Added (external) card driver for German ID card
(Imported libcardnpa from https://github.com/frankmorgner/vsmartcard) - Added generic SM implementation of ISO/IEC 7816-8 - Added implementation of extended access control as defined by - BSI TR-03110 - ICAO Doc 9303 - ISO/IEC 7501 - Added tool for German ID card (and other EAC tokens) - renamed folder libsm to sm
This commit is contained in:
parent
dae323ea50
commit
a4f64d9439
|
@ -67,7 +67,7 @@ doc/tools/netkey-tool
|
|||
doc/tools/openpgp-tool
|
||||
doc/tools/opensc-explorer
|
||||
doc/tools/opensc-tool
|
||||
src/tools/gids-tool
|
||||
doc/tools/gids-tool
|
||||
doc/tools/piv-tool
|
||||
doc/tools/pkcs11-tool
|
||||
doc/tools/pkcs15-crypt
|
||||
|
@ -76,7 +76,6 @@ doc/tools/pkcs15-tool
|
|||
doc/tools/sc-hsm-tool
|
||||
doc/tools/westcos-tool
|
||||
doc/tools/dnie-tool
|
||||
doc/tools/gids-tool
|
||||
|
||||
etc/opensc.conf.win
|
||||
etc/opensc.conf
|
||||
|
@ -101,7 +100,8 @@ src/tools/cryptoflex-tool
|
|||
src/tools/netkey-tool
|
||||
src/tools/pkcs11-tool
|
||||
src/tools/dnie-tool
|
||||
src/tools/gids-tool
|
||||
src/tools/npa-tool
|
||||
src/tools/sceac-example
|
||||
|
||||
win32/OpenSC.iss
|
||||
win32/OpenSC.wxs
|
||||
|
|
20
.travis.yml
20
.travis.yml
|
@ -13,6 +13,7 @@ addons:
|
|||
- mingw-w64
|
||||
- wine
|
||||
- xsltproc
|
||||
- gengetopt
|
||||
coverity_scan:
|
||||
project:
|
||||
name: "OpenSC/OpenSC"
|
||||
|
@ -45,6 +46,14 @@ matrix:
|
|||
- os: linux
|
||||
env: HOST=i686-w64-mingw32
|
||||
|
||||
before_install:
|
||||
- if [ "$TRAVIS_OS_NAME" == "osx" ]; then
|
||||
brew update;
|
||||
brew uninstall libtool;
|
||||
brew install libtool;
|
||||
brew install gengetopt;
|
||||
fi
|
||||
|
||||
before_script:
|
||||
# we run a weekly cron job in travis on the coverity branch
|
||||
# just synchronize it with master to get a new report
|
||||
|
@ -53,7 +62,7 @@ before_script:
|
|||
fi
|
||||
- ./bootstrap
|
||||
- if [ -z "$HOST" ]; then
|
||||
CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
|
||||
CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
|
||||
else
|
||||
if [ ! -f "$(winepath 'C:/Program Files (x86)/Inno Setup 5/ISCC.exe')" ]; then
|
||||
/sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16;
|
||||
|
@ -90,13 +99,4 @@ after_script:
|
|||
killall services.exe;
|
||||
fi
|
||||
|
||||
|
||||
before_install:
|
||||
- if [ "$TRAVIS_OS_NAME" != "linux" ]; then
|
||||
brew update;
|
||||
brew uninstall libtool;
|
||||
brew install libtool;
|
||||
brew install libdvbpsi libhdhomerun;
|
||||
fi
|
||||
|
||||
cache: ccache
|
||||
|
|
103
configure.ac
103
configure.ac
|
@ -168,6 +168,13 @@ AC_ARG_ENABLE(
|
|||
[enable_openssl="detect"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[openpace],
|
||||
[AS_HELP_STRING([--enable-openpace],[enable OpenPACE linkage @<:@detect@:>@])],
|
||||
,
|
||||
[enable_openpace="detect"]
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE(
|
||||
[openct],
|
||||
[AS_HELP_STRING([--enable-openct],[enable openct linkage @<:@disabled@:>@])],
|
||||
|
@ -354,7 +361,7 @@ AC_FUNC_ERROR_AT_LINE
|
|||
AC_FUNC_STAT
|
||||
AC_FUNC_VPRINTF
|
||||
AC_CHECK_FUNCS([ \
|
||||
getpass gettimeofday memset mkdir \
|
||||
getpass gettimeofday getline memset mkdir \
|
||||
strdup strerror getopt_long getopt_long_only \
|
||||
strlcpy strlcat strnlen
|
||||
])
|
||||
|
@ -552,6 +559,88 @@ else
|
|||
OPENSSL_LIBS=""
|
||||
fi
|
||||
|
||||
|
||||
|
||||
PKG_CHECK_EXISTS([libeac], [PKG_CHECK_MODULES([OPENPACE], [libeac >= 0.9])],
|
||||
[AC_MSG_WARN([libeac not found by pkg-config])])
|
||||
|
||||
saved_CPPFLAGS="$CPPFLAGS"
|
||||
saved_LIBS="$LIBS"
|
||||
CPPFLAGS="$CPPFLAGS $OPENPACE_CFLAGS"
|
||||
LIBS="$LDFLAGS $OPENPACE_LIBS"
|
||||
|
||||
have_openpace="yes"
|
||||
AC_CHECK_HEADERS(eac/eac.h, [],
|
||||
[ AC_MSG_WARN([OpenPACE headers not found])
|
||||
have_openpace="no" ])
|
||||
AC_MSG_CHECKING([for EAC_CTX_init_pace])
|
||||
AC_TRY_LINK_FUNC(EAC_CTX_init_pace, [ AC_MSG_RESULT([yes]) ],
|
||||
[ AC_MSG_WARN([Cannot link against libeac])
|
||||
have_openpace="no" ])
|
||||
|
||||
CPPFLAGS="$saved_CPPFLAGS"
|
||||
LIBS="$saved_LIBS"
|
||||
|
||||
|
||||
AC_ARG_ENABLE(cvcdir,
|
||||
AC_HELP_STRING([--enable-cvcdir=DIR],
|
||||
[directory containing CV certificates (default is determined by libeac)]),
|
||||
[cvcdir="${enableval}"],
|
||||
[cvcdir=false])
|
||||
if test "${cvcdir}" = false ; then
|
||||
cvcdir="`$PKG_CONFIG libeac --variable=cvcdir`"
|
||||
fi
|
||||
if test "${cvcdir}" = "" ; then
|
||||
AC_MSG_WARN([use --enable-cvcdir=DIR])
|
||||
fi
|
||||
CVCDIR="${cvcdir}"
|
||||
AC_SUBST(CVCDIR)
|
||||
|
||||
AC_ARG_ENABLE(x509dir,
|
||||
AC_HELP_STRING([--enable-x509dir=DIR],
|
||||
[directory containing X.509 certificates (default is determined by libeac)]),
|
||||
[x509dir="${enableval}"],
|
||||
[x509dir=false])
|
||||
if test "${x509dir}" = false ; then
|
||||
x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
|
||||
fi
|
||||
if test -z "${x509dir}"
|
||||
then
|
||||
x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
|
||||
fi
|
||||
if test -z "${x509dir}"
|
||||
then
|
||||
AC_MSG_WARN([use --enable-x509dir=DIR])
|
||||
fi
|
||||
X509DIR="${x509dir}"
|
||||
AC_SUBST(X509DIR)
|
||||
|
||||
case "${enable_openpace}" in
|
||||
no)
|
||||
have_openpace="no"
|
||||
;;
|
||||
detect)
|
||||
if test "${have_openpace}" = "yes"; then
|
||||
enable_openpace="yes"
|
||||
else
|
||||
enable_openpace="no"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if test "${enable_openpace}" = "yes"; then
|
||||
if test "${have_openpace}" = "yes"; then
|
||||
AC_DEFINE([ENABLE_OPENPACE], [1], [Use OpenPACE libraries and header files])
|
||||
else
|
||||
AC_MSG_ERROR([OpenPACE linkage required, but no OpenPACE was found])
|
||||
fi
|
||||
else
|
||||
OPENPACE_CFLAGS=""
|
||||
OPENPACE_LIBS=""
|
||||
fi
|
||||
|
||||
|
||||
|
||||
if test "${enable_sm}" = "yes"; then
|
||||
AC_DEFINE([ENABLE_SM], [1], [Enable secure messaging support])
|
||||
|
||||
|
@ -672,6 +761,13 @@ if test "${enable_man}" = "yes" -o "${enable_doc}" = "yes"; then
|
|||
AC_MSG_RESULT([ok])
|
||||
fi
|
||||
|
||||
AC_ARG_VAR([HELP2MAN],
|
||||
[absolute path to help2man used for man page generation of npa-tool])
|
||||
AC_PATH_PROG(HELP2MAN, help2man, not found)
|
||||
AC_ARG_VAR([GENGETOPT],
|
||||
[absolute path to gengetopt used for command line parsing of npa-tool])
|
||||
AC_PATH_PROG(GENGETOPT, gengetopt, not found)
|
||||
|
||||
OPENSC_FEATURES=""
|
||||
if test "${enable_thread_locking}" = "yes"; then
|
||||
OPENSC_FEATURES="${OPENSC_FEATURES} locking"
|
||||
|
@ -770,6 +866,7 @@ AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
|
|||
AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"])
|
||||
AM_CONDITIONAL([ENABLE_SM], [test "${enable_sm}" = "yes"])
|
||||
AM_CONDITIONAL([ENABLE_DNIE_UI], [test "${enable_dnie_ui}" = "yes"])
|
||||
AM_CONDITIONAL([ENABLE_NPATOOL], [test "${ENABLE_NPATOOL}" = "yes"])
|
||||
AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
|
||||
|
||||
if test "${enable_pedantic}" = "yes"; then
|
||||
|
@ -796,7 +893,7 @@ AC_CONFIG_FILES([
|
|||
src/Makefile
|
||||
src/common/Makefile
|
||||
src/libopensc/Makefile
|
||||
src/libsm/Makefile
|
||||
src/sm/Makefile
|
||||
src/pkcs11/Makefile
|
||||
src/pkcs11/versioninfo-pkcs11.rc
|
||||
src/pkcs11/versioninfo-pkcs11-spy.rc
|
||||
|
@ -877,6 +974,8 @@ ZLIB_CFLAGS: ${ZLIB_CFLAGS}
|
|||
ZLIB_LIBS: ${ZLIB_LIBS}
|
||||
OPENSSL_CFLAGS: ${OPENSSL_CFLAGS}
|
||||
OPENSSL_LIBS: ${OPENSSL_LIBS}
|
||||
OPENPACE_CFLAGS: ${OPENPACE_CFLAGS}
|
||||
OPENPACE_LIBS: ${OPENPACE_LIBS}
|
||||
OPENCT_CFLAGS: ${OPENCT_CFLAGS}
|
||||
OPENCT_LIBS: ${OPENCT_LIBS}
|
||||
PCSC_CFLAGS: ${PCSC_CFLAGS}
|
||||
|
|
|
@ -133,7 +133,7 @@ app default {
|
|||
# Default: internal
|
||||
# NOTE: When "internal" keyword is used, must be last entry
|
||||
#
|
||||
# card_drivers = customcos, internal;
|
||||
card_drivers = npa, internal;
|
||||
|
||||
# Card driver configuration blocks.
|
||||
|
||||
|
@ -145,6 +145,32 @@ app default {
|
|||
# module = @LIBDIR@@LIB_PRE@card_customcos@DYN_LIB_EXT@;
|
||||
# }
|
||||
|
||||
card_driver npa {
|
||||
# The location of the driver library
|
||||
module = @LIBDIR@@LIB_PRE@cardnpa@DYN_LIB_EXT@;
|
||||
|
||||
# German ID card requires the CAN to be verified before QES PIN. This,
|
||||
# however, is not part of the PKCS#15 profile of the card. So for
|
||||
# verifying the QES PIN we actually need both. The CAN may be given
|
||||
# here. If the CAN is not given here, it will be prompted on the
|
||||
# command line or on the reader (depending on the reader's
|
||||
# capabilities).
|
||||
#
|
||||
#can = 222222;
|
||||
|
||||
# QES is only possible with a Comfort Reader (CAT-K), which holds a
|
||||
# cryptographic key to authenticate itself as signature terminal (ST).
|
||||
# We usually will use the reader's capability to sign the data.
|
||||
# However, during developement you may specify soft certificates and
|
||||
# keys for a ST below.
|
||||
# The following example EAC PKI can be found in vicc's example data:
|
||||
# https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data
|
||||
#
|
||||
#st_dv_certificate = ZZSTDVCA00001.cvcert;
|
||||
#st_certificate = ZZSTTERM00001.cvcert;
|
||||
#st_key = ZZSTTERM00001.pkcs8;
|
||||
}
|
||||
|
||||
# Force using specific card driver
|
||||
#
|
||||
# If this option is present, OpenSC will use the supplied
|
||||
|
|
|
@ -2,9 +2,9 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
|
|||
EXTRA_DIST = Makefile.mak
|
||||
|
||||
# Order IS important
|
||||
SUBDIRS = common scconf pkcs15init libopensc pkcs11 \
|
||||
tools tests minidriver
|
||||
SUBDIRS = common scconf pkcs15init sm \
|
||||
libopensc pkcs11 tools tests minidriver
|
||||
|
||||
if ENABLE_SM
|
||||
SUBDIRS += libsm smm
|
||||
SUBDIRS += smm
|
||||
endif
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
TOPDIR = ..
|
||||
|
||||
SUBDIRS = common scconf libsm pkcs15init libopensc pkcs11 tools tests
|
||||
SUBDIRS = common scconf sm pkcs15init \
|
||||
libopensc pkcs11 tools tests
|
||||
|
||||
default: all
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
|
|||
|
||||
EXTRA_DIST = Makefile.mak
|
||||
|
||||
lib_LTLIBRARIES = libopensc.la
|
||||
lib_LTLIBRARIES = libopensc.la libcardnpa.la
|
||||
noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem.h \
|
||||
internal-winscard.h p15card-helper.h pkcs15-syn.h \
|
||||
opensc.h pkcs15.h \
|
||||
|
@ -12,7 +12,7 @@ noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem.
|
|||
errors.h types.h compression.h itacns.h iso7816.h \
|
||||
authentic.h iasecc.h iasecc-sdo.h sm.h card-sc-hsm.h \
|
||||
pace.h cwa14890.h cwa-dnie.h card-gids.h aux-data.h \
|
||||
jpki.h sc-ossl-compat.h
|
||||
jpki.h sc-ossl-compat.h card-npa.h
|
||||
|
||||
AM_CPPFLAGS = -DOPENSC_CONF_PATH=\"$(sysconfdir)/opensc.conf\" \
|
||||
-I$(top_srcdir)/src
|
||||
|
@ -63,6 +63,7 @@ libopensc_la_LIBADD = $(OPTIONAL_OPENSSL_LIBS) $(OPTIONAL_OPENCT_LIBS) \
|
|||
$(top_builddir)/src/pkcs15init/libpkcs15init.la \
|
||||
$(top_builddir)/src/scconf/libscconf.la \
|
||||
$(top_builddir)/src/common/libscdl.la \
|
||||
$(top_builddir)/src/sm/libsmeac.la \
|
||||
$(top_builddir)/src/common/libcompat.la
|
||||
if WIN32
|
||||
libopensc_la_LIBADD += -lws2_32
|
||||
|
@ -72,6 +73,16 @@ libopensc_la_LDFLAGS = $(AM_LDFLAGS) \
|
|||
-export-symbols "$(srcdir)/libopensc.exports" \
|
||||
-no-undefined
|
||||
|
||||
libcardnpa_la_SOURCES = card-npa.c cardnpa.exports
|
||||
libcardnpa_la_LIBADD = $(OPENPACE_LIBS) \
|
||||
$(top_builddir)/src/common/libcompat.la \
|
||||
libopensc.la
|
||||
libcardnpa_la_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS)
|
||||
libcardnpa_la_LDFLAGS = $(AM_LDFLAGS) \
|
||||
-version-info @OPENSC_LT_CURRENT@:@OPENSC_LT_REVISION@:@OPENSC_LT_AGE@ \
|
||||
-export-symbols "$(srcdir)/cardnpa.exports" \
|
||||
-no-undefined
|
||||
|
||||
if WIN32
|
||||
# def file required for MS users to build library
|
||||
mylibdir=$(libdir)
|
||||
|
|
|
@ -40,9 +40,13 @@ OBJECTS = \
|
|||
LIBS = $(TOPDIR)\src\scconf\scconf.lib \
|
||||
$(TOPDIR)\src\common\common.lib \
|
||||
$(TOPDIR)\src\common\libscdl.lib \
|
||||
$(TOPDIR)\src\sm\libsmeac.lib \
|
||||
$(TOPDIR)\src\pkcs15init\pkcs15init.lib
|
||||
|
||||
all: $(TOPDIR)\win32\versioninfo.res $(TARGET)
|
||||
TARGET1 = cardnpa.dll
|
||||
OBJECTS1 = card-npa.obj
|
||||
|
||||
all: $(TOPDIR)\win32\versioninfo.res $(TARGET) $(TARGET1)
|
||||
|
||||
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
|
||||
|
||||
|
@ -55,3 +59,10 @@ opensc.dll: $(OBJECTS) $(LIBS)
|
|||
|
||||
opensc_a.lib: $(OBJECTS) $(LIBS)
|
||||
lib $(LIBFLAGS) /out:opensc_a.lib $(OBJECTS) $(LIBS) $(OPENSSL_LIB) $(ZLIB_LIB) user32.lib advapi32.lib ws2_32.lib
|
||||
|
||||
$(TARGET1): $(OBJECTS1) opensc_a.lib
|
||||
echo LIBRARY $* > $*.def
|
||||
echo EXPORTS >> $*.def
|
||||
type $*.exports >> $*.def
|
||||
link /dll $(LINKFLAGS) /def:$*.def /implib:$*.lib /out:$(TARGET1) $(OBJECTS1) opensc_a.lib $(ZLIB_LIB) $(OPENPACE_LIB) $(OPENSSL_LIB) ws2_32.lib gdi32.lib advapi32.lib Crypt32.lib User32.lib
|
||||
if EXIST $(TARGET).manifest mt -manifest $(TARGET1).manifest -outputresource:$(TARGET1);2
|
||||
|
|
|
@ -0,0 +1,724 @@
|
|||
/*
|
||||
* card-npa.c: Recognize known German identity cards
|
||||
*
|
||||
* Copyright (C) 2011-2015 Frank Morgner <frankmorgner@gmail.com>
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif
|
||||
|
||||
#include "card-npa.h"
|
||||
#include "libopensc/internal.h"
|
||||
#include "libopensc/opensc.h"
|
||||
#include "libopensc/pace.h"
|
||||
#include "libopensc/sm.h"
|
||||
#include "sm/sm-eac.h"
|
||||
#include <string.h>
|
||||
|
||||
#include "../tools/fread_to_eof.c"
|
||||
|
||||
struct npa_drv_data {
|
||||
const char *can;
|
||||
unsigned char *st_dv_certificate;
|
||||
size_t st_dv_certificate_len;
|
||||
unsigned char *st_certificate;
|
||||
size_t st_certificate_len;
|
||||
unsigned char *st_key;
|
||||
size_t st_key_len;
|
||||
unsigned char *ef_cardaccess;
|
||||
size_t ef_cardaccess_length;
|
||||
unsigned char *ef_cardsecurity;
|
||||
size_t ef_cardsecurity_length;
|
||||
};
|
||||
|
||||
static struct npa_drv_data *npa_drv_data_create(void)
|
||||
{
|
||||
struct npa_drv_data *drv_data = calloc(1, sizeof *drv_data);
|
||||
return drv_data;
|
||||
}
|
||||
|
||||
static void npa_drv_data_free(struct npa_drv_data *drv_data)
|
||||
{
|
||||
if (drv_data) {
|
||||
free(drv_data->ef_cardaccess);
|
||||
free(drv_data->ef_cardsecurity);
|
||||
free(drv_data->st_certificate);
|
||||
free(drv_data->st_dv_certificate);
|
||||
free(drv_data->st_key);
|
||||
free(drv_data);
|
||||
}
|
||||
}
|
||||
|
||||
static struct sc_atr_table npa_atrs[] = {
|
||||
{"3B:8A:80:01:80:31:F8:73:F7:41:E0:82:90:00:75",
|
||||
"FF:FF:FF:FF:FF:FF:00:FF:00:00:FF:FF:FF:FF:00",
|
||||
"German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
|
||||
{"3B:88:80:01:00:00:00:00:00:00:00:00:09", NULL,
|
||||
"German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
|
||||
{"3B:87:80:01:80:31:B8:73:84:01:E0:19", NULL,
|
||||
"German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
|
||||
{"3B:84:80:01:00:00:90:00:95", NULL,
|
||||
"German ID card (Test neuer Personalausweis)", SC_CARD_TYPE_NPA_TEST, 0, NULL},
|
||||
{"3B:88:80:01:00:E1:F3:5E:13:77:83:00:00",
|
||||
"FF:FF:FF:FF:00:FF:FF:FF:FF:FF:FF:FF:00",
|
||||
"German ID card (Test Online-Ausweisfunktion)", SC_CARD_TYPE_NPA_ONLINE, 0, NULL},
|
||||
{NULL, NULL, NULL, 0, 0, NULL}
|
||||
};
|
||||
|
||||
static struct sc_card_operations npa_ops;
|
||||
static struct sc_card_driver npa_drv = {
|
||||
"German ID card (neuer Personalausweis, nPA)",
|
||||
"npa",
|
||||
&npa_ops,
|
||||
NULL, 0, NULL
|
||||
};
|
||||
|
||||
static int npa_load_options(sc_context_t *ctx, struct npa_drv_data *drv_data)
|
||||
{
|
||||
int r;
|
||||
size_t i, j;
|
||||
scconf_block **found_blocks, *block;
|
||||
const char *file;
|
||||
|
||||
if (!ctx || !drv_data) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
for (i = 0; ctx->conf_blocks[i]; i++) {
|
||||
found_blocks = scconf_find_blocks(ctx->conf, ctx->conf_blocks[i],
|
||||
"card_driver", "npa");
|
||||
if (!found_blocks)
|
||||
continue;
|
||||
|
||||
for (j = 0, block = found_blocks[j]; block; j++, block = found_blocks[j]) {
|
||||
if (!drv_data->can)
|
||||
drv_data->can = scconf_get_str(block, "can", NULL);
|
||||
|
||||
if (!drv_data->st_dv_certificate
|
||||
|| !drv_data->st_dv_certificate_len) {
|
||||
file = scconf_get_str(block, "st_dv_certificate", NULL);
|
||||
if (!fread_to_eof(file,
|
||||
(unsigned char **) &drv_data->st_dv_certificate,
|
||||
&drv_data->st_dv_certificate_len))
|
||||
sc_log(ctx, "Waring: Could not read %s.\n", file);
|
||||
}
|
||||
|
||||
if (!drv_data->st_certificate
|
||||
|| !drv_data->st_certificate_len) {
|
||||
file = scconf_get_str(block, "st_certificate", NULL);
|
||||
if (!fread_to_eof(file,
|
||||
(unsigned char **) &drv_data->st_certificate,
|
||||
&drv_data->st_certificate_len))
|
||||
sc_log(ctx, "Waring: Could not read %s.\n", file);
|
||||
}
|
||||
|
||||
if (!drv_data->st_key
|
||||
|| !drv_data->st_key_len) {
|
||||
file = scconf_get_str(block, "st_key", NULL);
|
||||
if (!fread_to_eof(file,
|
||||
(unsigned char **) &drv_data->st_key,
|
||||
&drv_data->st_key_len))
|
||||
sc_log(ctx, "Waring: Could not read %s.\n", file);
|
||||
}
|
||||
}
|
||||
|
||||
free(found_blocks);
|
||||
}
|
||||
r = SC_SUCCESS;
|
||||
|
||||
err:
|
||||
return r;
|
||||
}
|
||||
|
||||
static int npa_match_card(sc_card_t * card)
|
||||
{
|
||||
if (_sc_match_atr(card, npa_atrs, &card->type) < 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void npa_get_cached_pace_params(sc_card_t *card,
|
||||
struct establish_pace_channel_input *pace_input,
|
||||
struct establish_pace_channel_output *pace_output)
|
||||
{
|
||||
struct npa_drv_data *drv_data;
|
||||
|
||||
if (card->drv_data) {
|
||||
drv_data = card->drv_data;
|
||||
|
||||
if (pace_output) {
|
||||
pace_output->ef_cardaccess = drv_data->ef_cardaccess;
|
||||
pace_output->ef_cardaccess_length = drv_data->ef_cardaccess_length;
|
||||
}
|
||||
|
||||
if (pace_input && pace_input->pin_id == PACE_PIN_ID_CAN) {
|
||||
pace_input->pin = (const unsigned char *) drv_data->can;
|
||||
pace_input->pin_length = drv_data->can ? strlen(drv_data->can) : 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void npa_get_cached_ta_params(sc_card_t *card,
|
||||
const unsigned char *certs[2], size_t certs_lens[2],
|
||||
const unsigned char **st_key, size_t *st_key_len)
|
||||
{
|
||||
struct npa_drv_data *drv_data;
|
||||
size_t i;
|
||||
|
||||
if (card->drv_data) {
|
||||
drv_data = card->drv_data;
|
||||
|
||||
if (certs && certs_lens) {
|
||||
i = 0;
|
||||
if (drv_data->st_dv_certificate) {
|
||||
certs[i] = drv_data->st_dv_certificate;
|
||||
certs_lens[i] = drv_data->st_dv_certificate_len;
|
||||
i++;
|
||||
}
|
||||
if (drv_data->st_certificate) {
|
||||
certs[i] = drv_data->st_certificate;
|
||||
certs_lens[i] = drv_data->st_certificate_len;
|
||||
}
|
||||
}
|
||||
if (st_key && st_key_len) {
|
||||
*st_key = drv_data->st_key;
|
||||
*st_key_len = drv_data->st_key_len;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void npa_get_cached_ca_params(sc_card_t *card,
|
||||
unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_length)
|
||||
{
|
||||
struct npa_drv_data *drv_data;
|
||||
|
||||
if (card->drv_data) {
|
||||
drv_data = card->drv_data;
|
||||
|
||||
if (ef_cardsecurity && ef_cardsecurity_length) {
|
||||
*ef_cardsecurity = drv_data->ef_cardsecurity;
|
||||
*ef_cardsecurity_length = drv_data->ef_cardsecurity_length;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void npa_cache_or_free(sc_card_t *card,
|
||||
unsigned char **ef_cardaccess, size_t *ef_cardaccess_length,
|
||||
unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_length)
|
||||
{
|
||||
struct npa_drv_data *drv_data;
|
||||
|
||||
if (card && card->drv_data) {
|
||||
drv_data = card->drv_data;
|
||||
|
||||
if (ef_cardaccess && ef_cardaccess_length
|
||||
&& *ef_cardaccess && *ef_cardaccess_length) {
|
||||
drv_data->ef_cardaccess = *ef_cardaccess;
|
||||
drv_data->ef_cardaccess_length = *ef_cardaccess_length;
|
||||
*ef_cardaccess = NULL;
|
||||
*ef_cardaccess_length = 0;
|
||||
}
|
||||
if (ef_cardsecurity && ef_cardsecurity_length
|
||||
&& *ef_cardsecurity && *ef_cardsecurity_length) {
|
||||
drv_data->ef_cardsecurity = *ef_cardsecurity;
|
||||
drv_data->ef_cardsecurity_length = *ef_cardsecurity_length;
|
||||
*ef_cardsecurity = NULL;
|
||||
*ef_cardsecurity_length = 0;
|
||||
}
|
||||
} else {
|
||||
if (ef_cardaccess && ef_cardaccess_length) {
|
||||
free(*ef_cardaccess);
|
||||
*ef_cardaccess = NULL;
|
||||
*ef_cardaccess_length = 0;
|
||||
}
|
||||
if (ef_cardsecurity && ef_cardsecurity_length) {
