/src/opensc/src/libopensc/card-esteid2018.c
Line | Count | Source |
1 | | /* |
2 | | * Driver for EstEID card issued from December 2018. |
3 | | * |
4 | | * Copyright (C) 2019, Martin Paljak <martin@martinpaljak.net> |
5 | | * |
6 | | * This library is free software; you can redistribute it and/or |
7 | | * modify it under the terms of the GNU Lesser General Public |
8 | | * License as published by the Free Software Foundation; either |
9 | | * version 2.1 of the License, or (at your option) any later version. |
10 | | * |
11 | | * This library is distributed in the hope that it will be useful, |
12 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
14 | | * Lesser General Public License for more details. |
15 | | * |
16 | | * You should have received a copy of the GNU Lesser General Public |
17 | | * License along with this library; if not, write to the Free Software |
18 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
19 | | */ |
20 | | |
21 | | #ifdef HAVE_CONFIG_H |
22 | | #include "config.h" |
23 | | #endif |
24 | | |
25 | | #include <ctype.h> |
26 | | #include <stdlib.h> |
27 | | #include <string.h> |
28 | | |
29 | | #include "asn1.h" |
30 | | #include "gp.h" |
31 | | #include "internal.h" |
32 | | |
33 | | /* Helping defines */ |
34 | 0 | #define SIGNATURE_PAYLOAD_SIZE 0x30 |
35 | 0 | #define AUTH_REF 0x81 |
36 | 0 | #define SIGN_REF 0x9f |
37 | 0 | #define PIN1_REF 0x01 |
38 | 0 | #define PIN2_REF 0x85 |
39 | 0 | #define PUK_REF 0x02 |
40 | | |
41 | | static const struct sc_atr_table esteid_atrs[] = { |
42 | | {"3b:db:96:00:80:b1:fe:45:1f:83:00:12:23:3f:53:65:49:44:0f:90:00:f1", NULL, "EstEID 2018", SC_CARD_TYPE_ESTEID_2018, 0, NULL}, |
43 | | {"3b:dc:96:00:80:b1:fe:45:1f:83:00:12:23:3f:54:65:49:44:32:0f:90:00:c3", NULL, "EstEID 2018 v2", SC_CARD_TYPE_ESTEID_2018_V2_2025, 0, NULL}, |
44 | | {NULL, NULL, NULL, 0, 0, NULL} |
45 | | }; |
46 | | |
47 | | static const struct sc_aid IASECC_AID = { |
48 | | {0xA0, 0x00, 0x00, 0x00, 0x77, 0x01, 0x08, 0x00, 0x07, 0x00, 0x00, 0xFE, 0x00, 0x00, 0x01, 0x00}, |
49 | | 16 |
50 | | }; |
51 | | |
52 | | static const struct sc_path MF = { |
53 | | {0x3f, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, |
54 | | 2, 0, 0, SC_PATH_TYPE_PATH, {{0}, 0} |
55 | | }; |
56 | | |
57 | | static const struct sc_path adf2 = { |
58 | | {0x3f, 0x00, 0xAD, 0xF2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, |
59 | | 4, 0, 0, SC_PATH_TYPE_PATH, {{0}, 0} |
60 | | }; |
61 | | |
62 | | static const struct sc_card_operations *iso_ops = NULL; |
63 | | static struct sc_card_operations esteid_ops; |
64 | | |
65 | | static struct sc_card_driver esteid2018_driver = {"EstEID 2018", "esteid2018", &esteid_ops, NULL, 0, NULL}; |
66 | | |
67 | | struct esteid_priv_data { |
68 | | sc_security_env_t sec_env; /* current security environment */ |
69 | | }; |
70 | | |
71 | 0 | #define DRVDATA(card) ((struct esteid_priv_data *)((card)->drv_data)) |
72 | | |
73 | | #define SC_TRANSMIT_TEST_RET(card, apdu, text) \ |
74 | 0 | do { \ |
75 | 0 | LOG_TEST_RET(card->ctx, sc_transmit_apdu(card, &apdu), "APDU transmit failed"); \ |
76 | 0 | LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), text); \ |
77 | 0 | } while (0) |
78 | | |
79 | 0 | static int esteid_match_card(sc_card_t *card) { |
80 | 0 | int i = _sc_match_atr(card, esteid_atrs, &card->type); |
81 | |
|
82 | 0 | if (i >= 0 && gp_select_aid(card, &IASECC_AID) == SC_SUCCESS) { |
83 | 0 | card->name = esteid_atrs[i].name; |
