From 928fbf2f030f10df48c0fec7ade0c2391aa9036d Mon Sep 17 00:00:00 2001
From: Frank Morgner 
Date: Mon, 4 Feb 2019 16:00:45 +0100
Subject: [PATCH] goid-tool: implented PIN/FP verification for PAccess

---
 src/tools/goid-tool-cmdline.c | 17 +++++------
 src/tools/goid-tool.c | 53 ++++++++++++++++++++++++++++++++++-
 src/tools/goid-tool.ggo.in | 18 ++++++------
 3 files changed, 68 insertions(+), 20 deletions(-)

diff --git a/src/tools/goid-tool-cmdline.c b/src/tools/goid-tool-cmdline.c
index 012af876..c191234d 100644
--- a/src/tools/goid-tool-cmdline.c
+++ b/src/tools/goid-tool-cmdline.c
@@ -37,11 +37,11 @@ const char *gengetopt_args_info_help[] = {
 " -V, --version Print version and exit",
 " -r, --reader=STRING Number of the reader to use. By default, the\n first reader with a present card is used. If\n the arguement is an ATR, the reader with a\n matching card will be chosen.",
 " -v, --verbose Use (several times) to be more verbose",
- "\nReport bugs to https://github.com/OpenSC/OpenSC/issues\n\nWritten by Frank Morgner ",
- "\n Mode: soc\n Options for SoCManager Applet",
 " -p, --verify-pin Verify PIN",
 " -b, --verify-bio Verify finger print",
 " --verify-pin-or-bio Verify PIN or finger print (user's choice)",
+ "\nReport bugs to https://github.com/OpenSC/OpenSC/issues\n\nWritten by Frank Morgner ",
+ "\n Mode: soc\n Options for SoCManager Applet",
 " --new-pin Change PIN",
 " --new-bio Use (several times) to change one or more\n biometric templates",
 " --info Dump Information about the SoCManager's\n configuration",
@@ -173,9 +173,9 @@ void init_args_info(struct gengetopt_args_info *args_info) args_info->verbose_help = gengetopt_args_info_help[3] ; args_info->verbose_min = 0; args_info->verbose_max = 0; - args_info->verify_pin_help = gengetopt_args_info_help[6] ; - args_info->verify_bio_help = gengetopt_args_info_help[7] ; - args_info->verify_pin_or_bio_help = gengetopt_args_info_help[8] ; + args_info->verify_pin_help = gengetopt_args_info_help[4] ; + args_info->verify_bio_help = gengetopt_args_info_help[5] ; + args_info->verify_pin_or_bio_help = gengetopt_args_info_help[6] ; args_info->new_pin_help = gengetopt_args_info_help[9] ; args_info->new_bio_help = gengetopt_args_info_help[10] ; args_info->new_bio_min = 0; @@ -1832,7 +1832,6 @@ cmdline_parser_internal ( break; case 'p': /* Verify PIN. */ - args_info->soc_mode_counter += 1; if (update_arg( 0 , @@ -1845,7 +1844,6 @@ cmdline_parser_internal ( break; case 'b': /* Verify finger print. */ - args_info->soc_mode_counter += 1; if (update_arg( 0 , @@ -1885,7 +1883,6 @@ cmdline_parser_internal ( /* Verify PIN or finger print (user's choice). */ if (strcmp (long_options[option_index].name, "verify-pin-or-bio") == 0) { - args_info->soc_mode_counter += 1; if (update_arg( 0 , 
@@ -2212,8 +2209,8 @@ cmdline_parser_internal ( if (args_info->pxs_mode_counter && args_info->soc_mode_counter) { int pxs_given[] = {args_info->certificate_given, args_info->key_given, args_info->print_cardid_given, args_info->write_cardid_given, args_info->print_paccessid_given, args_info->write_paccessid_given, args_info->read_dg_given, args_info->out_file_given, args_info->write_dg_given, args_info->in_file_given, args_info->delete_dg_given, args_info->create_dg_given, args_info->new_size_given, args_info->new_read_ac_given, args_info->new_read_ac_chatbit_given, args_info->new_write_ac_given, args_info->new_write_ac_chatbit_given, -1}; const char *pxs_desc[] = {"--certificate", "--key", "--print-cardid", "--write-cardid", "--print-paccessid", "--write-paccessid", "--read-dg", "--out-file", "--write-dg", "--in-file", "--delete-dg", "--create-dg", "--new-size", "--new-read-ac", "--new-read-ac-chatbit", "--new-write-ac", "--new-write-ac-chatbit", 0}; - int soc_given[] = {args_info->verify_pin_given, args_info->verify_bio_given, args_info->verify_pin_or_bio_given, args_info->new_pin_given, args_info->new_bio_given, args_info->info_given, -1}; - const char *soc_desc[] = {"--verify-pin", "--verify-bio", "--verify-pin-or-bio", "--new-pin", "--new-bio", "--info", 0}; + int soc_given[] = {args_info->new_pin_given, args_info->new_bio_given, args_info->info_given, -1}; + const char *soc_desc[] = {"--new-pin", "--new-bio", "--info", 0}; error_occurred += check_modes(pxs_given, pxs_desc, soc_given, soc_desc); } diff --git a/src/tools/goid-tool.c b/src/tools/goid-tool.c index c2d01982..815ff869 100644 --- a/src/tools/goid-tool.c +++ b/src/tools/goid-tool.c 
@@ -340,7 +340,7 @@ int soc_main(struct sc_context *ctx, sc_card_t *card, struct gengetopt_args_info } if (cmdline->verify_pin_given) { sc_debug(ctx, SC_LOG_DEBUG_VERBOSE_TOOL, - "Verify finger print or PIN on the card."); + "Verify PIN on the card."); if (!soc_verify(card, SOCM_AUTHOBJECT_PIN)) goto err; soc_reset_authobject |= SOCM_AUTHOBJECT_PIN; @@ -493,6 +493,26 @@ err: return ok; } +#define PXS_AUTHOBJECT_PIN 0x80 +#define PXS_AUTHOBJECT_BIO 0x40 + +int +paccess_verify(sc_card_t *card, unsigned char p2) +{ + int ok = 0; + sc_apdu_t apdu; + sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x2E, 0x24, p2); + SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL, + sc_transmit_apdu(card, &apdu), + "Verification failed"); + SC_TEST_GOTO_ERR(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL, + sc_check_sw(card, apdu.sw1, apdu.sw2), + "Verification failed"); + ok = 1; +err: + return ok; +} + int paccess_main(struct sc_context *ctx, sc_card_t *card, struct gengetopt_args_info *cmdline) { int ok = 0, r; @@ -504,6 +524,7 @@ int paccess_main(struct sc_context *ctx, sc_card_t *card, struct gengetopt_args_ unsigned char auxiliary_data[] = {0x67, 0x00}; unsigned char paccess_minor = 0; unsigned char paccess_major = 0; + int pxs_reset_authobjects = 0; sc_path_set(&path, SC_PATH_TYPE_DF_NAME, paccess_aid, sizeof paccess_aid, 0, 0); SC_TEST_GOTO_ERR(ctx, SC_LOG_DEBUG_VERBOSE_TOOL, 
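Review bot: In the `@@ -493,6 +493,26 @@` hunk, `paccess_verify` is defined with external linkage and no preceding prototype, and both of its failure paths log the identical string "Verification failed", so a transport error from `sc_transmit_apdu` and a rejected PIN/template (the `sc_check_sw` failure on the status word) cannot be told apart in the debug log. I would declare it `static int paccess_verify(sc_card_t *card, unsigned char p2)` and use distinct texts, e.g. `"Transmitting VERIFY APDU failed"` on the transmit check and `"Card rejected the PIN/biometric verification"` on the status-word check. The instruction and P1 bytes `0x2E` and `0x24` passed to `sc_format_apdu` are unnamed magic numbers sitting next to the freshly named `PXS_AUTHOBJECT_PIN`/`PXS_AUTHOBJECT_BIO`; give them `#define`s with the same prefix. Since the APDU is case 1 it carries no PIN or template data, so presumably the secret is captured on the card or terminal itself — a one-line header comment stating that (and that `p2` is a bitmask of `PXS_AUTHOBJECT_*`) would save the next reader a trip to the applet spec, if that is indeed how PAccess works.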
@@ -600,6 +621,28 @@ int paccess_main(struct sc_context *ctx, sc_card_t *card, struct gengetopt_args_ "Chip authentication failed."); } + if (cmdline->verify_pin_given) { + sc_debug(ctx, SC_LOG_DEBUG_VERBOSE_TOOL, + "Verify PIN on the card."); + if (!paccess_verify(card, PXS_AUTHOBJECT_PIN)) + goto err; + pxs_reset_authobjects++; + } + if (cmdline->verify_bio_given) { + sc_debug(ctx, SC_LOG_DEBUG_VERBOSE_TOOL, + "Verify finger print on the card."); + if (!paccess_verify(card, PXS_AUTHOBJECT_BIO)) + goto err; + pxs_reset_authobjects++; + } + if (cmdline->verify_pin_or_bio_given) { + sc_debug(ctx, SC_LOG_DEBUG_VERBOSE_TOOL, + "Verify finger print or PIN on the card."); + if (!paccess_verify(card, PXS_AUTHOBJECT_PIN|PXS_AUTHOBJECT_BIO)) + goto err; + pxs_reset_authobjects++; + } + for (i = 0; i < cmdline->delete_dg_given; i++) { int fid = 0x0100 | cmdline->delete_dg_arg[i]; @@ -791,6 +834,8 @@ int paccess_main(struct sc_context *ctx, sc_card_t *card, struct gengetopt_args_ ok = 1; err: + if (pxs_reset_authobjects) + sc_reset(card, 0); if (certs) { for (i = 0; certs[i]; i++) { free((unsigned char *) certs[i]); @@ -844,6 +889,12 @@ main(int argc, char **argv) goto err; if (cmdline.pxs_mode_counter && !paccess_main(ctx, card, &cmdline)) goto err; + if (cmdline.soc_mode_counter == 0 && cmdline.pxs_mode_counter == 0 + && (cmdline.verify_pin_given + || cmdline.verify_bio_given + || cmdline.verify_pin_or_bio_given) + && !soc_main(ctx, card, &cmdline)) + goto err; fail = 0; diff --git a/src/tools/goid-tool.ggo.in b/src/tools/goid-tool.ggo.in index b6461663..3034e56c 100644 --- a/src/tools/goid-tool.ggo.in +++ b/src/tools/goid-tool.ggo.in 
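Review bot: The three verification branches added before the `delete_dg` loop are seven-line copies differing only in the log text and the P2 value, and they count successes in `pxs_reset_authobjects++`, whereas the sibling code in `soc_main` (visible in the `@@ -340` hunk) records which object was verified with `soc_reset_authobject |= SOCM_AUTHOBJECT_PIN`. For consistency, and so the err path could later clear only what was actually verified, I would write `pxs_reset_authobjects |= PXS_AUTHOBJECT_PIN;`, `pxs_reset_authobjects |= PXS_AUTHOBJECT_BIO;` and `pxs_reset_authobjects |= PXS_AUTHOBJECT_PIN|PXS_AUTHOBJECT_BIO;` in the respective branches. Note also that every `--verify-*` flag given sends its own VERIFY APDU, so `--verify-pin --verify-pin-or-bio` on one command line performs two verifications; whether that costs two retries on the card is not visible here and may be worth a sentence in the help text. The only feedback to the operator is the `sc_debug` line, which is presumably not shown without `-v`; if the card waits for on-device PIN entry or a finger, a prompt on stderr would avoid the tool appearing to hang — confirm against `soc_verify`, which is outside this hunk. `paccess_main` starts and ends outside the hunk.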
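Review bot: In the `@@ -791,6 +834,8 @@` hunk the return value of `sc_reset(card, 0)` is discarded, so if the warm reset fails the verified PIN/biometric security status stays on the card after the tool exits and nothing records it. I would at least log it: `if (pxs_reset_authobjects && sc_reset(card, 0) < 0)` followed by `sc_debug(ctx, SC_LOG_DEBUG_VERBOSE_TOOL, "Resetting the card failed; verified PIN/biometric state may persist.");`. A short comment is also warranted, because the variable name suggests a targeted reset of the authentication objects while the call is a whole-card warm reset (it also tears down whatever chip-authentication session precedes this point), e.g. `/* warm reset to drop the card's verified PIN/biometric status; no targeted reset is used here */`. The `err:` cleanup block continues past the end of the hunk.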
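Review bot: The new fallback in `main` (the `@@ -844,6 +889,12 @@` hunk) silently picks the SoCManager applet when `--verify-pin`, `--verify-bio` or `--verify-pin-or-bio` is given without any mode option, and neither the code nor the option help says so; an operator expecting the PAccess applet gets a verification against the wrong one with no hint in the log. I would turn the compound condition into a block with a comment and a debug line so the choice is visible, as below. The three `_given` checks are now a second copy of the list in `soc_main`/`paccess_main`; a new verify option must be added in all three places, which a comment at this site should mention. `main` starts and ends outside the hunk.
```c
	/* … unchanged: soc_main / paccess_main dispatch by mode counter … */
	if (cmdline.soc_mode_counter == 0 && cmdline.pxs_mode_counter == 0
			&& (cmdline.verify_pin_given
				|| cmdline.verify_bio_given
				|| cmdline.verify_pin_or_bio_given)) {
		/* No applet was selected on the command line: verification
		 * defaults to the SoCManager applet. Keep this list in sync with
		 * the verify options handled in soc_main() and paccess_main(). */
		sc_debug(ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
				"No applet selected, verifying against the SoCManager applet.");
		if (!soc_main(ctx, card, &cmdline))
			goto err;
	}
	/* … unchanged: fail = 0 and cleanup … */
```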
@@ -7,17 +7,17 @@ option "reader" r option "verbose" v "Use (several times) to be more verbose" multiple optional +option "verify-pin" p + "Verify PIN" + optional +option "verify-bio" b + "Verify finger print" + optional +option "verify-pin-or-bio" - + "Verify PIN or finger print (user's choice)" + optional defmode "soc" modedesc="Options for SoCManager Applet" -modeoption "verify-pin" p - "Verify PIN" - mode="soc" optional -modeoption "verify-bio" b - "Verify finger print" - mode="soc" optional -modeoption "verify-pin-or-bio" - - "Verify PIN or finger print (user's choice)" - mode="soc" optional modeoption "new-pin" - "Change PIN" mode="soc" optional
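Review bot: The help strings of the three options promoted from `modeoption` to global `option` still read "Verify PIN", "Verify finger print" and "Verify PIN or finger print (user's choice)", but the option is no longer tied to the SoCManager mode and which applet performs the verification now depends on the other options given (PAccess options select the PAccess applet, SoCManager options or no mode option select the SoCManager applet, per the `goid-tool.c` hunks). I would say so in each description, e.g. `"Verify PIN (against the PAccess applet when a PAccess option is given, otherwise against the SoCManager applet)"`, and likewise for the other two. Without it `goid-tool --help` gives no way to tell which applet `-p` talks to.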