/src/opensc/src/libopensc/pkcs15-esteid2025.c

Source
/*
 * PKCS15 emulation layer for EstEID card issued from December 2025.
 *
 * Copyright (C) 2025, Raul Metsma <raul@metsma.ee>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#include "common/compat_strlcpy.h"

#include "internal.h"
#include "opensc.h"
#include "pkcs15.h"

static int
is_fin_eid(sc_pkcs15_card_t *p15card)
{
  return p15card->card->type == SC_CARD_TYPE_FINEID_2022 ||
         p15card->card->type == SC_CARD_TYPE_FINEID_2025;
}

static int
sc_pkcs15emu_esteid2025_init(sc_pkcs15_card_t *p15card)
{
  sc_card_t *card = p15card->card;
  int r, i;
  size_t field_length = 0;
  sc_path_t tmppath;
  static const u8 prkey_id[2] = {0x01, 0x02};
  static const u8 pin_authid[3] = {1, 2, 3};

  if (is_fin_eid(p15card)) {
    u8 buf[SC_MAX_APDU_BUFFER_SIZE];
    const u8 *tag;
    size_t taglen;

    sc_format_path("5032", &tmppath);
    r = sc_select_file(card, &tmppath, NULL);
    LOG_TEST_RET(card->ctx, r, "Selecting CIA path failed");

    r = sc_read_binary(p15card->card, 4, buf, sizeof(buf), 0);
    LOG_TEST_RET(card->ctx, r, "Reading tokeninfo file failed");

    tag = sc_asn1_find_tag(card->ctx, buf, r, 0x04, &taglen);
    if (tag == NULL)
      LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_CARD, "Finding document number tag failed");

    for (size_t j = 0; j < taglen; j++) {
      if (!isalnum(tag[j]))
        LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_CARD, "Invalid character in document number");
    }

    free(p15card->tokeninfo->serial_number);
    p15card->tokeninfo->serial_number = malloc(taglen + 1);
    if (p15card->tokeninfo->serial_number == NULL)
      LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
    p15card->tokeninfo->serial_number = memcpy(p15card->tokeninfo->serial_number, tag, taglen);
    p15card->tokeninfo->serial_number[taglen] = '\0';
  } else {
    u8 *buf;
    size_t buflen = 9;

    /* Read document number to be used as serial */
    sc_format_path("DFDD5007", &tmppath);
    r = sc_select_file(card, &tmppath, NULL);
    LOG_TEST_RET(card->ctx, r, "Selecting document number file failed");

    buf = malloc(buflen + 1);
    if (!buf)
      LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
    r = sc_read_binary(card, 0, buf, buflen, 0);
    if (r < 0) {
      free(buf);
      LOG_TEST_GOTO_ERR(card->ctx, r, "Reading document number failed");
    }

    for (int j = 0; j < r; j++) {
      if (!isalnum(buf[j])) {
        free(buf);
        LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_CARD, "Invalid character in document number");
      }
    }
    buf[r] = '\0';

    free(p15card->tokeninfo->serial_number);
    p15card->tokeninfo->serial_number = (char *)buf;
  }

  set_string(&p15card->tokeninfo->label, "ID-kaart");
  set_string(&p15card->tokeninfo->manufacturer_id, "Thales");
  p15card->tokeninfo->flags = SC_PKCS15_TOKEN_READONLY;

  /* add certificates */
  for (i = 0; i < 2; i++) {
    static const char *cert_names[2] = {"Isikutuvastus", "Allkirjastamine"};
    static const char *cert_paths[2][2] = {
        {"ADF1:3411", "ADF2:3421"},
        {"4331",   "5016:4332"},
    };

    struct sc_pkcs15_cert_info cert_info = {
        .id = {.len = 1, .value[0] = prkey_id[i]}
     };
    struct sc_pkcs15_object cert_obj = {0};

    strlcpy(cert_obj.label, cert_names[i], sizeof(cert_obj.label));
    sc_format_path(cert_paths[is_fin_eid(p15card)][i], &cert_info.path);
    r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
    LOG_TEST_GOTO_ERR(card->ctx, r, "Could not add cert object");

    if (i != 0)
      continue;

    sc_pkcs15_cert_t *cert = NULL;
    r = sc_pkcs15_read_certificate(p15card, &cert_info, 0, &cert);
    LOG_TEST_GOTO_ERR(card->ctx, r, "Could not read authentication certificate");

    if (cert->key->algorithm == SC_ALGORITHM_EC)
      field_length = cert->key->u.ec.params.field_length;