84 | 0 | return 1; |
85 | 0 | } |
86 | 0 | return 0; |
87 | 0 | } |
88 | | |
89 | 0 | static int esteid_select_file(struct sc_card *card, const struct sc_path *in_path, struct sc_file **file_out) { |
90 | 0 | const u8 *path = in_path->value; |
91 | 0 | u8 resp[SC_MAX_APDU_RESP_SIZE]; |
92 | 0 | size_t resplen = sizeof(resp); |
93 | 0 | int r; |
94 | 0 | struct sc_file *file = NULL; |
95 | 0 | struct sc_apdu apdu; |
96 | |
|
97 | 0 | LOG_FUNC_CALLED(card->ctx); |
98 | | |
99 | | // Only support full paths |
100 | 0 | if (in_path->type != SC_PATH_TYPE_PATH) { |
101 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); |
102 | 0 | } |
103 | 0 | if (in_path->len % 2 != 0) { |
104 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); |
105 | 0 | } |
106 | | |
107 | 0 | for (size_t pathlen = in_path->len; pathlen >= 2; pathlen -= 2, path += 2) { |
108 | 0 | if (memcmp(path, "\x3F\x00", 2) == 0) { |
109 | 0 | sc_format_apdu_ex(&apdu, card->cla, 0xA4, 0x00, 0x0C, path, 0, NULL, 0); |
110 | 0 | SC_TRANSMIT_TEST_RET(card, apdu, "MF select failed"); |
111 | 0 | } else if (pathlen == 2 && path[0] == 0xAD) { |
112 | 0 | sc_format_apdu_ex(&apdu, card->cla, 0xA4, 0x01, 0x0C, path, 2, NULL, 0); |
113 | 0 | SC_TRANSMIT_TEST_RET(card, apdu, "DF select failed"); |
114 | 0 | } else { |
115 | 0 | sc_format_apdu_ex(&apdu, card->cla, 0xA4, 0x09, 0x04, path, pathlen, resp, resplen); |
116 | 0 | SC_TRANSMIT_TEST_RET(card, apdu, "EF select failed"); |
117 | | |
118 | 0 | if (file_out != NULL) { |
119 | 0 | file = sc_file_new(); |
120 | 0 | if (file == NULL) |
121 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); |
122 | 0 | r = iso_ops->process_fci(card, file, resp, resplen); |
123 | 0 | if (r != SC_SUCCESS) { |
124 | 0 | sc_file_free(file); |
125 | 0 | } else { |
126 | 0 | *file_out = file; |
127 | 0 | } |
128 | 0 | LOG_TEST_RET(card->ctx, r, "Process fci failed"); |
129 | 0 | } |
130 | 0 | break; |
131 | 0 | } |
132 | 0 | } |
133 | 0 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
134 | 0 | } |
135 | | |
136 | 0 | static int esteid_set_security_env(sc_card_t *card, const sc_security_env_t *env, int se_num) { |
137 | 0 | struct esteid_priv_data *priv; |
138 | 0 | struct sc_apdu apdu; |
139 | |
|
140 | 0 | static const u8 cse_crt_aut[] = {0x80, 0x04, 0xFF, 0x20, 0x08, 0x00, 0x84, 0x01, AUTH_REF}; |
141 | 0 | static const u8 cse_crt_sig[] = {0x80, 0x04, 0xFF, 0x15, 0x08, 0x00, 0x84, 0x01, SIGN_REF}; |
142 | 0 | static const u8 cse_crt_dec[] = {0x80, 0x04, 0xFF, 0x30, 0x04, 0x00, 0x84, 0x01, AUTH_REF}; |
143 | |
|
144 | 0 | LOG_FUNC_CALLED(card->ctx); |
145 | |
|
146 | 0 | if (env == NULL || env->key_ref_len != 1) |
147 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
148 | | |
149 | 0 | sc_log(card->ctx, "algo: %lu operation: %d keyref: %d", env->algorithm, env->operation, env->key_ref[0]); |
150 | |
|
151 | 0 | if (env->algorithm == SC_ALGORITHM_EC && env->operation == SC_SEC_OPERATION_SIGN && env->key_ref[0] == AUTH_REF) { |
152 | 0 | sc_format_apdu_ex(&apdu, 0x00, 0x22, 0x41, 0xA4, cse_crt_aut, sizeof(cse_crt_aut), NULL, 0); |
153 | 0 | } else if (env->algorithm == SC_ALGORITHM_EC && env->operation == SC_SEC_OPERATION_SIGN && env->key_ref[0] == SIGN_REF) { |
154 | 0 | sc_format_apdu_ex(&apdu, 0x00, 0x22, 0x41, 0xB6, cse_crt_sig, sizeof(cse_crt_sig), NULL, 0); |
155 | 0 | } else if (env->algorithm == SC_ALGORITHM_EC && env->operation == SC_SEC_OPERATION_DERIVE && env->key_ref[0] == AUTH_REF) { |
