RuToken-ECP: profile option to allow the reset of User PIN with SoPIN
http://www.opensc-project.org/pipermail/opensc-devel/2011-May/016716.html git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5542 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
parent
da0a77b8c0
commit
438cf4b2d4
|
@ -486,12 +486,36 @@ static int rtecp_reset_retry_counter(sc_card_t *card, unsigned int type,
|
||||||
sc_apdu_t apdu;
|
sc_apdu_t apdu;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
(void)type, (void)puk, (void)puklen, (void)newref, (void)newlen; /* no warning */
|
(void)type, (void)puk, (void)puklen; /* no warning */
|
||||||
assert(card && card->ctx);
|
assert(card && card->ctx);
|
||||||
|
|
||||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x2C, 0x03, ref_qualifier);
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x2C, 0x03, ref_qualifier);
|
||||||
r = sc_transmit_apdu(card, &apdu);
|
r = sc_transmit_apdu(card, &apdu);
|
||||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
|
||||||
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
||||||
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "Unblock card failed");
|
||||||
|
|
||||||
|
if (newref && newlen) {
|
||||||
|
u8 tmp[2], buf[SC_MAX_APDU_BUFFER_SIZE];
|
||||||
|
u8 *p = buf;
|
||||||
|
|
||||||
|
tmp[0] = (newlen >> 8) & 0xFF;
|
||||||
|
tmp[1] = newlen & 0xFF;
|
||||||
|
sc_asn1_put_tag(0x80, tmp, sizeof(tmp), p, sizeof(buf) - (p - buf), &p);
|
||||||
|
r = sc_asn1_put_tag(0xA5, newref, newlen, p, sizeof(buf) - (p - buf), &p);
|
||||||
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "Invalid new PIN length");
|
||||||
|
|
||||||
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x24, 0x01, ref_qualifier);
|
||||||
|
apdu.lc = p - buf;
|
||||||
|
apdu.data = buf;
|
||||||
|
apdu.datalen = p - buf;
|
||||||
|
|
||||||
|
r = sc_transmit_apdu(card, &apdu);
|
||||||
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
|
||||||
|
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
||||||
|
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "Set PIN failed");
|
||||||
|
}
|
||||||
|
|
||||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -168,12 +168,13 @@ static int rtecp_create_pin(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
|
||||||
{
|
{
|
||||||
sc_context_t *ctx;
|
sc_context_t *ctx;
|
||||||
sc_pkcs15_pin_info_t *pin_info;
|
sc_pkcs15_pin_info_t *pin_info;
|
||||||
sc_file_t *file;
|
sc_file_t *file = NULL;
|
||||||
/* GCHV min-length Flags Attempts Reserve */
|
/* GCHV min-length Flags Attempts Reserve */
|
||||||
unsigned char prop[] = { 0x01, '?', 0x01, '?', 0, 0 };
|
unsigned char prop[] = { 0x01, '?', 0x01, '?', 0, 0 };
|
||||||
/* AccessMode Unblock Change Delete */
|
/* AccessMode Unblock Change Delete */
|
||||||
unsigned char sec[15] = { 0x43, '?', '?', 0, 0, 0, 0, 0xFF };
|
unsigned char sec[15] = { 0x43, '?', '?', 0, 0, 0, 0, 0xFF };
|
||||||
int r;
|
char pin_sname[0x10];
|
||||||
|
int r, reset_by_sopin = 0;
|
||||||
|
|
||||||
(void)puk; /* no warning */
|
(void)puk; /* no warning */
|
||||||
if (!profile || !p15card || !p15card->card || !p15card->card->ctx || !df
|
if (!profile || !p15card || !p15card->card || !p15card->card->ctx || !df
|
||||||
|
@ -182,6 +183,7 @@ static int rtecp_create_pin(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
|
||||||
|
|
||||||
ctx = p15card->card->ctx;
|
ctx = p15card->card->ctx;
|
||||||
SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_VERBOSE);
|
SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_VERBOSE);
