |
663 | | |
664 | 0 | if((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
665 | 0 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) { |
666 | 0 | data.flags |= SC_PIN_CMD_USE_PINPAD; |
667 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) { |
668 | 0 | data.pin1.prompt = "Please enter PUK"; |
669 | 0 | data.pin2.prompt = "Please enter new SO PIN"; |
670 | 0 | } |
671 | 0 | else { |
672 | 0 | data.pin1.prompt = "Please enter PUK"; |
673 | 0 | data.pin2.prompt = "Please enter new PIN"; |
674 | 0 | } |
675 | 0 | } |
676 | |
|
677 | 0 | r = sc_pin_cmd(card, &data, &auth_info->tries_left); |
678 | 0 | if (r == SC_SUCCESS) |
679 | 0 | sc_pkcs15_pincache_add(p15card, pin_obj, newpin, newpinlen); |
680 | |
|
681 | 0 | out: |
682 | 0 | sc_unlock(card); |
683 | 0 | LOG_FUNC_RETURN(ctx, r); |
684 | 0 | } |
685 | | |
686 | | int sc_pkcs15_get_pin_info(struct sc_pkcs15_card *p15card, |
687 | | struct sc_pkcs15_object *pin_obj) |
688 | 0 | { |
689 | 0 | int r; |
690 | 0 | struct sc_pin_cmd_data data; |
691 | 0 | struct sc_card *card = p15card->card; |
692 | 0 | struct sc_context *ctx = card->ctx; |
693 | 0 | struct sc_pkcs15_auth_info *pin_info = (struct sc_pkcs15_auth_info *) pin_obj->data; |
694 | |
|
695 | 0 | LOG_FUNC_CALLED(ctx); |
696 | |
|
697 | 0 | r = sc_lock(card); |
698 | 0 | if (r != SC_SUCCESS) |
699 | 0 | return r; |
700 | | |
701 | 0 | if (pin_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) { |
702 | 0 | r = SC_ERROR_INVALID_DATA; |
703 | 0 | goto out; |
704 | 0 | } |
705 | | |
706 | | /* the path in the pin object is optional */ |
707 | 0 | if ((pin_info->path.len > 0) || ((pin_info->path.aid.len > 0))) { |
708 | 0 | r = sc_select_file(card, &pin_info->path, NULL); |
709 | 0 | if (r) |
710 | 0 | goto out; |
711 | 0 | } |
712 | | |
713 | | /* Try to update PIN info from card */ |
714 | 0 | memset(&data, 0, sizeof(data)); |
715 | 0 | data.cmd = SC_PIN_CMD_GET_INFO; |
716 | 0 | data.pin_type = pin_info->auth_method; |
717 | 0 | data.pin_reference = pin_info->attrs.pin.reference; |
718 | |
|
719 | 0 | r = sc_pin_cmd(card, &data, NULL); |
720 | 0 | if (r == SC_SUCCESS) { |
721 | 0 | if (data.pin1.max_tries > 0) |
722 | 0 | pin_info->max_tries = data.pin1.max_tries; |
723 | | /* tries_left must be supported or sc_pin_cmd should not return SC_SUCCESS */ |
724 | 0 | pin_info->tries_left = data.pin1.tries_left; |
725 | 0 | pin_info->logged_in = data.pin1.logged_in; |
726 | 0 | } |
727 | |
|
728 | 0 | out: |
729 | 0 | sc_unlock(card); |
730 | 0 | LOG_FUNC_RETURN(ctx, r); |
731 | 0 | } |
732 | | |
733 | | |
734 | | void sc_pkcs15_free_auth_info(sc_pkcs15_auth_info_t *auth_info) |
735 | 0 | { |
736 | 0 | free(auth_info); |
737 | 0 | } |
738 | | |
739 | | |
740 | | /* Add a PIN to the PIN cache related to the card. Some operations can trigger re-authentication later. */ |
741 | | void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj, |
742 | | const u8 *pin, size_t pinlen) |
743 | 0 | { |
744 | 0 | struct sc_context *ctx = p15card->card->ctx; |
745 | 0 | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
746 | 0 | struct sc_pkcs15_object *obj = NULL; |
747 | 0 | int r; |
748 | |
|
749 | 0 | LOG_FUNC_CALLED(ctx); |
750 | |
|
751 | 0 | if (!pin || !pinlen) { |
752 | 0 | sc_log(ctx, "No cache for zero length PIN"); |
753 | 0 | return; |
754 | 0 | } |
755 | 0 | else if (!p15card->opts.use_pin_cache) { |
756 | 0 | sc_log(ctx, "PIN caching not enabled"); |
757 | 0 | return; |
758 | 0 | } |
759 | 0 | else if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) { |
760 | 0 | sc_log(ctx, "only 'PIN' auth. object can be cached"); |
761 | 0 | return; |
762 | 0 | } |
763 | | |
764 | | /* If the PIN protects an object with user consent, don't cache it */ |
