giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added (external) card driver for German ID card 

(Imported libcardnpa from https://github.com/frankmorgner/vsmartcard)

- Added generic SM implementation of ISO/IEC 7816-8
- Added implementation of extended access control as defined by
  - BSI TR-03110
  - ICAO Doc 9303
  - ISO/IEC 7501
- Added tool for German ID card (and other EAC tokens)
- renamed folder libsm to sm
This commit is contained in:
Frank Morgner 2015-11-06 08:24:16 +01:00 committed by Frank Morgner
parent dae323ea50
commit a4f64d9439
44 changed files with 9633 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -67,7 +67,7 @@ doc/tools/netkey-tool
doc/tools/openpgp-tool
doc/tools/opensc-explorer
doc/tools/opensc-tool
src/tools/gids-tool
doc/tools/gids-tool
doc/tools/piv-tool
doc/tools/pkcs11-tool
doc/tools/pkcs15-crypt
@ -76,7 +76,6 @@ doc/tools/pkcs15-tool
doc/tools/sc-hsm-tool
doc/tools/westcos-tool
doc/tools/dnie-tool
doc/tools/gids-tool
etc/opensc.conf.win
etc/opensc.conf
@ -101,7 +100,8 @@ src/tools/cryptoflex-tool
src/tools/netkey-tool
src/tools/pkcs11-tool
src/tools/dnie-tool
src/tools/gids-tool
src/tools/npa-tool
src/tools/sceac-example
win32/OpenSC.iss
win32/OpenSC.wxs

20
.travis.yml
View File

@ -13,6 +13,7 @@ addons:
- mingw-w64
- wine
- xsltproc
- gengetopt
coverity_scan:
project:
name: "OpenSC/OpenSC"
@ -45,6 +46,14 @@ matrix:
- os: linux
env: HOST=i686-w64-mingw32
before_install:
- if [ "$TRAVIS_OS_NAME" == "osx" ]; then
brew update;
brew uninstall libtool;
brew install libtool;
brew install gengetopt;
fi
before_script:
# we run a weekly cron job in travis on the coverity branch
# just synchronize it with master to get a new report
@ -53,7 +62,7 @@ before_script:
fi
- ./bootstrap
- if [ -z "$HOST" ]; then
CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
else
if [ ! -f "$(winepath 'C:/Program Files (x86)/Inno Setup 5/ISCC.exe')" ]; then
/sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16;
@ -90,13 +99,4 @@ after_script:
killall services.exe;
fi
before_install:
- if [ "$TRAVIS_OS_NAME" != "linux" ]; then
brew update;
brew uninstall libtool;
brew install libtool;
brew install libdvbpsi libhdhomerun;
fi
cache: ccache

103
configure.ac
View File

@ -168,6 +168,13 @@ AC_ARG_ENABLE(
[enable_openssl="detect"]
)
AC_ARG_ENABLE(
[openpace],
[AS_HELP_STRING([--enable-openpace],[enable OpenPACE linkage @<:@detect@:>@])],
,
[enable_openpace="detect"]
)
AC_ARG_ENABLE(
[openct],
[AS_HELP_STRING([--enable-openct],[enable openct linkage @<:@disabled@:>@])],
@ -354,7 +361,7 @@ AC_FUNC_ERROR_AT_LINE
AC_FUNC_STAT
AC_FUNC_VPRINTF
AC_CHECK_FUNCS([ \
getpass gettimeofday memset mkdir \
getpass gettimeofday getline memset mkdir \
strdup strerror getopt_long getopt_long_only \
strlcpy strlcat strnlen
])
@ -552,6 +559,88 @@ else
OPENSSL_LIBS=""
fi
PKG_CHECK_EXISTS([libeac], [PKG_CHECK_MODULES([OPENPACE], [libeac >= 0.9])],
[AC_MSG_WARN([libeac not found by pkg-config])])
saved_CPPFLAGS="$CPPFLAGS"
saved_LIBS="$LIBS"
CPPFLAGS="$CPPFLAGS $OPENPACE_CFLAGS"
LIBS="$LDFLAGS $OPENPACE_LIBS"
have_openpace="yes"
AC_CHECK_HEADERS(eac/eac.h, [],
[ AC_MSG_WARN([OpenPACE headers not found])
have_openpace="no" ])
AC_MSG_CHECKING([for EAC_CTX_init_pace])
AC_TRY_LINK_FUNC(EAC_CTX_init_pace, [ AC_MSG_RESULT([yes]) ],
[ AC_MSG_WARN([Cannot link against libeac])
have_openpace="no" ])
CPPFLAGS="$saved_CPPFLAGS"
LIBS="$saved_LIBS"
AC_ARG_ENABLE(cvcdir,
AC_HELP_STRING([--enable-cvcdir=DIR],
[directory containing CV certificates (default is determined by libeac)]),
[cvcdir="${enableval}"],
[cvcdir=false])
if test "${cvcdir}" = false ; then
cvcdir="`$PKG_CONFIG libeac --variable=cvcdir`"
fi
if test "${cvcdir}" = "" ; then
AC_MSG_WARN([use --enable-cvcdir=DIR])
fi
CVCDIR="${cvcdir}"
AC_SUBST(CVCDIR)
AC_ARG_ENABLE(x509dir,
AC_HELP_STRING([--enable-x509dir=DIR],
[directory containing X.509 certificates (default is determined by libeac)]),
[x509dir="${enableval}"],
[x509dir=false])
if test "${x509dir}" = false ; then
x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
fi
if test -z "${x509dir}"
then
x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
fi
if test -z "${x509dir}"
then
AC_MSG_WARN([use --enable-x509dir=DIR])
fi
X509DIR="${x509dir}"
AC_SUBST(X509DIR)
case "${enable_openpace}" in
no)
have_openpace="no"
;;
detect)
if test "${have_openpace}" = "yes"; then
enable_openpace="yes"
else
enable_openpace="no"
fi
;;
esac
if test "${enable_openpace}" = "yes"; then
if test "${have_openpace}" = "yes"; then
AC_DEFINE([ENABLE_OPENPACE], [1], [Use OpenPACE libraries and header files])
else
AC_MSG_ERROR([OpenPACE linkage required, but no OpenPACE was found])
fi
else
OPENPACE_CFLAGS=""
OPENPACE_LIBS=""
fi
if test "${enable_sm}" = "yes"; then
AC_DEFINE([ENABLE_SM], [1], [Enable secure messaging support])
@ -672,6 +761,13 @@ if test "${enable_man}" = "yes" -o "${enable_doc}" = "yes"; then
AC_MSG_RESULT([ok])
fi
AC_ARG_VAR([HELP2MAN],
[absolute path to help2man used for man page generation of npa-tool])
AC_PATH_PROG(HELP2MAN, help2man, not found)
AC_ARG_VAR([GENGETOPT],
[absolute path to gengetopt used for command line parsing of npa-tool])
AC_PATH_PROG(GENGETOPT, gengetopt, not found)
OPENSC_FEATURES=""
if test "${enable_thread_locking}" = "yes"; then
OPENSC_FEATURES="${OPENSC_FEATURES} locking"
@ -770,6 +866,7 @@ AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"])
AM_CONDITIONAL([ENABLE_SM], [test "${enable_sm}" = "yes"])
AM_CONDITIONAL([ENABLE_DNIE_UI], [test "${enable_dnie_ui}" = "yes"])
AM_CONDITIONAL([ENABLE_NPATOOL], [test "${ENABLE_NPATOOL}" = "yes"])
AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
if test "${enable_pedantic}" = "yes"; then
@ -796,7 +893,7 @@ AC_CONFIG_FILES([
src/Makefile
src/common/Makefile
src/libopensc/Makefile
src/libsm/Makefile
src/sm/Makefile
src/pkcs11/Makefile
src/pkcs11/versioninfo-pkcs11.rc
src/pkcs11/versioninfo-pkcs11-spy.rc
@ -877,6 +974,8 @@ ZLIB_CFLAGS: ${ZLIB_CFLAGS}
ZLIB_LIBS: ${ZLIB_LIBS}
OPENSSL_CFLAGS: ${OPENSSL_CFLAGS}
OPENSSL_LIBS: ${OPENSSL_LIBS}
OPENPACE_CFLAGS: ${OPENPACE_CFLAGS}
OPENPACE_LIBS: ${OPENPACE_LIBS}
OPENCT_CFLAGS: ${OPENCT_CFLAGS}
OPENCT_LIBS: ${OPENCT_LIBS}
PCSC_CFLAGS: ${PCSC_CFLAGS}

28
etc/opensc.conf.in
View File

@ -133,7 +133,7 @@ app default {
# Default: internal
# NOTE: When "internal" keyword is used, must be last entry
#
# card_drivers = customcos, internal;
card_drivers = npa, internal;
# Card driver configuration blocks.
@ -145,6 +145,32 @@ app default {
# module = @LIBDIR@@LIB_PRE@card_customcos@DYN_LIB_EXT@;
# }
card_driver npa {
# The location of the driver library
module = @LIBDIR@@LIB_PRE@cardnpa@DYN_LIB_EXT@;
# German ID card requires the CAN to be verified before QES PIN. This,
# however, is not part of the PKCS#15 profile of the card. So for
# verifying the QES PIN we actually need both. The CAN may be given
# here. If the CAN is not given here, it will be prompted on the
# command line or on the reader (depending on the reader's
# capabilities).
#
#can = 222222;
# QES is only possible with a Comfort Reader (CAT-K), which holds a
# cryptographic key to authenticate itself as signature terminal (ST).
# We usually will use the reader's capability to sign the data.
# However, during developement you may specify soft certificates and
# keys for a ST below.
# The following example EAC PKI can be found in vicc's example data:
# https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data
#
#st_dv_certificate = ZZSTDVCA00001.cvcert;
#st_certificate = ZZSTTERM00001.cvcert;
#st_key = ZZSTTERM00001.pkcs8;
}
# Force using specific card driver
#
# If this option is present, OpenSC will use the supplied

6
src/Makefile.am
View File

@ -2,9 +2,9 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
EXTRA_DIST = Makefile.mak
# Order IS important
SUBDIRS = common scconf pkcs15init libopensc pkcs11 \
tools tests minidriver
SUBDIRS = common scconf pkcs15init sm \
libopensc pkcs11 tools tests minidriver
if ENABLE_SM
SUBDIRS += libsm smm
SUBDIRS += smm
endif

3
src/Makefile.mak
View File

@ -1,6 +1,7 @@
TOPDIR = ..
SUBDIRS = common scconf libsm pkcs15init libopensc pkcs11 tools tests
SUBDIRS = common scconf sm pkcs15init \
libopensc pkcs11 tools tests
default: all

15
src/libopensc/Makefile.am
View File

@ -4,7 +4,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
EXTRA_DIST = Makefile.mak
lib_LTLIBRARIES = libopensc.la
lib_LTLIBRARIES = libopensc.la libcardnpa.la
noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem.h \
internal-winscard.h p15card-helper.h pkcs15-syn.h \
opensc.h pkcs15.h \
@ -12,7 +12,7 @@ noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem.
errors.h types.h compression.h itacns.h iso7816.h \
authentic.h iasecc.h iasecc-sdo.h sm.h card-sc-hsm.h \
pace.h cwa14890.h cwa-dnie.h card-gids.h aux-data.h \
jpki.h sc-ossl-compat.h
jpki.h sc-ossl-compat.h card-npa.h
AM_CPPFLAGS = -DOPENSC_CONF_PATH=\"$(sysconfdir)/opensc.conf\" \
-I$(top_srcdir)/src
@ -63,6 +63,7 @@ libopensc_la_LIBADD = $(OPTIONAL_OPENSSL_LIBS) $(OPTIONAL_OPENCT_LIBS) \
$(top_builddir)/src/pkcs15init/libpkcs15init.la \
$(top_builddir)/src/scconf/libscconf.la \
$(top_builddir)/src/common/libscdl.la \
$(top_builddir)/src/sm/libsmeac.la \
$(top_builddir)/src/common/libcompat.la
if WIN32
libopensc_la_LIBADD += -lws2_32
@ -72,6 +73,16 @@ libopensc_la_LDFLAGS = $(AM_LDFLAGS) \
-export-symbols "$(srcdir)/libopensc.exports" \
-no-undefined
libcardnpa_la_SOURCES = card-npa.c cardnpa.exports
libcardnpa_la_LIBADD = $(OPENPACE_LIBS) \
$(top_builddir)/src/common/libcompat.la \
libopensc.la
libcardnpa_la_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS)
libcardnpa_la_LDFLAGS = $(AM_LDFLAGS) \
-version-info @OPENSC_LT_CURRENT@:@OPENSC_LT_REVISION@:@OPENSC_LT_AGE@ \
-export-symbols "$(srcdir)/cardnpa.exports" \
-no-undefined
if WIN32
# def file required for MS users to build library
mylibdir=$(libdir)

13
src/libopensc/Makefile.mak
View File

@ -40,9 +40,13 @@ OBJECTS = \
LIBS = $(TOPDIR)\src\scconf\scconf.lib \
$(TOPDIR)\src\common\common.lib \
$(TOPDIR)\src\common\libscdl.lib \
$(TOPDIR)\src\sm\libsmeac.lib \
$(TOPDIR)\src\pkcs15init\pkcs15init.lib
all: $(TOPDIR)\win32\versioninfo.res $(TARGET)
TARGET1 = cardnpa.dll
OBJECTS1 = card-npa.obj
all: $(TOPDIR)\win32\versioninfo.res $(TARGET) $(TARGET1)
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
@ -55,3 +59,10 @@ opensc.dll: $(OBJECTS) $(LIBS)
opensc_a.lib: $(OBJECTS) $(LIBS)
lib $(LIBFLAGS) /out:opensc_a.lib $(OBJECTS) $(LIBS) $(OPENSSL_LIB) $(ZLIB_LIB) user32.lib advapi32.lib ws2_32.lib
$(TARGET1): $(OBJECTS1) opensc_a.lib
echo LIBRARY $* > $*.def
echo EXPORTS >> $*.def
type $*.exports >> $*.def
link /dll $(LINKFLAGS) /def:$*.def /implib:$*.lib /out:$(TARGET1) $(OBJECTS1) opensc_a.lib $(ZLIB_LIB) $(OPENPACE_LIB) $(OPENSSL_LIB) ws2_32.lib gdi32.lib advapi32.lib Crypt32.lib User32.lib
if EXIST $(TARGET).manifest mt -manifest $(TARGET1).manifest -outputresource:$(TARGET1);2

