/src/opensc/src/libopensc/card-cac.c
Line | Count | Source |
1 | | /* |
2 | | * card-cac.c: Support for CAC from NIST SP800-73 |
3 | | * card-default.c: Support for cards with no driver |
4 | | * |
5 | | * Copyright (C) 2001, 2002 Juha Yrjölä <juha.yrjola@iki.fi> |
6 | | * Copyright (C) 2005,2006,2007,2008,2009,2010 Douglas E. Engert <deengert@anl.gov> |
7 | | * Copyright (C) 2006, Identity Alliance, Thomas Harning <thomas.harning@identityalliance.com> |
8 | | * Copyright (C) 2007, EMC, Russell Larner <rlarner@rsa.com> |
9 | | * Copyright (C) 2016 - 2018, Red Hat, Inc. |
10 | | * |
11 | | * CAC driver author: Robert Relyea <rrelyea@redhat.com> |
12 | | * Further work: Jakub Jelen <jjelen@redhat.com> |
13 | | * |
14 | | * This library is free software; you can redistribute it and/or |
15 | | * modify it under the terms of the GNU Lesser General Public |
16 | | * License as published by the Free Software Foundation; either |
17 | | * version 2.1 of the License, or (at your option) any later version. |
18 | | * |
19 | | * This library is distributed in the hope that it will be useful, |
20 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
22 | | * Lesser General Public License for more details. |
23 | | * |
24 | | * You should have received a copy of the GNU Lesser General Public |
25 | | * License along with this library; if not, write to the Free Software |
26 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
27 | | */ |
28 | | |
29 | | #ifdef HAVE_CONFIG_H |
30 | | #include "config.h" |
31 | | #endif |
32 | | |
33 | | #include <ctype.h> |
34 | | #include <fcntl.h> |
35 | | #include <limits.h> |
36 | | #include <stdlib.h> |
37 | | #include <string.h> |
38 | | |
39 | | #ifdef _WIN32 |
40 | | #include <io.h> |
41 | | #else |
42 | | #include <unistd.h> |
43 | | #endif |
44 | | |
45 | | #ifdef ENABLE_OPENSSL |
46 | | #include <openssl/sha.h> |
47 | | #endif /* ENABLE_OPENSSL */ |
48 | | |
49 | | #include "internal.h" |
50 | | #include "simpletlv.h" |
51 | | #include "cardctl.h" |
52 | | #include "iso7816.h" |
53 | | #include "card-cac-common.h" |
54 | | #include "pkcs15.h" |
55 | | |
56 | | /* |
57 | | * CAC hardware and APDU constants |
58 | | */ |
59 | 0 | #define CAC_MAX_CHUNK_SIZE 240 |
60 | 0 | #define CAC_INS_SIGN_DECRYPT 0x42 /* A crypto operation */ |
61 | 11.8k | #define CAC_INS_READ_FILE 0x52 /* read a TL or V file */ |
62 | 427 | #define CAC_INS_GET_ACR 0x4c |
63 | 608 | #define CAC_INS_GET_PROPERTIES 0x56 |
64 | 0 | #define CAC_P1_STEP 0x80 |
65 | 0 | #define CAC_P1_FINAL 0x00 |
66 | 2.05k | #define CAC_FILE_TAG 1 |
67 | 1.13k | #define CAC_FILE_VALUE 2 |
68 | | /* TAGS in a TL file */ |
69 | 1.41k | #define CAC_TAG_CERTIFICATE 0x70 |
70 | 1.41k | #define CAC_TAG_CERTINFO 0x71 |
71 | 1.41k | #define CAC_TAG_MSCUID 0x72 |
72 | 408 | #define CAC_TAG_CUID 0xF0 |
73 | 456 | #define CAC_TAG_CC_VERSION_NUMBER 0xF1 |
74 | 351 | #define CAC_TAG_GRAMMAR_VERION_NUMBER 0xF2 |
75 | 1.98k | #define CAC_TAG_CARDURL 0xF3 |
76 | 161 | #define CAC_TAG_PKCS15 0xF4 |
77 | 80 | #define CAC_TAG_ACCESS_CONTROL 0xF6 |
78 | 52 | #define CAC_TAG_DATA_MODEL 0xF5 |
79 | 38 | #define CAC_TAG_CARD_APDU 0xF7 |
80 | 213 | #define CAC_TAG_REDIRECTION 0xFA |
81 | 144 | #define CAC_TAG_CAPABILITY_TUPLES 0xFB |
82 | 188 | #define CAC_TAG_STATUS_TUPLES 0xFC |
83 | 476 | #define CAC_TAG_NEXT_CCC 0xFD |
84 | 238 | #define CAC_TAG_ERROR_CODES 0xFE |
85 | 601 | #define CAC_TAG_APPLET_FAMILY 0x01 |
86 | 421 | #define CAC_TAG_NUMBER_APPLETS 0x94 |
87 | 1.11k | #define CAC_TAG_APPLET_ENTRY 0x93 |
88 | | #define CAC_TAG_APPLET_AID 0x92 |
89 | 1.47k | #define CAC_TAG_APPLET_INFORMATION 0x01 |
90 | 2.16k | #define CAC_TAG_NUMBER_OF_OBJECTS 0x40 |
91 | 1.72k | #define CAC_TAG_TV_BUFFER 0x50 |
92 | 3.66k | #define CAC_TAG_PKI_OBJECT 0x51 |
93 | 1.98k | #define CAC_TAG_OBJECT_ID 0x41 |
94 | 1.69k | #define CAC_TAG_BUFFER_PROPERTIES 0x42 |
95 | 1.71k | #define CAC_TAG_PKI_PROPERTIES 0x43 |
96 | | |
97 | 166 | #define CAC_APP_TYPE_GENERAL 0x01 |
98 | 272 | #define CAC_APP_TYPE_SKI 0x02 |
99 | 766 | #define CAC_APP_TYPE_PKI 0x04 |
100 | | |
101 | | #define CAC_ACR_ACR 0x00 |
102 | | #define CAC_ACR_APPLET_OBJECT 0x10 |
103 | | #define CAC_ACR_AMP 0x20 |
104 | 427 | #define CAC_ACR_SERVICE 0x21 |
105 | | |
106 | 858 | #define CAC_MAX_CCC_DEPTH 16 |
107 | | |
108 | | /* hardware data structures (returned in the CCC) */ |
109 | | /* part of the card_url */ |
110 | | typedef struct cac_access_profile { |
111 | | u8 GCACR_listID; |
112 | | u8 GCACR_readTagListACRID; |
113 | | u8 GCACR_updatevalueACRID; |
114 | | u8 GCACR_readvalueACRID; |
115 | | u8 GCACR_createACRID; |
116 | | u8 GCACR_deleteACRID; |
117 | | u8 CryptoACR_listID; |
118 | | u8 CryptoACR_getChallengeACRID; |
119 | | u8 CryptoACR_internalAuthenicateACRID; |
120 | | u8 CryptoACR_pkiComputeACRID; |
121 | | u8 CryptoACR_readTagListACRID; |
122 | | u8 CryptoACR_updatevalueACRID; |
123 | | u8 CryptoACR_readvalueACRID; |
124 | | u8 CryptoACR_createACRID; |
125 | | u8 CryptoACR_deleteACRID; |
126 | | } cac_access_profile_t; |
127 | | |
128 | | /* part of the card url */ |
129 | | typedef struct cac_access_key_info { |
130 | | u8 keyFileID[2]; |
131 | | u8 keynumber; |
132 | | } cac_access_key_info_t; |
133 | | |
134 | | typedef struct cac_card_url { |
135 | | u8 rid[5]; |
136 | | u8 cardApplicationType; |
137 | | u8 objectID[2]; |
138 | | u8 applicationID[2]; |
139 | | cac_access_profile_t accessProfile; |
140 | | u8 pinID; /* not used for VM cards */ |
141 | | cac_access_key_info_t accessKeyInfo; /* not used for VM cards */ |
142 | | u8 keyCryptoAlgorithm; /* not used for VM cards */ |
143 | | } cac_card_url_t; |
144 | | |
145 | 3.10k | #define CAC_MAX_OBJECTS 16 |
146 | | |
147 | | typedef struct { |
148 | | /* OID has two bytes */ |
149 | | unsigned char oid[2]; |
150 | | /* Format is NOT SimpleTLV? */ |
151 | | unsigned char simpletlv; |
152 | | /* Is certificate object and private key is initialized */ |
153 | | unsigned char privatekey; |
154 | | } cac_properties_object_t; |
155 | | |
156 | | typedef struct { |
157 | | size_t num_objects; |
158 | | cac_properties_object_t objects[CAC_MAX_OBJECTS]; |
159 | | } cac_properties_t; |
160 | | |
161 | | /* |
162 | | * Flags for Current Selected Object Type |
163 | | * CAC files are TLV files, with TL and V separated. For generic |
164 | | * containers we reintegrate the TL anv V portions into a single |
165 | | * file to read. Certs are also TLV files, but pkcs15 wants the |
166 | | * actual certificate. At select time we know the patch which tells |
167 | | * us what time of files we want to read. We remember that type |
168 | | * so that read_binary can do the appropriate processing. |
169 | | */ |
170 | 2.08k | #define CAC_OBJECT_TYPE_CERT 1 |
171 | 121 | #define CAC_OBJECT_TYPE_TLV_FILE 4 |
172 | 7.18k | #define CAC_OBJECT_TYPE_GENERIC 5 |
173 | | |
174 | | /* |
175 | | * Set up the normal CAC paths |
176 | | */ |
177 | | #define CAC_2_RID "\xA0\x00\x00\x01\x16" |
178 | | |
179 | | static const sc_path_t cac_ACA_Path = { |
180 | | "", 0, |
181 | | 0,0,SC_PATH_TYPE_DF_NAME, |
182 | | { CAC_TO_AID(CAC_1_RID "\x10\x00") } |
183 | | }; |
184 | | |
185 | | static const sc_path_t cac_CCC_Path = { |
186 | | "", 0, |
187 | | 0,0,SC_PATH_TYPE_DF_NAME, |
188 | | { CAC_TO_AID(CAC_2_RID "\xDB\x00") } |
189 | | }; |
190 | | |
191 | | /* |
192 | | * CAC general objects defined in 4.3.1.2 of CAC Applet Developer Guide Version 1.0. |
193 | | * doubles as a source for CAC-2 labels. |
194 | | */ |
195 | | static const cac_object_t cac_objects[] = { |
196 | | { "Person Instance", 0x200, { { 0 }, 0, 0, 0, SC_PATH_TYPE_DF_NAME, |
197 | | { CAC_TO_AID(CAC_1_RID "\x02\x00") }}}, |
198 | | { "Personnel", 0x201, { { 0 }, 0, 0, 0, SC_PATH_TYPE_DF_NAME, |
199 | | { CAC_TO_AID(CAC_1_RID "\x02\x01") }}}, |
200 | | { "Benefits", 0x202, { { 0 }, 0, 0, 0, SC_PATH_TYPE_DF_NAME, |
201 | | { CAC_TO_AID(CAC_1_RID "\x02\x02") }}}, |
202 | | { "Other Benefits", 0x203, { { 0 }, 0, 0, 0, SC_PATH_TYPE_DF_NAME, |
203 | | { CAC_TO_AID(CAC_1_RID "\x02\x03") }}}, |
204 | | { "PKI Credential", 0x2FD, { { 0 }, 0, 0, 0, SC_PATH_TYPE_DF_NAME, |
205 | | { CAC_TO_AID(CAC_1_RID "\x02\xFD") }}}, |
206 | | { "PKI Certificate", 0x2FE, { { 0 }, 0, 0, 0, SC_PATH_TYPE_DF_NAME, |
207 | | { CAC_TO_AID(CAC_1_RID "\x02\xFE") }}}, |
208 | | }; |
209 | | |
210 | | static const int cac_object_count = sizeof(cac_objects)/sizeof(cac_objects[0]); |
211 | | |
212 | | /* |
213 | | * use the object id to find our object info on the object in our CAC-1 list |
214 | | */ |
215 | | static const cac_object_t *cac_find_obj_by_id(unsigned short object_id) |
216 | 166 | { |
217 | 166 | int i; |
218 | | |
219 | 1.07k | for (i = 0; i < cac_object_count; i++) { |
220 | 925 | if (cac_objects[i].fd == object_id) { |
221 | 16 | return &cac_objects[i]; |
222 | 16 | } |
223 | 925 | } |
224 | 150 | return NULL; |
225 | 166 | } |
226 | | |
227 | | /* |
228 | | * Lookup the path in the pki list to see if it is a cert path |
229 | | */ |
230 | | static int cac_is_cert(cac_private_data_t * priv, const sc_path_t *in_path) |
231 | 7.18k | { |
232 | 7.18k | cac_object_t test_obj = {0}; |
233 | 7.18k | test_obj.path = *in_path; |
234 | 7.18k | test_obj.path.index = 0; |
235 | 7.18k | test_obj.path.count = 0; |
236 | | |
237 | 7.18k | return (list_contains(&priv->pki_list, &test_obj) != 0); |
238 | 7.18k | } |
239 | | |
240 | | /* |
241 | | * Send a command and receive data. |
242 | | * |
243 | | * A caller may provide a buffer, and length to read. If not provided, |
244 | | * an internal 4096 byte buffer is used, and a copy is returned to the |
245 | | * caller. that need to be freed by the caller. |
246 | | * |
247 | | * modelled after a similar function in card-piv.c |
248 | | */ |