765 | | |
766 | 0 | obj = p15card->obj_list; |
767 | 0 | while (obj != NULL) { |
768 | | /* Compare 'sc_pkcs15_object.auth_id' with 'sc_pkcs15_pin_info.auth_id'. |
769 | | * In accordance with PKCS#15 "6.1.8 CommonObjectAttributes" and |
770 | | * "6.1.16 CommonAuthenticationObjectAttributes" with the exception that |
771 | | * "CommonObjectAttributes.accessControlRules" are not taken into account. */ |
772 | |
|
773 | 0 | if (sc_pkcs15_compare_id(&obj->auth_id, &auth_info->auth_id)) { |
774 | | /* Caching is refused, if the protected object requires user consent */ |
775 | 0 | if (!p15card->opts.pin_cache_ignore_user_consent) { |
776 | 0 | if (obj->user_consent > 0) { |
777 | 0 | sc_log(ctx, "caching refused (user consent)"); |
778 | 0 | return; |
779 | 0 | } |
780 | 0 | } |
781 | 0 | } |
782 | | |
783 | 0 | obj = obj->next; |
784 | 0 | } |
785 | | |
786 | 0 | r = sc_pkcs15_allocate_object_content(ctx, pin_obj, pin, pinlen); |
787 | 0 | if (r != SC_SUCCESS) { |
788 | 0 | sc_log(ctx, "Failed to allocate object content"); |
789 | 0 | return; |
790 | 0 | } |
791 | | |
792 | 0 | pin_obj->usage_counter = 0; |
793 | 0 | sc_log(ctx, "PIN(%s) cached", pin_obj->label); |
794 | 0 | } |
795 | | |
796 | | /* Validate the PIN code associated with an object */ |
797 | | int |
798 | | sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs15_object_t *obj) |
799 | 0 | { |
800 | 0 | struct sc_context *ctx = p15card->card->ctx; |
801 | 0 | sc_pkcs15_object_t *pin_obj; |
802 | 0 | int r; |
803 | |
|
804 | 0 | LOG_FUNC_CALLED(ctx); |
805 | 0 | if (!p15card->opts.use_pin_cache) |
806 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
807 | | |
808 | | /* Apps that do not support CK_ALWAYS_AUTHENTICATE |
809 | | * may need pin_cache_ignore_user_consent = 1 */ |
810 | 0 | if (!p15card->opts.pin_cache_ignore_user_consent) { |
811 | 0 | if (obj->user_consent) |
812 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
813 | 0 | } |
814 | | |
815 | 0 | if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
816 | 0 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) |
817 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
818 | | |
819 | 0 | r = sc_pkcs15_find_pin_by_auth_id(p15card, &obj->auth_id, &pin_obj); |
820 | 0 | if (r != SC_SUCCESS) { |
821 | 0 | sc_log(ctx, "Could not find pin object for auth_id %s", sc_pkcs15_print_id(&obj->auth_id)); |
822 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
823 | 0 | } |
824 | | |
825 | 0 | if (pin_obj->usage_counter >= p15card->opts.pin_cache_counter) { |
826 | 0 | sc_pkcs15_free_object_content(pin_obj); |
827 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
828 | 0 | } |
829 | | |
830 | 0 | if (!pin_obj->content.value || !pin_obj->content.len) |
831 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
832 | | |
833 | 0 | pin_obj->usage_counter++; |
834 | 0 | r = _sc_pkcs15_verify_pin(p15card, pin_obj, pin_obj->content.value, pin_obj->content.len); |
835 | 0 | if (r != SC_SUCCESS) { |
836 | | /* Ensure that wrong PIN isn't used again */ |
837 | 0 | sc_pkcs15_free_object_content(pin_obj); |
838 | |
|
839 | 0 | sc_log(ctx, "Verify PIN error %i", r); |
840 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
841 | 0 | } |
842 | | |
843 | 0 | LOG_FUNC_RETURN(ctx, SC_SUCCESS); |
844 | 0 | } |
845 | | |
846 | | void sc_pkcs15_pincache_clear(struct sc_pkcs15_card *p15card) |
847 | 0 | { |
848 | 0 | struct sc_pkcs15_object *objs[32]; |
849 | 0 | int i, r; |
850 | |
|
851 | 0 | LOG_FUNC_CALLED(p15card->card->ctx); |
852 | 0 | r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 32); |
853 | 0 | for (i = 0; i < r; i++) |
854 | 0 | sc_pkcs15_free_object_content(objs[i]); |
855 | 0 | } |
856 | | |