/src/opensc/src/libopensc/pkcs15-pin.c
Line | Count | Source |
1 | | /* |
2 | | * pkcs15-pin.c: PKCS #15 PIN functions |
3 | | * |
4 | | * Copyright (C) 2001, 2002 Juha Yrjölä <juha.yrjola@iki.fi> |
5 | | * |
6 | | * This library is free software; you can redistribute it and/or |
7 | | * modify it under the terms of the GNU Lesser General Public |
8 | | * License as published by the Free Software Foundation; either |
9 | | * version 2.1 of the License, or (at your option) any later version. |
10 | | * |
11 | | * This library is distributed in the hope that it will be useful, |
12 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
14 | | * Lesser General Public License for more details. |
15 | | * |
16 | | * You should have received a copy of the GNU Lesser General Public |
17 | | * License along with this library; if not, write to the Free Software |
18 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
19 | | */ |
20 | | |
21 | | #ifdef HAVE_CONFIG_H |
22 | | #include "config.h" |
23 | | #endif |
24 | | |
25 | | #include <assert.h> |
26 | | #include <string.h> |
27 | | #include <stdlib.h> |
28 | | #include <stdio.h> |
29 | | |
30 | | #include "internal.h" |
31 | | #include "asn1.h" |
32 | | #include "pkcs15.h" |
33 | | #include "ui/notify.h" |
34 | | |
35 | | int _sc_pkcs15_verify_pin(struct sc_pkcs15_card *, struct sc_pkcs15_object *, |
36 | | const unsigned char *, size_t); |
37 | | |
38 | | static const struct sc_asn1_entry c_asn1_com_ao_attr[] = { |
39 | | { "authId", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL }, |
40 | | { NULL, 0, 0, 0, NULL, NULL } |
41 | | }; |
42 | | |
43 | | /* PIN attributes */ |
44 | | static const struct sc_asn1_entry c_asn1_pin_attr[] = { |
45 | | { "pinFlags", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL }, |
46 | | { "pinType", SC_ASN1_ENUMERATED, SC_ASN1_TAG_ENUMERATED, 0, NULL, NULL }, |
47 | | { "minLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, |
48 | | { "storedLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, |
49 | | { "maxLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, |
50 | | { "pinReference", SC_ASN1_INTEGER, SC_ASN1_CTX | 0, SC_ASN1_OPTIONAL, NULL, NULL }, |
51 | | { "padChar", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_OPTIONAL, NULL, NULL }, |
52 | | { "lastPinChange",SC_ASN1_GENERALIZEDTIME, SC_ASN1_TAG_GENERALIZEDTIME, SC_ASN1_OPTIONAL, NULL, NULL }, |
53 | | { "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
54 | | { NULL, 0, 0, 0, NULL, NULL } |
55 | | }; |
56 | | static const struct sc_asn1_entry c_asn1_type_pin_attr[] = { |
57 | | { "pinAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, |
58 | | { NULL, 0, 0, 0, NULL, NULL } |
59 | | }; |
60 | | |
61 | | /* Auth Key attributes */ |
62 | | static const struct sc_asn1_entry c_asn1_authkey_attr[] = { |
63 | | { "derivedKey", SC_ASN1_BOOLEAN, SC_ASN1_TAG_BOOLEAN, SC_ASN1_OPTIONAL, NULL, NULL }, |
64 | | { "authKeyId", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL }, |
65 | | { NULL, 0, 0, 0, NULL, NULL } |
66 | | }; |
67 | | static const struct sc_asn1_entry c_asn1_type_authkey_attr[] = { |
68 | | { "authKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, |
69 | | { NULL, 0, 0, 0, NULL, NULL } |
70 | | }; |
71 | | static const struct sc_asn1_entry c_asn1_auth_type[] = { |
72 | | { "authType", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, |
73 | | { NULL, 0, 0, 0, NULL, NULL } |
74 | | }; |
75 | | static const struct sc_asn1_entry c_asn1_auth_type_choice[] = { |
76 | | { "pin", SC_ASN1_PKCS15_OBJECT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
77 | | { "biometricTemplate", SC_ASN1_PKCS15_OBJECT, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
78 | | { "authKey", SC_ASN1_PKCS15_OBJECT, SC_ASN1_CTX | 1 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL }, |
79 | | { NULL, 0, 0, 0, NULL, NULL } |
80 | | }; |
81 | | |
82 | | |
83 | | int |
84 | | sc_pkcs15_decode_aodf_entry(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *obj, |
85 | | const u8 ** buf, size_t *buflen) |
86 | 4.68k | { |
87 | 4.68k | sc_context_t *ctx = p15card->card->ctx; |
88 | 4.68k | struct sc_pkcs15_auth_info info; |
89 | 4.68k | int r; |
90 | 4.68k | size_t flags_len = sizeof(info.attrs.pin.flags); |
91 | 4.68k | size_t derived_len = sizeof(info.attrs.authkey.derived); |
92 | 4.68k | size_t padchar_len = 1; |
93 | 4.68k | struct sc_asn1_entry asn1_com_ao_attr[2]; |
94 | 4.68k | struct sc_asn1_entry asn1_pin_attr[10], asn1_type_pin_attr[2]; |
95 | 4.68k | struct sc_asn1_entry asn1_authkey_attr[3], asn1_type_authkey_attr[2]; |
96 | 4.68k | struct sc_asn1_entry asn1_auth_type[2]; |
97 | 4.68k | struct sc_asn1_entry asn1_auth_type_choice[4]; |
98 | 4.68k | struct sc_asn1_pkcs15_object pin_obj = { obj, asn1_com_ao_attr, NULL, asn1_type_pin_attr }; |