249 | | |
250 | | static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2, |
251 | | const u8 * sendbuf, size_t sendbuflen, u8 ** recvbuf, |
252 | | size_t * recvbuflen) |
253 | 13.4k | { |
254 | 13.4k | int r; |
255 | 13.4k | sc_apdu_t apdu = {0}; |
256 | 13.4k | u8 rbufinitbuf[CAC_MAX_SIZE]; |
257 | 13.4k | u8 *rbuf; |
258 | 13.4k | size_t rbuflen; |
259 | 13.4k | unsigned int apdu_case = SC_APDU_CASE_1; |
260 | | |
261 | | |
262 | 13.4k | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
263 | | |
264 | 13.4k | sc_log(card->ctx, |
265 | 13.4k | "%02x %02x %02x %"SC_FORMAT_LEN_SIZE_T"u : %"SC_FORMAT_LEN_SIZE_T"u %"SC_FORMAT_LEN_SIZE_T"u\n", |
266 | 13.4k | ins, p1, p2, sendbuflen, card->max_send_size, |
267 | 13.4k | card->max_recv_size); |
268 | | |
269 | 13.4k | rbuf = rbufinitbuf; |
270 | 13.4k | rbuflen = sizeof(rbufinitbuf); |
271 | | |
272 | | /* if caller provided a buffer and length */ |
273 | 13.4k | if (recvbuf && *recvbuf && recvbuflen && *recvbuflen) { |
274 | 12.4k | rbuf = *recvbuf; |
275 | 12.4k | rbuflen = *recvbuflen; |
276 | 12.4k | } |
277 | | |
278 | 13.4k | if (recvbuf) { |
279 | 13.4k | if (sendbuf) |
280 | 11.8k | apdu_case = SC_APDU_CASE_4_SHORT; |
281 | 1.69k | else |
282 | 1.69k | apdu_case = SC_APDU_CASE_2_SHORT; |
283 | 13.4k | } else if (sendbuf) |
284 | 0 | apdu_case = SC_APDU_CASE_3_SHORT; |
285 | | |
286 | | |
287 | 13.4k | sc_format_apdu(card, &apdu, apdu_case, ins, p1, p2); |
288 | | |
289 | 13.4k | apdu.lc = sendbuflen; |
290 | 13.4k | apdu.datalen = sendbuflen; |
291 | 13.4k | apdu.data = sendbuf; |
292 | | |
293 | 13.4k | if (recvbuf) { |
294 | 13.4k | apdu.resp = rbuf; |
295 | 13.4k | apdu.le = (rbuflen > 255) ? 255 : rbuflen; |
296 | 13.4k | apdu.resplen = rbuflen; |
297 | 13.4k | } else { |
298 | 0 | apdu.resp = rbuf; |
299 | 0 | apdu.le = 0; |
300 | 0 | apdu.resplen = 0; |
301 | 0 | } |
302 | | |
303 | 13.4k | sc_log(card->ctx, |
304 | 13.4k | "calling sc_transmit_apdu flags=%lx le=%"SC_FORMAT_LEN_SIZE_T"u, resplen=%"SC_FORMAT_LEN_SIZE_T"u, resp=%p", |
305 | 13.4k | apdu.flags, apdu.le, apdu.resplen, apdu.resp); |
306 | | |
307 | | /* with new adpu.c and chaining, this actually reads the whole object */ |
308 | 13.4k | r = sc_transmit_apdu(card, &apdu); |
309 | | |
310 | 13.4k | sc_log(card->ctx, |
311 | 13.4k | "result r=%d apdu.resplen=%"SC_FORMAT_LEN_SIZE_T"u sw1=%02x sw2=%02x", |
312 | 13.4k | r, apdu.resplen, apdu.sw1, apdu.sw2); |
313 | 13.4k | if (r < 0) { |
314 | 81 | sc_log(card->ctx, "Transmit failed"); |
315 | 81 | goto err; |
316 | 81 | } |
317 | | |
318 | 13.4k | r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
319 | | |
320 | 13.4k | if (r < 0) { |
321 | 817 | sc_log(card->ctx, "Card returned error "); |
322 | 817 | goto err; |
323 | 817 | } |
324 | | |
325 | 12.5k | if (recvbuflen) { |
326 | 12.5k | if (recvbuf && *recvbuf == NULL) { |
327 | 966 | *recvbuf = malloc(apdu.resplen); |
328 | 966 | if (*recvbuf == NULL) { |
329 | 0 | r = SC_ERROR_OUT_OF_MEMORY; |
330 | 0 | goto err; |
331 | 0 | } |
332 | 966 | memcpy(*recvbuf, rbuf, apdu.resplen); |
333 | 966 | } |
334 | 12.5k | *recvbuflen = apdu.resplen; |
335 | 12.5k | r = (int)*recvbuflen; |
336 | 12.5k | } |
337 | | |
338 | 13.4k | err: |
339 | 13.4k | LOG_FUNC_RETURN(card->ctx, r); |
340 | 13.4k | } |
341 | | |
342 | | /* |
343 | | * Get ACR of currently ACA applet identified by the acr_type |
344 | | * 5.3.3.5 Get ACR APDU |
345 | | */ |
346 | | static int |
347 | | cac_get_acr(sc_card_t *card, int acr_type, u8 **out_buf, size_t *out_len) |
348 | 427 | { |
349 | 427 | u8 *out = NULL; |
350 | | /* XXX assuming it will not be longer than 255 B */ |
351 | 427 | size_t len = 256; |
352 | 427 | int r; |
353 | | |
354 | 427 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
355 | | |
356 | | /* for simplicity we support only ACR without arguments now */ |
357 | 427 | if (acr_type != 0x00 && acr_type != 0x10 |
358 | 427 | && acr_type != 0x20 && acr_type != 0x21) { |
359 | 0 | return SC_ERROR_INVALID_ARGUMENTS; |
360 | 0 | } |
361 | | |
362 | 427 | r = cac_apdu_io(card, CAC_INS_GET_ACR, acr_type, 0, NULL, 0, &out, &len); |
363 | 427 | if (len == 0) { |
364 | 10 | r = SC_ERROR_FILE_NOT_FOUND; |
365 | 10 | } |
366 | 427 | if (r < 0) |
367 | 39 | goto fail; |
368 | | |
369 | 388 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
370 | 388 | "got %"SC_FORMAT_LEN_SIZE_T"u bytes out=%p", len, out); |
371 | | |
372 | 388 | *out_len = len; |
373 | 388 | *out_buf = out; |
374 | 388 | return SC_SUCCESS; |
375 | | |
376 | 39 | fail: |
377 | 39 | if (out) |
378 | 10 | free(out); |
379 | 39 | *out_buf = NULL; |
380 | 39 | *out_len = 0; |
381 | 39 | return r; |
382 | 427 | } |
383 | | |
384 | | /* |
385 | | * Read a CAC TLV file. Parameters specify if the TLV file is TL (Tag/Length) file or a V (value) file |
386 | | */ |
387 | 8.61k | #define HIGH_BYTE_OF_SHORT(x) (((x)>> 8) & 0xff) |
388 | 8.61k | #define LOW_BYTE_OF_SHORT(x) ((x) & 0xff) |
389 | | static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len) |
390 | 2.76k | { |
391 | 2.76k | u8 params[2]; |
392 | 2.76k | u8 count[2] = {0}; |
393 | 2.76k | u8 *out = NULL; |
394 | 2.76k | u8 *out_ptr = NULL; |
395 | 2.76k | size_t offset = 0; |
396 | 2.76k | size_t size = 0; |
397 | 2.76k | size_t left = 0; |
398 | 2.76k | size_t len = 0; |
399 | 2.76k | int r; |
400 | | |
401 | 2.76k | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
402 | | |
403 | 2.76k | params[0] = file_type; |
404 | 2.76k | params[1] = 2; |
405 | | |
406 | | /* get the size */ |
407 | 2.76k | len = sizeof(count); |
408 | 2.76k | out_ptr = count; |
409 | 2.76k | r = cac_apdu_io(card, CAC_INS_READ_FILE, 0, 0, ¶ms[0], sizeof(params), &out_ptr, &len); |
410 | 2.76k | if (len == 0) { |
411 | 221 | r = SC_ERROR_FILE_NOT_FOUND; |
412 | 221 | } |
413 | 2.76k | if (r < 0) |
414 | 433 | goto fail; |
415 | | |
416 | 2.32k | left = size = lebytes2ushort(count); |
417 | 2.32k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
418 | 2.32k | "got %"SC_FORMAT_LEN_SIZE_T"u bytes out_ptr=%p count&=%p count[0]=0x%02x count[1]=0x%02x, len=0x%04"SC_FORMAT_LEN_SIZE_T"x (%"SC_FORMAT_LEN_SIZE_T"u)", |
419 | 2.32k | len, out_ptr, &count, count[0], count[1], size, size); |
420 | 2.32k | out = out_ptr = malloc(size); |
421 | 2.32k | if (out == NULL) { |
422 | 0 | r = SC_ERROR_OUT_OF_MEMORY; |
423 | 0 | goto fail; |
424 | 0 | } |
425 | 10.8k | for (offset += 2; left > 0; offset += len, left -= len, out_ptr += len) { |
426 | 8.61k | len = MIN(left, CAC_MAX_CHUNK_SIZE); |
427 | 8.61k | params[1] = len; |
428 | 8.61k | r = cac_apdu_io(card, CAC_INS_READ_FILE, HIGH_BYTE_OF_SHORT(offset), LOW_BYTE_OF_SHORT(offset), |
429 | 8.61k | ¶ms[0], sizeof(params), &out_ptr, &len); |
430 | | /* if there is no data, assume there is no file */ |
431 | 8.61k | if (len == 0) { |
432 | 41 | r = SC_ERROR_FILE_NOT_FOUND; |
433 | 41 | } |
434 | 8.61k | if (r < 0) { |
435 | 136 | goto fail; |
436 | 136 | } |
437 | 8.61k | } |
438 | 2.19k | *out_len = size; |
439 | 2.19k | *out_buf = out; |
440 | 2.19k | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
441 | 569 | fail: |
442 | 569 | if (out) |
443 | 136 | free(out); |
444 | 569 | *out_len = 0; |
445 | 569 | LOG_FUNC_RETURN(card->ctx, r); |
446 | 569 | } |
447 | | |
448 | | |
449 | | /* |
450 | | * Callers of this may be expecting a certificate, |
451 | | * select file will have saved the object type for us |
452 | | * as well as set that we want the cert from the object. |
453 | | */ |
454 | | static int cac_read_binary(sc_card_t *card, unsigned int idx, |
455 | | unsigned char *buf, size_t count, unsigned long *flags) |
456 | 908 | { |
457 | 908 | cac_private_data_t * priv = CAC_DATA(card); |
458 | 908 | int r = 0; |
459 | 908 | u8 *tl = NULL, *val = NULL; |
460 | 908 | const u8 *tl_ptr, *val_ptr, *tl_start; |
461 | 908 | u8 *tlv_ptr; |
462 | 908 | const u8 *cert_ptr; |
463 | 908 | size_t tl_len = 0, val_len = 0, tlv_len; |
464 | 908 | size_t len, tl_head_len, cert_len; |
465 | 908 | u8 cert_type, tag; |
466 | | |
467 | 908 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
468 | | |
469 | | /* if we didn't return it all last time, return the remainder */ |
470 | 908 | if (priv->cached) { |
471 | 142 | sc_log(card->ctx, |
472 | 142 | "returning cached value idx=%d count=%"SC_FORMAT_LEN_SIZE_T"u", |
473 | 142 | idx, count); |
474 | 142 | if (idx > priv->cache_buf_len) { |
475 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_END_REACHED); |
476 | 0 | } |
477 | 142 | len = MIN(count, priv->cache_buf_len-idx); |
478 | 142 | memcpy(buf, &priv->cache_buf[idx], len); |
479 | 142 | LOG_FUNC_RETURN(card->ctx, (int)len); |
480 | 142 | } |
481 | | |
482 | 766 | sc_log(card->ctx, |
483 | 766 | "clearing cache idx=%d count=%"SC_FORMAT_LEN_SIZE_T"u", |
484 | 766 | idx, count); |
485 | 766 | if (priv->cache_buf) { |
486 | 0 | free(priv->cache_buf); |
487 | 0 | priv->cache_buf = NULL; |
488 | 0 | priv->cache_buf_len = 0; |
489 | 0 | } |
490 | | |
491 | | |
492 | 766 | if (priv->object_type <= 0) |
493 | 766 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
494 | | |
495 | 766 | r = cac_read_file(card, CAC_FILE_TAG, &tl, &tl_len); |
496 | 766 | if (r < 0) { |
497 | 368 | goto done; |
498 | 368 | } |
499 | | |
500 | 398 | r = cac_read_file(card, CAC_FILE_VALUE, &val, &val_len); |
501 | 398 | if (r < 0) |
502 | 69 | goto done; |
503 | | |
504 | 329 | switch (priv->object_type) { |
505 | 53 | case CAC_OBJECT_TYPE_TLV_FILE: |
506 | 53 | tlv_len = tl_len + val_len; |
507 | 53 | priv->cache_buf = malloc(tlv_len); |
508 | 53 | if (priv->cache_buf == NULL) { |
509 | 0 | r = SC_ERROR_OUT_OF_MEMORY; |
510 | 0 | goto done; |
511 | 0 | } |
512 | 53 | priv->cache_buf_len = tlv_len; |
513 | | |
514 | 53 | for (tl_ptr = tl, val_ptr = val, tlv_ptr = priv->cache_buf; |
