/src/opensc/src/libopensc/pkcs15-itacns.c
Line | Count | Source |
1 | | /* |
2 | | * PKCS15 emulation layer for Italian CNS. |
3 | | * |
4 | | * Copyright (C) 2008, Emanuele Pucciarelli <ep@acm.org> |
5 | | * Many snippets have been taken out from other PKCS15 emulation layer |
6 | | * modules in this directory; their copyright is their authors'. |
7 | | * |
8 | | * This library is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public |
10 | | * License as published by the Free Software Foundation; either |
11 | | * version 2.1 of the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public |
19 | | * License along with this library; if not, write to the Free Software |
20 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
21 | | */ |
22 | | |
23 | | /* |
24 | | * Specifications for the development of this driver come from: |
25 | | * http://www.servizidemografici.interno.it/sitoCNSD/documentazioneRicerca.do?metodo=contenutoDocumento&servizio=documentazione&ID_DOCUMENTO=1043 |
26 | | */ |
27 | | |
28 | | |
29 | | #ifdef HAVE_CONFIG_H |
30 | | #include <config.h> |
31 | | #endif |
32 | | |
33 | | #include <stdlib.h> |
34 | | #include <string.h> |
35 | | #include <stdio.h> |
36 | | |
37 | | #include "internal.h" |
38 | | #include "pkcs15.h" |
39 | | #include "log.h" |
40 | | #include "cards.h" |
41 | | #include "itacns.h" |
42 | | #include "common/compat_strlcpy.h" |
43 | | #include "common/compat_strlcat.h" |
44 | | |
45 | | #ifdef ENABLE_OPENSSL |
46 | | #include <openssl/x509.h> |
47 | | #include <openssl/x509v3.h> |
48 | | #endif |
49 | | |
50 | | static const char path_serial[] = "10001003"; |
51 | | |
52 | | /* Manufacturers */ |
53 | | |
54 | | const char * itacns_mask_manufacturers[] = { |
55 | | "Unknown", |
56 | | "Kaitech", |
57 | | "Gemplus", |
58 | | "Ghirlanda", |
59 | | "Giesecke & Devrient", |
60 | | "IDEMIA (Oberthur)", |
61 | | "Orga", |
62 | | "Axalto", |
63 | | "Siemens", |
64 | | "STIncard", |
65 | | "GEP", |
66 | | "EPS Corp", |
67 | | "Athena", |
68 | | "Gemalto", |
69 | | }; |
70 | | |
71 | | const char * iso7816_ic_manufacturers[] = { |
72 | | "Unknown", |
73 | | "Motorola", |
74 | | "STMicroelectronics", |
75 | | "Hitachi", |
76 | | "NXP Semiconductors", |
77 | | "Infineon", |
78 | | "Cylinc", |
79 | | "Texas Instruments", |
80 | | "Fujitsu", |
81 | | "Matsushita", |
82 | | "NEC", |
83 | | "Oki", |
84 | | "Toshiba", |
85 | | "Mitsubishi", |
86 | | "Samsung", |
87 | | "Hynix", |
88 | | "LG", |
89 | | "Emosyn-EM", |
90 | | "INSIDE", |
91 | | "ORGA", |
92 | | "SHARP", |
93 | | "ATMEL", |
94 | | "EM Microelectronic-Marin", |
95 | | "KSW Microtec", |
96 | | "ZMD", |
97 | | "XICOR", |
98 | | "Sony", |
99 | | "Malaysia Microelectronic Solutions", |
100 | | "Emosyn", |
101 | | "Shanghai Fudan", |
102 | | "Magellan", |
103 | | "Melexis", |
104 | | "Renesas", |
105 | | "TAGSYS", |
106 | | "Transcore", |
107 | | "Shanghai belling", |
108 | | "Masktech", |
109 | | "Innovision", |
110 | | "Hitachi", |
111 | | "Cypak", |
112 | | "Ricoh", |
113 | | "ASK", |
114 | | "Unicore", |
115 | | "Dallas", |
116 | | "Impinj", |
117 | | "RightPlug Alliance", |
118 | | "Broadcom", |
119 | | "MStar", |
120 | | "BeeDar", |
121 | | "RFIDsec", |
122 | | "Schweizer Electronic", |
123 | | "AMIC Technology", |
124 | | "Mikron", |
125 | | "Fraunhofer", |
126 | | "IDS Microchip", |
127 | | "Kovio", |
128 | | "HMT Microelectronic", |
129 | | "Silicon Craft", |
130 | | "Advanced Film Device", |
131 | | "Nitecrest", |
132 | | "Verayo", |
133 | | "HID Gloval", |
134 | | "Productivity Engineering", |
135 | | "Austriamicrosystems", |
136 | | "Gemalto" |
137 | | }; |
138 | | |
139 | | /* Data files */ |
140 | | |
141 | | static const struct { |
142 | | const char *label; |
143 | | const char *path; |
144 | | int cie_only; |
145 | | } itacns_data_files[] = { |
146 | | { "EF_DatiProcessore", "3F0010001002", 0 }, |
147 | | { "EF_IDCarta", "3F0010001003", 0 }, |
148 | | { "EF_DatiSistema", "3F0010001004", 1 }, |
149 | | { "EF_DatiPersonali", "3F0011001102", 0 }, |
150 | | { "EF_DatiPersonali_Annotazioni", "3F0011001103", 1 }, |
