From 129946ca969f39ce7d7f1c8a6642f4e80e7aec4a Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Mon, 16 Jul 2018 22:19:24 +0200
Subject: [PATCH] pkcs11: CKF_WRITE_PROTECTED based on card's read_only flag

uses `md_read_only` as `read_only` for both, PKCS#11 and Minidriver
---
 doc/files/opensc.conf.5.xml.in |  4 ++--
 etc/opensc.conf.example.in     | 42 +++++++++++++++++-----------------
 src/minidriver/minidriver.c    |  2 +-
 src/pkcs11/framework-pkcs15.c  | 15 ++++++++++++
 4 files changed, 39 insertions(+), 24 deletions(-)

diff --git a/doc/files/opensc.conf.5.xml.in b/doc/files/opensc.conf.5.xml.in
index b0cb4e75..f703ce71 100644
--- a/doc/files/opensc.conf.5.xml.in
+++ b/doc/files/opensc.conf.5.xml.in
@@ -822,11 +822,11 @@ app <replaceable>application</replaceable> {
 					</varlistentry>
 					<varlistentry>
 						<term>
-							<option>md_read_only = <replaceable>bool</replaceable>;</option>
+							<option>read_only = <replaceable>bool</replaceable>;</option>
 						</term>
 						<listitem><para>
 								Mark card as read/only card in
-								Minidriver/BaseCSP interface
+								PKCS#11/Minidriver/BaseCSP interface
 								(Default: <literal>false</literal>).
 						</para></listitem>
 					</varlistentry>
diff --git a/etc/opensc.conf.example.in b/etc/opensc.conf.example.in
index d8abb8f8..dc3b5bd8 100644
--- a/etc/opensc.conf.example.in
+++ b/etc/opensc.conf.example.in
@@ -282,7 +282,7 @@ app default {
 
 		# Context: minidriver
 		#
-		# md_read_only: Mark card as read/only card in Minidriver/BaseCSP interface (Default: false)
+		# read_only: Mark card as read/only card in Minidriver/BaseCSP interface (Default: false)
 		# md_supports_X509_enrollment: Indicate X509 enrollment support at Minidriver/BaseCSP interface (Default: false)
 		# md_guid_as_id: Use the GUID generated for the key as id in the PKCS#15 structure (Default: false, i.e. auto generated)
 		# md_guid_as_label: Use the GUID generated for the key as label in the PKCS#15 structure (Default: false, i.e. no label set)
@@ -396,7 +396,7 @@ app default {
 		name = "Gemalto MultiApp IAS/ECC v1.0.1";
 		secure_messaging = local_gemalto_iam;
 		# secure_messaging = local_adele;
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 	}
 	card_atr 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00 {
@@ -404,7 +404,7 @@ app default {
 		driver = "iasecc";
 		name = "Gemalto MultiApp IAS/ECC v1.0.1";
 		secure_messaging = local_gemalto_iam;
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 	}
 	#card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:FE {
@@ -423,7 +423,7 @@ app default {
 	#	type = 25005;
 	#	driver = "iasecc";
 	#	name = "Morpho MI IAS/ECC v1.0.1";
-	#	md_read_only = false;
+	#	read_only = false;
 	#	md_supports_X509_enrollment = true;
 	#	secure_messaging = local_morpho_mi;
 	#}
@@ -431,7 +431,7 @@ app default {
 		type = 25004;
 		driver = "iasecc";
 		name = "Amos IAS/ECC v1.0.1";
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		secure_messaging = local_amos;
 	}
@@ -439,7 +439,7 @@ app default {
 		type = 25004;
 		driver = "iasecc";
 		name = "Amos IAS/ECC v1.0.1";
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		secure_messaging = local_amos_eid;
 	}
@@ -447,7 +447,7 @@ app default {
 	# SmartCard-HSM with contact-based interface or USB-Stick
 	card_atr 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA {
 		driver = "sc-hsm";
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -456,7 +456,7 @@ app default {
 	# SmartCard-HSM with contact-less interface
 	card_atr 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18 {
 		driver = "sc-hsm";
-		md_read_only = false;
+		read_only = false;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -465,7 +465,7 @@ app default {
 	# SmartCard-HSM with fingerprint sensor and PIN pad
 	card_atr 3B:80:80:01:01 {
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -489,7 +489,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -512,7 +512,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -535,7 +535,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -558,7 +558,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -581,7 +581,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -604,7 +604,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -627,7 +627,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -650,7 +650,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -673,7 +673,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -697,7 +697,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -721,7 +721,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
@@ -745,7 +745,7 @@ app default {
 		atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00:00:00";
 		driver = "sc-hsm";
 		force_protocol = "t1";
-		md_read_only = false;
+		read_only = true;
 		md_supports_X509_enrollment = true;
 		md_supports_container_key_gen = true;
 		md_guid_as_label = true;
diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index fc57ff09..3570a07b 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -699,7 +699,7 @@ md_is_read_only(PCARD_DATA pCardData)
 		}
 	}
 
-	return md_get_config_bool(pCardData, "md_read_only", ret);
+	return md_get_config_bool(pCardData, "read_only", ret);
 }
 
 
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 3e881e66..cc4b1e80 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -1045,6 +1045,8 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
 	struct pkcs15_slot_data *fw_data;
 	struct sc_pkcs15_auth_info *pin_info = NULL;
 	char label[(sizeof auth->label) + 10];
+	int write_protected;
+	scconf_block *atrblock;
 
 	sc_log(context, "Called");
 	pkcs15_init_token_info(p15card, &slot->token_info);
@@ -1058,6 +1060,19 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
 	if (p15card->card->caps & SC_CARD_CAP_RNG && p15card->card->ops->get_challenge != NULL)
 		slot->token_info.flags |= CKF_RNG;
 
+	if (p15card->tokeninfo && p15card->tokeninfo->flags & SC_PKCS15_TOKEN_READONLY) {
+		write_protected = 1;
+	} else {
+		write_protected = 0;
+	}
+	atrblock = _sc_match_atr_block(p15card->card->ctx, NULL, &p15card->card->atr);
+	if (atrblock) {
+		write_protected = scconf_get_bool(atrblock, "read_only", write_protected);
+	}
+	if (write_protected) {
+		slot->token_info.flags |= CKF_WRITE_PROTECTED;
+	}
+
 	slot->fw_data = fw_data = calloc(1, sizeof(*fw_data));
 	if (!fw_data) {
 		return;