515 | 9.10k | tl_len >= 2 && tlv_len > 0; |
516 | 9.05k | val_len -= len, tlv_len -= len, val_ptr += len, tlv_ptr += len) { |
517 | | /* get the tag and the length */ |
518 | 9.05k | tl_start = tl_ptr; |
519 | 9.05k | r = sc_simpletlv_read_tag(&tl_ptr, tl_len, &tag, &len); |
520 | 9.05k | if (r != SC_SUCCESS && r != SC_ERROR_TLV_END_OF_CONTENTS) |
521 | 1 | break; |
522 | 9.05k | tl_head_len = (tl_ptr - tl_start); |
523 | 9.05k | sc_simpletlv_put_tag(tag, len, tlv_ptr, tlv_len, &tlv_ptr); |
524 | 9.05k | tlv_len -= tl_head_len; |
525 | 9.05k | tl_len -= tl_head_len; |
526 | | |
527 | | /* don't crash on bad data */ |
528 | 9.05k | if (val_len < len) { |
529 | 6.79k | sc_log(card->ctx, "Received too long value %"SC_FORMAT_LEN_SIZE_T"u, " |
530 | 6.79k | "while only %"SC_FORMAT_LEN_SIZE_T"u left. Truncating", len, val_len); |
531 | 6.79k | len = val_len; |
532 | 6.79k | } |
533 | | /* if we run out of return space, truncate */ |
534 | 9.05k | if (tlv_len < len) { |
535 | 0 | len = tlv_len; |
536 | 0 | } |
537 | 9.05k | memcpy(tlv_ptr, val_ptr, len); |
538 | 9.05k | } |
539 | | /* fixup the cache_buf_le to reflect for the bad data ignored above */ |
540 | 53 | priv->cache_buf_len = (tlv_ptr - priv->cache_buf); |
541 | 53 | break; |
542 | | |
543 | 275 | case CAC_OBJECT_TYPE_CERT: |
544 | | /* read file */ |
545 | 275 | sc_log(card->ctx, |
546 | 275 | " obj= cert_file, val_len=%"SC_FORMAT_LEN_SIZE_T"u (0x%04"SC_FORMAT_LEN_SIZE_T"x)", |
547 | 275 | val_len, val_len); |
548 | 275 | cert_len = 0; |
549 | 275 | cert_ptr = NULL; |
550 | 275 | cert_type = 0; |
551 | 1.69k | for (tl_ptr = tl, val_ptr = val; tl_len >= 2; |
552 | 1.52k | val_len -= len, val_ptr += len, tl_len -= tl_head_len) { |
553 | 1.52k | tl_start = tl_ptr; |
554 | 1.52k | r = sc_simpletlv_read_tag(&tl_ptr, tl_len, &tag, &len); |
555 | 1.52k | if (r != SC_SUCCESS && r != SC_ERROR_TLV_END_OF_CONTENTS) |
556 | 12 | break; |
557 | 1.51k | tl_head_len = tl_ptr - tl_start; |
558 | | |
559 | | /* incomplete value */ |
560 | 1.51k | if (val_len < len) { |
561 | 93 | sc_log(card->ctx, "Read incomplete value %"SC_FORMAT_LEN_SIZE_T"u, " |
562 | 93 | "while only %"SC_FORMAT_LEN_SIZE_T"u left", len, val_len); |
563 | 93 | break; |
564 | 93 | } |
565 | | |
566 | 1.41k | if (tag == CAC_TAG_CERTIFICATE) { |
567 | 37 | cert_len = len; |
568 | 37 | cert_ptr = val_ptr; |
569 | 37 | } |
570 | 1.41k | if (tag == CAC_TAG_CERTINFO) { |
571 | 36 | if ((len >= 1) && (val_len >=1)) { |
572 | 26 | cert_type = *val_ptr; |
573 | 26 | } |
574 | 36 | } |
575 | 1.41k | if (tag == CAC_TAG_MSCUID) { |
576 | 14 | sc_log_hex(card->ctx, "MSCUID", val_ptr, len); |
577 | 14 | } |
578 | 1.41k | } |
579 | | /* if the info byte is 1, then the cert is compressed, decompress it */ |
580 | 275 | if ((cert_type & 0x3) == 1 && flags) { |
581 | 10 | *flags |= SC_FILE_FLAG_COMPRESSED_AUTO; |
582 | 10 | } |
583 | 275 | if (cert_len > 0) { |
584 | 18 | priv->cache_buf = malloc(cert_len); |
585 | 18 | if (priv->cache_buf == NULL) { |
586 | 0 | r = SC_ERROR_OUT_OF_MEMORY; |
587 | 0 | goto done; |
588 | 0 | } |
589 | 18 | priv->cache_buf_len = cert_len; |
590 | 18 | memcpy(priv->cache_buf, cert_ptr, cert_len); |
591 | 257 | } else { |
592 | 257 | sc_log(card->ctx, "Can't read zero-length certificate"); |
593 | 257 | goto done; |
594 | 257 | } |
595 | 18 | break; |
596 | 18 | case CAC_OBJECT_TYPE_GENERIC: |
597 | | /* TODO |
598 | | * We have some two buffers in unknown encoding that we |
599 | | * need to present in PKCS#15 layer. |
600 | | */ |
601 | 1 | default: |
602 | | /* Unknown object type */ |
603 | 1 | sc_log(card->ctx, "Unknown object type: %x", priv->object_type); |
604 | 1 | r = SC_ERROR_INTERNAL; |
605 | 1 | goto done; |
606 | 329 | } |
607 | | |
608 | | /* OK we've read the data, now copy the required portion out to the callers buffer */ |
609 | 71 | priv->cached = 1; |
610 | 71 | len = MIN(count, priv->cache_buf_len-idx); |
611 | 71 | memcpy(buf, &priv->cache_buf[idx], len); |
612 | 71 | r = (int)len; |
613 | 766 | done: |
614 | 766 | if (tl) |
615 | 398 | free(tl); |
616 | 766 | if (val) |
617 | 329 | free(val); |
618 | 766 | LOG_FUNC_RETURN(card->ctx, r); |
619 | 766 | } |
620 | | |
621 | | /* initialize getting a list and return the number of elements in the list */ |
622 | | static int cac_get_init_and_get_count(list_t *list, cac_object_t **entry, int *countp) |
623 | 1.79k | { |
624 | 1.79k | *countp = list_size(list); |
625 | 1.79k | list_iterator_start(list); |
626 | 1.79k | *entry = list_iterator_next(list); |
627 | 1.79k | return SC_SUCCESS; |
628 | 1.79k | } |
629 | | |
630 | | /* finalize the list iterator */ |
631 | | static int cac_final_iterator(list_t *list) |
632 | 1.79k | { |
633 | 1.79k | list_iterator_stop(list); |
634 | 1.79k | return SC_SUCCESS; |
635 | 1.79k | } |
636 | | |
637 | | /* fill in the obj_info for the current object on the list and advance to the next object */ |
638 | | static int cac_fill_object_info(list_t *list, cac_object_t **entry, sc_pkcs15_data_info_t *obj_info) |
639 | 2.73k | { |
640 | 2.73k | memset(obj_info, 0, sizeof(sc_pkcs15_data_info_t)); |
641 | 2.73k | if (*entry == NULL) { |
642 | 0 | return SC_ERROR_FILE_END_REACHED; |
643 | 0 | } |
644 | | |
645 | 2.73k | obj_info->path = (*entry)->path; |
646 | 2.73k | obj_info->path.count = CAC_MAX_SIZE-1; /* read something from the object */ |
647 | 2.73k | obj_info->id.value[0] = ((*entry)->fd >> 8) & 0xff; |
648 | 2.73k | obj_info->id.value[1] = (*entry)->fd & 0xff; |
649 | 2.73k | obj_info->id.len = 2; |
650 | 2.73k | strncpy(obj_info->app_label, (*entry)->name, SC_PKCS15_MAX_LABEL_SIZE-1); |
651 | 2.73k | *entry = list_iterator_next(list); |
652 | 2.73k | return SC_SUCCESS; |
653 | 2.73k | } |
654 | | |
655 | | static int cac_get_serial_nr_from_CUID(sc_card_t* card, sc_serial_number_t* serial) |
656 | 899 | { |
657 | 899 | cac_private_data_t * priv = CAC_DATA(card); |
658 | | |
659 | 899 | LOG_FUNC_CALLED(card->ctx); |
660 | 899 | if (card->serialnr.len) { |
661 | 0 | *serial = card->serialnr; |
662 | 0 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
663 | 0 | } |
664 | 899 | if (priv->cac_id_len) { |
665 | 205 | serial->len = MIN(priv->cac_id_len, SC_MAX_SERIALNR); |
666 | 205 | memcpy(serial->value, priv->cac_id, serial->len); |
667 | 205 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
668 | 205 | } |
669 | 694 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND); |
670 | 694 | } |
671 | | |
672 | | static int cac_get_ACA_path(sc_card_t *card, sc_path_t *path) |
673 | 899 | { |
674 | 899 | cac_private_data_t * priv = CAC_DATA(card); |
675 | | |
676 | 899 | LOG_FUNC_CALLED(card->ctx); |
677 | 899 | if (priv->aca_path) { |
678 | 368 | *path = *priv->aca_path; |
679 | 368 | } |
680 | 899 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
681 | 899 | } |
682 | | |
683 | | static int cac_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr) |
684 | 9.96k | { |
685 | 9.96k | cac_private_data_t * priv = CAC_DATA(card); |
686 | | |
687 | 9.96k | LOG_FUNC_CALLED(card->ctx); |
688 | 9.96k | sc_log(card->ctx, "cmd=%ld ptr=%p", cmd, ptr); |
689 | | |
690 | 9.96k | if (priv == NULL) { |
691 | 0 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL); |
692 | 0 | } |
693 | 9.96k | switch(cmd) { |
694 | 899 | case SC_CARDCTL_CAC_GET_ACA_PATH: |
695 | 899 | return cac_get_ACA_path(card, (sc_path_t *) ptr); |
696 | 899 | case SC_CARDCTL_GET_SERIALNR: |
697 | 899 | return cac_get_serial_nr_from_CUID(card, (sc_serial_number_t *) ptr); |
698 | 899 | case SC_CARDCTL_CAC_INIT_GET_GENERIC_OBJECTS: |
699 | 899 | return cac_get_init_and_get_count(&priv->general_list, &priv->general_current, (int *)ptr); |
700 | 899 | case SC_CARDCTL_CAC_INIT_GET_CERT_OBJECTS: |
701 | 899 | return cac_get_init_and_get_count(&priv->pki_list, &priv->pki_current, (int *)ptr); |
702 | 403 | case SC_CARDCTL_CAC_GET_NEXT_GENERIC_OBJECT: |
703 | 403 | return cac_fill_object_info(&priv->general_list, &priv->general_current, (sc_pkcs15_data_info_t *)ptr); |
704 | 2.33k | case SC_CARDCTL_CAC_GET_NEXT_CERT_OBJECT: |
705 | 2.33k | return cac_fill_object_info(&priv->pki_list, &priv->pki_current, (sc_pkcs15_data_info_t *)ptr); |
706 | 899 | case SC_CARDCTL_CAC_FINAL_GET_GENERIC_OBJECTS: |
707 | 899 | return cac_final_iterator(&priv->general_list); |
708 | 899 | case SC_CARDCTL_CAC_FINAL_GET_CERT_OBJECTS: |
709 | 899 | return cac_final_iterator(&priv->pki_list); |
710 | 9.96k | } |
711 | | |
712 | 1.83k | LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED); |
713 | 1.83k | } |
714 | | |
715 | | static int cac_get_challenge(sc_card_t *card, u8 *rnd, size_t len) |
716 | 656 | { |
717 | | /* CAC requires 8 byte response */ |
718 | 656 | u8 rbuf[8]; |
719 | 656 | u8 *rbufp = &rbuf[0]; |
720 | 656 | size_t out_len = sizeof rbuf; |
721 | 656 | int r; |
722 | | |
723 | 656 | LOG_FUNC_CALLED(card->ctx); |
724 | | |
725 | 656 | r = cac_apdu_io(card, 0x84, 0x00, 0x00, NULL, 0, &rbufp, &out_len); |
726 | 656 | LOG_TEST_RET(card->ctx, r, "Could not get challenge"); |
727 | | |
728 | 270 | if (len < out_len) { |
729 | 1 | out_len = len; |
730 | 1 | } |
731 | 270 | memcpy(rnd, rbuf, out_len); |
732 | | |
733 | 270 | LOG_FUNC_RETURN(card->ctx, (int) out_len); |
734 | 270 | } |
735 | | |
736 | | static int cac_set_security_env(sc_card_t *card, const sc_security_env_t *env, int se_num) |
737 | 0 | { |
738 | 0 | int r = SC_SUCCESS; |
739 | |
|
740 | 0 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
741 | |
|
742 | 0 | sc_log(card->ctx, |
743 | 0 | "flags=%08lx op=%d alg=%lu algf=%08lx algr=%08lx kr0=%02x, krfl=%"SC_FORMAT_LEN_SIZE_T"u\n", |
744 | 0 | env->flags, env->operation, env->algorithm, |
745 | 0 | env->algorithm_flags, env->algorithm_ref, env->key_ref[0], |