151 | | { "EF_Impronte", "3F0011001104", 1 }, |
152 | | { "EF_Foto", "3F0011001104", 1 }, |
153 | | { "EF_DatiPersonaliAggiuntivi", "3F0012001201", 0 }, |
154 | | { "EF_MemoriaResidua", "3F0012001202", 0 }, |
155 | | { "EF_ServiziInstallati", "3F0012001203", 0 }, |
156 | | { "EF_INST_FILE", "3F0012004142", 0 }, |
157 | | { "EF_CardStatus", "3F003F02", 0 }, |
158 | | { "EF_GDO", "3F002F02", 0 }, |
159 | | { "EF_RootInstFile", "3F000405", 0 } |
160 | | }; |
161 | | |
162 | | |
163 | | /* |
164 | | * Utility functions |
165 | | */ |
166 | | |
167 | | static int loadFile(const sc_pkcs15_card_t *p15card, const sc_path_t *path, |
168 | | u8 *buf, const size_t buflen) |
169 | 390 | { |
170 | 390 | int sc_res; |
171 | 390 | SC_FUNC_CALLED(p15card->card->ctx, SC_LOG_DEBUG_NORMAL); |
172 | | |
173 | 390 | sc_res = sc_select_file(p15card->card, path, NULL); |
174 | 390 | if(sc_res != SC_SUCCESS) |
175 | 81 | return sc_res; |
176 | | |
177 | 309 | sc_res = sc_read_binary(p15card->card, 0, buf, buflen, 0); |
178 | 309 | return sc_res; |
179 | 390 | } |
180 | | |
181 | | /* |
182 | | * The following functions add objects to the card emulator. |
183 | | */ |
184 | | |
185 | | static int itacns_add_cert(sc_pkcs15_card_t *p15card, |
186 | | int type, int authority, const sc_path_t *path, |
187 | | const sc_pkcs15_id_t *id, const char *label, int obj_flags, |
188 | | int *ext_info_ok, int *key_usage, int *x_key_usage, size_t *modulus_len) |
189 | 263 | { |
190 | 263 | int r; |
191 | | /* const char *label = "Certificate"; */ |
192 | 263 | sc_pkcs15_cert_info_t info; |
193 | 263 | sc_pkcs15_object_t obj; |
194 | 263 | #ifdef ENABLE_OPENSSL |
195 | 263 | X509 *x509; |
196 | 263 | sc_pkcs15_cert_t *cert; |
197 | 263 | int private_obj; |
198 | 263 | #endif |
199 | | |
200 | 263 | SC_FUNC_CALLED(p15card->card->ctx, SC_LOG_DEBUG_NORMAL); |
201 | | |
202 | 263 | if(type != SC_PKCS15_TYPE_CERT_X509) { |
203 | 0 | sc_log(p15card->card->ctx, |
204 | 0 | "Cannot add a certificate of a type other than X.509"); |
205 | 0 | return 1; |
206 | 0 | } |
207 | | |
208 | 263 | *ext_info_ok = 0; |
209 | | |
210 | | |
211 | 263 | memset(&info, 0, sizeof(info)); |
212 | 263 | memset(&obj, 0, sizeof(obj)); |
213 | | |
214 | 263 | info.id = *id; |
215 | 263 | info.authority = authority; |
216 | 263 | if (path) |
217 | 263 | info.path = *path; |
218 | | |
219 | 263 | strlcpy(obj.label, label, sizeof(obj.label)); |
220 | | |
221 | | /* If we have OpenSSL, read keyUsage */ |
222 | 263 | #ifdef ENABLE_OPENSSL |
223 | 263 | private_obj = obj_flags & SC_PKCS15_CO_FLAG_PRIVATE; |
224 | 263 | r = sc_pkcs15_read_certificate(p15card, &info, private_obj, &cert); |
225 | 263 | LOG_TEST_RET(p15card->card->ctx, r, |
226 | 0 | "Could not read X.509 certificate"); |
227 | | |
228 | 0 | { |
229 | 0 | const u8 *throwaway = cert->data.value; |
230 | 0 | x509 = d2i_X509(NULL, &throwaway, cert->data.len); |
231 | 0 | } |
232 | |
|
233 | 0 | if (cert->key && cert->key->algorithm == SC_ALGORITHM_RSA) { |
234 | 0 | *modulus_len = cert->key->u.rsa.modulus.len * 8; |
235 | 0 | } |
236 | |
|
237 | 0 | sc_pkcs15_free_certificate(cert); |
238 | 0 | if (!x509) { |
239 | 0 | sc_log_openssl(p15card->card->ctx); |
240 | 0 | return SC_SUCCESS; |
241 | 0 | } |
242 | 0 | X509_check_purpose(x509, -1, 0); |
243 | |
|
244 | 0 | if(X509_get_extension_flags(x509) & EXFLAG_KUSAGE) { |
245 | 0 | *ext_info_ok = 1; |
246 | 0 | *key_usage = X509_get_key_usage(x509); |
247 | 0 | *x_key_usage = X509_get_extended_key_usage(x509); |
248 | 0 | } |
249 | 0 | OPENSSL_free(x509); |
250 | |
|
251 | 0 | #endif /* ENABLE_OPENSSL */ |
252 | |
|
253 | 0 | obj.flags = obj_flags; |
254 | 0 | r = sc_pkcs15emu_add_x509_cert(p15card, &obj, &info); |
255 | 0 | LOG_TEST_RET(p15card->card->ctx, r, |
256 | 0 | "Could not add X.509 certificate"); |
257 | | |
258 | 0 | return r; |
259 | 0 | } |
260 | | |
261 | | static int itacns_add_pubkey(sc_pkcs15_card_t *p15card, |
262 | | const sc_path_t *path, const sc_pkcs15_id_t *id, const char *label, |