724
src/libopensc/card-npa.c Normal file
View File

@ -0,0 +1,724 @@
/*
* card-npa.c: Recognize known German identity cards
*
* Copyright (C) 2011-2015 Frank Morgner <frankmorgner@gmail.com>
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "card-npa.h"
#include "libopensc/internal.h"
#include "libopensc/opensc.h"
#include "libopensc/pace.h"
#include "libopensc/sm.h"
#include "sm/sm-eac.h"
#include <string.h>
#include "../tools/fread_to_eof.c"
struct npa_drv_data {
const char *can;
unsigned char *st_dv_certificate;
size_t st_dv_certificate_len;
unsigned char *st_certificate;
size_t st_certificate_len;
unsigned char *st_key;
size_t st_key_len;
unsigned char *ef_cardaccess;
size_t ef_cardaccess_length;
unsigned char *ef_cardsecurity;
size_t ef_cardsecurity_length;
};
static struct npa_drv_data *npa_drv_data_create(void)
{
struct npa_drv_data *drv_data = calloc(1, sizeof *drv_data);
return drv_data;
}
static void npa_drv_data_free(struct npa_drv_data *drv_data)
{
if (drv_data) {
free(drv_data->ef_cardaccess);
free(drv_data->ef_cardsecurity);
free(drv_data->st_certificate);
free(drv_data->st_dv_certificate);
free(drv_data->st_key);
free(drv_data);
}
}
static struct sc_atr_table npa_atrs[] = {
{"3B:8A:80:01:80:31:F8:73:F7:41:E0:82:90:00:75",
"FF:FF:FF:FF:FF:FF:00:FF:00:00:FF:FF:FF:FF:00",
"German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
{"3B:88:80:01:00:00:00:00:00:00:00:00:09", NULL,
"German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
{"3B:87:80:01:80:31:B8:73:84:01:E0:19", NULL,
"German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
{"3B:84:80:01:00:00:90:00:95", NULL,
"German ID card (Test neuer Personalausweis)", SC_CARD_TYPE_NPA_TEST, 0, NULL},
{"3B:88:80:01:00:E1:F3:5E:13:77:83:00:00",
"FF:FF:FF:FF:00:FF:FF:FF:FF:FF:FF:FF:00",
"German ID card (Test Online-Ausweisfunktion)", SC_CARD_TYPE_NPA_ONLINE, 0, NULL},
{NULL, NULL, NULL, 0, 0, NULL}
};
static struct sc_card_operations npa_ops;
static struct sc_card_driver npa_drv = {
"German ID card (neuer Personalausweis, nPA)",
"npa",
&npa_ops,
NULL, 0, NULL
};
static int npa_load_options(sc_context_t *ctx, struct npa_drv_data *drv_data)
{
int r;
size_t i, j;
scconf_block **found_blocks, *block;
const char *file;
if (!ctx || !drv_data) {
r = SC_ERROR_INTERNAL;
goto err;
}
for (i = 0; ctx->conf_blocks[i]; i++) {
found_blocks = scconf_find_blocks(ctx->conf, ctx->conf_blocks[i],
"card_driver", "npa");
if (!found_blocks)
continue;
for (j = 0, block = found_blocks[j]; block; j++, block = found_blocks[j]) {
if (!drv_data->can)
drv_data->can = scconf_get_str(block, "can", NULL);
if (!drv_data->st_dv_certificate
|| !drv_data->st_dv_certificate_len) {
file = scconf_get_str(block, "st_dv_certificate", NULL);
if (!fread_to_eof(file,
(unsigned char **) &drv_data->st_dv_certificate,
&drv_data->st_dv_certificate_len))
sc_log(ctx, "Waring: Could not read %s.\n", file);
}
if (!drv_data->st_certificate
|| !drv_data->st_certificate_len) {
file = scconf_get_str(block, "st_certificate", NULL);
if (!fread_to_eof(file,
(unsigned char **) &drv_data->st_certificate,
&drv_data->st_certificate_len))
sc_log(ctx, "Waring: Could not read %s.\n", file);
}
if (!drv_data->st_key
|| !drv_data->st_key_len) {
file = scconf_get_str(block, "st_key", NULL);
if (!fread_to_eof(file,
(unsigned char **) &drv_data->st_key,
&drv_data->st_key_len))
sc_log(ctx, "Waring: Could not read %s.\n", file);
}
}
free(found_blocks);
}
r = SC_SUCCESS;
err:
return r;
}
static int npa_match_card(sc_card_t * card)
{
if (_sc_match_atr(card, npa_atrs, &card->type) < 0)
return 0;
return 1;
}
static void npa_get_cached_pace_params(sc_card_t *card,
struct establish_pace_channel_input *pace_input,
struct establish_pace_channel_output *pace_output)
{
struct npa_drv_data *drv_data;
if (card->drv_data) {
drv_data = card->drv_data;
if (pace_output) {
pace_output->ef_cardaccess = drv_data->ef_cardaccess;
pace_output->ef_cardaccess_length = drv_data->ef_cardaccess_length;
}
if (pace_input && pace_input->pin_id == PACE_PIN_ID_CAN) {
pace_input->pin = (const unsigned char *) drv_data->can;
pace_input->pin_length = drv_data->can ? strlen(drv_data->can) : 0;
}
}
}
static void npa_get_cached_ta_params(sc_card_t *card,
const unsigned char *certs[2], size_t certs_lens[2],
const unsigned char **st_key, size_t *st_key_len)
{
struct npa_drv_data *drv_data;
size_t i;
if (card->drv_data) {
drv_data = card->drv_data;
if (certs && certs_lens) {
i = 0;
if (drv_data->st_dv_certificate) {
certs[i] = drv_data->st_dv_certificate;
certs_lens[i] = drv_data->st_dv_certificate_len;
i++;
}
if (drv_data->st_certificate) {
certs[i] = drv_data->st_certificate;
certs_lens[i] = drv_data->st_certificate_len;
}
}
if (st_key && st_key_len) {
*st_key = drv_data->st_key;
*st_key_len = drv_data->st_key_len;
}
}
}
static void npa_get_cached_ca_params(sc_card_t *card,
unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_length)
{
struct npa_drv_data *drv_data;
if (card->drv_data) {
drv_data = card->drv_data;
if (ef_cardsecurity && ef_cardsecurity_length) {
*ef_cardsecurity = drv_data->ef_cardsecurity;
*ef_cardsecurity_length = drv_data->ef_cardsecurity_length;
}
}
}
static void npa_cache_or_free(sc_card_t *card,
unsigned char **ef_cardaccess, size_t *ef_cardaccess_length,
unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_length)
{
struct npa_drv_data *drv_data;
if (card && card->drv_data) {
drv_data = card->drv_data;
if (ef_cardaccess && ef_cardaccess_length
&& *ef_cardaccess && *ef_cardaccess_length) {
drv_data->ef_cardaccess = *ef_cardaccess;
drv_data->ef_cardaccess_length = *ef_cardaccess_length;
*ef_cardaccess = NULL;
*ef_cardaccess_length = 0;
}
if (ef_cardsecurity && ef_cardsecurity_length
&& *ef_cardsecurity && *ef_cardsecurity_length) {
drv_data->ef_cardsecurity = *ef_cardsecurity;
drv_data->ef_cardsecurity_length = *ef_cardsecurity_length;
*ef_cardsecurity = NULL;
*ef_cardsecurity_length = 0;
}
} else {
if (ef_cardaccess && ef_cardaccess_length) {
free(*ef_cardaccess);
*ef_cardaccess = NULL;
*ef_cardaccess_length = 0;
}
if (ef_cardsecurity && ef_cardsecurity_length) {
free(*ef_cardsecurity);
*ef_cardsecurity = NULL;
*ef_cardsecurity_length = 0;
}
}
}
static int npa_unlock_esign(sc_card_t *card)
{
int r = SC_ERROR_INTERNAL;
struct establish_pace_channel_input pace_input;
struct establish_pace_channel_output pace_output;
const unsigned char *certs[] = { NULL, NULL };
size_t certs_lens[] = { 0, 0};
const unsigned char *st_key = NULL;
size_t st_key_len = 0;
unsigned char *ef_cardsecurity = NULL;
size_t ef_cardsecurity_len = 0;
memset(&pace_input, 0, sizeof pace_input);
memset(&pace_output, 0, sizeof pace_output);
if (!card) {
r = SC_ERROR_INVALID_CARD;
goto err;
}
sc_log(card->ctx, "Will verify CAN first for unlocking eSign application.\n");
pace_input.chat = esign_chat;
pace_input.chat_length = sizeof esign_chat;
pace_input.pin_id = PACE_PIN_ID_CAN;
npa_get_cached_pace_params(card, &pace_input, &pace_output);
npa_get_cached_ta_params(card, certs, certs_lens, &st_key, &st_key_len);
npa_get_cached_ca_params(card, &ef_cardsecurity, &ef_cardsecurity_len);
if (!(card->reader && (card->reader->capabilities & SC_READER_CAP_PACE_ESIGN))
&& (!st_key || !st_key_len)) {
sc_log(card->ctx, "QES requires a comfort reader (CAT-K) or a ST certificate.\n");
r = SC_ERROR_NOT_SUPPORTED;
goto err;
}
/* FIXME set flags with opensc.conf */
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_ALL;
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_TA;
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_CA;
/* FIXME show an alert to the user if can == NULL */
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
if (SC_SUCCESS != r) {
sc_log(card->ctx, "Error verifying CAN.\n");
goto err;
}
if (card->reader->capabilities & SC_READER_CAP_PACE_ESIGN) {
sc_log(card->ctx, "Proved Access rights to eSign application with comfort reader (CAT-K).\n");
} else {
r = perform_terminal_authentication(card, certs, certs_lens, st_key,
st_key_len, NULL, 0);
if (r != SC_SUCCESS) {
sc_log(card->ctx, "Error authenticating as signature terminal.\n");
goto err;
}
r = perform_chip_authentication(card, &ef_cardsecurity, &ef_cardsecurity_len);
if ( SC_SUCCESS != r) {
sc_log(card->ctx, "Error verifying the chips authenticy.\n");
}
sc_log(card->ctx, "Proved Access rights to eSign application with configured key as ST.\n");
}
err:
npa_cache_or_free(card, &pace_output.ef_cardaccess,
&pace_output.ef_cardaccess_length,
&ef_cardsecurity, &ef_cardsecurity_len);
free(pace_output.recent_car);
free(pace_output.previous_car);
free(pace_output.id_icc);
free(pace_output.id_pcd);
return r;
}
static int npa_init(sc_card_t * card)
{
int flags = SC_ALGORITHM_ECDSA_RAW;
int ext_flags = 0;
int r;
if (!card) {
r = SC_ERROR_INVALID_CARD;
goto err;
}
card->caps |= SC_CARD_CAP_APDU_EXT | SC_CARD_CAP_RNG;
/* 1520 bytes is the minimum lenght of the communication buffer in all
* Chip/OS variants */
card->max_recv_size = 1520;
card->max_send_size = 1520;
#ifdef ENABLE_SM
memset(&card->sm_ctx, 0, sizeof card->sm_ctx);
#endif
r = _sc_card_add_ec_alg(card, 192, flags, ext_flags, NULL);
if (r != SC_SUCCESS)
goto err;
r = _sc_card_add_ec_alg(card, 224, flags, ext_flags, NULL);
if (r != SC_SUCCESS)
goto err;
r = _sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
if (r != SC_SUCCESS)
goto err;
/* nPA does not encode the proprietary fieldSize in PrivateECKeyAttributes,
* which leaves it at 0 for OpenSC, so we need to add 0x00 as supported
* field_length */
r = _sc_card_add_ec_alg(card, 0, flags, ext_flags, NULL);
if (r != SC_SUCCESS)
goto err;
#ifdef ENABLE_OPENPACE
EAC_init();
#endif
card->drv_data = npa_drv_data_create();
r = npa_load_options(card->ctx, card->drv_data);
if (r != SC_SUCCESS)
goto err;
/* unlock the eSign application for reading the certificates
* by the PKCS#15 layer (i.e. sc_pkcs15_bind_internal) */
if (SC_SUCCESS != npa_unlock_esign(card))
sc_log(card->ctx, "Propably not all functionality will be available.\n");
err:
return r;
}
static int npa_finish(sc_card_t * card)
{
sc_sm_stop(card);
npa_drv_data_free(card->drv_data);
card->drv_data = NULL;
#ifdef ENABLE_OPENPACE
EAC_cleanup();
#endif
return SC_SUCCESS;
}
static int npa_set_security_env(struct sc_card *card,
const struct sc_security_env *env, int se_num)
{
int r;
struct sc_card_driver *iso_drv;
struct sc_security_env fixed_env;
iso_drv = sc_get_iso7816_driver();
if (!env || !iso_drv || !iso_drv->ops || !iso_drv->ops->set_security_env) {
r = SC_ERROR_INTERNAL;
} else {
memcpy(&fixed_env, env, sizeof fixed_env);
if (env->operation == SC_SEC_OPERATION_SIGN) {
/* The pkcs#15 layer assumes that the field_size of the private key
* object is correctly initialized and wants to include it as
* algorithm reference. We disable it here */
fixed_env.flags &= ~SC_SEC_ENV_ALG_REF_PRESENT;
}
r = iso_drv->ops->set_security_env(card, &fixed_env, se_num);
}
return r;
}
static int npa_pin_cmd_get_info(struct sc_card *card,
struct sc_pin_cmd_data *data, int *tries_left)
{
int r;
u8 pin_reference;
if (!data || data->pin_type != SC_AC_CHV || !tries_left) {
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
pin_reference = data->pin_reference;
switch (data->pin_reference) {
case PACE_PIN_ID_CAN:
case PACE_PIN_ID_MRZ:
/* usually unlimited number of retries */
*tries_left = -1;
data->pin1.max_tries = -1;
data->pin1.tries_left = -1;
r = SC_SUCCESS;
break;
case PACE_PIN_ID_PUK:
/* usually 10 tries */
*tries_left = 10;
data->pin1.max_tries = 10;
r = npa_pace_get_tries_left(card,
pin_reference, tries_left);
data->pin1.tries_left = *tries_left;
break;
case PACE_PIN_ID_PIN:
/* usually 3 tries */
*tries_left = 3;
data->pin1.max_tries = 3;
r = npa_pace_get_tries_left(card,
pin_reference, tries_left);
data->pin1.tries_left = *tries_left;
break;
default:
r = SC_ERROR_OBJECT_NOT_FOUND;
goto err;
}
err:
return r;
}
static int npa_pace_verify(struct sc_card *card,
unsigned char pin_reference, struct sc_pin_cmd_pin *pin,
const unsigned char *chat, size_t chat_length, int *tries_left)
{
int r;
struct establish_pace_channel_input pace_input;
struct establish_pace_channel_output pace_output;
memset(&pace_input, 0, sizeof pace_input);
memset(&pace_output, 0, sizeof pace_output);
if (chat) {
pace_input.chat = chat;
pace_input.chat_length = chat_length;
}
pace_input.pin_id = pin_reference;
if (pin) {
pace_input.pin = pin->data;
pace_input.pin_length = pin->len;
}
npa_get_cached_pace_params(card, &pace_input, &pace_output);
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
if (tries_left) {
if (pace_output.mse_set_at_sw1 == 0x63
&& (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0) {
*tries_left = pace_output.mse_set_at_sw2 & 0x0f;
} else {
*tries_left = -1;
}
}
/* resume the PIN if needed */
if (pin_reference == PACE_PIN_ID_PIN
&& r != SC_SUCCESS
&& pace_output.mse_set_at_sw1 == 0x63
&& (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0
&& (pace_output.mse_set_at_sw2 & 0x0f) <= UC_PIN_SUSPENDED) {
/* TODO ask for user consent when automatically resuming the PIN */
sc_log(card->ctx, "%s is suspended. Will try to resume it with %s.\n",
npa_secret_name(pin_reference), npa_secret_name(PACE_PIN_ID_CAN));
pace_input.pin_id = PACE_PIN_ID_CAN;
pace_input.pin = NULL;
pace_input.pin_length = 0;
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
if (r == SC_SUCCESS) {
pace_input.pin_id = pin_reference;
if (pin) {
pace_input.pin = pin->data;
pace_input.pin_length = pin->len;
}
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
if (r == SC_SUCCESS) {
sc_log(card->ctx, "%s resumed.\n");
if (tries_left) {
*tries_left = MAX_PIN_TRIES;
}
} else {
if (tries_left) {
if (pace_output.mse_set_at_sw1 == 0x63
&& (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0) {
*tries_left = pace_output.mse_set_at_sw2 & 0x0f;
} else {
*tries_left = -1;
}
}
}
}
}
if (pin_reference == PACE_PIN_ID_PIN && tries_left) {
if (*tries_left == 0) {
sc_log(card->ctx, "%s is suspended and must be resumed.\n",
npa_secret_name(pin_reference));
} else if (*tries_left == 1) {
sc_log(card->ctx, "%s is blocked and must be unblocked.\n",
npa_secret_name(pin_reference));
}
}
npa_cache_or_free(card, &pace_output.ef_cardaccess,
&pace_output.ef_cardaccess_length, NULL, NULL);
free(pace_output.recent_car);
free(pace_output.previous_car);
free(pace_output.id_icc);
free(pace_output.id_pcd);
return r;
}
static int npa_standard_pin_cmd(struct sc_card *card,
struct sc_pin_cmd_data *data, int *tries_left)
{
int r;
struct sc_card_driver *iso_drv;
iso_drv = sc_get_iso7816_driver();
if (!iso_drv || !iso_drv->ops || !iso_drv->ops->pin_cmd) {
r = SC_ERROR_INTERNAL;
} else {
r = iso_drv->ops->pin_cmd(card, data, tries_left);
}
return r;
}
static int npa_pin_cmd(struct sc_card *card,
struct sc_pin_cmd_data *data, int *tries_left)
{
int r;
if (!data) {
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
if (data->pin_type != SC_AC_CHV) {
r = SC_ERROR_NOT_SUPPORTED;
goto err;
}
switch (data->cmd) {
case SC_PIN_CMD_GET_INFO:
r = npa_pin_cmd_get_info(card, data, tries_left);
if (r != SC_SUCCESS)
goto err;
break;
case SC_PIN_CMD_UNBLOCK:
#ifdef ENABLE_SM
/* opensc-explorer unblocks the PIN by only sending
* SC_PIN_CMD_UNBLOCK whereas the PKCS#15 framework first verifies
* the PUK with SC_PIN_CMD_VERIFY and then calls with
* SC_PIN_CMD_UNBLOCK.
*
* Here we determine whether the PUK has been verified or not by
* checking if an SM channel has been established. */
if (card->sm_ctx.sm_mode != SM_MODE_TRANSMIT) {
/* PUK has not yet been verified */
r = npa_pace_verify(card, PACE_PIN_ID_PUK, &(data->pin1), NULL,
0, NULL);
if (r != SC_SUCCESS)
goto err;
}
#endif
r = npa_reset_retry_counter(card, data->pin_reference, 0,
NULL, 0);
if (r != SC_SUCCESS)
goto err;
break;
case SC_PIN_CMD_CHANGE:
case SC_PIN_CMD_VERIFY:
switch (data->pin_reference) {
case PACE_PIN_ID_CAN:
case PACE_PIN_ID_PUK:
case PACE_PIN_ID_MRZ:
case PACE_PIN_ID_PIN:
r = npa_pace_verify(card, data->pin_reference,
&(data->pin1), NULL, 0, tries_left);
if (r != SC_SUCCESS)
goto err;
break;
default:
/* assuming QES PIN */
/* We assume that the eSign application has already been
* unlocked, see npa_init().
*
* Now, verify the QES PIN. */
r = npa_standard_pin_cmd(card, data, tries_left);
if (r != SC_SUCCESS)
goto err;
break;
}
if (data->cmd == SC_PIN_CMD_CHANGE) {
r = npa_reset_retry_counter(card, data->pin_reference, 1,
(const char *) data->pin2.data, data->pin2.len);
if (r != SC_SUCCESS)
goto err;
}
break;
default:
r = SC_ERROR_INTERNAL;
goto err;
break;
}
err:
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
}
static int npa_logout(sc_card_t *card)
{
struct sc_apdu apdu;
sc_sm_stop(card);
if (card->reader->capabilities & SC_READER_CAP_PACE_GENERIC) {
/* If PACE is done between reader and card, SM is transparent to us as
* it ends at the reader. With CLA=0x0C we provoque a SM error to
* disable SM on the reader. */
sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xA4, 0x00, 0x00);
apdu.cla = 0x0C;
sc_transmit_apdu(card, &apdu);
/* ignore result */
}
return sc_select_file(card, sc_get_mf_path(), NULL);
}
static struct sc_card_driver *npa_get_driver(void)
{
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
npa_ops = *iso_drv->ops;
npa_ops.match_card = npa_match_card;
npa_ops.init = npa_init;
npa_ops.finish = npa_finish;
npa_ops.set_security_env = npa_set_security_env;
npa_ops.pin_cmd = npa_pin_cmd;
npa_ops.logout = npa_logout;
return &npa_drv;
}
void *sc_module_init(const char *name)
{
const char npa_name[] = "npa";
if (name) {
if (strcmp(npa_name, name) == 0)
return npa_get_driver;
}
return NULL;
}
const char *sc_driver_version(void)
{
/* Tested with OpenSC 0.12 and 0.13.0, which can't be captured by checking
* our version info against OpenSC's PACKAGE_VERSION. For this reason we
* tell OpenSC that everything is fine, here. */
return sc_get_version();
}

49
src/libopensc/card-npa.h Normal file
View File

@ -0,0 +1,49 @@
/*
* Copyright (C) 2014-2015 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _CARD_NPA_H
#define _CARD_NPA_H
#ifdef __cplusplus
extern "C" {
#endif
#include "libopensc/opensc.h"
enum {
SC_CARD_TYPE_NPA = 42000,
SC_CARD_TYPE_NPA_TEST,
SC_CARD_TYPE_NPA_ONLINE,
};
const unsigned char esign_chat[] = {
0x7F, 0x4C, 0x0E,
0x06, 0x09, 0x04, 0x00, 0x7F, 0x00, 0x07, 0x03, 0x01, 0x02, 0x03,
0x53, 0x01, 0x03,
};
static const unsigned char df_esign_aid[] = { 0xa0, 0x00, 0x00, 0x01, 0x67, 0x45, 0x53, 0x49, 0x47, 0x4e};
static const unsigned char df_esign_path[] = { 0x3f, 0x00, 0x50, 0x15, 0x1f, 0xff};
static const unsigned char ef_cardaccess_path[] = { 0x3f, 0x00, 0x01, 0x1c};
#ifdef __cplusplus
}
#endif
#endif

2
src/libopensc/cardnpa.exports Normal file
View File

@ -0,0 +1,2 @@
sc_driver_version
sc_module_init

135
src/libopensc/iso7816.c
View File

@ -28,6 +28,7 @@
#include "internal.h"
#include "asn1.h"
#include "iso7816.h"
#include "sm/sm-iso.h"
static void fixup_transceive_length(const struct sc_card *card,
@ -1247,3 +1248,137 @@ struct sc_card_driver * sc_get_iso7816_driver(void)
{
return &iso_driver;
}
#define ISO_READ_BINARY 0xB0
#define ISO_P1_FLAG_SFID 0x80
int iso7816_read_binary_sfid(sc_card_t *card, unsigned char sfid,
u8 **ef, size_t *ef_len)
{
int r;
size_t read = MAX_SM_APDU_RESP_SIZE;
sc_apdu_t apdu;
u8 *p;
if (!card || !ef || !ef_len) {
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
*ef_len = 0;
if (read > 0xff+1)
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_EXT,
ISO_READ_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
else
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT,
ISO_READ_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
p = realloc(*ef, read);
if (!p) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
*ef = p;
apdu.resp = *ef;
apdu.resplen = read;
apdu.le = read;
r = sc_transmit_apdu(card, &apdu);
/* emulate the behaviour of sc_read_binary */
if (r >= 0)
r = apdu.resplen;
while(1) {
if (r >= 0 && ((size_t) r) != read) {
*ef_len += r;
break;
}
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not read EF.");
goto err;
}
*ef_len += r;
p = realloc(*ef, *ef_len + read);
if (!p) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
*ef = p;
r = sc_read_binary(card, *ef_len,
*ef + *ef_len, read, 0);
}
r = SC_SUCCESS;
err:
return r;
}
#define ISO_WRITE_BINARY 0xD0
int iso7816_write_binary_sfid(sc_card_t *card, unsigned char sfid,
u8 *ef, size_t ef_len)
{
int r;
size_t write = MAX_SM_APDU_DATA_SIZE, wrote = 0;
sc_apdu_t apdu;
#ifdef ENABLE_SM
struct iso_sm_ctx *iso_sm_ctx;
#endif
if (!card) {
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
#ifdef ENABLE_SM
iso_sm_ctx = card->sm_ctx.info.cmd_data;
if (write > SC_MAX_APDU_BUFFER_SIZE-2
|| (card->sm_ctx.sm_mode == SM_MODE_TRANSMIT
&& write > (((SC_MAX_APDU_BUFFER_SIZE-2
/* for encrypted APDUs we usually get authenticated status
* bytes (4B), a MAC (11B) and a cryptogram with padding
* indicator (3B without data). The cryptogram is always
* padded to the block size. */
-18) / iso_sm_ctx->block_length)
* iso_sm_ctx->block_length - 1)))
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_EXT,
ISO_WRITE_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
else
#endif
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT,
ISO_WRITE_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
if (write > ef_len) {
apdu.datalen = ef_len;
apdu.lc = ef_len;
} else {
apdu.datalen = write;
apdu.lc = write;
}
apdu.data = ef;
r = sc_transmit_apdu(card, &apdu);
/* emulate the behaviour of sc_write_binary */
if (r >= 0)
r = apdu.datalen;
while (1) {
if (r < 0 || ((size_t) r) > ef_len) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not write EF.");
goto err;
}
wrote += r;
apdu.data += r;
if (wrote >= ef_len)
break;
r = sc_write_binary(card, wrote, ef, write, 0);
}
r = SC_SUCCESS;
err:
return r;
}

14
src/libopensc/libopensc.exports
View File

@ -269,6 +269,8 @@ sc_write_binary
sc_write_record
sc_erase_binary
sc_get_iso7816_driver
iso7816_write_binary_sfid
iso7816_read_binary_sfid
sc_pkcs15init_add_app
sc_pkcs15init_authenticate
sc_pkcs15init_bind
@ -339,3 +341,15 @@ iasecc_sm_rsa_update
iasecc_sm_update_binary
iasecc_sm_sdo_update
iasecc_sdo_encode_update_field
_sc_card_add_ec_alg
_sc_card_add_rsa_alg
_sc_match_atr
_sc_log
npa_secret_name
get_pace_capabilities
perform_pace
perform_terminal_authentication
perform_chip_authentication
npa_default_flags
npa_reset_retry_counter
npa_pace_get_tries_left

28
src/libopensc/opensc.h
View File

@ -1351,6 +1351,34 @@ extern const char *sc_get_version(void);
extern sc_card_driver_t *sc_get_iso7816_driver(void);
/**
* @brief Read a complete EF by short file identifier.
*
* @param[in] card
* @param[in] sfid Short file identifier
* @param[in,out] ef Where to safe the file. the buffer will be allocated
* using \c realloc() and should be set to NULL, if
* empty.
* @param[in,out] ef_len Length of \a *ef
*
* @note The appropriate directory must be selected before calling this function.
* */
int iso7816_read_binary_sfid(sc_card_t *card, unsigned char sfid,
u8 **ef, size_t *ef_len);
/**
* @brief Write a complete EF by short file identifier.
*
* @param[in] card
* @param[in] sfid Short file identifier
* @param[in] ef Date to write
* @param[in] ef_len Length of \a ef
*
* @note The appropriate directory must be selected before calling this function.
* */
int iso7816_write_binary_sfid(sc_card_t *card, unsigned char sfid,
u8 *ef, size_t ef_len);
#ifdef __cplusplus
}
#endif