746 | 0 | env->key_ref_len); |
747 | |
|
748 | 0 | if (env->algorithm != SC_ALGORITHM_RSA) { |
749 | 0 | r = SC_ERROR_NO_CARD_SUPPORT; |
750 | 0 | } |
751 | | |
752 | |
|
753 | 0 | SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r); |
754 | 0 | } |
755 | | |
756 | | |
757 | | static int cac_restore_security_env(sc_card_t *card, int se_num) |
758 | 0 | { |
759 | 0 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
760 | |
|
761 | 0 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
762 | 0 | } |
763 | | |
764 | | |
765 | | static int cac_rsa_op(sc_card_t *card, |
766 | | const u8 * data, size_t datalen, |
767 | | u8 * out, size_t outlen) |
768 | 0 | { |
769 | 0 | int r; |
770 | 0 | u8 *outp, *rbuf; |
771 | 0 | size_t rbuflen, outplen; |
772 | |
|
773 | 0 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
774 | 0 | sc_log(card->ctx, |
775 | 0 | "datalen=%"SC_FORMAT_LEN_SIZE_T"u outlen=%"SC_FORMAT_LEN_SIZE_T"u\n", |
776 | 0 | datalen, outlen); |
777 | |
|
778 | 0 | outp = out; |
779 | 0 | outplen = outlen; |
780 | | |
781 | | /* Not strictly necessary. This code requires the caller to have selected the correct PKI container |
782 | | * and authenticated to that container with the verifyPin command... All of this under the reader lock. |
783 | | * The PKCS #15 higher level driver code does all this correctly (it's the same for all cards, just |
784 | | * different sets of APDU's that need to be called), so this call is really a little bit of paranoia */ |
785 | 0 | r = sc_lock(card); |
786 | 0 | if (r != SC_SUCCESS) |
787 | 0 | LOG_FUNC_RETURN(card->ctx, r); |
788 | | |
789 | | |
790 | 0 | rbuf = NULL; |
791 | 0 | rbuflen = 0; |
792 | 0 | for (; datalen > CAC_MAX_CHUNK_SIZE; data += CAC_MAX_CHUNK_SIZE, datalen -= CAC_MAX_CHUNK_SIZE) { |
793 | 0 | r = cac_apdu_io(card, CAC_INS_SIGN_DECRYPT, CAC_P1_STEP, 0, |
794 | 0 | data, CAC_MAX_CHUNK_SIZE, &rbuf, &rbuflen); |
795 | 0 | if (r < 0) { |
796 | 0 | break; |
797 | 0 | } |
798 | 0 | if (rbuflen != 0) { |
799 | 0 | size_t n = MIN(rbuflen, outplen); |
800 | 0 | memcpy(outp, rbuf, n); |
801 | 0 | outp += n; |
802 | 0 | outplen -= n; |
803 | 0 | } |
804 | 0 | free(rbuf); |
805 | 0 | rbuf = NULL; |
806 | 0 | rbuflen = 0; |
807 | 0 | } |
808 | 0 | if (r < 0) { |
809 | 0 | goto err; |
810 | 0 | } |
811 | 0 | rbuf = NULL; |
812 | 0 | rbuflen = 0; |
813 | 0 | r = cac_apdu_io(card, CAC_INS_SIGN_DECRYPT, CAC_P1_FINAL, 0, data, datalen, &rbuf, &rbuflen); |
814 | 0 | if (r < 0) { |
815 | 0 | goto err; |
816 | 0 | } |
817 | 0 | if (rbuflen != 0) { |
818 | 0 | size_t n = MIN(rbuflen, outplen); |
819 | 0 | memcpy(outp, rbuf, n); |
820 | | /*outp += n; unused */ |
821 | 0 | outplen -= n; |
822 | 0 | } |
823 | 0 | free(rbuf); |
824 | 0 | rbuf = NULL; |
825 | 0 | r = (int)(outlen - outplen); |
826 | |
|
827 | 0 | err: |
828 | 0 | sc_unlock(card); |
829 | 0 | if (r < 0) { |
830 | 0 | sc_mem_clear(out, outlen); |
831 | 0 | } |
832 | 0 | if (rbuf) { |
833 | 0 | free(rbuf); |
834 | 0 | } |
835 | |
|
836 | 0 | LOG_FUNC_RETURN(card->ctx, r); |
837 | 0 | } |
838 | | |
839 | | static int cac_compute_signature(sc_card_t *card, |
840 | | const u8 * data, size_t datalen, |
841 | | u8 * out, size_t outlen) |
842 | 0 | { |
843 | 0 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
844 | |
|
845 | 0 | SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, cac_rsa_op(card, data, datalen, out, outlen)); |
846 | 0 | } |
847 | | |
848 | | static int cac_decipher(sc_card_t *card, |
849 | | const u8 * data, size_t datalen, |
850 | | u8 * out, size_t outlen) |
851 | 0 | { |
852 | 0 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
853 | |
|
854 | 0 | SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, cac_rsa_op(card, data, datalen, out, outlen)); |
855 | 0 | } |
856 | | |
857 | | static int cac_parse_properties_object(sc_card_t *card, u8 type, |
858 | | const u8 *data, size_t data_len, cac_properties_object_t *object) |
859 | 3.08k | { |
860 | 3.08k | size_t len; |
861 | 3.08k | const u8 *val, *val_end; |
862 | 3.08k | u8 tag; |
863 | 3.08k | int parsed = 0; |
864 | | |
865 | 3.08k | if (data_len < 11) |
866 | 0 | return -1; |
867 | | |
868 | | /* Initialize: non-PKI applet */ |
869 | 3.08k | object->privatekey = 0; |
870 | | |
871 | 3.08k | val = data; |
872 | 3.08k | val_end = data + data_len; |
873 | 13.3k | for (; val < val_end; val += len) { |
874 | | /* get the tag and the length */ |
875 | 12.1k | if (sc_simpletlv_read_tag(&val, val_end - val, &tag, &len) != SC_SUCCESS) |
876 | 1.93k | break; |
877 | | |
878 | 10.2k | switch (tag) { |
879 | 1.98k | case CAC_TAG_OBJECT_ID: |
880 | 1.98k | if (len != 2) { |
881 | 737 | sc_log(card->ctx, "TAG: Object ID: " |
882 | 737 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
883 | 737 | break; |
884 | 737 | } |
885 | 1.25k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
886 | 1.25k | "TAG: Object ID = 0x%02x 0x%02x", val[0], val[1]); |
887 | 1.25k | memcpy(&object->oid, val, 2); |
888 | 1.25k | parsed++; |
889 | 1.25k | break; |
890 | | |
891 | 1.69k | case CAC_TAG_BUFFER_PROPERTIES: |
892 | 1.69k | if (len != 5) { |
893 | 428 | sc_log(card->ctx, "TAG: Buffer Properties: " |
894 | 428 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
895 | 428 | break; |
896 | 428 | } |
897 | | /* First byte is "Type of Tag Supported" */ |
898 | 1.26k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
899 | 1.26k | "TAG: Buffer Properties: Type of Tag Supported = 0x%02x", |
900 | 1.26k | val[0]); |
901 | 1.26k | object->simpletlv = val[0]; |
902 | 1.26k | parsed++; |
903 | 1.26k | break; |
904 | | |
905 | 1.71k | case CAC_TAG_PKI_PROPERTIES: |
906 | | /* 4th byte is "Private Key Initialized" */ |
907 | 1.71k | if (len != 4) { |
908 | 470 | sc_log(card->ctx, "TAG: PKI Properties: " |
909 | 470 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
910 | 470 | break; |
911 | 470 | } |
912 | 1.24k | if (type != CAC_TAG_PKI_OBJECT) { |
913 | 536 | sc_log(card->ctx, "TAG: PKI Properties outside of PKI Object"); |
914 | 536 | break; |
915 | 536 | } |
916 | 705 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
917 | 705 | "TAG: PKI Properties: Private Key Initialized = 0x%02x", |
918 | 705 | val[2]); |
919 | 705 | object->privatekey = val[2]; |
920 | 705 | parsed++; |
921 | 705 | break; |
922 | | |
923 | 4.87k | default: |
924 | | /* ignore tags we don't understand */ |
925 | 4.87k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
926 | 4.87k | "TAG: Unknown (0x%02x)",tag ); |
927 | 4.87k | break; |
928 | 10.2k | } |
929 | 10.2k | } |
930 | 3.08k | if (parsed < 2) |
931 | 2.04k | return SC_ERROR_INVALID_DATA; |
932 | | |
933 | 1.04k | return SC_SUCCESS; |
934 | 3.08k | } |
935 | | |
936 | | static int cac_get_properties(sc_card_t *card, cac_properties_t *prop) |
937 | 608 | { |
938 | 608 | u8 *rbuf = NULL; |
939 | 608 | size_t rbuflen = 0, len; |
940 | 608 | const u8 *val, *val_end; |
941 | 608 | u8 tag; |
942 | 608 | size_t i = 0; |
943 | 608 | int r; |
944 | 608 | prop->num_objects = 0; |
945 | | |
946 | 608 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
947 | | |
948 | 608 | r = cac_apdu_io(card, CAC_INS_GET_PROPERTIES, 0x01, 0x00, NULL, 0, |
949 | 608 | &rbuf, &rbuflen); |
950 | 608 | if (r < 0) |
951 | 40 | return r; |
952 | | |
953 | 568 | val = rbuf; |
954 | 568 | val_end = val + rbuflen; |
955 | 20.1k | for (; val < val_end; val += len) { |
956 | | /* get the tag and the length */ |
957 | 19.9k | if (sc_simpletlv_read_tag(&val, val_end - val, &tag, &len) != SC_SUCCESS) |
958 | 384 | break; |
959 | | |
960 | 19.6k | switch (tag) { |
961 | 1.47k | case CAC_TAG_APPLET_INFORMATION: |
962 | 1.47k | if (len != 5) { |
963 | 1.37k | sc_log(card->ctx, "TAG: Applet Information: " |
964 | 1.37k | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
965 | 1.37k | break; |
966 | 1.37k | } |
967 | 91 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
968 | 91 | "TAG: Applet Information: Family: 0x%0x", val[0]); |
969 | 91 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
970 | 91 | " Applet Version: 0x%02x 0x%02x 0x%02x 0x%02x", |
971 | 91 | val[1], val[2], val[3], val[4]); |
972 | 91 | break; |
973 | | |
974 | 2.16k | case CAC_TAG_NUMBER_OF_OBJECTS: |
975 | 2.16k | if (len != 1) { |
976 | 327 | sc_log(card->ctx, "TAG: Num objects: " |
977 | 327 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
978 | 327 | break; |
979 | 327 | } |
980 | 1.84k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
981 | 1.84k | "TAG: Num objects = %hhd", *val); |
982 | | /* make sure we do not overrun buffer */ |
983 | 1.84k | prop->num_objects = MIN(val[0], CAC_MAX_OBJECTS); |
984 | 1.84k | break; |
985 | | |
986 | 1.72k | case CAC_TAG_TV_BUFFER: |
987 | 1.72k | if (len != 17) { |
988 | 766 | sc_log(card->ctx, "TAG: TV Object: " |
989 | 766 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
990 | 766 | break; |
991 | 766 | } |
992 | 963 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
993 | 963 | "TAG: TV Object nr. %"SC_FORMAT_LEN_SIZE_T"u", i); |
994 | 963 | if (i >= CAC_MAX_OBJECTS) { |
995 | 8 | free(rbuf); |
996 | 8 | return SC_SUCCESS; |
997 | 8 | } |
998 | | |
999 | 955 | if (cac_parse_properties_object(card, tag, val, len, |
1000 | 955 | &prop->objects[i]) == SC_SUCCESS) |
1001 | 124 | i++; |
1002 | 955 | break; |
1003 | | |
1004 | 2.42k | case CAC_TAG_PKI_OBJECT: |
1005 | 2.42k | if (len != 17) { |
1006 | 281 | sc_log(card->ctx, "TAG: PKI Object: " |
1007 | 281 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1008 | 281 | break; |
1009 | 281 | } |
1010 | 2.14k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1011 | 2.14k | "TAG: PKI Object nr. %"SC_FORMAT_LEN_SIZE_T"u", i); |
1012 | 2.14k | if (i >= CAC_MAX_OBJECTS) { |
1013 | 13 | free(rbuf); |
1014 | 13 | return SC_SUCCESS; |
