From ba19a467e4b60cd51e458a15a3bcb21f14ab32bc Mon Sep 17 00:00:00 2001 From: Frank Morgner Date: Mon, 22 Jul 2019 13:05:32 +0200 Subject: [PATCH] Rutoken Lite (#1728) * card-rtecp: Add Rutoken Lite * avoid seperate rutoken lite driver * added rutoken lite to minidriver closes #1722 --- src/libopensc/card-rtecp.c | 30 ++++- src/libopensc/cards.h | 2 + src/pkcs15init/Makefile.am | 1 + src/pkcs15init/pkcs15-lib.c | 1 + src/pkcs15init/rutoken_lite.profile | 202 ++++++++++++++++++++++++++++ win32/OpenSC.wxs.in | 4 + win32/customactions.cpp | 4 + 7 files changed, 239 insertions(+), 5 deletions(-) create mode 100644 src/pkcs15init/rutoken_lite.profile diff --git a/src/libopensc/card-rtecp.c b/src/libopensc/card-rtecp.c index bff77be0..eae1ff65 100644 --- a/src/libopensc/card-rtecp.c +++ b/src/libopensc/card-rtecp.c @@ -1,5 +1,5 @@ /* - * card-rtecp.c: Support for Rutoken ECP cards + * card-rtecp.c: Support for Rutoken ECP and Rutoken Lite cards * * Copyright (C) 2009 Aleksey Samsonov * @@ -35,7 +35,7 @@ static const struct sc_card_operations *iso_ops = NULL; static struct sc_card_operations rtecp_ops; static struct sc_card_driver rtecp_drv = { - "Rutoken ECP driver", + "Rutoken ECP and Lite driver", "rutoken_ecp", &rtecp_ops, NULL, 0, NULL @@ -56,6 +56,13 @@ static const struct sc_atr_table rtecp_atrs[] = { { "3B:9C:94:80:11:40:52:75:74:6F:6B:65:6E:45:43:50:73:63:C3", "00:00:00:00:00:00:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:00", "Rutoken ECP SC", SC_CARD_TYPE_RUTOKEN_ECP_SC, 0, NULL }, + /* Rutoken Lite */ + { "3B:8B:01:52:75:74:6F:6B:65:6E:6C:69:74:65:C2", + NULL, "Rutoken Lite", SC_CARD_TYPE_RUTOKEN_LITE, 0, NULL }, + /* Rutoken Lite SC*/ + { "3B:9E:96:00:52:75:74:6F:6B:65:6E:4C:69:74:65:53:43:32", + "00:00:00:00:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF", + "Rutoken Lite SC", SC_CARD_TYPE_RUTOKEN_LITE_SC, 0, NULL }, { NULL, NULL, NULL, 0, 0, NULL } }; @@ -76,9 +83,14 @@ static int rtecp_init(sc_card_t *card) unsigned long flags; assert(card && card->ctx); - card->caps |= SC_CARD_CAP_RNG; card->cla = 0; + if (card->type == SC_CARD_TYPE_RUTOKEN_LITE + || card->type == SC_CARD_TYPE_RUTOKEN_LITE_SC) + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, 0); + + card->caps |= SC_CARD_CAP_RNG; + flags = SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_ONBOARD_KEY_GEN | SC_ALGORITHM_RSA_PAD_NONE | SC_ALGORITHM_RSA_HASH_NONE; @@ -422,6 +434,11 @@ static int rtecp_decipher(sc_card_t *card, int r; assert(card && card->ctx && data && out); + + if (card->type == SC_CARD_TYPE_RUTOKEN_LITE + || card->type == SC_CARD_TYPE_RUTOKEN_LITE_SC) + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NOT_SUPPORTED); + /* decipher */ r = rtecp_cipher(card, data, data_len, out, out_len, 0); SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r); @@ -433,6 +450,11 @@ static int rtecp_compute_signature(sc_card_t *card, int r; assert(card && card->ctx && data && out); + + if (card->type == SC_CARD_TYPE_RUTOKEN_LITE + || card->type == SC_CARD_TYPE_RUTOKEN_LITE_SC) + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NOT_SUPPORTED); + /* compute digital signature */ r = rtecp_cipher(card, data, data_len, out, out_len, 1); SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, r); @@ -811,7 +833,5 @@ struct sc_card_driver * sc_get_rtecp_driver(void) /* process_fci */ rtecp_ops.construct_fci = rtecp_construct_fci; rtecp_ops.pin_cmd = NULL; - return &rtecp_drv; } - diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h index 55f91a79..39cb2a67 100644 --- a/src/libopensc/cards.h +++ b/src/libopensc/cards.h @@ -257,6 +257,8 @@ enum { SC_CARD_TYPE_RUTOKENS = 36000, SC_CARD_TYPE_RUTOKEN_ECP, SC_CARD_TYPE_RUTOKEN_ECP_SC, + SC_CARD_TYPE_RUTOKEN_LITE, + SC_CARD_TYPE_RUTOKEN_LITE_SC, }; extern sc_card_driver_t *sc_get_default_driver(void); diff --git a/src/pkcs15init/Makefile.am b/src/pkcs15init/Makefile.am index eadf8df1..1ff594c0 100644 --- a/src/pkcs15init/Makefile.am +++ b/src/pkcs15init/Makefile.am @@ -23,6 +23,7 @@ dist_pkgdata_DATA = \ entersafe.profile \ epass2003.profile \ rutoken_ecp.profile \ + rutoken_lite.profile \ westcos.profile \ myeid.profile \ authentic.profile \ diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c index 6b4c72ed..bcc54bd9 100644 --- a/src/pkcs15init/pkcs15-lib.c +++ b/src/pkcs15init/pkcs15-lib.c @@ -157,6 +157,7 @@ static struct profile_operations { { "entersafe",(void*) sc_pkcs15init_get_entersafe_ops }, { "epass2003",(void*) sc_pkcs15init_get_epass2003_ops }, { "rutoken_ecp", (void *) sc_pkcs15init_get_rtecp_ops }, + { "rutoken_lite", (void *) sc_pkcs15init_get_rtecp_ops }, { "westcos", (void *) sc_pkcs15init_get_westcos_ops }, { "myeid", (void *) sc_pkcs15init_get_myeid_ops }, { "sc-hsm", (void *) sc_pkcs15init_get_sc_hsm_ops }, diff --git a/src/pkcs15init/rutoken_lite.profile b/src/pkcs15init/rutoken_lite.profile new file mode 100644 index 00000000..60c924e1 --- /dev/null +++ b/src/pkcs15init/rutoken_lite.profile @@ -0,0 +1,202 @@ +# +# PKCS15 profile, generic information. +# This profile is loaded before any card specific profile. +# + +cardinfo { + label = "Rutoken Lite"; + manufacturer = "Aktiv Co."; + + max-pin-length = 32; + min-pin-length = 1; + pin-encoding = ascii-numeric; +} + +# +# The following controls some aspects of the PKCS15 we put onto +# the card. +# +pkcs15 { + # Put certificates into the CDF itself? + direct-certificates = no; + # Put the DF length into the ODF file? + encode-df-length = no; + # Have a lastUpdate field in the EF(TokenInfo)? + do-last-update = yes; + + pkcs15-id-style = mozilla; +} + +# Default settings. +# This option block will always be processed. +option default { + macros { + ti-size = 128; + odf-size = 128; + aodf-size = 256; + dodf-size = 2048; + cdf-size = 2048; + prkdf-size = 2048; + pukdf-size = 2048; + } +} + +# Define reasonable limits for PINs and PUK +# Note that we do not set a file path or reference +# for the user pin; that is done dynamically. +PIN user-pin { + auth-id = 2; + reference = 2; + attempts = 5; + min-length = 4; + max-length = 32; + flags = case-sensitive, initialized; +} +PIN user-puk { + min-length = 0; + max-length = 0; +} + +PIN so-pin { + auth-id = 1; + reference = 1; + attempts = 10; + min-length = 8; + max-length = 32; + flags = case-sensitive, initialized, soPin; +} +PIN so-puk { + min-length = 0; + max-length = 0; +} + +filesystem { + EF CHV2 { + file-id = 0002; + ACL = *=NEVER, UPDATE=$SOPIN, PIN-RESET=$SOPIN; + } + + DF MF { + path = 3F00; + type = DF; + acl = *=NEVER, SELECT=NONE, DELETE=NEVER, CREATE=CHV2, READ=NONE; + + DF Sys-DF { + file-id = 1000; + + DF SysKey-DF { + file-id = 1000; + } + + DF Resrv1-DF { + file-id = 1001; + } + DF