82
src/libopensc/pace.h
View File

@ -1,7 +1,7 @@
/*
* opensc.h: PACE library header file
*
* Copyright (C) ???? Frank Morgner <morgner@informatik.hu-berlin.de>
* Copyright (C) 2010-2012 Frank Morgner <frankmorgner@gmail.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@ -43,61 +43,61 @@ extern "C" {
* Input data for EstablishPACEChannel()
*/
struct establish_pace_channel_input {
/** Type of secret (CAN, MRZ, PIN or PUK). */
unsigned char pin_id;
/** Type of secret (CAN, MRZ, PIN or PUK). */
unsigned char pin_id;
/** Length of \a chat */
size_t chat_length;
/** Card holder authorization template */
const unsigned char *chat;
/** Length of \a chat */
size_t chat_length;
/** Card holder authorization template */
const unsigned char *chat;
/** Length of \a pin */
size_t pin_length;
/** Secret */
const unsigned char *pin;
/** Length of \a pin */
size_t pin_length;
/** Secret */
const unsigned char *pin;
/** Length of \a certificate_description */
size_t certificate_description_length;
/** Certificate description */
const unsigned char *certificate_description;
/** Length of \a certificate_description */
size_t certificate_description_length;
/** Certificate description */
const unsigned char *certificate_description;
};
/**
* Output data for EstablishPACEChannel()
*/
struct establish_pace_channel_output {
/** PACE result (TR-03119) */
unsigned int result;
/** PACE result (TR-03119) */
unsigned int result;
/** MSE: Set AT status byte */
unsigned char mse_set_at_sw1;
/** MSE: Set AT status byte */
unsigned char mse_set_at_sw2;
/** MSE: Set AT status byte */
unsigned char mse_set_at_sw1;
/** MSE: Set AT status byte */
unsigned char mse_set_at_sw2;
/** Length of \a ef_cardaccess */
size_t ef_cardaccess_length;
/** EF.CardAccess */
unsigned char *ef_cardaccess;
/** Length of \a ef_cardaccess */
size_t ef_cardaccess_length;
/** EF.CardAccess */
unsigned char *ef_cardaccess;
/** Length of \a recent_car */
size_t recent_car_length;
/** Most recent certificate authority reference */
unsigned char *recent_car;
/** Length of \a recent_car */
size_t recent_car_length;
/** Most recent certificate authority reference */
unsigned char *recent_car;
/** Length of \a previous_car */
size_t previous_car_length;
/** Previous certificate authority reference */
unsigned char *previous_car;
/** Length of \a previous_car */
size_t previous_car_length;
/** Previous certificate authority reference */
unsigned char *previous_car;
/** Length of \a id_icc */
size_t id_icc_length;
/** ICC identifier */
unsigned char *id_icc;
/** Length of \a id_icc */
size_t id_icc_length;
/** ICC identifier */
unsigned char *id_icc;
/** Length of \a id_pcd */
size_t id_pcd_length;
/** PCD identifier */
unsigned char *id_pcd;
/** Length of \a id_pcd */
size_t id_pcd_length;
/** PCD identifier */
unsigned char *id_pcd;
};
#ifdef __cplusplus

14
src/libsm/Makefile.am
View File

@ -1,14 +0,0 @@
# Process this file with automake to create Makefile.in
MAINTAINERCLEANFILES = Makefile.in
EXTRA_DIST = Makefile.mak
if ENABLE_OPENSSL
noinst_LTLIBRARIES = libsm.la
endif
noinst_HEADERS = sm-common.h
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_builddir)/src/include
libsm_la_SOURCES = sm-common.c sm-common.h

18
src/libsm/Makefile.mak
View File

@ -1,18 +0,0 @@
TOPDIR = ..\..
TARGET = libsm.lib
OBJECTS = sm-common.obj
all: $(TARGET)
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
!IF "$(OPENSSL_DEF)" == "/DENABLE_OPENSSL"
$(TARGET): $(OBJECTS)
lib $(LIBFLAGS) /out:$(TARGET) $(OBJECTS)
!ELSE
$(TARGET):
!ENDIF

28
src/sm/Makefile.am Normal file
View File

@ -0,0 +1,28 @@
# Process this file with automake to create Makefile.in
MAINTAINERCLEANFILES = Makefile.in
EXTRA_DIST = Makefile.mak
noinst_LTLIBRARIES = libsmiso.la libsmeac.la
noinst_HEADERS = \
sm-iso-internal.h \
sm-iso.h \
sslutil.h \
sm-eac.h
if ENABLE_OPENSSL
noinst_LTLIBRARIES += libsm.la
endif
noinst_HEADERS += sm-common.h
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_builddir)/src/include
libsm_la_SOURCES = sm-common.c sm-common.h
libsmiso_la_SOURCES = sm-iso.c
libsmeac_la_SOURCES = sm-eac.c
libsmeac_la_LIBADD = $(OPENPACE_LIBS) $(OPENSSL_LIBS) libsmiso.la
libsmeac_la_CFLAGS = $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS) -I$(top_srcdir)/src

30
src/sm/Makefile.mak Normal file
View File

@ -0,0 +1,30 @@
TOPDIR = ..\..
TARGET = libsm.lib
OBJECTS = sm-common.obj
TARGET1 = libsmiso.lib
OBJECTS1 = sm-iso.obj
TARGET2 = libsmeac.lib
OBJECTS2 = sm-eac.obj
all: $(TARGET) $(TARGET1) $(TARGET2)
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
!IF "$(OPENSSL_DEF)" == "/DENABLE_OPENSSL"
$(TARGET): $(OBJECTS)
lib $(LIBFLAGS) /out:$(TARGET) $(OBJECTS)
!ELSE
$(TARGET):
!ENDIF
$(TARGET1): $(OBJECTS1)
lib $(LIBFLAGS) /out:$(TARGET1) $(OBJECTS1)
$(TARGET2): $(OBJECTS2)
lib $(LIBFLAGS) /out:$(TARGET2) $(OBJECTS2)

0
src/libsm/sm-common.c → src/sm/sm-common.c
View File

0
src/libsm/sm-common.h → src/sm/sm-common.h
View File

2502
src/sm/sm-eac.c Normal file
View File

File diff suppressed because it is too large Load Diff

296
src/sm/sm-eac.h Normal file
View File

@ -0,0 +1,296 @@
/*
* Copyright (C) 2011-2015 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
* @file
* @defgroup npa Interface to German identity card (neuer Personalausweis, nPA)
* @{
*/
#ifndef _SC_EAC_H
#define _SC_EAC_H
#include "libopensc/opensc.h"
#include "libopensc/pace.h"
#include "sm/sm-iso.h"
#ifdef __cplusplus
extern "C" {
#endif
#ifdef ENABLE_OPENPACE
#include <eac/cv_cert.h>
#include <eac/eac.h>
#include <eac/pace.h>
/** @brief ASN.1 type for authenticated auxiliary data for terminal authentication */
typedef STACK_OF(CVC_DISCRETIONARY_DATA_TEMPLATE) ASN1_AUXILIARY_DATA;
DECLARE_ASN1_FUNCTIONS(ASN1_AUXILIARY_DATA)
#else
/** @brief Type of the secret */
enum s_type {
/** @brief MRZ is the Machine Readable Zone, printed on the card, encoding
* the personal information of the user */
PACE_MRZ = 1,
/** @brief CAN is the Card access number printed on the card */
PACE_CAN,
/** @brief PIN is the Personal Identification Number, a secret known only
* to the user and not printed on the card */
PACE_PIN,
/** @brief PUK is the Personal Unblocking key. This type of secret is used
* when the card is suspended due to too many incorrect PACE runs */
PACE_PUK,
/** @brief This type of secret is not defined in BSI TR-03110. We use it as
* a generic type, so we can use PACE independent from a ID card */
PACE_RAW,
/** @brief Undefined type, if nothing else matches */
PACE_SEC_UNDEF
};
/**
* @brief Identification of the specifications to use.
*
* @note TR-03110 v2.01 differs from all later versions of the Technical
* Guideline in how the authentication token is calculated. Therefore old test
* cards are incompatible with the newer specification.
*/
enum eac_tr_version {
/** @brief Undefined type, if nothing else matches */
EAC_TR_VERSION = 0,
/** @brief Perform EAC according to TR-03110 v2.01 */
EAC_TR_VERSION_2_01,
/** @brief Perform EAC according to TR-03110 v2.02 and later */
EAC_TR_VERSION_2_02,
};
#endif
/** @brief NPA capabilities (TR-03119): PACE */
#define NPA_BITMAP_PACE 0x40
/** @brief NPA capabilities (TR-03119): EPA: eID */
#define NPA_BITMAP_EID 0x20
/** @brief NPA capabilities (TR-03119): EPA: eSign */
#define NPA_BITMAP_ESIGN 0x10
/** @brief NPA result (TR-03119): Kein Fehler */
#define NPA_SUCCESS 0x00000000
/** @brief NPA result (TR-03119): Längen im Input sind inkonsistent */
#define NPA_ERROR_LENGTH_INCONSISTENT 0xD0000001
/** @brief NPA result (TR-03119): Unerwartete Daten im Input */
#define NPA_ERROR_UNEXPECTED_DATA 0xD0000002
/** @brief NPA result (TR-03119): Unerwartete Kombination von Daten im Input */
#define NPA_ERROR_UNEXPECTED_DATA_COMBINATION 0xD0000003
/** @brief NPA result (TR-03119): Die Karte unterstützt das PACE Verfahren nicht. (Unerwartete Struktur in Antwortdaten der Karte) */
#define NPA_ERROR_CARD_NOT_SUPPORTED 0xE0000001
/** @brief NPA result (TR-03119): Der Kartenleser unterstützt den angeforderten bzw. den ermittelten Algorithmus nicht. */
#define NPA_ERROR_ALGORITH_NOT_SUPPORTED 0xE0000002
/** @brief NPA result (TR-03119): Der Kartenleser kennt die PIN ID nicht. */
#define NPA_ERROR_PINID_NOT_SUPPORTED 0xE0000003
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf Select EF_CardAccess (needs to be OR-ed with SW1|SW2) */
#define NPA_ERROR_SELECT_EF_CARDACCESS 0xF0000000
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf Read Binary (needs to be OR-ed with SW1|SW2) */
#define NPA_ERROR_READ_BINARY 0xF0010000
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf MSE: Set AT (needs to be OR-ed with SW1|SW2) */
#define NPA_ERROR_MSE_SET_AT 0xF0020000
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 1 (needs to be OR-ed with SW1|SW2) */
#define NPA_ERROR_GENERAL_AUTHENTICATE_1 0xF0030000
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 2 (needs to be OR-ed with SW1|SW2) */
#define NPA_ERROR_GENERAL_AUTHENTICATE_2 0xF0040000
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 3 (needs to be OR-ed with SW1|SW2) */
#define NPA_ERROR_GENERAL_AUTHENTICATE_3 0xF0050000
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 4 (needs to be OR-ed with SW1|SW2) */
#define NPA_ERROR_GENERAL_AUTHENTICATE_4 0xF0060000
/** @brief NPA result (TR-03119): Kommunikationsabbruch mit Karte. */
#define NPA_ERROR_COMMUNICATION 0xF0100001
/** @brief NPA result (TR-03119): Keine Karte im Feld. */
#define NPA_ERROR_NO_CARD 0xF0100002
/** @brief NPA result (TR-03119): Benutzerabbruch. */
#define NPA_ERROR_ABORTED 0xF0200001
/** @brief NPA result (TR-03119): Benutzer Timeout */
#define NPA_ERROR_TIMEOUT 0xF0200002
/** @brief File identifier of EF.CardAccess */
#define FID_EF_CARDACCESS 0x011C
/** @brief Short file identifier of EF.CardAccess */
#define SFID_EF_CARDACCESS 0x1C
/** @brief File identifier of EF.CardSecurity */
#define FID_EF_CARDSECURITY 0x011D
/** @brief Short file identifier of EF.CardAccess */
#define SFID_EF_CARDSECURITY 0x1D
/** @brief Maximum length of PIN */
#define MAX_PIN_LEN 6
/** @brief Minimum length of PIN */
#define MIN_PIN_LEN 6
/** @brief Length of CAN */
#define CAN_LEN 6
/** @brief Minimum length of MRZ */
#define MAX_MRZ_LEN 128
/** @brief Number of retries for PIN */
#define MAX_PIN_TRIES 3
/** @brief Usage counter of PIN in suspended state */
#define UC_PIN_SUSPENDED 1
/**
* @brief Names the type of the PACE secret
*
* @param pin_id type of the PACE secret
*
* @return Printable string containing the name
*/
const char *npa_secret_name(enum s_type pin_id);
/**
* @brief Get the PACE capabilities
*
* @param[in,out] bitmap where to store capabilities bitmap
* @note Since this code offers no support for terminal certificate, the bitmap is always \c PACE_BITMAP_PACE|PACE_BITMAP_EID
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int get_pace_capabilities(u8 *bitmap);
/**
* @brief Establish secure messaging using PACE
*
* Modifies \a card to use the ISO SM driver and initializes the data
* structures to use the established SM channel.
*
* Prints certificate description and card holder authorization template if
* given in a human readable form to stdout. If no secret is given, the user is
* asked for it. Only \a pace_input.pin_id is mandatory, the other members of
* \a pace_input can be set to \c 0 or \c NULL respectively.
*
* The buffers in \a pace_output are allocated using \c realloc() and should be
* set to NULL, if empty. If an EF.CardAccess is already present, this file is
* reused and not fetched from the card.
*
* @param[in,out] card
* @param[in] pace_input
* @param[in,out] pace_output
* @param[in] tr_version Version of TR-03110 to use with PACE
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int perform_pace(sc_card_t *card,
struct establish_pace_channel_input pace_input,
struct establish_pace_channel_output *pace_output,
enum eac_tr_version tr_version);
/**
* @brief Terminal Authentication version 2
*
* @param[in] card
* @param[in] certs chain of cv certificates, the last certificate
* is the terminal's certificate, array should be
* terminated with \c NULL
* @param[in] certs_lens length of each element in \c certs, should be
* terminated with \c 0
* @param[in] privkey The terminal's private key
* @param[in] privkey_len length of \a privkey
* @param[in] auxiliary_data auxiliary data for age/validity/community ID
* verification. Should be an ASN1 object tagged
* with \c 0x67
* @param[in] auxiliary_data_len length of \a auxiliary_data
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int perform_terminal_authentication(sc_card_t *card,
const unsigned char **certs, const size_t *certs_lens,
const unsigned char *privkey, size_t privkey_len,
const unsigned char *auxiliary_data, size_t auxiliary_data_len);
/**
* @brief Establish secure messaging using Chip Authentication version 2
*
* Switches the SM context of \c card to the new established keys.
*
* @param[in] card
* @param[in,out] ef_cardsecurity
* @param[in,out] ef_cardsecurity_len
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int perform_chip_authentication(sc_card_t *card,
unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_len);
/**
* @brief Sends a reset retry counter APDU
*
* According to TR-03110 the reset retry counter APDU is used to set a new PIN
* or to reset the retry counter of the PIN. The standard requires this
* operation to be authorized either by an established PACE channel or by the
* effective authorization of the terminal's certificate.
*
* @param[in] card
* @param[in] pin_id Type of secret (usually PIN or CAN). You may use <tt>enum s_type</tt> from \c <openssl/pace.h>.
* @param[in] ask_for_secret whether to ask the user for the secret (\c 1) or not (\c 0)
* @param[in] new (optional) new secret
* @param[in] new_len (optional) length of \a new
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int npa_reset_retry_counter(sc_card_t *card,
enum s_type pin_id, int ask_for_secret,
const char *new, size_t new_len);
/**
* @brief Sends an MSE:Set AT to determine the number of remaining tries
*
* @param[in] card
* @param[in] pin_id Type of secret (usually PIN or CAN). You may use <tt>enum s_type</tt> from \c <openssl/pace.h>.
* @param[in,out] tries_left Tries left or -1 if no specific number has been returned by the card (e.g. when there is no limit in retries).
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int npa_pace_get_tries_left(sc_card_t *card,
enum s_type pin_id, int *tries_left);
/**
* @brief Send APDU to unblock the PIN
*
* @param[in] card
*/
#define npa_unblock_pin(card) \
npa_reset_retry_counter(card, PACE_PIN, 0, NULL, 0)
/**
* @brief Send APDU to set a new PIN
*
* @param[in] card
* @param[in] newp (optional) new PIN
* @param[in] newplen (optional) length of \a new
*/
#define npa_change_pin(card, newp, newplen) \
npa_reset_retry_counter(card, PACE_PIN, 1, newp, newplen)
/** @brief Disable all sanity checks done by libnpa */
#define NPA_FLAG_DISABLE_CHECK_ALL 1
/** @brief Disable checking validity period of CV certificates */
#define NPA_FLAG_DISABLE_CHECK_TA 2
/** @brief Disable checking passive authentication during CA */
#define NPA_FLAG_DISABLE_CHECK_CA 4
/** @brief Use \c npa_default_flags to disable checks for EAC/SM */
extern char npa_default_flags;
#ifdef __cplusplus
}
#endif
#endif
/* @} */

91
src/sm/sm-iso-internal.h Normal file
View File

@ -0,0 +1,91 @@
/*
* Copyright (C) 2012-2015 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
* @file
* @defgroup sm Interface to Secure Messaging (SM) defined in ISO 7816
* @{
*/
#ifndef _ISO_SM_INTERNAL_H
#define _ISO_SM_INTERNAL_H
#include "libopensc/opensc.h"
#ifdef __cplusplus
extern "C" {
#endif
/* @brief Protect an APDU with Secure Messaging
*
* If secure messaging (SM) is activated in \a sctx and \a apdu is not already
* SM protected, \a apdu is processed with the following steps:
* \li call to \a sctx->pre_transmit
* \li encrypt \a apdu calling \a sctx->encrypt
* \li authenticate \a apdu calling \a sctx->authenticate
* \li copy the SM protected data to \a sm_apdu
*
* Data for authentication or encryption is always padded before the callback
* functions are called
*
* @param[in] card
* @param[in] apdu
* @param[in,out] sm_apdu
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu);
/* @brief Remove Secure Messaging from an APDU
*
* If secure messaging (SM) is activated in \a sctx and \a apdu is not already
* SM protected, \a apdu is processed with the following steps:
* \li verify SM protected \a apdu calling \a sctx->verify_authentication
* \li decrypt SM protected \a apdu calling \a sctx->decrypt
* \li copy decrypted/authenticated data and status bytes to \a apdu
*
* Callback functions must not remove padding.
*
* @param[in] card
* @param[in,out] apdu
* @param[in,out] sm_apdu will be freed when done.
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int iso_free_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu);
/**
* @brief Cleans up allocated ressources of the ISO SM driver
*
* \c iso_sm_close() is designed as SM card operation. However, have in mind
* that this card operation is not called automatically for \c
* sc_disconnect_card() .
*
* @param[in] card
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int iso_sm_close(struct sc_card *card);
#ifdef __cplusplus
}
#endif
#endif
/* @} */