1015 | 13 | } |
1016 | | |
1017 | 2.12k | if (cac_parse_properties_object(card, tag, val, len, |
1018 | 2.12k | &prop->objects[i]) == SC_SUCCESS) |
1019 | 919 | i++; |
1020 | 2.12k | break; |
1021 | | |
1022 | 11.8k | default: |
1023 | | /* ignore tags we don't understand */ |
1024 | 11.8k | sc_log(card->ctx, "TAG: Unknown (0x%02x), len=%" |
1025 | 11.8k | SC_FORMAT_LEN_SIZE_T"u", tag, len); |
1026 | 11.8k | break; |
1027 | 19.6k | } |
1028 | 19.6k | } |
1029 | 547 | free(rbuf); |
1030 | | /* sanity */ |
1031 | 547 | if (i != prop->num_objects) |
1032 | 180 | sc_log(card->ctx, "The announced number of objects (%zu) " |
1033 | 547 | "did not match reality (%"SC_FORMAT_LEN_SIZE_T"u)", |
1034 | 547 | prop->num_objects, i); |
1035 | 547 | prop->num_objects = i; |
1036 | | |
1037 | 547 | return SC_SUCCESS; |
1038 | 568 | } |
1039 | | |
1040 | | /* |
1041 | | * CAC cards use SC_PATH_SELECT_OBJECT_ID rather than SC_PATH_SELECT_FILE_ID. In order to use more |
1042 | | * of the PKCS #15 structure, we call the selection SC_PATH_SELECT_FILE_ID, but we set p1 to 2 instead |
1043 | | * of 0. Also cac1 does not do any FCI, but it doesn't understand not selecting it. It returns invalid INS |
1044 | | * if it doesn't like anything about the select, so we always 'request' FCI for CAC1 |
1045 | | * |
1046 | | * The rest is just copied from iso7816_select_file |
1047 | | */ |
1048 | | static int cac_select_file_by_type(sc_card_t *card, const sc_path_t *in_path, sc_file_t **file_out) |
1049 | 77.7k | { |
1050 | 77.7k | struct sc_context *ctx; |
1051 | 77.7k | struct sc_apdu apdu; |
1052 | 77.7k | unsigned char buf[SC_MAX_APDU_BUFFER_SIZE]; |
1053 | 77.7k | unsigned char pathbuf[SC_MAX_PATH_SIZE], *path = pathbuf; |
1054 | 77.7k | int r, pathtype; |
1055 | 77.7k | size_t pathlen; |
1056 | 77.7k | struct sc_file *file = NULL; |
1057 | 77.7k | cac_private_data_t * priv = CAC_DATA(card); |
1058 | | |
1059 | 77.7k | assert(card != NULL && in_path != NULL); |
1060 | 77.7k | ctx = card->ctx; |
1061 | | |
1062 | 77.7k | SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_VERBOSE); |
1063 | | |
1064 | 77.7k | memcpy(path, in_path->value, in_path->len); |
1065 | 77.7k | pathlen = in_path->len; |
1066 | 77.7k | pathtype = in_path->type; |
1067 | | |
1068 | 77.7k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1069 | 77.7k | "path=%s, path->value=%s path->type=%d (%x)", |
1070 | 77.7k | sc_print_path(in_path), |
1071 | 77.7k | sc_dump_hex(in_path->value, in_path->len), |
1072 | 77.7k | in_path->type, in_path->type); |
1073 | 77.7k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "file_out=%p index=%d count=%d\n", |
1074 | 77.7k | file_out, in_path->index, in_path->count); |
1075 | | |
1076 | | /* Sigh, iso7816_select_file expects paths to keys to have specific |
1077 | | * formats. There is no override. We have to add some bytes to the |
1078 | | * path to make it happy. |
1079 | | * We only need to do this for private keys. |
1080 | | */ |
1081 | 77.7k | if ((pathlen > 2) && (pathlen <= 4) && memcmp(path, "\x3F\x00", 2) == 0) { |
1082 | 2.15k | path += 2; |
1083 | 2.15k | pathlen -= 2; |
1084 | 2.15k | } |
1085 | | |
1086 | | |
1087 | | /* CAC has multiple different type of objects that aren't PKCS #15. When we read |
1088 | | * them we need convert them to something PKCS #15 would understand. Find the object |
1089 | | * and object type here: |
1090 | | */ |
1091 | 77.7k | if (priv) { /* don't record anything if we haven't been initialized yet */ |
1092 | 7.18k | priv->object_type = CAC_OBJECT_TYPE_GENERIC; |
1093 | 7.18k | if (cac_is_cert(priv, in_path)) { |
1094 | 1.79k | priv->object_type = CAC_OBJECT_TYPE_CERT; |
1095 | 1.79k | } |
1096 | | |
1097 | | /* forget any old cached values */ |
1098 | 7.18k | if (priv->cache_buf) { |
1099 | 28 | free(priv->cache_buf); |
1100 | 28 | priv->cache_buf = NULL; |
1101 | 28 | } |
1102 | 7.18k | priv->cache_buf_len = 0; |
1103 | 7.18k | priv->cached = 0; |
1104 | 7.18k | } |
1105 | | |
1106 | 77.7k | if (in_path->aid.len) { |
1107 | 75.5k | if (!pathlen) { |
1108 | 74.3k | memcpy(path, in_path->aid.value, in_path->aid.len); |
1109 | 74.3k | pathlen = in_path->aid.len; |
1110 | 74.3k | pathtype = SC_PATH_TYPE_DF_NAME; |
1111 | 74.3k | } else { |
1112 | | /* First, select the application */ |
1113 | 1.25k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"select application" ); |
1114 | 1.25k | sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xA4, 4, 0); |
1115 | 1.25k | apdu.data = in_path->aid.value; |
1116 | 1.25k | apdu.datalen = in_path->aid.len; |
1117 | 1.25k | apdu.lc = in_path->aid.len; |
1118 | | |
1119 | 1.25k | r = sc_transmit_apdu(card, &apdu); |
1120 | 1.25k | LOG_TEST_RET(ctx, r, "APDU transmit failed"); |
1121 | 1.23k | r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
1122 | 1.23k | if (r) |
1123 | 1.23k | LOG_FUNC_RETURN(ctx, r); |
1124 | | |
1125 | 1.23k | } |
1126 | 75.5k | } |
1127 | | |
1128 | 77.3k | sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0, 0); |
1129 | | |
1130 | 77.3k | switch (pathtype) { |
1131 | | /* ideally we would had SC_PATH_TYPE_OBJECT_ID and add code to the iso7816 select. |
1132 | | * Unfortunately we'd also need to update the caching code as well. For now just |
1133 | | * use FILE_ID and change p1 here */ |
1134 | 856 | case SC_PATH_TYPE_FILE_ID: |
1135 | 856 | apdu.p1 = 2; |
1136 | 856 | if (pathlen != 2) |
1137 | 0 | return SC_ERROR_INVALID_ARGUMENTS; |
1138 | 856 | break; |
1139 | 74.3k | case SC_PATH_TYPE_DF_NAME: |
1140 | 74.3k | apdu.p1 = 4; |
1141 | 74.3k | break; |
1142 | 2.15k | default: |
1143 | 2.15k | LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS); |
1144 | 77.3k | } |
1145 | 75.1k | apdu.lc = pathlen; |
1146 | 75.1k | apdu.data = path; |
1147 | 75.1k | apdu.datalen = pathlen; |
1148 | 75.1k | apdu.resp = buf; |
1149 | 75.1k | apdu.resplen = sizeof(buf); |
1150 | 75.1k | apdu.le = sc_get_max_recv_size(card) < 256 ? sc_get_max_recv_size(card) : 256; |
1151 | | |
1152 | 75.1k | if (file_out != NULL) { |
1153 | 1.31k | apdu.p2 = 0; /* first record, return FCI */ |
1154 | 1.31k | } |
1155 | 73.8k | else { |
1156 | 73.8k | apdu.p2 = 0x0C; |
1157 | 73.8k | } |
1158 | | |
1159 | 75.1k | r = sc_transmit_apdu(card, &apdu); |
1160 | 75.1k | LOG_TEST_RET(ctx, r, "APDU transmit failed"); |
1161 | | |
1162 | 74.6k | if (file_out == NULL) { |
1163 | | /* For some cards 'SELECT' can be only with request to return FCI/FCP. */ |
1164 | 73.3k | r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
1165 | 73.3k | if (apdu.sw1 == 0x6A && apdu.sw2 == 0x86) { |
1166 | 90 | apdu.p2 = 0x00; |
1167 | 90 | apdu.resplen = sizeof(buf); |
1168 | 90 | if (sc_transmit_apdu(card, &apdu) == SC_SUCCESS) |
1169 | 36 | r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
1170 | 90 | } |
1171 | 73.3k | if (apdu.sw1 == 0x61) |
1172 | 73.3k | LOG_FUNC_RETURN(ctx, SC_SUCCESS); |
1173 | 73.3k | LOG_FUNC_RETURN(ctx, r); |
1174 | 73.3k | } |
1175 | | |
1176 | 1.31k | r = sc_check_sw(card, apdu.sw1, apdu.sw2); |
1177 | 1.31k | if (r) |
1178 | 1.31k | LOG_FUNC_RETURN(ctx, r); |
1179 | | |
1180 | | /* This needs to come after the applet selection */ |
1181 | 728 | if (priv && in_path->len >= 2) { |
1182 | | /* get applet properties to know if we can treat the |
1183 | | * buffer as SimpleLTV and if we have PKI applet. |
1184 | | * |
1185 | | * Do this only if we select applets for reading |
1186 | | * (not during driver initialization) |
1187 | | */ |
1188 | 384 | cac_properties_t prop = {0}; |
1189 | 384 | size_t i = -1; |
1190 | | |
1191 | 384 | r = cac_get_properties(card, &prop); |
1192 | 384 | if (r == SC_SUCCESS) { |
1193 | 461 | for (i = 0; i < prop.num_objects; i++) { |
1194 | 198 | sc_log(card->ctx, "Searching for our OID: 0x%02x 0x%02x = 0x%02x 0x%02x", |
1195 | 198 | prop.objects[i].oid[0], prop.objects[i].oid[1], |
1196 | 198 | in_path->value[0], in_path->value[1]); |
1197 | 198 | if (memcmp(prop.objects[i].oid, |
1198 | 198 | in_path->value, 2) == 0) |
1199 | 88 | break; |
1200 | 198 | } |
1201 | 351 | } |
1202 | 384 | if (i < prop.num_objects) { |
1203 | 88 | if (prop.objects[i].privatekey) |
1204 | 16 | priv->object_type = CAC_OBJECT_TYPE_CERT; |
1205 | 72 | else if (prop.objects[i].simpletlv == 0) |
1206 | 68 | priv->object_type = CAC_OBJECT_TYPE_TLV_FILE; |
1207 | 88 | } |
1208 | 384 | } |
1209 | | |
1210 | | /* CAC cards never return FCI, fake one */ |
1211 | 728 | file = sc_file_new(); |
1212 | 728 | if (file == NULL) |
1213 | 728 | LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); |
1214 | 728 | file->path = *in_path; |
1215 | 728 | file->size = CAC_MAX_SIZE; /* we don't know how big, just give a large size until we can read the file */ |
1216 | | |
1217 | 728 | *file_out = file; |
1218 | 728 | LOG_FUNC_RETURN(ctx, SC_SUCCESS); |
1219 | | |
1220 | 728 | } |
1221 | | |
1222 | | static int cac_select_file(sc_card_t *card, const sc_path_t *in_path, sc_file_t **file_out) |
1223 | 3.88k | { |
1224 | 3.88k | return cac_select_file_by_type(card, in_path, file_out); |
1225 | 3.88k | } |
1226 | | |
1227 | | static int cac_finish(sc_card_t *card) |
1228 | 719 | { |
1229 | 719 | cac_private_data_t * priv = CAC_DATA(card); |
1230 | | |
1231 | 719 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
1232 | 719 | if (priv) { |
1233 | 719 | cac_free_private_data(priv); |
1234 | 719 | } |
1235 | 719 | return SC_SUCCESS; |
1236 | 719 | } |
1237 | | |
1238 | | |
1239 | | /* select the Card Capabilities Container on CAC-2 */ |
1240 | | static int cac_select_CCC(sc_card_t *card) |
1241 | 5.43k | { |
1242 | 5.43k | return cac_select_file_by_type(card, &cac_CCC_Path, NULL); |
1243 | 5.43k | } |
1244 | | |
1245 | | /* Select ACA in non-standard location */ |
1246 | | static int cac_select_ACA(sc_card_t *card) |