    static const struct sc_object_id cn_oid = {
        {2, 5, 4, 3, -1}
    };
    u8 *cn_name = NULL;
    size_t cn_len = 0;
    r = sc_pkcs15_get_name_from_dn(card->ctx, cert->subject, cert->subject_len, &cn_oid, &cn_name, &cn_len);
    sc_pkcs15_free_certificate(cert);
    LOG_TEST_GOTO_ERR(card->ctx, r, "Could not read authentication certificate");
    if (cn_len > 0) {
      char *token_name = (char *)realloc(cn_name, cn_len + 1);
      if (token_name) {
        token_name[cn_len] = '\0';
        free(p15card->tokeninfo->label);
        p15card->tokeninfo->label = token_name;
      } else
        free(cn_name);
    }
  }

  /* add pins */
  for (i = 0; i < 3; i++) {
    static const char *pin_names[3] = {"PIN1", "PIN2", "PUK"};
    static const size_t pin_min[2][3] = {
        {4, 5, 8},
        {4, 6, 8},
    };
    static const int pin_ref[2][3] = {
        {0x81, 0x82, 0x83},
        {0x11, 0x82, 0x83},
    };

    static const unsigned int pin_flags[2][3] = {
        {SC_PKCS15_PIN_FLAG_NEEDS_PADDING | SC_PKCS15_PIN_TYPE_FLAGS_PIN_LOCAL,
          SC_PKCS15_PIN_FLAG_NEEDS_PADDING | SC_PKCS15_PIN_TYPE_FLAGS_PIN_LOCAL,
          SC_PKCS15_PIN_FLAG_NEEDS_PADDING | SC_PKCS15_PIN_TYPE_FLAGS_PUK_LOCAL},
        {SC_PKCS15_PIN_FLAG_NEEDS_PADDING | SC_PKCS15_PIN_TYPE_FLAGS_PIN_GLOBAL,
          SC_PKCS15_PIN_FLAG_NEEDS_PADDING | SC_PKCS15_PIN_TYPE_FLAGS_PIN_LOCAL,
          SC_PKCS15_PIN_FLAG_NEEDS_PADDING | SC_PKCS15_PIN_TYPE_FLAGS_PUK_LOCAL},
    };

    struct sc_pkcs15_auth_info pin_info = {
        .auth_id = {.len = 1, .value[0] = pin_authid[i]},
        .auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN,
        .attrs = {
            .pin = {
                .reference = pin_ref[is_fin_eid(p15card)][i],
                .flags = pin_flags[is_fin_eid(p15card)][i],
                .type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
                .min_length = pin_min[is_fin_eid(p15card)][i],
                .stored_length = 12,
                .max_length = 12,
                .pad_char = 0x00}},
        .tries_left = 3,
        .max_tries = 3
          };
    struct sc_pkcs15_object pin_obj = {.flags = pin_flags[is_fin_eid(p15card)][i]};

    strlcpy(pin_obj.label, pin_names[i], sizeof(pin_obj.label));

    /* Link normal PINs with PUK */
    if (i < 2) {
      pin_obj.auth_id.len = 1;
      pin_obj.auth_id.value[0] = 3;
    }

    r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);
    LOG_TEST_GOTO_ERR(card->ctx, r, "Could not add pin object");
  }

  // trigger PIN counter refresh via pin_cmd
  struct sc_pkcs15_object *objs[3];
  r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH, objs, 3);
  if (r != 3) {
    sc_log(card->ctx, "Can not get auth objects");
    goto err;
  }
  for (i = 0; i < r; i++) {
    r = sc_pkcs15_get_pin_info(p15card, objs[i]);
    LOG_TEST_GOTO_ERR(card->ctx, r, "Could not get pin object");
  }

  /* add private keys */
  for (i = 0; i < 2; i++) {
    static const u8 prkey_ref[2][2] = {
        {0x01, 0x05},
        {0x01, 0x02},
    };
    static const char *prkey_name[2] = {"Isikutuvastus", "Allkirjastamine"};
    static const unsigned int prkey_usage[2] = {SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_DERIVE,
        SC_PKCS15_PRKEY_USAGE_NONREPUDIATION};
    static const int prkey_consent[2] = {0, 1};

    struct sc_pkcs15_prkey_info prkey_info = {
        .id = {.len = 1, .value[0] = prkey_id[i]},
        .native = 1,
        .key_reference = prkey_ref[is_fin_eid(p15card)][i],
        .field_length = field_length,
        .usage = prkey_usage[i]
           };
    struct sc_pkcs15_object prkey_obj = {
        .auth_id = {.len = 1, .value[0] = pin_authid[i]},
        .user_consent = prkey_consent[i],
        .flags = SC_PKCS15_CO_FLAG_PRIVATE
      };