783
src/sm/sm-iso.c Normal file
View File

@ -0,0 +1,783 @@
/*
* Copyright (C) 2011-2015 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "sm-iso-internal.h"
#include "libopensc/asn1.h"
#include "libopensc/log.h"
#include "sm/sm-iso.h"
#include <stdlib.h>
#include <string.h>
#ifdef ENABLE_SM
static const struct sc_asn1_entry c_sm_capdu[] = {
{ "Cryptogram",
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x05, SC_ASN1_OPTIONAL, NULL, NULL },
{ "Padding-content indicator followed by cryptogram",
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x07, SC_ASN1_OPTIONAL, NULL, NULL },
{ "Protected Le",
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x17, SC_ASN1_OPTIONAL, NULL, NULL },
{ "Cryptographic Checksum",
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x0E, SC_ASN1_OPTIONAL, NULL, NULL },
{ NULL , 0 , 0 , 0 , NULL , NULL }
};
static const struct sc_asn1_entry c_sm_rapdu[] = {
{ "Cryptogram",
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x05, SC_ASN1_OPTIONAL, NULL, NULL },
{ "Padding-content indicator followed by cryptogram" ,
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x07, SC_ASN1_OPTIONAL, NULL, NULL },
{ "Processing Status",
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x19, 0 , NULL, NULL },
{ "Cryptographic Checksum",
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x0E, SC_ASN1_OPTIONAL, NULL, NULL },
{ NULL, 0, 0, 0, NULL, NULL }
};
static int
add_iso_pad(const u8 *data, size_t datalen, int block_size, u8 **padded)
{
u8 *p;
size_t p_len;
if (!padded)
return SC_ERROR_INVALID_ARGUMENTS;
/* calculate length of padded message */
p_len = (datalen / block_size) * block_size + block_size;
p = realloc(*padded, p_len);
if (!p)
return SC_ERROR_OUT_OF_MEMORY;
if (*padded != data)
/* Flawfinder: ignore */
memcpy(p, data, datalen);
*padded = p;
/* now add iso padding */
memset(p + datalen, 0x80, 1);
memset(p + datalen + 1, 0, p_len - datalen - 1);
return p_len;
}
static int
add_padding(const struct iso_sm_ctx *ctx, const u8 *data, size_t datalen,
u8 **padded)
{
u8 *p;
switch (ctx->padding_indicator) {
case SM_NO_PADDING:
if (*padded != data) {
p = realloc(*padded, datalen);
if (!p)
return SC_ERROR_OUT_OF_MEMORY;
*padded = p;
/* Flawfinder: ignore */
memcpy(*padded, data, datalen);
}
return datalen;
case SM_ISO_PADDING:
return add_iso_pad(data, datalen, ctx->block_length, padded);
default:
return SC_ERROR_INVALID_ARGUMENTS;
}
}
static int
rm_padding(u8 padding_indicator, const u8 *data, size_t datalen)
{
size_t len;
if (!datalen || !data)
return SC_ERROR_INVALID_ARGUMENTS;
switch (padding_indicator) {
case SM_NO_PADDING:
len = datalen;
break;
case SM_ISO_PADDING:
len = datalen;
while (len) {
len--;
if (data[len])
break;
}
if (data[len] != 0x80)
return SC_ERROR_INVALID_DATA;
break;
default:
return SC_ERROR_NOT_SUPPORTED;
}
return len;
}
static int format_le(size_t le, struct sc_asn1_entry *le_entry,
u8 **lebuf, size_t *le_len)
{
u8 *p;
if (!lebuf || !le_len)
return SC_ERROR_INVALID_ARGUMENTS;
p = realloc(*lebuf, *le_len);
if (!p)
return SC_ERROR_OUT_OF_MEMORY;
*lebuf = p;
switch (*le_len) {
case 1:
p[0] = le;
break;
case 2:
p[0] = le >> 8;
p[1] = le & 0xff;
break;
case 3:
p[0] = 0x00;
p[1] = le >> 8;
p[2] = le & 0xff;
break;
default:
return SC_ERROR_INVALID_ARGUMENTS;
}
sc_format_asn1_entry(le_entry, *lebuf, le_len, SC_ASN1_PRESENT);
return SC_SUCCESS;
}
static int prefix_buf(u8 prefix, u8 *buf, size_t buflen, u8 **cat)
{
u8 *p;
p = realloc(*cat, buflen + 1);
if (!p)
return SC_ERROR_OUT_OF_MEMORY;
if (*cat == buf) {
memmove(p + 1, p, buflen);
} else {
/* Flawfinder: ignore */
memcpy(p + 1, buf, buflen);
}
p[0] = prefix;
*cat = p;
return buflen + 1;
}
static int format_data(sc_card_t *card, const struct iso_sm_ctx *ctx,
int prepend_padding_indicator, const u8 *data, size_t datalen,
struct sc_asn1_entry *formatted_encrypted_data_entry,
u8 **formatted_data, size_t *formatted_data_len)
{
int r;
u8 *pad_data = NULL;
size_t pad_data_len = 0;
if (!ctx || !formatted_data || !formatted_data_len) {
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
r = add_padding(ctx, data, datalen, &pad_data);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not add padding to data: %s",
sc_strerror(r));
goto err;
}
pad_data_len = r;
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Data to encrypt", pad_data, pad_data_len);
r = ctx->encrypt(card, ctx, pad_data, pad_data_len, formatted_data);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt the data");
goto err;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Cryptogram", *formatted_data, r);
if (prepend_padding_indicator) {
r = prefix_buf(ctx->padding_indicator, *formatted_data, r, formatted_data);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not prepend padding indicator to formatted "
"data: %s", sc_strerror(r));
goto err;
}
}
*formatted_data_len = r;
sc_format_asn1_entry(formatted_encrypted_data_entry,
*formatted_data, formatted_data_len, SC_ASN1_PRESENT);
r = SC_SUCCESS;
err:
if (pad_data) {
sc_mem_clear(pad_data, pad_data_len);
free(pad_data);
}
return r;
}
static int format_head(const struct iso_sm_ctx *ctx, const sc_apdu_t *apdu,
u8 **formatted_head)
{
u8 *p;
if (!apdu || !formatted_head)
return SC_ERROR_INVALID_ARGUMENTS;
p = realloc(*formatted_head, 4);
if (!p)
return SC_ERROR_OUT_OF_MEMORY;
p[0] = apdu->cla;
p[1] = apdu->ins;
p[2] = apdu->p1;
p[3] = apdu->p2;
*formatted_head = p;
return add_padding(ctx, *formatted_head, 4, formatted_head);
}
static int sm_encrypt(const struct iso_sm_ctx *ctx, sc_card_t *card,
const sc_apdu_t *apdu, sc_apdu_t **psm_apdu)
{
struct sc_asn1_entry sm_capdu[5];
u8 *p, *le = NULL, *sm_data = NULL, *fdata = NULL, *mac_data = NULL,
*asn1 = NULL, *mac = NULL, *resp_data = NULL;
size_t sm_data_len, fdata_len, mac_data_len, asn1_len, mac_len, le_len;
int r, cse;
sc_apdu_t *sm_apdu = NULL;
if (!apdu || !ctx || !card || !card->reader || !psm_apdu) {
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
if ((apdu->cla & 0x0C) == 0x0C) {
r = SC_ERROR_INVALID_ARGUMENTS;
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Given APDU is already protected with some secure messaging");
goto err;
}
sc_copy_asn1_entry(c_sm_capdu, sm_capdu);
sm_apdu = malloc(sizeof(sc_apdu_t));
if (!sm_apdu) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
sm_apdu->control = apdu->control;
sm_apdu->flags = apdu->flags;
sm_apdu->cla = apdu->cla|0x0C;
sm_apdu->ins = apdu->ins;
sm_apdu->p1 = apdu->p1;
sm_apdu->p2 = apdu->p2;
r = format_head(ctx, sm_apdu, &mac_data);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format header of SM apdu");
goto err;
}
mac_data_len = r;
/* get le and data depending on the case of the insecure command */
cse = apdu->cse;
if ((apdu->le/ctx->block_length + 1)*ctx->block_length + 18 > 0xff+1)
/* for encrypted APDUs we usually get authenticated status bytes (4B),
* a MAC (11B) and a cryptogram with padding indicator (3B without
* data). The cryptogram is always padded to the block size. */
/*cse |= SC_APDU_EXT;*/
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
"Response data may be truncated, because it doesn't fit into a short length APDU.");
switch (cse) {
case SC_APDU_CASE_1:
break;
case SC_APDU_CASE_2_SHORT:
le_len = 1;
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
goto err;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
break;
case SC_APDU_CASE_2_EXT:
if (card->reader->active_protocol == SC_PROTO_T0) {
/* T0 extended APDUs look just like short APDUs */
le_len = 1;
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
goto err;
}
} else {
/* in case of T1 always use 2 bytes for length */
le_len = 2;
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
goto err;
}
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
break;
case SC_APDU_CASE_3_SHORT:
case SC_APDU_CASE_3_EXT:
if (apdu->ins & 1) {
r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
sm_capdu + 0, &fdata, &fdata_len);
} else {
r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
sm_capdu + 1, &fdata, &fdata_len);
}
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
goto err;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
fdata, fdata_len);
break;
case SC_APDU_CASE_4_SHORT:
/* in case of T0 no Le byte is added */
if (card->reader->active_protocol != SC_PROTO_T0) {
le_len = 1;
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
goto err;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
}
if (apdu->ins & 1) {
r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
sm_capdu + 0, &fdata, &fdata_len);
} else {
r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
sm_capdu + 1, &fdata, &fdata_len);
}
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
goto err;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
fdata, fdata_len);
break;
case SC_APDU_CASE_4_EXT:
if (card->reader->active_protocol == SC_PROTO_T0) {
/* again a T0 extended case 4 APDU looks just
* like a short APDU, the additional data is
* transferred using ENVELOPE and GET RESPONSE */
} else {
/* only 2 bytes are use to specify the length of the
* expected data */
le_len = 2;
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
goto err;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
}
if (apdu->ins & 1) {
r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
sm_capdu + 0, &fdata, &fdata_len);
} else {
r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
sm_capdu + 1, &fdata, &fdata_len);
}
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
goto err;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
fdata, fdata_len);
break;
default:
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Unhandled apdu case");
r = SC_ERROR_INVALID_DATA;
goto err;
}
r = sc_asn1_encode(card->ctx, sm_capdu, (u8 **) &asn1, &asn1_len);
if (r < 0) {
goto err;
}
if (asn1_len) {
p = realloc(mac_data, mac_data_len + asn1_len);
if (!p) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
mac_data = p;
/* Flawfinder: ignore */
memcpy(mac_data + mac_data_len, asn1, asn1_len);
mac_data_len += asn1_len;
r = add_padding(ctx, mac_data, mac_data_len, &mac_data);
if (r < 0) {
goto err;
}
mac_data_len = r;
}
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Data to authenticate", mac_data, mac_data_len);
r = ctx->authenticate(card, ctx, mac_data, mac_data_len,
&mac);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get authentication code");
goto err;
}
mac_len = r;
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Cryptographic Checksum (plain)", mac, mac_len);
/* format SM apdu */
sc_format_asn1_entry(sm_capdu + 3, mac, &mac_len, SC_ASN1_PRESENT);
r = sc_asn1_encode(card->ctx, sm_capdu, (u8 **) &sm_data, &sm_data_len);
if (r < 0)
goto err;
sm_apdu->data = sm_data;
sm_apdu->datalen = sm_data_len;
sm_apdu->lc = sm_data_len;
sm_apdu->le = 0;
if (cse & SC_APDU_EXT) {
sm_apdu->cse = SC_APDU_CASE_4_EXT;
#if OPENSC_NOT_BOGUS_ANYMORE
sm_apdu->resplen = 0xffff+1;
#else
sm_apdu->resplen = SC_MAX_EXT_APDU_BUFFER_SIZE;
#endif
} else {
sm_apdu->cse = SC_APDU_CASE_4_SHORT;
#if OPENSC_NOT_BOGUS_ANYMORE
sm_apdu->resplen = 0xff+1;
#else
sm_apdu->resplen = SC_MAX_APDU_BUFFER_SIZE;
#endif
}
resp_data = malloc(sm_apdu->resplen);
if (!resp_data) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
sm_apdu->resp = resp_data;
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "ASN.1 encoded encrypted APDU data", sm_apdu->data, sm_apdu->datalen);
*psm_apdu = sm_apdu;
err:
free(fdata);
free(asn1);
free(mac_data);
free(mac);
free(le);
if (r < 0) {
free(resp_data);
free(sm_apdu);
free(sm_data);
}
return r;
}
static int sm_decrypt(const struct iso_sm_ctx *ctx, sc_card_t *card,
const sc_apdu_t *sm_apdu, sc_apdu_t *apdu)
{
int r;
struct sc_asn1_entry sm_rapdu[5];
struct sc_asn1_entry my_sm_rapdu[5];
u8 sw[2], mac[8], fdata[SC_MAX_EXT_APDU_BUFFER_SIZE];
size_t sw_len = sizeof sw, mac_len = sizeof mac, fdata_len = sizeof fdata,
buf_len, asn1_len, fdata_offset = 0;
const u8 *buf;
u8 *data = NULL, *mac_data = NULL, *asn1 = NULL;
sc_copy_asn1_entry(c_sm_rapdu, sm_rapdu);
sc_format_asn1_entry(sm_rapdu + 0, fdata, &fdata_len, 0);
sc_format_asn1_entry(sm_rapdu + 1, fdata, &fdata_len, 0);
sc_format_asn1_entry(sm_rapdu + 2, sw, &sw_len, 0);
sc_format_asn1_entry(sm_rapdu + 3, mac, &mac_len, 0);
r = sc_asn1_decode(card->ctx, sm_rapdu, sm_apdu->resp, sm_apdu->resplen,
&buf, &buf_len);
if (r < 0)
goto err;
if (buf_len > 0) {
r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
goto err;
}
if (sm_rapdu[3].flags & SC_ASN1_PRESENT) {
/* copy from sm_apdu to my_sm_apdu, but leave mac at default */
sc_copy_asn1_entry(sm_rapdu, my_sm_rapdu);
sc_copy_asn1_entry(&c_sm_rapdu[3], &my_sm_rapdu[3]);
r = sc_asn1_encode(card->ctx, my_sm_rapdu, &asn1, &asn1_len);
if (r < 0)
goto err;
r = add_padding(ctx, asn1, asn1_len, &mac_data);
if (r < 0) {
goto err;
}
r = ctx->verify_authentication(card, ctx, mac, mac_len,
mac_data, r);
if (r < 0)
goto err;
} else {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Cryptographic Checksum missing");
r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
goto err;
}
if (sm_rapdu[1].flags & SC_ASN1_PRESENT) {
if (ctx->padding_indicator != fdata[0]) {
r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
goto err;
}
fdata_offset = 1;
}
if (sm_rapdu[0].flags & SC_ASN1_PRESENT
|| sm_rapdu[1].flags & SC_ASN1_PRESENT) {
r = ctx->decrypt(card, ctx, fdata + fdata_offset,
fdata_len - fdata_offset, &data);
if (r < 0)
goto err;
buf_len = r;
r = rm_padding(ctx->padding_indicator, data, buf_len);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not remove padding");
goto err;
}
if (apdu->resplen < (size_t) r || (r && !apdu->resp)) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
"Response of SM APDU %u byte%s too long", r-apdu->resplen,
r-apdu->resplen < 2 ? "" : "s");
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
/* Flawfinder: ignore */
memcpy(apdu->resp, data, r);
apdu->resplen = r;
} else {
apdu->resplen = 0;
}
if (sm_rapdu[2].flags & SC_ASN1_PRESENT) {
if (sw_len != 2) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Length of processing status bytes must be 2");
r = SC_ERROR_ASN1_END_OF_CONTENTS;
goto err;
}
apdu->sw1 = sw[0];
apdu->sw2 = sw[1];
} else {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Authenticated status bytes are missing");
r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
goto err;
}
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Decrypted APDU sw1=%02x sw2=%02x",
apdu->sw1, apdu->sw2);
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Decrypted APDU response data",
apdu->resp, apdu->resplen);
r = SC_SUCCESS;
err:
free(asn1);
free(mac_data);
if (data) {
sc_mem_clear(data, buf_len);
free(data);
}
return r;
}
static int iso_add_sm(struct iso_sm_ctx *sctx, sc_card_t *card,
sc_apdu_t *apdu, sc_apdu_t **sm_apdu)
{
if (!card || !sctx)
return SC_ERROR_INVALID_ARGUMENTS;
if ((apdu->cla & 0x0C) == 0x0C) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Given APDU is already protected with some secure messaging. Closing own SM context.");
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sc_sm_stop(card),
"Could not close ISO SM session");
return SC_ERROR_SM_NOT_APPLIED;
}
if (sctx->pre_transmit)
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->pre_transmit(card, sctx, apdu),
"Could not complete SM specific pre transmit routine");
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sm_encrypt(sctx, card, apdu, sm_apdu),
"Could not encrypt APDU");
return SC_SUCCESS;
}
static int iso_rm_sm(struct iso_sm_ctx *sctx, sc_card_t *card,
sc_apdu_t *sm_apdu, sc_apdu_t *apdu)
{
if (sctx->post_transmit)
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->post_transmit(card, sctx, sm_apdu),
"Could not complete SM specific post transmit routine");
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sm_decrypt(sctx, card, sm_apdu, apdu),
"Could not decrypt APDU");
if (sctx->finish)
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->finish(card, sctx, apdu),
"Could not complete SM specific post transmit routine");
return SC_SUCCESS;
}
int iso_sm_close(struct sc_card *card)
{
if (card) {
iso_sm_ctx_clear_free(card->sm_ctx.info.cmd_data);
card->sm_ctx.info.cmd_data = NULL;
}
return SC_SUCCESS;
}
int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
{
return iso_add_sm(card->sm_ctx.info.cmd_data, card, apdu, sm_apdu);
}
int iso_free_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
{
struct sc_apdu *p = *sm_apdu;
int r;
if (!sm_apdu)
return SC_ERROR_INVALID_ARGUMENTS;
p = *sm_apdu;
r = iso_rm_sm(card->sm_ctx.info.cmd_data, card, p, apdu);
if (p) {
free((unsigned char *) p->data);
free((unsigned char *) p->resp);
}
free(*sm_apdu);
*sm_apdu = NULL;
return r;
}
struct iso_sm_ctx *iso_sm_ctx_create(void)
{
struct iso_sm_ctx *sctx = malloc(sizeof *sctx);
if (!sctx)
return NULL;
sctx->priv_data = NULL;
sctx->padding_indicator = SM_ISO_PADDING;
sctx->block_length = 0;
sctx->authenticate = NULL;
sctx->verify_authentication = NULL;
sctx->encrypt = NULL;
sctx->decrypt = NULL;
sctx->pre_transmit = NULL;
sctx->post_transmit = NULL;
sctx->finish = NULL;
sctx->clear_free = NULL;
return sctx;
}
void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx)
{
if (sctx && sctx->clear_free)
sctx->clear_free(sctx);
free(sctx);
}
int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx)
{
if (!card)
return SC_ERROR_INVALID_ARGUMENTS;
if (card->sm_ctx.ops.close)
card->sm_ctx.ops.close(card);
card->sm_ctx.info.cmd_data = sctx;
card->sm_ctx.ops.close = iso_sm_close;
card->sm_ctx.ops.free_sm_apdu = iso_free_sm_apdu;
card->sm_ctx.ops.get_sm_apdu = iso_get_sm_apdu;
card->sm_ctx.sm_mode = SM_MODE_TRANSMIT;
return SC_SUCCESS;
}
#else
int iso_sm_close(struct sc_card *card)
{
return SC_ERROR_NOT_SUPPORTED;
}
int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
{
return SC_ERROR_NOT_SUPPORTED;
}
struct iso_sm_ctx *iso_sm_ctx_create(void)
{
return NULL;
}
void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx)
{
}
int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx)
{
return SC_ERROR_NOT_SUPPORTED;
}
#endif

126
src/sm/sm-iso.h Normal file
View File

@ -0,0 +1,126 @@
/*
* Copyright (C) 2012-2015 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
* @file
* @defgroup sm Interface to Secure Messaging (SM) defined in ISO 7816
* @{
*/
#ifndef _ISO_SM_H
#define _ISO_SM_H
#include "libopensc/opensc.h"
#ifdef __cplusplus
extern "C" {
#endif
/** @brief maximum length of response when targeting a SM RAPDU
*
* Using SM with authenticated data+le and encrypted data this is the biggest
* amount of the unencrypted response data we can receive. We assume AES block
* length for padding and MAC. */
#define MAX_SM_APDU_RESP_SIZE 223
/** @brief maximum length of data when targeting a SM APDU
*
* Using SM with authenticated data+header and encrypted data this is the
* biggest amount of the unencrypted data we can send. We assume AES block
* length for padding and MAC. */
#define MAX_SM_APDU_DATA_SIZE 239
/** @brief Padding indicator: use ISO/IEC 9797-1 padding method 2 */
#define SM_ISO_PADDING 0x01
/** @brief Padding indicator: use no padding */
#define SM_NO_PADDING 0x02
/** @brief Secure messaging context */
struct iso_sm_ctx {
/** @brief data of the specific crypto implementation */
void *priv_data;
/** @brief Padding-content indicator byte (ISO 7816-4 Table 30) */
u8 padding_indicator;
/** @brief Pad to this block length */
size_t block_length;
/** @brief Call back function for authentication of data */
int (*authenticate)(sc_card_t *card, const struct iso_sm_ctx *ctx,
const u8 *data, size_t datalen, u8 **outdata);
/** @brief Call back function for verifying authentication data */
int (*verify_authentication)(sc_card_t *card, const struct iso_sm_ctx *ctx,
const u8 *mac, size_t maclen,
const u8 *macdata, size_t macdatalen);
/** @brief Call back function for encryption of data */
int (*encrypt)(sc_card_t *card, const struct iso_sm_ctx *ctx,
const u8 *data, size_t datalen, u8 **enc);
/** @brief Call back function for decryption of data */
int (*decrypt)(sc_card_t *card, const struct iso_sm_ctx *ctx,
const u8 *enc, size_t enclen, u8 **data);
/** @brief Call back function for actions before encoding and encryption of \a apdu */
int (*pre_transmit)(sc_card_t *card, const struct iso_sm_ctx *ctx,
sc_apdu_t *apdu);
/** @brief Call back function for actions before decryption and decoding of \a sm_apdu */
int (*post_transmit)(sc_card_t *card, const struct iso_sm_ctx *ctx,
sc_apdu_t *sm_apdu);
/** @brief Call back function for actions after decrypting SM protected APDU */
int (*finish)(sc_card_t *card, const struct iso_sm_ctx *ctx,
sc_apdu_t *apdu);
/** @brief Clears and frees private data */
void (*clear_free)(const struct iso_sm_ctx *ctx);
};
/**
* @brief Clears and frees the SM context including private data
*
* Calls \a sctx->clear_free() if available
*
* @param[in] sctx (optional)
*/
void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx);
/**
* @brief Creates a SM context
*
* @return SM context or NULL if an error occurred
*/
struct iso_sm_ctx *iso_sm_ctx_create(void);
/**
* @brief Initializes a card for usage of the ISO SM driver
*
* If a SM module has been assigned previously to the card, it will be cleaned
* up.
*
* @param[in] card
* @param[in] sctx will NOT be freed automatically. \a sctx should be present
* for the time of the SM session.
*
* @return \c SC_SUCCESS or error code if an error occurred
*/
int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx);
#ifdef __cplusplus
}
#endif
#endif
/* @} */