99 | 4.68k | struct sc_asn1_pkcs15_object authkey_obj = { obj, asn1_com_ao_attr, NULL, asn1_type_authkey_attr }; |
100 | | |
101 | 4.68k | SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_ASN1); |
102 | | |
103 | 4.68k | sc_copy_asn1_entry(c_asn1_auth_type, asn1_auth_type); |
104 | 4.68k | sc_copy_asn1_entry(c_asn1_auth_type_choice, asn1_auth_type_choice); |
105 | | |
106 | 4.68k | sc_copy_asn1_entry(c_asn1_com_ao_attr, asn1_com_ao_attr); |
107 | | |
108 | 4.68k | sc_copy_asn1_entry(c_asn1_type_pin_attr, asn1_type_pin_attr); |
109 | 4.68k | sc_copy_asn1_entry(c_asn1_pin_attr, asn1_pin_attr); |
110 | | |
111 | 4.68k | sc_copy_asn1_entry(c_asn1_type_authkey_attr, asn1_type_authkey_attr); |
112 | 4.68k | sc_copy_asn1_entry(c_asn1_authkey_attr, asn1_authkey_attr); |
113 | | |
114 | 4.68k | sc_format_asn1_entry(asn1_auth_type + 0, asn1_auth_type_choice, NULL, 0); |
115 | 4.68k | sc_format_asn1_entry(asn1_auth_type_choice + 0, &pin_obj, NULL, 0); /* 'pin' */ |
116 | 4.68k | sc_format_asn1_entry(asn1_auth_type_choice + 2, &authkey_obj, NULL, 0); /* 'authKey' */ |
117 | | |
118 | | /* pinAttributes */ |
119 | 4.68k | sc_format_asn1_entry(asn1_type_pin_attr + 0, asn1_pin_attr, NULL, 0); |
120 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 0, &info.attrs.pin.flags, &flags_len, 0); |
121 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 1, &info.attrs.pin.type, NULL, 0); |
122 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 2, &info.attrs.pin.min_length, NULL, 0); |
123 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 3, &info.attrs.pin.stored_length, NULL, 0); |
124 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 4, &info.attrs.pin.max_length, NULL, 0); |
125 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 5, &info.attrs.pin.reference, NULL, 0); |
126 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 6, &info.attrs.pin.pad_char, &padchar_len, 0); |
127 | | |
128 | | /* authKeyAttributes */ |
129 | 4.68k | sc_format_asn1_entry(asn1_type_authkey_attr + 0, asn1_authkey_attr, NULL, 0); |
130 | 4.68k | sc_format_asn1_entry(asn1_authkey_attr + 0, &info.attrs.authkey.derived, &derived_len, 0); |
131 | 4.68k | sc_format_asn1_entry(asn1_authkey_attr + 1, &info.attrs.authkey.skey_id, NULL, 0); |
132 | | |
133 | | /* We don't support lastPinChange yet. */ |
134 | 4.68k | sc_format_asn1_entry(asn1_pin_attr + 8, &info.path, NULL, 0); |
135 | | |
136 | 4.68k | sc_format_asn1_entry(asn1_com_ao_attr + 0, &info.auth_id, NULL, 0); |
137 | | |
138 | | /* Fill in defaults */ |
139 | 4.68k | memset(&info, 0, sizeof(info)); |
140 | 4.68k | info.tries_left = -1; |
141 | 4.68k | info.logged_in = SC_PIN_STATE_UNKNOWN; |
142 | | |
143 | 4.68k | r = sc_asn1_decode(ctx, asn1_auth_type, *buf, *buflen, buf, buflen); |
144 | 4.68k | if (r == SC_ERROR_ASN1_END_OF_CONTENTS) |
145 | 1.02k | return r; |
146 | 3.65k | LOG_TEST_RET(ctx, r, "ASN.1 decoding failed"); |
147 | | |
148 | 397 | if (asn1_auth_type_choice[0].flags & SC_ASN1_PRESENT) { |
149 | 340 | sc_log(ctx, "AuthType: PIN"); |
150 | 340 | obj->type = SC_PKCS15_TYPE_AUTH_PIN; |
151 | 340 | info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN; |
152 | 340 | info.auth_method = SC_AC_CHV; |
153 | | |
154 | 340 | if (info.attrs.pin.max_length == 0) { |
155 | 282 | if (p15card->card->max_pin_len != 0) |
156 | 0 | info.attrs.pin.max_length = p15card->card->max_pin_len; |
157 | 282 | else if (info.attrs.pin.stored_length != 0) |
158 | 269 | info.attrs.pin.max_length = info.attrs.pin.type != SC_PKCS15_PIN_TYPE_BCD ? |
159 | 234 | info.attrs.pin.stored_length : 2 * info.attrs.pin.stored_length; |
160 | 13 | else |
161 | 13 | info.attrs.pin.max_length = 8; /* shouldn't happen */ |
162 | 282 | } |
163 | | |
164 | | /* OpenSC 0.11.4 and older encoded "pinReference" as a negative |
165 | | value. Fixed in 0.11.5 we need to add a hack, so old cards |
166 | | continue to work. |
167 | | The same invalid encoding has some models of the proprietary PKCS#15 cards. |
168 | | */ |
169 | 340 | if (info.attrs.pin.reference < 0) |
170 | 97 | info.attrs.pin.reference += 256; |
171 | | |
172 | 340 | if (info.attrs.pin.flags & SC_PKCS15_PIN_FLAG_LOCAL) { |
173 | | /* In OpenSC pkcs#15 framework 'path' is mandatory for the 'Local' PINs. |
174 | | * If 'path' do not present in PinAttributes, derive it from the PKCS#15 context. */ |
175 | 98 | if (!info.path.len) { |
176 | | /* Give priority to AID defined in the application DDO */ |
177 | 89 | if (p15card->app && p15card->app->ddo.aid.len) |
178 | 0 | info.path.aid = p15card->app->ddo.aid; |
179 | 89 | else if (p15card->file_app && p15card->file_app->path.len) |
180 | 67 | info.path = p15card->file_app->path; |
181 | 22 | else |
182 | 22 | return SC_ERROR_INTERNAL; |
183 | 89 | } |
184 | 98 | } |
185 | 318 | sc_debug(ctx, SC_LOG_DEBUG_ASN1, "decoded PIN(ref:%X,path:%s)", info.attrs.pin.reference, sc_print_path(&info.path)); |