|
||||
free(*ef_cardsecurity);
|
||||
*ef_cardsecurity = NULL;
|
||||
*ef_cardsecurity_length = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static int npa_unlock_esign(sc_card_t *card)
|
||||
{
|
||||
int r = SC_ERROR_INTERNAL;
|
||||
struct establish_pace_channel_input pace_input;
|
||||
struct establish_pace_channel_output pace_output;
|
||||
const unsigned char *certs[] = { NULL, NULL };
|
||||
size_t certs_lens[] = { 0, 0};
|
||||
const unsigned char *st_key = NULL;
|
||||
size_t st_key_len = 0;
|
||||
unsigned char *ef_cardsecurity = NULL;
|
||||
size_t ef_cardsecurity_len = 0;
|
||||
memset(&pace_input, 0, sizeof pace_input);
|
||||
memset(&pace_output, 0, sizeof pace_output);
|
||||
|
||||
if (!card) {
|
||||
r = SC_ERROR_INVALID_CARD;
|
||||
goto err;
|
||||
}
|
||||
|
||||
sc_log(card->ctx, "Will verify CAN first for unlocking eSign application.\n");
|
||||
pace_input.chat = esign_chat;
|
||||
pace_input.chat_length = sizeof esign_chat;
|
||||
pace_input.pin_id = PACE_PIN_ID_CAN;
|
||||
npa_get_cached_pace_params(card, &pace_input, &pace_output);
|
||||
npa_get_cached_ta_params(card, certs, certs_lens, &st_key, &st_key_len);
|
||||
npa_get_cached_ca_params(card, &ef_cardsecurity, &ef_cardsecurity_len);
|
||||
|
||||
if (!(card->reader && (card->reader->capabilities & SC_READER_CAP_PACE_ESIGN))
|
||||
&& (!st_key || !st_key_len)) {
|
||||
sc_log(card->ctx, "QES requires a comfort reader (CAT-K) or a ST certificate.\n");
|
||||
r = SC_ERROR_NOT_SUPPORTED;
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* FIXME set flags with opensc.conf */
|
||||
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_ALL;
|
||||
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_TA;
|
||||
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_CA;
|
||||
|
||||
/* FIXME show an alert to the user if can == NULL */
|
||||
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
|
||||
if (SC_SUCCESS != r) {
|
||||
sc_log(card->ctx, "Error verifying CAN.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (card->reader->capabilities & SC_READER_CAP_PACE_ESIGN) {
|
||||
sc_log(card->ctx, "Proved Access rights to eSign application with comfort reader (CAT-K).\n");
|
||||
} else {
|
||||
r = perform_terminal_authentication(card, certs, certs_lens, st_key,
|
||||
st_key_len, NULL, 0);
|
||||
if (r != SC_SUCCESS) {
|
||||
sc_log(card->ctx, "Error authenticating as signature terminal.\n");
|
||||
goto err;
|
||||
}
|
||||
r = perform_chip_authentication(card, &ef_cardsecurity, &ef_cardsecurity_len);
|
||||
if ( SC_SUCCESS != r) {
|
||||
sc_log(card->ctx, "Error verifying the chips authenticy.\n");
|
||||
}
|
||||
|
||||
sc_log(card->ctx, "Proved Access rights to eSign application with configured key as ST.\n");
|
||||
}
|
||||
|
||||
err:
|
||||
npa_cache_or_free(card, &pace_output.ef_cardaccess,
|
||||
&pace_output.ef_cardaccess_length,
|
||||
&ef_cardsecurity, &ef_cardsecurity_len);
|
||||
free(pace_output.recent_car);
|
||||
free(pace_output.previous_car);
|
||||
free(pace_output.id_icc);
|
||||
free(pace_output.id_pcd);
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int npa_init(sc_card_t * card)
|
||||
{
|
||||
int flags = SC_ALGORITHM_ECDSA_RAW;
|
||||
int ext_flags = 0;
|
||||
int r;
|
||||
|
||||
if (!card) {
|
||||
r = SC_ERROR_INVALID_CARD;
|
||||
goto err;
|
||||
}
|
||||
|
||||
card->caps |= SC_CARD_CAP_APDU_EXT | SC_CARD_CAP_RNG;
|
||||
/* 1520 bytes is the minimum lenght of the communication buffer in all
|
||||
* Chip/OS variants */
|
||||
card->max_recv_size = 1520;
|
||||
card->max_send_size = 1520;
|
||||
#ifdef ENABLE_SM
|
||||
memset(&card->sm_ctx, 0, sizeof card->sm_ctx);
|
||||
#endif
|
||||
|
||||
r = _sc_card_add_ec_alg(card, 192, flags, ext_flags, NULL);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
r = _sc_card_add_ec_alg(card, 224, flags, ext_flags, NULL);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
r = _sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
/* nPA does not encode the proprietary fieldSize in PrivateECKeyAttributes,
|
||||
* which leaves it at 0 for OpenSC, so we need to add 0x00 as supported
|
||||
* field_length */
|
||||
r = _sc_card_add_ec_alg(card, 0, flags, ext_flags, NULL);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
|
||||
#ifdef ENABLE_OPENPACE
|
||||
EAC_init();
|
||||
#endif
|
||||
card->drv_data = npa_drv_data_create();
|
||||
r = npa_load_options(card->ctx, card->drv_data);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
|
||||
/* unlock the eSign application for reading the certificates
|
||||
* by the PKCS#15 layer (i.e. sc_pkcs15_bind_internal) */
|
||||
if (SC_SUCCESS != npa_unlock_esign(card))
|
||||
sc_log(card->ctx, "Propably not all functionality will be available.\n");
|
||||
|
||||
err:
|
||||
return r;
|
||||
}
|
||||
|
||||
static int npa_finish(sc_card_t * card)
|
||||
{
|
||||
sc_sm_stop(card);
|
||||
npa_drv_data_free(card->drv_data);
|
||||
card->drv_data = NULL;
|
||||
#ifdef ENABLE_OPENPACE
|
||||
EAC_cleanup();
|
||||
#endif
|
||||
|
||||
return SC_SUCCESS;
|
||||
}
|
||||
|
||||
static int npa_set_security_env(struct sc_card *card,
|
||||
const struct sc_security_env *env, int se_num)
|
||||
{
|
||||
int r;
|
||||
struct sc_card_driver *iso_drv;
|
||||
struct sc_security_env fixed_env;
|
||||
|
||||
iso_drv = sc_get_iso7816_driver();
|
||||
|
||||
if (!env || !iso_drv || !iso_drv->ops || !iso_drv->ops->set_security_env) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
} else {
|
||||
memcpy(&fixed_env, env, sizeof fixed_env);
|
||||
if (env->operation == SC_SEC_OPERATION_SIGN) {
|
||||
/* The pkcs#15 layer assumes that the field_size of the private key
|
||||
* object is correctly initialized and wants to include it as
|
||||
* algorithm reference. We disable it here */
|
||||
fixed_env.flags &= ~SC_SEC_ENV_ALG_REF_PRESENT;
|
||||
}
|
||||
r = iso_drv->ops->set_security_env(card, &fixed_env, se_num);
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int npa_pin_cmd_get_info(struct sc_card *card,
|
||||
struct sc_pin_cmd_data *data, int *tries_left)
|
||||
{
|
||||
int r;
|
||||
u8 pin_reference;
|
||||
|
||||
if (!data || data->pin_type != SC_AC_CHV || !tries_left) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
goto err;
|
||||
}
|
||||
|
||||
pin_reference = data->pin_reference;
|
||||
switch (data->pin_reference) {
|
||||
case PACE_PIN_ID_CAN:
|
||||
case PACE_PIN_ID_MRZ:
|
||||
/* usually unlimited number of retries */
|
||||
*tries_left = -1;
|
||||
data->pin1.max_tries = -1;
|
||||
data->pin1.tries_left = -1;
|
||||
r = SC_SUCCESS;
|
||||
break;
|
||||
|
||||
case PACE_PIN_ID_PUK:
|
||||
/* usually 10 tries */
|
||||
*tries_left = 10;
|
||||
data->pin1.max_tries = 10;
|
||||
r = npa_pace_get_tries_left(card,
|
||||
pin_reference, tries_left);
|
||||
data->pin1.tries_left = *tries_left;
|
||||
break;
|
||||
|
||||
case PACE_PIN_ID_PIN:
|
||||
/* usually 3 tries */
|
||||
*tries_left = 3;
|
||||
data->pin1.max_tries = 3;
|
||||
r = npa_pace_get_tries_left(card,
|
||||
pin_reference, tries_left);
|
||||
data->pin1.tries_left = *tries_left;
|
||||
break;
|
||||
|
||||
default:
|
||||
r = SC_ERROR_OBJECT_NOT_FOUND;
|
||||
goto err;
|
||||
}
|
||||
|
||||
err:
|
||||
return r;
|
||||
}
|
||||
|
||||
static int npa_pace_verify(struct sc_card *card,
|
||||
unsigned char pin_reference, struct sc_pin_cmd_pin *pin,
|
||||
const unsigned char *chat, size_t chat_length, int *tries_left)
|
||||
{
|
||||
int r;
|
||||
struct establish_pace_channel_input pace_input;
|
||||
struct establish_pace_channel_output pace_output;
|
||||
|
||||
memset(&pace_input, 0, sizeof pace_input);
|
||||
memset(&pace_output, 0, sizeof pace_output);
|
||||
if (chat) {
|
||||
pace_input.chat = chat;
|
||||
pace_input.chat_length = chat_length;
|
||||
}
|
||||
pace_input.pin_id = pin_reference;
|
||||
if (pin) {
|
||||
pace_input.pin = pin->data;
|
||||
pace_input.pin_length = pin->len;
|
||||
}
|
||||
npa_get_cached_pace_params(card, &pace_input, &pace_output);
|
||||
|
||||
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
|
||||
|
||||
if (tries_left) {
|
||||
if (pace_output.mse_set_at_sw1 == 0x63
|
||||
&& (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0) {
|
||||
*tries_left = pace_output.mse_set_at_sw2 & 0x0f;
|
||||
} else {
|
||||
*tries_left = -1;
|
||||
}
|
||||
}
|
||||
|
||||
/* resume the PIN if needed */
|
||||
if (pin_reference == PACE_PIN_ID_PIN
|
||||
&& r != SC_SUCCESS
|
||||
&& pace_output.mse_set_at_sw1 == 0x63
|
||||
&& (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0
|
||||
&& (pace_output.mse_set_at_sw2 & 0x0f) <= UC_PIN_SUSPENDED) {
|
||||
/* TODO ask for user consent when automatically resuming the PIN */
|
||||
sc_log(card->ctx, "%s is suspended. Will try to resume it with %s.\n",
|
||||
npa_secret_name(pin_reference), npa_secret_name(PACE_PIN_ID_CAN));
|
||||
|
||||
pace_input.pin_id = PACE_PIN_ID_CAN;
|
||||
pace_input.pin = NULL;
|
||||
pace_input.pin_length = 0;
|
||||
|
||||
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
|
||||
|
||||
if (r == SC_SUCCESS) {
|
||||
pace_input.pin_id = pin_reference;
|
||||
if (pin) {
|
||||
pace_input.pin = pin->data;
|
||||
pace_input.pin_length = pin->len;
|
||||
}
|
||||
|
||||
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
|
||||
|
||||
if (r == SC_SUCCESS) {
|
||||
sc_log(card->ctx, "%s resumed.\n");
|
||||
if (tries_left) {
|
||||
*tries_left = MAX_PIN_TRIES;
|
||||
}
|
||||
} else {
|
||||
if (tries_left) {
|
||||
if (pace_output.mse_set_at_sw1 == 0x63
|
||||
&& (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0) {
|
||||
*tries_left = pace_output.mse_set_at_sw2 & 0x0f;
|
||||
} else {
|
||||
*tries_left = -1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (pin_reference == PACE_PIN_ID_PIN && tries_left) {
|
||||
if (*tries_left == 0) {
|
||||
sc_log(card->ctx, "%s is suspended and must be resumed.\n",
|
||||
npa_secret_name(pin_reference));
|
||||
} else if (*tries_left == 1) {
|
||||
sc_log(card->ctx, "%s is blocked and must be unblocked.\n",
|
||||
npa_secret_name(pin_reference));
|
||||
}
|
||||
}
|
||||
|
||||
npa_cache_or_free(card, &pace_output.ef_cardaccess,
|
||||
&pace_output.ef_cardaccess_length, NULL, NULL);
|
||||
free(pace_output.recent_car);
|
||||
free(pace_output.previous_car);
|
||||
free(pace_output.id_icc);
|
||||
free(pace_output.id_pcd);
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int npa_standard_pin_cmd(struct sc_card *card,
|
||||
struct sc_pin_cmd_data *data, int *tries_left)
|
||||
{
|
||||
int r;
|
||||
struct sc_card_driver *iso_drv;
|
||||
|
||||
iso_drv = sc_get_iso7816_driver();
|
||||
|
||||
if (!iso_drv || !iso_drv->ops || !iso_drv->ops->pin_cmd) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
} else {
|
||||
r = iso_drv->ops->pin_cmd(card, data, tries_left);
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int npa_pin_cmd(struct sc_card *card,
|
||||
struct sc_pin_cmd_data *data, int *tries_left)
|
||||
{
|
||||
int r;
|
||||
|
||||
if (!data) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (data->pin_type != SC_AC_CHV) {
|
||||
r = SC_ERROR_NOT_SUPPORTED;
|
||||
goto err;
|
||||
}
|
||||
|
||||
switch (data->cmd) {
|
||||
case SC_PIN_CMD_GET_INFO:
|
||||
r = npa_pin_cmd_get_info(card, data, tries_left);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
break;
|
||||
|
||||
case SC_PIN_CMD_UNBLOCK:
|
||||
#ifdef ENABLE_SM
|
||||
/* opensc-explorer unblocks the PIN by only sending
|
||||
* SC_PIN_CMD_UNBLOCK whereas the PKCS#15 framework first verifies
|
||||
* the PUK with SC_PIN_CMD_VERIFY and then calls with
|
||||
* SC_PIN_CMD_UNBLOCK.
|
||||
*
|
||||
* Here we determine whether the PUK has been verified or not by
|
||||
* checking if an SM channel has been established. */
|
||||
if (card->sm_ctx.sm_mode != SM_MODE_TRANSMIT) {
|
||||
/* PUK has not yet been verified */
|
||||
r = npa_pace_verify(card, PACE_PIN_ID_PUK, &(data->pin1), NULL,
|
||||
0, NULL);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
}
|
||||
#endif
|
||||
r = npa_reset_retry_counter(card, data->pin_reference, 0,
|
||||
NULL, 0);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
break;
|
||||
|
||||
case SC_PIN_CMD_CHANGE:
|
||||
case SC_PIN_CMD_VERIFY:
|
||||
switch (data->pin_reference) {
|
||||
case PACE_PIN_ID_CAN:
|
||||
case PACE_PIN_ID_PUK:
|
||||
case PACE_PIN_ID_MRZ:
|
||||
case PACE_PIN_ID_PIN:
|
||||
r = npa_pace_verify(card, data->pin_reference,
|
||||
&(data->pin1), NULL, 0, tries_left);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
break;
|
||||
|
||||
default:
|
||||
/* assuming QES PIN */
|
||||
|
||||
/* We assume that the eSign application has already been
|
||||
* unlocked, see npa_init().
|
||||
*
|
||||
* Now, verify the QES PIN. */
|
||||
r = npa_standard_pin_cmd(card, data, tries_left);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
break;
|
||||
}
|
||||
|
||||
if (data->cmd == SC_PIN_CMD_CHANGE) {
|
||||
r = npa_reset_retry_counter(card, data->pin_reference, 1,
|
||||
(const char *) data->pin2.data, data->pin2.len);
|
||||
if (r != SC_SUCCESS)
|
||||
goto err;
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
break;
|
||||
|
||||
}
|
||||
|
||||
err:
|
||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
||||
}
|
||||
|
||||
static int npa_logout(sc_card_t *card)
|
||||
{
|
||||
struct sc_apdu apdu;
|
||||
|
||||
sc_sm_stop(card);
|
||||
|
||||
if (card->reader->capabilities & SC_READER_CAP_PACE_GENERIC) {
|
||||
/* If PACE is done between reader and card, SM is transparent to us as
|
||||
* it ends at the reader. With CLA=0x0C we provoque a SM error to
|
||||
* disable SM on the reader. */
|
||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xA4, 0x00, 0x00);
|
||||
apdu.cla = 0x0C;
|
||||
sc_transmit_apdu(card, &apdu);
|
||||
/* ignore result */
|
||||
}
|
||||
return sc_select_file(card, sc_get_mf_path(), NULL);
|
||||
}
|
||||
|
||||
static struct sc_card_driver *npa_get_driver(void)
|
||||
{
|
||||
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
|
||||
|
||||
npa_ops = *iso_drv->ops;
|
||||
npa_ops.match_card = npa_match_card;
|
||||
npa_ops.init = npa_init;
|
||||
npa_ops.finish = npa_finish;
|
||||
npa_ops.set_security_env = npa_set_security_env;
|
||||
npa_ops.pin_cmd = npa_pin_cmd;
|
||||
npa_ops.logout = npa_logout;
|
||||
|
||||
return &npa_drv;
|
||||
}
|
||||
|
||||
void *sc_module_init(const char *name)
|
||||
{
|
||||
const char npa_name[] = "npa";
|
||||
if (name) {
|
||||
if (strcmp(npa_name, name) == 0)
|
||||
return npa_get_driver;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const char *sc_driver_version(void)
|
||||
{
|
||||
/* Tested with OpenSC 0.12 and 0.13.0, which can't be captured by checking
|
||||
* our version info against OpenSC's PACKAGE_VERSION. For this reason we
|
||||
* tell OpenSC that everything is fine, here. */
|
||||
return sc_get_version();
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
/*
|
||||
* Copyright (C) 2014-2015 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
|
||||
#ifndef _CARD_NPA_H
|
||||
#define _CARD_NPA_H
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#include "libopensc/opensc.h"
|
||||
|
||||
enum {
|
||||
SC_CARD_TYPE_NPA = 42000,
|
||||
SC_CARD_TYPE_NPA_TEST,
|
||||
SC_CARD_TYPE_NPA_ONLINE,
|
||||
};
|
||||
|
||||
const unsigned char esign_chat[] = {
|
||||
0x7F, 0x4C, 0x0E,
|
||||
0x06, 0x09, 0x04, 0x00, 0x7F, 0x00, 0x07, 0x03, 0x01, 0x02, 0x03,
|
||||
0x53, 0x01, 0x03,
|
||||
};
|
||||
|
||||
static const unsigned char df_esign_aid[] = { 0xa0, 0x00, 0x00, 0x01, 0x67, 0x45, 0x53, 0x49, 0x47, 0x4e};
|
||||
static const unsigned char df_esign_path[] = { 0x3f, 0x00, 0x50, 0x15, 0x1f, 0xff};
|
||||
static const unsigned char ef_cardaccess_path[] = { 0x3f, 0x00, 0x01, 0x1c};
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
#endif
|
|
@ -0,0 +1,2 @@
|
|||
sc_driver_version
|
||||
sc_module_init
|
|
@ -28,6 +28,7 @@
|
|||
#include "internal.h"
|
||||
#include "asn1.h"
|
||||
#include "iso7816.h"
|
||||
#include "sm/sm-iso.h"
|
||||
|
||||
|
||||
static void fixup_transceive_length(const struct sc_card *card,
|
||||
|
@ -1247,3 +1248,137 @@ struct sc_card_driver * sc_get_iso7816_driver(void)
|
|||
{
|
||||
return &iso_driver;
|
||||
}
|
||||
|
||||
#define ISO_READ_BINARY 0xB0
|
||||
#define ISO_P1_FLAG_SFID 0x80
|
||||
int iso7816_read_binary_sfid(sc_card_t *card, unsigned char sfid,
|
||||
u8 **ef, size_t *ef_len)
|
||||
{
|
||||
int r;
|
||||
size_t read = MAX_SM_APDU_RESP_SIZE;
|
||||
sc_apdu_t apdu;
|
||||
u8 *p;
|
||||
|
||||
if (!card || !ef || !ef_len) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
goto err;
|
||||
}
|
||||
*ef_len = 0;
|
||||
|
||||
if (read > 0xff+1)
|
||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_EXT,
|
||||
ISO_READ_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
|
||||
else
|
||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT,
|
||||
ISO_READ_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
|
||||
|
||||
p = realloc(*ef, read);
|
||||
if (!p) {
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
*ef = p;
|
||||
apdu.resp = *ef;
|
||||
apdu.resplen = read;
|
||||
apdu.le = read;
|
||||
|
||||
r = sc_transmit_apdu(card, &apdu);
|
||||
/* emulate the behaviour of sc_read_binary */
|
||||
if (r >= 0)
|
||||
r = apdu.resplen;
|
||||
|
||||
while(1) {
|
||||
if (r >= 0 && ((size_t) r) != read) {
|
||||
*ef_len += r;
|
||||
break;
|
||||
}
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not read EF.");
|
||||
goto err;
|
||||
}
|
||||
*ef_len += r;
|
||||
|
||||
p = realloc(*ef, *ef_len + read);
|
||||
if (!p) {
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
*ef = p;
|
||||
|
||||
r = sc_read_binary(card, *ef_len,
|
||||
*ef + *ef_len, read, 0);
|
||||
}
|
||||
|
||||
r = SC_SUCCESS;
|
||||
|
||||
err:
|
||||
return r;
|
||||
}
|
||||
|
||||
#define ISO_WRITE_BINARY 0xD0
|
||||
int iso7816_write_binary_sfid(sc_card_t *card, unsigned char sfid,
|
||||
u8 *ef, size_t ef_len)
|
||||
{
|
||||
int r;
|
||||
size_t write = MAX_SM_APDU_DATA_SIZE, wrote = 0;
|
||||
sc_apdu_t apdu;
|
||||
#ifdef ENABLE_SM
|
||||
struct iso_sm_ctx *iso_sm_ctx;
|
||||
#endif
|
||||
|
||||
if (!card) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
goto err;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_SM
|
||||
iso_sm_ctx = card->sm_ctx.info.cmd_data;
|
||||
if (write > SC_MAX_APDU_BUFFER_SIZE-2
|
||||
|| (card->sm_ctx.sm_mode == SM_MODE_TRANSMIT
|
||||
&& write > (((SC_MAX_APDU_BUFFER_SIZE-2
|
||||
/* for encrypted APDUs we usually get authenticated status
|
||||
* bytes (4B), a MAC (11B) and a cryptogram with padding
|
||||
* indicator (3B without data). The cryptogram is always
|
||||
* padded to the block size. */
|
||||
-18) / iso_sm_ctx->block_length)
|
||||
* iso_sm_ctx->block_length - 1)))
|
||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_EXT,
|
||||
ISO_WRITE_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
|
||||
else
|
||||
#endif
|
||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT,
|
||||
ISO_WRITE_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
|
||||
|
||||
if (write > ef_len) {
|
||||
apdu.datalen = ef_len;
|
||||
apdu.lc = ef_len;
|
||||
} else {
|
||||
apdu.datalen = write;
|
||||
apdu.lc = write;
|
||||
}
|
||||
apdu.data = ef;
|
||||
|
||||
|
||||
r = sc_transmit_apdu(card, &apdu);
|
||||
/* emulate the behaviour of sc_write_binary */
|
||||
if (r >= 0)
|
||||
r = apdu.datalen;
|
||||
|
||||
while (1) {
|
||||
if (r < 0 || ((size_t) r) > ef_len) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not write EF.");
|
||||
goto err;
|
||||
}
|
||||
wrote += r;
|
||||
apdu.data += r;
|
||||
if (wrote >= ef_len)
|
||||
break;
|
||||
|
||||
r = sc_write_binary(card, wrote, ef, write, 0);
|
||||
}
|
||||
|
||||
r = SC_SUCCESS;
|
||||
|
||||
err:
|
||||
return r;
|
||||
}
|
||||
|
|
|
@ -269,6 +269,8 @@ sc_write_binary
|
|||
sc_write_record
|
||||
sc_erase_binary
|
||||
sc_get_iso7816_driver
|
||||
iso7816_write_binary_sfid
|
||||
iso7816_read_binary_sfid
|
||||
sc_pkcs15init_add_app
|
||||
sc_pkcs15init_authenticate
|
||||
sc_pkcs15init_bind
|
||||
|
@ -339,3 +341,15 @@ iasecc_sm_rsa_update
|
|||
iasecc_sm_update_binary
|
||||
iasecc_sm_sdo_update
|
||||
iasecc_sdo_encode_update_field
|
||||
_sc_card_add_ec_alg
|
||||
_sc_card_add_rsa_alg
|
||||
_sc_match_atr
|
||||
_sc_log
|
||||
npa_secret_name
|
||||
get_pace_capabilities
|
||||
perform_pace
|
||||
perform_terminal_authentication
|
||||
perform_chip_authentication
|
||||
npa_default_flags
|
||||
npa_reset_retry_counter
|
||||
npa_pace_get_tries_left
|
||||
|
|
|
@ -1351,6 +1351,34 @@ extern const char *sc_get_version(void);
|
|||
|
||||
extern sc_card_driver_t *sc_get_iso7816_driver(void);
|
||||
|
||||
/**
|
||||
* @brief Read a complete EF by short file identifier.