    strlcpy(prkey_obj.label, prkey_name[i], sizeof(prkey_obj.label));

    r = sc_pkcs15emu_add_ec_prkey(p15card, &prkey_obj, &prkey_info);
    LOG_TEST_GOTO_ERR(card->ctx, r, "Could not add private key object");
  }

  return SC_SUCCESS;
err:
  sc_pkcs15_card_clear(p15card);
  LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
}

int
sc_pkcs15emu_esteid2025_init_ex(sc_pkcs15_card_t *p15card, struct sc_aid *aid)
{
  if (p15card->card->type == SC_CARD_TYPE_ESTEID_2025 || is_fin_eid(p15card))
    return sc_pkcs15emu_esteid2025_init(p15card);
  return SC_ERROR_WRONG_CARD;
}

Coverage Report

Created: 2026-01-10 06:04

Line	Count	Source
1		/*
2		* PKCS15 emulation layer for EstEID card issued from December 2025.
3		*
4		* Copyright (C) 2025, Raul Metsma <raul@metsma.ee>
5		*
6		* This library is free software; you can redistribute it and/or
7		* modify it under the terms of the GNU Lesser General Public
8		* License as published by the Free Software Foundation; either
9		* version 2.1 of the License, or (at your option) any later version.
10		*
11		* This library is distributed in the hope that it will be useful,
12		* but WITHOUT ANY WARRANTY; without even the implied warranty of
13		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14		* Lesser General Public License for more details.
15		*
16		* You should have received a copy of the GNU Lesser General Public
17		* License along with this library; if not, write to the Free Software
18		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
19		*/
20
21		#ifdef HAVE_CONFIG_H
22		#include "config.h"
23		#endif
24
25		#include <ctype.h>
26		#include <stdlib.h>
27		#include <string.h>
28
29		#include "common/compat_strlcpy.h"
30
31		#include "internal.h"
32		#include "opensc.h"
33		#include "pkcs15.h"
34
35		static int
36		is_fin_eid(sc_pkcs15_card_t *p15card)
37	7.41k	{
38	7.41k	return p15card->card->type == SC_CARD_TYPE_FINEID_2022 \|\|
39	7.41k	p15card->card->type == SC_CARD_TYPE_FINEID_2025;
40	7.41k	}
41
42		static int
43		sc_pkcs15emu_esteid2025_init(sc_pkcs15_card_t *p15card)
44	0	{
45	0	sc_card_t *card = p15card->card;
46	0	int r, i;
47	0	size_t field_length = 0;
48	0	sc_path_t tmppath;
49	0	static const u8 prkey_id[2] = {0x01, 0x02};
50	0	static const u8 pin_authid[3] = {1, 2, 3};
51
52	0	if (is_fin_eid(p15card)) {
53	0	u8 buf[SC_MAX_APDU_BUFFER_SIZE];
54	0	const u8 *tag;
55	0	size_t taglen;
56
57	0	sc_format_path("5032", &tmppath);
58	0	r = sc_select_file(card, &tmppath, NULL);
59	0	LOG_TEST_RET(card->ctx, r, "Selecting CIA path failed");
60
61	0	r = sc_read_binary(p15card->card, 4, buf, sizeof(buf), 0);
62	0	LOG_TEST_RET(card->ctx, r, "Reading tokeninfo file failed");
63
64	0	tag = sc_asn1_find_tag(card->ctx, buf, r, 0x04, &taglen);
65	0	if (tag == NULL)
66	0	LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_CARD, "Finding document number tag failed");
67
68	0	for (size_t j = 0; j < taglen; j++) {
69	0	if (!isalnum(tag[j]))
70	0	LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_CARD, "Invalid character in document number");
71	0	}
72
73	0	free(p15card->tokeninfo->serial_number);
74	0	p15card->tokeninfo->serial_number = malloc(taglen + 1);
75	0	if (p15card->tokeninfo->serial_number == NULL)
76	0	LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
77	0	p15card->tokeninfo->serial_number = memcpy(p15card->tokeninfo->serial_number, tag, taglen);