186 | 318 | } |
187 | 57 | else if (asn1_auth_type_choice[1].flags & SC_ASN1_PRESENT) { |
188 | 56 | LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "BIO authentication object not yet supported"); |
189 | 56 | } |
190 | 1 | else if (asn1_auth_type_choice[2].flags & SC_ASN1_PRESENT) { |
191 | 1 | sc_log(ctx, "AuthType: AuthKey"); |
192 | 1 | obj->type = SC_PKCS15_TYPE_AUTH_AUTHKEY; |
193 | 1 | info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY; |
194 | 1 | info.auth_method = SC_AC_AUT; |
195 | 1 | if (!(asn1_authkey_attr[0].flags & SC_ASN1_PRESENT)) |
196 | 1 | info.attrs.authkey.derived = 1; |
197 | 1 | } |
198 | 0 | else { |
199 | 0 | LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "unknown authentication type"); |
200 | 0 | } |
201 | | |
202 | 319 | obj->data = malloc(sizeof(info)); |
203 | 319 | if (obj->data == NULL) |
204 | 319 | LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); |
205 | 319 | memcpy(obj->data, &info, sizeof(info)); |
206 | | |
207 | 319 | SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_ASN1, SC_SUCCESS); |
208 | 319 | } |
209 | | |
210 | | int sc_pkcs15_encode_aodf_entry(sc_context_t *ctx, |
211 | | const struct sc_pkcs15_object *obj, |
212 | | u8 **buf, size_t *buflen) |
213 | 3.55k | { |
214 | 3.55k | struct sc_asn1_entry asn1_com_ao_attr[2], asn1_pin_attr[10], asn1_type_pin_attr[2]; |
215 | 3.55k | struct sc_asn1_entry asn1_auth_type[2]; |
216 | 3.55k | struct sc_asn1_entry asn1_auth_type_choice[4]; |
217 | 3.55k | struct sc_pkcs15_auth_info *info = (struct sc_pkcs15_auth_info *) obj->data; |
218 | 3.55k | struct sc_asn1_pkcs15_object pin_obj = { (struct sc_pkcs15_object *) obj, |
219 | 3.55k | asn1_com_ao_attr, NULL, asn1_type_pin_attr }; |
220 | 3.55k | int r; |
221 | 3.55k | size_t flags_len; |
222 | 3.55k | size_t padchar_len = 1; |
223 | | |
224 | 3.55k | if (info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
225 | 0 | return SC_ERROR_NOT_SUPPORTED; |
226 | | |
227 | 3.55k | sc_copy_asn1_entry(c_asn1_auth_type, asn1_auth_type); |
228 | 3.55k | sc_copy_asn1_entry(c_asn1_auth_type_choice, asn1_auth_type_choice); |
229 | 3.55k | sc_copy_asn1_entry(c_asn1_type_pin_attr, asn1_type_pin_attr); |
230 | 3.55k | sc_copy_asn1_entry(c_asn1_pin_attr, asn1_pin_attr); |
231 | 3.55k | sc_copy_asn1_entry(c_asn1_com_ao_attr, asn1_com_ao_attr); |
232 | | |
233 | 3.55k | sc_format_asn1_entry(asn1_auth_type + 0, asn1_auth_type_choice, NULL, 1); |
234 | 3.55k | sc_format_asn1_entry(asn1_auth_type_choice + 0, &pin_obj, NULL, 1); |
235 | | |
236 | 3.55k | sc_format_asn1_entry(asn1_type_pin_attr + 0, asn1_pin_attr, NULL, 1); |
237 | | |
238 | 3.55k | flags_len = sizeof(info->attrs.pin.flags); |
239 | 3.55k | sc_format_asn1_entry(asn1_pin_attr + 0, &info->attrs.pin.flags, &flags_len, 1); |
240 | 3.55k | sc_format_asn1_entry(asn1_pin_attr + 1, &info->attrs.pin.type, NULL, 1); |
241 | 3.55k | sc_format_asn1_entry(asn1_pin_attr + 2, &info->attrs.pin.min_length, NULL, 1); |
242 | 3.55k | sc_format_asn1_entry(asn1_pin_attr + 3, &info->attrs.pin.stored_length, NULL, 1); |
243 | 3.55k | if (info->attrs.pin.max_length > 0) |
244 | 3.45k | sc_format_asn1_entry(asn1_pin_attr + 4, &info->attrs.pin.max_length, NULL, 1); |
245 | 3.55k | if (info->attrs.pin.reference >= 0) |
246 | 3.55k | sc_format_asn1_entry(asn1_pin_attr + 5, &info->attrs.pin.reference, NULL, 1); |
247 | | /* FIXME: check if pad_char present */ |
248 | 3.55k | sc_format_asn1_entry(asn1_pin_attr + 6, &info->attrs.pin.pad_char, &padchar_len, 1); |
249 | 3.55k | sc_format_asn1_entry(asn1_pin_attr + 8, &info->path, NULL, info->path.len ? 1 : 0); |
250 | | |
251 | 3.55k | sc_format_asn1_entry(asn1_com_ao_attr + 0, &info->auth_id, NULL, 1); |
252 | | |
253 | 3.55k | r = sc_asn1_encode(ctx, asn1_auth_type, buf, buflen); |
254 | | |
255 | 3.55k | return r; |
256 | 3.55k | } |
257 | | |
258 | | |
259 | | static int |
260 | | _validate_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_auth_info *auth_info, size_t pinlen) |
261 | 19.8k | { |
262 | 19.8k | size_t max_length; |
263 | 19.8k | if (p15card == NULL) { |
264 | 0 | return SC_ERROR_INVALID_ARGUMENTS; |
265 | 0 | } |
266 | | |
267 | | /* Ignore validation of the non-PIN authentication objects */ |
268 | 19.8k | if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
269 | 0 | return SC_SUCCESS; |
270 | | |
271 | | /* prevent buffer overflow from hostile card */ |
272 | 19.8k | if (auth_info->attrs.pin.stored_length > SC_MAX_PIN_SIZE) |
273 | 15 | return SC_ERROR_BUFFER_TOO_SMALL; |
274 | | |
275 | | /* if we use pinpad, no more checks are needed */ |
276 | 19.8k | if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
277 | 19.8k | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH) |
278 | 0 | && !pinlen) |
279 | 0 | return SC_SUCCESS; |