263 | | int usage, int ref, int obj_flags, size_t modulus_len) |
264 | 0 | { |
265 | 0 | int r; |
266 | 0 | sc_pkcs15_pubkey_info_t info; |
267 | 0 | sc_pkcs15_object_t obj; |
268 | |
|
269 | 0 | SC_FUNC_CALLED(p15card->card->ctx, SC_LOG_DEBUG_NORMAL); |
270 | |
|
271 | 0 | memset(&info, 0, sizeof(info)); |
272 | 0 | memset(&obj, 0, sizeof(obj)); |
273 | |
|
274 | 0 | info.id = *id; |
275 | 0 | if (path) |
276 | 0 | info.path = *path; |
277 | 0 | info.usage = usage; |
278 | 0 | info.key_reference = ref; |
279 | 0 | strlcpy(obj.label, label, sizeof(obj.label)); |
280 | 0 | obj.flags = obj_flags; |
281 | |
|
282 | 0 | info.modulus_length = modulus_len; |
283 | |
|
284 | 0 | r = sc_pkcs15emu_add_rsa_pubkey(p15card, &obj, &info); |
285 | 0 | LOG_TEST_RET(p15card->card->ctx, r, |
286 | 0 | "Could not add pub key"); |
287 | 0 | return r; |
288 | 0 | } |
289 | | |
290 | | static int itacns_add_prkey(sc_pkcs15_card_t *p15card, |
291 | | const sc_pkcs15_id_t *id, |
292 | | const char *label, |
293 | | int type, size_t modulus_length, int usage, |
294 | | const sc_path_t *path, int ref, |
295 | | const sc_pkcs15_id_t *auth_id, int obj_flags) |
296 | 0 | { |
297 | 0 | sc_pkcs15_prkey_info_t info; |
298 | 0 | sc_pkcs15_object_t obj; |
299 | |
|
300 | 0 | SC_FUNC_CALLED(p15card->card->ctx, SC_LOG_DEBUG_NORMAL); |
301 | |
|
302 | 0 | if(type != SC_PKCS15_TYPE_PRKEY_RSA) { |
303 | 0 | sc_log(p15card->card->ctx, |
304 | 0 | "Cannot add a private key of a type other than RSA"); |
305 | 0 | return 1; |
306 | 0 | } |
307 | | |
308 | 0 | memset(&info, 0, sizeof(info)); |
309 | 0 | memset(&obj, 0, sizeof(obj)); |
310 | |
|
311 | 0 | info.id = *id; |
312 | 0 | info.modulus_length = modulus_length; |
313 | 0 | info.usage = usage; |
314 | 0 | info.native = 1; |
315 | 0 | info.key_reference = ref; |
316 | |
|
317 | 0 | if (path) |
318 | 0 | info.path = *path; |
319 | |
|
320 | 0 | obj.flags = obj_flags; |
321 | 0 | strlcpy(obj.label, label, sizeof(obj.label)); |
322 | 0 | if (auth_id != NULL) |
323 | 0 | obj.auth_id = *auth_id; |
324 | |
|
325 | 0 | return sc_pkcs15emu_add_rsa_prkey(p15card, &obj, &info); |
326 | 0 | } |
327 | | |
328 | | static int itacns_add_pin(sc_pkcs15_card_t *p15card, |
329 | | char *label, |
330 | | int id, |
331 | | int auth_id, |
332 | | int reference, |
333 | | sc_path_t *path, |
334 | | int flags) |
335 | 0 | { |
336 | 0 | struct sc_pkcs15_auth_info pin_info; |
337 | 0 | struct sc_pkcs15_object pin_obj; |
338 | |
|
339 | 0 | SC_FUNC_CALLED(p15card->card->ctx, SC_LOG_DEBUG_NORMAL); |
340 | |
|
341 | 0 | memset(&pin_info, 0, sizeof(pin_info)); |
342 | 0 | pin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN; |
343 | 0 | pin_info.auth_id.len = 1; |
344 | 0 | pin_info.auth_id.value[0] = id; |
345 | 0 | pin_info.attrs.pin.reference = reference; |
346 | 0 | pin_info.attrs.pin.flags = flags; |
347 | 0 | pin_info.attrs.pin.type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC; |
348 | 0 | pin_info.attrs.pin.min_length = 5; |
349 | 0 | pin_info.attrs.pin.stored_length = 8; |
350 | 0 | pin_info.attrs.pin.max_length = 8; |
351 | 0 | pin_info.attrs.pin.pad_char = 0xff; |
352 | 0 | pin_info.logged_in = SC_PIN_STATE_UNKNOWN; |
353 | 0 | if(path) |
354 | 0 | pin_info.path = *path; |
355 | |
|
356 | 0 | memset(&pin_obj, 0, sizeof(pin_obj)); |
357 | 0 | strlcpy(pin_obj.label, label, sizeof(pin_obj.label)); |
358 | 0 | pin_obj.flags = SC_PKCS15_CO_FLAG_PRIVATE | |
359 | 0 | (auth_id ? SC_PKCS15_CO_FLAG_MODIFIABLE : 0); |
360 | 0 | if (auth_id) { |
361 | 0 | pin_obj.auth_id.len = 1; |
362 | 0 | pin_obj.auth_id.value[0] = auth_id; |
363 | 0 | } else |
364 | 0 | pin_obj.auth_id.len = 0; |
365 | |
|
366 | 0 | return sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info); |
367 | 0 | } |
368 | | |
369 | | static int hextoint(char *src, unsigned int len) |
370 | 64 | { |
371 | 64 | char hex[16]; |
372 | 64 | char *end; |
373 | 64 | int res; |
374 | | |
375 | 64 | if(len >= sizeof(hex)) |
376 | 0 | return -1; |
377 | 64 | strncpy(hex, src, len); |
378 | 64 | hex[len] = '\0'; |
379 | 64 | res = (int)strtol(hex, &end, 0x10); |