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] sfid Short file identifier
|
||||
* @param[in,out] ef Where to safe the file. the buffer will be allocated
|
||||
* using \c realloc() and should be set to NULL, if
|
||||
* empty.
|
||||
* @param[in,out] ef_len Length of \a *ef
|
||||
*
|
||||
* @note The appropriate directory must be selected before calling this function.
|
||||
* */
|
||||
int iso7816_read_binary_sfid(sc_card_t *card, unsigned char sfid,
|
||||
u8 **ef, size_t *ef_len);
|
||||
|
||||
/**
|
||||
* @brief Write a complete EF by short file identifier.
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] sfid Short file identifier
|
||||
* @param[in] ef Date to write
|
||||
* @param[in] ef_len Length of \a ef
|
||||
*
|
||||
* @note The appropriate directory must be selected before calling this function.
|
||||
* */
|
||||
int iso7816_write_binary_sfid(sc_card_t *card, unsigned char sfid,
|
||||
u8 *ef, size_t ef_len);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* opensc.h: PACE library header file
|
||||
*
|
||||
* Copyright (C) ???? Frank Morgner <morgner@informatik.hu-berlin.de>
|
||||
* Copyright (C) 2010-2012 Frank Morgner <frankmorgner@gmail.com>
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
|
@ -43,61 +43,61 @@ extern "C" {
|
|||
* Input data for EstablishPACEChannel()
|
||||
*/
|
||||
struct establish_pace_channel_input {
|
||||
/** Type of secret (CAN, MRZ, PIN or PUK). */
|
||||
unsigned char pin_id;
|
||||
/** Type of secret (CAN, MRZ, PIN or PUK). */
|
||||
unsigned char pin_id;
|
||||
|
||||
/** Length of \a chat */
|
||||
size_t chat_length;
|
||||
/** Card holder authorization template */
|
||||
const unsigned char *chat;
|
||||
/** Length of \a chat */
|
||||
size_t chat_length;
|
||||
/** Card holder authorization template */
|
||||
const unsigned char *chat;
|
||||
|
||||
/** Length of \a pin */
|
||||
size_t pin_length;
|
||||
/** Secret */
|
||||
const unsigned char *pin;
|
||||
/** Length of \a pin */
|
||||
size_t pin_length;
|
||||
/** Secret */
|
||||
const unsigned char *pin;
|
||||
|
||||
/** Length of \a certificate_description */
|
||||
size_t certificate_description_length;
|
||||
/** Certificate description */
|
||||
const unsigned char *certificate_description;
|
||||
/** Length of \a certificate_description */
|
||||
size_t certificate_description_length;
|
||||
/** Certificate description */
|
||||
const unsigned char *certificate_description;
|
||||
};
|
||||
|
||||
/**
|
||||
* Output data for EstablishPACEChannel()
|
||||
*/
|
||||
struct establish_pace_channel_output {
|
||||
/** PACE result (TR-03119) */
|
||||
unsigned int result;
|
||||
/** PACE result (TR-03119) */
|
||||
unsigned int result;
|
||||
|
||||
/** MSE: Set AT status byte */
|
||||
unsigned char mse_set_at_sw1;
|
||||
/** MSE: Set AT status byte */
|
||||
unsigned char mse_set_at_sw2;
|
||||
/** MSE: Set AT status byte */
|
||||
unsigned char mse_set_at_sw1;
|
||||
/** MSE: Set AT status byte */
|
||||
unsigned char mse_set_at_sw2;
|
||||
|
||||
/** Length of \a ef_cardaccess */
|
||||
size_t ef_cardaccess_length;
|
||||
/** EF.CardAccess */
|
||||
unsigned char *ef_cardaccess;
|
||||
/** Length of \a ef_cardaccess */
|
||||
size_t ef_cardaccess_length;
|
||||
/** EF.CardAccess */
|
||||
unsigned char *ef_cardaccess;
|
||||
|
||||
/** Length of \a recent_car */
|
||||
size_t recent_car_length;
|
||||
/** Most recent certificate authority reference */
|
||||
unsigned char *recent_car;
|
||||
/** Length of \a recent_car */
|
||||
size_t recent_car_length;
|
||||
/** Most recent certificate authority reference */
|
||||
unsigned char *recent_car;
|
||||
|
||||
/** Length of \a previous_car */
|
||||
size_t previous_car_length;
|
||||
/** Previous certificate authority reference */
|
||||
unsigned char *previous_car;
|
||||
/** Length of \a previous_car */
|
||||
size_t previous_car_length;
|
||||
/** Previous certificate authority reference */
|
||||
unsigned char *previous_car;
|
||||
|
||||
/** Length of \a id_icc */
|
||||
size_t id_icc_length;
|
||||
/** ICC identifier */
|
||||
unsigned char *id_icc;
|
||||
/** Length of \a id_icc */
|
||||
size_t id_icc_length;
|
||||
/** ICC identifier */
|
||||
unsigned char *id_icc;
|
||||
|
||||
/** Length of \a id_pcd */
|
||||
size_t id_pcd_length;
|
||||
/** PCD identifier */
|
||||
unsigned char *id_pcd;
|
||||
/** Length of \a id_pcd */
|
||||
size_t id_pcd_length;
|
||||
/** PCD identifier */
|
||||
unsigned char *id_pcd;
|
||||
};
|
||||
|
||||
#ifdef __cplusplus
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
# Process this file with automake to create Makefile.in
|
||||
|
||||
MAINTAINERCLEANFILES = Makefile.in
|
||||
EXTRA_DIST = Makefile.mak
|
||||
|
||||
if ENABLE_OPENSSL
|
||||
noinst_LTLIBRARIES = libsm.la
|
||||
endif
|
||||
noinst_HEADERS = sm-common.h
|
||||
|
||||
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
|
||||
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_builddir)/src/include
|
||||
|
||||
libsm_la_SOURCES = sm-common.c sm-common.h
|
|
@ -1,18 +0,0 @@
|
|||
TOPDIR = ..\..
|
||||
|
||||
TARGET = libsm.lib
|
||||
OBJECTS = sm-common.obj
|
||||
|
||||
all: $(TARGET)
|
||||
|
||||
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
|
||||
|
||||
!IF "$(OPENSSL_DEF)" == "/DENABLE_OPENSSL"
|
||||
|
||||
$(TARGET): $(OBJECTS)
|
||||
lib $(LIBFLAGS) /out:$(TARGET) $(OBJECTS)
|
||||
|
||||
!ELSE
|
||||
$(TARGET):
|
||||
|
||||
!ENDIF
|
|
@ -0,0 +1,28 @@
|
|||
# Process this file with automake to create Makefile.in
|
||||
|
||||
MAINTAINERCLEANFILES = Makefile.in
|
||||
EXTRA_DIST = Makefile.mak
|
||||
|
||||
noinst_LTLIBRARIES = libsmiso.la libsmeac.la
|
||||
|
||||
noinst_HEADERS = \
|
||||
sm-iso-internal.h \
|
||||
sm-iso.h \
|
||||
sslutil.h \
|
||||
sm-eac.h
|
||||
|
||||
if ENABLE_OPENSSL
|
||||
noinst_LTLIBRARIES += libsm.la
|
||||
endif
|
||||
noinst_HEADERS += sm-common.h
|
||||
|
||||
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
|
||||
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_builddir)/src/include
|
||||
|
||||
libsm_la_SOURCES = sm-common.c sm-common.h
|
||||
|
||||
libsmiso_la_SOURCES = sm-iso.c
|
||||
|
||||
libsmeac_la_SOURCES = sm-eac.c
|
||||
libsmeac_la_LIBADD = $(OPENPACE_LIBS) $(OPENSSL_LIBS) libsmiso.la
|
||||
libsmeac_la_CFLAGS = $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS) -I$(top_srcdir)/src
|
|
@ -0,0 +1,30 @@
|
|||
TOPDIR = ..\..
|
||||
|
||||
TARGET = libsm.lib
|
||||
OBJECTS = sm-common.obj
|
||||
|
||||
TARGET1 = libsmiso.lib
|
||||
OBJECTS1 = sm-iso.obj
|
||||
|
||||
TARGET2 = libsmeac.lib
|
||||
OBJECTS2 = sm-eac.obj
|
||||
|
||||
all: $(TARGET) $(TARGET1) $(TARGET2)
|
||||
|
||||
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
|
||||
|
||||
!IF "$(OPENSSL_DEF)" == "/DENABLE_OPENSSL"
|
||||
|
||||
$(TARGET): $(OBJECTS)
|
||||
lib $(LIBFLAGS) /out:$(TARGET) $(OBJECTS)
|
||||
|
||||
!ELSE
|
||||
$(TARGET):
|
||||
|
||||
!ENDIF
|
||||
|
||||
$(TARGET1): $(OBJECTS1)
|
||||
lib $(LIBFLAGS) /out:$(TARGET1) $(OBJECTS1)
|
||||
|
||||
$(TARGET2): $(OBJECTS2)
|
||||
lib $(LIBFLAGS) /out:$(TARGET2) $(OBJECTS2)
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,296 @@
|
|||
/*
|
||||
* Copyright (C) 2011-2015 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
/**
|
||||
* @file
|
||||
* @defgroup npa Interface to German identity card (neuer Personalausweis, nPA)
|
||||
* @{
|
||||
*/
|
||||
#ifndef _SC_EAC_H
|
||||
#define _SC_EAC_H
|
||||
|
||||
#include "libopensc/opensc.h"
|
||||
#include "libopensc/pace.h"
|
||||
#include "sm/sm-iso.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_OPENPACE
|
||||
#include <eac/cv_cert.h>
|
||||
#include <eac/eac.h>
|
||||
#include <eac/pace.h>
|
||||
|
||||
/** @brief ASN.1 type for authenticated auxiliary data for terminal authentication */
|
||||
typedef STACK_OF(CVC_DISCRETIONARY_DATA_TEMPLATE) ASN1_AUXILIARY_DATA;
|
||||
DECLARE_ASN1_FUNCTIONS(ASN1_AUXILIARY_DATA)
|
||||
|
||||
#else
|
||||
/** @brief Type of the secret */
|
||||
enum s_type {
|
||||
/** @brief MRZ is the Machine Readable Zone, printed on the card, encoding
|
||||
* the personal information of the user */
|
||||
PACE_MRZ = 1,
|
||||
/** @brief CAN is the Card access number printed on the card */
|
||||
PACE_CAN,
|
||||
/** @brief PIN is the Personal Identification Number, a secret known only
|
||||
* to the user and not printed on the card */
|
||||
PACE_PIN,
|
||||
/** @brief PUK is the Personal Unblocking key. This type of secret is used
|
||||
* when the card is suspended due to too many incorrect PACE runs */
|
||||
PACE_PUK,
|
||||
/** @brief This type of secret is not defined in BSI TR-03110. We use it as
|
||||
* a generic type, so we can use PACE independent from a ID card */
|
||||
PACE_RAW,
|
||||
/** @brief Undefined type, if nothing else matches */
|
||||
PACE_SEC_UNDEF
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief Identification of the specifications to use.
|
||||
*
|
||||
* @note TR-03110 v2.01 differs from all later versions of the Technical
|
||||
* Guideline in how the authentication token is calculated. Therefore old test
|
||||
* cards are incompatible with the newer specification.
|
||||
*/
|
||||
enum eac_tr_version {
|
||||
/** @brief Undefined type, if nothing else matches */
|
||||
EAC_TR_VERSION = 0,
|
||||
/** @brief Perform EAC according to TR-03110 v2.01 */
|
||||
EAC_TR_VERSION_2_01,
|
||||
/** @brief Perform EAC according to TR-03110 v2.02 and later */
|
||||
EAC_TR_VERSION_2_02,
|
||||
};
|
||||
#endif
|
||||
|
||||
/** @brief NPA capabilities (TR-03119): PACE */
|
||||
#define NPA_BITMAP_PACE 0x40
|
||||
/** @brief NPA capabilities (TR-03119): EPA: eID */
|
||||
#define NPA_BITMAP_EID 0x20
|
||||
/** @brief NPA capabilities (TR-03119): EPA: eSign */
|
||||
#define NPA_BITMAP_ESIGN 0x10
|
||||
|
||||
/** @brief NPA result (TR-03119): Kein Fehler */
|
||||
#define NPA_SUCCESS 0x00000000
|
||||
/** @brief NPA result (TR-03119): Längen im Input sind inkonsistent */
|
||||
#define NPA_ERROR_LENGTH_INCONSISTENT 0xD0000001
|
||||
/** @brief NPA result (TR-03119): Unerwartete Daten im Input */
|
||||
#define NPA_ERROR_UNEXPECTED_DATA 0xD0000002
|
||||
/** @brief NPA result (TR-03119): Unerwartete Kombination von Daten im Input */
|
||||
#define NPA_ERROR_UNEXPECTED_DATA_COMBINATION 0xD0000003
|
||||
/** @brief NPA result (TR-03119): Die Karte unterstützt das PACE – Verfahren nicht. (Unerwartete Struktur in Antwortdaten der Karte) */
|
||||
#define NPA_ERROR_CARD_NOT_SUPPORTED 0xE0000001
|
||||
/** @brief NPA result (TR-03119): Der Kartenleser unterstützt den angeforderten bzw. den ermittelten Algorithmus nicht. */
|
||||
#define NPA_ERROR_ALGORITH_NOT_SUPPORTED 0xE0000002
|
||||
/** @brief NPA result (TR-03119): Der Kartenleser kennt die PIN – ID nicht. */
|
||||
#define NPA_ERROR_PINID_NOT_SUPPORTED 0xE0000003
|
||||
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf Select EF_CardAccess (needs to be OR-ed with SW1|SW2) */
|
||||
#define NPA_ERROR_SELECT_EF_CARDACCESS 0xF0000000
|
||||
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf Read Binary (needs to be OR-ed with SW1|SW2) */
|
||||
#define NPA_ERROR_READ_BINARY 0xF0010000
|
||||
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf MSE: Set AT (needs to be OR-ed with SW1|SW2) */
|
||||
#define NPA_ERROR_MSE_SET_AT 0xF0020000
|
||||
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 1 (needs to be OR-ed with SW1|SW2) */
|
||||
#define NPA_ERROR_GENERAL_AUTHENTICATE_1 0xF0030000
|
||||
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 2 (needs to be OR-ed with SW1|SW2) */
|
||||
#define NPA_ERROR_GENERAL_AUTHENTICATE_2 0xF0040000
|
||||
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 3 (needs to be OR-ed with SW1|SW2) */
|
||||
#define NPA_ERROR_GENERAL_AUTHENTICATE_3 0xF0050000
|
||||
/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 4 (needs to be OR-ed with SW1|SW2) */
|
||||
#define NPA_ERROR_GENERAL_AUTHENTICATE_4 0xF0060000
|
||||
/** @brief NPA result (TR-03119): Kommunikationsabbruch mit Karte. */
|
||||
#define NPA_ERROR_COMMUNICATION 0xF0100001
|
||||
/** @brief NPA result (TR-03119): Keine Karte im Feld. */
|
||||
#define NPA_ERROR_NO_CARD 0xF0100002
|
||||
/** @brief NPA result (TR-03119): Benutzerabbruch. */
|
||||
#define NPA_ERROR_ABORTED 0xF0200001
|
||||
/** @brief NPA result (TR-03119): Benutzer – Timeout */
|
||||
#define NPA_ERROR_TIMEOUT 0xF0200002
|
||||
|
||||
/** @brief File identifier of EF.CardAccess */
|
||||
#define FID_EF_CARDACCESS 0x011C
|
||||
/** @brief Short file identifier of EF.CardAccess */
|
||||
#define SFID_EF_CARDACCESS 0x1C
|
||||
/** @brief File identifier of EF.CardSecurity */
|
||||
#define FID_EF_CARDSECURITY 0x011D
|
||||
/** @brief Short file identifier of EF.CardAccess */
|
||||
#define SFID_EF_CARDSECURITY 0x1D
|
||||
|
||||
/** @brief Maximum length of PIN */
|
||||
#define MAX_PIN_LEN 6
|
||||
/** @brief Minimum length of PIN */
|
||||
#define MIN_PIN_LEN 6
|
||||
/** @brief Length of CAN */
|
||||
#define CAN_LEN 6
|
||||
/** @brief Minimum length of MRZ */
|
||||
#define MAX_MRZ_LEN 128
|
||||
/** @brief Number of retries for PIN */
|
||||
#define MAX_PIN_TRIES 3
|
||||
/** @brief Usage counter of PIN in suspended state */
|
||||
#define UC_PIN_SUSPENDED 1
|
||||
|
||||
|
||||
/**
|
||||
* @brief Names the type of the PACE secret
|
||||
*
|
||||
* @param pin_id type of the PACE secret
|
||||
*
|
||||
* @return Printable string containing the name
|
||||
*/
|
||||
const char *npa_secret_name(enum s_type pin_id);
|
||||
|
||||
|
||||
/**
|
||||
* @brief Get the PACE capabilities
|
||||
*
|
||||
* @param[in,out] bitmap where to store capabilities bitmap
|
||||
* @note Since this code offers no support for terminal certificate, the bitmap is always \c PACE_BITMAP_PACE|PACE_BITMAP_EID
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int get_pace_capabilities(u8 *bitmap);
|
||||
|
||||
/**
|
||||
* @brief Establish secure messaging using PACE
|
||||
*
|
||||
* Modifies \a card to use the ISO SM driver and initializes the data
|
||||
* structures to use the established SM channel.
|
||||
*
|
||||
* Prints certificate description and card holder authorization template if
|
||||
* given in a human readable form to stdout. If no secret is given, the user is
|
||||
* asked for it. Only \a pace_input.pin_id is mandatory, the other members of
|
||||
* \a pace_input can be set to \c 0 or \c NULL respectively.
|
||||
*
|
||||
* The buffers in \a pace_output are allocated using \c realloc() and should be
|
||||
* set to NULL, if empty. If an EF.CardAccess is already present, this file is
|
||||
* reused and not fetched from the card.
|
||||
*
|
||||
* @param[in,out] card
|
||||
* @param[in] pace_input
|
||||
* @param[in,out] pace_output
|
||||
* @param[in] tr_version Version of TR-03110 to use with PACE
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int perform_pace(sc_card_t *card,
|
||||
struct establish_pace_channel_input pace_input,
|
||||
struct establish_pace_channel_output *pace_output,
|
||||
enum eac_tr_version tr_version);
|
||||
|
||||
/**
|
||||
* @brief Terminal Authentication version 2
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] certs chain of cv certificates, the last certificate
|
||||
* is the terminal's certificate, array should be
|
||||
* terminated with \c NULL
|
||||
* @param[in] certs_lens length of each element in \c certs, should be
|
||||
* terminated with \c 0
|
||||
* @param[in] privkey The terminal's private key
|
||||
* @param[in] privkey_len length of \a privkey
|
||||
* @param[in] auxiliary_data auxiliary data for age/validity/community ID
|
||||
* verification. Should be an ASN1 object tagged
|
||||
* with \c 0x67
|
||||
* @param[in] auxiliary_data_len length of \a auxiliary_data
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int perform_terminal_authentication(sc_card_t *card,
|
||||
const unsigned char **certs, const size_t *certs_lens,
|
||||
const unsigned char *privkey, size_t privkey_len,
|
||||
const unsigned char *auxiliary_data, size_t auxiliary_data_len);
|
||||
|
||||
/**
|
||||
* @brief Establish secure messaging using Chip Authentication version 2
|
||||
*
|
||||
* Switches the SM context of \c card to the new established keys.
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in,out] ef_cardsecurity
|
||||
* @param[in,out] ef_cardsecurity_len
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int perform_chip_authentication(sc_card_t *card,
|
||||
unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_len);
|
||||
|
||||
/**
|
||||
* @brief Sends a reset retry counter APDU
|
||||
*
|
||||
* According to TR-03110 the reset retry counter APDU is used to set a new PIN
|
||||
* or to reset the retry counter of the PIN. The standard requires this
|
||||
* operation to be authorized either by an established PACE channel or by the
|
||||
* effective authorization of the terminal's certificate.
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] pin_id Type of secret (usually PIN or CAN). You may use <tt>enum s_type</tt> from \c <openssl/pace.h>.
|
||||
* @param[in] ask_for_secret whether to ask the user for the secret (\c 1) or not (\c 0)
|
||||
* @param[in] new (optional) new secret
|
||||
* @param[in] new_len (optional) length of \a new
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int npa_reset_retry_counter(sc_card_t *card,
|
||||
enum s_type pin_id, int ask_for_secret,
|
||||
const char *new, size_t new_len);
|
||||
|
||||
/**
|
||||
* @brief Sends an MSE:Set AT to determine the number of remaining tries
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] pin_id Type of secret (usually PIN or CAN). You may use <tt>enum s_type</tt> from \c <openssl/pace.h>.
|
||||
* @param[in,out] tries_left Tries left or -1 if no specific number has been returned by the card (e.g. when there is no limit in retries).
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int npa_pace_get_tries_left(sc_card_t *card,
|
||||
enum s_type pin_id, int *tries_left);
|
||||
/**
|
||||
* @brief Send APDU to unblock the PIN
|
||||
*
|
||||
* @param[in] card
|
||||
*/
|
||||
#define npa_unblock_pin(card) \
|
||||
npa_reset_retry_counter(card, PACE_PIN, 0, NULL, 0)
|
||||
/**
|
||||
* @brief Send APDU to set a new PIN
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] newp (optional) new PIN
|
||||
* @param[in] newplen (optional) length of \a new
|
||||
*/
|
||||
#define npa_change_pin(card, newp, newplen) \
|
||||
npa_reset_retry_counter(card, PACE_PIN, 1, newp, newplen)
|
||||
|
||||
/** @brief Disable all sanity checks done by libnpa */
|
||||
#define NPA_FLAG_DISABLE_CHECK_ALL 1
|
||||
/** @brief Disable checking validity period of CV certificates */
|
||||
#define NPA_FLAG_DISABLE_CHECK_TA 2
|
||||
/** @brief Disable checking passive authentication during CA */
|
||||
#define NPA_FLAG_DISABLE_CHECK_CA 4
|
||||
|
||||
/** @brief Use \c npa_default_flags to disable checks for EAC/SM */
|
||||
extern char npa_default_flags;
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
/* @} */
|
|
@ -0,0 +1,91 @@
|
|||
/*
|
||||
* Copyright (C) 2012-2015 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
/**
|
||||
* @file
|
||||
* @defgroup sm Interface to Secure Messaging (SM) defined in ISO 7816
|
||||
* @{
|
||||
*/
|
||||
#ifndef _ISO_SM_INTERNAL_H
|
||||
#define _ISO_SM_INTERNAL_H
|
||||
|
||||
#include "libopensc/opensc.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
/* @brief Protect an APDU with Secure Messaging
|
||||
*
|
||||
* If secure messaging (SM) is activated in \a sctx and \a apdu is not already
|
||||
* SM protected, \a apdu is processed with the following steps:
|
||||
* \li call to \a sctx->pre_transmit
|
||||
* \li encrypt \a apdu calling \a sctx->encrypt
|
||||
* \li authenticate \a apdu calling \a sctx->authenticate
|
||||
* \li copy the SM protected data to \a sm_apdu
|
||||
*
|
||||
* Data for authentication or encryption is always padded before the callback
|
||||
* functions are called
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] apdu
|
||||
* @param[in,out] sm_apdu
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu);
|
||||
|
||||
/* @brief Remove Secure Messaging from an APDU
|
||||
*
|
||||
* If secure messaging (SM) is activated in \a sctx and \a apdu is not already
|
||||
* SM protected, \a apdu is processed with the following steps:
|
||||
* \li verify SM protected \a apdu calling \a sctx->verify_authentication
|
||||
* \li decrypt SM protected \a apdu calling \a sctx->decrypt
|
||||
* \li copy decrypted/authenticated data and status bytes to \a apdu
|
||||
*
|
||||
* Callback functions must not remove padding.
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in,out] apdu
|
||||
* @param[in,out] sm_apdu will be freed when done.
