From 986309db799e288082c1d9389147cd7277980766 Mon Sep 17 00:00:00 2001
From: "viktor.tarasov"
Date: Mon, 25 Jan 2010 16:10:54 +0000
Subject: [PATCH] libopensc: new operations for access control

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3939 c6295689-39f2-0310-b995-f0e70906c6a9
---
 src/libopensc/card-oberthur.c | 39 +++++++++++++++++++++++------------
 src/libopensc/opensc.h | 26 ++++++++++++++---------
 src/libopensc/types.h | 2 +-
 3 files changed, 43 insertions(+), 24 deletions(-)

diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c
index abcd33bf..c7816a1f 100644
--- a/src/libopensc/card-oberthur.c
+++ b/src/libopensc/card-oberthur.c
@@ -431,15 +431,24 @@ auth_process_fci(struct sc_card *card, struct sc_file *file, switch (file->ef_structure) { case SC_CARDCTL_OBERTHUR_KEY_DES: add_acl_entry(card, file, SC_AC_OP_UPDATE, attr[0]); - add_acl_entry(card, file, SC_AC_OP_READ, attr[1]); + add_acl_entry(card, file, SC_AC_OP_PSO_DECRYPT, attr[1]); + add_acl_entry(card, file, SC_AC_OP_PSO_ENCRYPT, attr[2]); + add_acl_entry(card, file, SC_AC_OP_PSO_COMPUTE_CHECKSUM, attr[3]); + add_acl_entry(card, file, SC_AC_OP_PSO_VERIFY_CHECKSUM, attr[4]); + add_acl_entry(card, file, SC_AC_OP_INTERNAL_AUTHENTICATE, attr[5]); + add_acl_entry(card, file, SC_AC_OP_EXTERNAL_AUTHENTICATE, attr[6]); break; case SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC: add_acl_entry(card, file, SC_AC_OP_UPDATE, attr[0]); - add_acl_entry(card, file, SC_AC_OP_READ, attr[2]); + add_acl_entry(card, file, SC_AC_OP_PSO_ENCRYPT, attr[2]); + add_acl_entry(card, file, SC_AC_OP_PSO_VERIFY_SIGNATURE, attr[4]); + add_acl_entry(card, file, SC_AC_OP_EXTERNAL_AUTHENTICATE, attr[6]); break; case SC_CARDCTL_OBERTHUR_KEY_RSA_CRT: add_acl_entry(card, file, SC_AC_OP_UPDATE, attr[0]); - add_acl_entry(card, file, SC_AC_OP_READ, attr[1]); + add_acl_entry(card, file, SC_AC_OP_PSO_DECRYPT, attr[1]); + add_acl_entry(card, file, SC_AC_OP_PSO_COMPUTE_SIGNATURE, attr[3]); + add_acl_entry(card, file, SC_AC_OP_INTERNAL_AUTHENTICATE, attr[5]); break; } } @@ -705,7 +714,7 @@ static int acl_to_ac_byte(struct sc_card *card, const struct sc_acl_entry *e) { if (e == NULL) - return -1; + return SC_ERROR_OBJECT_NOT_FOUND; switch (e->method) { case SC_AC_NONE: 
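Review bot: The three key-file cases now read `attr[3]` through `attr[6]`, where the old code stopped at `attr[2]`, and nothing in this hunk shows how many bytes `attr` holds. `attr` presumably points into FCI data returned by the card, so the length check earlier in auth_process_fci (the function starts outside this hunk) has to guarantee seven bytes before the switch is reached; a comment at the switch such as `/* attr[0..6] are read below; the FCI length check above must cover 7 bytes */` would keep the two in step. Separately, none of the key types gets an `SC_AC_OP_READ` entry any more, so a caller that still looks up READ on a key file will get whatever the lookup returns for an unset operation.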
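Review bot: Returning `SC_ERROR_OBJECT_NOT_FOUND` instead of `-1` for a NULL entry changes the failure value every caller of acl_to_ac_byte sees, so a caller that tests `== -1`, or that stores the result straight into an access-condition byte, would now treat the error code as data. Callers should test `rv < 0` before using the value; they are outside this hunk, as is the rest of the function body. A one-line contract comment above the function, `/* Returns the AC byte (>= 0) or a negative SC_ERROR_* code. */`, would make this explicit.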
@@ -874,25 +883,29 @@ encode_file_structure_V5(struct sc_card *card, const struct sc_file *file, if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_DES) { sc_debug(card->ctx, "EF_DES\n"); ops[0] = SC_AC_OP_UPDATE; - ops[1] = SC_AC_OP_CRYPTO; /* SC_AC_OP_DECRYPT */ - ops[2] = SC_AC_OP_CRYPTO; /* SC_AC_OP_ENCRYPT */ - ops[3] = SC_AC_OP_CRYPTO; /* SC_AC_OP_CHECKSUM */ - ops[4] = SC_AC_OP_CRYPTO; /* SC_AC_OP_CHECKSUM */ + ops[1] = SC_AC_OP_PSO_DECRYPT; + ops[2] = SC_AC_OP_PSO_ENCRYPT; + ops[3] = SC_AC_OP_PSO_COMPUTE_CHECKSUM; + ops[4] = SC_AC_OP_PSO_VERIFY_CHECKSUM; + ops[5] = SC_AC_OP_INTERNAL_AUTHENTICATE; + ops[6] = SC_AC_OP_EXTERNAL_AUTHENTICATE; } else if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) { sc_debug(card->ctx, "EF_RSA_PUBLIC\n"); ops[0] = SC_AC_OP_UPDATE; - ops[2] = SC_AC_OP_CRYPTO; /* SC_AC_OP_ENCRYPT */ - ops[4] = SC_AC_OP_CRYPTO; /* SC_AC_OP_SIGN */ + ops[2] = SC_AC_OP_PSO_ENCRYPT; + ops[4] = SC_AC_OP_PSO_VERIFY_SIGNATURE; + ops[6] = SC_AC_OP_EXTERNAL_AUTHENTICATE; } else if (file->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_CRT) { sc_debug(card->ctx, "EF_RSA_PRIVATE\n"); ops[0] = SC_AC_OP_UPDATE; - ops[1] = SC_AC_OP_CRYPTO; /* SC_AC_OP_ENCRYPT */ - ops[3] = SC_AC_OP_CRYPTO; /* SC_AC_OP_SIGN */ + ops[1] = SC_AC_OP_PSO_DECRYPT; + ops[3] = SC_AC_OP_PSO_COMPUTE_SIGNATURE; + ops[5] = SC_AC_OP_INTERNAL_AUTHENTICATE; } } - + for (ii = 0; ii < sizeof(ops); ii++) { const struct sc_acl_entry *entry; diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h index 5a173d5c..1d27cfad 100644 --- a/src/libopensc/opensc.h +++ b/src/libopensc/opensc.h @@ -90,7 +90,7 @@ extern "C" { #define SC_AC_UNKNOWN 0xFFFFFFFE #define SC_AC_NEVER 0xFFFFFFFF -/* Operations relating to access control (in case of DF) */ +/* Operations relating to access control */ #define SC_AC_OP_SELECT 0 #define SC_AC_OP_LOCK 1 #define SC_AC_OP_DELETE 2 
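Review bot: A key file whose ACLs were filled in only under `SC_AC_OP_CRYPTO`, the single operation the old mapping used for every slot, will have no entry for the new per-operation constants that the loop after this block looks up. What is encoded for a missing entry is decided in the loop body, which lies outside this hunk; it should fail closed (reject the file or encode the card's "never" condition) rather than emit a default byte. Also confirm that `ops` is declared with at least seven elements, since `ops[5]` and `ops[6]` are newly written here and the declaration is not visible. The loop bound `sizeof(ops)` is only an element count if `ops` is a byte array, so `sizeof(ops) / sizeof(ops[0])` would be the safer form.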
@@ -100,23 +100,29 @@ extern "C" { #define SC_AC_OP_LIST_FILES 6 #define SC_AC_OP_CRYPTO 7 #define SC_AC_OP_DELETE_SELF 8 +#define SC_AC_OP_PSO_DECRYPT 9 +#define SC_AC_OP_PSO_ENCRYPT 10 +#define SC_AC_OP_PSO_COMPUTE_SIGNATURE 11 +#define SC_AC_OP_PSO_VERIFY_SIGNATURE 12 +#define SC_AC_OP_PSO_COMPUTE_CHECKSUM 13 +#define SC_AC_OP_PSO_VERIFY_CHECKSUM 14 +#define SC_AC_OP_INTERNAL_AUTHENTICATE 15 +#define SC_AC_OP_EXTERNAL_AUTHENTICATE 16 +#define SC_AC_OP_PIN_DEFINE 17 +#define SC_AC_OP_PIN_CHANGE 18 +#define SC_AC_OP_PIN_RESET 19 + /* If you add more OPs here, make sure you increase * SC_MAX_AC_OPS in types.h */ -/* Operations relating to access control (in case of EF) */ +/* In case of EF re-use the OPs related to DF */ #define SC_AC_OP_READ 0 #define SC_AC_OP_UPDATE 1 +#define SC_AC_OP_WRITE 3 + /* the use of SC_AC_OP_ERASE is deprecated, SC_AC_OP_DELETE should be used * instead */ #define SC_AC_OP_ERASE SC_AC_OP_DELETE -#define SC_AC_OP_WRITE 3 -/* rehab and invalidate are the same as in DF case */ - -/* Special 'Oberthur IdOne AuthentIC's case: - * re-use the existing DF ACLs that are not relevant to this card. */ -#define SC_AC_OP_PIN_DEFINE SC_AC_OP_LOCK -#define SC_AC_OP_PIN_CHANGE SC_AC_OP_REHABILITATE -#define SC_AC_OP_PIN_RESET SC_AC_OP_DELETE_SELF /* various maximum values */ #define SC_MAX_READER_DRIVERS 6 diff --git a/src/libopensc/types.h b/src/libopensc/types.h index 5ede7de6..2c7d3f37 100644 --- a/src/libopensc/types.h +++ b/src/libopensc/types.h @@ -66,7 +66,7 @@ typedef struct sc_acl_entry { struct sc_acl_entry *next; } sc_acl_entry_t; -#define SC_MAX_AC_OPS 9 +#define SC_MAX_AC_OPS 20 typedef struct sc_file { struct sc_path path;
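Review bot: `SC_AC_OP_PIN_DEFINE`, `SC_AC_OP_PIN_CHANGE` and `SC_AC_OP_PIN_RESET` stop aliasing `SC_AC_OP_LOCK`, `SC_AC_OP_REHABILITATE` and `SC_AC_OP_DELETE_SELF` and become 17, 18 and 19, so an ACL stored under the old alias is no longer found when code looks up the new index. Drivers and profiles that set PIN access conditions through the DF operation names should be audited in the same change, otherwise PIN operations may be evaluated against an empty ACL slot. The link between the highest operation (19) and `SC_MAX_AC_OPS` (20, in the types.h hunk) is kept only by the comment. A compile-time check placed where both headers are visible, for example `typedef char sc_ac_ops_fit[(SC_AC_OP_PIN_RESET < SC_MAX_AC_OPS) ? 1 : -1];`, would enforce it.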