1247 | 4.30k | { |
1248 | 4.30k | return cac_select_file_by_type(card, &cac_ACA_Path, NULL); |
1249 | 4.30k | } |
1250 | | |
1251 | | static int cac_path_from_cardurl(sc_card_t *card, sc_path_t *path, cac_card_url_t *val, size_t len) |
1252 | 2.45k | { |
1253 | 2.45k | if (len < 10) { |
1254 | 15 | return SC_ERROR_INVALID_DATA; |
1255 | 15 | } |
1256 | 2.44k | sc_mem_clear(path, sizeof(sc_path_t)); |
1257 | 2.44k | memcpy(path->aid.value, &val->rid, sizeof(val->rid)); |
1258 | 2.44k | memcpy(&path->aid.value[5], val->applicationID, sizeof(val->applicationID)); |
1259 | 2.44k | path->aid.len = sizeof(val->rid) + sizeof(val->applicationID); |
1260 | 2.44k | memcpy(path->value, val->objectID, sizeof(val->objectID)); |
1261 | 2.44k | path->len = sizeof(val->objectID); |
1262 | 2.44k | path->type = SC_PATH_TYPE_FILE_ID; |
1263 | 2.44k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1264 | 2.44k | "path->aid=%x %x %x %x %x %x %x len=%"SC_FORMAT_LEN_SIZE_T"u, path->value = %x %x len=%"SC_FORMAT_LEN_SIZE_T"u path->type=%d (%x)", |
1265 | 2.44k | path->aid.value[0], path->aid.value[1], path->aid.value[2], |
1266 | 2.44k | path->aid.value[3], path->aid.value[4], path->aid.value[5], |
1267 | 2.44k | path->aid.value[6], path->aid.len, path->value[0], |
1268 | 2.44k | path->value[1], path->len, path->type, path->type); |
1269 | 2.44k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1270 | 2.44k | "rid=%x %x %x %x %x len=%"SC_FORMAT_LEN_SIZE_T"u appid= %x %x len=%"SC_FORMAT_LEN_SIZE_T"u objid= %x %x len=%"SC_FORMAT_LEN_SIZE_T"u", |
1271 | 2.44k | val->rid[0], val->rid[1], val->rid[2], val->rid[3], |
1272 | 2.44k | val->rid[4], sizeof(val->rid), val->applicationID[0], |
1273 | 2.44k | val->applicationID[1], sizeof(val->applicationID), |
1274 | 2.44k | val->objectID[0], val->objectID[1], sizeof(val->objectID)); |
1275 | | |
1276 | 2.44k | return SC_SUCCESS; |
1277 | 2.45k | } |
1278 | | |
1279 | | static int cac_parse_aid(sc_card_t *card, cac_private_data_t *priv, const u8 *aid, int aid_len) |
1280 | 592 | { |
1281 | 592 | cac_object_t new_object; |
1282 | 592 | cac_properties_t prop = {0}; |
1283 | 592 | size_t i; |
1284 | 592 | int r; |
1285 | | |
1286 | 592 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
1287 | | |
1288 | | /* Search for PKI applets (7 B). Ignore generic objects for now */ |
1289 | 592 | if (aid_len != 7 || (memcmp(aid, CAC_1_RID "\x01", 6) != 0 |
1290 | 385 | && memcmp(aid, CAC_1_RID "\x00", 6) != 0)) |
1291 | 355 | return SC_SUCCESS; |
1292 | | |
1293 | 237 | sc_mem_clear(&new_object.path, sizeof(sc_path_t)); |
1294 | 237 | memcpy(new_object.path.aid.value, aid, aid_len); |
1295 | 237 | new_object.path.aid.len = aid_len; |
1296 | | |
1297 | | /* Call without OID set will just select the AID without subsequent |
1298 | | * OID selection, which we need to figure out just now |
1299 | | */ |
1300 | 237 | r = cac_select_file_by_type(card, &new_object.path, NULL); |
1301 | 237 | LOG_TEST_RET(card->ctx, r, "Cannot select AID"); |
1302 | 224 | r = cac_get_properties(card, &prop); |
1303 | 224 | LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties"); |
1304 | | |
1305 | 603 | for (i = 0; i < prop.num_objects; i++) { |
1306 | | /* don't fail just because we have more certs than we can support */ |
1307 | 403 | if (priv->cert_next >= MAX_CAC_SLOTS) |
1308 | 17 | return SC_SUCCESS; |
1309 | | |
1310 | 386 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1311 | 386 | "ACA: pki_object found, cert_next=%d (%s), privkey=%d", |
1312 | 386 | priv->cert_next, get_cac_label(priv->cert_next), |
1313 | 386 | prop.objects[i].privatekey); |
1314 | | |
1315 | | /* If the private key is not initialized, we can safely |
1316 | | * ignore this object here, but increase the pointer to follow |
1317 | | * the certificate labels |
1318 | | */ |
1319 | 386 | if (!prop.objects[i].privatekey) { |
1320 | 156 | priv->cert_next++; |
1321 | 156 | continue; |
1322 | 156 | } |
1323 | | |
1324 | | /* OID here has always 2B */ |
1325 | 230 | memcpy(new_object.path.value, &prop.objects[i].oid, 2); |
1326 | 230 | new_object.path.len = 2; |
1327 | 230 | new_object.path.type = SC_PATH_TYPE_FILE_ID; |
1328 | 230 | new_object.name = get_cac_label(priv->cert_next); |
1329 | 230 | new_object.fd = priv->cert_next+1; |
1330 | 230 | cac_add_object_to_list(&priv->pki_list, &new_object); |
1331 | 230 | priv->cert_next++; |
1332 | 230 | } |
1333 | | |
1334 | 200 | return SC_SUCCESS; |
1335 | 217 | } |
1336 | | |
1337 | | static int cac_parse_cardurl(sc_card_t *card, cac_private_data_t *priv, cac_card_url_t *val, size_t len) |
1338 | 1.98k | { |
1339 | 1.98k | cac_object_t new_object; |
1340 | 1.98k | const cac_object_t *obj; |
1341 | 1.98k | unsigned short object_id; |
1342 | 1.98k | int r; |
1343 | | |
1344 | 1.98k | r = cac_path_from_cardurl(card, &new_object.path, val, len); |
1345 | 1.98k | if (r != SC_SUCCESS) { |
1346 | 12 | return r; |
1347 | 12 | } |
1348 | 1.96k | switch (val->cardApplicationType) { |
1349 | 766 | case CAC_APP_TYPE_PKI: |
1350 | | /* we don't want to overflow the cac_label array. This test could |
1351 | | * go way if we create a label function that will create a unique label |
1352 | | * from a cert index. |
1353 | | */ |
1354 | 766 | if (priv->cert_next >= MAX_CAC_SLOTS) |
1355 | 122 | break; /* don't fail just because we have more certs than we can support */ |
1356 | 644 | new_object.name = get_cac_label(priv->cert_next); |
1357 | 644 | new_object.fd = priv->cert_next+1; |
1358 | 644 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"CARDURL: pki_object found, cert_next=%d (%s),", priv->cert_next, new_object.name); |
1359 | 644 | cac_add_object_to_list(&priv->pki_list, &new_object); |
1360 | 644 | priv->cert_next++; |
1361 | 644 | break; |
1362 | 166 | case CAC_APP_TYPE_GENERAL: |
1363 | 166 | object_id = bebytes2ushort(val->objectID); |
1364 | 166 | obj = cac_find_obj_by_id(object_id); |
1365 | 166 | if (obj == NULL) |
1366 | 150 | break; /* don't fail just because we don't recognize the object */ |
1367 | 16 | new_object.name = obj->name; |
1368 | 16 | new_object.fd = 0; |
1369 | 16 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"CARDURL: gen_object found, objectID=%x (%s),", object_id, new_object.name); |
1370 | 16 | cac_add_object_to_list(&priv->general_list, &new_object); |
1371 | 16 | break; |
1372 | 272 | case CAC_APP_TYPE_SKI: |
1373 | 272 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"CARDURL: ski_object found"); |
1374 | 272 | break; |
1375 | 764 | default: |
1376 | 764 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"CARDURL: unknown object_object found (type=0x%02x)", val->cardApplicationType); |
1377 | | /* don't fail just because there is an unknown object in the CCC */ |
1378 | 764 | break; |
1379 | 1.96k | } |
1380 | 1.96k | return SC_SUCCESS; |
1381 | 1.96k | } |
1382 | | |
1383 | | static int cac_parse_cuid(sc_card_t *card, cac_private_data_t *priv, cac_cuid_t *val, size_t len) |
1384 | 408 | { |
1385 | 408 | size_t card_id_len; |
1386 | | |
1387 | 408 | if (len < sizeof(cac_cuid_t)) { |
1388 | 3 | return SC_ERROR_INVALID_DATA; |
1389 | 3 | } |
1390 | | |
1391 | 405 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "gsc_rid=%s", sc_dump_hex(val->gsc_rid, sizeof(val->gsc_rid))); |
1392 | 405 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "manufacture id=%x", val->manufacturer_id); |
1393 | 405 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "cac_type=%d", val->card_type); |
1394 | 405 | card_id_len = len - (&val->card_id - (u8 *)val); |
1395 | 405 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1396 | 405 | "card_id=%s (%"SC_FORMAT_LEN_SIZE_T"u)", |
1397 | 405 | sc_dump_hex(&val->card_id, card_id_len), |
1398 | 405 | card_id_len); |
1399 | 405 | priv->cuid = *val; |
1400 | 405 | free(priv->cac_id); |
1401 | 405 | priv->cac_id = malloc(card_id_len); |
1402 | 405 | if (priv->cac_id == NULL) { |
1403 | 0 | return SC_ERROR_OUT_OF_MEMORY; |
1404 | 0 | } |
1405 | 405 | memcpy(priv->cac_id, &val->card_id, card_id_len); |
1406 | 405 | priv->cac_id_len = card_id_len; |
1407 | 405 | return SC_SUCCESS; |
1408 | 405 | } |
1409 | | static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth); |
1410 | | |
1411 | | static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, const u8 *tl, |
1412 | | size_t tl_len, u8 *val, size_t val_len, int depth) |
1413 | 725 | { |
1414 | 725 | size_t len = 0; |
1415 | 725 | const u8 *tl_end = tl + tl_len; |
1416 | 725 | const u8 *val_end = val + val_len; |
1417 | 725 | sc_path_t new_path; |
1418 | 725 | int r; |
1419 | | |
1420 | | |
1421 | 7.25k | for (; (tl < tl_end) && (val< val_end); val += len) { |
1422 | | /* get the tag and the length */ |
1423 | 7.13k | u8 tag; |
1424 | 7.13k | r = sc_simpletlv_read_tag(&tl, tl_end - tl, &tag, &len); |
1425 | 7.13k | if (r != SC_SUCCESS && r != SC_ERROR_TLV_END_OF_CONTENTS) { |
1426 | 34 | sc_log(card->ctx, "Failed to parse tag from buffer"); |
1427 | 34 | break; |
1428 | 34 | } |
1429 | 7.10k | if (val + len > val_end) { |
1430 | 296 | sc_log(card->ctx, "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1431 | 296 | break; |
1432 | 296 | } |
1433 | 6.80k | switch (tag) { |
1434 | 408 | case CAC_TAG_CUID: |
1435 | 408 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG:CUID"); |
1436 | 408 | r = cac_parse_cuid(card, priv, (cac_cuid_t *)val, len); |
1437 | 408 | if (r < 0) |
1438 | 3 | return r; |
1439 | 405 | break; |
1440 | 456 | case CAC_TAG_CC_VERSION_NUMBER: |
1441 | 456 | if (len != 1) { |
1442 | 33 | sc_log(card->ctx, "TAG: CC Version: " |
1443 | 33 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1444 | 33 | break; |
1445 | 33 | } |
1446 | | /* ignore the version numbers for now */ |