39
src/sm/sslutil.h Normal file
View File

@ -0,0 +1,39 @@
/*
* Copyright (C) 2011-2015 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _SC_SSLUTIL_H
#define _SC_SSLUTIL_H
#include <libopensc/opensc.h>
#include <libopensc/log.h>
#ifdef ENABLE_OPENSSL
#include <openssl/err.h>
#define ssl_error(ctx) { \
unsigned long _r; \
ERR_load_crypto_strings(); \
for (_r = ERR_get_error(); _r; _r = ERR_get_error()) { \
sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, ERR_error_string(_r, NULL)); \
} \
ERR_free_strings(); \
}
#endif
#endif

2
src/smm/Makefile.am
View File

@ -6,7 +6,7 @@ EXTRA_DIST = Makefile.mak
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/common -I$(top_builddir)/src/include
LIBS = $(top_builddir)/src/libsm/libsm.la \
LIBS = $(top_builddir)/src/sm/libsm.la \
$(top_builddir)/src/libopensc/libopensc.la \
$(top_builddir)/src/common/libcompat.la

2
src/smm/Makefile.mak
View File

@ -3,7 +3,7 @@ TOPDIR = ..\..
TARGET = smm-local.dll
OBJECTS = smm-local.obj sm-global-platform.obj sm-cwa14890.obj sm-card-iasecc.obj sm-card-authentic.obj
LIBS = $(TOPDIR)\src\libsm\libsm.lib $(TOPDIR)\src\libopensc\opensc_a.lib $(TOPDIR)\src\common\libscdl.lib
LIBS = $(TOPDIR)\src\sm\libsm.lib $(TOPDIR)\src\libopensc\opensc_a.lib $(TOPDIR)\src\common\libscdl.lib
all: $(TARGET)

2
src/smm/sm-module.h
View File

@ -31,7 +31,7 @@ extern "C" {
#include <openssl/sha.h>
#include "libopensc/sm.h"
#include "libsm/sm-common.h"
#include "sm/sm-common.h"
/* Global Platform definitions */
int sm_gp_get_mac(unsigned char *key, DES_cblock *icv, unsigned char *in, int in_len,

58
src/tools/Makefile.am
View File

@ -1,14 +1,32 @@
include $(top_srcdir)/win32/ltrc.inc
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/versioninfo-tools.rc
EXTRA_DIST = Makefile.mak versioninfo-tools.rc.in
do_subst = $(SED) \
-e 's,[@]CVCDIR[@],$(CVCDIR),g' \
-e 's,[@]PACKAGE[@],$(PACKAGE),g' \
-e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
-e 's,[@]PACKAGE_NAME[@],$(PACKAGE_NAME),g' \
-e 's,[@]PACKAGE_TARNAME[@],$(PACKAGE_TARNAME),g' \
-e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
-e 's,[@]PACKAGE_SUMMARY[@],$(PACKAGE_SUMMARY),g' \
-e 's,[@]PACKAGE_VERSION[@],"$(PACKAGE_VERSION)",g' \
-e 's,[@]X509DIR[@],$(X509DIR),g'
noinst_HEADERS = util.h
NPA_TOOL_BUILT_SOURCES = npa-tool-cmdline.h npa-tool-cmdline.c
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/versioninfo-tools.rc
EXTRA_DIST = Makefile.mak versioninfo-tools.rc.in npa-tool.ggo.in
noinst_HEADERS = util.h fread_to_eof.h
noinst_PROGRAMS = sceac-example
bin_PROGRAMS = opensc-tool opensc-explorer pkcs15-tool pkcs15-crypt \
pkcs11-tool cardos-tool eidenv openpgp-tool iasecc-tool
if ENABLE_OPENSSL
bin_PROGRAMS += cryptoflex-tool pkcs15-init netkey-tool piv-tool \
westcos-tool sc-hsm-tool dnie-tool gids-tool
westcos-tool sc-hsm-tool dnie-tool gids-tool npa-tool
endif
if ENABLE_MAN
dist_man1_MANS = npa-tool.1
endif
# compile with $(PTHREAD_CFLAGS) to allow debugging with gdb
@ -19,6 +37,10 @@ LIBS = \
$(top_builddir)/src/common/libscdl.la \
$(top_builddir)/src/common/libcompat.la
sceac_example_SOURCES = sceac-example.c
sceac_example_LDADD = $(top_builddir)/src/sm/libsmeac.la $(top_builddir)/src/libopensc/libopensc.la $(OPENPACE_LIBS)
sceac_example_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS)
opensc_tool_SOURCES = opensc-tool.c util.c
piv_tool_SOURCES = piv-tool.c util.c
piv_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
@ -54,6 +76,31 @@ dnie_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
gids_tool_SOURCES = gids-tool.c util.c
gids_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
npa_tool_SOURCES = npa-tool.c fread_to_eof.c $(NPA_TOOL_BUILT_SOURCES)
npa_tool_LDADD = $(top_builddir)/src/libopensc/libopensc.la \
$(top_builddir)/src/sm/libsmeac.la \
$(OPENPACE_LIBS)
npa_tool_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS)
npa-tool.c: $(abs_builddir)/npa-tool.ggo $(NPA_TOOL_BUILT_SOURCES)
# We only want *cmdline* to be generated when they have explicitly been removed.
$(NPA_TOOL_BUILT_SOURCES):
$(MAKE) $(abs_builddir)/npa-tool.ggo
$(GENGETOPT) --include-getopt --file-name=npa-tool-cmdline --output-dir=$(builddir) < $(abs_builddir)/npa-tool.ggo
$(abs_builddir)/npa-tool.ggo: npa-tool.ggo.in
$(do_subst) < $(abs_srcdir)/npa-tool.ggo.in > $@
# We only want npa-tool.1 to be generated when it has explicitly been removed.
npa-tool.1:
$(MAKE) npa-tool$(EXEEXT)
$(HELP2MAN) \
--output=$@ \
--no-info \
--source='$(PACKAGE_STRING)' \
$(builddir)/npa-tool$(EXEEXT)
if WIN32
opensc_tool_SOURCES += versioninfo-tools.rc
piv_tool_SOURCES += versioninfo-tools.rc
@ -72,3 +119,6 @@ iasecc_tool_SOURCES += versioninfo-tools.rc
sc_hsm_tool_SOURCES += versioninfo-tools.rc
gids_tool_SOURCES += versioninfo-tools.rc
endif
clean-local:
rm -f $(abs_builddir)/npa-tool.ggo

6
src/tools/Makefile.mak
View File

@ -8,12 +8,14 @@ TARGETS = opensc-tool.exe opensc-explorer.exe pkcs15-tool.exe pkcs15-crypt.exe \
pkcs11-tool.exe cardos-tool.exe eidenv.exe openpgp-tool.exe iasecc-tool.exe \
$(PROGRAMS_OPENSSL)
OBJECTS = util.obj versioninfo-tools.res
OBJECTS = util.obj npa-tool-cmdline.obj fread_to_eof.obj versioninfo-tools.res
LIBS = $(TOPDIR)\src\common\common.lib \
$(TOPDIR)\src\scconf\scconf.lib \
$(TOPDIR)\src\libopensc\opensc.lib \
$(TOPDIR)\src\pkcs15init\pkcs15init.lib \
$(TOPDIR)\src\common\libpkcs11.lib \
$(TOPDIR)\src\sm\libsmeac.lib \
$(TOPDIR)\src\sm\libsmiso.lib \
$(TOPDIR)\src\common\libscdl.lib
all: $(TARGETS)
@ -22,5 +24,5 @@ $(TARGETS): $(OBJECTS) $(LIBS)
.c.exe:
cl $(COPTS) /c $<
link $(LINKFLAGS) /pdb:$*.pdb /out:$@ $*.obj $(OBJECTS) $(LIBS) $(OPENSSL_LIB) gdi32.lib shell32.lib
link $(LINKFLAGS) /pdb:$*.pdb /out:$@ $*.obj $(OBJECTS) $(LIBS) $(OPENPACE_LIB) $(OPENSSL_LIB) gdi32.lib shell32.lib ws2_32.lib
if EXIST $@.manifest mt -manifest $@.manifest -outputresource:$@;1

29
src/tools/apdus Normal file
View File

@ -0,0 +1,29 @@
00:22:81:B6:0F:83:0D:5A:5A:43:56:43:41:41:54:41:30:30:30:31
00:2a:00:be:e4:7f:4e:81:9d:5f:29:01:00:42:0d:5a:5a:43:56:43:41:41:54:41:30:30:30:31:7f:49:4f:06:0a:04:00:7f:00:07:02:02:02:02:03:86:41:04:52:dd:32:ea:fe:1f:bb:b4:00:0c:d9:ce:75:f6:66:36:cf:cf:1e:dd:44:f7:b1:ed:ae:25:b8:41:93:da:04:a9:1c:77:ee:87:f5:c8:f9:59:ed:27:62:00:de:33:ab:57:4c:e9:80:11:35:ff:44:97:a3:71:62:b7:c8:54:8a:0c:5f:20:0e:5a:5a:44:56:43:41:41:54:41:30:30:30:30:35:7f:4c:12:06:09:04:00:7f:00:07:03:01:02:02:53:05:70:03:01:ff:b7:5f:25:06:01:00:00:06:01:01:5f:24:06:01:00:01:00:03:01:5f:37:40:6f:13:ae:9a:6f:4e:dd:b7:83:9f:f3:f0:4d:71:e0:dc:37:7b:c4:b0:8f:ad:29:5e:ed:24:1b:52:43:28:ad:07:30:eb:55:34:97:b4:fb:66:e9:bb:7a:b9:08:15:f0:42:73:f0:9e:75:1d:7f:d4:b8:61:43:9b:4e:e6:53:81:c3
002281B610830E5A5A445643414154413030303035
002a00be0001417f4e81fa5f290100420e5a5a4456434141544130303030357f494f060a04007f000702020202038641049bfe7415d73c4a78d60b2cc1bca11b6d5e523969acfb5b756a3be1551b22239c79ae362b838b00669983c0caf6ed0c781d401c95d2b32857de8ce1b619dac4a75f200a5a5a5349543030304f347f4c12060904007f000703010202530500000000045f25060100000902015f2406010000090206655e732d060904007f0007030103028020b02baa51a94fac0954df204d61fe22da1d408d45db4aa1d70e600dad4faf6799732d060904007f0007030103018020c72e13582f01ba068dd1aac29a2428c0c54ab9c204fd53b3f13e8290e21e50f95f374083c5b441fec5b18efd1caa4a11b8e1cede0a8b42d442f00d7f604e429f339b4e3e6c06f9e76a2daa82c1722ee137a89038b969c634561581e6c26d9f6fa75c52
00:22:81:A4:53:80:0A:04:00:7F:00:07:02:02:02:02:03:83:0A:5A:5A:53:49:54:30:30:30:4F:34:91:20:88:E5:F2:C6:11:18:0D:0A:C1:0E:BD:E6:FC:2A:5E:62:41:79:C0:A5:77:C3:E4:88:52:DD:81:A4:CD:F7:90:51:67:17:73:15:06:09:04:00:7F:00:07:03:01:04:02:53:08:32:30:31:30:30:39:32:34
00:84:00:00:08
00820000400C9E7DB72CB0FAEA15B00FECAE0257546446A9395862239AF240C3C29E857F8403345817760FE13F6597F04D2F7330B59065F68DF71EF7FDEC86743CDE2869DD
00a4000c023f00
00:A4:02:0C:02:01:1D
00:b0:00:00:80
00B0008080
00b0010080
00:B0:01:80:80
00:b0:02:00:80
00B0028080
00b0030080
00:B0:03:80:80
00:b0:04:00:80
00B0048080
00b0050080
00:B0:05:80:80
00:b0:06:00:80
00B0068080
00b0070080
00:B0:07:80:80
00:22:41:a4:0c:80:0a:04:00:7f:00:07:02:02:03:02:02
00860000457C43804104239E3D05EEB059117D30F86AEB5AE7D12E0EBF758889C79115F2A13DC1BB570A5CAD91A384337C09D1B74BED1C0FF195A7C3EA3A2CEDF86DDEF7B95D1FD1B35D00
0020001006010203040506

62
src/tools/fread_to_eof.c Normal file
View File

@ -0,0 +1,62 @@
/*
* Copyright (C) 2010 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int fread_to_eof(const char *file, unsigned char **buf, size_t *buflen)
{
FILE *input = NULL;
int r = 0;
unsigned char *p;
if (!buflen || !buf || !file)
goto err;
#define MAX_READ_LEN 0xfff
p = realloc(*buf, MAX_READ_LEN);
if (!p)
goto err;
*buf = p;
input = fopen(file, "rb");
if (!input) {
goto err;
}
*buflen = 0;
while (feof(input) == 0 && *buflen < MAX_READ_LEN) {
*buflen += fread(*buf+*buflen, 1, MAX_READ_LEN-*buflen, input);
if (ferror(input)) {
goto err;
}
}
r = 1;
err:
if (input)
fclose(input);
return r;
}

25
src/tools/fread_to_eof.h Normal file
View File

@ -0,0 +1,25 @@
/*
* Copyright (C) 2010 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _FREAD_TO_EOF_H
#define _FREAD_TO_EOF_H
int fread_to_eof(const char *file, unsigned char **buf, size_t *buflen);
#endif