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int iso_free_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu);
|
||||
|
||||
/**
|
||||
* @brief Cleans up allocated ressources of the ISO SM driver
|
||||
*
|
||||
* \c iso_sm_close() is designed as SM card operation. However, have in mind
|
||||
* that this card operation is not called automatically for \c
|
||||
* sc_disconnect_card() .
|
||||
*
|
||||
* @param[in] card
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int iso_sm_close(struct sc_card *card);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
/* @} */
|
|
@ -0,0 +1,783 @@
|
|||
/*
|
||||
* Copyright (C) 2011-2015 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif
|
||||
|
||||
#include "sm-iso-internal.h"
|
||||
#include "libopensc/asn1.h"
|
||||
#include "libopensc/log.h"
|
||||
#include "sm/sm-iso.h"
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#ifdef ENABLE_SM
|
||||
|
||||
static const struct sc_asn1_entry c_sm_capdu[] = {
|
||||
{ "Cryptogram",
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x05, SC_ASN1_OPTIONAL, NULL, NULL },
|
||||
{ "Padding-content indicator followed by cryptogram",
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x07, SC_ASN1_OPTIONAL, NULL, NULL },
|
||||
{ "Protected Le",
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x17, SC_ASN1_OPTIONAL, NULL, NULL },
|
||||
{ "Cryptographic Checksum",
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x0E, SC_ASN1_OPTIONAL, NULL, NULL },
|
||||
{ NULL , 0 , 0 , 0 , NULL , NULL }
|
||||
};
|
||||
|
||||
static const struct sc_asn1_entry c_sm_rapdu[] = {
|
||||
{ "Cryptogram",
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x05, SC_ASN1_OPTIONAL, NULL, NULL },
|
||||
{ "Padding-content indicator followed by cryptogram" ,
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x07, SC_ASN1_OPTIONAL, NULL, NULL },
|
||||
{ "Processing Status",
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x19, 0 , NULL, NULL },
|
||||
{ "Cryptographic Checksum",
|
||||
SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x0E, SC_ASN1_OPTIONAL, NULL, NULL },
|
||||
{ NULL, 0, 0, 0, NULL, NULL }
|
||||
};
|
||||
|
||||
static int
|
||||
add_iso_pad(const u8 *data, size_t datalen, int block_size, u8 **padded)
|
||||
{
|
||||
u8 *p;
|
||||
size_t p_len;
|
||||
|
||||
if (!padded)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
/* calculate length of padded message */
|
||||
p_len = (datalen / block_size) * block_size + block_size;
|
||||
|
||||
p = realloc(*padded, p_len);
|
||||
if (!p)
|
||||
return SC_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
if (*padded != data)
|
||||
/* Flawfinder: ignore */
|
||||
memcpy(p, data, datalen);
|
||||
|
||||
*padded = p;
|
||||
|
||||
/* now add iso padding */
|
||||
memset(p + datalen, 0x80, 1);
|
||||
memset(p + datalen + 1, 0, p_len - datalen - 1);
|
||||
|
||||
return p_len;
|
||||
}
|
||||
|
||||
static int
|
||||
add_padding(const struct iso_sm_ctx *ctx, const u8 *data, size_t datalen,
|
||||
u8 **padded)
|
||||
{
|
||||
u8 *p;
|
||||
|
||||
switch (ctx->padding_indicator) {
|
||||
case SM_NO_PADDING:
|
||||
if (*padded != data) {
|
||||
p = realloc(*padded, datalen);
|
||||
if (!p)
|
||||
return SC_ERROR_OUT_OF_MEMORY;
|
||||
*padded = p;
|
||||
/* Flawfinder: ignore */
|
||||
memcpy(*padded, data, datalen);
|
||||
}
|
||||
return datalen;
|
||||
case SM_ISO_PADDING:
|
||||
return add_iso_pad(data, datalen, ctx->block_length, padded);
|
||||
default:
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
rm_padding(u8 padding_indicator, const u8 *data, size_t datalen)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
if (!datalen || !data)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
switch (padding_indicator) {
|
||||
case SM_NO_PADDING:
|
||||
len = datalen;
|
||||
break;
|
||||
|
||||
case SM_ISO_PADDING:
|
||||
len = datalen;
|
||||
|
||||
while (len) {
|
||||
len--;
|
||||
if (data[len])
|
||||
break;
|
||||
}
|
||||
|
||||
if (data[len] != 0x80)
|
||||
return SC_ERROR_INVALID_DATA;
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
return SC_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
return len;
|
||||
}
|
||||
|
||||
static int format_le(size_t le, struct sc_asn1_entry *le_entry,
|
||||
u8 **lebuf, size_t *le_len)
|
||||
{
|
||||
u8 *p;
|
||||
|
||||
if (!lebuf || !le_len)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
p = realloc(*lebuf, *le_len);
|
||||
if (!p)
|
||||
return SC_ERROR_OUT_OF_MEMORY;
|
||||
*lebuf = p;
|
||||
|
||||
switch (*le_len) {
|
||||
case 1:
|
||||
p[0] = le;
|
||||
break;
|
||||
case 2:
|
||||
p[0] = le >> 8;
|
||||
p[1] = le & 0xff;
|
||||
break;
|
||||
case 3:
|
||||
p[0] = 0x00;
|
||||
p[1] = le >> 8;
|
||||
p[2] = le & 0xff;
|
||||
break;
|
||||
default:
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
}
|
||||
|
||||
sc_format_asn1_entry(le_entry, *lebuf, le_len, SC_ASN1_PRESENT);
|
||||
|
||||
return SC_SUCCESS;
|
||||
}
|
||||
|
||||
static int prefix_buf(u8 prefix, u8 *buf, size_t buflen, u8 **cat)
|
||||
{
|
||||
u8 *p;
|
||||
|
||||
p = realloc(*cat, buflen + 1);
|
||||
if (!p)
|
||||
return SC_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
if (*cat == buf) {
|
||||
memmove(p + 1, p, buflen);
|
||||
} else {
|
||||
/* Flawfinder: ignore */
|
||||
memcpy(p + 1, buf, buflen);
|
||||
}
|
||||
p[0] = prefix;
|
||||
|
||||
*cat = p;
|
||||
|
||||
return buflen + 1;
|
||||
}
|
||||
|
||||
static int format_data(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
int prepend_padding_indicator, const u8 *data, size_t datalen,
|
||||
struct sc_asn1_entry *formatted_encrypted_data_entry,
|
||||
u8 **formatted_data, size_t *formatted_data_len)
|
||||
{
|
||||
int r;
|
||||
u8 *pad_data = NULL;
|
||||
size_t pad_data_len = 0;
|
||||
|
||||
if (!ctx || !formatted_data || !formatted_data_len) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
goto err;
|
||||
}
|
||||
|
||||
r = add_padding(ctx, data, datalen, &pad_data);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not add padding to data: %s",
|
||||
sc_strerror(r));
|
||||
goto err;
|
||||
}
|
||||
pad_data_len = r;
|
||||
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Data to encrypt", pad_data, pad_data_len);
|
||||
r = ctx->encrypt(card, ctx, pad_data, pad_data_len, formatted_data);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt the data");
|
||||
goto err;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Cryptogram", *formatted_data, r);
|
||||
|
||||
if (prepend_padding_indicator) {
|
||||
r = prefix_buf(ctx->padding_indicator, *formatted_data, r, formatted_data);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not prepend padding indicator to formatted "
|
||||
"data: %s", sc_strerror(r));
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
*formatted_data_len = r;
|
||||
sc_format_asn1_entry(formatted_encrypted_data_entry,
|
||||
*formatted_data, formatted_data_len, SC_ASN1_PRESENT);
|
||||
|
||||
r = SC_SUCCESS;
|
||||
|
||||
err:
|
||||
if (pad_data) {
|
||||
sc_mem_clear(pad_data, pad_data_len);
|
||||
free(pad_data);
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int format_head(const struct iso_sm_ctx *ctx, const sc_apdu_t *apdu,
|
||||
u8 **formatted_head)
|
||||
{
|
||||
u8 *p;
|
||||
|
||||
if (!apdu || !formatted_head)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
p = realloc(*formatted_head, 4);
|
||||
if (!p)
|
||||
return SC_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
p[0] = apdu->cla;
|
||||
p[1] = apdu->ins;
|
||||
p[2] = apdu->p1;
|
||||
p[3] = apdu->p2;
|
||||
*formatted_head = p;
|
||||
|
||||
return add_padding(ctx, *formatted_head, 4, formatted_head);
|
||||
}
|
||||
|
||||
static int sm_encrypt(const struct iso_sm_ctx *ctx, sc_card_t *card,
|
||||
const sc_apdu_t *apdu, sc_apdu_t **psm_apdu)
|
||||
{
|
||||
struct sc_asn1_entry sm_capdu[5];
|
||||
u8 *p, *le = NULL, *sm_data = NULL, *fdata = NULL, *mac_data = NULL,
|
||||
*asn1 = NULL, *mac = NULL, *resp_data = NULL;
|
||||
size_t sm_data_len, fdata_len, mac_data_len, asn1_len, mac_len, le_len;
|
||||
int r, cse;
|
||||
sc_apdu_t *sm_apdu = NULL;
|
||||
|
||||
if (!apdu || !ctx || !card || !card->reader || !psm_apdu) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((apdu->cla & 0x0C) == 0x0C) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Given APDU is already protected with some secure messaging");
|
||||
goto err;
|
||||
}
|
||||
|
||||
sc_copy_asn1_entry(c_sm_capdu, sm_capdu);
|
||||
|
||||
sm_apdu = malloc(sizeof(sc_apdu_t));
|
||||
if (!sm_apdu) {
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
sm_apdu->control = apdu->control;
|
||||
sm_apdu->flags = apdu->flags;
|
||||
sm_apdu->cla = apdu->cla|0x0C;
|
||||
sm_apdu->ins = apdu->ins;
|
||||
sm_apdu->p1 = apdu->p1;
|
||||
sm_apdu->p2 = apdu->p2;
|
||||
r = format_head(ctx, sm_apdu, &mac_data);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format header of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
mac_data_len = r;
|
||||
|
||||
/* get le and data depending on the case of the insecure command */
|
||||
cse = apdu->cse;
|
||||
if ((apdu->le/ctx->block_length + 1)*ctx->block_length + 18 > 0xff+1)
|
||||
/* for encrypted APDUs we usually get authenticated status bytes (4B),
|
||||
* a MAC (11B) and a cryptogram with padding indicator (3B without
|
||||
* data). The cryptogram is always padded to the block size. */
|
||||
/*cse |= SC_APDU_EXT;*/
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
|
||||
"Response data may be truncated, because it doesn't fit into a short length APDU.");
|
||||
|
||||
switch (cse) {
|
||||
case SC_APDU_CASE_1:
|
||||
break;
|
||||
case SC_APDU_CASE_2_SHORT:
|
||||
le_len = 1;
|
||||
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
|
||||
break;
|
||||
case SC_APDU_CASE_2_EXT:
|
||||
if (card->reader->active_protocol == SC_PROTO_T0) {
|
||||
/* T0 extended APDUs look just like short APDUs */
|
||||
le_len = 1;
|
||||
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
} else {
|
||||
/* in case of T1 always use 2 bytes for length */
|
||||
le_len = 2;
|
||||
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
|
||||
break;
|
||||
case SC_APDU_CASE_3_SHORT:
|
||||
case SC_APDU_CASE_3_EXT:
|
||||
if (apdu->ins & 1) {
|
||||
r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
|
||||
sm_capdu + 0, &fdata, &fdata_len);
|
||||
} else {
|
||||
r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
|
||||
sm_capdu + 1, &fdata, &fdata_len);
|
||||
}
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
|
||||
fdata, fdata_len);
|
||||
break;
|
||||
case SC_APDU_CASE_4_SHORT:
|
||||
/* in case of T0 no Le byte is added */
|
||||
if (card->reader->active_protocol != SC_PROTO_T0) {
|
||||
le_len = 1;
|
||||
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
|
||||
}
|
||||
|
||||
if (apdu->ins & 1) {
|
||||
r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
|
||||
sm_capdu + 0, &fdata, &fdata_len);
|
||||
} else {
|
||||
r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
|
||||
sm_capdu + 1, &fdata, &fdata_len);
|
||||
}
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
|
||||
fdata, fdata_len);
|
||||
break;
|
||||
case SC_APDU_CASE_4_EXT:
|
||||
if (card->reader->active_protocol == SC_PROTO_T0) {
|
||||
/* again a T0 extended case 4 APDU looks just
|
||||
* like a short APDU, the additional data is
|
||||
* transferred using ENVELOPE and GET RESPONSE */
|
||||
} else {
|
||||
/* only 2 bytes are use to specify the length of the
|
||||
* expected data */
|
||||
le_len = 2;
|
||||
r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
|
||||
}
|
||||
|
||||
if (apdu->ins & 1) {
|
||||
r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
|
||||
sm_capdu + 0, &fdata, &fdata_len);
|
||||
} else {
|
||||
r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
|
||||
sm_capdu + 1, &fdata, &fdata_len);
|
||||
}
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
|
||||
goto err;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
|
||||
fdata, fdata_len);
|
||||
break;
|
||||
default:
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Unhandled apdu case");
|
||||
r = SC_ERROR_INVALID_DATA;
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
||||
r = sc_asn1_encode(card->ctx, sm_capdu, (u8 **) &asn1, &asn1_len);
|
||||
if (r < 0) {
|
||||
goto err;
|
||||
}
|
||||
if (asn1_len) {
|
||||
p = realloc(mac_data, mac_data_len + asn1_len);
|
||||
if (!p) {
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
mac_data = p;
|
||||
/* Flawfinder: ignore */
|
||||
memcpy(mac_data + mac_data_len, asn1, asn1_len);
|
||||
mac_data_len += asn1_len;
|
||||
r = add_padding(ctx, mac_data, mac_data_len, &mac_data);
|
||||
if (r < 0) {
|
||||
goto err;
|
||||
}
|
||||
mac_data_len = r;
|
||||
}
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Data to authenticate", mac_data, mac_data_len);
|
||||
|
||||
r = ctx->authenticate(card, ctx, mac_data, mac_data_len,
|
||||
&mac);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get authentication code");
|
||||
goto err;
|
||||
}
|
||||
mac_len = r;
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Cryptographic Checksum (plain)", mac, mac_len);
|
||||
|
||||
|
||||
/* format SM apdu */
|
||||
sc_format_asn1_entry(sm_capdu + 3, mac, &mac_len, SC_ASN1_PRESENT);
|
||||
r = sc_asn1_encode(card->ctx, sm_capdu, (u8 **) &sm_data, &sm_data_len);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
sm_apdu->data = sm_data;
|
||||
sm_apdu->datalen = sm_data_len;
|
||||
sm_apdu->lc = sm_data_len;
|
||||
sm_apdu->le = 0;
|
||||
if (cse & SC_APDU_EXT) {
|
||||
sm_apdu->cse = SC_APDU_CASE_4_EXT;
|
||||
#if OPENSC_NOT_BOGUS_ANYMORE
|
||||
sm_apdu->resplen = 0xffff+1;
|
||||
#else
|
||||
sm_apdu->resplen = SC_MAX_EXT_APDU_BUFFER_SIZE;
|
||||
#endif
|
||||
} else {
|
||||
sm_apdu->cse = SC_APDU_CASE_4_SHORT;
|
||||
#if OPENSC_NOT_BOGUS_ANYMORE
|
||||
sm_apdu->resplen = 0xff+1;
|
||||
#else
|
||||
sm_apdu->resplen = SC_MAX_APDU_BUFFER_SIZE;
|
||||
#endif
|
||||
}
|
||||
resp_data = malloc(sm_apdu->resplen);
|
||||
if (!resp_data) {
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
sm_apdu->resp = resp_data;
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "ASN.1 encoded encrypted APDU data", sm_apdu->data, sm_apdu->datalen);
|
||||
|
||||
*psm_apdu = sm_apdu;
|
||||
|
||||
err:
|
||||
free(fdata);
|
||||
free(asn1);
|
||||
free(mac_data);
|
||||
free(mac);
|
||||
free(le);
|
||||
if (r < 0) {
|
||||
free(resp_data);
|
||||
free(sm_apdu);
|
||||
free(sm_data);
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int sm_decrypt(const struct iso_sm_ctx *ctx, sc_card_t *card,
|
||||
const sc_apdu_t *sm_apdu, sc_apdu_t *apdu)
|
||||
{
|
||||
int r;
|
||||
struct sc_asn1_entry sm_rapdu[5];
|
||||
struct sc_asn1_entry my_sm_rapdu[5];
|
||||
u8 sw[2], mac[8], fdata[SC_MAX_EXT_APDU_BUFFER_SIZE];
|
||||
size_t sw_len = sizeof sw, mac_len = sizeof mac, fdata_len = sizeof fdata,
|
||||
buf_len, asn1_len, fdata_offset = 0;
|
||||
const u8 *buf;
|
||||
u8 *data = NULL, *mac_data = NULL, *asn1 = NULL;
|
||||
|
||||
sc_copy_asn1_entry(c_sm_rapdu, sm_rapdu);
|
||||
sc_format_asn1_entry(sm_rapdu + 0, fdata, &fdata_len, 0);
|
||||
sc_format_asn1_entry(sm_rapdu + 1, fdata, &fdata_len, 0);
|
||||
sc_format_asn1_entry(sm_rapdu + 2, sw, &sw_len, 0);
|
||||
sc_format_asn1_entry(sm_rapdu + 3, mac, &mac_len, 0);
|
||||
|
||||
r = sc_asn1_decode(card->ctx, sm_rapdu, sm_apdu->resp, sm_apdu->resplen,
|
||||
&buf, &buf_len);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
if (buf_len > 0) {
|
||||
r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
||||
if (sm_rapdu[3].flags & SC_ASN1_PRESENT) {
|
||||
/* copy from sm_apdu to my_sm_apdu, but leave mac at default */
|
||||
sc_copy_asn1_entry(sm_rapdu, my_sm_rapdu);
|
||||
sc_copy_asn1_entry(&c_sm_rapdu[3], &my_sm_rapdu[3]);
|
||||
|
||||
r = sc_asn1_encode(card->ctx, my_sm_rapdu, &asn1, &asn1_len);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
r = add_padding(ctx, asn1, asn1_len, &mac_data);
|
||||
if (r < 0) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
r = ctx->verify_authentication(card, ctx, mac, mac_len,
|
||||
mac_data, r);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
} else {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Cryptographic Checksum missing");
|
||||
r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
||||
if (sm_rapdu[1].flags & SC_ASN1_PRESENT) {
|
||||
if (ctx->padding_indicator != fdata[0]) {
|
||||
r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
|
||||
goto err;
|
||||
}
|
||||
fdata_offset = 1;
|
||||
}
|
||||
if (sm_rapdu[0].flags & SC_ASN1_PRESENT
|
||||
|| sm_rapdu[1].flags & SC_ASN1_PRESENT) {
|
||||
r = ctx->decrypt(card, ctx, fdata + fdata_offset,
|
||||
fdata_len - fdata_offset, &data);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
buf_len = r;
|
||||
|
||||
r = rm_padding(ctx->padding_indicator, data, buf_len);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not remove padding");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (apdu->resplen < (size_t) r || (r && !apdu->resp)) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
|
||||
"Response of SM APDU %u byte%s too long", r-apdu->resplen,
|
||||
r-apdu->resplen < 2 ? "" : "s");
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
/* Flawfinder: ignore */
|
||||
memcpy(apdu->resp, data, r);
|
||||
apdu->resplen = r;
|
||||
} else {
|
||||
apdu->resplen = 0;
|
||||
}
|
||||
|
||||
if (sm_rapdu[2].flags & SC_ASN1_PRESENT) {
|
||||
if (sw_len != 2) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Length of processing status bytes must be 2");
|
||||
r = SC_ERROR_ASN1_END_OF_CONTENTS;
|
||||
goto err;
|
||||
}
|
||||
apdu->sw1 = sw[0];
|
||||
apdu->sw2 = sw[1];
|
||||
} else {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Authenticated status bytes are missing");
|
||||
r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
|
||||
goto err;
|
||||
}
|
||||
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Decrypted APDU sw1=%02x sw2=%02x",
|
||||
apdu->sw1, apdu->sw2);
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Decrypted APDU response data",
|
||||
apdu->resp, apdu->resplen);
|
||||
|
||||
r = SC_SUCCESS;
|
||||
|
||||
err:
|
||||
free(asn1);
|
||||
free(mac_data);
|
||||
if (data) {
|
||||
sc_mem_clear(data, buf_len);
|
||||
free(data);
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int iso_add_sm(struct iso_sm_ctx *sctx, sc_card_t *card,
|
||||
sc_apdu_t *apdu, sc_apdu_t **sm_apdu)
|
||||
{
|
||||
if (!card || !sctx)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
if ((apdu->cla & 0x0C) == 0x0C) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Given APDU is already protected with some secure messaging. Closing own SM context.");
|
||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sc_sm_stop(card),
|
||||
"Could not close ISO SM session");
|
||||
return SC_ERROR_SM_NOT_APPLIED;
|
||||
}
|
||||
|
||||
if (sctx->pre_transmit)
|
||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->pre_transmit(card, sctx, apdu),
|
||||
"Could not complete SM specific pre transmit routine");
|
||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sm_encrypt(sctx, card, apdu, sm_apdu),
|
||||
"Could not encrypt APDU");
|
||||
|
||||
return SC_SUCCESS;
|
||||
}
|
||||
|
||||
static int iso_rm_sm(struct iso_sm_ctx *sctx, sc_card_t *card,
|
||||
sc_apdu_t *sm_apdu, sc_apdu_t *apdu)
|
||||
{
|
||||
if (sctx->post_transmit)
|
||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->post_transmit(card, sctx, sm_apdu),
|
||||
"Could not complete SM specific post transmit routine");
|
||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sm_decrypt(sctx, card, sm_apdu, apdu),
|
||||
"Could not decrypt APDU");
|
||||
if (sctx->finish)
|
||||
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->finish(card, sctx, apdu),
|
||||
"Could not complete SM specific post transmit routine");
|
||||
|
||||
return SC_SUCCESS;
|
||||
}
|
||||
|
||||
int iso_sm_close(struct sc_card *card)
|
||||
{
|
||||
if (card) {
|
||||
iso_sm_ctx_clear_free(card->sm_ctx.info.cmd_data);
|
||||
card->sm_ctx.info.cmd_data = NULL;
|
||||
}
|
||||
|
||||
return SC_SUCCESS;
|
||||
}
|
||||
|
||||
int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
|
||||
{
|
||||
return iso_add_sm(card->sm_ctx.info.cmd_data, card, apdu, sm_apdu);
|
||||
}
|
||||
|
||||
int iso_free_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
|
||||
{
|
||||
struct sc_apdu *p = *sm_apdu;
|
||||
int r;
|
||||
|
||||
if (!sm_apdu)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
p = *sm_apdu;
|
||||
|
||||
r = iso_rm_sm(card->sm_ctx.info.cmd_data, card, p, apdu);
|
||||
|
||||
if (p) {
|
||||
free((unsigned char *) p->data);
|
||||
free((unsigned char *) p->resp);
|
||||
}
|
||||
free(*sm_apdu);
|
||||
*sm_apdu = NULL;
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
struct iso_sm_ctx *iso_sm_ctx_create(void)
|
||||
{
|
||||
struct iso_sm_ctx *sctx = malloc(sizeof *sctx);
|
||||
if (!sctx)
|
||||
return NULL;
|
||||
|
||||
sctx->priv_data = NULL;
|
||||
sctx->padding_indicator = SM_ISO_PADDING;
|
||||
sctx->block_length = 0;
|
||||
sctx->authenticate = NULL;
|
||||
sctx->verify_authentication = NULL;
|
||||
sctx->encrypt = NULL;
|
||||
sctx->decrypt = NULL;
|
||||
sctx->pre_transmit = NULL;
|
||||
sctx->post_transmit = NULL;
|
||||
sctx->finish = NULL;
|
||||
sctx->clear_free = NULL;
|
||||
|
||||
return sctx;
|
||||
}
|
||||
|
||||
void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx)
|
||||
{
|
||||
if (sctx && sctx->clear_free)
|
||||
sctx->clear_free(sctx);
|
||||
free(sctx);
|
||||
}
|
||||
|
||||
int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx)
|
||||
{
|
||||
if (!card)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
if (card->sm_ctx.ops.close)
|
||||
card->sm_ctx.ops.close(card);
|
||||
|
||||
card->sm_ctx.info.cmd_data = sctx;
|
||||
card->sm_ctx.ops.close = iso_sm_close;
|
||||
card->sm_ctx.ops.free_sm_apdu = iso_free_sm_apdu;
|
||||
card->sm_ctx.ops.get_sm_apdu = iso_get_sm_apdu;
|
||||
card->sm_ctx.sm_mode = SM_MODE_TRANSMIT;
|
||||
|
||||
return SC_SUCCESS;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
int iso_sm_close(struct sc_card *card)
|
||||
{
|
||||
return SC_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
|
||||
{
|
||||
return SC_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
struct iso_sm_ctx *iso_sm_ctx_create(void)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx)
|
||||
{
|
||||
}
|
||||
|
||||
int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx)
|
||||
{
|
||||
return SC_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
#endif
|
|
@ -0,0 +1,126 @@
|
|||
/*
|
||||
* Copyright (C) 2012-2015 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
/**
|
||||
* @file
|
||||
* @defgroup sm Interface to Secure Messaging (SM) defined in ISO 7816
|
||||
* @{
|
||||
*/
|
||||
#ifndef _ISO_SM_H
|
||||
#define _ISO_SM_H
|
||||
|
||||
#include "libopensc/opensc.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
/** @brief maximum length of response when targeting a SM RAPDU
|
||||
*
|
||||
* Using SM with authenticated data+le and encrypted data this is the biggest
|
||||
* amount of the unencrypted response data we can receive. We assume AES block
|
||||
* length for padding and MAC. */
|
||||
#define MAX_SM_APDU_RESP_SIZE 223
|
||||
|
||||
/** @brief maximum length of data when targeting a SM APDU
|
||||
*
|
||||
* Using SM with authenticated data+header and encrypted data this is the
|
||||
* biggest amount of the unencrypted data we can send. We assume AES block
|
||||
* length for padding and MAC. */
|
||||
#define MAX_SM_APDU_DATA_SIZE 239
|
||||
|
||||
/** @brief Padding indicator: use ISO/IEC 9797-1 padding method 2 */
|
||||
#define SM_ISO_PADDING 0x01
|
||||
/** @brief Padding indicator: use no padding */
|
||||
#define SM_NO_PADDING 0x02
|
||||
|
||||
/** @brief Secure messaging context */
|
||||
struct iso_sm_ctx {
|
||||
/** @brief data of the specific crypto implementation */
|
||||
void *priv_data;
|
||||
|
||||
/** @brief Padding-content indicator byte (ISO 7816-4 Table 30) */
|
||||
u8 padding_indicator;
|
||||
/** @brief Pad to this block length */
|
||||
size_t block_length;
|
||||
|
||||
/** @brief Call back function for authentication of data */
|
||||
int (*authenticate)(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
const u8 *data, size_t datalen, u8 **outdata);
|
||||
/** @brief Call back function for verifying authentication data */
|
||||
int (*verify_authentication)(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
const u8 *mac, size_t maclen,
|
||||
const u8 *macdata, size_t macdatalen);
|
||||
|
||||
/** @brief Call back function for encryption of data */
|
||||
int (*encrypt)(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
const u8 *data, size_t datalen, u8 **enc);
|
||||
/** @brief Call back function for decryption of data */
|
||||
int (*decrypt)(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
const u8 *enc, size_t enclen, u8 **data);
|
||||
|
||||
/** @brief Call back function for actions before encoding and encryption of \a apdu */
|
||||
int (*pre_transmit)(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
sc_apdu_t *apdu);
|
||||
/** @brief Call back function for actions before decryption and decoding of \a sm_apdu */
|
||||
int (*post_transmit)(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
sc_apdu_t *sm_apdu);
|
||||
/** @brief Call back function for actions after decrypting SM protected APDU */
|
||||
int (*finish)(sc_card_t *card, const struct iso_sm_ctx *ctx,
|
||||
sc_apdu_t *apdu);
|
||||
|
||||
/** @brief Clears and frees private data */
|
||||
void (*clear_free)(const struct iso_sm_ctx *ctx);
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief Clears and frees the SM context including private data
|
||||
*
|
||||
* Calls \a sctx->clear_free() if available
|
||||
*
|
||||
* @param[in] sctx (optional)
|
||||
*/
|
||||
void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx);
|
||||
|
||||
/**
|
||||
* @brief Creates a SM context
|
||||
*
|
||||
* @return SM context or NULL if an error occurred
|
||||
*/
|
||||
struct iso_sm_ctx *iso_sm_ctx_create(void);
|
||||
|
||||
/**
|
||||
* @brief Initializes a card for usage of the ISO SM driver
|
||||
*
|
||||
* If a SM module has been assigned previously to the card, it will be cleaned
|
||||
* up.