1447 | 423 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1448 | 423 | "TAG: CC Version = 0x%02x", *val); |
1449 | 423 | break; |
1450 | 351 | case CAC_TAG_GRAMMAR_VERION_NUMBER: |
1451 | 351 | if (len != 1) { |
1452 | 51 | sc_log(card->ctx, "TAG: Grammar Version: " |
1453 | 51 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1454 | 51 | break; |
1455 | 51 | } |
1456 | | /* ignore the version numbers for now */ |
1457 | 300 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1458 | 300 | "TAG: Grammar Version = 0x%02x", *val); |
1459 | 300 | break; |
1460 | 1.98k | case CAC_TAG_CARDURL: |
1461 | 1.98k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG:CARDURL"); |
1462 | 1.98k | r = cac_parse_cardurl(card, priv, (cac_card_url_t *)val, len); |
1463 | 1.98k | if (r < 0) |
1464 | 12 | return r; |
1465 | 1.96k | break; |
1466 | | /* |
1467 | | * The following are really for file systems cards. This code only cares about CAC VM cards |
1468 | | */ |
1469 | 1.96k | case CAC_TAG_PKCS15: |
1470 | 161 | if (len != 1) { |
1471 | 38 | sc_log(card->ctx, "TAG: PKCS15: " |
1472 | 38 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1473 | 38 | break; |
1474 | 38 | } |
1475 | | /* TODO should verify that this is '0'. If it's not |
1476 | | * zero, we should drop out of here and let the PKCS 15 |
1477 | | * code handle this card */ |
1478 | 123 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG: PKCS15 = 0x%02x", *val); |
1479 | 123 | break; |
1480 | 52 | case CAC_TAG_DATA_MODEL: |
1481 | 52 | if (len != 1) { |
1482 | 20 | sc_log(card->ctx, "TAG: Registered Data Model Number: " |
1483 | 20 | "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1484 | 20 | break; |
1485 | 20 | } |
1486 | 32 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG: Registered Data Model Number (0x%02x)", *val); |
1487 | 32 | break; |
1488 | 38 | case CAC_TAG_CARD_APDU: |
1489 | 144 | case CAC_TAG_CAPABILITY_TUPLES: |
1490 | 188 | case CAC_TAG_STATUS_TUPLES: |
1491 | 213 | case CAC_TAG_REDIRECTION: |
1492 | 238 | case CAC_TAG_ERROR_CODES: |
1493 | 238 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG: FSSpecific(0x%02x)", tag); |
1494 | 238 | break; |
1495 | 80 | case CAC_TAG_ACCESS_CONTROL: |
1496 | | /* TODO handle access control later */ |
1497 | 80 | sc_log_hex(card->ctx, "TAG:ACCESS Control", val, len); |
1498 | 80 | break; |
1499 | 476 | case CAC_TAG_NEXT_CCC: |
1500 | 476 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG:NEXT CCC"); |
1501 | 476 | r = cac_path_from_cardurl(card, &new_path, (cac_card_url_t *)val, len); |
1502 | 476 | if (r < 0) |
1503 | 3 | return r; |
1504 | | |
1505 | 473 | r = cac_select_file_by_type(card, &new_path, NULL); |
1506 | 473 | if (r < 0) |
1507 | 33 | return r; |
1508 | | |
1509 | | /* Increase depth to avoid infinite recursion */ |
1510 | 440 | r = cac_process_CCC(card, priv, depth + 1); |
1511 | 440 | if (r < 0) |
1512 | 229 | return r; |
1513 | 211 | break; |
1514 | 2.60k | default: |
1515 | | /* ignore tags we don't understand */ |
1516 | 2.60k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG:Unknown (0x%02x)",tag ); |
1517 | 2.60k | break; |
1518 | 6.80k | } |
1519 | 6.80k | } |
1520 | 445 | return SC_SUCCESS; |
1521 | 725 | } |
1522 | | |
1523 | | static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth) |
1524 | 858 | { |
1525 | 858 | u8 *tl = NULL, *val = NULL; |
1526 | 858 | size_t tl_len = 0, val_len = 0; |
1527 | 858 | int r; |
1528 | | |
1529 | 858 | if (depth > CAC_MAX_CCC_DEPTH) { |
1530 | 1 | sc_log(card->ctx, "Too much recursive CCC found. Exiting"); |
1531 | 1 | return SC_ERROR_INVALID_CARD; |
1532 | 1 | } |
1533 | | |
1534 | 857 | r = cac_read_file(card, CAC_FILE_TAG, &tl, &tl_len); |
1535 | 857 | if (r < 0) |
1536 | 116 | goto done; |
1537 | | |
1538 | 741 | r = cac_read_file(card, CAC_FILE_VALUE, &val, &val_len); |
1539 | 741 | if (r < 0) |
1540 | 16 | goto done; |
1541 | | |
1542 | 725 | r = cac_parse_CCC(card, priv, tl, tl_len, val, val_len, depth); |
1543 | 857 | done: |
1544 | 857 | if (tl) |
1545 | 741 | free(tl); |
1546 | 857 | if (val) |
1547 | 725 | free(val); |
1548 | 857 | return r; |
1549 | 725 | } |
1550 | | |
1551 | | /* Service Applet Table (Table 5-21) should list all the applets on the |
1552 | | * card, which is a good start if we don't have CCC |
1553 | | */ |
1554 | | static int cac_parse_ACA_service(sc_card_t *card, cac_private_data_t *priv, |
1555 | | const u8 *val, size_t val_len) |
1556 | 388 | { |
1557 | 388 | size_t len = 0; |
1558 | 388 | const u8 *val_end = val + val_len; |
1559 | 388 | int r; |
1560 | | |
1561 | 388 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
1562 | | |
1563 | 4.80k | for (; val < val_end; val += len) { |
1564 | | /* get the tag and the length */ |
1565 | 4.74k | u8 tag; |
1566 | 4.74k | if (sc_simpletlv_read_tag(&val, val_end - val, &tag, &len) != SC_SUCCESS) |
1567 | 313 | break; |
1568 | | |
1569 | 4.43k | switch (tag) { |
1570 | 601 | case CAC_TAG_APPLET_FAMILY: |
1571 | 601 | if (len != 5) { |
1572 | 407 | sc_log(card->ctx, "TAG: Applet Information: " |
1573 | 407 | "bad length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1574 | 407 | break; |
1575 | 407 | } |
1576 | 194 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1577 | 194 | "TAG: Applet Information: Family: 0x%02x", val[0]); |
1578 | 194 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1579 | 194 | " Applet Version: 0x%02x 0x%02x 0x%02x 0x%02x", |
1580 | 194 | val[1], val[2], val[3], val[4]); |
1581 | 194 | break; |
1582 | 421 | case CAC_TAG_NUMBER_APPLETS: |
1583 | 421 | if (len != 1) { |
1584 | 350 | sc_log(card->ctx, "TAG: Num applets: " |
1585 | 350 | "bad length %"SC_FORMAT_LEN_SIZE_T"u", len); |
1586 | 350 | break; |
1587 | 350 | } |
1588 | 71 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1589 | 71 | "TAG: Num applets = %hhd", *val); |
1590 | 71 | break; |
1591 | 1.11k | case CAC_TAG_APPLET_ENTRY: |
1592 | | /* Make sure we match the outer length */ |
1593 | 1.11k | if (len < 3 || val[2] != len - 3) { |
1594 | 524 | sc_log(card->ctx, "TAG: Applet Entry: " |
1595 | 524 | "bad length (%"SC_FORMAT_LEN_SIZE_T |
1596 | 524 | "u) or length of internal buffer", len); |
1597 | 524 | break; |
1598 | 524 | } |
1599 | 592 | sc_debug_hex(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1600 | 592 | "TAG: Applet Entry: AID", val + 3, val[2]); |
1601 | | /* This is SimpleTLV prefixed with applet ID (1B) */ |
1602 | 592 | r = cac_parse_aid(card, priv, val + 3, val[2]); |
1603 | 592 | if (r < 0) |
1604 | 20 | return r; |
1605 | 572 | break; |
1606 | 2.29k | default: |
1607 | | /* ignore tags we don't understand */ |
1608 | 2.29k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1609 | 2.29k | "TAG: Unknown (0x%02x)", tag); |
1610 | 2.29k | break; |
1611 | 4.43k | } |
1612 | 4.43k | } |
1613 | 368 | return SC_SUCCESS; |
1614 | 388 | } |
1615 | | |
1616 | | /* select a CAC pki applet by index */ |
1617 | | static int cac_select_pki_applet(sc_card_t *card, int index) |
1618 | 62.4k | { |
1619 | 62.4k | sc_path_t applet_path = cac_cac_pki_obj.path; |
1620 | 62.4k | applet_path.aid.value[applet_path.aid.len-1] = index; |
1621 | 62.4k | return cac_select_file_by_type(card, &applet_path, NULL); |
1622 | 62.4k | } |
1623 | | |
1624 | | /* |
1625 | | * Find the first existing CAC applet. If none found, then this isn't a CAC |
1626 | | */ |
1627 | | static int cac_find_first_pki_applet(sc_card_t *card, int *index_out) |
1628 | 3.89k | { |
1629 | 3.89k | int r, i; |
1630 | 63.8k | for (i = 0; i < MAX_CAC_SLOTS; i++) { |
1631 | 60.1k | r = cac_select_pki_applet(card, i); |
1632 | 60.1k | if (r == SC_SUCCESS) { |
1633 | | /* Try to read first two bytes of the buffer to |
1634 | | * make sure it is not just malfunctioning card |
1635 | | */ |
1636 | 429 | u8 params[2] = {CAC_FILE_TAG, 2}; |
1637 | 429 | u8 data[2], *out_ptr = data; |
1638 | 429 | size_t len = 2; |
1639 | 429 | r = cac_apdu_io(card, CAC_INS_READ_FILE, 0, 0, |
1640 | 429 | ¶ms[0], sizeof(params), &out_ptr, &len); |
1641 | 429 | if (r != 2) |
1642 | 251 | continue; |
1643 | | |
1644 | 178 | *index_out = i; |
1645 | 178 | return SC_SUCCESS; |
1646 | 429 | } |
1647 | 60.1k | } |
1648 | 3.71k | return SC_ERROR_OBJECT_NOT_FOUND; |
1649 | 3.89k | } |
1650 | | |
1651 | | /* |
1652 | | * This emulates CCC for Alt tokens, that do not come with CCC nor ACA applets |
1653 | | */ |
1654 | | static int cac_populate_cac_alt(sc_card_t *card, int index, cac_private_data_t *priv) |
1655 | 159 | { |
1656 | 159 | int r, i; |
1657 | 159 | cac_object_t pki_obj = cac_cac_pki_obj; |
1658 | 159 | u8 buf[100]; |
1659 | 159 | u8 *val; |
1660 | | |
1661 | | /* populate PKI objects */ |
1662 | 2.34k | for (i = index; i < MAX_CAC_SLOTS; i++) { |
1663 | 2.18k | r = cac_select_pki_applet(card, i); |
1664 | 2.18k | if (r == SC_SUCCESS) { |
1665 | 1.02k | pki_obj.name = get_cac_label(i); |
1666 | 1.02k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1667 | 1.02k | "CAC: pki_object found, cert_next=%d (%s),", i, pki_obj.name); |
1668 | 1.02k | pki_obj.path.aid.value[pki_obj.path.aid.len-1] = i; |
1669 | 1.02k | pki_obj.fd = i+1; /* don't use id of zero */ |
1670 | 1.02k | cac_add_object_to_list(&priv->pki_list, &pki_obj); |
1671 | 1.02k | } |
1672 | 2.18k | } |
1673 | | |
1674 | | /* populate non-PKI objects */ |
1675 | 1.11k | for (i=0; i < cac_object_count; i++) { |
1676 | 954 | r = cac_select_file_by_type(card, &cac_objects[i].path, NULL); |
1677 | 954 | if (r == SC_SUCCESS) { |
1678 | 422 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1679 | 422 | "CAC: obj_object found, cert_next=%d (%s),", |
1680 | 422 | i, cac_objects[i].name); |
1681 | 422 | cac_add_object_to_list(&priv->general_list, &cac_objects[i]); |
1682 | 422 | } |
1683 | 954 | } |
1684 | | |
1685 | | /* |