78	0	p15card->tokeninfo->serial_number[taglen] = '\0';
79	0	} else {
80	0	u8 *buf;
81	0	size_t buflen = 9;
82
83		/* Read document number to be used as serial */
84	0	sc_format_path("DFDD5007", &tmppath);
85	0	r = sc_select_file(card, &tmppath, NULL);
86	0	LOG_TEST_RET(card->ctx, r, "Selecting document number file failed");
87
88	0	buf = malloc(buflen + 1);
89	0	if (!buf)
90	0	LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
91	0	r = sc_read_binary(card, 0, buf, buflen, 0);
92	0	if (r < 0) {
93	0	free(buf);
94	0	LOG_TEST_GOTO_ERR(card->ctx, r, "Reading document number failed");
95	0	}
96
97	0	for (int j = 0; j < r; j++) {
98	0	if (!isalnum(buf[j])) {
99	0	free(buf);
100	0	LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_CARD, "Invalid character in document number");
101	0	}
102	0	}
103	0	buf[r] = '\0';
104
105	0	free(p15card->tokeninfo->serial_number);
106	0	p15card->tokeninfo->serial_number = (char *)buf;
107	0	}
108
109	0	set_string(&p15card->tokeninfo->label, "ID-kaart");
110	0	set_string(&p15card->tokeninfo->manufacturer_id, "Thales");
111	0	p15card->tokeninfo->flags = SC_PKCS15_TOKEN_READONLY;
112
113		/* add certificates */
114	0	for (i = 0; i < 2; i++) {
115	0	static const char *cert_names[2] = {"Isikutuvastus", "Allkirjastamine"};
116	0	static const char *cert_paths[2][2] = {
117	0	{"ADF1:3411", "ADF2:3421"},
118	0	{"4331", "5016:4332"},
119	0	};
120
121	0	struct sc_pkcs15_cert_info cert_info = {
122	0	.id = {.len = 1, .value[0] = prkey_id[i]}
123	0	};
124	0	struct sc_pkcs15_object cert_obj = {0};
125
126	0	strlcpy(cert_obj.label, cert_names[i], sizeof(cert_obj.label));
127	0	sc_format_path(cert_paths[is_fin_eid(p15card)][i], &cert_info.path);
128	0	r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
129	0	LOG_TEST_GOTO_ERR(card->ctx, r, "Could not add cert object");
130
131	0	if (i != 0)
132	0	continue;
133
134	0	sc_pkcs15_cert_t *cert = NULL;
135	0	r = sc_pkcs15_read_certificate(p15card, &cert_info, 0, &cert);
136	0	LOG_TEST_GOTO_ERR(card->ctx, r, "Could not read authentication certificate");
137
138	0	if (cert->key->algorithm == SC_ALGORITHM_EC)
139	0	field_length = cert->key->u.ec.params.field_length;
140
141	0	static const struct sc_object_id cn_oid = {
142	0	{2, 5, 4, 3, -1}
143	0	};
144	0	u8 *cn_name = NULL;
145	0	size_t cn_len = 0;
146	0	r = sc_pkcs15_get_name_from_dn(card->ctx, cert->subject, cert->subject_len, &cn_oid, &cn_name, &cn_len);
147	0	sc_pkcs15_free_certificate(cert);
148	0	LOG_TEST_GOTO_ERR(card->ctx, r, "Could not read authentication certificate");
149	0	if (cn_len > 0) {
150	0	char token_name = (char )realloc(cn_name, cn_len + 1);
151	0	if (token_name) {
152	0	token_name[cn_len] = '\0';
153	0	free(p15card->tokeninfo->label);
154	0	p15card->tokeninfo->label = token_name;
155	0	} else
156	0	free(cn_name);
157	0	}
158	0	}
159
160		/* add pins */
161	0	for (i = 0; i < 3; i++) {
162	0	static const char *pin_names[3] = {"PIN1", "PIN2", "PUK"};
163	0	static const size_t pin_min[2][3] = {
164	0	{4, 5, 8},
165	0	{4, 6, 8},
166	0	};
167	0	static const int pin_ref[2][3] = {
168	0	{0x81, 0x82, 0x83},
169	0	{0x11, 0x82, 0x83},
170	0	};
171
172	0	static const unsigned int pin_flags[2][3] = {
173	0	{SC_PKCS15_PIN_FLAG_NEEDS_PADDING \| SC_PKCS15_PIN_TYPE_FLAGS_PIN_LOCAL,