|
||||
*
|
||||
* @param[in] card
|
||||
* @param[in] sctx will NOT be freed automatically. \a sctx should be present
|
||||
* for the time of the SM session.
|
||||
*
|
||||
* @return \c SC_SUCCESS or error code if an error occurred
|
||||
*/
|
||||
int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
/* @} */
|
|
@ -0,0 +1,39 @@
|
|||
/*
|
||||
* Copyright (C) 2011-2015 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
#ifndef _SC_SSLUTIL_H
|
||||
#define _SC_SSLUTIL_H
|
||||
|
||||
#include <libopensc/opensc.h>
|
||||
#include <libopensc/log.h>
|
||||
|
||||
#ifdef ENABLE_OPENSSL
|
||||
#include <openssl/err.h>
|
||||
|
||||
#define ssl_error(ctx) { \
|
||||
unsigned long _r; \
|
||||
ERR_load_crypto_strings(); \
|
||||
for (_r = ERR_get_error(); _r; _r = ERR_get_error()) { \
|
||||
sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, ERR_error_string(_r, NULL)); \
|
||||
} \
|
||||
ERR_free_strings(); \
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
|
@ -6,7 +6,7 @@ EXTRA_DIST = Makefile.mak
|
|||
|
||||
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
|
||||
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/common -I$(top_builddir)/src/include
|
||||
LIBS = $(top_builddir)/src/libsm/libsm.la \
|
||||
LIBS = $(top_builddir)/src/sm/libsm.la \
|
||||
$(top_builddir)/src/libopensc/libopensc.la \
|
||||
$(top_builddir)/src/common/libcompat.la
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@ TOPDIR = ..\..
|
|||
TARGET = smm-local.dll
|
||||
|
||||
OBJECTS = smm-local.obj sm-global-platform.obj sm-cwa14890.obj sm-card-iasecc.obj sm-card-authentic.obj
|
||||
LIBS = $(TOPDIR)\src\libsm\libsm.lib $(TOPDIR)\src\libopensc\opensc_a.lib $(TOPDIR)\src\common\libscdl.lib
|
||||
LIBS = $(TOPDIR)\src\sm\libsm.lib $(TOPDIR)\src\libopensc\opensc_a.lib $(TOPDIR)\src\common\libscdl.lib
|
||||
|
||||
all: $(TARGET)
|
||||
|
||||
|
|
|
@ -31,7 +31,7 @@ extern "C" {
|
|||
#include <openssl/sha.h>
|
||||
|
||||
#include "libopensc/sm.h"
|
||||
#include "libsm/sm-common.h"
|
||||
#include "sm/sm-common.h"
|
||||
|
||||
/* Global Platform definitions */
|
||||
int sm_gp_get_mac(unsigned char *key, DES_cblock *icv, unsigned char *in, int in_len,
|
||||
|
|
|
@ -1,14 +1,32 @@
|
|||
include $(top_srcdir)/win32/ltrc.inc
|
||||
|
||||
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/versioninfo-tools.rc
|
||||
EXTRA_DIST = Makefile.mak versioninfo-tools.rc.in
|
||||
do_subst = $(SED) \
|
||||
-e 's,[@]CVCDIR[@],$(CVCDIR),g' \
|
||||
-e 's,[@]PACKAGE[@],$(PACKAGE),g' \
|
||||
-e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
|
||||
-e 's,[@]PACKAGE_NAME[@],$(PACKAGE_NAME),g' \
|
||||
-e 's,[@]PACKAGE_TARNAME[@],$(PACKAGE_TARNAME),g' \
|
||||
-e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
|
||||
-e 's,[@]PACKAGE_SUMMARY[@],$(PACKAGE_SUMMARY),g' \
|
||||
-e 's,[@]PACKAGE_VERSION[@],"$(PACKAGE_VERSION)",g' \
|
||||
-e 's,[@]X509DIR[@],$(X509DIR),g'
|
||||
|
||||
noinst_HEADERS = util.h
|
||||
NPA_TOOL_BUILT_SOURCES = npa-tool-cmdline.h npa-tool-cmdline.c
|
||||
|
||||
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/versioninfo-tools.rc
|
||||
EXTRA_DIST = Makefile.mak versioninfo-tools.rc.in npa-tool.ggo.in
|
||||
|
||||
noinst_HEADERS = util.h fread_to_eof.h
|
||||
noinst_PROGRAMS = sceac-example
|
||||
bin_PROGRAMS = opensc-tool opensc-explorer pkcs15-tool pkcs15-crypt \
|
||||
pkcs11-tool cardos-tool eidenv openpgp-tool iasecc-tool
|
||||
if ENABLE_OPENSSL
|
||||
bin_PROGRAMS += cryptoflex-tool pkcs15-init netkey-tool piv-tool \
|
||||
westcos-tool sc-hsm-tool dnie-tool gids-tool
|
||||
westcos-tool sc-hsm-tool dnie-tool gids-tool npa-tool
|
||||
endif
|
||||
|
||||
if ENABLE_MAN
|
||||
dist_man1_MANS = npa-tool.1
|
||||
endif
|
||||
|
||||
# compile with $(PTHREAD_CFLAGS) to allow debugging with gdb
|
||||
|
@ -19,6 +37,10 @@ LIBS = \
|
|||
$(top_builddir)/src/common/libscdl.la \
|
||||
$(top_builddir)/src/common/libcompat.la
|
||||
|
||||
sceac_example_SOURCES = sceac-example.c
|
||||
sceac_example_LDADD = $(top_builddir)/src/sm/libsmeac.la $(top_builddir)/src/libopensc/libopensc.la $(OPENPACE_LIBS)
|
||||
sceac_example_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS)
|
||||
|
||||
opensc_tool_SOURCES = opensc-tool.c util.c
|
||||
piv_tool_SOURCES = piv-tool.c util.c
|
||||
piv_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
|
||||
|
@ -54,6 +76,31 @@ dnie_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
|
|||
gids_tool_SOURCES = gids-tool.c util.c
|
||||
gids_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
|
||||
|
||||
npa_tool_SOURCES = npa-tool.c fread_to_eof.c $(NPA_TOOL_BUILT_SOURCES)
|
||||
npa_tool_LDADD = $(top_builddir)/src/libopensc/libopensc.la \
|
||||
$(top_builddir)/src/sm/libsmeac.la \
|
||||
$(OPENPACE_LIBS)
|
||||
npa_tool_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS)
|
||||
|
||||
npa-tool.c: $(abs_builddir)/npa-tool.ggo $(NPA_TOOL_BUILT_SOURCES)
|
||||
|
||||
# We only want *cmdline* to be generated when they have explicitly been removed.
|
||||
$(NPA_TOOL_BUILT_SOURCES):
|
||||
$(MAKE) $(abs_builddir)/npa-tool.ggo
|
||||
$(GENGETOPT) --include-getopt --file-name=npa-tool-cmdline --output-dir=$(builddir) < $(abs_builddir)/npa-tool.ggo
|
||||
|
||||
$(abs_builddir)/npa-tool.ggo: npa-tool.ggo.in
|
||||
$(do_subst) < $(abs_srcdir)/npa-tool.ggo.in > $@
|
||||
|
||||
# We only want npa-tool.1 to be generated when it has explicitly been removed.
|
||||
npa-tool.1:
|
||||
$(MAKE) npa-tool$(EXEEXT)
|
||||
$(HELP2MAN) \
|
||||
--output=$@ \
|
||||
--no-info \
|
||||
--source='$(PACKAGE_STRING)' \
|
||||
$(builddir)/npa-tool$(EXEEXT)
|
||||
|
||||
if WIN32
|
||||
opensc_tool_SOURCES += versioninfo-tools.rc
|
||||
piv_tool_SOURCES += versioninfo-tools.rc
|
||||
|
@ -72,3 +119,6 @@ iasecc_tool_SOURCES += versioninfo-tools.rc
|
|||
sc_hsm_tool_SOURCES += versioninfo-tools.rc
|
||||
gids_tool_SOURCES += versioninfo-tools.rc
|
||||
endif
|
||||
|
||||
clean-local:
|
||||
rm -f $(abs_builddir)/npa-tool.ggo
|
||||
|
|
|
@ -8,12 +8,14 @@ TARGETS = opensc-tool.exe opensc-explorer.exe pkcs15-tool.exe pkcs15-crypt.exe \
|
|||
pkcs11-tool.exe cardos-tool.exe eidenv.exe openpgp-tool.exe iasecc-tool.exe \
|
||||
$(PROGRAMS_OPENSSL)
|
||||
|
||||
OBJECTS = util.obj versioninfo-tools.res
|
||||
OBJECTS = util.obj npa-tool-cmdline.obj fread_to_eof.obj versioninfo-tools.res
|
||||
LIBS = $(TOPDIR)\src\common\common.lib \
|
||||
$(TOPDIR)\src\scconf\scconf.lib \
|
||||
$(TOPDIR)\src\libopensc\opensc.lib \
|
||||
$(TOPDIR)\src\pkcs15init\pkcs15init.lib \
|
||||
$(TOPDIR)\src\common\libpkcs11.lib \
|
||||
$(TOPDIR)\src\sm\libsmeac.lib \
|
||||
$(TOPDIR)\src\sm\libsmiso.lib \
|
||||
$(TOPDIR)\src\common\libscdl.lib
|
||||
|
||||
all: $(TARGETS)
|
||||
|
@ -22,5 +24,5 @@ $(TARGETS): $(OBJECTS) $(LIBS)
|
|||
|
||||
.c.exe:
|
||||
cl $(COPTS) /c $<
|
||||
link $(LINKFLAGS) /pdb:$*.pdb /out:$@ $*.obj $(OBJECTS) $(LIBS) $(OPENSSL_LIB) gdi32.lib shell32.lib
|
||||
link $(LINKFLAGS) /pdb:$*.pdb /out:$@ $*.obj $(OBJECTS) $(LIBS) $(OPENPACE_LIB) $(OPENSSL_LIB) gdi32.lib shell32.lib ws2_32.lib
|
||||
if EXIST $@.manifest mt -manifest $@.manifest -outputresource:$@;1
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
00:22:81:B6:0F:83:0D:5A:5A:43:56:43:41:41:54:41:30:30:30:31
|
||||
00:2a:00:be:e4:7f:4e:81:9d:5f:29:01:00:42:0d:5a:5a:43:56:43:41:41:54:41:30:30:30:31:7f:49:4f:06:0a:04:00:7f:00:07:02:02:02:02:03:86:41:04:52:dd:32:ea:fe:1f:bb:b4:00:0c:d9:ce:75:f6:66:36:cf:cf:1e:dd:44:f7:b1:ed:ae:25:b8:41:93:da:04:a9:1c:77:ee:87:f5:c8:f9:59:ed:27:62:00:de:33:ab:57:4c:e9:80:11:35:ff:44:97:a3:71:62:b7:c8:54:8a:0c:5f:20:0e:5a:5a:44:56:43:41:41:54:41:30:30:30:30:35:7f:4c:12:06:09:04:00:7f:00:07:03:01:02:02:53:05:70:03:01:ff:b7:5f:25:06:01:00:00:06:01:01:5f:24:06:01:00:01:00:03:01:5f:37:40:6f:13:ae:9a:6f:4e:dd:b7:83:9f:f3:f0:4d:71:e0:dc:37:7b:c4:b0:8f:ad:29:5e:ed:24:1b:52:43:28:ad:07:30:eb:55:34:97:b4:fb:66:e9:bb:7a:b9:08:15:f0:42:73:f0:9e:75:1d:7f:d4:b8:61:43:9b:4e:e6:53:81:c3
|
||||
002281B610830E5A5A445643414154413030303035
|
||||
002a00be0001417f4e81fa5f290100420e5a5a4456434141544130303030357f494f060a04007f000702020202038641049bfe7415d73c4a78d60b2cc1bca11b6d5e523969acfb5b756a3be1551b22239c79ae362b838b00669983c0caf6ed0c781d401c95d2b32857de8ce1b619dac4a75f200a5a5a5349543030304f347f4c12060904007f000703010202530500000000045f25060100000902015f2406010000090206655e732d060904007f0007030103028020b02baa51a94fac0954df204d61fe22da1d408d45db4aa1d70e600dad4faf6799732d060904007f0007030103018020c72e13582f01ba068dd1aac29a2428c0c54ab9c204fd53b3f13e8290e21e50f95f374083c5b441fec5b18efd1caa4a11b8e1cede0a8b42d442f00d7f604e429f339b4e3e6c06f9e76a2daa82c1722ee137a89038b969c634561581e6c26d9f6fa75c52
|
||||
00:22:81:A4:53:80:0A:04:00:7F:00:07:02:02:02:02:03:83:0A:5A:5A:53:49:54:30:30:30:4F:34:91:20:88:E5:F2:C6:11:18:0D:0A:C1:0E:BD:E6:FC:2A:5E:62:41:79:C0:A5:77:C3:E4:88:52:DD:81:A4:CD:F7:90:51:67:17:73:15:06:09:04:00:7F:00:07:03:01:04:02:53:08:32:30:31:30:30:39:32:34
|
||||
00:84:00:00:08
|
||||
00820000400C9E7DB72CB0FAEA15B00FECAE0257546446A9395862239AF240C3C29E857F8403345817760FE13F6597F04D2F7330B59065F68DF71EF7FDEC86743CDE2869DD
|
||||
00a4000c023f00
|
||||
00:A4:02:0C:02:01:1D
|
||||
00:b0:00:00:80
|
||||
00B0008080
|
||||
00b0010080
|
||||
00:B0:01:80:80
|
||||
00:b0:02:00:80
|
||||
00B0028080
|
||||
00b0030080
|
||||
00:B0:03:80:80
|
||||
00:b0:04:00:80
|
||||
00B0048080
|
||||
00b0050080
|
||||
00:B0:05:80:80
|
||||
00:b0:06:00:80
|
||||
00B0068080
|
||||
00b0070080
|
||||
00:B0:07:80:80
|
||||
00:22:41:a4:0c:80:0a:04:00:7f:00:07:02:02:03:02:02
|
||||
00860000457C43804104239E3D05EEB059117D30F86AEB5AE7D12E0EBF758889C79115F2A13DC1BB570A5CAD91A384337C09D1B74BED1C0FF195A7C3EA3A2CEDF86DDEF7B95D1FD1B35D00
|
||||
0020001006010203040506
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
/*
|
||||
* Copyright (C) 2010 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
int fread_to_eof(const char *file, unsigned char **buf, size_t *buflen)
|
||||
{
|
||||
FILE *input = NULL;
|
||||
int r = 0;
|
||||
unsigned char *p;
|
||||
|
||||
if (!buflen || !buf || !file)
|
||||
goto err;
|
||||
|
||||
#define MAX_READ_LEN 0xfff
|
||||
p = realloc(*buf, MAX_READ_LEN);
|
||||
if (!p)
|
||||
goto err;
|
||||
*buf = p;
|
||||
|
||||
input = fopen(file, "rb");
|
||||
if (!input) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
*buflen = 0;
|
||||
while (feof(input) == 0 && *buflen < MAX_READ_LEN) {
|
||||
*buflen += fread(*buf+*buflen, 1, MAX_READ_LEN-*buflen, input);
|
||||
if (ferror(input)) {
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
r = 1;
|
||||
err:
|
||||
if (input)
|
||||
fclose(input);
|
||||
|
||||
return r;
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/*
|
||||
* Copyright (C) 2010 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
#ifndef _FREAD_TO_EOF_H
|
||||
#define _FREAD_TO_EOF_H
|
||||
|
||||
int fread_to_eof(const char *file, unsigned char **buf, size_t *buflen);
|
||||
|
||||
#endif
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,354 @@
|
|||
/** @file npa-tool-cmdline.h
|
||||
* @brief The header file for the command line option parser
|
||||
* generated by GNU Gengetopt version 2.22.6
|
||||
* http://www.gnu.org/software/gengetopt.
|
||||
* DO NOT modify this file, since it can be overwritten
|
||||
* @author GNU Gengetopt by Lorenzo Bettini */
|
||||
|
||||
#ifndef NPA_TOOL_CMDLINE_H
|
||||
#define NPA_TOOL_CMDLINE_H
|
||||
|
||||
/* If we use autoconf. */
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif
|
||||
|
||||
#include <stdio.h> /* for FILE */
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif /* __cplusplus */
|
||||
|
||||
#ifndef CMDLINE_PARSER_PACKAGE
|
||||
/** @brief the program name (used for printing errors) */
|
||||
#define CMDLINE_PARSER_PACKAGE "npa-tool"
|
||||
#endif
|
||||
|
||||
#ifndef CMDLINE_PARSER_PACKAGE_NAME
|
||||
/** @brief the complete program name (used for help and version) */
|
||||
#define CMDLINE_PARSER_PACKAGE_NAME "npa-tool"
|
||||
#endif
|
||||
|
||||
#ifndef CMDLINE_PARSER_VERSION
|
||||
/** @brief the program version */
|
||||
#define CMDLINE_PARSER_VERSION VERSION
|
||||
#endif
|
||||
|
||||
/** @brief Where the command line options are stored */
|
||||
struct gengetopt_args_info
|
||||
{
|
||||
const char *help_help; /**< @brief Print help and exit help description. */
|
||||
const char *version_help; /**< @brief Print version and exit help description. */
|
||||
int reader_arg; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) (default='-1'). */
|
||||
char * reader_orig; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) original value given at command line. */
|
||||
const char *reader_help; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) help description. */
|
||||
unsigned int verbose_min; /**< @brief Use (several times) to be more verbose's minimum occurreces */
|
||||
unsigned int verbose_max; /**< @brief Use (several times) to be more verbose's maximum occurreces */
|
||||
const char *verbose_help; /**< @brief Use (several times) to be more verbose help description. */
|
||||
char * pin_arg; /**< @brief Run PACE with (transport) eID-PIN. */
|
||||
char * pin_orig; /**< @brief Run PACE with (transport) eID-PIN original value given at command line. */
|
||||
const char *pin_help; /**< @brief Run PACE with (transport) eID-PIN help description. */
|
||||
char * puk_arg; /**< @brief Run PACE with PUK. */
|
||||
char * puk_orig; /**< @brief Run PACE with PUK original value given at command line. */
|
||||
const char *puk_help; /**< @brief Run PACE with PUK help description. */
|
||||
char * can_arg; /**< @brief Run PACE with CAN. */
|
||||
char * can_orig; /**< @brief Run PACE with CAN original value given at command line. */
|
||||
const char *can_help; /**< @brief Run PACE with CAN help description. */
|
||||
char * mrz_arg; /**< @brief Run PACE with MRZ (insert MRZ without newlines). */
|
||||
char * mrz_orig; /**< @brief Run PACE with MRZ (insert MRZ without newlines) original value given at command line. */
|
||||
const char *mrz_help; /**< @brief Run PACE with MRZ (insert MRZ without newlines) help description. */
|
||||
int env_flag; /**< @brief Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this. (default=off). */
|
||||
const char *env_help; /**< @brief Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this. help description. */
|
||||
char * new_pin_arg; /**< @brief Install a new PIN. */
|
||||
char * new_pin_orig; /**< @brief Install a new PIN original value given at command line. */
|
||||
const char *new_pin_help; /**< @brief Install a new PIN help description. */
|
||||
int resume_flag; /**< @brief Resume eID-PIN (uses CAN to activate last retry) (default=off). */
|
||||
const char *resume_help; /**< @brief Resume eID-PIN (uses CAN to activate last retry) help description. */
|
||||
int unblock_flag; /**< @brief Unblock PIN (uses PUK to activate three more retries) (default=off). */
|
||||
const char *unblock_help; /**< @brief Unblock PIN (uses PUK to activate three more retries) help description. */
|
||||
char ** cv_certificate_arg; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).. */
|
||||
char ** cv_certificate_orig; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important). original value given at command line. */
|
||||
unsigned int cv_certificate_min; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).'s minimum occurreces */
|
||||
unsigned int cv_certificate_max; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).'s maximum occurreces */
|
||||
const char *cv_certificate_help; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important). help description. */
|
||||
char * cert_desc_arg; /**< @brief Certificate description to show for Terminal Authentication. */
|
||||
char * cert_desc_orig; /**< @brief Certificate description to show for Terminal Authentication original value given at command line. */
|
||||
const char *cert_desc_help; /**< @brief Certificate description to show for Terminal Authentication help description. */
|
||||
char * chat_arg; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser).. */
|
||||
char * chat_orig; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser). original value given at command line. */
|
||||
const char *chat_help; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser). help description. */
|
||||
char * auxiliary_data_arg; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID).. */
|
||||
char * auxiliary_data_orig; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID). original value given at command line. */
|
||||
const char *auxiliary_data_help; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID). help description. */
|
||||
char * private_key_arg; /**< @brief Terminal's private key. */
|
||||
char * private_key_orig; /**< @brief Terminal's private key original value given at command line. */
|
||||
const char *private_key_help; /**< @brief Terminal's private key help description. */
|
||||
char * cvc_dir_arg; /**< @brief Where to look for the CVCA's certificate (default='/home/fm/.local/etc/eac/cvc'). */
|
||||
char * cvc_dir_orig; /**< @brief Where to look for the CVCA's certificate original value given at command line. */
|
||||
const char *cvc_dir_help; /**< @brief Where to look for the CVCA's certificate help description. */
|
||||
char * x509_dir_arg; /**< @brief Where to look for the CSCA's certificate (default='/home/fm/.local/etc/eac/x509'). */
|
||||
char * x509_dir_orig; /**< @brief Where to look for the CSCA's certificate original value given at command line. */
|
||||
const char *x509_dir_help; /**< @brief Where to look for the CSCA's certificate help description. */
|
||||
int disable_ta_checks_flag; /**< @brief Disable checking the validity period of CV certifcates (default=off). */
|
||||
const char *disable_ta_checks_help; /**< @brief Disable checking the validity period of CV certifcates help description. */
|
||||
int disable_ca_checks_flag; /**< @brief Disable passive authentication (default=off). */
|
||||
const char *disable_ca_checks_help; /**< @brief Disable passive authentication help description. */
|
||||
int read_dg1_flag; /**< @brief Read DG 1 (Document Type) (default=off). */
|
||||
const char *read_dg1_help; /**< @brief Read DG 1 (Document Type) help description. */
|
||||
int read_dg2_flag; /**< @brief Read DG 2 (Issuing State) (default=off). */
|
||||
const char *read_dg2_help; /**< @brief Read DG 2 (Issuing State) help description. */
|
||||
int read_dg3_flag; /**< @brief Read DG 3 (Date of Expiry) (default=off). */
|
||||
const char *read_dg3_help; /**< @brief Read DG 3 (Date of Expiry) help description. */
|
||||
int read_dg4_flag; /**< @brief Read DG 4 (Given Names) (default=off). */
|
||||
const char *read_dg4_help; /**< @brief Read DG 4 (Given Names) help description. */
|
||||
int read_dg5_flag; /**< @brief Read DG 5 (Family Names) (default=off). */
|
||||
const char *read_dg5_help; /**< @brief Read DG 5 (Family Names) help description. */
