2006-02-14 22:09:10 +00:00
|
|
|
/*
|
|
|
|
|
* card-piv.c: Support for PIV-II from NIST SP800-73
|
|
|
|
|
* card-default.c: Support for cards with no driver
|
|
|
|
|
*
|
2006-12-19 21:32:31 +00:00
|
|
|
* Copyright (C) 2001, 2002 Juha Yrjölä <juha.yrjola@iki.fi>
|
2010-02-05 06:16:37 +00:00
|
|
|
* Copyright (C) 2005,2006,2007,2008,2009,2010 Douglas E. Engert <deengert@anl.gov>
|
2007-03-10 10:46:32 +00:00
|
|
|
* Copyright (C) 2006, Identity Alliance, Thomas Harning <thomas.harning@identityalliance.com>
|
2007-06-21 07:07:49 +00:00
|
|
|
* Copyright (C) 2007, EMC, Russell Larner <rlarner@rsa.com>
|
2006-02-14 22:09:10 +00:00
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
|
*/
|
|
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "config.h"
|
2008-03-06 16:06:59 +00:00
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#ifdef ENABLE_OPENSSL /* empty file without openssl */
|
2008-03-06 16:06:59 +00:00
|
|
|
|
2007-06-21 11:07:00 +00:00
|
|
|
#include <ctype.h>
|
2006-02-14 22:09:10 +00:00
|
|
|
#include <string.h>
|
|
|
|
|
#include <fcntl.h>
|
2007-01-08 20:19:10 +00:00
|
|
|
#include <openssl/evp.h>
|
2006-02-14 22:09:10 +00:00
|
|
|
#include <openssl/bio.h>
|
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
|
#include <openssl/rsa.h>
|
2010-03-04 08:14:36 +00:00
|
|
|
|
|
|
|
|
#include "internal.h"
|
2006-02-14 22:09:10 +00:00
|
|
|
#include "asn1.h"
|
|
|
|
|
#include "cardctl.h"
|
2008-03-06 16:06:59 +00:00
|
|
|
#ifdef ENABLE_ZLIB
|
2007-03-10 10:46:32 +00:00
|
|
|
#include "compression.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
enum {
|
|
|
|
|
PIV_OBJ_CCC = 0,
|
|
|
|
|
PIV_OBJ_CHUI,
|
|
|
|
|
PIV_OBJ_UCHUI, /* new with 800-73-2 */
|
|
|
|
|
PIV_OBJ_X509_PIV_AUTH,
|
|
|
|
|
PIV_OBJ_CHF,
|
|
|
|
|
PIV_OBJ_PI,
|
|
|
|
|
PIV_OBJ_CHFI,
|
|
|
|
|
PIV_OBJ_X509_DS,
|
|
|
|
|
PIV_OBJ_X509_KM,
|
|
|
|
|
PIV_OBJ_X509_CARD_AUTH,
|
|
|
|
|
PIV_OBJ_SEC_OBJ,
|
|
|
|
|
PIV_OBJ_9B03,
|
|
|
|
|
PIV_OBJ_9A06,
|
|
|
|
|
PIV_OBJ_9C06,
|
|
|
|
|
PIV_OBJ_9D06,
|
|
|
|
|
PIV_OBJ_9E06,
|
|
|
|
|
PIV_OBJ_LAST_ENUM
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* flags in the piv_obj_cache */
|
|
|
|
|
|
|
|
|
|
#define PIV_OBJ_CACHE_VALID 1
|
|
|
|
|
|
|
|
|
|
typedef struct piv_obj_cache {
|
|
|
|
|
u8* obj_data;
|
|
|
|
|
size_t obj_len;
|
|
|
|
|
u8* internal_obj_data; /* like a cert in the object */
|
|
|
|
|
size_t internal_obj_len;
|
|
|
|
|
int flags;
|
|
|
|
|
} piv_obj_cache_t;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-03-10 10:46:32 +00:00
|
|
|
typedef struct piv_private_data {
|
2006-02-14 22:09:10 +00:00
|
|
|
struct sc_pin_cmd_pin pin_info;
|
|
|
|
|
sc_file_t *aid_file;
|
|
|
|
|
int enumtag;
|
|
|
|
|
int selected_obj; /* The index into the piv_objects last selected */
|
2007-11-09 08:35:23 +00:00
|
|
|
int return_only_cert; /* return the cert from the object */
|
2010-02-05 06:16:37 +00:00
|
|
|
int rwb_state; /* first time -1, 0, in middle, 1 at eof */
|
2006-02-14 22:09:10 +00:00
|
|
|
int key_ref; /* saved from set_security_env and */
|
2007-03-10 10:46:32 +00:00
|
|
|
int alg_id; /* used in decrypt, signature */
|
2010-02-05 06:16:37 +00:00
|
|
|
u8* w_buf; /* write_binary buffer */
|
|
|
|
|
size_t w_buf_len; /* length of w_buff */
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
piv_obj_cache_t obj_cache[PIV_OBJ_LAST_ENUM];
|
2007-03-10 10:46:32 +00:00
|
|
|
} piv_private_data_t;
|
|
|
|
|
|
|
|
|
|
#define PIV_DATA(card) ((piv_private_data_t*)card->drv_data)
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
struct piv_aid {
|
|
|
|
|
int enumtag;
|
|
|
|
|
size_t len_short; /* min lenght without version */
|
|
|
|
|
size_t len_long; /* With version and other stuff */
|
|
|
|
|
u8 *value;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* The Generic entry should be the "A0 00 00 03 08 00 00 01 00 "
|
|
|
|
|
* NIST published this on 10/6/2005
|
2007-11-09 08:35:23 +00:00
|
|
|
* 800-73-2 is due for release 11/2007.
|
|
|
|
|
* 800-73-2 Part 1 now refers to version "02 00"
|
|
|
|
|
* i.e. "A0 00 00 03 08 00 00 01 00 02 00".
|
|
|
|
|
* but we dont need the version number. but could get it from the PIX.
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
static struct piv_aid piv_aids[] = {
|
|
|
|
|
{SC_CARD_TYPE_PIV_II_GENERIC,
|
2007-11-09 08:35:23 +00:00
|
|
|
9, 9, (u8 *) "\xA0\x00\x00\x03\x08\x00\x00\x10\x00" },
|
2006-02-14 22:09:10 +00:00
|
|
|
{0, 9, 0, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* flags in the piv_object */
|
|
|
|
|
|
|
|
|
|
#define PIV_OBJECT_TYPE_CERT 1
|
|
|
|
|
#define PIV_OBJECT_TYPE_PUBKEY 2
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
struct piv_object {
|
|
|
|
|
int enumtag;
|
2006-02-23 18:43:14 +00:00
|
|
|
const char * name;
|
|
|
|
|
const char * oidstring;
|
|
|
|
|
size_t tag_len;
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 tag_value[3];
|
2006-02-23 18:43:14 +00:00
|
|
|
u8 containerid[2]; /* will use as relative paths for simulation */
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
int flags; /* object has some internal object like a cert */
|
2006-02-14 22:09:10 +00:00
|
|
|
};
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* Must be in order, and one per enumerated PIV_OBJ */
|
2006-02-14 22:09:10 +00:00
|
|
|
static struct piv_object piv_objects[] = {
|
|
|
|
|
{ PIV_OBJ_CCC, "Card Capability Container",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00", 0},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_CHUI, "Card Holder Unique Identifier",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00", 0},
|
|
|
|
|
{ PIV_OBJ_UCHUI, "Unsigned Card Holder Unique Identifier",
|
|
|
|
|
"2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x04", "\x30\x10", 0},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_X509_PIV_AUTH, "X.509 Certificate for PIV Authentication",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01", PIV_OBJECT_TYPE_CERT} ,
|
2006-02-14 22:09:10 +00:00
|
|
|
/* extra 400 is hack for MultOS card which returns 2200 bytes */
|
2007-11-09 08:35:23 +00:00
|
|
|
{ PIV_OBJ_CHF, "Card Holder Fingerprints",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10", 0},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_PI, "Printed Information",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01", 0},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_CHFI, "Card Holder Facial Image",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30", 0},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_X509_DS, "X.509 Certificate for Digital Signature",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00", PIV_OBJECT_TYPE_CERT},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_X509_KM, "X.509 Certificate for Key Management",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02", PIV_OBJECT_TYPE_CERT},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_X509_CARD_AUTH, "X.509 Certificate for Card Authentication",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00", PIV_OBJECT_TYPE_CERT},
|
2006-02-14 22:09:10 +00:00
|
|
|
{ PIV_OBJ_SEC_OBJ, "Security Object",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00", 0},
|
2006-02-14 22:09:10 +00:00
|
|
|
/* following not standard , to be used by piv-tool only for testing */
|
|
|
|
|
{ PIV_OBJ_9B03, "3DES-ECB ADM",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0},
|
2007-06-21 07:07:49 +00:00
|
|
|
/* Only used when signing a cert req, usually from engine
|
|
|
|
|
* after piv-tool generated the key and saved the pub key
|
|
|
|
|
* to a file. Note RSA key can be 1024, 2048 or 3072
|
|
|
|
|
* but still use the "9x06" name.
|
|
|
|
|
*/
|
|
|
|
|
{ PIV_OBJ_9A06, "RSA 9A Pub key from last genkey",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.9999.20", 2, "\x9A\x06", "\x9A\x06", PIV_OBJECT_TYPE_PUBKEY},
|
2007-06-21 07:07:49 +00:00
|
|
|
{ PIV_OBJ_9C06, "Pub 9C key from last genkey",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.9999.21", 2, "\x9C\x06", "\x9C\x06", PIV_OBJECT_TYPE_PUBKEY},
|
2007-06-21 07:07:49 +00:00
|
|
|
{ PIV_OBJ_9D06, "Pub 9D key from last genkey",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.9999.22", 2, "\x9D\x06", "\x9D\x06", PIV_OBJECT_TYPE_PUBKEY},
|
2007-06-21 07:07:49 +00:00
|
|
|
{ PIV_OBJ_9E06, "Pub 9E key from last genkey",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
"2.16.840.1.101.3.7.2.9999.23", 2, "\x9E\x06", "\x9E\x06", PIV_OBJECT_TYPE_PUBKEY},
|
|
|
|
|
{ PIV_OBJ_LAST_ENUM, "", "", 0, "", "", 0}
|
2006-02-14 22:09:10 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct sc_card_operations piv_ops;
|
|
|
|
|
|
|
|
|
|
static struct sc_card_driver piv_drv = {
|
|
|
|
|
"PIV-II for multiple cards",
|
|
|
|
|
"piv",
|
|
|
|
|
&piv_ops,
|
|
|
|
|
NULL, 0, NULL
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If ptr == NULL, just return the size of the tag and lenght and data
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
* otherwise, store tag and length at **ptr, and increment
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
|
2006-02-23 18:43:14 +00:00
|
|
|
static size_t put_tag_and_len(unsigned int tag, size_t len, u8 **ptr)
|
2006-02-14 22:09:10 +00:00
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
u8 *p;
|
|
|
|
|
|
|
|
|
|
if (len < 128) {
|
|
|
|
|
i = 2;
|
|
|
|
|
} else if (len < 256) {
|
|
|
|
|
i = 3;
|
|
|
|
|
} else {
|
|
|
|
|
i = 4;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ptr) {
|
|
|
|
|
p = *ptr;
|
2006-02-23 18:43:14 +00:00
|
|
|
*p++ = (u8)tag;
|
2006-02-14 22:09:10 +00:00
|
|
|
switch (i) {
|
|
|
|
|
case 2:
|
|
|
|
|
*p++ = len;
|
|
|
|
|
break;
|
|
|
|
|
case 3:
|
|
|
|
|
*p++ = 0x81;
|
|
|
|
|
*p++ = len;
|
|
|
|
|
break;
|
|
|
|
|
case 4:
|
|
|
|
|
*p++ = 0x82;
|
|
|
|
|
*p++ = (u8) (len >> 8);
|
|
|
|
|
*p++ = (u8) (len & 0xff);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
*ptr = p;
|
|
|
|
|
} else {
|
|
|
|
|
i += len;
|
|
|
|
|
}
|
|
|
|
|
return i;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
* Send a command and receive data. There is always something to send.
|
2006-02-14 22:09:10 +00:00
|
|
|
* Used by GET DATA, PUT DATA, GENERAL AUTHENTICATE
|
|
|
|
|
* and GENERATE ASYMMETRIC KEY PAIR.