156 | 0 | sc_format_apdu_ex(&apdu, 0x00, 0x22, 0x41, 0xB8, cse_crt_dec, sizeof(cse_crt_dec), NULL, 0); |
157 | 0 | } else { |
158 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED); |
159 | 0 | } |
160 | 0 | SC_TRANSMIT_TEST_RET(card, apdu, "SET SECURITY ENV failed"); |
161 | | |
162 | 0 | priv = DRVDATA(card); |
163 | 0 | priv->sec_env = *env; |
164 | 0 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
165 | 0 | } |
166 | | |
167 | 0 | static int esteid_compute_signature(sc_card_t *card, const u8 *data, size_t datalen, u8 *out, size_t outlen) { |
168 | 0 | struct esteid_priv_data *priv = DRVDATA(card); |
169 | 0 | struct sc_security_env *env = NULL; |
170 | 0 | struct sc_apdu apdu; |
171 | 0 | u8 sbuf[SIGNATURE_PAYLOAD_SIZE] = {0}; |
172 | 0 | size_t le = MIN(SC_MAX_APDU_RESP_SIZE, MIN(SIGNATURE_PAYLOAD_SIZE * 2, outlen)); |
173 | |
|
174 | 0 | LOG_FUNC_CALLED(card->ctx); |
175 | 0 | if (data == NULL || out == NULL || datalen > SIGNATURE_PAYLOAD_SIZE) |
176 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); |
177 | | |
178 | 0 | env = &priv->sec_env; |
179 | | // left-pad if necessary |
180 | 0 | memcpy(&sbuf[SIGNATURE_PAYLOAD_SIZE - datalen], data, MIN(datalen, SIGNATURE_PAYLOAD_SIZE)); |
181 | 0 | datalen = SIGNATURE_PAYLOAD_SIZE; |
182 | |
|
183 | 0 | switch (env->key_ref[0]) { |
184 | 0 | case AUTH_REF: |
185 | 0 | sc_format_apdu_ex(&apdu, 0x00, 0x88, 0, 0, sbuf, datalen, out, le); |
186 | 0 | break; |
187 | 0 | default: |
188 | 0 | sc_format_apdu_ex(&apdu, 0x00, 0x2A, 0x9E, 0x9A, sbuf, datalen, out, le); |
189 | 0 | } |
190 | | |
191 | 0 | SC_TRANSMIT_TEST_RET(card, apdu, "PSO CDS/INTERNAL AUTHENTICATE failed"); |
192 | | |
193 | 0 | LOG_FUNC_RETURN(card->ctx, (int)apdu.resplen); |
194 | 0 | } |
195 | | |
196 | 0 | static int esteid_get_pin_remaining_tries(sc_card_t *card, int pin_reference) { |
197 | 0 | const u8 get_pin_info[] = {0x4D, 0x08, 0x70, 0x06, 0xBF, 0x81, pin_reference & 0x0F, 0x02, 0xA0, 0x80}; // mask out local/global |
198 | 0 | struct sc_apdu apdu; |
199 | 0 | u8 apdu_resp[SC_MAX_APDU_RESP_SIZE]; |
200 | 0 | LOG_FUNC_CALLED(card->ctx); |
201 | | |
202 | | // We don't get the file information here, so we need to be ugly |
203 | 0 | if (pin_reference == PIN1_REF || pin_reference == PUK_REF) { |
204 | 0 | LOG_TEST_RET(card->ctx, esteid_select_file(card, &MF, NULL), "Cannot select MF"); |
205 | 0 | } else if (pin_reference == PIN2_REF) { |
206 | 0 | LOG_TEST_RET(card->ctx, esteid_select_file(card, &adf2, NULL), "Cannot select QSCD AID"); |
207 | 0 | } else { |
208 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
209 | 0 | } |
210 | | |
211 | 0 | sc_format_apdu_ex(&apdu, 0x00, 0xCB, 0x3F, 0xFF, get_pin_info, sizeof(get_pin_info), apdu_resp, sizeof(apdu_resp)); |
212 | 0 | SC_TRANSMIT_TEST_RET(card, apdu, "GET DATA(pin info) failed"); |
213 | 0 | if (apdu.resplen < 32) { |
214 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
215 | 0 | } |
216 | | |
217 | | // XXX: sc_asn1_find_tag with the following payload (to get to tag 0x9B): |
218 | | // https://lapo.it/asn1js/#cB6_gQEaoBiaAQObAQOhEIwG8wAAc0MAnAbzAABzQwA |
219 | 0 | return (int)apdu_resp[13]; |
220 | 0 | } |
221 | | |
222 | 0 | static int esteid_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left) { |
223 | 0 | int r; |
224 | 0 | struct sc_pin_cmd_data tmp; |
225 | 0 | LOG_FUNC_CALLED(card->ctx); |
226 | 0 | sc_log(card->ctx, "PIN CMD is %d", data->cmd); |
227 | 0 | if (data->cmd == SC_PIN_CMD_GET_INFO) { |