|
||||
int read_dg6_flag; /**< @brief Read DG 6 (Religious/Artistic Name) (default=off). */
|
||||
const char *read_dg6_help; /**< @brief Read DG 6 (Religious/Artistic Name) help description. */
|
||||
int read_dg7_flag; /**< @brief Read DG 7 (Academic Title) (default=off). */
|
||||
const char *read_dg7_help; /**< @brief Read DG 7 (Academic Title) help description. */
|
||||
int read_dg8_flag; /**< @brief Read DG 8 (Date of Birth) (default=off). */
|
||||
const char *read_dg8_help; /**< @brief Read DG 8 (Date of Birth) help description. */
|
||||
int read_dg9_flag; /**< @brief Read DG 9 (Place of Birth) (default=off). */
|
||||
const char *read_dg9_help; /**< @brief Read DG 9 (Place of Birth) help description. */
|
||||
int read_dg10_flag; /**< @brief Read DG 10 (Nationality) (default=off). */
|
||||
const char *read_dg10_help; /**< @brief Read DG 10 (Nationality) help description. */
|
||||
int read_dg11_flag; /**< @brief Read DG 11 (Sex) (default=off). */
|
||||
const char *read_dg11_help; /**< @brief Read DG 11 (Sex) help description. */
|
||||
int read_dg12_flag; /**< @brief Read DG 12 (Optional Data) (default=off). */
|
||||
const char *read_dg12_help; /**< @brief Read DG 12 (Optional Data) help description. */
|
||||
int read_dg13_flag; /**< @brief Read DG 13 (Birth Name) (default=off). */
|
||||
const char *read_dg13_help; /**< @brief Read DG 13 (Birth Name) help description. */
|
||||
int read_dg14_flag; /**< @brief Read DG 14 (default=off). */
|
||||
const char *read_dg14_help; /**< @brief Read DG 14 help description. */
|
||||
int read_dg15_flag; /**< @brief Read DG 15 (default=off). */
|
||||
const char *read_dg15_help; /**< @brief Read DG 15 help description. */
|
||||
int read_dg16_flag; /**< @brief Read DG 16 (default=off). */
|
||||
const char *read_dg16_help; /**< @brief Read DG 16 help description. */
|
||||
int read_dg17_flag; /**< @brief Read DG 17 (Normal Place of Residence) (default=off). */
|
||||
const char *read_dg17_help; /**< @brief Read DG 17 (Normal Place of Residence) help description. */
|
||||
int read_dg18_flag; /**< @brief Read DG 18 (Community ID) (default=off). */
|
||||
const char *read_dg18_help; /**< @brief Read DG 18 (Community ID) help description. */
|
||||
int read_dg19_flag; /**< @brief Read DG 19 (Residence Permit I) (default=off). */
|
||||
const char *read_dg19_help; /**< @brief Read DG 19 (Residence Permit I) help description. */
|
||||
int read_dg20_flag; /**< @brief Read DG 20 (Residence Permit II) (default=off). */
|
||||
const char *read_dg20_help; /**< @brief Read DG 20 (Residence Permit II) help description. */
|
||||
int read_dg21_flag; /**< @brief Read DG 21 (Optional Data) (default=off). */
|
||||
const char *read_dg21_help; /**< @brief Read DG 21 (Optional Data) help description. */
|
||||
char * write_dg17_arg; /**< @brief Write DG 17 (Normal Place of Residence). */
|
||||
char * write_dg17_orig; /**< @brief Write DG 17 (Normal Place of Residence) original value given at command line. */
|
||||
const char *write_dg17_help; /**< @brief Write DG 17 (Normal Place of Residence) help description. */
|
||||
char * write_dg18_arg; /**< @brief Write DG 18 (Community ID). */
|
||||
char * write_dg18_orig; /**< @brief Write DG 18 (Community ID) original value given at command line. */
|
||||
const char *write_dg18_help; /**< @brief Write DG 18 (Community ID) help description. */
|
||||
char * write_dg19_arg; /**< @brief Write DG 19 (Residence Permit I). */
|
||||
char * write_dg19_orig; /**< @brief Write DG 19 (Residence Permit I) original value given at command line. */
|
||||
const char *write_dg19_help; /**< @brief Write DG 19 (Residence Permit I) help description. */
|
||||
char * write_dg20_arg; /**< @brief Write DG 20 (Residence Permit II). */
|
||||
char * write_dg20_orig; /**< @brief Write DG 20 (Residence Permit II) original value given at command line. */
|
||||
const char *write_dg20_help; /**< @brief Write DG 20 (Residence Permit II) help description. */
|
||||
char * write_dg21_arg; /**< @brief Write DG 21 (Optional Data). */
|
||||
char * write_dg21_orig; /**< @brief Write DG 21 (Optional Data) original value given at command line. */
|
||||
const char *write_dg21_help; /**< @brief Write DG 21 (Optional Data) help description. */
|
||||
char * verify_validity_arg; /**< @brief Verify chip's validity with a reference date. */
|
||||
char * verify_validity_orig; /**< @brief Verify chip's validity with a reference date original value given at command line. */
|
||||
const char *verify_validity_help; /**< @brief Verify chip's validity with a reference date help description. */
|
||||
char * older_than_arg; /**< @brief Verify age with a reference date. */
|
||||
char * older_than_orig; /**< @brief Verify age with a reference date original value given at command line. */
|
||||
const char *older_than_help; /**< @brief Verify age with a reference date help description. */
|
||||
char * verify_community_arg; /**< @brief Verify community ID with a reference ID. */
|
||||
char * verify_community_orig; /**< @brief Verify community ID with a reference ID original value given at command line. */
|
||||
const char *verify_community_help; /**< @brief Verify community ID with a reference ID help description. */
|
||||
int break_flag; /**< @brief Brute force PIN, CAN or PUK. Use together with -p, -a or -u (default=off). */
|
||||
const char *break_help; /**< @brief Brute force PIN, CAN or PUK. Use together with -p, -a or -u help description. */
|
||||
char * translate_arg; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel (default='stdin'). */
|
||||
char * translate_orig; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel original value given at command line. */
|
||||
const char *translate_help; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel help description. */
|
||||
int tr_03110v201_flag; /**< @brief Force compliance to BSI TR-03110 version 2.01 (default=off). */
|
||||
const char *tr_03110v201_help; /**< @brief Force compliance to BSI TR-03110 version 2.01 help description. */
|
||||
int disable_all_checks_flag; /**< @brief Disable all checking of fly-by-data (default=off). */
|
||||
const char *disable_all_checks_help; /**< @brief Disable all checking of fly-by-data help description. */
|
||||
|
||||
unsigned int help_given ; /**< @brief Whether help was given. */
|
||||
unsigned int version_given ; /**< @brief Whether version was given. */
|
||||
unsigned int reader_given ; /**< @brief Whether reader was given. */
|
||||
unsigned int verbose_given ; /**< @brief Whether verbose was given. */
|
||||
unsigned int pin_given ; /**< @brief Whether pin was given. */
|
||||
unsigned int puk_given ; /**< @brief Whether puk was given. */
|
||||
unsigned int can_given ; /**< @brief Whether can was given. */
|
||||
unsigned int mrz_given ; /**< @brief Whether mrz was given. */
|
||||
unsigned int env_given ; /**< @brief Whether env was given. */
|
||||
unsigned int new_pin_given ; /**< @brief Whether new-pin was given. */
|
||||
unsigned int resume_given ; /**< @brief Whether resume was given. */
|
||||
unsigned int unblock_given ; /**< @brief Whether unblock was given. */
|
||||
unsigned int cv_certificate_given ; /**< @brief Whether cv-certificate was given. */
|
||||
unsigned int cert_desc_given ; /**< @brief Whether cert-desc was given. */
|
||||
unsigned int chat_given ; /**< @brief Whether chat was given. */
|
||||
unsigned int auxiliary_data_given ; /**< @brief Whether auxiliary-data was given. */
|
||||
unsigned int private_key_given ; /**< @brief Whether private-key was given. */
|
||||
unsigned int cvc_dir_given ; /**< @brief Whether cvc-dir was given. */
|
||||
unsigned int x509_dir_given ; /**< @brief Whether x509-dir was given. */
|
||||
unsigned int disable_ta_checks_given ; /**< @brief Whether disable-ta-checks was given. */
|
||||
unsigned int disable_ca_checks_given ; /**< @brief Whether disable-ca-checks was given. */
|
||||
unsigned int read_dg1_given ; /**< @brief Whether read-dg1 was given. */
|
||||
unsigned int read_dg2_given ; /**< @brief Whether read-dg2 was given. */
|
||||
unsigned int read_dg3_given ; /**< @brief Whether read-dg3 was given. */
|
||||
unsigned int read_dg4_given ; /**< @brief Whether read-dg4 was given. */
|
||||
unsigned int read_dg5_given ; /**< @brief Whether read-dg5 was given. */
|
||||
unsigned int read_dg6_given ; /**< @brief Whether read-dg6 was given. */
|
||||
unsigned int read_dg7_given ; /**< @brief Whether read-dg7 was given. */
|
||||
unsigned int read_dg8_given ; /**< @brief Whether read-dg8 was given. */
|
||||
unsigned int read_dg9_given ; /**< @brief Whether read-dg9 was given. */
|
||||
unsigned int read_dg10_given ; /**< @brief Whether read-dg10 was given. */
|
||||
unsigned int read_dg11_given ; /**< @brief Whether read-dg11 was given. */
|
||||
unsigned int read_dg12_given ; /**< @brief Whether read-dg12 was given. */
|
||||
unsigned int read_dg13_given ; /**< @brief Whether read-dg13 was given. */
|
||||
unsigned int read_dg14_given ; /**< @brief Whether read-dg14 was given. */
|
||||
unsigned int read_dg15_given ; /**< @brief Whether read-dg15 was given. */
|
||||
unsigned int read_dg16_given ; /**< @brief Whether read-dg16 was given. */
|
||||
unsigned int read_dg17_given ; /**< @brief Whether read-dg17 was given. */
|
||||
unsigned int read_dg18_given ; /**< @brief Whether read-dg18 was given. */
|
||||
unsigned int read_dg19_given ; /**< @brief Whether read-dg19 was given. */
|
||||
unsigned int read_dg20_given ; /**< @brief Whether read-dg20 was given. */
|
||||
unsigned int read_dg21_given ; /**< @brief Whether read-dg21 was given. */
|
||||
unsigned int write_dg17_given ; /**< @brief Whether write-dg17 was given. */
|
||||
unsigned int write_dg18_given ; /**< @brief Whether write-dg18 was given. */
|
||||
unsigned int write_dg19_given ; /**< @brief Whether write-dg19 was given. */
|
||||
unsigned int write_dg20_given ; /**< @brief Whether write-dg20 was given. */
|
||||
unsigned int write_dg21_given ; /**< @brief Whether write-dg21 was given. */
|
||||
unsigned int verify_validity_given ; /**< @brief Whether verify-validity was given. */
|
||||
unsigned int older_than_given ; /**< @brief Whether older-than was given. */
|
||||
unsigned int verify_community_given ; /**< @brief Whether verify-community was given. */
|
||||
unsigned int break_given ; /**< @brief Whether break was given. */
|
||||
unsigned int translate_given ; /**< @brief Whether translate was given. */
|
||||
unsigned int tr_03110v201_given ; /**< @brief Whether tr-03110v201 was given. */
|
||||
unsigned int disable_all_checks_given ; /**< @brief Whether disable-all-checks was given. */
|
||||
|
||||
} ;
|
||||
|
||||
/** @brief The additional parameters to pass to parser functions */
|
||||
struct cmdline_parser_params
|
||||
{
|
||||
int override; /**< @brief whether to override possibly already present options (default 0) */
|
||||
int initialize; /**< @brief whether to initialize the option structure gengetopt_args_info (default 1) */
|
||||
int check_required; /**< @brief whether to check that all required options were provided (default 1) */
|
||||
int check_ambiguity; /**< @brief whether to check for options already specified in the option structure gengetopt_args_info (default 0) */
|
||||
int print_errors; /**< @brief whether getopt_long should print an error message for a bad option (default 1) */
|
||||
} ;
|
||||
|
||||
/** @brief the purpose string of the program */
|
||||
extern const char *gengetopt_args_info_purpose;
|
||||
/** @brief the usage string of the program */
|
||||
extern const char *gengetopt_args_info_usage;
|
||||
/** @brief the description string of the program */
|
||||
extern const char *gengetopt_args_info_description;
|
||||
/** @brief all the lines making the help output */
|
||||
extern const char *gengetopt_args_info_help[];
|
||||
|
||||
/**
|
||||
* The command line parser
|
||||
* @param argc the number of command line options
|
||||
* @param argv the command line options
|
||||
* @param args_info the structure where option information will be stored
|
||||
* @return 0 if everything went fine, NON 0 if an error took place
|
||||
*/
|
||||
int cmdline_parser (int argc, char **argv,
|
||||
struct gengetopt_args_info *args_info);
|
||||
|
||||
/**
|
||||
* The command line parser (version with additional parameters - deprecated)
|
||||
* @param argc the number of command line options
|
||||
* @param argv the command line options
|
||||
* @param args_info the structure where option information will be stored
|
||||
* @param override whether to override possibly already present options
|
||||
* @param initialize whether to initialize the option structure my_args_info
|
||||
* @param check_required whether to check that all required options were provided
|
||||
* @return 0 if everything went fine, NON 0 if an error took place
|
||||
* @deprecated use cmdline_parser_ext() instead
|
||||
*/
|
||||
int cmdline_parser2 (int argc, char **argv,
|
||||
struct gengetopt_args_info *args_info,
|
||||
int override, int initialize, int check_required);
|
||||
|
||||
/**
|
||||
* The command line parser (version with additional parameters)
|
||||
* @param argc the number of command line options
|
||||
* @param argv the command line options
|
||||
* @param args_info the structure where option information will be stored
|
||||
* @param params additional parameters for the parser
|
||||
* @return 0 if everything went fine, NON 0 if an error took place
|
||||
*/
|
||||
int cmdline_parser_ext (int argc, char **argv,
|
||||
struct gengetopt_args_info *args_info,
|
||||
struct cmdline_parser_params *params);
|
||||
|
||||
/**
|
||||
* Save the contents of the option struct into an already open FILE stream.
|
||||
* @param outfile the stream where to dump options
|
||||
* @param args_info the option struct to dump
|
||||
* @return 0 if everything went fine, NON 0 if an error took place
|
||||
*/
|
||||
int cmdline_parser_dump(FILE *outfile,
|
||||
struct gengetopt_args_info *args_info);
|
||||
|
||||
/**
|
||||
* Save the contents of the option struct into a (text) file.
|
||||
* This file can be read by the config file parser (if generated by gengetopt)
|
||||
* @param filename the file where to save
|
||||
* @param args_info the option struct to save
|
||||
* @return 0 if everything went fine, NON 0 if an error took place
|
||||
*/
|
||||
int cmdline_parser_file_save(const char *filename,
|
||||
struct gengetopt_args_info *args_info);
|
||||
|
||||
/**
|
||||
* Print the help
|
||||
*/
|
||||
void cmdline_parser_print_help(void);
|
||||
/**
|
||||
* Print the version
|
||||
*/
|
||||
void cmdline_parser_print_version(void);
|
||||
|
||||
/**
|
||||
* Initializes all the fields a cmdline_parser_params structure
|
||||
* to their default values
|
||||
* @param params the structure to initialize
|
||||
*/
|
||||
void cmdline_parser_params_init(struct cmdline_parser_params *params);
|
||||
|
||||
/**
|
||||
* Allocates dynamically a cmdline_parser_params structure and initializes
|
||||
* all its fields to their default values
|
||||
* @return the created and initialized cmdline_parser_params structure
|
||||
*/
|
||||
struct cmdline_parser_params *cmdline_parser_params_create(void);
|
||||
|
||||
/**
|
||||
* Initializes the passed gengetopt_args_info structure's fields
|
||||
* (also set default values for options that have a default)
|
||||
* @param args_info the structure to initialize
|
||||
*/
|
||||
void cmdline_parser_init (struct gengetopt_args_info *args_info);
|
||||
/**
|
||||
* Deallocates the string fields of the gengetopt_args_info structure
|
||||
* (but does not deallocate the structure itself)
|
||||
* @param args_info the structure to deallocate
|
||||
*/
|
||||
void cmdline_parser_free (struct gengetopt_args_info *args_info);
|
||||
|
||||
/**
|
||||
* Checks that all the required options were specified
|
||||
* @param args_info the structure to check
|
||||
* @param prog_name the name of the program that will be used to print
|
||||
* possible errors
|
||||
* @return
|
||||
*/
|
||||
int cmdline_parser_required (struct gengetopt_args_info *args_info,
|
||||
const char *prog_name);
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif /* __cplusplus */
|
||||
#endif /* NPA_TOOL_CMDLINE_H */
|
|
@ -0,0 +1,205 @@
|
|||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
|
||||
.TH NPA-TOOL "1" "July 2016" "OpenSC 0.16.0" "User Commands"
|
||||
.SH NAME
|
||||
npa-tool \- manual page for npa-tool 0.16.0
|
||||
.SH SYNOPSIS
|
||||
.B npa-tool
|
||||
[\fI\,OPTIONS\/\fR]...
|
||||
.SH DESCRIPTION
|
||||
npa\-tool 0.16.0
|
||||
.TP
|
||||
\fB\-h\fR, \fB\-\-help\fR
|
||||
Print help and exit
|
||||
.TP
|
||||
\fB\-V\fR, \fB\-\-version\fR
|
||||
Print version and exit
|
||||
.TP
|
||||
\fB\-r\fR, \fB\-\-reader\fR=\fI\,INT\/\fR
|
||||
Number of the PC/SC reader to use (\fB\-1\fR for
|
||||
autodetect) (default=`\-1')
|
||||
.TP
|
||||
\fB\-v\fR, \fB\-\-verbose\fR
|
||||
Use (several times) to be more verbose
|
||||
.SS "Password Authenticated Connection Establishment (PACE):"
|
||||
.TP
|
||||
\fB\-p\fR, \fB\-\-pin\fR[=\fI\,STRING\/\fR]
|
||||
Run PACE with (transport) eID\-PIN
|
||||
.TP
|
||||
\fB\-u\fR, \fB\-\-puk\fR[=\fI\,STRING\/\fR]
|
||||
Run PACE with PUK
|
||||
.TP
|
||||
\fB\-c\fR, \fB\-\-can\fR[=\fI\,STRING\/\fR]
|
||||
Run PACE with CAN
|
||||
.TP
|
||||
\fB\-m\fR, \fB\-\-mrz\fR[=\fI\,STRING\/\fR]
|
||||
Run PACE with MRZ (insert MRZ without newlines)
|
||||
.TP
|
||||
\fB\-\-env\fR
|
||||
Whether to use environment variables PIN, PUK,
|
||||
CAN, MRZ and NEWPIN. You may want to clean
|
||||
your environment before enabling this.
|
||||
(default=off)
|
||||
.SS "PIN management:"
|
||||
.TP
|
||||
\fB\-N\fR, \fB\-\-new\-pin\fR[=\fI\,STRING\/\fR]
|
||||
Install a new PIN
|
||||
.TP
|
||||
\fB\-R\fR, \fB\-\-resume\fR
|
||||
Resume eID\-PIN (uses CAN to activate last
|
||||
retry) (default=off)
|
||||
.TP
|
||||
\fB\-U\fR, \fB\-\-unblock\fR
|
||||
Unblock PIN (uses PUK to activate three more
|
||||
retries) (default=off)
|
||||
.SS "Terminal Authentication (TA) and Chip Authentication (CA):"
|
||||
.TP
|
||||
\fB\-C\fR, \fB\-\-cv\-certificate\fR=\fI\,FILENAME\/\fR Card Verifiable Certificate to create a
|
||||
certificate chain. Can be used multiple times
|
||||
(order is important).
|
||||
.TP
|
||||
\fB\-\-cert\-desc\fR=\fI\,HEX_STRING\/\fR
|
||||
Certificate description to show for Terminal
|
||||
Authentication
|
||||
.TP
|
||||
\fB\-\-chat\fR=\fI\,HEX_STRING\/\fR
|
||||
Card holder authorization template to use
|
||||
(default is terminal's CHAT). Use
|
||||
7F4C0E060904007F000703010203530103 to trigger
|
||||
EAC on the CAT\-C (Komfortleser).
|
||||
.TP
|
||||
\fB\-A\fR, \fB\-\-auxiliary\-data\fR=\fI\,HEX_STRING\/\fR
|
||||
Terminal's auxiliary data (default is
|
||||
.TP
|
||||
determined by verification of validity, age
|
||||
and community ID).