2540
src/tools/npa-tool-cmdline.c Normal file
View File

File diff suppressed because it is too large Load Diff

354
src/tools/npa-tool-cmdline.h Normal file
View File

@ -0,0 +1,354 @@
/** @file npa-tool-cmdline.h
* @brief The header file for the command line option parser
* generated by GNU Gengetopt version 2.22.6
* http://www.gnu.org/software/gengetopt.
* DO NOT modify this file, since it can be overwritten
* @author GNU Gengetopt by Lorenzo Bettini */
#ifndef NPA_TOOL_CMDLINE_H
#define NPA_TOOL_CMDLINE_H
/* If we use autoconf. */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <stdio.h> /* for FILE */
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
#ifndef CMDLINE_PARSER_PACKAGE
/** @brief the program name (used for printing errors) */
#define CMDLINE_PARSER_PACKAGE "npa-tool"
#endif
#ifndef CMDLINE_PARSER_PACKAGE_NAME
/** @brief the complete program name (used for help and version) */
#define CMDLINE_PARSER_PACKAGE_NAME "npa-tool"
#endif
#ifndef CMDLINE_PARSER_VERSION
/** @brief the program version */
#define CMDLINE_PARSER_VERSION VERSION
#endif
/** @brief Where the command line options are stored */
struct gengetopt_args_info
{
const char *help_help; /**< @brief Print help and exit help description. */
const char *version_help; /**< @brief Print version and exit help description. */
int reader_arg; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) (default='-1'). */
char * reader_orig; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) original value given at command line. */
const char *reader_help; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) help description. */
unsigned int verbose_min; /**< @brief Use (several times) to be more verbose's minimum occurreces */
unsigned int verbose_max; /**< @brief Use (several times) to be more verbose's maximum occurreces */
const char *verbose_help; /**< @brief Use (several times) to be more verbose help description. */
char * pin_arg; /**< @brief Run PACE with (transport) eID-PIN. */
char * pin_orig; /**< @brief Run PACE with (transport) eID-PIN original value given at command line. */
const char *pin_help; /**< @brief Run PACE with (transport) eID-PIN help description. */
char * puk_arg; /**< @brief Run PACE with PUK. */
char * puk_orig; /**< @brief Run PACE with PUK original value given at command line. */
const char *puk_help; /**< @brief Run PACE with PUK help description. */
char * can_arg; /**< @brief Run PACE with CAN. */
char * can_orig; /**< @brief Run PACE with CAN original value given at command line. */
const char *can_help; /**< @brief Run PACE with CAN help description. */
char * mrz_arg; /**< @brief Run PACE with MRZ (insert MRZ without newlines). */
char * mrz_orig; /**< @brief Run PACE with MRZ (insert MRZ without newlines) original value given at command line. */
const char *mrz_help; /**< @brief Run PACE with MRZ (insert MRZ without newlines) help description. */
int env_flag; /**< @brief Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this. (default=off). */
const char *env_help; /**< @brief Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this. help description. */
char * new_pin_arg; /**< @brief Install a new PIN. */
char * new_pin_orig; /**< @brief Install a new PIN original value given at command line. */
const char *new_pin_help; /**< @brief Install a new PIN help description. */
int resume_flag; /**< @brief Resume eID-PIN (uses CAN to activate last retry) (default=off). */
const char *resume_help; /**< @brief Resume eID-PIN (uses CAN to activate last retry) help description. */
int unblock_flag; /**< @brief Unblock PIN (uses PUK to activate three more retries) (default=off). */
const char *unblock_help; /**< @brief Unblock PIN (uses PUK to activate three more retries) help description. */
char ** cv_certificate_arg; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).. */
char ** cv_certificate_orig; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important). original value given at command line. */
unsigned int cv_certificate_min; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).'s minimum occurreces */
unsigned int cv_certificate_max; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).'s maximum occurreces */
const char *cv_certificate_help; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important). help description. */
char * cert_desc_arg; /**< @brief Certificate description to show for Terminal Authentication. */
char * cert_desc_orig; /**< @brief Certificate description to show for Terminal Authentication original value given at command line. */
const char *cert_desc_help; /**< @brief Certificate description to show for Terminal Authentication help description. */
char * chat_arg; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser).. */
char * chat_orig; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser). original value given at command line. */
const char *chat_help; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser). help description. */
char * auxiliary_data_arg; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID).. */
char * auxiliary_data_orig; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID). original value given at command line. */
const char *auxiliary_data_help; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID). help description. */
char * private_key_arg; /**< @brief Terminal's private key. */
char * private_key_orig; /**< @brief Terminal's private key original value given at command line. */
const char *private_key_help; /**< @brief Terminal's private key help description. */
char * cvc_dir_arg; /**< @brief Where to look for the CVCA's certificate (default='/home/fm/.local/etc/eac/cvc'). */
char * cvc_dir_orig; /**< @brief Where to look for the CVCA's certificate original value given at command line. */
const char *cvc_dir_help; /**< @brief Where to look for the CVCA's certificate help description. */
char * x509_dir_arg; /**< @brief Where to look for the CSCA's certificate (default='/home/fm/.local/etc/eac/x509'). */
char * x509_dir_orig; /**< @brief Where to look for the CSCA's certificate original value given at command line. */
const char *x509_dir_help; /**< @brief Where to look for the CSCA's certificate help description. */
int disable_ta_checks_flag; /**< @brief Disable checking the validity period of CV certifcates (default=off). */
const char *disable_ta_checks_help; /**< @brief Disable checking the validity period of CV certifcates help description. */
int disable_ca_checks_flag; /**< @brief Disable passive authentication (default=off). */
const char *disable_ca_checks_help; /**< @brief Disable passive authentication help description. */
int read_dg1_flag; /**< @brief Read DG 1 (Document Type) (default=off). */
const char *read_dg1_help; /**< @brief Read DG 1 (Document Type) help description. */
int read_dg2_flag; /**< @brief Read DG 2 (Issuing State) (default=off). */
const char *read_dg2_help; /**< @brief Read DG 2 (Issuing State) help description. */
int read_dg3_flag; /**< @brief Read DG 3 (Date of Expiry) (default=off). */
const char *read_dg3_help; /**< @brief Read DG 3 (Date of Expiry) help description. */
int read_dg4_flag; /**< @brief Read DG 4 (Given Names) (default=off). */
const char *read_dg4_help; /**< @brief Read DG 4 (Given Names) help description. */
int read_dg5_flag; /**< @brief Read DG 5 (Family Names) (default=off). */
const char *read_dg5_help; /**< @brief Read DG 5 (Family Names) help description. */
int read_dg6_flag; /**< @brief Read DG 6 (Religious/Artistic Name) (default=off). */
const char *read_dg6_help; /**< @brief Read DG 6 (Religious/Artistic Name) help description. */
int read_dg7_flag; /**< @brief Read DG 7 (Academic Title) (default=off). */
const char *read_dg7_help; /**< @brief Read DG 7 (Academic Title) help description. */
int read_dg8_flag; /**< @brief Read DG 8 (Date of Birth) (default=off). */
const char *read_dg8_help; /**< @brief Read DG 8 (Date of Birth) help description. */
int read_dg9_flag; /**< @brief Read DG 9 (Place of Birth) (default=off). */
const char *read_dg9_help; /**< @brief Read DG 9 (Place of Birth) help description. */
int read_dg10_flag; /**< @brief Read DG 10 (Nationality) (default=off). */
const char *read_dg10_help; /**< @brief Read DG 10 (Nationality) help description. */
int read_dg11_flag; /**< @brief Read DG 11 (Sex) (default=off). */
const char *read_dg11_help; /**< @brief Read DG 11 (Sex) help description. */
int read_dg12_flag; /**< @brief Read DG 12 (Optional Data) (default=off). */
const char *read_dg12_help; /**< @brief Read DG 12 (Optional Data) help description. */
int read_dg13_flag; /**< @brief Read DG 13 (Birth Name) (default=off). */
const char *read_dg13_help; /**< @brief Read DG 13 (Birth Name) help description. */
int read_dg14_flag; /**< @brief Read DG 14 (default=off). */
const char *read_dg14_help; /**< @brief Read DG 14 help description. */
int read_dg15_flag; /**< @brief Read DG 15 (default=off). */
const char *read_dg15_help; /**< @brief Read DG 15 help description. */
int read_dg16_flag; /**< @brief Read DG 16 (default=off). */
const char *read_dg16_help; /**< @brief Read DG 16 help description. */
int read_dg17_flag; /**< @brief Read DG 17 (Normal Place of Residence) (default=off). */
const char *read_dg17_help; /**< @brief Read DG 17 (Normal Place of Residence) help description. */
int read_dg18_flag; /**< @brief Read DG 18 (Community ID) (default=off). */
const char *read_dg18_help; /**< @brief Read DG 18 (Community ID) help description. */
int read_dg19_flag; /**< @brief Read DG 19 (Residence Permit I) (default=off). */
const char *read_dg19_help; /**< @brief Read DG 19 (Residence Permit I) help description. */
int read_dg20_flag; /**< @brief Read DG 20 (Residence Permit II) (default=off). */
const char *read_dg20_help; /**< @brief Read DG 20 (Residence Permit II) help description. */
int read_dg21_flag; /**< @brief Read DG 21 (Optional Data) (default=off). */
const char *read_dg21_help; /**< @brief Read DG 21 (Optional Data) help description. */
char * write_dg17_arg; /**< @brief Write DG 17 (Normal Place of Residence). */
char * write_dg17_orig; /**< @brief Write DG 17 (Normal Place of Residence) original value given at command line. */
const char *write_dg17_help; /**< @brief Write DG 17 (Normal Place of Residence) help description. */
char * write_dg18_arg; /**< @brief Write DG 18 (Community ID). */
char * write_dg18_orig; /**< @brief Write DG 18 (Community ID) original value given at command line. */
const char *write_dg18_help; /**< @brief Write DG 18 (Community ID) help description. */
char * write_dg19_arg; /**< @brief Write DG 19 (Residence Permit I). */
char * write_dg19_orig; /**< @brief Write DG 19 (Residence Permit I) original value given at command line. */
const char *write_dg19_help; /**< @brief Write DG 19 (Residence Permit I) help description. */
char * write_dg20_arg; /**< @brief Write DG 20 (Residence Permit II). */
char * write_dg20_orig; /**< @brief Write DG 20 (Residence Permit II) original value given at command line. */
const char *write_dg20_help; /**< @brief Write DG 20 (Residence Permit II) help description. */
char * write_dg21_arg; /**< @brief Write DG 21 (Optional Data). */
char * write_dg21_orig; /**< @brief Write DG 21 (Optional Data) original value given at command line. */
const char *write_dg21_help; /**< @brief Write DG 21 (Optional Data) help description. */
char * verify_validity_arg; /**< @brief Verify chip's validity with a reference date. */
char * verify_validity_orig; /**< @brief Verify chip's validity with a reference date original value given at command line. */
const char *verify_validity_help; /**< @brief Verify chip's validity with a reference date help description. */
char * older_than_arg; /**< @brief Verify age with a reference date. */
char * older_than_orig; /**< @brief Verify age with a reference date original value given at command line. */
const char *older_than_help; /**< @brief Verify age with a reference date help description. */
char * verify_community_arg; /**< @brief Verify community ID with a reference ID. */
char * verify_community_orig; /**< @brief Verify community ID with a reference ID original value given at command line. */
const char *verify_community_help; /**< @brief Verify community ID with a reference ID help description. */
int break_flag; /**< @brief Brute force PIN, CAN or PUK. Use together with -p, -a or -u (default=off). */
const char *break_help; /**< @brief Brute force PIN, CAN or PUK. Use together with -p, -a or -u help description. */
char * translate_arg; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel (default='stdin'). */
char * translate_orig; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel original value given at command line. */
const char *translate_help; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel help description. */
int tr_03110v201_flag; /**< @brief Force compliance to BSI TR-03110 version 2.01 (default=off). */
const char *tr_03110v201_help; /**< @brief Force compliance to BSI TR-03110 version 2.01 help description. */
int disable_all_checks_flag; /**< @brief Disable all checking of fly-by-data (default=off). */
const char *disable_all_checks_help; /**< @brief Disable all checking of fly-by-data help description. */
unsigned int help_given ; /**< @brief Whether help was given. */
unsigned int version_given ; /**< @brief Whether version was given. */
unsigned int reader_given ; /**< @brief Whether reader was given. */
unsigned int verbose_given ; /**< @brief Whether verbose was given. */
unsigned int pin_given ; /**< @brief Whether pin was given. */
unsigned int puk_given ; /**< @brief Whether puk was given. */
unsigned int can_given ; /**< @brief Whether can was given. */
unsigned int mrz_given ; /**< @brief Whether mrz was given. */
unsigned int env_given ; /**< @brief Whether env was given. */
unsigned int new_pin_given ; /**< @brief Whether new-pin was given. */
unsigned int resume_given ; /**< @brief Whether resume was given. */
unsigned int unblock_given ; /**< @brief Whether unblock was given. */
unsigned int cv_certificate_given ; /**< @brief Whether cv-certificate was given. */
unsigned int cert_desc_given ; /**< @brief Whether cert-desc was given. */
unsigned int chat_given ; /**< @brief Whether chat was given. */
unsigned int auxiliary_data_given ; /**< @brief Whether auxiliary-data was given. */
unsigned int private_key_given ; /**< @brief Whether private-key was given. */
unsigned int cvc_dir_given ; /**< @brief Whether cvc-dir was given. */
unsigned int x509_dir_given ; /**< @brief Whether x509-dir was given. */
unsigned int disable_ta_checks_given ; /**< @brief Whether disable-ta-checks was given. */
unsigned int disable_ca_checks_given ; /**< @brief Whether disable-ca-checks was given. */
unsigned int read_dg1_given ; /**< @brief Whether read-dg1 was given. */
unsigned int read_dg2_given ; /**< @brief Whether read-dg2 was given. */
unsigned int read_dg3_given ; /**< @brief Whether read-dg3 was given. */
unsigned int read_dg4_given ; /**< @brief Whether read-dg4 was given. */
unsigned int read_dg5_given ; /**< @brief Whether read-dg5 was given. */
unsigned int read_dg6_given ; /**< @brief Whether read-dg6 was given. */
unsigned int read_dg7_given ; /**< @brief Whether read-dg7 was given. */
unsigned int read_dg8_given ; /**< @brief Whether read-dg8 was given. */
unsigned int read_dg9_given ; /**< @brief Whether read-dg9 was given. */
unsigned int read_dg10_given ; /**< @brief Whether read-dg10 was given. */
unsigned int read_dg11_given ; /**< @brief Whether read-dg11 was given. */
unsigned int read_dg12_given ; /**< @brief Whether read-dg12 was given. */
unsigned int read_dg13_given ; /**< @brief Whether read-dg13 was given. */
unsigned int read_dg14_given ; /**< @brief Whether read-dg14 was given. */
unsigned int read_dg15_given ; /**< @brief Whether read-dg15 was given. */
unsigned int read_dg16_given ; /**< @brief Whether read-dg16 was given. */
unsigned int read_dg17_given ; /**< @brief Whether read-dg17 was given. */
unsigned int read_dg18_given ; /**< @brief Whether read-dg18 was given. */
unsigned int read_dg19_given ; /**< @brief Whether read-dg19 was given. */
unsigned int read_dg20_given ; /**< @brief Whether read-dg20 was given. */
unsigned int read_dg21_given ; /**< @brief Whether read-dg21 was given. */
unsigned int write_dg17_given ; /**< @brief Whether write-dg17 was given. */
unsigned int write_dg18_given ; /**< @brief Whether write-dg18 was given. */
unsigned int write_dg19_given ; /**< @brief Whether write-dg19 was given. */
unsigned int write_dg20_given ; /**< @brief Whether write-dg20 was given. */
unsigned int write_dg21_given ; /**< @brief Whether write-dg21 was given. */
unsigned int verify_validity_given ; /**< @brief Whether verify-validity was given. */
unsigned int older_than_given ; /**< @brief Whether older-than was given. */
unsigned int verify_community_given ; /**< @brief Whether verify-community was given. */
unsigned int break_given ; /**< @brief Whether break was given. */
unsigned int translate_given ; /**< @brief Whether translate was given. */
unsigned int tr_03110v201_given ; /**< @brief Whether tr-03110v201 was given. */
unsigned int disable_all_checks_given ; /**< @brief Whether disable-all-checks was given. */
} ;
/** @brief The additional parameters to pass to parser functions */
struct cmdline_parser_params
{
int override; /**< @brief whether to override possibly already present options (default 0) */
int initialize; /**< @brief whether to initialize the option structure gengetopt_args_info (default 1) */
int check_required; /**< @brief whether to check that all required options were provided (default 1) */
int check_ambiguity; /**< @brief whether to check for options already specified in the option structure gengetopt_args_info (default 0) */
int print_errors; /**< @brief whether getopt_long should print an error message for a bad option (default 1) */
} ;
/** @brief the purpose string of the program */
extern const char *gengetopt_args_info_purpose;
/** @brief the usage string of the program */
extern const char *gengetopt_args_info_usage;
/** @brief the description string of the program */
extern const char *gengetopt_args_info_description;
/** @brief all the lines making the help output */
extern const char *gengetopt_args_info_help[];
/**
* The command line parser
* @param argc the number of command line options
* @param argv the command line options
* @param args_info the structure where option information will be stored
* @return 0 if everything went fine, NON 0 if an error took place
*/
int cmdline_parser (int argc, char **argv,
struct gengetopt_args_info *args_info);
/**
* The command line parser (version with additional parameters - deprecated)
* @param argc the number of command line options
* @param argv the command line options
* @param args_info the structure where option information will be stored
* @param override whether to override possibly already present options
* @param initialize whether to initialize the option structure my_args_info
* @param check_required whether to check that all required options were provided
* @return 0 if everything went fine, NON 0 if an error took place
* @deprecated use cmdline_parser_ext() instead
*/
int cmdline_parser2 (int argc, char **argv,
struct gengetopt_args_info *args_info,
int override, int initialize, int check_required);
/**
* The command line parser (version with additional parameters)
* @param argc the number of command line options
* @param argv the command line options
* @param args_info the structure where option information will be stored
* @param params additional parameters for the parser
* @return 0 if everything went fine, NON 0 if an error took place
*/
int cmdline_parser_ext (int argc, char **argv,
struct gengetopt_args_info *args_info,
struct cmdline_parser_params *params);
/**
* Save the contents of the option struct into an already open FILE stream.
* @param outfile the stream where to dump options
* @param args_info the option struct to dump
* @return 0 if everything went fine, NON 0 if an error took place
*/
int cmdline_parser_dump(FILE *outfile,
struct gengetopt_args_info *args_info);
/**
* Save the contents of the option struct into a (text) file.
* This file can be read by the config file parser (if generated by gengetopt)
* @param filename the file where to save
* @param args_info the option struct to save
* @return 0 if everything went fine, NON 0 if an error took place
*/
int cmdline_parser_file_save(const char *filename,
struct gengetopt_args_info *args_info);
/**
* Print the help
*/
void cmdline_parser_print_help(void);
/**
* Print the version
*/
void cmdline_parser_print_version(void);
/**
* Initializes all the fields a cmdline_parser_params structure
* to their default values
* @param params the structure to initialize
*/
void cmdline_parser_params_init(struct cmdline_parser_params *params);
/**
* Allocates dynamically a cmdline_parser_params structure and initializes
* all its fields to their default values
* @return the created and initialized cmdline_parser_params structure
*/
struct cmdline_parser_params *cmdline_parser_params_create(void);
/**
* Initializes the passed gengetopt_args_info structure's fields
* (also set default values for options that have a default)
* @param args_info the structure to initialize
*/
void cmdline_parser_init (struct gengetopt_args_info *args_info);
/**
* Deallocates the string fields of the gengetopt_args_info structure
* (but does not deallocate the structure itself)
* @param args_info the structure to deallocate
*/
void cmdline_parser_free (struct gengetopt_args_info *args_info);
/**
* Checks that all the required options were specified
* @param args_info the structure to check
* @param prog_name the name of the program that will be used to print
* possible errors
* @return
*/
int cmdline_parser_required (struct gengetopt_args_info *args_info,
const char *prog_name);
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* NPA_TOOL_CMDLINE_H */

205
src/tools/npa-tool.1 Normal file
View File

@ -0,0 +1,205 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH NPA-TOOL "1" "July 2016" "OpenSC 0.16.0" "User Commands"
.SH NAME
npa-tool \- manual page for npa-tool 0.16.0
.SH SYNOPSIS
.B npa-tool
[\fI\,OPTIONS\/\fR]...
.SH DESCRIPTION
npa\-tool 0.16.0
.TP
\fB\-h\fR, \fB\-\-help\fR
Print help and exit
.TP
\fB\-V\fR, \fB\-\-version\fR
Print version and exit
.TP
\fB\-r\fR, \fB\-\-reader\fR=\fI\,INT\/\fR
Number of the PC/SC reader to use (\fB\-1\fR for
autodetect) (default=`\-1')
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Use (several times) to be more verbose
.SS "Password Authenticated Connection Establishment (PACE):"
.TP
\fB\-p\fR, \fB\-\-pin\fR[=\fI\,STRING\/\fR]
Run PACE with (transport) eID\-PIN
.TP
\fB\-u\fR, \fB\-\-puk\fR[=\fI\,STRING\/\fR]
Run PACE with PUK
.TP
\fB\-c\fR, \fB\-\-can\fR[=\fI\,STRING\/\fR]
Run PACE with CAN
.TP
\fB\-m\fR, \fB\-\-mrz\fR[=\fI\,STRING\/\fR]
Run PACE with MRZ (insert MRZ without newlines)
.TP
\fB\-\-env\fR
Whether to use environment variables PIN, PUK,
CAN, MRZ and NEWPIN. You may want to clean
your environment before enabling this.
(default=off)
.SS "PIN management:"
.TP
\fB\-N\fR, \fB\-\-new\-pin\fR[=\fI\,STRING\/\fR]
Install a new PIN
.TP
\fB\-R\fR, \fB\-\-resume\fR
Resume eID\-PIN (uses CAN to activate last
retry) (default=off)
.TP
\fB\-U\fR, \fB\-\-unblock\fR
Unblock PIN (uses PUK to activate three more
retries) (default=off)
.SS "Terminal Authentication (TA) and Chip Authentication (CA):"
.TP
\fB\-C\fR, \fB\-\-cv\-certificate\fR=\fI\,FILENAME\/\fR Card Verifiable Certificate to create a
certificate chain. Can be used multiple times
(order is important).
.TP
\fB\-\-cert\-desc\fR=\fI\,HEX_STRING\/\fR
Certificate description to show for Terminal
Authentication
.TP
\fB\-\-chat\fR=\fI\,HEX_STRING\/\fR
Card holder authorization template to use
(default is terminal's CHAT). Use
7F4C0E060904007F000703010203530103 to trigger
EAC on the CAT\-C (Komfortleser).
.TP
\fB\-A\fR, \fB\-\-auxiliary\-data\fR=\fI\,HEX_STRING\/\fR
Terminal's auxiliary data (default is
.TP
determined by verification of validity, age
and community ID).
.TP
\fB\-P\fR, \fB\-\-private\-key\fR=\fI\,FILENAME\/\fR
Terminal's private key
.TP
\fB\-\-cvc\-dir\fR=\fI\,DIRECTORY\/\fR
Where to look for the CVCA's certificate
(default=`/home/fm/.local/etc/eac/cvc')
.TP
\fB\-\-x509\-dir\fR=\fI\,DIRECTORY\/\fR
Where to look for the CSCA's certificate
(default=`/home/fm/.local/etc/eac/x509')
.TP
\fB\-\-disable\-ta\-checks\fR
Disable checking the validity period of CV
certifcates (default=off)
.TP
\fB\-\-disable\-ca\-checks\fR
Disable passive authentication (default=off)
.SS "Read and write data groups:"
.TP
\fB\-\-read\-dg1\fR
Read DG 1 (Document Type) (default=off)
.TP
\fB\-\-read\-dg2\fR
Read DG 2 (Issuing State) (default=off)
.TP
\fB\-\-read\-dg3\fR
Read DG 3 (Date of Expiry) (default=off)
.TP
\fB\-\-read\-dg4\fR
Read DG 4 (Given Names) (default=off)
.TP
\fB\-\-read\-dg5\fR
Read DG 5 (Family Names) (default=off)
.TP
\fB\-\-read\-dg6\fR
Read DG 6 (Religious/Artistic Name)
(default=off)
.TP
\fB\-\-read\-dg7\fR
Read DG 7 (Academic Title) (default=off)
.TP
\fB\-\-read\-dg8\fR
Read DG 8 (Date of Birth) (default=off)
.TP
\fB\-\-read\-dg9\fR
Read DG 9 (Place of Birth) (default=off)
.TP
\fB\-\-read\-dg10\fR
Read DG 10 (Nationality) (default=off)
.TP
\fB\-\-read\-dg11\fR
Read DG 11 (Sex) (default=off)
.TP
\fB\-\-read\-dg12\fR
Read DG 12 (Optional Data) (default=off)
.TP
\fB\-\-read\-dg13\fR
Read DG 13 (Birth Name) (default=off)
.TP
\fB\-\-read\-dg14\fR
Read DG 14 (default=off)
.TP
\fB\-\-read\-dg15\fR
Read DG 15 (default=off)
.TP
\fB\-\-read\-dg16\fR
Read DG 16 (default=off)
.TP
\fB\-\-read\-dg17\fR
Read DG 17 (Normal Place of Residence)
(default=off)
.TP
\fB\-\-read\-dg18\fR
Read DG 18 (Community ID) (default=off)
.TP
\fB\-\-read\-dg19\fR
Read DG 19 (Residence Permit I) (default=off)
.TP
\fB\-\-read\-dg20\fR
Read DG 20 (Residence Permit II)
(default=off)
.TP
\fB\-\-read\-dg21\fR
Read DG 21 (Optional Data) (default=off)
.TP
\fB\-\-write\-dg17\fR=\fI\,HEX_STRING\/\fR
Write DG 17 (Normal Place of Residence)
.TP
\fB\-\-write\-dg18\fR=\fI\,HEX_STRING\/\fR
Write DG 18 (Community ID)
.TP
\fB\-\-write\-dg19\fR=\fI\,HEX_STRING\/\fR
Write DG 19 (Residence Permit I)
.TP
\fB\-\-write\-dg20\fR=\fI\,HEX_STRING\/\fR
Write DG 20 (Residence Permit II)
.TP
\fB\-\-write\-dg21\fR=\fI\,HEX_STRING\/\fR
Write DG 21 (Optional Data)
.SS "Verification of validity, age and community ID:"
.TP
\fB\-\-verify\-validity\fR=\fI\,YYYYMMDD\/\fR
Verify chip's validity with a reference date
.TP
\fB\-\-older\-than\fR=\fI\,YYYYMMDD\/\fR
Verify age with a reference date
.TP
\fB\-\-verify\-community\fR=\fI\,HEX_STRING\/\fR
Verify community ID with a reference ID
.SS "Special options, not always useful:"
.TP
\fB\-b\fR, \fB\-\-break\fR
Brute force PIN, CAN or PUK. Use together with
\fB\-p\fR, \fB\-a\fR or \fB\-u\fR (default=off)
.TP
\fB\-t\fR, \fB\-\-translate\fR=\fI\,FILENAME\/\fR
File with APDUs of HEX_STRINGs to send through
the secure channel (default=`stdin')
.TP
\fB\-\-tr\-03110v201\fR
Force compliance to BSI TR\-03110 version 2.01
(default=off)
.TP
\fB\-\-disable\-all\-checks\fR
Disable all checking of fly\-by\-data
(default=off)
.SH AUTHOR
Written by Frank Morgner <frankmorgner@gmail.com>
.SH "REPORTING BUGS"
Report bugs to opensc\-devel@lists.sourceforge.net