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
* GET DATA may call to get the first 128 bytes to get the lenght gfrom the tag.
|
|
|
|
|
*
|
|
|
|
|
* A caller may provide a buffer, and length to read. If not provided,
|
|
|
|
|
* an internal 4096 byte buffer is used, and a copy is returned to the
|
|
|
|
|
* caller. that need to be freed by the caller.
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int piv_general_io(sc_card_t *card, int ins, int p1, int p2,
|
|
|
|
|
const u8 * sendbuf, size_t sendbuflen, u8 ** recvbuf,
|
|
|
|
|
size_t * recvbuflen)
|
|
|
|
|
{
|
|
|
|
|
int r;
|
|
|
|
|
sc_apdu_t apdu;
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
u8 rbufinitbuf[4096];
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 *rbuf;
|
|
|
|
|
size_t rbuflen;
|
|
|
|
|
unsigned int cla_out, tag_out;
|
|
|
|
|
const u8 *body;
|
|
|
|
|
size_t bodylen;
|
|
|
|
|
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "%02x %02x %02x %d : %d %d\n",
|
2010-02-05 06:16:37 +00:00
|
|
|
ins, p1, p2, sendbuflen , card->max_send_size, card->max_recv_size);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
rbuf = rbufinitbuf;
|
|
|
|
|
rbuflen = sizeof(rbufinitbuf);
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* if caller provided a buffer end length */
|
|
|
|
|
if (recvbuf && *recvbuf && recvbuflen && *recvbuflen) {
|
|
|
|
|
rbuf = *recvbuf;
|
|
|
|
|
rbuflen = *recvbuflen;
|
|
|
|
|
}
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
r = sc_lock(card);
|
|
|
|
|
if (r != SC_SUCCESS)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
sc_format_apdu(card, &apdu,
|
|
|
|
|
recvbuf ? SC_APDU_CASE_4_SHORT: SC_APDU_CASE_3_SHORT,
|
|
|
|
|
ins, p1, p2);
|
|
|
|
|
apdu.flags |= SC_APDU_FLAGS_CHAINING;
|
|
|
|
|
|
|
|
|
|
apdu.lc = sendbuflen;
|
|
|
|
|
apdu.datalen = sendbuflen;
|
|
|
|
|
apdu.data = sendbuf;
|
|
|
|
|
|
|
|
|
|
if (recvbuf) {
|
|
|
|
|
apdu.resp = rbuf;
|
2010-02-05 06:16:37 +00:00
|
|
|
apdu.le = (card->max_recv_size <= rbuflen)? card->max_recv_size : rbuflen;
|
2006-02-14 22:09:10 +00:00
|
|
|
apdu.resplen = rbuflen;
|
|
|
|
|
} else {
|
|
|
|
|
apdu.resp = rbuf;
|
|
|
|
|
apdu.le = 0;
|
|
|
|
|
apdu.resplen = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"calling sc_transmit_apdu flags=%x le=%d, resplen=%d, resp=%p",
|
2006-02-14 22:09:10 +00:00
|
|
|
apdu.flags, apdu.le, apdu.resplen, apdu.resp);
|
|
|
|
|
|
|
|
|
|
/* with new adpu.c and chaining, this actually reads the whole object */
|
|
|
|
|
r = sc_transmit_apdu(card, &apdu);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"DEE r=%d apdu.resplen=%d sw1=%02x sw2=%02x",
|
2006-02-14 22:09:10 +00:00
|
|
|
r, apdu.resplen, apdu.sw1, apdu.sw2);
|
|
|
|
|
if (r < 0) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"Transmit failed");
|
2006-02-14 22:09:10 +00:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/*TODO may be 6c nn if reading only the length */
|
|
|
|
|
/* TODO look later at tag vs size read too */
|
2006-02-14 22:09:10 +00:00
|
|
|
if (r < 0) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Card returned error ");
|
2006-02-14 22:09:10 +00:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2007-06-21 07:07:49 +00:00
|
|
|
* See how much we read and make sure it is asn1
|
|
|
|
|
* if not, return 0 indicating no data found
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
|
|
|
|
|
rbuflen = 0; /* in case rseplen < 3 i.e. not parseable */
|
2006-02-14 22:09:10 +00:00
|
|
|
if ( recvbuflen && recvbuf && apdu.resplen > 3) {
|
|
|
|
|
*recvbuflen = 0;
|
|
|
|
|
/* we should have all the tag data, so we have to tell sc_asn1_find_tag
|
|
|
|
|
* the buffer is bigger, so it will not produce "ASN1.tag too long!" */
|
|
|
|
|
|
|
|
|
|
body = rbuf;
|
|
|
|
|
if (sc_asn1_read_tag(&body, 0xffff, &cla_out, &tag_out, &bodylen) != SC_SUCCESS) {
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* only early beta cards had this problem */
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "***** received buffer tag MISSING ");
|
2006-02-14 22:09:10 +00:00
|
|
|
body = rbuf;
|
|
|
|
|
/* some readers/cards might return 6c 00 */
|
|
|
|
|
if (apdu.sw1 == 0x61 || apdu.sw2 == 0x6c )
|
|
|
|
|
bodylen = 12000;
|
|
|
|
|
else
|
|
|
|
|
bodylen = apdu.resplen;
|
|
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
rbuflen = body - rbuf + bodylen;
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* if using internal buffer, alloc new one */
|
|
|
|
|
if (rbuf == rbufinitbuf) {
|
|
|
|
|
*recvbuf = (u8 *)malloc(rbuflen);
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE got buffer %p len %d",*recvbuf, rbuflen);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
if (*recvbuf == NULL) {
|
|
|
|
|
r = SC_ERROR_OUT_OF_MEMORY;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memcpy(*recvbuf, rbuf, rbuflen); /* copy tag too */
|
|
|
|
|
}
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (recvbuflen) {
|
|
|
|
|
*recvbuflen = rbuflen;
|
|
|
|
|
r = *recvbuflen;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
sc_unlock(card);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Add the PIV-II operations */
|
|
|
|
|
/* Should use our own keydata, actually should be common to all cards */
|
|
|
|
|
/* only do RSA for now */
|
|
|
|
|
|
|
|
|
|
static int piv_generate_key(sc_card_t *card,
|
|
|
|
|
struct sc_cardctl_cryptoflex_genkey_info *keydata)
|
|
|
|
|
{
|
|
|
|
|
int r;
|
|
|
|
|
u8 *rbuf = NULL;
|
|
|
|
|
size_t rbuflen = 0;
|
|
|
|
|
size_t buf_len = 0;
|
|
|
|
|
u8 *buf_end;
|
|
|
|
|
u8 *p, *rp, *tag;
|
|
|
|
|
u8 tagbuf[16];
|
|
|
|
|
u8 outdata[3]; /* we could also add tag 81 for exponent */
|
|
|
|
|
size_t taglen, i;
|
|
|
|
|
size_t out_len;
|
|
|
|
|
size_t in_len;
|
|
|
|
|
unsigned int cla_out, tag_out;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
keydata->exponent = 0;
|
|
|
|
|
keydata->pubkey = NULL;
|
|
|
|
|
keydata->pubkey_len = 0;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
out_len = 3;
|
|
|
|
|
outdata[0] = 0x80;
|
|
|
|
|
outdata[1] = 0x01;
|
|
|
|
|
switch (keydata->key_bits) {
|
|
|
|
|
case 1024: outdata[2] = 0x06; break;
|
|
|
|
|
case 2048: outdata[2] = 0x07; break;
|
|
|
|
|
case 3072: outdata[2] = 0x05; break;
|
|
|
|
|
default:
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_ARGUMENTS);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
p = tagbuf;
|
|
|
|
|
|
|
|
|
|
put_tag_and_len(0xAC, out_len, &p);
|
|
|
|
|
|
|
|
|
|
memcpy(p, outdata, out_len);
|
|
|
|
|
p+=out_len;
|
|
|
|
|
|
|
|
|
|
rp = rbuf;
|
|
|
|
|
buf_end = rp + buf_len;
|
|
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0x47, 0x00, keydata->key_num,
|
|
|
|
|
tagbuf, p - tagbuf, &rbuf, &rbuflen);
|
|
|
|
|
|
|
|
|
|
if (r >= 0) {
|
|
|
|
|
const u8 *cp;
|
|
|
|
|
keydata->exponent = 0;
|
|
|
|
|
|
|
|
|
|
/* expected tag is 7f49. */
|
|
|
|
|
/* we will whatever tag is present */
|
|
|
|
|
|
|
|
|
|
cp = rbuf;
|
|
|
|
|
in_len = rbuflen;
|
|
|
|
|
|
|
|
|
|
r = sc_asn1_read_tag(&cp, rbuflen, &cla_out, &tag_out, &in_len);
|
|
|
|
|
if (r != SC_SUCCESS) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"Tag buffer not found");
|
2006-02-14 22:09:10 +00:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tag = (u8 *) sc_asn1_find_tag(card->ctx, cp, in_len, 0x82, &taglen);
|
|
|
|
|
if (tag != NULL && taglen <= 4) {
|
|
|
|
|
keydata->exponent = 0;
|
|
|
|
|
for (i = 0; i < taglen;i++) {
|
|
|
|
|
keydata->exponent = (keydata->exponent<<8) + tag[i];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
tag = (u8 *) sc_asn1_find_tag(card->ctx, cp, in_len, 0x81, &taglen);
|
|
|
|
|
|
|
|
|
|
if (tag != NULL && taglen > 0) {
|
|
|
|
|
keydata->pubkey = malloc(taglen);
|
|
|
|
|
if (keydata->pubkey == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
2006-02-14 22:09:10 +00:00
|
|
|
keydata->pubkey_len = taglen;
|
|
|
|
|
memcpy (keydata->pubkey, tag, taglen);
|
|
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* TODO could add key to cache so could use engine to generate key, and */
|
2006-02-14 22:09:10 +00:00
|
|
|
r = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
if (rbuf)
|
|
|
|
|
free(rbuf);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
static int piv_select_aid(sc_card_t* card, u8* aid, size_t aidlen, u8* response, size_t *responselen)
|
|
|
|
|
{
|
|
|
|
|
sc_apdu_t apdu;
|
|
|
|
|
int r;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
|
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
|
|
|
|
|
"Got args: aid=%x, aidlen=%d, response=%x, responselen=%d\n",
|
|
|
|
|
aid, aidlen, response, *responselen);
|
2007-06-21 07:07:49 +00:00
|
|
|
|
|
|
|
|
sc_format_apdu(card, &apdu,
|
|
|
|
|
response == NULL ? SC_APDU_CASE_3_SHORT : SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);
|
|
|
|
|
apdu.lc = aidlen;
|
|
|
|
|
apdu.data = aid;
|
|
|
|
|
apdu.datalen = aidlen;
|
|
|
|
|
apdu.resp = response;
|
|
|
|
|
apdu.resplen = *responselen;
|
|
|
|
|
apdu.le = response == NULL ? 0 : 256; /* could be 21 for fci */
|
|
|
|
|
|
|
|
|
|
r = sc_transmit_apdu(card, &apdu);
|
|
|
|
|
*responselen = apdu.resplen;
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, 4, r);
|
|
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));
|
2007-06-21 07:07:49 +00:00
|
|
|
}
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
/* find the PIV AID on the card. If card->type already filled in,
|
|
|
|
|
* then look for specific AID only
|
|
|
|
|
* Assumes that priv may not be present
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int piv_find_aid(sc_card_t * card, sc_file_t *aid_file)
|
|
|
|
|
{
|
|
|
|
|
sc_apdu_t apdu;
|
|
|
|
|
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
|
|
|
|
|
int r,i;
|
|
|
|
|
u8 *tag;
|
|
|
|
|
size_t taglen;
|
|
|
|
|
u8 *pix;
|
|
|
|
|
size_t pixlen;
|
2007-06-21 07:07:49 +00:00
|
|
|
size_t resplen = sizeof(rbuf);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
/* first see if the default applcation will return a template
|
|
|
|
|
* that we know about.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if (card->type == SC_CARD_TYPE_PIV_II_GENERIC)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, 0);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
r = piv_select_aid(card, piv_aids[0].value, piv_aids[0].len_short, rbuf, &resplen);
|
|
|
|
|
if (r >= 0 && resplen > 2 ) {
|
|
|
|
|
tag = (u8 *) sc_asn1_find_tag(card->ctx, rbuf, resplen, 0x61, &taglen);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (tag != NULL) {
|
|
|
|
|
pix = (u8 *) sc_asn1_find_tag(card->ctx, tag, taglen, 0x4F, &pixlen);
|
|
|
|
|
if (pix != NULL ) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"found PIX");
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2006-04-11 20:50:13 +00:00
|
|
|
/* early cards returned full AID, rather then just the pix */
|
2007-11-09 08:35:23 +00:00
|
|
|
for (i = 0; piv_aids[i].len_long != 0; i++) {
|
|
|
|
|
if ((pixlen >= 6 && memcmp(pix, piv_aids[i].value + 5,
|
|
|
|
|