1686 | | * create a cuid to simulate the cac 2 cuid. |
1687 | | */ |
1688 | 159 | priv->cuid = cac_cac_cuid; |
1689 | | /* create a serial number by hashing the first 100 bytes of the |
1690 | | * first certificate on the card */ |
1691 | 159 | r = cac_select_pki_applet(card, index); |
1692 | 159 | if (r < 0) { |
1693 | 42 | return r; /* shouldn't happen unless the card has been removed or is malfunctioning */ |
1694 | 42 | } |
1695 | 117 | val = buf; |
1696 | 117 | r = cac_read_binary(card, 0, val, sizeof(buf), 0); |
1697 | 117 | if (r > 0) { |
1698 | 1 | #ifdef ENABLE_OPENSSL |
1699 | 1 | size_t val_len = r; |
1700 | 1 | free(priv->cac_id); |
1701 | 1 | priv->cac_id = malloc(20); |
1702 | 1 | if (priv->cac_id == NULL) { |
1703 | 0 | return SC_ERROR_OUT_OF_MEMORY; |
1704 | 0 | } |
1705 | 1 | SHA1(val, val_len, priv->cac_id); |
1706 | 1 | priv->cac_id_len = 20; |
1707 | 1 | sc_debug_hex(card->ctx, SC_LOG_DEBUG_VERBOSE, |
1708 | 1 | "cuid", priv->cac_id, priv->cac_id_len); |
1709 | | #else |
1710 | | sc_log(card->ctx, "OpenSSL Required"); |
1711 | | return SC_ERROR_NOT_SUPPORTED; |
1712 | | #endif /* ENABLE_OPENSSL */ |
1713 | 1 | } |
1714 | 117 | return SC_SUCCESS; |
1715 | 117 | } |
1716 | | |
1717 | | static int cac_process_ACA(sc_card_t *card, cac_private_data_t *priv) |
1718 | 427 | { |
1719 | 427 | int r; |
1720 | 427 | u8 *val = NULL; |
1721 | 427 | size_t val_len; |
1722 | | |
1723 | 427 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
1724 | | |
1725 | | /* Assuming ACA is already selected */ |
1726 | 427 | r = cac_get_acr(card, CAC_ACR_SERVICE, &val, &val_len); |
1727 | 427 | if (r < 0) |
1728 | 39 | goto done; |
1729 | | |
1730 | 388 | r = cac_parse_ACA_service(card, priv, val, val_len); |
1731 | 388 | if (r == SC_SUCCESS) { |
1732 | 368 | priv->aca_path = malloc(sizeof(sc_path_t)); |
1733 | 368 | if (!priv->aca_path) { |
1734 | 0 | r = SC_ERROR_OUT_OF_MEMORY; |
1735 | 0 | goto done; |
1736 | 0 | } |
1737 | 368 | memcpy(priv->aca_path, &cac_ACA_Path, sizeof(sc_path_t)); |
1738 | 368 | } |
1739 | 427 | done: |
1740 | 427 | if (val) |
1741 | 388 | free(val); |
1742 | 427 | LOG_FUNC_RETURN(card->ctx, r); |
1743 | 427 | } |
1744 | | |
1745 | | /* |
1746 | | * Look for a CAC card. If it exists, initialize our data structures |
1747 | | */ |
1748 | | static int cac_find_and_initialize(sc_card_t *card, int initialize) |
1749 | 5.43k | { |
1750 | 5.43k | int r, index; |
1751 | 5.43k | cac_private_data_t *priv = NULL; |
1752 | | |
1753 | | /* already initialized? */ |
1754 | 5.43k | if (card->drv_data) { |
1755 | 0 | return SC_SUCCESS; |
1756 | 0 | } |
1757 | | |
1758 | | /* is this a CAC-2 specified in NIST Interagency Report 6887 - |
1759 | | * "Government Smart Card Interoperability Specification v2.1 July 2003" */ |
1760 | 5.43k | r = cac_select_CCC(card); |
1761 | 5.43k | if (r == SC_SUCCESS) { |
1762 | 1.31k | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "CCC found, is CAC-2"); |
1763 | 1.31k | if (!initialize) /* match card only */ |
1764 | 898 | return r; |
1765 | | |
1766 | 418 | priv = cac_new_private_data(); |
1767 | 418 | if (!priv) |
1768 | 0 | return SC_ERROR_OUT_OF_MEMORY; |
1769 | 418 | r = cac_process_CCC(card, priv, 0); |
1770 | 418 | if (r == SC_SUCCESS) { |
1771 | 234 | card->type = SC_CARD_TYPE_CAC_II; |
1772 | 234 | card->drv_data = priv; |
1773 | 234 | return r; |
1774 | 234 | } |
1775 | 418 | } |
1776 | | |
1777 | | /* Even some ALT tokens can be missing CCC so we should try with ACA */ |
1778 | 4.30k | r = cac_select_ACA(card); |
1779 | 4.30k | if (r == SC_SUCCESS) { |
1780 | 464 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "ACA found, is CAC-2 without CCC"); |
1781 | 464 | if (!initialize) /* match card only */ |
1782 | 37 | return r; |
1783 | | |
1784 | 427 | if (!priv) { |
1785 | 389 | priv = cac_new_private_data(); |
1786 | 389 | if (!priv) |
1787 | 0 | return SC_ERROR_OUT_OF_MEMORY; |
1788 | 389 | } |
1789 | 427 | r = cac_process_ACA(card, priv); |
1790 | 427 | if (r == SC_SUCCESS) { |
1791 | 368 | card->type = SC_CARD_TYPE_CAC_ALT_HID; |
1792 | 368 | card->drv_data = priv; |
1793 | 368 | return r; |
1794 | 368 | } |
1795 | 427 | } |
1796 | | |
1797 | | /* is this a CAC Alt token without any accompanying structures */ |
1798 | 3.89k | r = cac_find_first_pki_applet(card, &index); |
1799 | 3.89k | if (r == SC_SUCCESS) { |
1800 | 178 | sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "PKI applet found, is bare CAC Alt"); |
1801 | 178 | if (!initialize) /* match card only */ |
1802 | 19 | return r; |
1803 | | |
1804 | 159 | if (!priv) { |
1805 | 124 | priv = cac_new_private_data(); |
1806 | 124 | if (!priv) |
1807 | 0 | return SC_ERROR_OUT_OF_MEMORY; |
1808 | 124 | } |
1809 | 159 | card->drv_data = priv; /* needed for the read_binary() */ |
1810 | 159 | r = cac_populate_cac_alt(card, index, priv); |
1811 | 159 | if (r == SC_SUCCESS) { |
1812 | 117 | card->type = SC_CARD_TYPE_CAC_II; |
1813 | 117 | return r; |
1814 | 117 | } |
1815 | 42 | card->drv_data = NULL; /* reset on failure */ |
1816 | 42 | } |
1817 | 3.75k | if (priv) { |
1818 | 212 | cac_free_private_data(priv); |
1819 | 212 | } |
1820 | 3.75k | return r; |
1821 | 3.89k | } |
1822 | | |
1823 | | |
1824 | | /* NOTE: returns a bool, 1 card matches, 0 it does not */ |
1825 | | static int cac_match_card(sc_card_t *card) |
1826 | 4.47k | { |
1827 | 4.47k | int r; |
1828 | 4.47k | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
1829 | | |
1830 | 4.47k | r = cac_find_and_initialize(card, 0); |
1831 | 4.47k | return (r == SC_SUCCESS); /* never match */ |
1832 | 4.47k | } |
1833 | | |
1834 | | |
1835 | | static int cac_init(sc_card_t *card) |
1836 | 954 | { |
1837 | 954 | int r; |
1838 | 954 | unsigned long flags; |
1839 | | |
1840 | 954 | SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); |
1841 | | |
1842 | 954 | r = cac_find_and_initialize(card, 1); |
1843 | 954 | if (r < 0) { |
1844 | 235 | LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_CARD); |
1845 | 235 | } |
1846 | 719 | flags = SC_ALGORITHM_RSA_RAW; |
1847 | | |
1848 | 719 | _sc_card_add_rsa_alg(card, 1024, flags, 0); /* mandatory */ |
1849 | 719 | _sc_card_add_rsa_alg(card, 2048, flags, 0); /* optional */ |
1850 | 719 | _sc_card_add_rsa_alg(card, 3072, flags, 0); /* optional */ |
1851 | | |
1852 | 719 | card->caps |= SC_CARD_CAP_RNG | SC_CARD_CAP_ISO7816_PIN_INFO; |
1853 | | |
1854 | 719 | LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); |
1855 | 719 | } |
1856 | | |
1857 | | static int cac_logout(sc_card_t *card) |
1858 | 0 | { |
1859 | 0 | int index; |
1860 | 0 | return cac_find_first_pki_applet(card, &index); |
1861 | 0 | } |
1862 | | |
1863 | | static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left) |
1864 | 98 | { |
1865 | | /* CAC, like PIV needs Extra validation of (new) PIN during |
1866 | | * a PIN change request, to ensure it's not outside the |
1867 | | * FIPS 201 4.1.6.1 (numeric only) and * FIPS 140-2 |
1868 | | * (6 character minimum) requirements. |
1869 | | */ |
1870 | 98 | sc_apdu_t apdu; |
1871 | 98 | u8 sbuf[SC_MAX_APDU_BUFFER_SIZE]; |
1872 | 98 | struct sc_card_driver *iso_drv = sc_get_iso7816_driver(); |
1873 | 98 | int rv; |
1874 | | |
1875 | 98 | if (data->cmd == SC_PIN_CMD_CHANGE) { |
1876 | 12 | size_t i = 0; |
1877 | 12 | if (data->pin2.len < 6) { |
1878 | 3 | return SC_ERROR_INVALID_PIN_LENGTH; |
1879 | 3 | } |
1880 | 53 | for(i=0; i < data->pin2.len; ++i) { |
1881 | 47 | if (!isdigit(data->pin2.data[i])) { |
1882 | 3 | return SC_ERROR_INVALID_DATA; |
1883 | 3 | } |
1884 | 47 | } |
1885 | | |
1886 | | /* We can change the PIN of Giesecke & Devrient CAC ALT tokens |
1887 | | * with a bit non-standard APDU */ |
1888 | 6 | if (card->type == SC_CARD_TYPE_CAC_ALT_HID) { |
1889 | 2 | int r = 0; |
1890 | 2 | r = iso7816_build_pin_apdu(card, &apdu, data, sbuf, sizeof(sbuf)); |
1891 | 2 | if (r < 0) |
1892 | 0 | return r; |
1893 | | /* it requires P1 = 0x01 completely against the ISO specs */ |
1894 | 2 | apdu.p1 = 0x01; |
1895 | 2 | data->apdu = &apdu; |
1896 | 2 | } |
1897 | 6 | } |
1898 | | |
1899 | 92 | rv = iso_drv->ops->pin_cmd(card, data, tries_left); |
1900 | | |
1901 | 92 | data->apdu = NULL; |
1902 | 92 | return rv; |
1903 | 98 | } |
1904 | | |
1905 | | static struct sc_card_operations cac_ops; |
1906 | | |
1907 | | static struct sc_card_driver cac_drv = { |
1908 | | "Common Access Card (CAC)", |
1909 | | "cac", |
1910 | | &cac_ops, |
1911 | | NULL, 0, NULL |
1912 | | }; |
1913 | | |
1914 | | static struct sc_card_driver * sc_get_driver(void) |
1915 | 29.6k | { |
1916 | 29.6k | struct sc_card_driver *iso_drv = sc_get_iso7816_driver(); |
1917 | | |
1918 | 29.6k | cac_ops = *iso_drv->ops; |
1919 | 29.6k | cac_ops.match_card = cac_match_card; |
1920 | 29.6k | cac_ops.init = cac_init; |
1921 | 29.6k | cac_ops.finish = cac_finish; |
1922 | | |
1923 | 29.6k | cac_ops.select_file = cac_select_file; /* need to record object type */ |
1924 | 29.6k | cac_ops.get_challenge = cac_get_challenge; |
1925 | 29.6k | cac_ops.read_binary = cac_read_binary; |
1926 | | /* CAC driver is read only */ |
1927 | 29.6k | cac_ops.write_binary = NULL; |
1928 | 29.6k | cac_ops.set_security_env = cac_set_security_env; |
1929 | 29.6k | cac_ops.restore_security_env = cac_restore_security_env; |
1930 | 29.6k | cac_ops.compute_signature = cac_compute_signature; |
1931 | 29.6k | cac_ops.decipher = cac_decipher; |
1932 | 29.6k | cac_ops.card_ctl = cac_card_ctl; |
1933 | 29.6k | cac_ops.pin_cmd = cac_pin_cmd; |
1934 | 29.6k | cac_ops.logout = cac_logout; |
1935 | | |
1936 | 29.6k | return &cac_drv; |
1937 | 29.6k | } |
1938 | | |
1939 | | |
1940 | | struct sc_card_driver * sc_get_cac_driver(void) |
1941 | 29.6k | { |
1942 | 29.6k | return sc_get_driver(); |
1943 | 29.6k | } |