897
src/tools/npa-tool.c Normal file
View File

@ -0,0 +1,897 @@
/*
* Copyright (C) 2010-2012 Frank Morgner <frankmorgner@gmail.com>
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#ifdef ENABLE_OPENPACE
#include "npa-tool-cmdline.h"
#include "fread_to_eof.h"
#include "sm/sslutil.h"
#include "sm/sm-eac.h"
#include <eac/pace.h>
#include <libopensc/log.h>
#include <libopensc/opensc.h>
#include <libopensc/sm.h>
#include <sm/sm-eac.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#else
/* only implement what we are using in this file */
struct timeval {
unsigned int tv_sec;
unsigned int tv_usec;
};
int gettimeofday(struct timeval *tv, struct timezone *tz)
{
#ifdef _WIN32
SYSTEMTIME st;
GetLocalTime(&st);
if (!tv)
return -1;
tv->tv_sec = st.wSecond;
tv->tv_usec = st.wMilliseconds*1000;
#else
tv->tv_sec = 0;
tv->tv_usec = 0;
#endif
return 0;
}
#endif
#ifndef HAVE_GETLINE
static int getline(char **lineptr, size_t *n, FILE *stream)
{
char *p;
if (!lineptr)
return -1;
p = realloc(*lineptr, SC_MAX_EXT_APDU_BUFFER_SIZE*3);
if (!p)
return -1;
*lineptr = p;
if (fgets(p, SC_MAX_EXT_APDU_BUFFER_SIZE*3, stream) == NULL)
return -1;
return strlen(p);
}
#endif
/**
* @brief Print binary data to a file stream
*
* @param[in] file File for printing
* @param[in] label Label to prepend to the buffer
* @param[in] data Binary data
* @param[in] len Length of \a data
*/
#define bin_print(file, label, data, len) { \
fprintf(file, "%s (%u byte%s)%s%s\n", \
label, (unsigned int) len, len==1?"":"s", len==0?"":":\n", sc_dump_hex(data, len)); \
}
static int initialize(int reader_id, int verbose,
sc_context_t **ctx, sc_reader_t **reader)
{
unsigned int i, reader_count;
int r;
if (!ctx || !reader)
return SC_ERROR_INVALID_ARGUMENTS;
r = sc_establish_context(ctx, "");
if (r < 0 || !*ctx) {
fprintf(stderr, "Failed to create initial context: %s", sc_strerror(r));
return r;
}
(*ctx)->debug = verbose;
(*ctx)->flags |= SC_CTX_FLAG_ENABLE_DEFAULT_DRIVER;
reader_count = sc_ctx_get_reader_count(*ctx);
if (reader_count == 0) {
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "No reader not found.\n");
return SC_ERROR_NO_READERS_FOUND;
}
if (reader_id < 0) {
/* Automatically try to skip to a reader with a card if reader not specified */
for (i = 0; i < reader_count; i++) {
*reader = sc_ctx_get_reader(*ctx, i);
if (sc_detect_card_presence(*reader) & SC_READER_CARD_PRESENT) {
reader_id = i;
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "Using the first reader"
" with a card: %s", (*reader)->name);
break;
}
}
if ((unsigned int) reader_id >= reader_count) {
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "No card found, using the first reader.");
reader_id = 0;
}
}
if ((unsigned int) reader_id >= reader_count) {
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "Invalid reader number "
"(%d), only %d available.\n", reader_id, reader_count);
return SC_ERROR_NO_READERS_FOUND;
}
*reader = sc_ctx_get_reader(*ctx, reader_id);
return SC_SUCCESS;
}
static void read_dg(sc_card_t *card, unsigned char sfid, const char *dg_str,
unsigned char **dg, size_t *dg_len)
{
int r = iso7816_read_binary_sfid(card, sfid, dg, dg_len);
if (r < 0)
fprintf(stderr, "Coult not read DG %02u %s (%s)\n",
sfid, dg_str, sc_strerror(r));
else {
char buf[0x200];
sc_hex_dump(NULL, 0, *dg, *dg_len, buf, sizeof buf);
fprintf(stdout, "Read %s", buf);
}
}
static void write_dg(sc_card_t *card, unsigned char sfid, const char *dg_str,
const char *dg_hex)
{
unsigned char dg[0xff];
size_t dg_len = sizeof dg;
int r;
r = sc_hex_to_bin(dg_hex, dg, &dg_len);
if (r < 0) {
fprintf(stderr, "Could not parse DG %02u %s (%s)\n",
sfid, dg_str, sc_strerror(r));
} else {
r = iso7816_write_binary_sfid(card, sfid, dg, dg_len);
if (r < 0)
fprintf(stderr, "Could not write DG %02u %s (%s)\n",
sfid, dg_str, sc_strerror(r));
else
printf("Wrote DG %02u %s\n", sfid, dg_str);
}
}
#define ISO_VERIFY 0x20
static void verify(sc_card_t *card, const char *verify_str,
unsigned char *data, size_t data_len)
{
sc_apdu_t apdu;
int r;
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, ISO_VERIFY, 0x80, 0);
apdu.cla = 0x80;
apdu.data = data;
apdu.datalen = data_len;
apdu.lc = data_len;
r = sc_transmit_apdu(card, &apdu);
if (r < 0)
fprintf(stderr, "Coult not verify %s (%s)\n",
verify_str, sc_strerror(r));
else
printf("Verified %s\n", verify_str);
}
int npa_translate_apdus(sc_card_t *card, FILE *input)
{
u8 buf[4 + 3 + 0xffff + 3];
char *read = NULL;
size_t readlen = 0, apdulen;
sc_apdu_t apdu;
int linelen;
int r;
memset(&apdu, 0, sizeof apdu);
while (1) {
if (input == stdin)
printf("Enter unencrypted C-APDU (empty line to exit)\n");
linelen = getline(&read, &readlen, input);
if (linelen <= 1) {
if (linelen < 0) {
r = SC_ERROR_INTERNAL;
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
"Could not read line");
} else {
r = SC_SUCCESS;
printf("Thanks for flying with ccid\n");
}
break;
}
read[linelen - 1] = 0;
apdulen = sizeof buf;
if (sc_hex_to_bin(read, buf, &apdulen) < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
"Could not format binary string");
continue;
}
if (input != stdin)
bin_print(stdout, "Unencrypted C-APDU", buf, apdulen);
r = sc_bytes2apdu(card->ctx, buf, apdulen, &apdu);
if (r < 0) {
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Invalid C-APDU", buf, apdulen);
continue;
}
apdu.resp = buf;
apdu.resplen = sizeof buf;
r = sc_transmit_apdu(card, &apdu);
if (r < 0) {
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
"Could not send C-APDU: %s", sc_strerror(r));
continue;
}
printf("Decrypted R-APDU sw1=%02x sw2=%02x\n", apdu.sw1, apdu.sw2);
bin_print(stdout, "Decrypted R-APDU response data", apdu.resp, apdu.resplen);
printf("======================================================================\n");
}
if (read)
free(read);
return r;
}
static int add_to_ASN1_AUXILIARY_DATA(
ASN1_AUXILIARY_DATA **auxiliary_data,
int nid, const unsigned char *data, size_t data_len)
{
int r;
CVC_DISCRETIONARY_DATA_TEMPLATE *template = NULL;
if (!auxiliary_data) {
r = SC_ERROR_INVALID_ARGUMENTS;
goto err;
}
if (!*auxiliary_data) {
*auxiliary_data = ASN1_AUXILIARY_DATA_new();
if (!*auxiliary_data) {
r = SC_ERROR_INTERNAL;
goto err;
}
}
template = CVC_DISCRETIONARY_DATA_TEMPLATE_new();
if (!template) {
r = SC_ERROR_INTERNAL;
goto err;
}
template->type = OBJ_nid2obj(nid);
if (!template->type) {
r = SC_ERROR_INTERNAL;
goto err;
}
if (data && data_len) {
template->discretionary_data3 = ASN1_OCTET_STRING_new();
if (!template->discretionary_data3
|| !M_ASN1_OCTET_STRING_set(
template->discretionary_data3, data, data_len)) {
r = SC_ERROR_INTERNAL;
goto err;
}
}
if (!sk_push((_STACK*) (*auxiliary_data), template)) {
r = SC_ERROR_INTERNAL;
goto err;
}
r = SC_SUCCESS;
err:
return r;
}
int
main (int argc, char **argv)
{
const char *newpin = NULL;
const char *pin = NULL;
const char *puk = NULL;
const char *can = NULL;
const char *mrz = NULL;
unsigned char chat[0xff];
unsigned char desc[0xffff];
unsigned char **certs = NULL;
size_t *certs_lens = NULL;
unsigned char *privkey = NULL;
size_t privkey_len = 0;
unsigned char auxiliary_data[0xff];
size_t auxiliary_data_len = 0;
unsigned char community_id[0xf];
size_t community_id_len = 0;
sc_context_t *ctx = NULL;
sc_card_t *card = NULL;
sc_reader_t *reader;
int r, tr_version = EAC_TR_VERSION_2_02;
struct establish_pace_channel_input pace_input;
struct establish_pace_channel_output pace_output;
struct timeval tv;
size_t i;
FILE *input = NULL;
CVC_CERT *cvc_cert = NULL;
unsigned char *certs_chat = NULL;
unsigned char *dg = NULL;
size_t dg_len = 0;
ASN1_AUXILIARY_DATA *templates = NULL;
unsigned char *ef_cardsecurity = NULL;
size_t ef_cardsecurity_len = 0;
struct gengetopt_args_info cmdline;
memset(&pace_input, 0, sizeof pace_input);
memset(&pace_output, 0, sizeof pace_output);
/* Parse command line */
if (cmdline_parser (argc, argv, &cmdline) != 0)
exit(1);
if (cmdline.env_flag) {
can = getenv("CAN");
mrz = getenv("MRZ");
pin = getenv("PIN");
puk = getenv("PUK");
newpin = getenv("NEWPIN");
}
can = cmdline.can_arg;
mrz = cmdline.mrz_arg;
pin = cmdline.pin_arg;
puk = cmdline.puk_arg;
newpin = cmdline.new_pin_arg;
if (cmdline.chat_given) {
pace_input.chat = chat;
pace_input.chat_length = sizeof chat;
if (sc_hex_to_bin(cmdline.chat_arg, (u8 *) pace_input.chat,
&pace_input.chat_length) < 0) {
fprintf(stderr, "Could not parse CHAT.\n");
exit(2);
}
}
if (cmdline.cert_desc_given) {
pace_input.certificate_description = desc;
pace_input.certificate_description_length = sizeof desc;
if (sc_hex_to_bin(cmdline.cert_desc_arg,
(u8 *) pace_input.certificate_description,
&pace_input.certificate_description_length) < 0) {
fprintf(stderr, "Could not parse certificate description.\n");
exit(2);
}
}
if (cmdline.tr_03110v201_flag)
tr_version = EAC_TR_VERSION_2_01;
if (cmdline.disable_all_checks_flag)
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_ALL;
if (cmdline.disable_ta_checks_flag)
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_TA;
if (cmdline.disable_ca_checks_flag)
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_CA;
r = initialize(cmdline.reader_arg, cmdline.verbose_given, &ctx, &reader);
if (r < 0) {
fprintf(stderr, "Can't initialize reader\n");
exit(1);
}
if (sc_connect_card(reader, &card) < 0) {
fprintf(stderr, "Could not connect to card\n");
sc_release_context(ctx);
exit(1);
}
EAC_init();
if (cmdline.cvc_dir_given)
EAC_set_cvc_default_dir(cmdline.cvc_dir_arg);
if (cmdline.x509_dir_given)
EAC_set_x509_default_dir(cmdline.cvc_dir_arg);
if (cmdline.break_flag) {
/* The biggest number sprintf could write with "%llu is 18446744073709551615 */
char secretbuf[21];
unsigned long long secret = 0;
unsigned long long maxsecret = 0;
if (cmdline.pin_given) {
pace_input.pin_id = PACE_PIN;
pace_input.pin_length = 6;
maxsecret = 999999;
if (pin) {
if (sscanf(pin, "%llu", &secret) != 1) {
fprintf(stderr, "%s is not an unsigned long long.\n",
npa_secret_name(pace_input.pin_id));
exit(2);
}
if (strlen(pin) > pace_input.pin_length) {
fprintf(stderr, "%s too big, only %u digits allowed.\n",
npa_secret_name(pace_input.pin_id),
(unsigned int) pace_input.pin_length);
exit(2);
}
}
} else if (cmdline.can_given) {
pace_input.pin_id = PACE_CAN;
pace_input.pin_length = 6;
maxsecret = 999999;
if (can) {
if (sscanf(can, "%llu", &secret) != 1) {
fprintf(stderr, "%s is not an unsigned long long.\n",
npa_secret_name(pace_input.pin_id));
exit(2);
}
if (strlen(can) > pace_input.pin_length) {
fprintf(stderr, "%s too big, only %u digits allowed.\n",
npa_secret_name(pace_input.pin_id),
(unsigned int) pace_input.pin_length);
exit(2);
}
}
} else if (cmdline.puk_given) {
pace_input.pin_id = PACE_PUK;
pace_input.pin_length = 10;
maxsecret = 9999999999LLU;
if (puk) {
if (sscanf(puk, "%llu", &secret) != 1) {
fprintf(stderr, "%s is not an unsigned long long.\n",
npa_secret_name(pace_input.pin_id));
exit(2);
}
if (strlen(puk) > pace_input.pin_length) {
fprintf(stderr, "%s too big, only %u digits allowed.\n",
npa_secret_name(pace_input.pin_id),
(unsigned int) pace_input.pin_length);
exit(2);
}
}
} else {
fprintf(stderr, "Please specify whether to do PACE with "
"PIN, CAN or PUK.\n");
exit(1);
}
pace_input.pin = (unsigned char *) secretbuf;
do {
sprintf(secretbuf, "%0*llu", (unsigned int) pace_input.pin_length, secret);
gettimeofday(&tv, NULL);
printf("%u,%06u: Trying %s=%s\n",
(unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
npa_secret_name(pace_input.pin_id), pace_input.pin);
r = perform_pace(card, pace_input, &pace_output, tr_version);
secret++;
} while (0 > r && secret <= maxsecret);
gettimeofday(&tv, NULL);
if (0 > r) {
printf("%u,%06u: Tried breaking %s without success.\n",
(unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
npa_secret_name(pace_input.pin_id));
goto err;
} else {
printf("%u,%06u: Tried breaking %s with success (=%s).\n",
(unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
npa_secret_name(pace_input.pin_id),
pace_input.pin);
}
}
if (cmdline.resume_flag) {
pace_input.pin_id = PACE_CAN;
if (can) {
pace_input.pin = (unsigned char *) can;
pace_input.pin_length = strlen(can);
} else {
pace_input.pin = NULL;
pace_input.pin_length = 0;
}
r = perform_pace(card, pace_input, &pace_output, tr_version);
if (r < 0)
goto err;
printf("Established PACE channel with CAN.\n");
pace_input.pin_id = PACE_PIN;
if (pin) {
pace_input.pin = (unsigned char *) pin;
pace_input.pin_length = strlen(pin);
} else {
pace_input.pin = NULL;
pace_input.pin_length = 0;
}
r = perform_pace(card, pace_input, &pace_output, tr_version);
if (r < 0)
goto err;
printf("Established PACE channel with PIN. PIN resumed.\n");
}
if (cmdline.unblock_flag) {
pace_input.pin_id = PACE_PUK;
if (puk) {
pace_input.pin = (unsigned char *) puk;
pace_input.pin_length = strlen(puk);
} else {
pace_input.pin = NULL;
pace_input.pin_length = 0;
}
r = perform_pace(card, pace_input, &pace_output, tr_version);
if (r < 0)
goto err;
printf("Established PACE channel with PUK.\n");
r = npa_unblock_pin(card);
if (r < 0)
goto err;
printf("Unblocked PIN.\n");
}
if (cmdline.new_pin_given) {
pace_input.pin_id = PACE_PIN;
if (pin) {
pace_input.pin = (unsigned char *) pin;
pace_input.pin_length = strlen(pin);
} else {
pace_input.pin = NULL;
pace_input.pin_length = 0;
}
r = perform_pace(card, pace_input, &pace_output, tr_version);
if (r < 0)
goto err;
printf("Established PACE channel with PIN.\n");
r = npa_change_pin(card, newpin, newpin ? strlen(newpin) : 0);
if (r < 0)
goto err;
printf("Changed PIN.\n");
}
if (cmdline.translate_given
|| (!cmdline.resume_flag && !cmdline.new_pin_given
&& !cmdline.unblock_flag && !cmdline.break_given)) {
if (cmdline.cv_certificate_given || cmdline.private_key_given
|| cmdline.auxiliary_data_given) {
if (!cmdline.cv_certificate_given || !cmdline.private_key_given) {
fprintf(stderr, "Need at least the terminal's certificate "
"and its private key to perform terminal authentication.\n");
exit(1);
}
certs = calloc(sizeof *certs, cmdline.cv_certificate_given + 1);
certs_lens = calloc(sizeof *certs_lens,
cmdline.cv_certificate_given + 1);
if (!certs || !certs_lens) {
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
for (i = 0; i < cmdline.cv_certificate_given; i++) {
if (!fread_to_eof(cmdline.cv_certificate_arg[i],
(unsigned char **) &certs[i], &certs_lens[i])) {
fprintf(stderr, "Could not read certificate.\n");
r = SC_ERROR_INVALID_DATA;
goto err;
}
}
if (!pace_input.chat_length) {
const unsigned char *p = certs[cmdline.cv_certificate_given-1];
if (!CVC_d2i_CVC_CERT(&cvc_cert, &p, certs_lens[cmdline.cv_certificate_given-1])
|| !cvc_cert || !cvc_cert->body
|| !cvc_cert->body->certificate_authority_reference
|| !cvc_cert->body->chat) {
fprintf(stderr, "Could not parse certificate.\n");
ssl_error(ctx);
r = SC_ERROR_INVALID_DATA;
goto err;
}
pace_input.chat_length = i2d_CVC_CHAT(cvc_cert->body->chat, &certs_chat);
if (0 >= (int) pace_input.chat_length) {
fprintf(stderr, "Could not parse CHAT.\n");
r = SC_ERROR_INVALID_DATA;
ssl_error(ctx);
goto err;
}
pace_input.chat = certs_chat;
}
if (!fread_to_eof(cmdline.private_key_arg,
&privkey, &privkey_len)) {
fprintf(stderr, "Could not parse private key.\n");
r = SC_ERROR_INVALID_DATA;
goto err;
}
if (cmdline.auxiliary_data_given) {
auxiliary_data_len = sizeof auxiliary_data;
if (sc_hex_to_bin(cmdline.auxiliary_data_arg, auxiliary_data,
&auxiliary_data_len) < 0) {
fprintf(stderr, "Could not parse auxiliary data.\n");
r = SC_ERROR_INVALID_DATA;
goto err;
}
} else {
if (cmdline.older_than_given) {
r = add_to_ASN1_AUXILIARY_DATA(&templates,
NID_id_DateOfBirth,
(unsigned char *) cmdline.older_than_arg,
strlen(cmdline.older_than_arg));
if (r < 0)
goto err;
}
if (cmdline.verify_validity_given) {
r = add_to_ASN1_AUXILIARY_DATA(&templates,
NID_id_DateOfExpiry,
(unsigned char *) cmdline.verify_validity_arg,
strlen(cmdline.verify_validity_arg));
if (r < 0)
goto err;
}
if (cmdline.verify_community_given) {
community_id_len = sizeof community_id;
if (sc_hex_to_bin(cmdline.verify_community_arg, community_id,
&community_id_len) < 0) {
fprintf(stderr, "Could not parse community ID.\n");
exit(2);
}
r = add_to_ASN1_AUXILIARY_DATA(&templates,
NID_id_CommunityID,
community_id, community_id_len);
if (r < 0)
goto err;
}
if (templates) {
unsigned char *p = NULL;
auxiliary_data_len = i2d_ASN1_AUXILIARY_DATA(
templates, &p);
if (0 > (int) auxiliary_data_len
|| auxiliary_data_len > sizeof auxiliary_data) {
free(p);
fprintf(stderr, "Auxiliary data too big.\n");
r = SC_ERROR_OUT_OF_MEMORY;
goto err;
}
memcpy(auxiliary_data, p, auxiliary_data_len);
free(p);
}
}
}
pace_input.pin = NULL;
pace_input.pin_length = 0;
if (cmdline.pin_given) {
pace_input.pin_id = PACE_PIN;
if (pin) {
pace_input.pin = (unsigned char *) pin;
pace_input.pin_length = strlen(pin);
}
} else if (cmdline.can_given) {
pace_input.pin_id = PACE_CAN;
if (can) {
pace_input.pin = (unsigned char *) can;
pace_input.pin_length = strlen(can);
}
} else if (cmdline.mrz_given) {
pace_input.pin_id = PACE_MRZ;
if (mrz) {
pace_input.pin = (unsigned char *) mrz;
pace_input.pin_length = strlen(mrz);
}
} else if (cmdline.puk_given) {
pace_input.pin_id = PACE_PUK;
if (puk) {
pace_input.pin = (unsigned char *) puk;
pace_input.pin_length = strlen(puk);
}
} else {
fprintf(stderr, "Skipping PIN verification\n");
goto nopace;
}
r = perform_pace(card, pace_input, &pace_output, tr_version);
if (r < 0)
goto err;
printf("Established PACE channel with %s.\n",
npa_secret_name(pace_input.pin_id));
nopace:
if (cmdline.cv_certificate_given || cmdline.private_key_given) {
unsigned char eid_aid[] = { 0xE8, 0x07, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x02};
sc_path_t path;
r = perform_terminal_authentication(card,
(const unsigned char **) certs, certs_lens,
privkey, privkey_len, auxiliary_data, auxiliary_data_len);
if (r < 0)
goto err;
printf("Performed Terminal Authentication.\n");
r = perform_chip_authentication(card, &ef_cardsecurity, &ef_cardsecurity_len);
if (r < 0)
goto err;
printf("Performed Chip Authentication.\n");
sc_path_set(&path, SC_PATH_TYPE_DF_NAME, eid_aid, sizeof eid_aid, 0, 0);
r = sc_select_file(card, &path, NULL);
if (r < 0)
goto err;
printf("Selected eID application.\n");
}
if (cmdline.read_dg1_flag)
read_dg(card, 1, "Document Type", &dg, &dg_len);
if (cmdline.read_dg2_flag)
read_dg(card, 2, "Issuing State", &dg, &dg_len);
if (cmdline.read_dg3_flag)
read_dg(card, 3, "Date of Expiry", &dg, &dg_len);
if (cmdline.read_dg4_flag)
read_dg(card, 4, "Given Names", &dg, &dg_len);
if (cmdline.read_dg5_flag)
read_dg(card, 5, "Family Names", &dg, &dg_len);
if (cmdline.read_dg6_flag)
read_dg(card, 6, "Religious/Artistic Name", &dg, &dg_len);
if (cmdline.read_dg7_flag)
read_dg(card, 7, "Academic Title", &dg, &dg_len);
if (cmdline.read_dg8_flag)
read_dg(card, 8, "Date of Birth", &dg, &dg_len);
if (cmdline.read_dg9_flag)
read_dg(card, 9, "Place of Birth", &dg, &dg_len);
if (cmdline.read_dg10_flag)
read_dg(card, 10, "Nationality", &dg, &dg_len);
if (cmdline.read_dg11_flag)
read_dg(card, 11, "Sex", &dg, &dg_len);
if (cmdline.read_dg12_flag)
read_dg(card, 12, "Optional Data", &dg, &dg_len);
if (cmdline.read_dg13_flag)
read_dg(card, 13, "Birth Name", &dg, &dg_len);
if (cmdline.read_dg14_flag)
read_dg(card, 14, "DG 14", &dg, &dg_len);
if (cmdline.read_dg15_flag)
read_dg(card, 15, "DG 15", &dg, &dg_len);
if (cmdline.read_dg16_flag)
read_dg(card, 16, "DG 16", &dg, &dg_len);
if (cmdline.read_dg17_flag)
read_dg(card, 17, "Normal Place of Residence", &dg, &dg_len);
if (cmdline.read_dg18_flag)
read_dg(card, 18, "Community ID", &dg, &dg_len);
if (cmdline.read_dg19_flag)
read_dg(card, 19, "Residence Permit I", &dg, &dg_len);
if (cmdline.read_dg20_flag)
read_dg(card, 20, "Residence Permit II", &dg, &dg_len);
if (cmdline.read_dg21_flag)
read_dg(card, 21, "Optional Data", &dg, &dg_len);
if (cmdline.write_dg17_given)
write_dg(card, 17, "Normal Place of Residence", cmdline.write_dg17_arg);
if (cmdline.write_dg18_given)
write_dg(card, 18, "Community ID", cmdline.write_dg18_arg);
if (cmdline.write_dg19_given)
write_dg(card, 19, "Residence Permit I", cmdline.write_dg19_arg);
if (cmdline.write_dg20_given)
write_dg(card, 20, "Residence Permit II", cmdline.write_dg20_arg);
if (cmdline.write_dg21_given)
write_dg(card, 21, "Optional Data", cmdline.write_dg21_arg);
if (cmdline.older_than_given) {
unsigned char id_DateOfBirth[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 1};
verify(card, "age", id_DateOfBirth, sizeof id_DateOfBirth);
}
if (cmdline.verify_validity_given) {
unsigned char id_DateOfExpiry[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 2};
verify(card, "validity", id_DateOfExpiry, sizeof id_DateOfExpiry);
}
if (cmdline.verify_community_given) {
unsigned char id_CommunityID[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 3};
verify(card, "community ID", id_CommunityID, sizeof id_CommunityID);
}
if (cmdline.translate_given) {
if (strncmp(cmdline.translate_arg, "stdin", strlen("stdin")) == 0)
input = stdin;
else {
input = fopen(cmdline.translate_arg, "r");
if (!input) {
perror("Opening file with APDUs");
r = SC_ERROR_INVALID_DATA;
goto err;
}
}
r = npa_translate_apdus(card, input);
if (r < 0)
goto err;
fclose(input);
input = NULL;
}
}
err:
cmdline_parser_free(&cmdline);
free(pace_output.ef_cardaccess);
free(pace_output.recent_car);
free(pace_output.previous_car);
free(pace_output.id_icc);
free(pace_output.id_pcd);
if (ef_cardsecurity) {
OPENSSL_cleanse(ef_cardsecurity, ef_cardsecurity_len);
free(ef_cardsecurity);
}
if (input)
fclose(input);
if (certs) {
i = 0;
while (certs[i]) {
free((unsigned char *) certs[i]);
i++;
}
free(certs);
}
free(certs_lens);
free(certs_chat);
if (cvc_cert)
CVC_CERT_free(cvc_cert);
free(privkey);
free(dg);
if (templates)
ASN1_AUXILIARY_DATA_free(templates);
sc_sm_stop(card);
sc_reset(card, 1);
sc_disconnect_card(card);
sc_release_context(ctx);
EAC_cleanup();
if (r < 0)
fprintf(stderr, "Error: %s\n", sc_strerror(r));
return -r;
}
#else
int
main (int argc, char **argv)
{
return 1;
}
#endif