piv_aids[i].len_long - 5 ) == 0)
|
2006-04-11 20:50:13 +00:00
|
|
|
|| ((pixlen >= piv_aids[i].len_short &&
|
2006-02-14 22:09:10 +00:00
|
|
|
memcmp(pix, piv_aids[i].value,
|
2006-04-11 20:50:13 +00:00
|
|
|
piv_aids[i].len_short) == 0))) {
|
2006-02-14 22:09:10 +00:00
|
|
|
if (card->type > SC_CARD_TYPE_PIV_II_BASE &&
|
|
|
|
|
card->type < SC_CARD_TYPE_PIV_II_BASE+1000 &&
|
|
|
|
|
card->type == piv_aids[i].enumtag) {
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, i);
|
2006-02-14 22:09:10 +00:00
|
|
|
} else {
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, i);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* for testing, we can force the use of a specific AID
|
|
|
|
|
* by using the card= parameter in conf file
|
|
|
|
|
*/
|
|
|
|
|
for (i = 0; piv_aids[i].len_long != 0; i++) {
|
|
|
|
|
if (card->type > SC_CARD_TYPE_PIV_II_BASE &&
|
|
|
|
|
card->type < SC_CARD_TYPE_PIV_II_BASE+1000 &&
|
|
|
|
|
card->type != piv_aids[i].enumtag) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);
|
|
|
|
|
apdu.lc = piv_aids[i].len_long;
|
|
|
|
|
apdu.data = piv_aids[i].value;
|
|
|
|
|
|
|
|
|
|
apdu.datalen = apdu.lc;
|
|
|
|
|
apdu.resp = rbuf;
|
|
|
|
|
apdu.resplen = sizeof(rbuf);
|
|
|
|
|
apdu.le = 256;
|
|
|
|
|
|
|
|
|
|
r = sc_transmit_apdu(card, &apdu);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (r) {
|
|
|
|
|
if (card->type != 0 && card->type == piv_aids[i].enumtag) {
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, i);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( apdu.resplen == 0 && r == 0) {
|
|
|
|
|
/* could be the MSU card */
|
|
|
|
|
continue; /* other cards will return a FCI */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (apdu.resp[0] != 0x6f || apdu.resp[1] > apdu.resplen - 2 )
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NO_CARD_SUPPORT);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
card->ops->process_fci(card, aid_file, apdu.resp+2, apdu.resp[1]);
|
|
|
|
|
if (aid_file->name == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_NO_CARD_SUPPORT);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, i);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_NO_CARD_SUPPORT);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* the tag is the PIV_OBJ_* */
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
static int piv_get_data(sc_card_t * card, int enumtag,
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 **buf, size_t *buf_len)
|
|
|
|
|
{
|
|
|
|
|
u8 *p;
|
|
|
|
|
int r = 0;
|
|
|
|
|
u8 tagbuf[8];
|
2006-02-23 18:43:14 +00:00
|
|
|
size_t tag_len;
|
2010-03-28 12:01:14 +00:00
|
|
|
const char * keyenvname = NULL;
|
2007-03-10 10:46:32 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
|
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "#%d \n", enumtag);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-06-11 07:35:45 +00:00
|
|
|
/* assert(enumtag >= 0 && enumtag < PIV_OBJ_LAST_ENUM); */
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
tag_len = piv_objects[enumtag].tag_len;
|
|
|
|
|
|
|
|
|
|
p = tagbuf;
|
|
|
|
|
put_tag_and_len(0x5c, tag_len, &p);
|
|
|
|
|
memcpy(p, piv_objects[enumtag].tag_value, tag_len);
|
|
|
|
|
p += tag_len;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* the PIV card will only recover the public key during a generate
|
|
|
|
|
* key operation. If the piv-tool was used it would save this
|
|
|
|
|
* as an OpenSSL EVP_KEY PEM using the -o parameter
|
2007-11-09 08:35:23 +00:00
|
|
|
* we will look to see if there is a file then load it
|
2006-02-14 22:09:10 +00:00
|
|
|
* this is ugly, and maybe the pkcs15 cache would work
|
2007-06-21 07:07:49 +00:00
|
|
|
* but we only need it to get the OpenSSL req with engine to work.
|
2007-11-09 08:35:23 +00:00
|
|
|
* Each of the 4 keys with certs has its own file.
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
switch (piv_objects[enumtag].enumtag) {
|
|
|
|
|
case PIV_OBJ_9A06:
|
|
|
|
|
keyenvname = "PIV_9A06_KEY";
|
|
|
|
|
break;
|
|
|
|
|
case PIV_OBJ_9C06:
|
|
|
|
|
keyenvname = "PIV_9C06_KEY";
|
|
|
|
|
break;
|
|
|
|
|
case PIV_OBJ_9D06:
|
|
|
|
|
keyenvname = "PIV_9D06_KEY";
|
|
|
|
|
break;
|
|
|
|
|
case PIV_OBJ_9E06:
|
|
|
|
|
keyenvname = "PIV_9E06_KEY";
|
|
|
|
|
break;
|
|
|
|
|
}
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
if (keyenvname) {
|
2006-02-14 22:09:10 +00:00
|
|
|
BIO * bp = NULL;
|
|
|
|
|
RSA * rsa = NULL;
|
2006-02-17 21:06:31 +00:00
|
|
|
u8 *q;
|
2006-02-14 22:09:10 +00:00
|
|
|
size_t derlen;
|
|
|
|
|
size_t taglen;
|
|
|
|
|
char * keyfilename = NULL;
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
keyfilename = getenv(keyenvname);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
if (keyfilename == NULL) {
|
|
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "USING PUB KEY FROM FILE %s",keyfilename);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
bp = BIO_new(BIO_s_file());
|
|
|
|
|
if (bp == NULL) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if (BIO_read_filename(bp, keyfilename) <= 0) {
|
|
|
|
|
BIO_free(bp);
|
|
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
rsa = PEM_read_bio_RSAPublicKey(bp, &rsa, NULL, NULL);
|
|
|
|
|
BIO_free(bp);
|
|
|
|
|
if (!rsa) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"Unable to load the public key");
|
2006-02-14 22:09:10 +00:00
|
|
|
r = SC_ERROR_DATA_OBJECT_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
derlen = i2d_RSAPublicKey(rsa, NULL);
|
|
|
|
|
if (derlen <= 0) {
|
|
|
|
|
r = SC_ERROR_DATA_OBJECT_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
taglen = put_tag_and_len(0x99, derlen, NULL);
|
|
|
|
|
*buf_len = put_tag_and_len(0x53, taglen, NULL);
|
|
|
|
|
|
|
|
|
|
*buf = (u8*) malloc(*buf_len);
|
|
|
|
|
if (*buf == NULL) {
|
|
|
|
|
r = SC_ERROR_OUT_OF_MEMORY;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2006-02-17 21:06:31 +00:00
|
|
|
q = *buf;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2006-02-17 21:06:31 +00:00
|
|
|
put_tag_and_len(0x53, taglen, &q);
|
|
|
|
|
put_tag_and_len(0x99, derlen, &q);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2006-02-17 21:06:31 +00:00
|
|
|
i2d_RSAPublicKey(rsa, &q);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
RSA_free(rsa);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
r = *buf_len;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
/* end of read PIV_OBJ_9A06 from file */
|
|
|
|
|
} else {
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
if (*buf_len == 1 && *buf == NULL) { /* we need to get the length */
|
|
|
|
|
u8 rbufinitbuf[8]; /* tag of 53 with 82 xx xx will fit in 4 */
|
|
|
|
|
u8 *rbuf;
|
|
|
|
|
size_t rbuflen;
|
|
|
|
|
size_t bodylen;
|
|
|
|
|
unsigned int cla_out, tag_out;
|
|
|
|
|
const u8 *body;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"get len of #%d", enumtag);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
rbuf = rbufinitbuf;
|
|
|
|
|
rbuflen = sizeof(rbufinitbuf);
|
|
|
|
|
r = piv_general_io(card, 0xCB, 0x3F, 0xFF, tagbuf, p - tagbuf,
|
|
|
|
|
&rbuf, &rbuflen);
|
|
|
|
|
if (r > 0) {
|
|
|
|
|
body = rbuf;
|
|
|
|
|
if (sc_asn1_read_tag(&body, 0xffff, &cla_out, &tag_out, &bodylen) != SC_SUCCESS) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "***** received buffer tag MISSING ");
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
*buf_len = r;
|
|
|
|
|
} else if ( r == 0) {
|
|
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
} else {
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"get buffer for #%d len %d", enumtag, *buf_len);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
if (*buf == NULL && *buf_len > 0) {
|
|
|
|
|
*buf = (u8*)malloc(*buf_len);
|
|
|
|
|
if (*buf == NULL ) {
|
|
|
|
|
r = SC_ERROR_OUT_OF_MEMORY;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
r = piv_general_io(card, 0xCB, 0x3F, 0xFF, tagbuf, p - tagbuf,
|
|
|
|
|
buf, buf_len);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
2007-03-10 10:46:32 +00:00
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
static int piv_get_cached_data(sc_card_t * card, int enumtag,
|
|
|
|
|
u8 **buf, size_t *buf_len)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
|
|
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
int r;
|
|
|
|
|
u8 *rbuf = NULL;
|
|
|
|
|
size_t rbuflen;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
|
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "#%d", enumtag);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
assert(enumtag >= 0 && enumtag < PIV_OBJ_LAST_ENUM);
|
|
|
|
|
|
|
|
|
|
/* see if we have it cached */
|
|
|
|
|
if (priv->obj_cache[enumtag].flags & PIV_OBJ_CACHE_VALID) {
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"found #%d %p:%d %p:%d",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
enumtag,
|
|
|
|
|
priv->obj_cache[enumtag].obj_data,
|
|
|
|
|
priv->obj_cache[enumtag].obj_len,
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_data,
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (priv->obj_cache[enumtag].obj_len == 0) {
|
|
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"#%d found but len=0",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
enumtag);
|
|
|
|
|
goto err;
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
*buf = priv->obj_cache[enumtag].obj_data;
|
|
|
|
|
*buf_len = priv->obj_cache[enumtag].obj_len;
|
|
|
|
|
r = *buf_len;
|
|
|
|
|
goto ok;
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
/* not cached get it, piv_get_data will allocate a buf */
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"get #%d", enumtag);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
rbuflen = 1;
|
|
|
|
|
r = piv_get_data(card, enumtag, &rbuf, &rbuflen);
|
|
|
|
|
if (r > 0) {
|
|
|
|
|
priv->obj_cache[enumtag].flags = PIV_OBJ_CACHE_VALID;
|
|
|
|
|
priv->obj_cache[enumtag].obj_len = r;
|
|
|
|
|
priv->obj_cache[enumtag].obj_data = rbuf;
|
|
|
|
|
*buf = rbuf;
|
|
|
|
|
*buf_len = r;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"added #%d %p:%d %p:%d",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
enumtag,
|
|
|
|
|
priv->obj_cache[enumtag].obj_data,
|
|
|
|
|
priv->obj_cache[enumtag].obj_len,
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_data,
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len);
|
|
|
|
|
|
|
|
|
|
} else if (r == 0 || r == SC_ERROR_FILE_NOT_FOUND) {
|
|
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
priv->obj_cache[enumtag].flags = PIV_OBJ_CACHE_VALID;
|
|
|
|
|
priv->obj_cache[enumtag].obj_len = 0;
|
|
|
|
|
} else if ( r < 0) {
|
|
|
|
|
goto err;
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
ok:
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
static int piv_cache_internal_data(sc_card_t *card, int enumtag)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
|
|
|
|
u8* tag;
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
u8* body;
|
2007-03-10 10:46:32 +00:00
|
|
|
size_t taglen;