380 | 64 | if(end != (char*)&hex[len]) |
381 | 11 | return -1; |
382 | 53 | return res; |
383 | 64 | } |
384 | | |
385 | | static int get_name_from_EF_DatiPersonali(unsigned char *EFdata, |
386 | | size_t EFdata_len, char name[], int name_len) |
387 | 156 | { |
388 | 156 | const unsigned int EF_personaldata_maxlen = 400; |
389 | 156 | const unsigned int tlv_length_size = 6; |
390 | 156 | char *file = NULL; |
391 | 156 | int file_size; |
392 | | |
393 | | /* |
394 | | * Bytes 0-5 contain the ASCII encoding of the following TLV |
395 | | * structure's total size, in base 16. |
396 | | */ |
397 | 156 | if (EFdata_len < tlv_length_size) { |
398 | | /* We need at least 6 bytes for file length here */ |
399 | 115 | return -1; |
400 | 115 | } |
401 | 41 | file_size = hextoint((char*)EFdata, tlv_length_size); |
402 | 41 | if (EFdata_len < (file_size + tlv_length_size)) { |
403 | | /* Inconsistent external file length and internal file length |
404 | | * suggests we are trying to process junk data. |
405 | | * If the internal data length is shorter, the data can be padded, |
406 | | * but we should be fine as we will not go behind the buffer limits */ |
407 | 18 | return -1; |
408 | 18 | } |
409 | 23 | file = (char*)&EFdata[tlv_length_size]; |
410 | | |
411 | 23 | enum { |
412 | 23 | f_issuer_code = 0, |
413 | 23 | f_issuing_date, |
414 | 23 | f_expiry_date, |
415 | 23 | f_last_name, |
416 | 23 | f_first_name, |
417 | 23 | f_birth_date, |
418 | 23 | f_sex, |
419 | 23 | f_height, |
420 | 23 | f_codice_fiscale, |
421 | 23 | f_citizenship_code, |
422 | 23 | f_birth_township_code, |
423 | 23 | f_birth_country, |
424 | 23 | f_birth_certificate, |
425 | 23 | f_residence_township_code, |
426 | 23 | f_residence_address, |
427 | 23 | f_expat_notes |
428 | 23 | }; |
429 | | |
430 | | /* Read the fields up to f_first_name */ |
431 | 23 | struct { |
432 | 23 | int len; |
433 | 23 | char value[256]; |
434 | 23 | } fields[f_first_name+1]; |
435 | 23 | int i=0; /* offset inside the file */ |
436 | 23 | int f; /* field number */ |
437 | | |
438 | 23 | if (file_size < 0) |
439 | 10 | return -1; |
440 | | |
441 | | /* |
442 | | * This shouldn't happen, but let us be protected against wrong |
443 | | * or malicious cards |
444 | | */ |
445 | 13 | if(file_size > (int)EF_personaldata_maxlen - (int)tlv_length_size) |
446 | 1 | file_size = EF_personaldata_maxlen - tlv_length_size; |
447 | | |
448 | | |
449 | 13 | memset(fields, 0, sizeof(fields)); |
450 | | |
451 | 25 | for(f=0; f<f_first_name+1; f++) { |
452 | 24 | int field_size; |
453 | | |
454 | | /* Don't read beyond the allocated buffer */ |
455 | 24 | if(i+2 > file_size) |
456 | 1 | return -1; |
457 | 23 | field_size = hextoint((char*) &file[i], 2); |
458 | 23 | i += 2; |
459 | | |
460 | 23 | if (field_size < 0 |
461 | 19 | || i + field_size > file_size |
462 | 12 | || field_size >= (int)sizeof(fields[f].value)) |
463 | 11 | return -1; |
464 | | |
465 | 12 | fields[f].len = field_size; |
466 | 12 | strncpy(fields[f].value, &file[i], field_size); |
467 | 12 | fields[f].value[field_size] = '\0'; |
468 | 12 | i += field_size; |
469 | 12 | } |
470 | | |
471 | 1 | if (fields[f_first_name].len + fields[f_last_name].len + 1 >= name_len) |
472 | 0 | return -1; |
473 | | |
474 | | /* the lengths are already checked that they will fit in buffer */ |
475 | 1 | snprintf(name, name_len, "%.*s %.*s", |
476 | 1 | fields[f_first_name].len, fields[f_first_name].value, |
477 | 1 | fields[f_last_name].len, fields[f_last_name].value); |
478 | 1 | return 0; |
479 | 1 | } |
480 | | |
481 | | static int itacns_add_data_files(sc_pkcs15_card_t *p15card) |
482 | 197 | { |
483 | 197 | const size_t array_size = |
484 | 197 | sizeof(itacns_data_files)/sizeof(itacns_data_files[0]); |
485 | 197 | unsigned int i; |
486 | 197 | int rv; |
487 | 197 | sc_pkcs15_data_t *p15_personaldata = NULL; |
488 | 197 | sc_pkcs15_data_info_t dinfo; |
489 | 197 | struct sc_pkcs15_object *objs[32]; |
490 | 197 | struct sc_pkcs15_data_info *cinfo; |
491 | 197 | int private_obj; |
492 | | |
493 | 2.95k | for(i=0; i < array_size; i++) { |