225
src/tools/npa-tool.ggo.in Normal file
View File

@ -0,0 +1,225 @@
package "npa-tool"
purpose "@PACKAGE_SUMMARY@"
option "reader" r
"Number of the PC/SC reader to use (-1 for autodetect)"
int
default="-1"
optional
option "verbose" v
"Use (several times) to be more verbose"
multiple
optional
section "Password Authenticated Connection Establishment (PACE)"
option "pin" p
"Run PACE with (transport) eID-PIN"
string
argoptional
optional
option "puk" u
"Run PACE with PUK"
string
argoptional
optional
option "can" c
"Run PACE with CAN"
string
argoptional
optional
option "mrz" m
"Run PACE with MRZ (insert MRZ without newlines)"
string
argoptional
optional
option "env" -
"Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this."
flag off
section "PIN management"
option "new-pin" N
"Install a new PIN"
string
argoptional
optional
option "resume" R
"Resume eID-PIN (uses CAN to activate last retry)"
flag off
option "unblock" U
"Unblock PIN (uses PUK to activate three more retries)"
flag off
section "Terminal Authentication (TA) and Chip Authentication (CA)"
option "cv-certificate" C
"Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important)."
string
typestr="FILENAME"
optional
multiple
option "cert-desc" -
"Certificate description to show for Terminal Authentication"
string
typestr="HEX_STRING"
optional
option "chat" -
"Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser)."
string
typestr="HEX_STRING"
optional
option "auxiliary-data" A
"Terminal's auxiliary data (default is determined by verification of validity, age and community ID)."
string
typestr="HEX_STRING"
optional
option "private-key" P
"Terminal's private key"
string
typestr="FILENAME"
optional
option "cvc-dir" -
"Where to look for the CVCA's certificate"
string
typestr="DIRECTORY"
default="@CVCDIR@"
optional
option "x509-dir" -
"Where to look for the CSCA's certificate"
string
typestr="DIRECTORY"
default="@X509DIR@"
optional
option "disable-ta-checks" -
"Disable checking the validity period of CV certifcates"
flag off
option "disable-ca-checks" -
"Disable passive authentication"
flag off
section "Read and write data groups"
option "read-dg1" -
"Read DG 1 (Document Type)"
flag off
option "read-dg2" -
"Read DG 2 (Issuing State)"
flag off
option "read-dg3" -
"Read DG 3 (Date of Expiry)"
flag off
option "read-dg4" -
"Read DG 4 (Given Names)"
flag off
option "read-dg5" -
"Read DG 5 (Family Names)"
flag off
option "read-dg6" -
"Read DG 6 (Religious/Artistic Name)"
flag off
option "read-dg7" -
"Read DG 7 (Academic Title)"
flag off
option "read-dg8" -
"Read DG 8 (Date of Birth)"
flag off
option "read-dg9" -
"Read DG 9 (Place of Birth)"
flag off
option "read-dg10" -
"Read DG 10 (Nationality)"
flag off
option "read-dg11" -
"Read DG 11 (Sex)"
flag off
option "read-dg12" -
"Read DG 12 (Optional Data)"
flag off
option "read-dg13" -
"Read DG 13 (Birth Name)"
flag off
option "read-dg14" -
"Read DG 14"
flag off
option "read-dg15" -
"Read DG 15"
flag off
option "read-dg16" -
"Read DG 16"
flag off
option "read-dg17" -
"Read DG 17 (Normal Place of Residence)"
flag off
option "read-dg18" -
"Read DG 18 (Community ID)"
flag off
option "read-dg19" -
"Read DG 19 (Residence Permit I)"
flag off
option "read-dg20" -
"Read DG 20 (Residence Permit II)"
flag off
option "read-dg21" -
"Read DG 21 (Optional Data)"
flag off
option "write-dg17" -
"Write DG 17 (Normal Place of Residence)"
string
typestr="HEX_STRING"
optional
option "write-dg18" -
"Write DG 18 (Community ID)"
string
typestr="HEX_STRING"
optional
option "write-dg19" -
"Write DG 19 (Residence Permit I)"
string
typestr="HEX_STRING"
optional
option "write-dg20" -
"Write DG 20 (Residence Permit II)"
string
typestr="HEX_STRING"
optional
option "write-dg21" -
"Write DG 21 (Optional Data)"
string
typestr="HEX_STRING"
optional
section "Verification of validity, age and community ID"
option "verify-validity" -
"Verify chip's validity with a reference date"
string
typestr="YYYYMMDD"
optional
option "older-than" -
"Verify age with a reference date"
string
typestr="YYYYMMDD"
optional
option "verify-community" -
"Verify community ID with a reference ID"
string
typestr="HEX_STRING"
optional
section "Special options, not always useful"
option "break" b
"Brute force PIN, CAN or PUK. Use together with -p, -a or -u"
flag off
option "translate" t
"File with APDUs of HEX_STRINGs to send through the secure channel"
string
typestr="FILENAME"
default="stdin"
optional
option "tr-03110v201" -
"Force compliance to BSI TR-03110 version 2.01"
flag off
option "disable-all-checks" -
"Disable all checking of fly-by-data"
flag off
text "
Report bugs to @PACKAGE_BUGREPORT@
Written by Frank Morgner <frankmorgner@gmail.com>"

146
src/tools/sceac-example.c Normal file
View File

@ -0,0 +1,146 @@
/*
* Copyright (C) 2011 Frank Morgner
*
* This file is part of OpenSC.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/* This example shows how to use the library functions perform_pace to
* get a secure channel to the nPA. We use the builtin function npa_change_pin
* to modify the PIN using the secure channel. Then we transmit an arbitrary
* APDU encrypted and authenticated to the card using sm_transmit_apdu. */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#ifdef ENABLE_OPENPACE
#include "libopensc/sm.h"
#include "sm/sm-iso.h"
#include "sm/sm-eac.h"
#include <string.h>
static const char *newpin = NULL;
static const char *pin = NULL;
/* SELECT the Master File (MF) */
const unsigned char apdubuf[] = {0x00, 0xA4, 0x00, 0x0C, 0x02, 0x3F, 0x00};
int
main (int argc, char **argv)
{
/* Set up the environment */
int r;
sc_context_t *ctx = NULL;
sc_card_t *card = NULL;
sc_reader_t *reader = NULL;
sc_apdu_t apdu;
u8 buf[0xffff];
struct establish_pace_channel_input pace_input;
struct establish_pace_channel_output pace_output;
memset(&pace_input, 0, sizeof pace_input);
memset(&pace_output, 0, sizeof pace_output);
/* Connect to a reader */
r = sc_establish_context(&ctx, "example");
if (r < 0 || !ctx) {
fprintf(stderr, "Failed to create initial context: %s", sc_strerror(r));
exit(1);
}
reader = sc_ctx_get_reader(ctx, 0);
if (!reader) {
fprintf(stderr, "Failed to access reader 0");
exit(1);
}
/* Connect to a nPA */
ctx->flags |= SC_CTX_FLAG_ENABLE_DEFAULT_DRIVER;
if (sc_connect_card(reader, &card) < 0) {
fprintf(stderr, "Could not connect to card\n");
sc_release_context(ctx);
exit(1);
}
/* initialize OpenPACE */
EAC_init();
/* Now we try to change the PIN. Therefor we need to establish a SM channel
* with PACE.
*
* You could set your PIN with pin=123456; or just leave it at NULL to be
* asked for it. The same applies to the new PIN newpin. */
pace_input.pin_id = PACE_PIN;
pace_input.pin = (unsigned char *) pin;
pace_input.pin_length = pin ? strlen(pin) : 0;
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
if (r < 0)
goto err;
printf("Established PACE channel with PIN.\n");
r = npa_change_pin(card, newpin, newpin ? strlen(newpin) : 0);
if (r < 0)
goto err;
printf("Changed PIN.\n");
/* Now we want to transmit additional APDUs in the established SM channel.
*
* Here we are parsing the raw apdu buffer apdubuf to be transformed into
* an sc_apdu_t. Alternatively you could also set CLA, INS, P1, P2, ... by
* hand in the sc_apdu_t object. */
r = sc_bytes2apdu(ctx, apdubuf, sizeof apdubuf, &apdu);
if (r < 0)
goto err;
/* write the response data to buf */
apdu.resp = buf;
apdu.resplen = sizeof buf;
/* Transmit the APDU with SM */
r = sc_transmit_apdu(card, &apdu);
err:
fprintf(r < 0 ? stderr : stdout, "%s\n", sc_strerror(r));
/* Free up memory and wipe it if necessary (e.g. for keys stored in sm_ctx) */
free(pace_output.ef_cardaccess);
free(pace_output.recent_car);
free(pace_output.previous_car);
free(pace_output.id_icc);
free(pace_output.id_pcd);
sc_sm_stop(card);
sc_reset(card, 1);
sc_disconnect_card(card);
sc_release_context(ctx);
EAC_cleanup();
return -r;
}
#else
int
main (int argc, char **argv)
{
return 1;
}
#endif

21
win32/Make.rules.mak
View File

@ -48,7 +48,7 @@ OPENSSL_LIB = $(OPENSSL_DIR)\lib\VC\$(OPENSSL_STATIC_DIR)\libeay32MT.lib user32.
!ENDIF
PROGRAMS_OPENSSL = cryptoflex-tool.exe pkcs15-init.exe netkey-tool.exe piv-tool.exe \
westcos-tool.exe sc-hsm-tool.exe dnie-tool.exe gids-tool.exe
westcos-tool.exe sc-hsm-tool.exe dnie-tool.exe gids-tool.exe npa-tool.exe
OPENSC_FEATURES = $(OPENSC_FEATURES) openssl
CANDLEFLAGS = -dOpenSSL="$(OPENSSL_DIR)" $(CANDLEFLAGS)
!ENDIF
@ -73,6 +73,19 @@ CANDLEFLAGS = -dzlib="C:\zlib-dll" $(CANDLEFLAGS)
!ENDIF
# If you want support for EAC:
# - Download OpenPACE and
# - uncomment the line starting with OPENPACE_DEF
# - set the OPENPACE_INCL_DIR below to the OpenPACE include directory preceeded by "/I"
# - set the OPENPACE_LIB below to your OpenPACE lib file
#OPENPACE_DEF= /DENABLE_OPENPACE
!IF "$(OPENPACE_DEF)" == "/DENABLE_OPENPACE"
OPENPACE_DIR = C:\OpenPACE
OPENPACE_INCL_DIR = /I$(OPENPACE_DIR)\include
OPENPACE_LIB = $(OPENPACE_DIR)\lib\libeac.lib
!ENDIF
# Used for MiniDriver
CNGSDK_INCL_DIR = "/I$(PROGRAMFILES_PATH)\Microsoft CNG Development Kit\Include"
# Mandatory path to 'ISO C9x compliant stdint.h and inttypes.h for Microsoft Visual Studio'
@ -83,15 +96,15 @@ CNGSDK_INCL_DIR = "/I$(PROGRAMFILES_PATH)\Microsoft CNG Development Kit\Include"
# O1 - minimal code size
CODE_OPTIMIZATION = /O1
ALL_INCLUDES = /I$(TOPDIR)\win32 /I$(TOPDIR)\src $(OPENSSL_INCL_DIR) $(OPENSSL_EXTRA_CFLAGS) $(ZLIB_INCL_DIR) $(LIBLTDL_INCL) $(INTTYPES_INCL_DIR) $(CNGSDK_INCL_DIR) $(WIX_INCL_DIR)
ALL_INCLUDES = /I$(TOPDIR)\win32 /I$(TOPDIR)\src $(OPENPACE_INCL_DIR) $(OPENSSL_INCL_DIR) $(OPENSSL_EXTRA_CFLAGS) $(ZLIB_INCL_DIR) $(LIBLTDL_INCL) $(INTTYPES_INCL_DIR) $(CNGSDK_INCL_DIR) $(WIX_INCL_DIR)
!IF "$(DEBUG_DEF)" == "/DDEBUG"
LINKDEBUGFLAGS = /NODEFAULTLIB:LIBCMT /DEBUG
CODE_OPTIMIZATION =
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MTd /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\"" /DDEBUG /Zi /Od
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MTd /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENPACE_DEF) $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\"" /DDEBUG /Zi /Od
!ELSE
LINKDEBUGFLAGS = /NODEFAULTLIB:LIBCMTD
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MT /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\""
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MT /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENPACE_DEF) $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\""
!ENDIF

9
win32/OpenSC.wxs.in
View File

@ -62,6 +62,9 @@
<Directory Id="TARGETDIR" Name="SourceDir">
<!-- Install critical DLL-s to system folder. NB! Id-s can not contain "-" characters! -->
<Directory Id="$(var.PlatformSystemFolder)" Name=".">
<Component Id="cardnpa.dll" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\libopensc\cardnpa.dll" Vital="yes"/>
</Component>
<Component Id="opensc_pkcs11.dll" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\pkcs11\opensc-pkcs11.dll" Vital="yes"/>
</Component>
@ -180,6 +183,9 @@
<Component Id="gids_tool.exe" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\tools\gids-tool.exe" Vital="yes"/>
</Component>
<Component Id="npa_tool.exe" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\tools\npa-tool.exe" Vital="yes"/>
</Component>
<?endif ?>
</Directory>
<?ifdef OpenSSL ?>
@ -296,6 +302,7 @@
<Feature Id="Complete" Level="1" Title="OpenSC software suite" Display="expand">
<Feature Id="OpenSC_core" Level="1" Title="OpenSC core library" Description="Core DLL and configuration file used by all other components." Absent="disallow">
<ComponentRef Id="opensc.dll"/>
<ComponentRef Id="cardnpa.dll"/>
<?ifdef zlib ?>
<ComponentRef Id="zlib1.dll"/>
<?endif ?>
@ -305,6 +312,7 @@
<?endif ?>
</Feature>
<Feature Id="OpenSC_pkcs11" Level="1" Title="OpenSC PKCS#11 module" Description="PKCS#11 module usd by most open source and cross-platform software (like Firefox, Putty, TrueCrypt, OpenVPN etc)" TypicalDefault="install">
<ComponentRef Id="cardnpa.dll"/>
<ComponentRef Id="opensc_pkcs11.dll"/>
<ComponentRef Id="onepin_opensc_pkcs11.dll"/>
</Feature>
@ -335,6 +343,7 @@
<ComponentRef Id="sc_hsm_tool.exe"/>
<ComponentRef Id="dnie_tool.exe"/>
<ComponentRef Id="gids_tool.exe"/>
<ComponentRef Id="npa_tool.exe"/>
<ComponentRef Id="cyberflex.profile"/>
<ComponentRef Id="flex.profile"/>
<ComponentRef Id="gpk.profile"/>

4
win32/winconfig.h.in
View File

@ -90,6 +90,10 @@
#define PACKAGE_VERSION "@PACKAGE_VERSION@"
#endif
#ifndef VERSION
#define VERSION PACKAGE_VERSION
#endif
#ifndef PACKAGE_NAME
#define PACKAGE_NAME "@PACKAGE_NAME@"
#endif