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
size_t bodylen;
|
|
|
|
|
int compressed = 0;
|
|
|
|
|
|
|
|
|
|
/* if already cached */
|
|
|
|
|
if (priv->obj_cache[enumtag].internal_obj_data && priv->obj_cache[enumtag].internal_obj_len) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"#%d found internal %p:%d", enumtag,
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
priv->obj_cache[enumtag].internal_obj_data,
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, 0);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
body = (u8 *) sc_asn1_find_tag(card->ctx,
|
|
|
|
|
priv->obj_cache[enumtag].obj_data,
|
|
|
|
|
priv->obj_cache[enumtag].obj_len,
|
|
|
|
|
0x53, &bodylen);
|
2007-03-10 10:46:32 +00:00
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
if (body == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OBJECT_NOT_VALID);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
/* get the certificate out */
|
|
|
|
|
if (piv_objects[enumtag].flags & PIV_OBJECT_TYPE_CERT) {
|
|
|
|
|
|
|
|
|
|
tag = (u8 *) sc_asn1_find_tag(card->ctx, body, bodylen, 0x71, &taglen);
|
|
|
|
|
/* 800-72-1 not clear if this is 80 or 01 Sent comment to NIST for 800-72-2 */
|
|
|
|
|
if (tag && (((*tag) & 0x80) || ((*tag) & 0x01))) {
|
|
|
|
|
compressed = 1;
|
|
|
|
|
}
|
|
|
|
|
tag = (u8 *) sc_asn1_find_tag(card->ctx, body, bodylen, 0x70, &taglen);
|
|
|
|
|
if (tag == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OBJECT_NOT_VALID);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
if (taglen == 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
if(compressed) {
|
|
|
|
|
#ifdef ENABLE_ZLIB
|
|
|
|
|
size_t len;
|
|
|
|
|
u8* newBuf = NULL;
|
|
|
|
|
if(SC_SUCCESS != sc_decompress_alloc(&newBuf, &len, tag, taglen, COMPRESSION_AUTO)) {
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OBJECT_NOT_VALID);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
}
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_data = newBuf;
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len = len;
|
|
|
|
|
#else
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"PIV compression not supported, no zlib");
|
|
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_NOT_SUPPORTED);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
#endif
|
|
|
|
|
} else {
|
|
|
|
|
if (!(priv->obj_cache[enumtag].internal_obj_data = (u8*)malloc(taglen)))
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
2007-06-21 07:07:49 +00:00
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
memcpy(priv->obj_cache[enumtag].internal_obj_data, tag, taglen);
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len = taglen;
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
/* convert pub key to internal */
|
|
|
|
|
} else if (piv_objects[enumtag].flags & PIV_OBJECT_TYPE_PUBKEY) {
|
|
|
|
|
|
|
|
|
|
tag = (u8 *) sc_asn1_find_tag(card->ctx, body, bodylen, *body, &taglen);
|
|
|
|
|
if (tag == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OBJECT_NOT_VALID);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
if (taglen == 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
if (!(priv->obj_cache[enumtag].internal_obj_data = (u8*)malloc(taglen)))
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
memcpy(priv->obj_cache[enumtag].internal_obj_data, tag, taglen);
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len = taglen;
|
|
|
|
|
} else {
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INTERNAL);
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"added #%d internal %p:%d", enumtag,
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
priv->obj_cache[enumtag].internal_obj_data,
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, 0);
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
/*
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
* Callers of this may be expecting a certificate,
|
|
|
|
|
* select file will have saved the object type for us
|
|
|
|
|
* as well as set that we want the cert from the object.
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
static int piv_read_binary(sc_card_t *card, unsigned int idx,
|
|
|
|
|
unsigned char *buf, size_t count, unsigned long flags)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
|
|
|
|
int enumtag;
|
2006-02-14 22:09:10 +00:00
|
|
|
int r;
|
|
|
|
|
u8 *rbuf = NULL;
|
|
|
|
|
size_t rbuflen = 0;
|
|
|
|
|
u8 *body;
|
|
|
|
|
size_t bodylen;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (priv->selected_obj < 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INTERNAL);
|
2007-03-10 10:46:32 +00:00
|
|
|
enumtag = piv_objects[priv->selected_obj].enumtag;
|
|
|
|
|
|
2010-02-05 06:16:37 +00:00
|
|
|
if (priv->rwb_state == 1) {
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
r = 0;
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-02-05 06:16:37 +00:00
|
|
|
if (priv->rwb_state == -1) {
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
r = piv_get_cached_data(card, enumtag, &rbuf, &rbuflen);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
if (r >=0) {
|
|
|
|
|
/* an object wih no data will be considered not found */
|
|
|
|
|
if (!rbuf || rbuf[0] == 0x00 || (rbuf[0] == 0x53 && rbuf[1] == 0x00)) {
|
|
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE rbuf=%p,rbuflen=%d,",rbuf, rbuflen);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
body = (u8 *) sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x53, &bodylen);
|
|
|
|
|
if (body == NULL) {
|
|
|
|
|
/* if missing, assume its the body */
|
|
|
|
|
/* DEE bug in the beta card */
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL," ***** tag 0x53 MISSING \n");
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
r = SC_ERROR_INVALID_DATA;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if (bodylen > body - rbuf + rbuflen) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL," ***** tag length > then data: %d>%d+%d",
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
bodylen , body - rbuf, rbuflen);
|
|
|
|
|
r = SC_ERROR_INVALID_DATA;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
/* if chached obj has internal interesting data (cert or pub key) */
|
|
|
|
|
if (priv->return_only_cert || piv_objects[enumtag].flags & PIV_OBJECT_TYPE_PUBKEY) {
|
|
|
|
|
r = piv_cache_internal_data(card, enumtag);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2007-06-21 07:07:49 +00:00
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
2010-02-05 06:16:37 +00:00
|
|
|
priv->rwb_state = 0;
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (priv->return_only_cert || piv_objects[enumtag].flags & PIV_OBJECT_TYPE_PUBKEY) {
|
|
|
|
|
rbuf = priv->obj_cache[enumtag].internal_obj_data;
|
|
|
|
|
rbuflen = priv->obj_cache[enumtag].internal_obj_len;
|
|
|
|
|
} else {
|
|
|
|
|
rbuf = priv->obj_cache[enumtag].obj_data;
|
|
|
|
|
rbuflen = priv->obj_cache[enumtag].obj_len;
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* rbuf rbuflen has pointer and length to cached data */
|
|
|
|
|
|
|
|
|
|
if ( rbuflen < idx + count)
|
|
|
|
|
count = rbuflen - idx;
|
|
|
|
|
if (count <= 0) {
|
|
|
|
|
r = 0;
|
2010-02-05 06:16:37 +00:00
|
|
|
priv->rwb_state = 1;
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
} else {
|
|
|
|
|
memcpy(buf, rbuf + idx, count);
|
|
|
|
|
r = count;
|
|
|
|
|
}
|
2006-04-11 20:50:13 +00:00
|
|
|
err:
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* the tag is the PIV_OBJ_*
|
|
|
|
|
* The buf should have the 0x53 tag+len+tags and data
|
|
|
|
|
*/
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
static int piv_put_data(sc_card_t *card, int tag,
|
2006-02-14 22:09:10 +00:00
|
|
|
const u8 *buf, size_t buf_len)
|
|
|
|
|
{
|
|
|
|
|
int r;
|
|
|
|
|
u8 * sbuf;
|
|
|
|
|
size_t sbuflen;
|
|
|
|
|
u8 * p;
|
2006-02-23 18:43:14 +00:00
|
|
|
size_t tag_len;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
tag_len = piv_objects[tag].tag_len;
|
|
|
|
|
sbuflen = put_tag_and_len(0x5c, tag_len, NULL) + buf_len;
|
2006-02-23 18:43:14 +00:00
|
|
|
if (!(sbuf = (u8 *) malloc(sbuflen)))
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
p = sbuf;
|
|
|
|
|
put_tag_and_len(0x5c, tag_len, &p);
|
|
|
|
|
memcpy(p, piv_objects[tag].tag_value, tag_len);
|
|
|
|
|
p += tag_len;
|
|
|
|
|
|
|
|
|
|
memcpy(p, buf, buf_len);
|
|
|
|
|
p += buf_len;
|
|
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0xDB, 0x3F, 0xFF,
|
|
|
|
|
sbuf, p - sbuf, NULL, NULL);
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* TODO add to cache */
|
2006-02-14 22:09:10 +00:00
|
|
|
if (sbuf)
|
|
|
|
|
free(sbuf);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
2010-02-05 06:16:37 +00:00
|
|
|
|
2007-03-10 10:46:32 +00:00
|
|
|
static int piv_write_certificate(sc_card_t *card,
|
2010-02-05 06:16:37 +00:00
|
|
|
const u8* buf, size_t count,
|
2007-03-10 10:46:32 +00:00
|
|
|
unsigned long flags) {
|
|
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
int enumtag;
|
2007-03-10 10:46:32 +00:00
|
|
|
int r = SC_SUCCESS;
|
|
|
|
|
u8 *sbuf = NULL;
|
|
|
|
|
u8 *p;
|
|
|
|
|
size_t sbuflen;
|
|
|
|
|
size_t taglen;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"DEE cert len=%d",count);
|
2010-02-05 06:16:37 +00:00
|
|
|
taglen = put_tag_and_len(0x70, count, NULL)
|
2007-03-10 10:46:32 +00:00
|
|
|
+ put_tag_and_len(0x71, 1, NULL)
|
|
|
|
|
+ put_tag_and_len(0xFE, 0, NULL);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-03-10 10:46:32 +00:00
|
|
|
sbuflen = put_tag_and_len(0x53, taglen, NULL);
|
|
|
|
|
|
|
|
|
|
sbuf = (u8*) malloc(sbuflen);
|
|
|
|
|
if (sbuf == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
2007-03-10 10:46:32 +00:00
|
|
|
p = sbuf;
|
|
|
|
|
put_tag_and_len(0x53, taglen, &p);
|
|
|
|
|
|
|
|
|
|
put_tag_and_len(0x70, count, &p);
|
|
|
|
|
memcpy(p, buf, count);
|
|
|
|
|
p += count;
|
|
|
|
|
put_tag_and_len(0x71, 1, &p);
|
2010-02-05 06:16:37 +00:00
|
|
|
*p++ = (flags)? 0x80:0x00; /* certinfo, i.e. gziped? */
|
2007-03-10 10:46:32 +00:00
|
|
|
put_tag_and_len(0xFE,0,&p); /* LRC tag */
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"DEE buf %p len %d %d", sbuf, p -sbuf, sbuflen);
|
2007-03-10 10:46:32 +00:00
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
enumtag = piv_objects[priv->selected_obj].enumtag;
|
|
|
|
|
r = piv_put_data(card, enumtag, sbuf, sbuflen);
|
2007-03-10 10:46:32 +00:00
|
|
|
if (sbuf)
|
|
|
|
|
free(sbuf);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
2010-02-05 06:16:37 +00:00
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
/*
|
2010-02-05 06:16:37 +00:00
|
|
|
* For certs we need to add the 0x53 tag and other specific tags,
|
2006-02-14 22:09:10 +00:00
|
|
|
* and call the piv_put_data
|
|
|
|
|
* Note: the select file will have saved the object type for us
|
2010-02-05 06:16:37 +00:00
|
|
|
* Write is only used by piv-tool, so we will use flags:
|
|
|
|
|
* length << 8 | compress < 1 | cert
|
|
|
|
|
* to indicate we are writing a cert and if is compressed.
