From 93cc9bef1a8a498c469f69d83148476b085a67ed Mon Sep 17 00:00:00 2001 From: jps Date: Fri, 10 Jun 2011 09:14:02 +0000 Subject: [PATCH 1/5] For CardOS 4.3B and 4.4, the Verify Retry Counter Package can be loaded at ADMINISTRATION life cycle phase to change the behavior of the VERIFY command in regard to return codes. When that package is loaded, the return code of the VERIFY will be ISO7816-4 compliant (63Cx with x being the value of the remaining retry counter when required verification has failed). git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5565 c6295689-39f2-0310-b995-f0e70906c6a9 --- src/pkcs15init/pkcs15-cardos.c | 57 +++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c index dba0d66c..90771d14 100644 --- a/src/pkcs15init/pkcs15-cardos.c +++ b/src/pkcs15init/pkcs15-cardos.c @@ -62,6 +62,7 @@ static int cardos_extract_pubkey(sc_card_t *, sc_pkcs15_pubkey_t *, sc_file_t *, int); static int do_cardos_extract_pubkey(sc_card_t *card, int nr, u8 tag, sc_pkcs15_bignum_t *bn); +static int cardos_have_verifyrc_package(sc_card_t *card); /* Object IDs for PIN objects. * SO PIN = 0x01, SO PUK = 0x02 @@ -413,7 +414,7 @@ cardos_store_pin(sc_profile_t *profile, sc_card_t *card, unsigned char pinpadded[256]; struct tlv tlv; unsigned int attempts, minlen, maxlen; - int r; + int r, hasverifyrc; if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) return SC_ERROR_OBJECT_NOT_VALID; @@ -445,6 +446,10 @@ cardos_store_pin(sc_profile_t *profile, sc_card_t *card, /* parameters */ tlv_next(&tlv, 0x85); tlv_add(&tlv, 0x02); /* options byte */ + hasverifyrc = cardos_have_verifyrc_package(card); + if (hasverifyrc == 1) + /* Use 9 byte OCI parameters to be able to set VerifyRC bit */ + tlv_add(&tlv, 0x04); /* options_2 byte with bit 2 set to return CurrentErrorCounter */ tlv_add(&tlv, attempts & 0xf); /* flags byte */ tlv_add(&tlv, CARDOS_ALGO_PIN); /* algorithm = pin-test */ tlv_add(&tlv, attempts & 0xf); /* errcount = attempts */ @@ -786,6 +791,56 @@ static int cardos_extract_pubkey(sc_card_t *card, sc_pkcs15_pubkey_t *pubkey, return r; } +static int cardos_have_verifyrc_package(sc_card_t *card) +{ + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; + const u8 *p = rbuf, *q; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); + apdu.resp = rbuf; + apdu.resplen = sizeof(rbuf); + apdu.lc = 0; + apdu.le = 256; + r = sc_transmit_apdu(card, &apdu); + SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed"); + + if ((len = apdu.resplen) == 0) + /* looks like no package has been installed */ + return 0; + + while (len != 0) { + p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); + if (p == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ + q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) + return 1; + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ + q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x02) + return 1; + } else { + return 0; + } + p += tlen; + len -= tlen + 2; + } + + return 0; +} + static struct sc_pkcs15init_operations sc_pkcs15init_cardos_operations = { cardos_erase, NULL, /* init_card */ From a7607b8f30b7b186ca7e159b1c9122dcbdfdc680 Mon Sep 17 00:00:00 2001 From: vtarasov Date: Fri, 10 Jun 2011 16:41:04 +0000 Subject: [PATCH 2/5] pkcs11: framework-pkcs15: when storing private key, set the key usage from the object attributes git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5566 c6295689-39f2-0310-b995-f0e70906c6a9 --- src/pkcs11/framework-pkcs15.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index e3ed3a45..eb536c0b 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -1411,6 +1411,18 @@ static CK_RV pkcs15_init_pin(struct sc_pkcs11_card *p11card, return CKR_OK; } +static unsigned long +pkcs15_check_bool_cka(CK_ATTRIBUTE_PTR attr, unsigned long flag) +{ + if (attr->ulValueLen != sizeof(CK_BBOOL) || !attr->pValue) + return 0; + + if (*((CK_BBOOL *)attr->pValue)) + return flag; + + return 0; +} + static CK_RV pkcs15_create_private_key(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *slot, struct sc_profile *profile, @@ -1493,7 +1505,23 @@ static CK_RV pkcs15_create_private_key(struct sc_pkcs11_card *p11card, if (key_type == CKK_GOSTR3410) bn = &gost->d; break; - + case CKA_SIGN: + args.usage |= pkcs15_check_bool_cka(attr, SC_PKCS15_PRKEY_USAGE_SIGN); + break; + case CKA_SIGN_RECOVER: + args.usage |= pkcs15_check_bool_cka(attr, SC_PKCS15_PRKEY_USAGE_SIGNRECOVER); + break; + case CKA_DECRYPT: + args.usage |= pkcs15_check_bool_cka(attr, SC_PKCS15_PRKEY_USAGE_DECRYPT); + break; + case CKA_UNWRAP: + args.usage |= pkcs15_check_bool_cka(attr, SC_PKCS15_PRKEY_USAGE_UNWRAP); + break; + /* + case OPENSC_CKA_NON_REPUDIATION: + args.usage |= pkcs15_check_cka_flag(attr, SC_PKCS15_PRKEY_USAGE_NONREPUDIATION); + break; + */ default: /* ignore unknown attrs, or flag error? */ continue; From 986307284590b420dce2c29fd68ab519a4609cc3 Mon Sep 17 00:00:00 2001 From: vtarasov Date: Fri, 10 Jun 2011 16:46:41 +0000 Subject: [PATCH 3/5] pkcs11: framework-pkcs15: OpenSC specific 'non-repudiation' cryptoki attribute ... In PKCS#11 there is no CKA_ attribute dedicated to the NON-REPUDIATION flag. We need this flag in PKCS#15/libopensc to make dinstinction between 'signature' and 'qualified signature' key slots. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5567 c6295689-39f2-0310-b995-f0e70906c6a9 --- src/pkcs11/framework-pkcs15.c | 2 -- src/pkcs11/pkcs11-opensc.h | 6 ++++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index eb536c0b..6ccf0679 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -1517,11 +1517,9 @@ static CK_RV pkcs15_create_private_key(struct sc_pkcs11_card *p11card, case CKA_UNWRAP: args.usage |= pkcs15_check_bool_cka(attr, SC_PKCS15_PRKEY_USAGE_UNWRAP); break; - /* case OPENSC_CKA_NON_REPUDIATION: args.usage |= pkcs15_check_cka_flag(attr, SC_PKCS15_PRKEY_USAGE_NONREPUDIATION); break; - */ default: /* ignore unknown attrs, or flag error? */ continue; diff --git a/src/pkcs11/pkcs11-opensc.h b/src/pkcs11/pkcs11-opensc.h index 6ab95303..c262a49c 100644 --- a/src/pkcs11/pkcs11-opensc.h +++ b/src/pkcs11/pkcs11-opensc.h @@ -2,5 +2,11 @@ #define PKCS11_OPENSC_H /* OpenSC specific extensions */ +/* + * In PKCS#11 there is no CKA_ attribute dedicated to the NON-REPUDIATION flag. + * We need this flag in PKCS#15/libopensc to make dinstinction between + * 'signature' and 'qualified signature' key slots. + */ +#define OPENSC_CKA_NON_REPUDIATION (CKA_VENDOR_DEFINED | 1UL) #endif From ba64c5573ddca9e723f4356361793089ba3f876b Mon Sep 17 00:00:00 2001 From: vtarasov Date: Sat, 11 Jun 2011 20:17:30 +0000 Subject: [PATCH 4/5] pkcs11: framework-pkcs15: invalid function name git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5568 c6295689-39f2-0310-b995-f0e70906c6a9 --- src/pkcs11/framework-pkcs15.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index 6ccf0679..5db870a1 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -1518,7 +1518,7 @@ static CK_RV pkcs15_create_private_key(struct sc_pkcs11_card *p11card, args.usage |= pkcs15_check_bool_cka(attr, SC_PKCS15_PRKEY_USAGE_UNWRAP); break; case OPENSC_CKA_NON_REPUDIATION: - args.usage |= pkcs15_check_cka_flag(attr, SC_PKCS15_PRKEY_USAGE_NONREPUDIATION); + args.usage |= pkcs15_check_bool_cka(attr, SC_PKCS15_PRKEY_USAGE_NONREPUDIATION); break; default: /* ignore unknown attrs, or flag error? */ From a6b774308887a849b144c488951b3b28c3658c84 Mon Sep 17 00:00:00 2001 From: vtarasov Date: Mon, 13 Jun 2011 09:23:30 +0000 Subject: [PATCH 5/5] pkcs15: add comments for the authentication object data type git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5569 c6295689-39f2-0310-b995-f0e70906c6a9 --- src/libopensc/pkcs15.h | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h index ba9a7357..f608fdc3 100644 --- a/src/libopensc/pkcs15.h +++ b/src/libopensc/pkcs15.h @@ -70,26 +70,33 @@ typedef struct sc_pkcs15_id sc_pkcs15_id_t; #define SC_PKCS15_PIN_TYPE_ISO9564_1 4 #define SC_PKCS15_PIN_AUTH_TYPE_PIN 0 -#define SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY 1 -#define SC_PKCS15_PIN_AUTH_TYPE_SM_KEY 2 +#define SC_PKCS15_PIN_AUTH_TYPE_BIOMETRIC 1 +#define SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY 2 +#define SC_PKCS15_PIN_AUTH_TYPE_SM_KEY 3 +/* PinAttributes as they defined in PKCS#15 v1.1 for PIN authentication object */ struct sc_pkcs15_pin_attributes { unsigned int flags, type; size_t min_length, stored_length, max_length; int reference; u8 pad_char; }; +/* AuthKeyAttributes of the authKey authentication object */ struct sc_pkcs15_authkey_attributes { int derived; struct sc_pkcs15_id skey_id; }; +/* BiometricAttributes of the biometricTemplate authentication object */ struct sc_pkcs15_biometric_attributes { unsigned int flags; struct sc_object_id template_id; /* ... */ }; struct sc_pkcs15_auth_info { + /* CommonAuthenticationObjectAttributes */ struct sc_pkcs15_id auth_id; + + /* AuthObjectAttributes */ struct sc_path path; unsigned auth_type; union { @@ -97,7 +104,10 @@ struct sc_pkcs15_auth_info { struct sc_pkcs15_biometric_attributes bio; struct sc_pkcs15_authkey_attributes authkey; } attrs; + + /* authentication method: CHV, SEN, SYMBOLIC, ... */ unsigned int auth_method; + int tries_left, max_tries; }; typedef struct sc_pkcs15_auth_info sc_pkcs15_auth_info_t;