494 | 2.75k | sc_path_t path; |
495 | 2.75k | sc_pkcs15_data_info_t data; |
496 | 2.75k | sc_pkcs15_object_t obj; |
497 | | |
498 | 2.75k | if (itacns_data_files[i].cie_only && |
499 | 788 | p15card->card->type != SC_CARD_TYPE_ITACNS_CIE_V2) |
500 | 768 | continue; |
501 | | |
502 | 1.99k | sc_format_path(itacns_data_files[i].path, &path); |
503 | | |
504 | 1.99k | memset(&data, 0, sizeof(data)); |
505 | 1.99k | memset(&obj, 0, sizeof(obj)); |
506 | 1.99k | strlcpy(data.app_label, itacns_data_files[i].label, |
507 | 1.99k | sizeof(data.app_label)); |
508 | 1.99k | strlcpy(obj.label, itacns_data_files[i].label, |
509 | 1.99k | sizeof(obj.label)); |
510 | 1.99k | data.path = path; |
511 | 1.99k | rv = sc_pkcs15emu_add_data_object(p15card, &obj, &data); |
512 | 1.99k | LOG_TEST_RET(p15card->card->ctx, rv, |
513 | 1.99k | "Could not add data file"); |
514 | 1.99k | } |
515 | | |
516 | | /* |
517 | | * If we got this far, we can read the Personal Data file and glean |
518 | | * the user's full name. Thus we can use it to put together a |
519 | | * user-friendlier card name. |
520 | | */ |
521 | 197 | memset(&dinfo, 0, sizeof(dinfo)); |
522 | 197 | strlcpy(dinfo.app_label, "EF_DatiPersonali", sizeof(dinfo.app_label)); |
523 | | |
524 | | /* Find EF_DatiPersonali */ |
525 | | |
526 | 197 | rv = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_DATA_OBJECT, |
527 | 197 | objs, 32); |
528 | 197 | if(rv < 0) { |
529 | 0 | sc_log(p15card->card->ctx, |
530 | 0 | "Data enumeration failed"); |
531 | 0 | return SC_SUCCESS; |
532 | 0 | } |
533 | | |
534 | 596 | for(i=0; i<32; i++) { |
535 | 596 | cinfo = (struct sc_pkcs15_data_info *) objs[i]->data; |
536 | 596 | if(!strcmp("EF_DatiPersonali", objs[i]->label)) |
537 | 197 | break; |
538 | 596 | } |
539 | | |
540 | 197 | if(i>=32) { |
541 | 0 | sc_log(p15card->card->ctx, |
542 | 0 | "Could not find EF_DatiPersonali: " |
543 | 0 | "keeping generic card name"); |
544 | 0 | return SC_SUCCESS; |
545 | 0 | } |
546 | | |
547 | 197 | private_obj = objs[i]->flags & SC_PKCS15_CO_FLAG_PRIVATE; |
548 | 197 | rv = sc_pkcs15_read_data_object(p15card, cinfo, private_obj, &p15_personaldata); |
549 | 197 | if (rv) { |
550 | 38 | sc_log(p15card->card->ctx, |
551 | 38 | "Could not read EF_DatiPersonali: " |
552 | 38 | "keeping generic card name"); |
553 | 38 | return SC_SUCCESS; |
554 | 38 | } |
555 | | |
556 | 159 | if (p15_personaldata->data) { |
557 | 156 | char fullname[160]; |
558 | 156 | if (get_name_from_EF_DatiPersonali(p15_personaldata->data, |
559 | 156 | p15_personaldata->data_len, fullname, sizeof(fullname))) { |
560 | 155 | sc_log(p15card->card->ctx, |
561 | 155 | "Could not parse EF_DatiPersonali: " |
562 | 155 | "keeping generic card name"); |
563 | 155 | sc_pkcs15_free_data_object(p15_personaldata); |
564 | 155 | free(cinfo->data.value); |
565 | 155 | cinfo->data.value = NULL; |
566 | 155 | return SC_SUCCESS; |
567 | 155 | } |
568 | 1 | set_string(&p15card->tokeninfo->label, fullname); |
569 | 1 | } |
570 | 4 | free(cinfo->data.value); |
571 | 4 | cinfo->data.value = NULL; |
572 | 4 | sc_pkcs15_free_data_object(p15_personaldata); |
573 | 4 | return SC_SUCCESS; |
574 | 159 | } |
575 | | |
576 | | static int itacns_add_keyset(sc_pkcs15_card_t *p15card, |
577 | | const char *label, int sec_env, sc_pkcs15_id_t *cert_id, |
578 | | const char *pubkey_path, const char *prkey_path, |
579 | | unsigned int pubkey_usage_flags, unsigned int prkey_usage_flags, |
580 | | u8 pin_ref, size_t modulus_len) |
581 | 0 | { |
582 | 0 | int r; |
583 | 0 | sc_path_t path; |
584 | 0 | sc_path_t *private_path = NULL; |
585 | 0 | char pinlabel[16]; |
586 | 0 | int fake_puk_authid, pin_flags; |
587 | | |
588 | | |
589 | | /* Public key; not really needed */ |
590 | | /* FIXME: set usage according to the certificate. */ |
591 | 0 | if (pubkey_path) { |
592 | 0 | sc_format_path(pubkey_path, &path); |
593 | 0 | r = itacns_add_pubkey(p15card, &path, cert_id, label, |
594 | 0 | pubkey_usage_flags, sec_env, 0, modulus_len); |
595 | 0 | LOG_TEST_RET(p15card->card->ctx, r, |