|
|
|
|
|
* if its not a cert its an object.
|
|
|
|
|
*
|
|
|
|
|
* Therefore when idx=0, we will get the length of the object
|
|
|
|
|
* and allocate a buffer, so we can support partial writes.
|
|
|
|
|
* When the last chuck of the data is sent, we will write it.
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int piv_write_binary(sc_card_t *card, unsigned int idx,
|
|
|
|
|
const u8 *buf, size_t count, unsigned long flags)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
2010-02-05 06:16:37 +00:00
|
|
|
int r;
|
|
|
|
|
int enumtag;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
if (priv->selected_obj < 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INTERNAL);
|
2010-02-05 06:16:37 +00:00
|
|
|
|
|
|
|
|
enumtag = piv_objects[priv->selected_obj].enumtag;
|
|
|
|
|
|
|
|
|
|
if (priv->rwb_state == 1) /* trying to write at end */
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, 0);
|
2010-02-05 06:16:37 +00:00
|
|
|
|
|
|
|
|
if (priv->rwb_state == -1) {
|
|
|
|
|
|
|
|
|
|
/* if cached, remove old entry */
|
|
|
|
|
if (priv->obj_cache[enumtag].flags & PIV_OBJ_CACHE_VALID) {
|
|
|
|
|
priv->obj_cache[enumtag].flags = 0;
|
|
|
|
|
if (priv->obj_cache[enumtag].obj_data) {
|
|
|
|
|
free(priv->obj_cache[enumtag].obj_data);
|
|
|
|
|
priv->obj_cache[enumtag].obj_data = NULL;
|
|
|
|
|
priv->obj_cache[enumtag].obj_len = 0;
|
|
|
|
|
}
|
|
|
|
|
if (priv->obj_cache[enumtag].internal_obj_data) {
|
|
|
|
|
free(priv->obj_cache[enumtag].internal_obj_data);
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_data = NULL;
|
|
|
|
|
priv->obj_cache[enumtag].internal_obj_len = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (idx != 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_NO_CARD_SUPPORT);
|
2010-02-05 06:16:37 +00:00
|
|
|
|
|
|
|
|
priv->w_buf_len = flags>>8;
|
|
|
|
|
if (priv->w_buf_len == 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INTERNAL);
|
2010-02-05 06:16:37 +00:00
|
|
|
|
|
|
|
|
priv->w_buf = (u8 *)malloc(priv->w_buf_len);
|
|
|
|
|
priv-> rwb_state = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* on each pass make sure we have w_buf */
|
|
|
|
|
if (priv->w_buf == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
2010-02-05 06:16:37 +00:00
|
|
|
|
|
|
|
|
if (idx + count > priv->w_buf_len)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OBJECT_NOT_VALID);
|
2010-02-05 06:16:37 +00:00
|
|
|
|
|
|
|
|
memcpy(priv->w_buf + idx, buf, count); /* copy one chunk */
|
|
|
|
|
|
|
|
|
|
/* if this was not the last chunk, return to get rest */
|
|
|
|
|
if (idx + count < priv->w_buf_len)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, count);
|
2010-02-05 06:16:37 +00:00
|
|
|
|
|
|
|
|
priv-> rwb_state = 1; /* at end of object */
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-02-05 06:16:37 +00:00
|
|
|
if ( flags & 1) {
|
|
|
|
|
r = piv_write_certificate(card, priv->w_buf, priv->w_buf_len,
|
|
|
|
|
flags & 0x02);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
} else {
|
2010-02-05 06:16:37 +00:00
|
|
|
r = piv_put_data(card, enumtag, priv->w_buf, priv->w_buf_len);
|
|
|
|
|
}
|
|
|
|
|
/* if it worked, will cache it */
|
|
|
|
|
if (r >= 0 && priv->w_buf) {
|
|
|
|
|
priv->obj_cache[enumtag].flags = PIV_OBJ_CACHE_VALID;
|
|
|
|
|
priv->obj_cache[enumtag].obj_data = priv->w_buf;
|
|
|
|
|
priv->obj_cache[enumtag].obj_len = priv->w_buf_len;
|
|
|
|
|
} else {
|
|
|
|
|
if (priv->w_buf)
|
|
|
|
|
free(priv->w_buf);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
2010-02-05 06:16:37 +00:00
|
|
|
priv->w_buf = NULL;
|
|
|
|
|
priv->w_buf_len = 0;
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, (r < 0)? r : count);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Card initialization is not standard.
|
|
|
|
|
* Some cards use mutual or external authentication using s 3des key. We
|
|
|
|
|
* will read in the key from a file.
|
|
|
|
|
* This is only needed during initialization/personalization of the card
|
|
|
|
|
*/
|
|
|
|
|
|
2007-01-08 20:19:10 +00:00
|
|
|
static int piv_get_3des_key(sc_card_t *card, u8 *key)
|
2006-02-14 22:09:10 +00:00
|
|
|
{
|
|
|
|
|
|
|
|
|
|
int r;
|
|
|
|
|
int f = -1;
|
2009-10-22 09:18:16 +00:00
|
|
|
char keybuf[24*3]; /* 3des key as three sets of xx:xx:xx:xx:xx:xx:xx:xx
|
2006-02-14 22:09:10 +00:00
|
|
|
* with a : between which is 71 bytes */
|
|
|
|
|
char * keyfilename = NULL;
|
|
|
|
|
size_t outlen;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
keyfilename = (char *)getenv("PIV_EXT_AUTH_KEY");
|
|
|
|
|
|
|
|
|
|
if (keyfilename == NULL) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
|
2006-02-14 22:09:10 +00:00
|
|
|
"Unable to get PIV_EXT_AUTH_KEY=filename for general_external_authenticate\n");
|
|
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if ((f = open(keyfilename, O_RDONLY)) < 0) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL," Unable to load 3des key for general_external_authenticate\n");
|
2006-02-14 22:09:10 +00:00
|
|
|
r = SC_ERROR_FILE_NOT_FOUND;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if (read(f, keybuf, 71) != 71) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL," Unable to read 3des key for general_external_authenticate\n");
|
2006-02-14 22:09:10 +00:00
|
|
|
r = SC_ERROR_WRONG_LENGTH;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
keybuf[23] = '\0';
|
|
|
|
|
keybuf[47] = '\0';
|
2009-10-22 09:18:16 +00:00
|
|
|
keybuf[71] = '\0';
|
2006-02-14 22:09:10 +00:00
|
|
|
outlen = 8;
|
2007-01-08 20:19:10 +00:00
|
|
|
r = sc_hex_to_bin(keybuf, key, &outlen);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (r) goto err;
|
|
|
|
|
outlen = 8;
|
2007-01-08 20:19:10 +00:00
|
|
|
r = sc_hex_to_bin(keybuf+24, key+8, &outlen);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (r) goto err;
|
|
|
|
|
outlen = 8;
|
2007-01-08 20:19:10 +00:00
|
|
|
r = sc_hex_to_bin(keybuf+48, key+16, &outlen);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (r) goto err;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
if (f >=0)
|
|
|
|
|
close(f);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* will only deal with 3des for now
|
2007-11-09 08:35:23 +00:00
|
|
|
* assumptions include:
|
|
|
|
|
* size of encrypted data is same as unencrypted
|
|
|
|
|
* challenges, nonces etc from card are less then 114 (keeps tags simple)
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int piv_general_mutual_authenticate(sc_card_t *card,
|
2006-02-23 18:43:14 +00:00
|
|
|
unsigned int key_ref, unsigned int alg_id)
|
2006-02-14 22:09:10 +00:00
|
|
|
{
|
|
|
|
|
int r;
|
2007-11-09 08:35:23 +00:00
|
|
|
int N;
|
|
|
|
|
int locked = 0, outl, outl2;
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 *rbuf = NULL;
|
|
|
|
|
size_t rbuflen;
|
|
|
|
|
u8 nonce[8] = {0xDE, 0xE0, 0xDE, 0xE1, 0xDE, 0xE2, 0xDE, 0xE3};
|
2007-01-08 20:19:10 +00:00
|
|
|
u8 sbuf[255], key[24];
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 *p, *q;
|
2007-01-08 20:19:10 +00:00
|
|
|
EVP_CIPHER_CTX ctx;
|
2007-11-09 08:35:23 +00:00
|
|
|
const EVP_CIPHER *cipher;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-01-08 20:19:10 +00:00
|
|
|
EVP_CIPHER_CTX_init(&ctx);
|
|
|
|
|
|
2007-11-09 08:35:23 +00:00
|
|
|
switch (alg_id) {
|
|
|
|
|
case 1: cipher=EVP_des_ede3_ecb(); break;
|
|
|
|
|
case 2: cipher=EVP_des_ede3_cbc(); break;
|
|
|
|
|
case 3: cipher=EVP_des_ede3_ecb(); break;
|
|
|
|
|
case 4: cipher=EVP_des_ede3_cbc(); break;
|
|
|
|
|
default: cipher=EVP_des_ede3_ecb(); break;
|
|
|
|
|
}
|
|
|
|
|
|
2007-01-08 20:19:10 +00:00
|
|
|
r = piv_get_3des_key(card, key);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (r != SC_SUCCESS)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
r = sc_lock(card);
|
|
|
|
|
if (r != SC_SUCCESS)
|
|
|
|
|
goto err;
|
|
|
|
|
locked = 1;
|
|
|
|
|
|
|
|
|
|
p = sbuf;
|
|
|
|
|
q = rbuf;
|
|
|
|
|
*p++ = 0x7C;
|
|
|
|
|
*p++ = 0x02;
|
|
|
|
|
*p++ = 0x80;
|
|
|
|
|
*p++ = 0x00;
|
|
|
|
|
|
|
|
|
|
/* get the encrypted nonce */