|
||||
.TP
|
||||
\fB\-P\fR, \fB\-\-private\-key\fR=\fI\,FILENAME\/\fR
|
||||
Terminal's private key
|
||||
.TP
|
||||
\fB\-\-cvc\-dir\fR=\fI\,DIRECTORY\/\fR
|
||||
Where to look for the CVCA's certificate
|
||||
(default=`/home/fm/.local/etc/eac/cvc')
|
||||
.TP
|
||||
\fB\-\-x509\-dir\fR=\fI\,DIRECTORY\/\fR
|
||||
Where to look for the CSCA's certificate
|
||||
(default=`/home/fm/.local/etc/eac/x509')
|
||||
.TP
|
||||
\fB\-\-disable\-ta\-checks\fR
|
||||
Disable checking the validity period of CV
|
||||
certifcates (default=off)
|
||||
.TP
|
||||
\fB\-\-disable\-ca\-checks\fR
|
||||
Disable passive authentication (default=off)
|
||||
.SS "Read and write data groups:"
|
||||
.TP
|
||||
\fB\-\-read\-dg1\fR
|
||||
Read DG 1 (Document Type) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg2\fR
|
||||
Read DG 2 (Issuing State) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg3\fR
|
||||
Read DG 3 (Date of Expiry) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg4\fR
|
||||
Read DG 4 (Given Names) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg5\fR
|
||||
Read DG 5 (Family Names) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg6\fR
|
||||
Read DG 6 (Religious/Artistic Name)
|
||||
(default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg7\fR
|
||||
Read DG 7 (Academic Title) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg8\fR
|
||||
Read DG 8 (Date of Birth) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg9\fR
|
||||
Read DG 9 (Place of Birth) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg10\fR
|
||||
Read DG 10 (Nationality) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg11\fR
|
||||
Read DG 11 (Sex) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg12\fR
|
||||
Read DG 12 (Optional Data) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg13\fR
|
||||
Read DG 13 (Birth Name) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg14\fR
|
||||
Read DG 14 (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg15\fR
|
||||
Read DG 15 (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg16\fR
|
||||
Read DG 16 (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg17\fR
|
||||
Read DG 17 (Normal Place of Residence)
|
||||
(default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg18\fR
|
||||
Read DG 18 (Community ID) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg19\fR
|
||||
Read DG 19 (Residence Permit I) (default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg20\fR
|
||||
Read DG 20 (Residence Permit II)
|
||||
(default=off)
|
||||
.TP
|
||||
\fB\-\-read\-dg21\fR
|
||||
Read DG 21 (Optional Data) (default=off)
|
||||
.TP
|
||||
\fB\-\-write\-dg17\fR=\fI\,HEX_STRING\/\fR
|
||||
Write DG 17 (Normal Place of Residence)
|
||||
.TP
|
||||
\fB\-\-write\-dg18\fR=\fI\,HEX_STRING\/\fR
|
||||
Write DG 18 (Community ID)
|
||||
.TP
|
||||
\fB\-\-write\-dg19\fR=\fI\,HEX_STRING\/\fR
|
||||
Write DG 19 (Residence Permit I)
|
||||
.TP
|
||||
\fB\-\-write\-dg20\fR=\fI\,HEX_STRING\/\fR
|
||||
Write DG 20 (Residence Permit II)
|
||||
.TP
|
||||
\fB\-\-write\-dg21\fR=\fI\,HEX_STRING\/\fR
|
||||
Write DG 21 (Optional Data)
|
||||
.SS "Verification of validity, age and community ID:"
|
||||
.TP
|
||||
\fB\-\-verify\-validity\fR=\fI\,YYYYMMDD\/\fR
|
||||
Verify chip's validity with a reference date
|
||||
.TP
|
||||
\fB\-\-older\-than\fR=\fI\,YYYYMMDD\/\fR
|
||||
Verify age with a reference date
|
||||
.TP
|
||||
\fB\-\-verify\-community\fR=\fI\,HEX_STRING\/\fR
|
||||
Verify community ID with a reference ID
|
||||
.SS "Special options, not always useful:"
|
||||
.TP
|
||||
\fB\-b\fR, \fB\-\-break\fR
|
||||
Brute force PIN, CAN or PUK. Use together with
|
||||
\fB\-p\fR, \fB\-a\fR or \fB\-u\fR (default=off)
|
||||
.TP
|
||||
\fB\-t\fR, \fB\-\-translate\fR=\fI\,FILENAME\/\fR
|
||||
File with APDUs of HEX_STRINGs to send through
|
||||
the secure channel (default=`stdin')
|
||||
.TP
|
||||
\fB\-\-tr\-03110v201\fR
|
||||
Force compliance to BSI TR\-03110 version 2.01
|
||||
(default=off)
|
||||
.TP
|
||||
\fB\-\-disable\-all\-checks\fR
|
||||
Disable all checking of fly\-by\-data
|
||||
(default=off)
|
||||
.SH AUTHOR
|
||||
Written by Frank Morgner <frankmorgner@gmail.com>
|
||||
.SH "REPORTING BUGS"
|
||||
Report bugs to opensc\-devel@lists.sourceforge.net
|
|
@ -0,0 +1,897 @@
|
|||
/*
|
||||
* Copyright (C) 2010-2012 Frank Morgner <frankmorgner@gmail.com>
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_OPENPACE
|
||||
#include "npa-tool-cmdline.h"
|
||||
#include "fread_to_eof.h"
|
||||
#include "sm/sslutil.h"
|
||||
#include "sm/sm-eac.h"
|
||||
#include <eac/pace.h>
|
||||
#include <libopensc/log.h>
|
||||
#include <libopensc/opensc.h>
|
||||
#include <libopensc/sm.h>
|
||||
#include <sm/sm-eac.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
#include <sys/time.h>
|
||||
#else
|
||||
/* only implement what we are using in this file */
|
||||
struct timeval {
|
||||
unsigned int tv_sec;
|
||||
unsigned int tv_usec;
|
||||
};
|
||||
int gettimeofday(struct timeval *tv, struct timezone *tz)
|
||||
{
|
||||
#ifdef _WIN32
|
||||
SYSTEMTIME st;
|
||||
GetLocalTime(&st);
|
||||
if (!tv)
|
||||
return -1;
|
||||
tv->tv_sec = st.wSecond;
|
||||
tv->tv_usec = st.wMilliseconds*1000;
|
||||
#else
|
||||
tv->tv_sec = 0;
|
||||
tv->tv_usec = 0;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_GETLINE
|
||||
static int getline(char **lineptr, size_t *n, FILE *stream)
|
||||
{
|
||||
char *p;
|
||||
|
||||
if (!lineptr)
|
||||
return -1;
|
||||
|
||||
p = realloc(*lineptr, SC_MAX_EXT_APDU_BUFFER_SIZE*3);
|
||||
if (!p)
|
||||
return -1;
|
||||
*lineptr = p;
|
||||
|
||||
if (fgets(p, SC_MAX_EXT_APDU_BUFFER_SIZE*3, stream) == NULL)
|
||||
return -1;
|
||||
|
||||
return strlen(p);
|
||||
}
|
||||
#endif
|
||||
|
||||
/**
|
||||
* @brief Print binary data to a file stream
|
||||
*
|
||||
* @param[in] file File for printing
|
||||
* @param[in] label Label to prepend to the buffer
|
||||
* @param[in] data Binary data
|
||||
* @param[in] len Length of \a data
|
||||
*/
|
||||
#define bin_print(file, label, data, len) { \
|
||||
fprintf(file, "%s (%u byte%s)%s%s\n", \
|
||||
label, (unsigned int) len, len==1?"":"s", len==0?"":":\n", sc_dump_hex(data, len)); \
|
||||
}
|
||||
|
||||
static int initialize(int reader_id, int verbose,
|
||||
sc_context_t **ctx, sc_reader_t **reader)
|
||||
{
|
||||
unsigned int i, reader_count;
|
||||
int r;
|
||||
|
||||
if (!ctx || !reader)
|
||||
return SC_ERROR_INVALID_ARGUMENTS;
|
||||
|
||||
r = sc_establish_context(ctx, "");
|
||||
if (r < 0 || !*ctx) {
|
||||
fprintf(stderr, "Failed to create initial context: %s", sc_strerror(r));
|
||||
return r;
|
||||
}
|
||||
|
||||
(*ctx)->debug = verbose;
|
||||
(*ctx)->flags |= SC_CTX_FLAG_ENABLE_DEFAULT_DRIVER;
|
||||
|
||||
reader_count = sc_ctx_get_reader_count(*ctx);
|
||||
|
||||
if (reader_count == 0) {
|
||||
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "No reader not found.\n");
|
||||
return SC_ERROR_NO_READERS_FOUND;
|
||||
}
|
||||
|
||||
if (reader_id < 0) {
|
||||
/* Automatically try to skip to a reader with a card if reader not specified */
|
||||
for (i = 0; i < reader_count; i++) {
|
||||
*reader = sc_ctx_get_reader(*ctx, i);
|
||||
if (sc_detect_card_presence(*reader) & SC_READER_CARD_PRESENT) {
|
||||
reader_id = i;
|
||||
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "Using the first reader"
|
||||
" with a card: %s", (*reader)->name);
|
||||
break;
|
||||
}
|
||||
}
|
||||
if ((unsigned int) reader_id >= reader_count) {
|
||||
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "No card found, using the first reader.");
|
||||
reader_id = 0;
|
||||
}
|
||||
}
|
||||
|
||||
if ((unsigned int) reader_id >= reader_count) {
|
||||
sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "Invalid reader number "
|
||||
"(%d), only %d available.\n", reader_id, reader_count);
|
||||
return SC_ERROR_NO_READERS_FOUND;
|
||||
}
|
||||
|
||||
*reader = sc_ctx_get_reader(*ctx, reader_id);
|
||||
|
||||
return SC_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
static void read_dg(sc_card_t *card, unsigned char sfid, const char *dg_str,
|
||||
unsigned char **dg, size_t *dg_len)
|
||||
{
|
||||
int r = iso7816_read_binary_sfid(card, sfid, dg, dg_len);
|
||||
if (r < 0)
|
||||
fprintf(stderr, "Coult not read DG %02u %s (%s)\n",
|
||||
sfid, dg_str, sc_strerror(r));
|
||||
else {
|
||||
char buf[0x200];
|
||||
sc_hex_dump(NULL, 0, *dg, *dg_len, buf, sizeof buf);
|
||||
fprintf(stdout, "Read %s", buf);
|
||||
}
|
||||
}
|
||||
|
||||
static void write_dg(sc_card_t *card, unsigned char sfid, const char *dg_str,
|
||||
const char *dg_hex)
|
||||
{
|
||||
unsigned char dg[0xff];
|
||||
size_t dg_len = sizeof dg;
|
||||
int r;
|
||||
|
||||
r = sc_hex_to_bin(dg_hex, dg, &dg_len);
|
||||
if (r < 0) {
|
||||
fprintf(stderr, "Could not parse DG %02u %s (%s)\n",
|
||||
sfid, dg_str, sc_strerror(r));
|
||||
} else {
|
||||
r = iso7816_write_binary_sfid(card, sfid, dg, dg_len);
|
||||
if (r < 0)
|
||||
fprintf(stderr, "Could not write DG %02u %s (%s)\n",
|
||||
sfid, dg_str, sc_strerror(r));
|
||||
else
|
||||
printf("Wrote DG %02u %s\n", sfid, dg_str);
|
||||
}
|
||||
}
|
||||
|
||||
#define ISO_VERIFY 0x20
|
||||
static void verify(sc_card_t *card, const char *verify_str,
|
||||
unsigned char *data, size_t data_len)
|
||||
{
|
||||
sc_apdu_t apdu;
|
||||
int r;
|
||||
|
||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, ISO_VERIFY, 0x80, 0);
|
||||
apdu.cla = 0x80;
|
||||
apdu.data = data;
|
||||
apdu.datalen = data_len;
|
||||
apdu.lc = data_len;
|
||||
|
||||
r = sc_transmit_apdu(card, &apdu);
|
||||
if (r < 0)
|
||||
fprintf(stderr, "Coult not verify %s (%s)\n",
|
||||
verify_str, sc_strerror(r));
|
||||
else
|
||||
printf("Verified %s\n", verify_str);
|
||||
}
|
||||
|
||||
int npa_translate_apdus(sc_card_t *card, FILE *input)
|
||||
{
|
||||
u8 buf[4 + 3 + 0xffff + 3];
|
||||
char *read = NULL;
|
||||
size_t readlen = 0, apdulen;
|
||||
sc_apdu_t apdu;
|
||||
int linelen;
|
||||
int r;
|
||||
|
||||
memset(&apdu, 0, sizeof apdu);
|
||||
|
||||
while (1) {
|
||||
if (input == stdin)
|
||||
printf("Enter unencrypted C-APDU (empty line to exit)\n");
|
||||
|
||||
linelen = getline(&read, &readlen, input);
|
||||
if (linelen <= 1) {
|
||||
if (linelen < 0) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
|
||||
"Could not read line");
|
||||
} else {
|
||||
r = SC_SUCCESS;
|
||||
printf("Thanks for flying with ccid\n");
|
||||
}
|
||||
break;
|
||||
}
|
||||
read[linelen - 1] = 0;
|
||||
|
||||
apdulen = sizeof buf;
|
||||
if (sc_hex_to_bin(read, buf, &apdulen) < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
|
||||
"Could not format binary string");
|
||||
continue;
|
||||
}
|
||||
if (input != stdin)
|
||||
bin_print(stdout, "Unencrypted C-APDU", buf, apdulen);
|
||||
|
||||
r = sc_bytes2apdu(card->ctx, buf, apdulen, &apdu);
|
||||
if (r < 0) {
|
||||
sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Invalid C-APDU", buf, apdulen);
|
||||
continue;
|
||||
}
|
||||
|
||||
apdu.resp = buf;
|
||||
apdu.resplen = sizeof buf;
|
||||
|
||||
r = sc_transmit_apdu(card, &apdu);
|
||||
if (r < 0) {
|
||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
|
||||
"Could not send C-APDU: %s", sc_strerror(r));
|
||||
continue;
|
||||
}
|
||||
|
||||
printf("Decrypted R-APDU sw1=%02x sw2=%02x\n", apdu.sw1, apdu.sw2);
|
||||
bin_print(stdout, "Decrypted R-APDU response data", apdu.resp, apdu.resplen);
|
||||
printf("======================================================================\n");
|
||||
}
|
||||
|
||||
if (read)
|
||||
free(read);
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int add_to_ASN1_AUXILIARY_DATA(
|
||||
ASN1_AUXILIARY_DATA **auxiliary_data,
|
||||
int nid, const unsigned char *data, size_t data_len)
|
||||
{
|
||||
int r;
|
||||
CVC_DISCRETIONARY_DATA_TEMPLATE *template = NULL;
|
||||
|
||||
if (!auxiliary_data) {
|
||||
r = SC_ERROR_INVALID_ARGUMENTS;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!*auxiliary_data) {
|
||||
*auxiliary_data = ASN1_AUXILIARY_DATA_new();
|
||||
if (!*auxiliary_data) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
template = CVC_DISCRETIONARY_DATA_TEMPLATE_new();
|
||||
if (!template) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
template->type = OBJ_nid2obj(nid);
|
||||
if (!template->type) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (data && data_len) {
|
||||
template->discretionary_data3 = ASN1_OCTET_STRING_new();
|
||||
if (!template->discretionary_data3
|
||||
|| !M_ASN1_OCTET_STRING_set(
|
||||
template->discretionary_data3, data, data_len)) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
if (!sk_push((_STACK*) (*auxiliary_data), template)) {
|
||||
r = SC_ERROR_INTERNAL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
r = SC_SUCCESS;
|
||||
|
||||
err:
|
||||
return r;
|
||||
}
|
||||
|
||||
int
|
||||
main (int argc, char **argv)
|
||||
{
|
||||
const char *newpin = NULL;
|
||||
const char *pin = NULL;
|
||||
const char *puk = NULL;
|
||||
const char *can = NULL;
|
||||
const char *mrz = NULL;
|
||||
|
||||
unsigned char chat[0xff];
|
||||
unsigned char desc[0xffff];
|
||||
unsigned char **certs = NULL;
|
||||
size_t *certs_lens = NULL;
|
||||
unsigned char *privkey = NULL;
|
||||
size_t privkey_len = 0;
|
||||
unsigned char auxiliary_data[0xff];
|
||||
size_t auxiliary_data_len = 0;
|
||||
unsigned char community_id[0xf];
|
||||
size_t community_id_len = 0;
|
||||
|
||||
sc_context_t *ctx = NULL;
|
||||
sc_card_t *card = NULL;
|
||||
sc_reader_t *reader;
|
||||
|
||||
int r, tr_version = EAC_TR_VERSION_2_02;
|
||||
struct establish_pace_channel_input pace_input;
|
||||
struct establish_pace_channel_output pace_output;
|
||||
struct timeval tv;
|
||||
size_t i;
|
||||
FILE *input = NULL;
|
||||
CVC_CERT *cvc_cert = NULL;
|
||||
unsigned char *certs_chat = NULL;
|
||||
unsigned char *dg = NULL;
|
||||
size_t dg_len = 0;
|
||||
ASN1_AUXILIARY_DATA *templates = NULL;
|
||||
unsigned char *ef_cardsecurity = NULL;
|
||||
size_t ef_cardsecurity_len = 0;
|
||||
|
||||
struct gengetopt_args_info cmdline;
|
||||
|
||||
memset(&pace_input, 0, sizeof pace_input);
|
||||
memset(&pace_output, 0, sizeof pace_output);
|
||||
|
||||
|
||||
/* Parse command line */
|
||||
if (cmdline_parser (argc, argv, &cmdline) != 0)
|
||||
exit(1);
|
||||
if (cmdline.env_flag) {
|
||||
can = getenv("CAN");
|
||||
mrz = getenv("MRZ");
|
||||
pin = getenv("PIN");
|
||||
puk = getenv("PUK");
|
||||
newpin = getenv("NEWPIN");
|
||||
}
|
||||
can = cmdline.can_arg;
|
||||
mrz = cmdline.mrz_arg;
|
||||
pin = cmdline.pin_arg;
|
||||
puk = cmdline.puk_arg;
|
||||
newpin = cmdline.new_pin_arg;
|
||||
if (cmdline.chat_given) {
|
||||
pace_input.chat = chat;
|
||||
pace_input.chat_length = sizeof chat;
|
||||
if (sc_hex_to_bin(cmdline.chat_arg, (u8 *) pace_input.chat,
|
||||
&pace_input.chat_length) < 0) {
|
||||
fprintf(stderr, "Could not parse CHAT.\n");
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
if (cmdline.cert_desc_given) {
|
||||
pace_input.certificate_description = desc;
|
||||
pace_input.certificate_description_length = sizeof desc;
|
||||
if (sc_hex_to_bin(cmdline.cert_desc_arg,
|
||||
(u8 *) pace_input.certificate_description,
|
||||
&pace_input.certificate_description_length) < 0) {
|
||||
fprintf(stderr, "Could not parse certificate description.\n");
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
if (cmdline.tr_03110v201_flag)
|
||||
tr_version = EAC_TR_VERSION_2_01;
|
||||
if (cmdline.disable_all_checks_flag)
|
||||
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_ALL;
|
||||
if (cmdline.disable_ta_checks_flag)
|
||||
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_TA;
|
||||
if (cmdline.disable_ca_checks_flag)
|
||||
npa_default_flags |= NPA_FLAG_DISABLE_CHECK_CA;
|
||||
|
||||
|
||||
r = initialize(cmdline.reader_arg, cmdline.verbose_given, &ctx, &reader);
|
||||
if (r < 0) {
|
||||
fprintf(stderr, "Can't initialize reader\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (sc_connect_card(reader, &card) < 0) {
|
||||
fprintf(stderr, "Could not connect to card\n");
|
||||
sc_release_context(ctx);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
EAC_init();
|
||||
if (cmdline.cvc_dir_given)
|
||||
EAC_set_cvc_default_dir(cmdline.cvc_dir_arg);
|
||||
if (cmdline.x509_dir_given)
|
||||
EAC_set_x509_default_dir(cmdline.cvc_dir_arg);
|
||||
|
||||
if (cmdline.break_flag) {
|
||||
/* The biggest number sprintf could write with "%llu is 18446744073709551615 */
|
||||
char secretbuf[21];
|
||||
unsigned long long secret = 0;
|
||||
unsigned long long maxsecret = 0;
|
||||
|
||||
if (cmdline.pin_given) {
|
||||
pace_input.pin_id = PACE_PIN;
|
||||
pace_input.pin_length = 6;
|
||||
maxsecret = 999999;
|
||||
if (pin) {
|
||||
if (sscanf(pin, "%llu", &secret) != 1) {
|
||||
fprintf(stderr, "%s is not an unsigned long long.\n",
|
||||
npa_secret_name(pace_input.pin_id));
|
||||
exit(2);
|
||||
}
|
||||
if (strlen(pin) > pace_input.pin_length) {
|
||||
fprintf(stderr, "%s too big, only %u digits allowed.\n",
|
||||
npa_secret_name(pace_input.pin_id),
|
||||
(unsigned int) pace_input.pin_length);
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
} else if (cmdline.can_given) {
|
||||
pace_input.pin_id = PACE_CAN;
|
||||
pace_input.pin_length = 6;
|
||||
maxsecret = 999999;
|
||||
if (can) {
|
||||
if (sscanf(can, "%llu", &secret) != 1) {
|
||||
fprintf(stderr, "%s is not an unsigned long long.\n",
|
||||
npa_secret_name(pace_input.pin_id));
|
||||
exit(2);
|
||||
}
|
||||
if (strlen(can) > pace_input.pin_length) {
|
||||
fprintf(stderr, "%s too big, only %u digits allowed.\n",
|
||||
npa_secret_name(pace_input.pin_id),
|
||||
(unsigned int) pace_input.pin_length);
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
} else if (cmdline.puk_given) {
|
||||
pace_input.pin_id = PACE_PUK;
|
||||
pace_input.pin_length = 10;
|
||||
maxsecret = 9999999999LLU;
|
||||
if (puk) {
|
||||
if (sscanf(puk, "%llu", &secret) != 1) {
|
||||
fprintf(stderr, "%s is not an unsigned long long.\n",
|
||||
npa_secret_name(pace_input.pin_id));
|
||||
exit(2);
|
||||
}
|
||||
if (strlen(puk) > pace_input.pin_length) {
|
||||
fprintf(stderr, "%s too big, only %u digits allowed.\n",
|
||||
npa_secret_name(pace_input.pin_id),
|
||||
(unsigned int) pace_input.pin_length);
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fprintf(stderr, "Please specify whether to do PACE with "
|
||||
"PIN, CAN or PUK.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
pace_input.pin = (unsigned char *) secretbuf;
|
||||
|
||||
do {
|
||||
sprintf(secretbuf, "%0*llu", (unsigned int) pace_input.pin_length, secret);
|
||||
|
||||
gettimeofday(&tv, NULL);
|
||||
printf("%u,%06u: Trying %s=%s\n",
|
||||
(unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
|
||||
npa_secret_name(pace_input.pin_id), pace_input.pin);
|
||||
|
||||
r = perform_pace(card, pace_input, &pace_output, tr_version);
|
||||
|
||||
secret++;
|
||||
} while (0 > r && secret <= maxsecret);
|
||||
|
||||
gettimeofday(&tv, NULL);
|
||||
if (0 > r) {
|
||||
printf("%u,%06u: Tried breaking %s without success.\n",
|
||||
(unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
|
||||
npa_secret_name(pace_input.pin_id));
|
||||
goto err;
|
||||
} else {
|
||||
printf("%u,%06u: Tried breaking %s with success (=%s).\n",
|
||||
(unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
|
||||
npa_secret_name(pace_input.pin_id),
|
||||
pace_input.pin);
|
||||
}
|
||||
}
|
||||
|
||||
if (cmdline.resume_flag) {
|
||||
pace_input.pin_id = PACE_CAN;
|
||||
if (can) {
|
||||
pace_input.pin = (unsigned char *) can;
|
||||
pace_input.pin_length = strlen(can);
|
||||
} else {
|
||||
pace_input.pin = NULL;
|
||||
pace_input.pin_length = 0;
|
||||
}
|
||||
r = perform_pace(card, pace_input, &pace_output, tr_version);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Established PACE channel with CAN.\n");
|
||||
|
||||
pace_input.pin_id = PACE_PIN;
|
||||
if (pin) {
|
||||
pace_input.pin = (unsigned char *) pin;
|
||||
pace_input.pin_length = strlen(pin);
|
||||
} else {
|
||||
pace_input.pin = NULL;
|
||||
pace_input.pin_length = 0;
|
||||
}
|
||||
r = perform_pace(card, pace_input, &pace_output, tr_version);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Established PACE channel with PIN. PIN resumed.\n");
|
||||
}
|
||||
|
||||
if (cmdline.unblock_flag) {
|
||||
pace_input.pin_id = PACE_PUK;
|
||||
if (puk) {
|
||||
pace_input.pin = (unsigned char *) puk;
|
||||
pace_input.pin_length = strlen(puk);
|
||||
} else {
|
||||
pace_input.pin = NULL;
|
||||
pace_input.pin_length = 0;
|
||||
}
|
||||
r = perform_pace(card, pace_input, &pace_output, tr_version);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Established PACE channel with PUK.\n");
|
||||
|
||||
r = npa_unblock_pin(card);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Unblocked PIN.\n");
|
||||
}
|
||||
|
||||
if (cmdline.new_pin_given) {
|
||||
pace_input.pin_id = PACE_PIN;
|
||||
if (pin) {
|
||||
pace_input.pin = (unsigned char *) pin;
|
||||
pace_input.pin_length = strlen(pin);
|
||||
} else {
|
||||
pace_input.pin = NULL;
|
||||
pace_input.pin_length = 0;
|
||||
}
|
||||
r = perform_pace(card, pace_input, &pace_output, tr_version);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Established PACE channel with PIN.\n");
|
||||
|
||||
r = npa_change_pin(card, newpin, newpin ? strlen(newpin) : 0);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Changed PIN.\n");
|
||||
}
|
||||
|
||||
if (cmdline.translate_given
|
||||
|| (!cmdline.resume_flag && !cmdline.new_pin_given
|
||||
&& !cmdline.unblock_flag && !cmdline.break_given)) {
|
||||
|
||||
if (cmdline.cv_certificate_given || cmdline.private_key_given
|
||||
|| cmdline.auxiliary_data_given) {
|
||||
if (!cmdline.cv_certificate_given || !cmdline.private_key_given) {
|
||||
fprintf(stderr, "Need at least the terminal's certificate "
|
||||
"and its private key to perform terminal authentication.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
certs = calloc(sizeof *certs, cmdline.cv_certificate_given + 1);
|
||||
certs_lens = calloc(sizeof *certs_lens,
|
||||
cmdline.cv_certificate_given + 1);
|
||||
if (!certs || !certs_lens) {
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
for (i = 0; i < cmdline.cv_certificate_given; i++) {
|
||||
if (!fread_to_eof(cmdline.cv_certificate_arg[i],
|
||||
(unsigned char **) &certs[i], &certs_lens[i])) {
|
||||
fprintf(stderr, "Could not read certificate.\n");
|
||||
r = SC_ERROR_INVALID_DATA;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
if (!pace_input.chat_length) {
|
||||
const unsigned char *p = certs[cmdline.cv_certificate_given-1];
|
||||
if (!CVC_d2i_CVC_CERT(&cvc_cert, &p, certs_lens[cmdline.cv_certificate_given-1])
|
||||
|| !cvc_cert || !cvc_cert->body
|
||||
|| !cvc_cert->body->certificate_authority_reference
|
||||
|| !cvc_cert->body->chat) {
|
||||
fprintf(stderr, "Could not parse certificate.\n");
|
||||
ssl_error(ctx);
|
||||
r = SC_ERROR_INVALID_DATA;
|
||||
goto err;
|
||||
}
|
||||
pace_input.chat_length = i2d_CVC_CHAT(cvc_cert->body->chat, &certs_chat);
|
||||
if (0 >= (int) pace_input.chat_length) {
|
||||
fprintf(stderr, "Could not parse CHAT.\n");
|
||||
r = SC_ERROR_INVALID_DATA;
|
||||
ssl_error(ctx);
|
||||
goto err;
|
||||
}
|
||||
pace_input.chat = certs_chat;
|
||||
}
|
||||
|
||||
if (!fread_to_eof(cmdline.private_key_arg,
|
||||
&privkey, &privkey_len)) {
|
||||
fprintf(stderr, "Could not parse private key.\n");
|
||||
r = SC_ERROR_INVALID_DATA;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (cmdline.auxiliary_data_given) {
|
||||
auxiliary_data_len = sizeof auxiliary_data;
|
||||
if (sc_hex_to_bin(cmdline.auxiliary_data_arg, auxiliary_data,
|
||||
&auxiliary_data_len) < 0) {
|
||||
fprintf(stderr, "Could not parse auxiliary data.\n");
|
||||
r = SC_ERROR_INVALID_DATA;
|
||||
goto err;
|
||||
}
|
||||
} else {
|
||||
if (cmdline.older_than_given) {
|
||||
r = add_to_ASN1_AUXILIARY_DATA(&templates,
|
||||
NID_id_DateOfBirth,
|
||||
(unsigned char *) cmdline.older_than_arg,
|
||||
strlen(cmdline.older_than_arg));
|
||||
if (r < 0)
|
||||
goto err;
|
||||
}
|
||||
if (cmdline.verify_validity_given) {
|
||||
r = add_to_ASN1_AUXILIARY_DATA(&templates,
|
||||
NID_id_DateOfExpiry,
|
||||
(unsigned char *) cmdline.verify_validity_arg,
|
||||
strlen(cmdline.verify_validity_arg));
|
||||
if (r < 0)
|
||||
goto err;
|
||||
}
|
||||
if (cmdline.verify_community_given) {
|
||||
community_id_len = sizeof community_id;
|
||||
if (sc_hex_to_bin(cmdline.verify_community_arg, community_id,
|
||||
&community_id_len) < 0) {
|
||||
fprintf(stderr, "Could not parse community ID.\n");
|
||||
exit(2);
|
||||
}
|
||||
r = add_to_ASN1_AUXILIARY_DATA(&templates,
|
||||
NID_id_CommunityID,
|
||||
community_id, community_id_len);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
}
|
||||
if (templates) {
|
||||
unsigned char *p = NULL;
|
||||
auxiliary_data_len = i2d_ASN1_AUXILIARY_DATA(
|
||||
templates, &p);
|
||||
if (0 > (int) auxiliary_data_len
|
||||
|| auxiliary_data_len > sizeof auxiliary_data) {
|
||||
free(p);
|
||||
fprintf(stderr, "Auxiliary data too big.\n");
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
goto err;
|
||||
}
|
||||
memcpy(auxiliary_data, p, auxiliary_data_len);
|
||||
free(p);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pace_input.pin = NULL;
|
||||
pace_input.pin_length = 0;
|
||||
if (cmdline.pin_given) {
|
||||
pace_input.pin_id = PACE_PIN;
|
||||
if (pin) {
|
||||
pace_input.pin = (unsigned char *) pin;
|
||||
pace_input.pin_length = strlen(pin);
|
||||
}
|
||||
} else if (cmdline.can_given) {
|
||||
pace_input.pin_id = PACE_CAN;
|
||||
if (can) {
|
||||
pace_input.pin = (unsigned char *) can;
|
||||
pace_input.pin_length = strlen(can);
|
||||
}
|
||||
} else if (cmdline.mrz_given) {
|
||||
pace_input.pin_id = PACE_MRZ;
|
||||
if (mrz) {
|
||||
pace_input.pin = (unsigned char *) mrz;
|
||||
pace_input.pin_length = strlen(mrz);
|
||||
}
|
||||
} else if (cmdline.puk_given) {
|
||||
pace_input.pin_id = PACE_PUK;
|
||||
if (puk) {
|
||||
pace_input.pin = (unsigned char *) puk;
|
||||
pace_input.pin_length = strlen(puk);
|
||||
}
|
||||
} else {
|
||||
fprintf(stderr, "Skipping PIN verification\n");
|
||||
goto nopace;
|
||||
}
|
||||
|
||||
r = perform_pace(card, pace_input, &pace_output, tr_version);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Established PACE channel with %s.\n",
|
||||
npa_secret_name(pace_input.pin_id));
|
||||
|
||||
nopace:
|
||||
if (cmdline.cv_certificate_given || cmdline.private_key_given) {
|
||||
unsigned char eid_aid[] = { 0xE8, 0x07, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x02};
|
||||
sc_path_t path;
|
||||
|
||||
r = perform_terminal_authentication(card,
|
||||
(const unsigned char **) certs, certs_lens,
|
||||
privkey, privkey_len, auxiliary_data, auxiliary_data_len);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Performed Terminal Authentication.\n");
|
||||
|
||||
r = perform_chip_authentication(card, &ef_cardsecurity, &ef_cardsecurity_len);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Performed Chip Authentication.\n");
|
||||
|
||||
sc_path_set(&path, SC_PATH_TYPE_DF_NAME, eid_aid, sizeof eid_aid, 0, 0);
|
||||
r = sc_select_file(card, &path, NULL);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Selected eID application.\n");
|
||||
}
|
||||
|
||||
if (cmdline.read_dg1_flag)
|
||||
read_dg(card, 1, "Document Type", &dg, &dg_len);
|
||||
if (cmdline.read_dg2_flag)
|
||||
read_dg(card, 2, "Issuing State", &dg, &dg_len);
|
||||
if (cmdline.read_dg3_flag)
|
||||
read_dg(card, 3, "Date of Expiry", &dg, &dg_len);
|
||||
if (cmdline.read_dg4_flag)
|
||||
read_dg(card, 4, "Given Names", &dg, &dg_len);
|
||||
if (cmdline.read_dg5_flag)
|
||||
read_dg(card, 5, "Family Names", &dg, &dg_len);
|
||||
if (cmdline.read_dg6_flag)
|
||||
read_dg(card, 6, "Religious/Artistic Name", &dg, &dg_len);
|
||||
if (cmdline.read_dg7_flag)
|
||||
read_dg(card, 7, "Academic Title", &dg, &dg_len);
|
||||
if (cmdline.read_dg8_flag)
|
||||
read_dg(card, 8, "Date of Birth", &dg, &dg_len);
|
||||
if (cmdline.read_dg9_flag)
|
||||
read_dg(card, 9, "Place of Birth", &dg, &dg_len);
|
||||
if (cmdline.read_dg10_flag)
|
||||
read_dg(card, 10, "Nationality", &dg, &dg_len);
|
||||
if (cmdline.read_dg11_flag)
|
||||
read_dg(card, 11, "Sex", &dg, &dg_len);
|
||||
if (cmdline.read_dg12_flag)
|
||||
read_dg(card, 12, "Optional Data", &dg, &dg_len);
|
||||
if (cmdline.read_dg13_flag)
|
||||
read_dg(card, 13, "Birth Name", &dg, &dg_len);
|
||||
if (cmdline.read_dg14_flag)
|
||||
read_dg(card, 14, "DG 14", &dg, &dg_len);
|
||||
if (cmdline.read_dg15_flag)
|
||||
read_dg(card, 15, "DG 15", &dg, &dg_len);
|
||||
if (cmdline.read_dg16_flag)
|
||||
read_dg(card, 16, "DG 16", &dg, &dg_len);
|
||||
if (cmdline.read_dg17_flag)
|
||||
read_dg(card, 17, "Normal Place of Residence", &dg, &dg_len);
|
||||
if (cmdline.read_dg18_flag)
|
||||
read_dg(card, 18, "Community ID", &dg, &dg_len);
|
||||
if (cmdline.read_dg19_flag)
|
||||
read_dg(card, 19, "Residence Permit I", &dg, &dg_len);
|
||||
if (cmdline.read_dg20_flag)
|
||||
read_dg(card, 20, "Residence Permit II", &dg, &dg_len);
|
||||
if (cmdline.read_dg21_flag)
|
||||
read_dg(card, 21, "Optional Data", &dg, &dg_len);
|
||||
|
||||
if (cmdline.write_dg17_given)
|
||||
write_dg(card, 17, "Normal Place of Residence", cmdline.write_dg17_arg);
|
||||
if (cmdline.write_dg18_given)
|
||||
write_dg(card, 18, "Community ID", cmdline.write_dg18_arg);
|
||||
if (cmdline.write_dg19_given)
|
||||
write_dg(card, 19, "Residence Permit I", cmdline.write_dg19_arg);
|
||||
if (cmdline.write_dg20_given)
|
||||
write_dg(card, 20, "Residence Permit II", cmdline.write_dg20_arg);
|
||||
if (cmdline.write_dg21_given)
|
||||
write_dg(card, 21, "Optional Data", cmdline.write_dg21_arg);
|
||||
|
||||
if (cmdline.older_than_given) {
|
||||
unsigned char id_DateOfBirth[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 1};
|
||||
verify(card, "age", id_DateOfBirth, sizeof id_DateOfBirth);
|
||||
}
|
||||
if (cmdline.verify_validity_given) {
|
||||
unsigned char id_DateOfExpiry[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 2};
|
||||
verify(card, "validity", id_DateOfExpiry, sizeof id_DateOfExpiry);
|
||||
}
|
||||
if (cmdline.verify_community_given) {
|
||||
unsigned char id_CommunityID[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 3};
|
||||
verify(card, "community ID", id_CommunityID, sizeof id_CommunityID);
|
||||
}
|
||||
|
||||
if (cmdline.translate_given) {
|
||||
if (strncmp(cmdline.translate_arg, "stdin", strlen("stdin")) == 0)
|
||||
input = stdin;
|
||||
else {
|
||||
input = fopen(cmdline.translate_arg, "r");
|
||||
if (!input) {
|
||||
perror("Opening file with APDUs");
|
||||
r = SC_ERROR_INVALID_DATA;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
r = npa_translate_apdus(card, input);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
fclose(input);
|
||||
input = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
err:
|
||||
cmdline_parser_free(&cmdline);
|
||||
free(pace_output.ef_cardaccess);
|
||||
free(pace_output.recent_car);
|
||||
free(pace_output.previous_car);
|
||||
free(pace_output.id_icc);
|
||||
free(pace_output.id_pcd);
|
||||
if (ef_cardsecurity) {
|
||||
OPENSSL_cleanse(ef_cardsecurity, ef_cardsecurity_len);
|
||||
free(ef_cardsecurity);
|
||||
}
|
||||
if (input)
|
||||
fclose(input);
|
||||
if (certs) {
|
||||
i = 0;
|
||||
while (certs[i]) {
|
||||
free((unsigned char *) certs[i]);
|
||||
i++;
|
||||
}
|
||||
free(certs);
|
||||
}
|
||||
free(certs_lens);
|
||||
free(certs_chat);
|
||||
if (cvc_cert)
|
||||
CVC_CERT_free(cvc_cert);
|
||||
free(privkey);
|
||||
free(dg);
|
||||
if (templates)
|
||||
ASN1_AUXILIARY_DATA_free(templates);
|
||||
|
||||
sc_sm_stop(card);
|
||||
sc_reset(card, 1);
|
||||
sc_disconnect_card(card);
|
||||
sc_release_context(ctx);
|
||||
EAC_cleanup();
|
||||
|
||||
if (r < 0)
|
||||
fprintf(stderr, "Error: %s\n", sc_strerror(r));
|
||||
|
||||
return -r;
|
||||
}
|
||||
#else
|
||||
int
|
||||
main (int argc, char **argv)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
#endif
|
|
@ -0,0 +1,225 @@
|
|||
package "npa-tool"
|
||||
purpose "@PACKAGE_SUMMARY@"
|
||||
|
||||
option "reader" r
|
||||
"Number of the PC/SC reader to use (-1 for autodetect)"
|
||||
int
|
||||
default="-1"
|
||||
optional
|
||||
option "verbose" v
|
||||
"Use (several times) to be more verbose"
|
||||
multiple
|
||||
optional
|
||||
|
||||
section "Password Authenticated Connection Establishment (PACE)"
|
||||
option "pin" p
|
||||
"Run PACE with (transport) eID-PIN"
|
||||
string
|
||||
argoptional
|
||||
optional
|
||||
option "puk" u
|
||||
"Run PACE with PUK"
|
||||
string
|
||||
argoptional
|
||||
optional
|
||||
option "can" c
|
||||
"Run PACE with CAN"
|
||||
string
|
||||
argoptional
|
||||
optional
|
||||
option "mrz" m
|
||||
"Run PACE with MRZ (insert MRZ without newlines)"
|
||||
string
|
||||
argoptional
|
||||
optional
|
||||
option "env" -
|
||||
"Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this."