596 | 0 | "Could not add public key"); |
597 | 0 | } |
598 | | |
599 | | /* |
600 | | * FIXME: usage should be inferred from the X.509 certificate, and not |
601 | | * from whether the key needs Secure Messaging. |
602 | | */ |
603 | 0 | if (prkey_path) { |
604 | 0 | sc_format_path(prkey_path, &path); |
605 | 0 | private_path = &path; |
606 | 0 | } |
607 | 0 | r = itacns_add_prkey(p15card, cert_id, label, SC_PKCS15_TYPE_PRKEY_RSA, |
608 | 0 | modulus_len, |
609 | 0 | prkey_usage_flags, |
610 | 0 | private_path, sec_env, cert_id, SC_PKCS15_CO_FLAG_PRIVATE); |
611 | 0 | LOG_TEST_RET(p15card->card->ctx, r, |
612 | 0 | "Could not add private key"); |
613 | | |
614 | | /* PIN and PUK */ |
615 | 0 | strlcpy(pinlabel, "PIN ", sizeof(pinlabel)); |
616 | 0 | strlcat(pinlabel, label, sizeof(pinlabel)); |
617 | | |
618 | | /* We are making up ID 0x90+ to link the PIN and the PUK. */ |
619 | 0 | fake_puk_authid = 0x90 + pin_ref; |
620 | 0 | pin_flags = SC_PKCS15_PIN_FLAG_CASE_SENSITIVE |
621 | 0 | | SC_PKCS15_PIN_FLAG_INITIALIZED; |
622 | 0 | r = itacns_add_pin(p15card, pinlabel, sec_env, fake_puk_authid, pin_ref, |
623 | 0 | private_path, pin_flags); |
624 | 0 | LOG_TEST_RET(p15card->card->ctx, r, |
625 | 0 | "Could not add PIN"); |
626 | | |
627 | 0 | strlcpy(pinlabel, "PUK ", sizeof(pinlabel)); |
628 | 0 | strlcat(pinlabel, label, sizeof(pinlabel)); |
629 | | /* |
630 | | * Looking at pkcs15-tcos.c and pkcs15-framework.c, it seems that the |
631 | | * right thing to do here is to define a PUK as a SO PIN. Can anybody |
632 | | * comment on this? |
633 | | */ |
634 | 0 | pin_flags |= SC_PKCS15_PIN_FLAG_UNBLOCKING_PIN |
635 | 0 | | SC_PKCS15_PIN_FLAG_UNBLOCK_DISABLED; |
636 | 0 | r = itacns_add_pin(p15card, pinlabel, fake_puk_authid, 0, pin_ref+1, |
637 | 0 | private_path, pin_flags); |
638 | 0 | LOG_TEST_RET(p15card->card->ctx, r, |
639 | 0 | "Could not add PUK"); |
640 | | |
641 | 0 | return 0; |
642 | 0 | } |
643 | | |
644 | | /* |
645 | | * itacns_check_and_add_keyset() checks for the existence and correctness |
646 | | * of an X.509 certificate. If it is all right, it adds the related keys; |
647 | | * otherwise it aborts. |
648 | | */ |
649 | | |
650 | | static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card, |
651 | | const char *label, int sec_env, size_t cert_offset, |
652 | | const char *cert_path, const char *pubkey_path, const char *prkey_path, |
653 | | u8 pin_ref, int *found_certificates) |
654 | 427 | { |
655 | 427 | int r; |
656 | 427 | sc_path_t path; |
657 | 427 | sc_pkcs15_id_t cert_id; |
658 | 427 | int ext_info_ok; |
659 | 427 | int ku = 0, xku = 0; |
660 | 427 | size_t modulus_len = 0; |
661 | 427 | int pubkey_usage_flags = 0, prkey_usage_flags = 0; |
662 | | |
663 | 427 | cert_id.len = 1; |
664 | 427 | cert_id.value[0] = sec_env; |
665 | 427 | *found_certificates = 0; |
666 | | |
667 | | /* Certificate */ |
668 | 427 | if (!cert_path) { |
669 | 0 | sc_log(p15card->card->ctx, |
670 | 0 | "We cannot use keys without a matching certificate"); |
671 | 0 | return SC_ERROR_NOT_SUPPORTED; |
672 | 0 | } |
673 | | |
674 | 427 | sc_format_path(cert_path, &path); |
675 | 427 | r = sc_select_file(p15card->card, &path, NULL); |
676 | 427 | if (r == SC_ERROR_FILE_NOT_FOUND) |
677 | 25 | return 0; |
678 | 402 | if (r != SC_SUCCESS) { |
679 | 128 | sc_log(p15card->card->ctx, |
680 | 128 | "Could not find certificate for %s", label); |
681 | 128 | return r; |
682 | 128 | } |
683 | | |
684 | | /* |
685 | | * Infocamere 1204 (and others?) store a more complex structure. We |
686 | | * are going to read the first bytes to guess its length, and invoke |
687 | | * itacns_add_cert so that it only reads the certificate. |
688 | | */ |
689 | 274 | if (cert_offset) { |
690 | 108 | u8 certlen[3]; |
691 | 108 | memset(certlen, 0, sizeof certlen); |
692 | 108 | r = loadFile(p15card, &path, certlen, sizeof(certlen)); |
693 | 108 | LOG_TEST_RET(p15card->card->ctx, r, |
694 | 104 | "Could not read certificate file"); |
695 | 104 | if (r < 3) |
696 | 5 | return SC_ERROR_INVALID_DATA; |