|
||||||
|
|
||||||
if (puk_len != 0)
|
if (puk_len != 0)
|
||||||
{
|
{
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Do not enter User unblocking PIN (PUK): %s\n",
|
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Do not enter User unblocking PIN (PUK): %s\n",
|
||||||
|
@ -196,6 +198,25 @@ static int rtecp_create_pin(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
|
||||||
" (Rutoken ECP) PINs\n", pin_info->reference);
|
" (Rutoken ECP) PINs\n", pin_info->reference);
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
return SC_ERROR_NOT_SUPPORTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
snprintf(pin_sname, sizeof(pin_sname), "CHV%i", pin_info->reference);
|
||||||
|
if (pin_info->reference == RTECP_USER_PIN_REF) {
|
||||||
|
r = sc_profile_get_file(profile, pin_sname, &file);
|
||||||
|
if (!r) {
|
||||||
|
const struct sc_acl_entry *acl = NULL;
|
||||||
|
|
||||||
|
r = sc_pkcs15init_fixup_file(profile, p15card, file);
|
||||||
|
SC_TEST_RET(p15card->card->ctx, SC_LOG_DEBUG_NORMAL, r, "Cannot fixup the ACLs of PIN file");
|
||||||
|
|
||||||
|
acl = sc_file_get_acl_entry(file, SC_AC_OP_PIN_RESET);
|
||||||
|
if (acl && acl->method == SC_AC_CHV && acl->key_ref == RTECP_SO_PIN_REF) {
|
||||||
|
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Allow reset of User PIN with SoPIN\n");
|
||||||
|
reset_by_sopin = 1;
|
||||||
|
}
|
||||||
|
sc_file_free(file);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
file = sc_file_new();
|
file = sc_file_new();
|
||||||
if (!file)
|
if (!file)
|
||||||
SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
||||||
|
@ -203,7 +224,7 @@ static int rtecp_create_pin(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
|
||||||
file->size = pin_len;
|
file->size = pin_len;
|
||||||
assert(sizeof(sec)/sizeof(sec[0]) > 2);
|
assert(sizeof(sec)/sizeof(sec[0]) > 2);
|
||||||
sec[1] = (pin_info->reference == RTECP_SO_PIN_REF) ? 0xFF : RTECP_SO_PIN_REF;
|
sec[1] = (pin_info->reference == RTECP_SO_PIN_REF) ? 0xFF : RTECP_SO_PIN_REF;
|
||||||
sec[2] = (unsigned char)pin_info->reference;
|
sec[2] = (unsigned char)pin_info->reference | (reset_by_sopin ? RTECP_SO_PIN_REF : 0);
|
||||||
r = sc_file_set_sec_attr(file, sec, sizeof(sec));
|
r = sc_file_set_sec_attr(file, sec, sizeof(sec));
|
||||||
if (r == SC_SUCCESS)
|
if (r == SC_SUCCESS)
|
||||||
{
|
{
|
||||||
|
|
|
@ -23,6 +23,8 @@ pkcs15 {
|
||||||
encode-df-length = no;
|
encode-df-length = no;
|
||||||
# Have a lastUpdate field in the EF(TokenInfo)?
|
# Have a lastUpdate field in the EF(TokenInfo)?
|
||||||
do-last-update = yes;
|
do-last-update = yes;
|
||||||
|
|
||||||
|
pkcs15-id-style = mozilla;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Default settings.
|
# Default settings.
|
||||||
|
@ -45,8 +47,8 @@ option default {
|
||||||
PIN user-pin {
|
PIN user-pin {
|
||||||
auth-id = 2;
|
auth-id = 2;
|
||||||
reference = 2;
|
reference = 2;
|
||||||
attempts = 10;
|
attempts = 5;
|
||||||
min-length = 8;
|
min-length = 4;
|
||||||
max-length = 32;
|
max-length = 32;
|
||||||
flags = case-sensitive, initialized;
|
flags = case-sensitive, initialized;
|
||||||
}
|
}
|
||||||
|
@ -69,6 +71,10 @@ PIN so-puk {
|
||||||
}
|
}
|
||||||
|
|
||||||
filesystem {
|
filesystem {
|
||||||
|
EF CHV2 {
|
||||||
|
file-id = 0002;
|
||||||
|
ACL = *=NEVER, UPDATE=$SOPIN, PIN-RESET=$SOPIN;
|
||||||
|
}
|
||||||
|
|
||||||
DF MF {
|
DF MF {
|
||||||
path = 3F00;
|
path = 3F00;
|
||||||
|
|
Loading…
Reference in New Issue