|
|
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0x87, alg_id, key_ref, sbuf, p - sbuf, &rbuf, &rbuflen);
|
|
|
|
|
|
|
|
|
|
if (r < 0) goto err;
|
|
|
|
|
q = rbuf;
|
|
|
|
|
if ( (*q++ != 0x7C)
|
|
|
|
|
|| (*q++ != rbuflen - 2)
|
|
|
|
|
|| (*q++ != 0x80)
|
|
|
|
|
|| (*q++ != rbuflen - 4)) {
|
|
|
|
|
r = SC_ERROR_INVALID_DATA;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2007-11-09 08:35:23 +00:00
|
|
|
N = *(rbuf + 3); /* assuming N + sizeof(nonce) + 6 < 128 */
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
/* prepare the response */
|
|
|
|
|
p = sbuf;
|
|
|
|
|
*p++ = 0x7c;
|
2007-11-09 08:35:23 +00:00
|
|
|
*p++ = N + sizeof(nonce)+ 4;
|
2006-02-14 22:09:10 +00:00
|
|
|
*p++ = 0x80;
|
2006-02-23 18:43:14 +00:00
|
|
|
*p++ = (u8)N;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-11-09 08:35:23 +00:00
|
|
|
/* decrypt the data from the card */
|
|
|
|
|
if (!EVP_DecryptInit(&ctx, cipher, key, NULL)) {
|
|
|
|
|
/* may fail if des parity of key is wrong. depends on OpenSSL options */
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
EVP_CIPHER_CTX_set_padding(&ctx,0);
|
|
|
|
|
if (!EVP_DecryptUpdate(&ctx, p, &outl, q, N)) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if(!EVP_DecryptFinal(&ctx, p+outl, &outl2)) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (outl+outl2 != N) {
|
2007-01-08 20:19:10 +00:00
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
p += N;
|
|
|
|
|
|
|
|
|
|
*p++ = 0x81;
|
2007-11-09 08:35:23 +00:00
|
|
|
*p++ = sizeof(nonce);
|
|
|
|
|
memcpy(p, &nonce, sizeof(nonce)); /* we use a fixed nonce for now */
|
|
|
|
|
p += sizeof(nonce);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
free(rbuf);
|
|
|
|
|
rbuf = NULL;
|
|
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0x87, alg_id, key_ref, sbuf, p - sbuf, &rbuf, &rbuflen);
|
|
|
|
|
if (r < 0) goto err;
|
|
|
|
|
q = rbuf;
|
|
|
|
|
if ( (*q++ != 0x7C)
|
|
|
|
|
|| (*q++ != rbuflen - 2)
|
|
|
|
|
|| ((*q++ | 0x02) != 0x82) /* SP800-73 not clear if 80 or 82 */
|
|
|
|
|
|| (*q++ != rbuflen - 4)) {
|
|
|
|
|
r = SC_ERROR_INVALID_DATA;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2007-11-09 08:35:23 +00:00
|
|
|
N = *(rbuf + 3);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
p = sbuf;
|
2007-11-09 08:35:23 +00:00
|
|
|
|
|
|
|
|
EVP_CIPHER_CTX_cleanup(&ctx);
|
|
|
|
|
EVP_CIPHER_CTX_init(&ctx);
|
|
|
|
|
|
|
|
|
|
if (!EVP_DecryptInit(&ctx, cipher, key, NULL)) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
EVP_CIPHER_CTX_set_padding(&ctx,0);
|
|
|
|
|
if (!EVP_DecryptUpdate(&ctx, p, &outl, q, N)) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if(!EVP_DecryptFinal(&ctx, p+outl, &outl2)) {
|
2007-01-08 20:19:10 +00:00
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-11-09 08:35:23 +00:00
|
|
|
if (outl+outl2 != sizeof(nonce) || memcmp(nonce, p, sizeof(nonce)) != 0) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "mutual authentication failed, card returned wrong value");
|
2006-02-14 22:09:10 +00:00
|
|
|
r = SC_ERROR_DECRYPT_FAILED;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2007-01-08 20:19:10 +00:00
|
|
|
r = SC_SUCCESS;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
err:
|
2007-01-08 20:19:10 +00:00
|
|
|
EVP_CIPHER_CTX_cleanup(&ctx);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (locked)
|
|
|
|
|
sc_unlock(card);
|
|
|
|
|
if (rbuf)
|
|
|
|
|
free(rbuf);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int piv_general_external_authenticate(sc_card_t *card,
|
2006-02-23 18:43:14 +00:00
|
|
|
unsigned int key_ref, unsigned int alg_id)
|
2006-02-14 22:09:10 +00:00
|
|
|
{
|
2007-06-21 11:07:00 +00:00
|
|
|
/* unused: piv_private_data_t * priv = PIV_DATA(card); */
|
2007-11-09 08:35:23 +00:00
|
|
|
int r, outl, outl2;
|
|
|
|
|
int N;
|
|
|
|
|
int locked = 0;
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 *rbuf = NULL;
|
|
|
|
|
size_t rbuflen;
|
2007-01-08 20:19:10 +00:00
|
|
|
u8 sbuf[255], key[24];
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 *p, *q;
|
2007-01-08 20:19:10 +00:00
|
|
|
EVP_CIPHER_CTX ctx;
|
2007-11-09 08:35:23 +00:00
|
|
|
const EVP_CIPHER *cipher;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-01-08 20:19:10 +00:00
|
|
|
EVP_CIPHER_CTX_init(&ctx);
|
|
|
|
|
|
2007-11-09 08:35:23 +00:00
|
|
|
switch (alg_id) {
|
|
|
|
|
case 1: cipher=EVP_des_ede3_ecb(); break;
|
|
|
|
|
case 2: cipher=EVP_des_ede3_cbc(); break;
|
|
|
|
|
case 3: cipher=EVP_des_ede3_ecb(); break;
|
|
|
|
|
case 4: cipher=EVP_des_ede3_cbc(); break;
|
|
|
|
|
default: cipher=EVP_des_ede3_ecb(); break;
|
|
|
|
|
}
|
|
|
|
|
|
2007-01-08 20:19:10 +00:00
|
|
|
r = piv_get_3des_key(card, key);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (r != SC_SUCCESS)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
r = sc_lock(card);
|
|
|
|
|
if (r != SC_SUCCESS)
|
|
|
|
|
goto err;
|
2007-11-09 08:35:23 +00:00
|
|
|
locked = 1;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
p = sbuf;
|
|
|
|
|
q = rbuf;
|
|
|
|
|
*p++ = 0x7C;
|
|
|
|
|
*p++ = 0x02;
|
|
|
|
|
*p++ = 0x81;
|
|
|
|
|
*p++ = 0x00;
|
|
|
|
|
|
|
|
|
|
/* get a challenge */
|
|
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0x87, 0x00, 0x00, sbuf, p - sbuf, &rbuf, &rbuflen);
|
|
|
|
|
|
|
|
|
|
if (r < 0) goto err;
|
|
|
|
|
q = rbuf;
|
|
|
|
|
if ( (*q++ != 0x7C)
|
|
|
|
|
|| (*q++ != rbuflen - 2)
|
|
|
|
|
|| (*q++ != 0x81)
|
|
|
|
|
|| (*q++ != rbuflen - 4)) {
|
|
|
|
|
r = SC_ERROR_INVALID_DATA;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-09 08:35:23 +00:00
|
|
|
/* assuming challenge and response are same size i.e. des3 */
|
2006-02-14 22:09:10 +00:00
|
|
|
p = sbuf;
|
|
|
|
|
*p++ = 0x7c;
|
|
|
|
|
*p++ = *(rbuf + 1);
|
|
|
|
|
*p++ = 0x82;
|
|
|
|
|
*p++ = *(rbuf + 3);
|
2007-11-09 08:35:23 +00:00
|
|
|
N = *(rbuf + 3); /* assuming 2 * N + 6 < 128 */
|
2007-01-08 20:19:10 +00:00
|
|
|
|
2007-11-09 08:35:23 +00:00
|
|
|
if (!EVP_EncryptInit(&ctx, cipher, key, NULL)) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
EVP_CIPHER_CTX_set_padding(&ctx,0);
|
|
|
|
|
if (!EVP_EncryptUpdate(&ctx, p, &outl, q, N)) {
|
2007-01-08 20:19:10 +00:00
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2007-11-09 08:35:23 +00:00
|
|
|
if(!EVP_EncryptFinal(&ctx, p+outl, &outl2)) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if (outl+outl2 != N) {
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
p += N;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0x87, alg_id, key_ref, sbuf, p - sbuf, NULL, NULL);
|
|
|
|
|
|
|
|
|
|
err:
|
2007-11-09 08:35:23 +00:00
|
|
|
if (locked)
|
|
|
|
|
sc_unlock(card);
|
2007-01-08 20:19:10 +00:00
|
|
|
EVP_CIPHER_CTX_cleanup(&ctx);
|
|
|
|
|
sc_mem_clear(key, sizeof(key));
|
2006-02-14 22:09:10 +00:00
|
|
|
if (rbuf)
|
|
|
|
|
free(rbuf);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
static int piv_get_serial_nr_from_CHUI(sc_card_t* card, sc_serial_number_t* serial)
|
|
|
|
|
{
|
|
|
|
|
int r;
|
2010-02-05 06:16:37 +00:00
|
|
|
int i;
|
|
|
|
|
u8 gbits;
|
2007-06-21 07:07:49 +00:00
|
|
|
u8 *rbuf = NULL;
|
2010-02-05 06:16:37 +00:00
|
|
|
u8 *body, *fascn, *guid;
|
|
|
|
|
size_t rbuflen = 0, bodylen, fascnlen, guidlen;
|
2007-06-21 07:07:49 +00:00
|
|
|
u8 temp[2000];
|
|
|
|
|
size_t templen = sizeof(temp);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2007-06-21 07:07:49 +00:00
|
|
|
|
|
|
|
|
/* ensure we've got the PIV selected, and nothing else is in process */
|
|
|
|
|
/* This fixes several problems due to previous incomplete APDUs during card detection */
|
|
|
|
|
/* Note: We need the temp because (some?) Oberthur cards don't like selecting an applet without response data */
|
2010-02-05 06:16:37 +00:00
|
|
|
/* 800-73-3 part1 draft, and CIO Council docs imply for PIV Compatible card
|
|
|
|
|
* The FASC-N Agency code should be 9999 and there should be a GUID
|
|
|
|
|
* based on RFC 4122. RIf so and the GUID is not all 0's
|
|
|
|
|
* we will use the GUID as the serial number.