280 | | |
281 | | /* If pin is given, make sure it is within limits */ |
282 | 19.8k | max_length = auth_info->attrs.pin.max_length != 0 ? auth_info->attrs.pin.max_length : SC_MAX_PIN_SIZE; |
283 | 19.8k | if (pinlen > max_length || pinlen < auth_info->attrs.pin.min_length) |
284 | 17.0k | return SC_ERROR_INVALID_PIN_LENGTH; |
285 | | |
286 | 2.77k | return SC_SUCCESS; |
287 | 19.8k | } |
288 | | |
289 | | /* |
290 | | * Verify a PIN. |
291 | | * |
292 | | * If the code given to us has zero length, this means we |
293 | | * should ask the card reader to obtain the PIN from the |
294 | | * reader's PIN pad |
295 | | */ |
296 | | int |
297 | | sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj, |
298 | | const unsigned char *pincode, size_t pinlen) |
299 | 6.80k | { |
300 | 6.80k | struct sc_context *ctx = p15card->card->ctx; |
301 | 6.80k | struct sc_pkcs15_auth_info *auth_info; |
302 | 6.80k | int r; |
303 | | |
304 | 6.80k | LOG_FUNC_CALLED(ctx); |
305 | | |
306 | 6.80k | if (!pin_obj || !pin_obj->data) |
307 | 6.80k | LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE); |
308 | 6.80k | auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
309 | | |
310 | | /* Check the provided pin matches pin requirements */ |
311 | 6.80k | r = _validate_pin(p15card, auth_info, pinlen); |
312 | | |
313 | 6.80k | if (r) |
314 | 6.80k | LOG_FUNC_RETURN(ctx, r); |
315 | | |
316 | 1.08k | r = _sc_pkcs15_verify_pin(p15card, pin_obj, pincode, pinlen); |
317 | | |
318 | 1.08k | if (r == SC_SUCCESS) |
319 | 418 | sc_pkcs15_pincache_add(p15card, pin_obj, pincode, pinlen); |
320 | | |
321 | 1.08k | LOG_FUNC_RETURN(ctx, r); |
322 | 1.08k | } |
323 | | |
324 | | |
325 | | int |
326 | | _sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj, |
327 | | const unsigned char *pincode, size_t pinlen) |
328 | 1.40k | { |
329 | 1.40k | return sc_pkcs15_verify_pin_with_session_pin(p15card, pin_obj, pincode, |
330 | 1.40k | pinlen, NULL, NULL); |
331 | 1.40k | } |
332 | | |
333 | | /* |
334 | | * Verify a PIN and generate a session PIN |
335 | | * |
336 | | * If the code given to us has zero length, this means we |
337 | | * should ask the card reader to obtain the PIN from the |
338 | | * reader's PIN pad |
339 | | */ |
340 | | int sc_pkcs15_verify_pin_with_session_pin(struct sc_pkcs15_card *p15card, |
341 | | struct sc_pkcs15_object *pin_obj, |
342 | | const unsigned char *pincode, size_t pinlen, |
343 | | const unsigned char *sessionpin, size_t *sessionpinlen) |
344 | 1.40k | { |
345 | 1.40k | struct sc_context *ctx = p15card->card->ctx; |
346 | 1.40k | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
347 | 1.40k | int r; |
348 | 1.40k | sc_card_t *card; |
349 | 1.40k | struct sc_pin_cmd_data data; |
350 | | |
351 | 1.40k | LOG_FUNC_CALLED(ctx); |
352 | 1.40k | sc_log(ctx, |
353 | 1.40k | "PIN(type:%X; method:%X; value(%p:%"SC_FORMAT_LEN_SIZE_T"u)", |
354 | 1.40k | auth_info->auth_type, auth_info->auth_method, |
355 | 1.40k | pincode, pinlen); |
356 | 1.40k | card = p15card->card; |
357 | | |
358 | 1.40k | if (pinlen > SC_MAX_PIN_SIZE) { |
359 | 0 | sc_notify_id(card->ctx, &card->reader->atr, p15card, |
360 | 0 | NOTIFY_PIN_BAD); |
361 | 0 | LOG_TEST_RET(ctx, SC_ERROR_INVALID_PIN_LENGTH, "Invalid PIN size"); |
362 | 0 | } |
363 | | |
364 | | /* Initialize arguments */ |
365 | 1.40k | memset(&data, 0, sizeof(data)); |
366 | 1.40k | data.pin_type = auth_info->auth_method; |
367 | | |
368 | 1.40k | if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_PIN) { |
369 | 1.40k | data.pin_reference = auth_info->attrs.pin.reference; |
370 | 1.40k | data.pin1.min_length = auth_info->attrs.pin.min_length; |
371 | 1.40k | data.pin1.max_length = auth_info->attrs.pin.max_length; |
372 | 1.40k | data.pin1.pad_length = auth_info->attrs.pin.stored_length; |
373 | 1.40k | data.pin1.pad_char = auth_info->attrs.pin.pad_char; |
374 | 1.40k | data.pin1.data = pincode; |
375 | 1.40k | data.pin1.len = pinlen; |
376 | | |
377 | 1.40k | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) |
378 | 505 | data.flags |= SC_PIN_CMD_NEED_PADDING; |
379 | | |
380 | 1.40k | switch (auth_info->attrs.pin.type) { |
381 | 16 | case SC_PKCS15_PIN_TYPE_BCD: |
382 | 16 | data.pin1.encoding = SC_PIN_ENCODING_BCD; |
383 | 16 | break; |
384 | 1.11k | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
385 | 1.11k | data.pin1.encoding = SC_PIN_ENCODING_ASCII; |
386 | 1.11k | break; |
387 | 277 | default: |
388 | | /* assume/hope the card driver knows how to encode the pin */ |
389 | 277 | data.pin1.encoding = 0; |
390 | 1.40k | } |
391 | 1.40k | } |
392 | 0 | else if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY) { |
393 | 0 | struct sc_pkcs15_object *skey_obj = NULL; |
394 | 0 | struct sc_pkcs15_id *skey_id = &auth_info->attrs.authkey.skey_id; |
395 | 0 | struct sc_pkcs15_skey_info *skey_info = NULL; |