174	0	SC_PKCS15_PIN_FLAG_NEEDS_PADDING \| SC_PKCS15_PIN_TYPE_FLAGS_PIN_LOCAL,
175	0	SC_PKCS15_PIN_FLAG_NEEDS_PADDING \| SC_PKCS15_PIN_TYPE_FLAGS_PUK_LOCAL},
176	0	{SC_PKCS15_PIN_FLAG_NEEDS_PADDING \| SC_PKCS15_PIN_TYPE_FLAGS_PIN_GLOBAL,
177	0	SC_PKCS15_PIN_FLAG_NEEDS_PADDING \| SC_PKCS15_PIN_TYPE_FLAGS_PIN_LOCAL,
178	0	SC_PKCS15_PIN_FLAG_NEEDS_PADDING \| SC_PKCS15_PIN_TYPE_FLAGS_PUK_LOCAL},
179	0	};
180
181	0	struct sc_pkcs15_auth_info pin_info = {
182	0	.auth_id = {.len = 1, .value[0] = pin_authid[i]},
183	0	.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN,
184	0	.attrs = {
185	0	.pin = {
186	0	.reference = pin_ref[is_fin_eid(p15card)][i],
187	0	.flags = pin_flags[is_fin_eid(p15card)][i],
188	0	.type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
189	0	.min_length = pin_min[is_fin_eid(p15card)][i],
190	0	.stored_length = 12,
191	0	.max_length = 12,
192	0	.pad_char = 0x00}},
193	0	.tries_left = 3,
194	0	.max_tries = 3
195	0	};
196	0	struct sc_pkcs15_object pin_obj = {.flags = pin_flags[is_fin_eid(p15card)][i]};
197
198	0	strlcpy(pin_obj.label, pin_names[i], sizeof(pin_obj.label));
199
200		/* Link normal PINs with PUK */
201	0	if (i < 2) {
202	0	pin_obj.auth_id.len = 1;
203	0	pin_obj.auth_id.value[0] = 3;
204	0	}
205
206	0	r = sc_pkcs15emu_add_pin_obj(p15card, &pin_obj, &pin_info);
207	0	LOG_TEST_GOTO_ERR(card->ctx, r, "Could not add pin object");
208	0	}
209
210		// trigger PIN counter refresh via pin_cmd
211	0	struct sc_pkcs15_object *objs[3];
212	0	r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH, objs, 3);
213	0	if (r != 3) {
214	0	sc_log(card->ctx, "Can not get auth objects");
215	0	goto err;
216	0	}
217	0	for (i = 0; i < r; i++) {
218	0	r = sc_pkcs15_get_pin_info(p15card, objs[i]);
219	0	LOG_TEST_GOTO_ERR(card->ctx, r, "Could not get pin object");
220	0	}
221
222		/* add private keys */
223	0	for (i = 0; i < 2; i++) {
224	0	static const u8 prkey_ref[2][2] = {
225	0	{0x01, 0x05},
226	0	{0x01, 0x02},
227	0	};
228	0	static const char *prkey_name[2] = {"Isikutuvastus", "Allkirjastamine"};
229	0	static const unsigned int prkey_usage[2] = {SC_PKCS15_PRKEY_USAGE_SIGN \| SC_PKCS15_PRKEY_USAGE_DERIVE,
230	0	SC_PKCS15_PRKEY_USAGE_NONREPUDIATION};
231	0	static const int prkey_consent[2] = {0, 1};
232
233	0	struct sc_pkcs15_prkey_info prkey_info = {
234	0	.id = {.len = 1, .value[0] = prkey_id[i]},
235	0	.native = 1,
236	0	.key_reference = prkey_ref[is_fin_eid(p15card)][i],
237	0	.field_length = field_length,
238	0	.usage = prkey_usage[i]
239	0	};
240	0	struct sc_pkcs15_object prkey_obj = {
241	0	.auth_id = {.len = 1, .value[0] = pin_authid[i]},
242	0	.user_consent = prkey_consent[i],
243	0	.flags = SC_PKCS15_CO_FLAG_PRIVATE
244	0	};
245
246	0	strlcpy(prkey_obj.label, prkey_name[i], sizeof(prkey_obj.label));
247
248	0	r = sc_pkcs15emu_add_ec_prkey(p15card, &prkey_obj, &prkey_info);
249	0	LOG_TEST_GOTO_ERR(card->ctx, r, "Could not add private key object");
250	0	}
251
252	0	return SC_SUCCESS;
253	0	err:
254	0	sc_pkcs15_card_clear(p15card);
255	0	LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
256	0	}
257
258		int
259		sc_pkcs15emu_esteid2025_init_ex(sc_pkcs15_card_t p15card, struct sc_aid aid)
260	7.41k	{
261	7.41k	if (p15card->card->type == SC_CARD_TYPE_ESTEID_2025 \|\| is_fin_eid(p15card))
262	0	return sc_pkcs15emu_esteid2025_init(p15card);
263	7.41k	return SC_ERROR_WRONG_CARD;
264	7.41k	}