697 | 99 | path.index = (int)cert_offset; |
698 | 99 | path.count = (certlen[1] << 8) + certlen[2]; |
699 | | /* If those bytes are 00, then we are probably dealing with an |
700 | | * empty file. */ |
701 | 99 | if (path.count == 0) |
702 | 2 | return 0; |
703 | 99 | } |
704 | | |
705 | 263 | r = itacns_add_cert(p15card, SC_PKCS15_TYPE_CERT_X509, 0, |
706 | 263 | &path, &cert_id, label, 0, &ext_info_ok, &ku, &xku, &modulus_len); |
707 | 263 | if (r == SC_ERROR_INVALID_ASN1_OBJECT) |
708 | 210 | return 0; |
709 | 53 | LOG_TEST_RET(p15card->card->ctx, r, |
710 | 0 | "Could not add certificate"); |
711 | 0 | (*found_certificates)++; |
712 | | |
713 | | /* Set usage flags */ |
714 | 0 | if(ext_info_ok) { |
715 | 0 | #ifdef ENABLE_OPENSSL |
716 | 0 | if (ku & KU_DIGITAL_SIGNATURE) { |
717 | 0 | pubkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_VERIFY; |
718 | 0 | prkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_SIGN; |
719 | 0 | } |
720 | 0 | if (ku & KU_NON_REPUDIATION) { |
721 | 0 | pubkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_VERIFY; |
722 | 0 | prkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION; |
723 | 0 | } |
724 | 0 | if (ku & KU_KEY_ENCIPHERMENT || ku & KU_KEY_AGREEMENT |
725 | 0 | || xku & XKU_SSL_CLIENT) { |
726 | 0 | pubkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_WRAP; |
727 | 0 | prkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_UNWRAP; |
728 | 0 | } |
729 | 0 | if (ku & KU_DATA_ENCIPHERMENT || xku & XKU_SMIME) { |
730 | 0 | pubkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_ENCRYPT; |
731 | 0 | prkey_usage_flags |= SC_PKCS15_PRKEY_USAGE_DECRYPT; |
732 | 0 | } |
733 | | #else /* ENABLE_OPENSSL */ |
734 | | sc_log(p15card->card->ctx, |
735 | | "Extended certificate info retrieved without OpenSSL. " |
736 | | "How is this possible?"); |
737 | | return SC_ERROR_INTERNAL; |
738 | | #endif /* ENABLE_OPENSSL */ |
739 | 0 | } else { |
740 | | /* Certificate info not retrieved; fall back onto defaults */ |
741 | 0 | pubkey_usage_flags = |
742 | 0 | SC_PKCS15_PRKEY_USAGE_VERIFY |
743 | 0 | | SC_PKCS15_PRKEY_USAGE_WRAP; |
744 | 0 | prkey_usage_flags = |
745 | 0 | SC_PKCS15_PRKEY_USAGE_SIGN |
746 | 0 | | SC_PKCS15_PRKEY_USAGE_UNWRAP; |
747 | 0 | } |
748 | |
|
749 | 0 | r = itacns_add_keyset(p15card, label, sec_env, &cert_id, |
750 | 0 | pubkey_path, prkey_path, pubkey_usage_flags, prkey_usage_flags, |
751 | 0 | pin_ref, modulus_len); |
752 | 0 | LOG_TEST_RET(p15card->card->ctx, r, |
753 | 0 | "Could not add keys for this certificate"); |
754 | | |
755 | 0 | return r; |
756 | 0 | } |
757 | | |
758 | | /* Initialization. */ |
759 | | |
760 | | static int itacns_init(sc_pkcs15_card_t *p15card) |
761 | 282 | { |
762 | 282 | int r; |
763 | 282 | sc_path_t path; |
764 | 282 | int certificate_count = 0; |
765 | 282 | int found_certs; |
766 | 282 | int card_is_cie_v1, cns0_secenv; |
767 | | |
768 | 282 | SC_FUNC_CALLED(p15card->card->ctx, SC_LOG_DEBUG_NORMAL); |
769 | | |
770 | 282 | set_string(&p15card->tokeninfo->label, p15card->card->name); |
771 | 282 | if(p15card->card->drv_data) { |
772 | 282 | unsigned int mask_code, ic_code; |
773 | 282 | char buffer[256]; |
774 | 282 | itacns_drv_data_t *data = |
775 | 282 | (itacns_drv_data_t*) p15card->card->drv_data; |
776 | 282 | mask_code = data->mask_manufacturer_code; |
777 | 282 | if (mask_code >= sizeof(itacns_mask_manufacturers) |
778 | 282 | /sizeof(itacns_mask_manufacturers[0])) |
779 | 95 | mask_code = 0; |
780 | 282 | ic_code = data->ic_manufacturer_code; |
781 | 282 | if (ic_code >= sizeof(iso7816_ic_manufacturers) |
782 | 282 | /sizeof(iso7816_ic_manufacturers[0])) |
783 | 257 | ic_code = 0; |
784 | 282 | snprintf(buffer, sizeof(buffer), "IC: %s; mask: %s", |
785 | 282 | iso7816_ic_manufacturers[ic_code], |
786 | 282 | itacns_mask_manufacturers[mask_code]); |
787 | 282 | set_string(&p15card->tokeninfo->manufacturer_id, buffer); |
788 | 282 | } |
789 | | |
790 | | /* Read and set serial */ |
791 | 282 | { |
792 | 282 | u8 serial[17]; |
793 | 282 | int bytes; |
794 | 282 | sc_format_path(path_serial, &path); |