Resrv2-DF { + file-id = 1002; + } + DF Resrv3-DF { + file-id = 1003; + } + DF Resrv4-DF { + file-id = 1004; + } + } + + EF DIR { + type = EF; + file-id = 2F00; + size = 128; + acl = *=NEVER, READ=NONE, UPDATE=CHV1, WRITE=CHV1, DELETE=CHV1; + } + + # Here comes the application DF + DF PKCS15-AppDF { + type = DF; + file-id = 5000; + acl = *=NONE, DELETE=CHV2; + + EF PKCS15-ODF { + file-id = 5031; + size = $odf-size; + acl = *=NONE, DELETE=$SOPIN; + } + + EF PKCS15-TokenInfo { + file-id = 5032; + size = $ti-size; + acl = *=NONE, DELETE=CHV2; + } + + EF PKCS15-AODF { + file-id = 6005; + size = $aodf-size; + acl = *=NEVER, READ=NONE, UPDATE=$SOPIN, WRITE=$SOPIN, DELETE=$SOPIN; + } + + EF PKCS15-PrKDF { + file-id = 6002; + size = $prkdf-size; + acl = *=NEVER, READ=NONE, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + EF PKCS15-PuKDF { + file-id = 6001; + size = $pukdf-size; + acl = *=NEVER, READ=NONE, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + EF PKCS15-CDF { + file-id = 6004; + size = $cdf-size; + acl = *=NEVER, READ=NONE, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + EF PKCS15-DODF { + file-id = 6006; + size = $dodf-size; + acl = *=NEVER, READ=NONE, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + # This template defines files for keys, certificates etc. + # + # When instantiating the template, each file id will be + # combined with the last octet of the object's pkcs15 id + # to form a unique file ID. + template key-domain { + EF private-key { + file-id = 0100; + structure = transparent; + acl = *=NEVER, READ=$PIN, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + EF public-key { + file-id = 0200; + structure = transparent; + acl = *=NEVER, READ=NONE, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + # Certificate template + EF certificate { + file-id = 0300; + structure = transparent; + acl = *=NEVER, READ=NONE, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + # data objects are stored in transparent EFs. + EF data { + file-id = 0400; + structure = transparent; + acl = *=NEVER, READ=NONE, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + + # private data objects are stored in transparent EFs. + EF privdata { + file-id = 0500; + structure = transparent; + acl = *=NEVER, READ=$PIN, UPDATE=$PIN, WRITE=$PIN, DELETE=$PIN; + } + } + } + } +} + diff --git a/win32/OpenSC.wxs.in b/win32/OpenSC.wxs.in index 09ab5336..63284f3f 100644 --- a/win32/OpenSC.wxs.in +++ b/win32/OpenSC.wxs.in @@ -282,6 +282,9 @@ + + + @@ -424,6 +427,7 @@ + diff --git a/win32/customactions.cpp b/win32/customactions.cpp index 680d48d7..c7bae1e3 100644 --- a/win32/customactions.cpp +++ b/win32/customactions.cpp @@ -173,6 +173,10 @@ MD_REGISTRATION minidriver_registration[] = { 16, {0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}}, {TEXT("Rutoken ECP SC"), {0x3B,0x9C,0x94,0x80,0x11,0x40,0x52,0x75,0x74,0x6F,0x6B,0x65,0x6E,0x45,0x43,0x50,0x73,0x63,0xC3}, 19, {0x00,0x00,0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x00}}, + {TEXT("Rutoken Lite"), {0x3B,0x8B,0x01,0x52,0x75,0x74,0x6F,0x6B,0x65,0x6E,0x6C,0x69,0x74,0x65,0xC2}, + 15, {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}}, + {TEXT("Rutoken Lite SC"), {0x3B,0x8B,0x01,0x52,0x75,0x74,0x6F,0x6B,0x65,0x6E,0x6C,0x69,0x74,0x65,0xC2}, + 15, {0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}}, };