396 | |
|
397 | 0 | r = sc_pkcs15_find_skey_by_id(p15card, skey_id, &skey_obj); |
398 | 0 | if (r) { |
399 | 0 | sc_log(ctx, "cannot find secret key with id:%s", sc_pkcs15_print_id(skey_id)); |
400 | 0 | LOG_FUNC_RETURN(ctx, r); |
401 | 0 | } |
402 | 0 | skey_info = (struct sc_pkcs15_skey_info *)skey_obj->data; |
403 | |
|
404 | 0 | sc_log(ctx, "found secret key '%s'", skey_obj->label); |
405 | 0 | data.pin_reference = skey_info->key_reference; |
406 | 0 | } |
407 | | |
408 | 1.40k | if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
409 | 1.40k | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) { |
410 | 0 | if (!pincode && !pinlen) |
411 | 0 | data.flags |= SC_PIN_CMD_USE_PINPAD; |
412 | |
|
413 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) |
414 | 0 | data.pin1.prompt = "Please enter SO PIN"; |
415 | 0 | else |
416 | 0 | data.pin1.prompt = "Please enter PIN"; |
417 | 0 | } |
418 | | |
419 | 1.40k | if (card->caps & SC_CARD_CAP_SESSION_PIN && sessionpin && sessionpinlen) { |
420 | | /* session pin is requested and supported with standard verification*/ |
421 | 0 | data.cmd = SC_PIN_CMD_GET_SESSION_PIN; |
422 | 0 | memcpy(&data.pin2, &data.pin1, sizeof (data.pin1)); |
423 | 0 | data.pin2.data = sessionpin; |
424 | 0 | data.pin2.len = *sessionpinlen; |
425 | 1.40k | } else { |
426 | | /* perform a standard verify */ |
427 | 1.40k | data.cmd = SC_PIN_CMD_VERIFY; |
428 | 1.40k | if (sessionpinlen) |
429 | 0 | *sessionpinlen = 0; |
430 | 1.40k | } |
431 | | |
432 | 1.40k | r = sc_lock(card); |
433 | 1.40k | LOG_TEST_RET(ctx, r, "sc_lock() failed"); |
434 | | |
435 | | /* the path in the pin object is optional */ |
436 | 1.40k | if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) { |
437 | 322 | r = sc_select_file(card, &auth_info->path, NULL); |
438 | 322 | if (r) |
439 | 72 | goto out; |
440 | 322 | } |
441 | | |
442 | 1.33k | r = sc_pin_cmd(card, &data, &auth_info->tries_left); |
443 | 1.33k | sc_log(ctx, "PIN cmd result %i", r); |
444 | 1.33k | if (r == SC_SUCCESS) { |
445 | 712 | sc_pkcs15_pincache_add(p15card, pin_obj, pincode, pinlen); |
446 | 712 | if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) { |
447 | 0 | *sessionpinlen = data.pin2.len; |
448 | 0 | } |
449 | 712 | } else { |
450 | 619 | sc_notify_id(card->ctx, &card->reader->atr, p15card, |
451 | 619 | NOTIFY_PIN_BAD); |
452 | 619 | if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) { |
453 | 0 | *sessionpinlen = 0; |
454 | 0 | } |
455 | 619 | } |
456 | | |
457 | 1.33k | if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_PIN |
458 | 1.33k | && auth_info->auth_method != SC_AC_SESSION) { |
459 | 1.33k | sc_notify_id(card->ctx, &card->reader->atr, p15card, |
460 | 1.33k | r == SC_SUCCESS ? NOTIFY_PIN_GOOD : NOTIFY_PIN_BAD); |
461 | 1.33k | } |
462 | | |
463 | 1.40k | out: |
464 | 1.40k | sc_unlock(card); |
465 | 1.40k | LOG_FUNC_RETURN(ctx, r); |
466 | 1.40k | } |
467 | | |
468 | | |
469 | | |
470 | | /* |
471 | | * Change a PIN. |
472 | | */ |
473 | | int sc_pkcs15_change_pin(struct sc_pkcs15_card *p15card, |
474 | | struct sc_pkcs15_object *pin_obj, |
475 | | const u8 *oldpin, size_t oldpinlen, |
476 | | const u8 *newpin, size_t newpinlen) |
477 | 6.06k | { |
478 | 6.06k | struct sc_context *ctx = p15card->card->ctx; |
479 | 6.06k | struct sc_pin_cmd_data data; |
480 | 6.06k | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
481 | 6.06k | struct sc_card *card; |
482 | 6.06k | int r; |
483 | | |
484 | 6.06k | LOG_FUNC_CALLED(ctx); |
485 | 6.06k | if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
486 | 6.06k | LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED); |
487 | | |
488 | | /* make sure the pins are in valid range */ |
489 | 6.06k | r = _validate_pin(p15card, auth_info, oldpinlen); |
490 | 6.06k | LOG_TEST_RET(ctx, r, "Old PIN value do not conform PIN policy"); |
491 | | |
492 | 683 | r = _validate_pin(p15card, auth_info, newpinlen); |
493 | 683 | LOG_TEST_RET(ctx, r, "New PIN value do not conform PIN policy"); |
494 | | |
495 | 426 | card = p15card->card; |
496 | 426 | r = sc_lock(card); |
497 | 426 | LOG_TEST_RET(ctx, r, "sc_lock() failed"); |
498 | | /* the path in the pin object is optional */ |
499 | 426 | if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) { |
500 | 107 | r = sc_select_file(card, &auth_info->path, NULL); |
501 | 107 | if (r) |
502 | 58 | goto out; |
503 | 107 | } |
504 | | |
505 | | /* set pin_cmd data */ |
506 | 368 | memset(&data, 0, sizeof(data)); |
507 | 368 | data.cmd = SC_PIN_CMD_CHANGE; |
508 | 368 | data.pin_type = SC_AC_CHV; |
509 | 368 | data.pin_reference = auth_info->attrs.pin.reference; |
510 | 368 | data.pin1.data = oldpin; |
511 | 368 | data.pin1.len = oldpinlen; |
512 | 368 | data.pin1.pad_char = auth_info->attrs.pin.pad_char; |