|
||||
flag off
|
||||
|
||||
section "PIN management"
|
||||
option "new-pin" N
|
||||
"Install a new PIN"
|
||||
string
|
||||
argoptional
|
||||
optional
|
||||
option "resume" R
|
||||
"Resume eID-PIN (uses CAN to activate last retry)"
|
||||
flag off
|
||||
option "unblock" U
|
||||
"Unblock PIN (uses PUK to activate three more retries)"
|
||||
flag off
|
||||
|
||||
section "Terminal Authentication (TA) and Chip Authentication (CA)"
|
||||
option "cv-certificate" C
|
||||
"Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important)."
|
||||
string
|
||||
typestr="FILENAME"
|
||||
optional
|
||||
multiple
|
||||
option "cert-desc" -
|
||||
"Certificate description to show for Terminal Authentication"
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
option "chat" -
|
||||
"Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser)."
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
option "auxiliary-data" A
|
||||
"Terminal's auxiliary data (default is determined by verification of validity, age and community ID)."
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
option "private-key" P
|
||||
"Terminal's private key"
|
||||
string
|
||||
typestr="FILENAME"
|
||||
optional
|
||||
option "cvc-dir" -
|
||||
"Where to look for the CVCA's certificate"
|
||||
string
|
||||
typestr="DIRECTORY"
|
||||
default="@CVCDIR@"
|
||||
optional
|
||||
option "x509-dir" -
|
||||
"Where to look for the CSCA's certificate"
|
||||
string
|
||||
typestr="DIRECTORY"
|
||||
default="@X509DIR@"
|
||||
optional
|
||||
option "disable-ta-checks" -
|
||||
"Disable checking the validity period of CV certifcates"
|
||||
flag off
|
||||
option "disable-ca-checks" -
|
||||
"Disable passive authentication"
|
||||
flag off
|
||||
|
||||
section "Read and write data groups"
|
||||
option "read-dg1" -
|
||||
"Read DG 1 (Document Type)"
|
||||
flag off
|
||||
option "read-dg2" -
|
||||
"Read DG 2 (Issuing State)"
|
||||
flag off
|
||||
option "read-dg3" -
|
||||
"Read DG 3 (Date of Expiry)"
|
||||
flag off
|
||||
option "read-dg4" -
|
||||
"Read DG 4 (Given Names)"
|
||||
flag off
|
||||
option "read-dg5" -
|
||||
"Read DG 5 (Family Names)"
|
||||
flag off
|
||||
option "read-dg6" -
|
||||
"Read DG 6 (Religious/Artistic Name)"
|
||||
flag off
|
||||
option "read-dg7" -
|
||||
"Read DG 7 (Academic Title)"
|
||||
flag off
|
||||
option "read-dg8" -
|
||||
"Read DG 8 (Date of Birth)"
|
||||
flag off
|
||||
option "read-dg9" -
|
||||
"Read DG 9 (Place of Birth)"
|
||||
flag off
|
||||
option "read-dg10" -
|
||||
"Read DG 10 (Nationality)"
|
||||
flag off
|
||||
option "read-dg11" -
|
||||
"Read DG 11 (Sex)"
|
||||
flag off
|
||||
option "read-dg12" -
|
||||
"Read DG 12 (Optional Data)"
|
||||
flag off
|
||||
option "read-dg13" -
|
||||
"Read DG 13 (Birth Name)"
|
||||
flag off
|
||||
option "read-dg14" -
|
||||
"Read DG 14"
|
||||
flag off
|
||||
option "read-dg15" -
|
||||
"Read DG 15"
|
||||
flag off
|
||||
option "read-dg16" -
|
||||
"Read DG 16"
|
||||
flag off
|
||||
option "read-dg17" -
|
||||
"Read DG 17 (Normal Place of Residence)"
|
||||
flag off
|
||||
option "read-dg18" -
|
||||
"Read DG 18 (Community ID)"
|
||||
flag off
|
||||
option "read-dg19" -
|
||||
"Read DG 19 (Residence Permit I)"
|
||||
flag off
|
||||
option "read-dg20" -
|
||||
"Read DG 20 (Residence Permit II)"
|
||||
flag off
|
||||
option "read-dg21" -
|
||||
"Read DG 21 (Optional Data)"
|
||||
flag off
|
||||
option "write-dg17" -
|
||||
"Write DG 17 (Normal Place of Residence)"
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
option "write-dg18" -
|
||||
"Write DG 18 (Community ID)"
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
option "write-dg19" -
|
||||
"Write DG 19 (Residence Permit I)"
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
option "write-dg20" -
|
||||
"Write DG 20 (Residence Permit II)"
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
option "write-dg21" -
|
||||
"Write DG 21 (Optional Data)"
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
|
||||
section "Verification of validity, age and community ID"
|
||||
option "verify-validity" -
|
||||
"Verify chip's validity with a reference date"
|
||||
string
|
||||
typestr="YYYYMMDD"
|
||||
optional
|
||||
option "older-than" -
|
||||
"Verify age with a reference date"
|
||||
string
|
||||
typestr="YYYYMMDD"
|
||||
optional
|
||||
option "verify-community" -
|
||||
"Verify community ID with a reference ID"
|
||||
string
|
||||
typestr="HEX_STRING"
|
||||
optional
|
||||
|
||||
section "Special options, not always useful"
|
||||
option "break" b
|
||||
"Brute force PIN, CAN or PUK. Use together with -p, -a or -u"
|
||||
flag off
|
||||
option "translate" t
|
||||
"File with APDUs of HEX_STRINGs to send through the secure channel"
|
||||
string
|
||||
typestr="FILENAME"
|
||||
default="stdin"
|
||||
optional
|
||||
option "tr-03110v201" -
|
||||
"Force compliance to BSI TR-03110 version 2.01"
|
||||
flag off
|
||||
option "disable-all-checks" -
|
||||
"Disable all checking of fly-by-data"
|
||||
flag off
|
||||
|
||||
text "
|
||||
Report bugs to @PACKAGE_BUGREPORT@
|
||||
|
||||
Written by Frank Morgner <frankmorgner@gmail.com>"
|
|
@ -0,0 +1,146 @@
|
|||
/*
|
||||
* Copyright (C) 2011 Frank Morgner
|
||||
*
|
||||
* This file is part of OpenSC.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, write to the Free Software
|
||||
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
*/
|
||||
|
||||
/* This example shows how to use the library functions perform_pace to
|
||||
* get a secure channel to the nPA. We use the builtin function npa_change_pin
|
||||
* to modify the PIN using the secure channel. Then we transmit an arbitrary
|
||||
* APDU encrypted and authenticated to the card using sm_transmit_apdu. */
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif
|
||||
|
||||
#ifdef ENABLE_OPENPACE
|
||||
#include "libopensc/sm.h"
|
||||
#include "sm/sm-iso.h"
|
||||
#include "sm/sm-eac.h"
|
||||
#include <string.h>
|
||||
|
||||
static const char *newpin = NULL;
|
||||
static const char *pin = NULL;
|
||||
|
||||
/* SELECT the Master File (MF) */
|
||||
const unsigned char apdubuf[] = {0x00, 0xA4, 0x00, 0x0C, 0x02, 0x3F, 0x00};
|
||||
|
||||
int
|
||||
main (int argc, char **argv)
|
||||
{
|
||||
/* Set up the environment */
|
||||
int r;
|
||||
|
||||
sc_context_t *ctx = NULL;
|
||||
sc_card_t *card = NULL;
|
||||
sc_reader_t *reader = NULL;
|
||||
|
||||
sc_apdu_t apdu;
|
||||
u8 buf[0xffff];
|
||||
|
||||
struct establish_pace_channel_input pace_input;
|
||||
struct establish_pace_channel_output pace_output;
|
||||
|
||||
memset(&pace_input, 0, sizeof pace_input);
|
||||
memset(&pace_output, 0, sizeof pace_output);
|
||||
|
||||
|
||||
/* Connect to a reader */
|
||||
r = sc_establish_context(&ctx, "example");
|
||||
if (r < 0 || !ctx) {
|
||||
fprintf(stderr, "Failed to create initial context: %s", sc_strerror(r));
|
||||
exit(1);
|
||||
}
|
||||
reader = sc_ctx_get_reader(ctx, 0);
|
||||
if (!reader) {
|
||||
fprintf(stderr, "Failed to access reader 0");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* Connect to a nPA */
|
||||
ctx->flags |= SC_CTX_FLAG_ENABLE_DEFAULT_DRIVER;
|
||||
if (sc_connect_card(reader, &card) < 0) {
|
||||
fprintf(stderr, "Could not connect to card\n");
|
||||
sc_release_context(ctx);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* initialize OpenPACE */
|
||||
EAC_init();
|
||||
|
||||
|
||||
/* Now we try to change the PIN. Therefor we need to establish a SM channel
|
||||
* with PACE.
|
||||
*
|
||||
* You could set your PIN with pin=“123456”; or just leave it at NULL to be
|
||||
* asked for it. The same applies to the new PIN newpin. */
|
||||
pace_input.pin_id = PACE_PIN;
|
||||
pace_input.pin = (unsigned char *) pin;
|
||||
pace_input.pin_length = pin ? strlen(pin) : 0;
|
||||
|
||||
r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Established PACE channel with PIN.\n");
|
||||
|
||||
r = npa_change_pin(card, newpin, newpin ? strlen(newpin) : 0);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
printf("Changed PIN.\n");
|
||||
|
||||
|
||||
/* Now we want to transmit additional APDUs in the established SM channel.
|
||||
*
|
||||
* Here we are parsing the raw apdu buffer apdubuf to be transformed into
|
||||
* an sc_apdu_t. Alternatively you could also set CLA, INS, P1, P2, ... by
|
||||
* hand in the sc_apdu_t object. */
|
||||
r = sc_bytes2apdu(ctx, apdubuf, sizeof apdubuf, &apdu);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
|
||||
/* write the response data to buf */
|
||||
apdu.resp = buf;
|
||||
apdu.resplen = sizeof buf;
|
||||
|
||||
/* Transmit the APDU with SM */
|
||||
r = sc_transmit_apdu(card, &apdu);
|
||||
|
||||
|
||||
err:
|
||||
fprintf(r < 0 ? stderr : stdout, "%s\n", sc_strerror(r));
|
||||
|
||||
/* Free up memory and wipe it if necessary (e.g. for keys stored in sm_ctx) */
|
||||
free(pace_output.ef_cardaccess);
|
||||
free(pace_output.recent_car);
|
||||
free(pace_output.previous_car);
|
||||
free(pace_output.id_icc);
|
||||
free(pace_output.id_pcd);
|
||||
|
||||
sc_sm_stop(card);
|
||||
sc_reset(card, 1);
|
||||
sc_disconnect_card(card);
|
||||
sc_release_context(ctx);
|
||||
EAC_cleanup();
|
||||
|
||||
return -r;
|
||||
}
|
||||
#else
|
||||
int
|
||||
main (int argc, char **argv)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
#endif
|
|
@ -48,7 +48,7 @@ OPENSSL_LIB = $(OPENSSL_DIR)\lib\VC\$(OPENSSL_STATIC_DIR)\libeay32MT.lib user32.
|
|||
!ENDIF
|
||||
|
||||
PROGRAMS_OPENSSL = cryptoflex-tool.exe pkcs15-init.exe netkey-tool.exe piv-tool.exe \
|
||||
westcos-tool.exe sc-hsm-tool.exe dnie-tool.exe gids-tool.exe
|
||||
westcos-tool.exe sc-hsm-tool.exe dnie-tool.exe gids-tool.exe npa-tool.exe
|
||||
OPENSC_FEATURES = $(OPENSC_FEATURES) openssl
|
||||
CANDLEFLAGS = -dOpenSSL="$(OPENSSL_DIR)" $(CANDLEFLAGS)
|
||||
!ENDIF
|
||||
|
@ -73,6 +73,19 @@ CANDLEFLAGS = -dzlib="C:\zlib-dll" $(CANDLEFLAGS)
|
|||
!ENDIF
|
||||
|
||||
|
||||
# If you want support for EAC:
|
||||
# - Download OpenPACE and
|
||||
# - uncomment the line starting with OPENPACE_DEF
|
||||
# - set the OPENPACE_INCL_DIR below to the OpenPACE include directory preceeded by "/I"
|
||||
# - set the OPENPACE_LIB below to your OpenPACE lib file
|
||||
#OPENPACE_DEF= /DENABLE_OPENPACE
|
||||
!IF "$(OPENPACE_DEF)" == "/DENABLE_OPENPACE"
|
||||
OPENPACE_DIR = C:\OpenPACE
|
||||
OPENPACE_INCL_DIR = /I$(OPENPACE_DIR)\include
|
||||
OPENPACE_LIB = $(OPENPACE_DIR)\lib\libeac.lib
|
||||
!ENDIF
|
||||
|
||||
|
||||
# Used for MiniDriver
|
||||
CNGSDK_INCL_DIR = "/I$(PROGRAMFILES_PATH)\Microsoft CNG Development Kit\Include"
|
||||
# Mandatory path to 'ISO C9x compliant stdint.h and inttypes.h for Microsoft Visual Studio'
|
||||
|
@ -83,15 +96,15 @@ CNGSDK_INCL_DIR = "/I$(PROGRAMFILES_PATH)\Microsoft CNG Development Kit\Include"
|
|||
# O1 - minimal code size
|
||||
CODE_OPTIMIZATION = /O1
|
||||
|
||||
ALL_INCLUDES = /I$(TOPDIR)\win32 /I$(TOPDIR)\src $(OPENSSL_INCL_DIR) $(OPENSSL_EXTRA_CFLAGS) $(ZLIB_INCL_DIR) $(LIBLTDL_INCL) $(INTTYPES_INCL_DIR) $(CNGSDK_INCL_DIR) $(WIX_INCL_DIR)
|
||||
ALL_INCLUDES = /I$(TOPDIR)\win32 /I$(TOPDIR)\src $(OPENPACE_INCL_DIR) $(OPENSSL_INCL_DIR) $(OPENSSL_EXTRA_CFLAGS) $(ZLIB_INCL_DIR) $(LIBLTDL_INCL) $(INTTYPES_INCL_DIR) $(CNGSDK_INCL_DIR) $(WIX_INCL_DIR)
|
||||
|
||||
!IF "$(DEBUG_DEF)" == "/DDEBUG"
|
||||
LINKDEBUGFLAGS = /NODEFAULTLIB:LIBCMT /DEBUG
|
||||
CODE_OPTIMIZATION =
|
||||
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MTd /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\"" /DDEBUG /Zi /Od
|
||||
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MTd /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENPACE_DEF) $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\"" /DDEBUG /Zi /Od
|
||||
!ELSE
|
||||
LINKDEBUGFLAGS = /NODEFAULTLIB:LIBCMTD
|
||||
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MT /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\""
|
||||
COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MT /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENPACE_DEF) $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\""
|
||||
!ENDIF
|
||||
|
||||
|
||||
|
|
|
@ -62,6 +62,9 @@
|
|||
<Directory Id="TARGETDIR" Name="SourceDir">
|
||||
<!-- Install critical DLL-s to system folder. NB! Id-s can not contain "-" characters! -->
|
||||
<Directory Id="$(var.PlatformSystemFolder)" Name=".">
|
||||
<Component Id="cardnpa.dll" Guid="*" Win64="$(var.Win64YesNo)">
|
||||
<File Source="$(var.SOURCE_DIR)\src\libopensc\cardnpa.dll" Vital="yes"/>
|
||||
</Component>
|
||||
<Component Id="opensc_pkcs11.dll" Guid="*" Win64="$(var.Win64YesNo)">
|
||||
<File Source="$(var.SOURCE_DIR)\src\pkcs11\opensc-pkcs11.dll" Vital="yes"/>
|
||||
</Component>
|
||||
|
@ -180,6 +183,9 @@
|
|||
<Component Id="gids_tool.exe" Guid="*" Win64="$(var.Win64YesNo)">
|
||||
<File Source="$(var.SOURCE_DIR)\src\tools\gids-tool.exe" Vital="yes"/>
|
||||
</Component>
|
||||
<Component Id="npa_tool.exe" Guid="*" Win64="$(var.Win64YesNo)">
|
||||
<File Source="$(var.SOURCE_DIR)\src\tools\npa-tool.exe" Vital="yes"/>
|
||||
</Component>
|
||||
<?endif ?>
|
||||
</Directory>
|
||||
<?ifdef OpenSSL ?>
|
||||
|
@ -296,6 +302,7 @@
|
|||
<Feature Id="Complete" Level="1" Title="OpenSC software suite" Display="expand">
|
||||
<Feature Id="OpenSC_core" Level="1" Title="OpenSC core library" Description="Core DLL and configuration file used by all other components." Absent="disallow">
|
||||
<ComponentRef Id="opensc.dll"/>
|
||||
<ComponentRef Id="cardnpa.dll"/>
|
||||
<?ifdef zlib ?>
|
||||
<ComponentRef Id="zlib1.dll"/>
|
||||
<?endif ?>
|
||||
|
@ -305,6 +312,7 @@
|
|||
<?endif ?>
|
||||
</Feature>
|
||||
<Feature Id="OpenSC_pkcs11" Level="1" Title="OpenSC PKCS#11 module" Description="PKCS#11 module usd by most open source and cross-platform software (like Firefox, Putty, TrueCrypt, OpenVPN etc)" TypicalDefault="install">
|
||||
<ComponentRef Id="cardnpa.dll"/>
|
||||
<ComponentRef Id="opensc_pkcs11.dll"/>
|
||||
<ComponentRef Id="onepin_opensc_pkcs11.dll"/>
|
||||
</Feature>
|
||||
|
@ -335,6 +343,7 @@
|
|||
<ComponentRef Id="sc_hsm_tool.exe"/>
|
||||
<ComponentRef Id="dnie_tool.exe"/>
|
||||
<ComponentRef Id="gids_tool.exe"/>
|
||||
<ComponentRef Id="npa_tool.exe"/>
|
||||
<ComponentRef Id="cyberflex.profile"/>
|
||||
<ComponentRef Id="flex.profile"/>
|
||||
<ComponentRef Id="gpk.profile"/>
|
||||
|
|
|
@ -90,6 +90,10 @@
|
|||
#define PACKAGE_VERSION "@PACKAGE_VERSION@"
|
||||
#endif
|
||||
|
||||
#ifndef VERSION
|
||||
#define VERSION PACKAGE_VERSION
|
||||
#endif
|
||||
|
||||
#ifndef PACKAGE_NAME
|
||||
#define PACKAGE_NAME "@PACKAGE_NAME@"
|
||||
#endif
|
||||
|
|
Loading…
Reference in New Issue