795 | 282 | bytes = loadFile(p15card, &path, serial, 16); |
796 | 282 | if (bytes < 0) return bytes; |
797 | 197 | if (bytes > 16) return -1; |
798 | 197 | serial[bytes] = '\0'; |
799 | 197 | set_string(&p15card->tokeninfo->serial_number, (char*)serial); |
800 | 197 | } |
801 | | |
802 | | /* Is the card a CIE v1? */ |
803 | 0 | card_is_cie_v1 = |
804 | 197 | (p15card->card->type == SC_CARD_TYPE_ITACNS_CIE_V1) |
805 | 67 | || (p15card->card->type == SC_CARD_TYPE_CARDOS_CIE_V1); |
806 | 197 | cns0_secenv = (card_is_cie_v1 ? 0x31 : 0x01); |
807 | | |
808 | | /* If it's a Siemens CIE v1 card, set algo flags accordingly. */ |
809 | 197 | if (card_is_cie_v1) { |
810 | 130 | int i; |
811 | 260 | for (i = 0; i < p15card->card->algorithm_count; i++) { |
812 | 130 | sc_algorithm_info_t *info = |
813 | 130 | &p15card->card->algorithms[i]; |
814 | | |
815 | 130 | if (info->algorithm != SC_ALGORITHM_RSA) |
816 | 0 | continue; |
817 | 130 | info->flags &= ~(SC_ALGORITHM_RSA_RAW |
818 | 130 | | SC_ALGORITHM_RSA_HASH_NONE); |
819 | 130 | info->flags |= (SC_ALGORITHM_RSA_PAD_PKCS1 |
820 | 130 | | SC_ALGORITHM_RSA_HASHES); |
821 | 130 | } |
822 | 130 | } |
823 | | |
824 | | /* Data files */ |
825 | 197 | r = itacns_add_data_files(p15card); |
826 | 197 | LOG_TEST_GOTO_ERR(p15card->card->ctx, r, |
827 | 197 | "Could not add data files"); |
828 | | |
829 | | /*** Certificate and keys. ***/ |
830 | | /* Standard CNS */ |
831 | 197 | r = itacns_check_and_add_keyset(p15card, "CNS0", cns0_secenv, |
832 | 197 | 0, "3F0011001101", "3F003F01", NULL, |
833 | 197 | 0x10, &found_certs); |
834 | 197 | LOG_TEST_GOTO_ERR(p15card->card->ctx, r, |
835 | 131 | "Could not add CNS0"); |
836 | 131 | certificate_count += found_certs; |
837 | | |
838 | | /* Infocamere 1204 */ |
839 | 131 | r = itacns_check_and_add_keyset(p15card, "CNS01", 0x21, |
840 | 131 | 5, "3F002FFF8228", NULL, "3F002FFF0000", |
841 | 131 | 0x10, &found_certs); |
842 | 131 | LOG_TEST_GOTO_ERR(p15card->card->ctx, r, |
843 | 78 | "Could not add CNS01"); |
844 | 78 | certificate_count += found_certs; |
845 | | |
846 | | /* Digital signature */ |
847 | 78 | r = itacns_check_and_add_keyset(p15card, "CNS1", 0x10, |
848 | 78 | 0, "3F0014009010", "3F00140081108010", "3F0014008110", |
849 | 78 | 0x1a, &found_certs); |
850 | 78 | LOG_TEST_GOTO_ERR(p15card->card->ctx, r, |
851 | 21 | "Could not add CNS1"); |
852 | 21 | certificate_count += found_certs; |
853 | | |
854 | | /* Idemia card */ |
855 | 21 | r = itacns_check_and_add_keyset(p15card, "CNS1", 0x02, |
856 | 21 | 0, "3F00140090012002", "3F0011001102", "3F0014009002", |
857 | 21 | 0x10, &found_certs); |
858 | 21 | LOG_TEST_RET(p15card->card->ctx, r, |
859 | 7 | "Could not add CNS1"); |
860 | 7 | certificate_count += found_certs; |
861 | | |
862 | | /* Did we find anything? */ |
863 | 7 | if (certificate_count == 0) |
864 | 7 | sc_debug(p15card->card->ctx, SC_LOG_DEBUG_NORMAL, |
865 | 7 | "Warning: no certificates found!"); |
866 | | |
867 | | /* Back to Master File */ |
868 | 7 | sc_format_path("3F00", &path); |
869 | 7 | r = sc_select_file(p15card->card, &path, NULL); |
870 | 7 | LOG_TEST_GOTO_ERR(p15card->card->ctx, r, |
871 | 2 | "Could not select master file again"); |
872 | | |
873 | 2 | LOG_FUNC_RETURN(p15card->card->ctx, r); |
874 | | |
875 | 181 | err: |
876 | 181 | sc_pkcs15_card_clear(p15card); |
877 | 181 | LOG_FUNC_RETURN(p15card->card->ctx, r); |
878 | 181 | } |
879 | | |
880 | | int sc_pkcs15emu_itacns_init_ex(sc_pkcs15_card_t *p15card, struct sc_aid *aid) |
881 | 9.97k | { |
882 | 9.97k | sc_card_t *card = p15card->card; |
883 | 9.97k | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL); |
884 | | |
885 | | /* Check card */ |
886 | 9.97k | if (! ( |
887 | 9.97k | (card->type > SC_CARD_TYPE_ITACNS_BASE && |
888 | 3.74k | card->type < SC_CARD_TYPE_ITACNS_BASE + 1000) |
889 | 9.68k | || card->type == SC_CARD_TYPE_CARDOS_CIE_V1) |
890 | 9.97k | ) |
891 | 9.68k | return SC_ERROR_WRONG_CARD; |
892 | | |
893 | | /* Init card */ |
894 | 282 | return itacns_init(p15card); |
895 | 9.97k | } |