513 | 368 | data.pin1.min_length = auth_info->attrs.pin.min_length; |
514 | 368 | data.pin1.max_length = auth_info->attrs.pin.max_length; |
515 | 368 | data.pin1.pad_length = auth_info->attrs.pin.stored_length; |
516 | 368 | data.pin2.data = newpin; |
517 | 368 | data.pin2.len = newpinlen; |
518 | 368 | data.pin2.pad_char = auth_info->attrs.pin.pad_char; |
519 | 368 | data.pin2.min_length = auth_info->attrs.pin.min_length; |
520 | 368 | data.pin2.max_length = auth_info->attrs.pin.max_length; |
521 | 368 | data.pin2.pad_length = auth_info->attrs.pin.stored_length; |
522 | | |
523 | 368 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) |
524 | 190 | data.flags |= SC_PIN_CMD_NEED_PADDING; |
525 | | |
526 | 368 | switch (auth_info->attrs.pin.type) { |
527 | 4 | case SC_PKCS15_PIN_TYPE_BCD: |
528 | 4 | data.pin1.encoding = SC_PIN_ENCODING_BCD; |
529 | 4 | data.pin2.encoding = SC_PIN_ENCODING_BCD; |
530 | 4 | break; |
531 | 336 | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
532 | 336 | data.pin1.encoding = SC_PIN_ENCODING_ASCII; |
533 | 336 | data.pin2.encoding = SC_PIN_ENCODING_ASCII; |
534 | 336 | break; |
535 | 368 | } |
536 | | |
537 | 368 | if((!oldpin || !newpin) |
538 | 0 | && (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
539 | 0 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) { |
540 | 0 | data.flags |= SC_PIN_CMD_USE_PINPAD; |
541 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) { |
542 | 0 | data.pin1.prompt = "Please enter SO PIN"; |
543 | 0 | data.pin2.prompt = "Please enter new SO PIN"; |
544 | 0 | } |
545 | 0 | else { |
546 | 0 | data.pin1.prompt = "Please enter PIN"; |
547 | 0 | data.pin2.prompt = "Please enter new PIN"; |
548 | 0 | } |
549 | 0 | } |
550 | | |
551 | 368 | r = sc_pin_cmd(card, &data, &auth_info->tries_left); |
552 | 368 | if (r == SC_SUCCESS) |
553 | 60 | sc_pkcs15_pincache_add(p15card, pin_obj, newpin, newpinlen); |
554 | | |
555 | 426 | out: |
556 | 426 | sc_unlock(card); |
557 | 426 | return r; |
558 | 368 | } |
559 | | |
560 | | /* |
561 | | * Unblock a PIN. |
562 | | */ |
563 | | int sc_pkcs15_unblock_pin(struct sc_pkcs15_card *p15card, |
564 | | struct sc_pkcs15_object *pin_obj, |
565 | | const u8 *puk, size_t puklen, |
566 | | const u8 *newpin, size_t newpinlen) |
567 | 5.92k | { |
568 | 5.92k | struct sc_context *ctx = p15card->card->ctx; |
569 | 5.92k | struct sc_pin_cmd_data data; |
570 | 5.92k | struct sc_pkcs15_object *puk_obj; |
571 | 5.92k | struct sc_pkcs15_auth_info *puk_info = NULL; |
572 | 5.92k | int pukref = 0; |
573 | 5.92k | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
574 | 5.92k | struct sc_card *card = p15card->card; |
575 | 5.92k | int r; |
576 | | |
577 | 5.92k | LOG_FUNC_CALLED(ctx); |
578 | 5.92k | if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) |
579 | 5.92k | LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED); |
580 | | |
581 | | /* make sure the pins are in valid range */ |
582 | 5.92k | r = _validate_pin(p15card, auth_info, newpinlen); |
583 | 5.92k | LOG_TEST_RET(ctx, r, "New PIN value do not conform PIN policy"); |
584 | | |
585 | | /* get pin_info object of the puk (this is a little bit complicated |
586 | | * as we don't have the id of the puk (at least now)) |
587 | | * note: for compatibility reasons we give no error if no puk object |
588 | | * is found */ |
589 | | /* first step: try to get the pkcs15 object of the puk */ |
590 | 357 | r = sc_pkcs15_find_pin_by_auth_id(p15card, &pin_obj->auth_id, &puk_obj); |
591 | 357 | if (r >= 0 && puk_obj) { |
592 | | /* second step: get the pkcs15 info object of the puk */ |
593 | 136 | puk_info = (struct sc_pkcs15_auth_info *)puk_obj->data; |
594 | 136 | pukref = puk_info->attrs.pin.reference; |
595 | 136 | } |
596 | | |
597 | 357 | if (!puk_info) { |
598 | 221 | sc_log(ctx, "Unable to get puk object, using pin object instead!"); |
599 | 221 | puk_info = auth_info; |
600 | 221 | } |
601 | | /* make sure the puk is in valid range */ |
602 | 357 | r = _validate_pin(p15card, puk_info, puklen); |
603 | 357 | LOG_TEST_RET(ctx, r, "PIN do not conforms PIN policy"); |
604 | | |
605 | | /* |
606 | | * With the current card driver interface we have no way of specifying different padding |
607 | | * flags for the PIN and the PUK. Therefore reject this case. |
608 | | */ |
609 | 225 | if ((auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) != |
610 | 225 | (puk_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING)) { |
611 | 0 | LOG_TEST_RET(ctx, r, "Padding mismatch for PIN/PUK"); |
612 | 0 | } |
613 | | |
614 | 225 | r = sc_lock(card); |
615 | 225 | LOG_TEST_RET(ctx, r, "sc_lock() failed"); |
616 | | |
617 | | /* the path in the pin object is optional */ |
618 | 225 | if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) { |
619 | 93 | r = sc_select_file(card, &auth_info->path, NULL); |