228 | 0 | sc_log(card->ctx, "SC_PIN_CMD_GET_INFO for %d", data->pin_reference); |
229 | 0 | r = esteid_get_pin_remaining_tries(card, data->pin_reference); |
230 | 0 | LOG_TEST_RET(card->ctx, r, "GET DATA(pin info) failed"); |
231 | | |
232 | 0 | data->pin1.tries_left = r; |
233 | 0 | data->pin1.max_tries = -1; // "no support, which means the one set in PKCS#15 emulation sticks |
234 | 0 | data->pin1.logged_in = SC_PIN_STATE_UNKNOWN; |
235 | 0 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
236 | 0 | } else if (data->cmd == SC_PIN_CMD_UNBLOCK) { |
237 | | // Verify PUK, then issue UNBLOCK |
238 | | // VERIFY |
239 | 0 | tmp = *data; |
240 | 0 | tmp.cmd = SC_PIN_CMD_VERIFY; |
241 | 0 | tmp.pin_reference = PUK_REF; |
242 | 0 | tmp.pin2.len = 0; |
243 | 0 | r = iso_ops->pin_cmd(card, &tmp, tries_left); |
244 | 0 | LOG_TEST_RET(card->ctx, r, "VERIFY during unblock failed"); |
245 | | |
246 | 0 | if (data->pin_reference == PIN2_REF) { |
247 | 0 | LOG_TEST_RET(card->ctx, esteid_select_file(card, &adf2, NULL), "Cannot select QSCD AID"); |
248 | 0 | } |
249 | | // UNBLOCK |
250 | 0 | tmp = *data; |
251 | 0 | tmp.cmd = SC_PIN_CMD_UNBLOCK; |
252 | 0 | tmp.pin1.len = 0; |
253 | 0 | r = iso_ops->pin_cmd(card, &tmp, tries_left); |
254 | 0 | sc_mem_clear(&tmp, sizeof(tmp)); |
255 | 0 | LOG_FUNC_RETURN(card->ctx, r); |
256 | 0 | } |
257 | | |
258 | 0 | LOG_FUNC_RETURN(card->ctx, iso_ops->pin_cmd(card, data, tries_left)); |
259 | 0 | } |
260 | | |
261 | 0 | static int esteid_init(sc_card_t *card) { |
262 | 0 | unsigned long flags, ext_flags; |
263 | 0 | struct esteid_priv_data *priv; |
264 | |
|
265 | 0 | priv = calloc(1, sizeof *priv); |
266 | 0 | if (!priv) |
267 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); |
268 | 0 | card->drv_data = priv; |
269 | 0 | card->max_recv_size = 233; // XXX: empirical, not documented |
270 | | // Workaround for the 2018 v2 card, with reader Alcor Micro AU9540 |
271 | 0 | if (card->type == SC_CARD_TYPE_ESTEID_2018_V2_2025) { |
272 | 0 | card->max_recv_size = 0xC0; |
273 | 0 | } |
274 | |
|
275 | 0 | flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ECDSA_HASH_NONE; |
276 | 0 | ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES; |
277 | |
|
278 | 0 | _sc_card_add_ec_alg(card, 384, flags, ext_flags, NULL); |
279 | |
|
280 | 0 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
281 | 0 | } |
282 | | |
283 | 0 | static int esteid_finish(sc_card_t *card) { |
284 | 0 | if (card != NULL) |
285 | 0 | free(DRVDATA(card)); |
286 | 0 | return 0; |
287 | 0 | } |
288 | | |
289 | 0 | static int esteid_logout(sc_card_t *card) { |
290 | 0 | return gp_select_aid(card, &IASECC_AID); |
291 | 0 | } |
292 | | |
293 | 279 | struct sc_card_driver *sc_get_esteid2018_driver(void) { |
294 | 279 | struct sc_card_driver *iso_drv = sc_get_iso7816_driver(); |
295 | | |
296 | 279 | if (iso_ops == NULL) |
297 | 1 | iso_ops = iso_drv->ops; |
298 | | |
299 | 279 | esteid_ops = *iso_drv->ops; |
300 | 279 | esteid_ops.match_card = esteid_match_card; |
301 | 279 | esteid_ops.init = esteid_init; |
302 | 279 | esteid_ops.finish = esteid_finish; |
303 | | |
304 | 279 | esteid_ops.select_file = esteid_select_file; |
305 | | |
306 | 279 | esteid_ops.set_security_env = esteid_set_security_env; |
307 | 279 | esteid_ops.compute_signature = esteid_compute_signature; |
308 | 279 | esteid_ops.pin_cmd = esteid_pin_cmd; |
309 | 279 | esteid_ops.logout = esteid_logout; |
310 | | |
311 | 279 | return &esteid2018_driver; |
312 | 279 | } |