|
|
|
|
|
*/
|
2007-06-21 07:07:49 +00:00
|
|
|
piv_select_aid(card, piv_aids[0].value, piv_aids[0].len_short, temp, &templen);
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
r = piv_get_cached_data(card, PIV_OBJ_CHUI, &rbuf, &rbuflen);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "Failure retrieving CHUI");
|
2007-06-21 07:07:49 +00:00
|
|
|
|
|
|
|
|
r = SC_ERROR_INTERNAL;
|
|
|
|
|
if (rbuflen != 0) {
|
|
|
|
|
body = (u8 *)sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x53, &bodylen); /* Pass the outer wrapper asn1 */
|
|
|
|
|
if (body != NULL && bodylen != 0) {
|
|
|
|
|
fascn = (u8 *)sc_asn1_find_tag(card->ctx, body, bodylen, 0x30, &fascnlen); /* Find the FASC-N data */
|
2010-02-05 06:16:37 +00:00
|
|
|
guid = (u8 *)sc_asn1_find_tag(card->ctx, body, bodylen, 0x34, &guidlen);
|
|
|
|
|
|
|
|
|
|
gbits = 0; /* if guid is valid, gbits will not be zero */
|
|
|
|
|
if (guid && guidlen == 16) {
|
|
|
|
|
for (i = 0; i < 16; i++) {
|
|
|
|
|
gbits = gbits | guid[i]; /* if all are zero, gbits will be zero */
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"fascn=%p,fascnlen=%d,guid=%p,guidlen=%d,gbits=%2.2x\n",
|
2010-02-05 06:16:37 +00:00
|
|
|
fascn, fascnlen, guid, guidlen, gbits);
|
|
|
|
|
|
|
|
|
|
if (fascn && fascnlen == 25) {
|
|
|
|
|
/* test if guid and the fascn starts with ;9999 (in ISO 4bit + partiy code) */
|
|
|
|
|
if (!(gbits && fascn[0] == 0xD4 && fascn[1] == 0xE7
|
|
|
|
|
&& fascn[2] == 0x39 && (fascn[3] | 0x7F) == 0xFF)) {
|
|
|
|
|
serial->len = fascnlen < SC_MAX_SERIALNR ? fascnlen : SC_MAX_SERIALNR;
|
|
|
|
|
memcpy (serial->value, fascn, serial->len);
|
|
|
|
|
r = SC_SUCCESS;
|
|
|
|
|
gbits = 0; /* set to skip using guid below */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (guid && gbits) {
|
|
|
|
|
serial->len = guidlen < SC_MAX_SERIALNR ? guidlen : SC_MAX_SERIALNR;
|
|
|
|
|
memcpy (serial->value, guid, serial->len);
|
2007-06-21 07:07:49 +00:00
|
|
|
r = SC_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2007-06-21 07:07:49 +00:00
|
|
|
}
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
static int piv_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
|
|
|
|
|
{
|
|
|
|
|
u8 * opts; /* A or M, key_ref, alg_id */
|
|
|
|
|
|
|
|
|
|
opts = (u8 *)ptr;
|
|
|
|
|
|
|
|
|
|
switch(cmd) {
|
|
|
|
|
case SC_CARDCTL_LIFECYCLE_SET:
|
|
|
|
|
switch (*opts) {
|
|
|
|
|
case 'A':
|
|
|
|
|
return piv_general_external_authenticate(card,
|
|
|
|
|
*(opts+1), *(opts+2));
|
|
|
|
|
break;
|
|
|
|
|
case'M':
|
|
|
|
|
return piv_general_mutual_authenticate(card,
|
|
|
|
|
*(opts+1), *(opts+2));
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case SC_CARDCTL_CRYPTOFLEX_GENERATE_KEY:
|
|
|
|
|
return piv_generate_key(card,
|
|
|
|
|
(struct sc_cardctl_cryptoflex_genkey_info *) ptr);
|
|
|
|
|
break;
|
2007-06-21 07:07:49 +00:00
|
|
|
case SC_CARDCTL_GET_SERIALNR:
|
|
|
|
|
return piv_get_serial_nr_from_CHUI(card, (sc_serial_number_t *) ptr);
|
|
|
|
|
break;
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return SC_ERROR_NOT_SUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int piv_get_challenge(sc_card_t *card, u8 *rnd, size_t len)
|
|
|
|
|
{
|
|
|
|
|
u8 sbuf[16];
|
|
|
|
|
u8 *rbuf = NULL;
|
|
|
|
|
size_t rbuflen = 0;
|
|
|
|
|
u8 *p, *q;
|
|
|
|
|
int r;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"challenge len=%d",len);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
sc_lock(card);
|
|
|
|
|
|
|
|
|
|
p = sbuf;
|
|
|
|
|
*p++ = 0x7c;
|
|
|
|
|
*p++ = 0x02;
|
|
|
|
|
*p++ = 0x81;
|
|
|
|
|
*p++ = 0x00;
|
|
|
|
|
|
|
|
|
|
/* assuming 8 byte response ? */
|
|
|
|
|
/* should take what the card returns */
|
|
|
|
|
while (len > 0) {
|
|
|
|
|
size_t n = len > 8 ? 8 : len;
|
|
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0x87, 0x00, 0x00, sbuf, p - sbuf,
|
|
|
|
|
&rbuf, &rbuflen);
|
2007-06-21 07:07:49 +00:00
|
|
|
if (r < 0) {
|
|
|
|
|
sc_unlock(card);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2007-06-21 07:07:49 +00:00
|
|
|
}
|
2006-02-14 22:09:10 +00:00
|
|
|
q = rbuf;
|
|
|
|
|
if ( (*q++ != 0x7C)
|
|
|
|
|
|| (*q++ != rbuflen - 2)
|
|
|
|
|
|| (*q++ != 0x81)
|
|
|
|
|
|| (*q++ != rbuflen - 4)) {
|
|
|
|
|
r = SC_ERROR_INVALID_DATA;
|
2007-06-21 07:07:49 +00:00
|
|
|
sc_unlock(card);
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
memcpy(rnd, q, n);
|
|
|
|
|
len -= n;
|
|
|
|
|
rnd += n;
|
|
|
|
|
free(rbuf);
|
|
|
|
|
rbuf = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sc_unlock(card);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, 0);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int piv_set_security_env(sc_card_t *card,
|
|
|
|
|
const sc_security_env_t *env,
|
|
|
|
|
int se_num)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"flags=%08x op=%d alg=%d algf=%08x algr=%08x kr0=%02x, krfl=%d\n",
|
2006-02-14 22:09:10 +00:00
|
|
|
env->flags, env->operation, env->algorithm, env->algorithm_flags,
|
|
|
|
|
env->algorithm_ref, env->key_ref[0], env->key_ref_len);
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
if (env->algorithm == SC_ALGORITHM_RSA)
|
|
|
|
|
priv->alg_id = 0x06; /* Say it is RSA, set 5, 6, 7 later */
|
2006-02-14 22:09:10 +00:00
|
|
|
else
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NO_CARD_SUPPORT);
|
2006-02-14 22:09:10 +00:00
|
|
|
priv->key_ref = env->key_ref[0];
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, 0);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int piv_restore_security_env(sc_card_t *card, int se_num)
|
|
|
|
|
{
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, 0);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int piv_validate_general_authentication(sc_card_t *card,
|
|
|
|
|
const u8 * data, size_t datalen,
|
|
|
|
|
u8 * out, size_t outlen)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
2006-02-14 22:09:10 +00:00
|
|
|
int r;
|
|
|
|
|
u8 *p;
|
|
|
|
|
u8 *tag;
|
|
|
|
|
size_t taglen;
|
|
|
|
|
u8 *body;
|
|
|
|
|
size_t bodylen;
|
2007-06-21 07:07:49 +00:00
|
|
|
unsigned int real_alg_id;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
u8 sbuf[4096]; /* needs work. for 3072 keys, needs 384+10 or so */
|
2006-02-14 22:09:10 +00:00
|
|
|
u8 *rbuf = NULL;
|
|
|
|
|
size_t rbuflen;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
/* should assume large send data */
|
|
|
|
|
p = sbuf;
|
|
|
|
|
put_tag_and_len(0x7c, (2 + put_tag_and_len(0, datalen, NULL)) , &p);
|
|
|
|
|
put_tag_and_len(0x82, 0, &p);
|
|
|
|
|
put_tag_and_len(0x81, datalen, &p);
|
|
|
|
|
|
|
|
|
|
memcpy(p, data, datalen);
|
|
|
|
|
p += datalen;
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
/*
|
|
|
|
|
* alg_id=06 is a place holder for all RSA keys.
|
|
|
|
|
* Derive the real alg_id based on the size of the
|
|
|
|
|
* the data, as we are always using raw mode.
|
|
|
|
|
* Non RSA keys needs some work in thia area.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
real_alg_id = priv->alg_id;
|
|
|
|
|
if (priv->alg_id == 0x06) {
|
|
|
|
|
switch (datalen) {
|
|
|
|
|
case 128: real_alg_id = 0x06; break;
|
|
|
|
|
case 256: real_alg_id = 0x07; break;
|
|
|
|
|
case 384: real_alg_id = 0x05; break;
|
|
|
|
|
default:
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NO_CARD_SUPPORT);
|
2007-06-21 07:07:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = piv_general_io(card, 0x87, real_alg_id, priv->key_ref,
|
2006-02-14 22:09:10 +00:00
|
|
|
sbuf, p - sbuf, &rbuf, &rbuflen);
|
|
|
|
|
|
|
|
|
|
if ( r >= 0) {
|
|
|
|
|
body = (u8 *) sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x7c, &bodylen);
|
|
|
|
|
|
|
|
|
|
if (body) {
|
|
|
|
|
tag = (u8 *) sc_asn1_find_tag(card->ctx, body, bodylen, 0x82, &taglen);
|
|
|
|
|
if (tag) {
|
|
|
|
|
memcpy(out, tag, taglen);
|
|
|
|
|
r = taglen;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
r = SC_ERROR_INVALID_DATA;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rbuf)
|
|
|
|
|
free(rbuf);
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int piv_compute_signature(sc_card_t *card,
|
|
|
|
|
const u8 * data, size_t datalen,
|
|
|
|
|
u8 * out, size_t outlen)
|
|
|
|
|
{
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
|
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, piv_validate_general_authentication(card, data, datalen, out, outlen));
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int piv_decipher(sc_card_t *card,
|
|
|
|
|
const u8 * data, size_t datalen,
|
|
|
|
|
u8 * out, size_t outlen)
|
|
|
|
|
{
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, piv_validate_general_authentication(card, data, datalen, out, outlen));
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int piv_find_obj_by_containerid(sc_card_t *card, const u8 * str)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
|
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "str=0x%02X%02X\n", str[0], str[1]);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
for (i = 0; piv_objects[i].enumtag < PIV_OBJ_LAST_ENUM; i++) {
|
2006-02-14 22:09:10 +00:00
|
|
|
if ( str[0] == piv_objects[i].containerid[0]
|
|
|
|
|
&& str[1] == piv_objects[i].containerid[1])
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, i);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, -1);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* the PIV-II does not always support files, but we will simulate
|
|
|
|
|
* files and reading/writing using get/put_data
|
|
|
|
|
* The path is the containerID number
|
|
|
|
|
* We can use this to determine the type of data requested, like a cert
|
|
|
|
|
* or pub key.