620 | 93 | if (r) |
621 | 56 | goto out; |
622 | 93 | } |
623 | | |
624 | | /* set pin_cmd data */ |
625 | 169 | memset(&data, 0, sizeof(data)); |
626 | 169 | data.cmd = SC_PIN_CMD_UNBLOCK; |
627 | 169 | data.pin_type = SC_AC_CHV; |
628 | 169 | data.pin_reference = auth_info->attrs.pin.reference; |
629 | 169 | data.puk_reference = pukref; |
630 | 169 | data.pin1.data = puk; |
631 | 169 | data.pin1.len = puklen; |
632 | 169 | data.pin1.pad_char = puk_info->attrs.pin.pad_char; |
633 | 169 | data.pin1.min_length = puk_info->attrs.pin.min_length; |
634 | 169 | data.pin1.max_length = puk_info->attrs.pin.max_length; |
635 | 169 | data.pin1.pad_length = puk_info->attrs.pin.stored_length; |
636 | 169 | data.pin2.data = newpin; |
637 | 169 | data.pin2.len = newpinlen; |
638 | 169 | data.pin2.pad_char = auth_info->attrs.pin.pad_char; |
639 | 169 | data.pin2.min_length = auth_info->attrs.pin.min_length; |
640 | 169 | data.pin2.max_length = auth_info->attrs.pin.max_length; |
641 | 169 | data.pin2.pad_length = auth_info->attrs.pin.stored_length; |
642 | | |
643 | 169 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) |
644 | 121 | data.flags |= SC_PIN_CMD_NEED_PADDING; |
645 | | |
646 | 169 | switch (auth_info->attrs.pin.type) { |
647 | 4 | case SC_PKCS15_PIN_TYPE_BCD: |
648 | 4 | data.pin1.encoding = SC_PIN_ENCODING_BCD; |
649 | 4 | break; |
650 | 140 | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
651 | 140 | data.pin1.encoding = SC_PIN_ENCODING_ASCII; |
652 | 140 | break; |
653 | 169 | } |
654 | | |
655 | 169 | switch (puk_info->attrs.pin.type) { |
656 | 4 | case SC_PKCS15_PIN_TYPE_BCD: |
657 | 4 | data.pin2.encoding = SC_PIN_ENCODING_BCD; |
658 | 4 | break; |
659 | 140 | case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC: |
660 | 140 | data.pin2.encoding = SC_PIN_ENCODING_ASCII; |
661 | 140 | break; |
662 | 169 | } |
663 | | |
664 | 169 | if((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
665 | 169 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) { |
666 | 0 | data.flags |= SC_PIN_CMD_USE_PINPAD; |
667 | 0 | if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) { |
668 | 0 | data.pin1.prompt = "Please enter PUK"; |
669 | 0 | data.pin2.prompt = "Please enter new SO PIN"; |
670 | 0 | } |
671 | 0 | else { |
672 | 0 | data.pin1.prompt = "Please enter PUK"; |
673 | 0 | data.pin2.prompt = "Please enter new PIN"; |
674 | 0 | } |
675 | 0 | } |
676 | | |
677 | 169 | r = sc_pin_cmd(card, &data, &auth_info->tries_left); |
678 | 169 | if (r == SC_SUCCESS) |
679 | 38 | sc_pkcs15_pincache_add(p15card, pin_obj, newpin, newpinlen); |
680 | | |
681 | 225 | out: |
682 | 225 | sc_unlock(card); |
683 | 225 | LOG_FUNC_RETURN(ctx, r); |
684 | 225 | } |
685 | | |
686 | | int sc_pkcs15_get_pin_info(struct sc_pkcs15_card *p15card, |
687 | | struct sc_pkcs15_object *pin_obj) |
688 | 7.03k | { |
689 | 7.03k | int r; |
690 | 7.03k | struct sc_pin_cmd_data data; |
691 | 7.03k | struct sc_card *card = p15card->card; |
692 | 7.03k | struct sc_context *ctx = card->ctx; |
693 | 7.03k | struct sc_pkcs15_auth_info *pin_info = (struct sc_pkcs15_auth_info *) pin_obj->data; |
694 | | |
695 | 7.03k | LOG_FUNC_CALLED(ctx); |
696 | | |
697 | 7.03k | r = sc_lock(card); |
698 | 7.03k | if (r != SC_SUCCESS) |
699 | 0 | return r; |
700 | | |
701 | 7.03k | if (pin_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) { |
702 | 0 | r = SC_ERROR_INVALID_DATA; |
703 | 0 | goto out; |
704 | 0 | } |
705 | | |
706 | | /* the path in the pin object is optional */ |
707 | 7.03k | if ((pin_info->path.len > 0) || ((pin_info->path.aid.len > 0))) { |
708 | 725 | r = sc_select_file(card, &pin_info->path, NULL); |
709 | 725 | if (r) |
710 | 566 | goto out; |
711 | 725 | } |
712 | | |
713 | | /* Try to update PIN info from card */ |
714 | 6.47k | memset(&data, 0, sizeof(data)); |
715 | 6.47k | data.cmd = SC_PIN_CMD_GET_INFO; |
716 | 6.47k | data.pin_type = pin_info->auth_method; |
717 | 6.47k | data.pin_reference = pin_info->attrs.pin.reference; |
718 | | |
719 | 6.47k | r = sc_pin_cmd(card, &data, NULL); |
720 | 6.47k | if (r == SC_SUCCESS) { |
721 | 1.42k | if (data.pin1.max_tries > 0) |
722 | 6 | pin_info->max_tries = data.pin1.max_tries; |
723 | | /* tries_left must be supported or sc_pin_cmd should not return SC_SUCCESS */ |
724 | 1.42k | pin_info->tries_left = data.pin1.tries_left; |
725 | 1.42k | pin_info->logged_in = data.pin1.logged_in; |
726 | 1.42k | } |
727 | | |
728 | 7.03k | out: |
729 | 7.03k | sc_unlock(card); |
730 | 7.03k | LOG_FUNC_RETURN(ctx, r); |
731 | 7.03k | } |
732 | | |
733 | | |
734 | | void sc_pkcs15_free_auth_info(sc_pkcs15_auth_info_t *auth_info) |
735 | 33.2k | { |
736 | 33.2k | free(auth_info); |
737 | 33.2k | } |
738 | | |
739 | | |
740 | | /* Add a PIN to the PIN cache related to the card. Some operations can trigger re-authentication later. */ |
741 | | void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj, |
742 | | const u8 *pin, size_t pinlen) |
743 | 1.29k | { |
744 | 1.29k | struct sc_context *ctx = p15card->card->ctx; |
745 | 1.29k | struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; |
746 | 1.29k | struct sc_pkcs15_object *obj = NULL; |
747 | 1.29k | int r; |
748 | | |
749 | 1.29k | LOG_FUNC_CALLED(ctx); |
750 | | |
751 | 1.29k | if (!pin || !pinlen) { |
752 | 10 | sc_log(ctx, "No cache for zero length PIN"); |
753 | 10 | return; |
754 | 10 | } |
755 | 1.28k | else if (!p15card->opts.use_pin_cache) { |
756 | 9 | sc_log(ctx, "PIN caching not enabled"); |
757 | 9 | return; |
758 | 9 | } |
759 | 1.27k | else if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) { |
760 | 0 | sc_log(ctx, "only 'PIN' auth. object can be cached"); |
761 | 0 | return; |
762 | 0 | } |
763 | | |
764 | | /* If the PIN protects an object with user consent, don't cache it */ |
765 | | |
766 | 1.27k | obj = p15card->obj_list; |
767 | 9.80k | while (obj != NULL) { |
768 | | /* Compare 'sc_pkcs15_object.auth_id' with 'sc_pkcs15_pin_info.auth_id'. |
769 | | * In accordance with PKCS#15 "6.1.8 CommonObjectAttributes" and |
770 | | * "6.1.16 CommonAuthenticationObjectAttributes" with the exception that |
771 | | * "CommonObjectAttributes.accessControlRules" are not taken into account. */ |
772 | | |
773 | 8.57k | if (sc_pkcs15_compare_id(&obj->auth_id, &auth_info->auth_id)) { |
774 | | /* Caching is refused, if the protected object requires user consent */ |
775 | 1.67k | if (!p15card->opts.pin_cache_ignore_user_consent) { |
776 | 1.67k | if (obj->user_consent > 0) { |
777 | 46 | sc_log(ctx, "caching refused (user consent)"); |
778 | 46 | return; |
779 | 46 | } |
780 | 1.67k | } |
781 | 1.67k | } |
782 | | |
783 | 8.52k | obj = obj->next; |
784 | 8.52k | } |
785 | | |
786 | 1.23k | r = sc_pkcs15_allocate_object_content(ctx, pin_obj, pin, pinlen); |
787 | 1.23k | if (r != SC_SUCCESS) { |
788 | 0 | sc_log(ctx, "Failed to allocate object content"); |
789 | 0 | return; |
790 | 0 | } |
791 | | |
792 | 1.23k | pin_obj->usage_counter = 0; |
793 | 1.23k | sc_log(ctx, "PIN(%s) cached", pin_obj->label); |
794 | 1.23k | } |
795 | | |
796 | | /* Validate the PIN code associated with an object */ |
797 | | int |
798 | | sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs15_object_t *obj) |
799 | 410 | { |
800 | 410 | struct sc_context *ctx = p15card->card->ctx; |
801 | 410 | sc_pkcs15_object_t *pin_obj; |
802 | 410 | int r; |
803 | | |
804 | 410 | LOG_FUNC_CALLED(ctx); |
805 | 410 | if (!p15card->opts.use_pin_cache) |
806 | 6 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
807 | | |
808 | | /* Apps that do not support CK_ALWAYS_AUTHENTICATE |
809 | | * may need pin_cache_ignore_user_consent = 1 */ |
810 | 404 | if (!p15card->opts.pin_cache_ignore_user_consent) { |
811 | 404 | if (obj->user_consent) |
812 | 12 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
813 | 404 | } |
814 | | |
815 | 392 | if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD |
816 | 392 | || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) |
817 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
818 | | |
819 | 392 | r = sc_pkcs15_find_pin_by_auth_id(p15card, &obj->auth_id, &pin_obj); |
820 | 392 | if (r != SC_SUCCESS) { |
821 | 19 | sc_log(ctx, "Could not find pin object for auth_id %s", sc_pkcs15_print_id(&obj->auth_id)); |
822 | 19 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
823 | 19 | } |
824 | | |
825 | 373 | if (pin_obj->usage_counter >= p15card->opts.pin_cache_counter) { |
826 | 0 | sc_pkcs15_free_object_content(pin_obj); |
827 | 0 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
828 | 0 | } |
829 | | |
830 | 373 | if (!pin_obj->content.value || !pin_obj->content.len) |
831 | 50 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
832 | | |
833 | 323 | pin_obj->usage_counter++; |
834 | 323 | r = _sc_pkcs15_verify_pin(p15card, pin_obj, pin_obj->content.value, pin_obj->content.len); |
835 | 323 | if (r != SC_SUCCESS) { |
836 | | /* Ensure that wrong PIN isn't used again */ |
837 | 29 | sc_pkcs15_free_object_content(pin_obj); |
838 | | |
839 | 29 | sc_log(ctx, "Verify PIN error %i", r); |
840 | 29 | return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; |
841 | 29 | } |
842 | | |
843 | 294 | LOG_FUNC_RETURN(ctx, SC_SUCCESS); |
844 | 294 | } |
845 | | |
846 | | void sc_pkcs15_pincache_clear(struct sc_pkcs15_card *p15card) |
847 | 17.7k | { |
848 | 17.7k | struct sc_pkcs15_object *objs[32]; |
849 | 17.7k | int i, r; |
850 | | |
851 | 17.7k | LOG_FUNC_CALLED(p15card->card->ctx); |
852 | 17.7k | r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 32); |
853 | 29.7k | for (i = 0; i < r; i++) |
854 | 11.9k | sc_pkcs15_free_object_content(objs[i]); |
855 | 17.7k | } |
856 | | |