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
* We only support write from the piv_tool with file_out==NULL
|
|
|
|
|
* All other requests should be to read.
|
|
|
|
|
* Only if file_out != null, will we read to get length.
|
2006-02-14 22:09:10 +00:00
|
|
|
*/
|
|
|
|
|
static int piv_select_file(sc_card_t *card, const sc_path_t *in_path,
|
|
|
|
|
sc_file_t **file_out)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
int r;
|
2006-02-14 22:09:10 +00:00
|
|
|
int i;
|
|
|
|
|
const u8 *path;
|
|
|
|
|
int pathlen;
|
|
|
|
|
sc_file_t *file = NULL;
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
u8 * rbuf = NULL;
|
|
|
|
|
size_t rbuflen = 0;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
path = in_path->value;
|
|
|
|
|
pathlen = in_path->len;
|
|
|
|
|
|
|
|
|
|
/* only support single EF in current application */
|
|
|
|
|
|
|
|
|
|
if (pathlen > 2 && memcmp(path, "\x3F\x00", 2) == 0) {
|
|
|
|
|
path += 2;
|
|
|
|
|
pathlen -= 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
i = piv_find_obj_by_containerid(card, path);
|
|
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
if (i < 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
|
2007-11-09 08:35:23 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* pkcs15 will use a 2 byte path or a 4 byte path
|
|
|
|
|
* with cece added to path to request only the cert from the cert obj
|
|
|
|
|
* PIV "Container ID" is used as the path, and are two bytes long
|
|
|
|
|
*/
|
|
|
|
|
priv->return_only_cert = (pathlen == 4 && path[2] == 0xce && path[3] == 0xce);
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
priv->selected_obj = i;
|
2010-02-05 06:16:37 +00:00
|
|
|
priv->rwb_state = -1;
|
2007-03-10 10:46:32 +00:00
|
|
|
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* make it look like the file was found. */
|
|
|
|
|
/* We don't want to read it now unless we need the length */
|
2007-03-10 10:46:32 +00:00
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
if (file_out) {
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* we need to read it now, to get length into cache */
|
|
|
|
|
r = piv_get_cached_data(card, i, &rbuf, &rbuflen);
|
|
|
|
|
|
|
|
|
|
if (r < 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_FILE_NOT_FOUND);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
|
|
|
|
|
/* get the cert or the pub key out and into the cache too */
|
|
|
|
|
if (priv->return_only_cert || piv_objects[i].flags & PIV_OBJECT_TYPE_PUBKEY) {
|
|
|
|
|
r = piv_cache_internal_data(card, i);
|
|
|
|
|
if (r < 0)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
}
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
file = sc_file_new();
|
|
|
|
|
if (file == NULL)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
file->path = *in_path;
|
|
|
|
|
/* this could be like the FCI */
|
|
|
|
|
file->type = SC_FILE_TYPE_DF;
|
|
|
|
|
file->shareable = 0;
|
2007-03-10 10:46:32 +00:00
|
|
|
file->ef_structure = 0;
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
if (priv->return_only_cert)
|
|
|
|
|
file->size = priv->obj_cache[i].internal_obj_len;
|
|
|
|
|
else
|
|
|
|
|
file->size = priv->obj_cache[i].obj_len;
|
2007-03-10 10:46:32 +00:00
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
file->id = (piv_objects[i].containerid[0]<<8) + piv_objects[i].containerid[1];
|
|
|
|
|
|
|
|
|
|
*file_out = file;
|
|
|
|
|
}
|
|
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, 0);
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int piv_finish(sc_card_t *card)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t * priv = PIV_DATA(card);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
int i;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2006-02-14 22:09:10 +00:00
|
|
|
if (priv) {
|
|
|
|
|
if (priv->aid_file)
|
|
|
|
|
sc_file_free(priv->aid_file);
|
2010-02-05 06:16:37 +00:00
|
|
|
if (priv->w_buf)
|
|
|
|
|
free(priv->w_buf);
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
for (i = 0; i < PIV_OBJ_LAST_ENUM - 1; i++) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"DEE freeing #%d, %p:%d %p:%d", i,
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
priv->obj_cache[i].obj_data, priv->obj_cache[i].obj_len,
|
|
|
|
|
priv->obj_cache[i].internal_obj_data, priv->obj_cache[i].internal_obj_len);
|
|
|
|
|
if (priv->obj_cache[i].obj_data)
|
|
|
|
|
free(priv->obj_cache[i].obj_data);
|
|
|
|
|
if (priv->obj_cache[i].internal_obj_data)
|
|
|
|
|
free(priv->obj_cache[i].internal_obj_data);
|
2007-03-10 10:46:32 +00:00
|
|
|
}
|
2006-02-14 22:09:10 +00:00
|
|
|
free(priv);
|
|
|
|
|
}
|
Douglas E. Engert: major update for the PIV smartcard.
The major issue is with getting the length of an object or the cert
contained in an object. The PIV card does not have a directory on the card,
So the previous version tried to put off as long as possible the reading
of objects for performance so as to avoid having to read objects that would
not be used. The first standard, NIST 800-73, set maximum sizes for objects.
800-73-2 removed this for certificates.
A certificate object can contain a certificate which might be compressed.
The only way to get the length of the compressed certificate is to decompress
it. Thus the decompressed certificate could be larger then the container object,
so even if the PIV card had a directory, one would still need to decompress
the certificate to find its length.
OpenSC sc_read_binary will use the length obtained by using
sc_select_file(...,&file_out), and thus the lengths must be determined
in sc_select_file.
Change are to card-piv.c and pkcs15-piv.c and include:
* The old cache code which was not working was removed.
* New cache code was added which caches all object read from the card
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object the first 8 bytes are read
and this is then used to allocate a large buffer to read in the
object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object
will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with the file_out != NULL the object
will be read to get the length If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found
messages which are are a by product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c
had conflicting paths, as NIST 800-72-1 had two tables with different
paths. The enumtag for it in card-piv.c was also wrong.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3710 c6295689-39f2-0310-b995-f0e70906c6a9
2009-07-22 10:09:21 +00:00
|
|
|
/* TODO temp see piv_init */
|
2006-02-14 22:09:10 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int piv_match_card(sc_card_t *card)
|
|
|
|
|
{
|
2007-03-10 10:46:32 +00:00
|
|
|
int i;
|
|
|
|
|
sc_file_t aidfile;
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2007-03-10 10:46:32 +00:00
|
|
|
/* Since we send an APDU, the card's logout function may be called...
|
|
|
|
|
* however it may be in dirty memory */
|
|
|
|
|
card->ops->logout = NULL;
|
|
|
|
|
|
|
|
|
|
/* Detect by selecting applet */
|
|
|
|
|
i = !(piv_find_aid(card, &aidfile));
|
|
|
|
|
return i; /* never match */
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int piv_init(sc_card_t *card)
|
|
|
|
|
{
|
|
|
|
|
int r;
|
2006-02-23 11:49:22 +00:00
|
|
|
unsigned long flags;
|
2007-03-10 10:46:32 +00:00
|
|
|
piv_private_data_t *priv;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
2007-03-10 10:46:32 +00:00
|
|
|
priv = (piv_private_data_t *) calloc(1, sizeof(piv_private_data_t));
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
if (!priv)
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
2006-02-14 22:09:10 +00:00
|
|
|
priv->aid_file = sc_file_new();
|
|
|
|
|
priv->selected_obj = -1;
|
2010-02-05 06:16:37 +00:00
|
|
|
/* priv->max_recv_size = 256; */
|
2008-04-28 07:57:03 +00:00
|
|
|
/* priv->max_recv_size = card->max_recv_size; */
|
2010-02-05 06:16:37 +00:00
|
|
|
/* priv->max_send_size = card->max_send_size; */
|
2006-02-14 22:09:10 +00:00
|
|
|
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Max send = %d recv = %d\n",
|
2006-02-14 22:09:10 +00:00
|
|
|
card->max_send_size, card->max_recv_size);
|
|
|
|
|
card->drv_data = priv;
|
|
|
|
|
card->cla = 0x00;
|
|
|
|
|
card->name = "PIV-II card";
|
|
|
|
|
|
|
|
|
|
r = piv_find_aid(card, priv->aid_file);
|
|
|
|
|
if (r < 0) {
|
2010-03-15 12:17:13 +00:00
|
|
|
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to initialize %s\n", card->name);
|
|
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
priv->enumtag = piv_aids[r].enumtag;
|
|
|
|
|
card->type = piv_aids[r].enumtag;
|
|
|
|
|
|
|
|
|
|
flags = SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_ONBOARD_KEY_GEN;
|
|
|
|
|
|
|
|
|
|
_sc_card_add_rsa_alg(card, 1024, flags, 0); /* manditory */
|
|
|
|
|
_sc_card_add_rsa_alg(card, 2048, flags, 0); /* optional */
|
|
|
|
|
_sc_card_add_rsa_alg(card, 3072, flags, 0); /* optional */
|
|
|
|
|
|
|
|
|
|
card->caps |= SC_CARD_CAP_RNG;
|
|
|
|
|
|
|
|
|
|
if (r > 0)
|
|
|
|
|
r = 0;
|
2010-03-15 12:17:13 +00:00
|
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
2006-02-14 22:09:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-06-21 07:07:49 +00:00
|
|
|
static int piv_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data,
|
|
|
|
|
int *tries_left)
|
|
|
|
|
{
|
|
|
|
|
/* Extra validation of (new) PIN during a PIN change request, to
|
|
|
|
|
* ensure it's not outside the FIPS 201 4.1.6.1 (numeric only) and
|
|
|
|
|
* FIPS 140-2 (6 character minimum) requirements.
|
|
|
|
|
*/
|
|
|
|
|
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
|
|
|
|
|
if (data->cmd == SC_PIN_CMD_CHANGE) {
|
|
|
|
|
int i = 0;
|
|
|
|
|
if (data->pin2.len < 6) {
|
|
|
|
|
return SC_ERROR_INVALID_PIN_LENGTH;
|
|
|
|
|
}
|
|
|
|
|
for(i=0; i < data->pin2.len; ++i) {
|
|
|
|
|
if (!isdigit(data->pin2.data[i])) {
|
|
|
|
|
return SC_ERROR_INVALID_DATA;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return iso_drv->ops->pin_cmd(card, data, tries_left);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2006-02-14 22:09:10 +00:00
|
|
|
static struct sc_card_driver * sc_get_driver(void)
|
|
|
|
|
{
|
|
|
|
|
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
|
|
|
|
|
|
|
|
|
|
piv_ops = *iso_drv->ops;
|
|
|
|
|
piv_ops.match_card = piv_match_card;
|
|
|
|
|
piv_ops.init = piv_init;
|
|
|
|
|
piv_ops.finish = piv_finish;
|
|
|
|
|
|
|
|
|
|
piv_ops.select_file = piv_select_file; /* must use get/put, could emulate? */
|
|
|
|
|
piv_ops.get_challenge = piv_get_challenge;
|
|
|
|
|
piv_ops.read_binary = piv_read_binary;
|
|
|
|
|
piv_ops.write_binary = piv_write_binary;
|
|
|
|
|
piv_ops.set_security_env = piv_set_security_env;
|
|
|
|
|
piv_ops.restore_security_env = piv_restore_security_env;
|
|
|
|
|
piv_ops.compute_signature = piv_compute_signature;
|
|
|
|
|
piv_ops.decipher = piv_decipher;
|
|
|
|
|
piv_ops.card_ctl = piv_card_ctl;
|
2007-06-21 07:07:49 +00:00
|
|
|
piv_ops.pin_cmd = piv_pin_cmd;
|
2006-02-14 22:09:10 +00:00
|
|
|
|
|
|
|
|
return &piv_drv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#if 1
|
|
|
|
|
struct sc_card_driver * sc_get_piv_driver(void)
|
|
|
|
|
{
|
|
|
|
|
return sc_get_driver();
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2008-03-06 16:06:59 +00:00
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#endif /* ENABLE_OPENSSL */
|
