From ced77ae6c7360914e746178b369561ad7fac84dc Mon Sep 17 00:00:00 2001
From: Pedro Martelletto
Date: Tue, 17 Feb 2015 17:14:40 +0100
Subject: [PATCH] cardos: overwrite content of deleted private key when deleting a private key object, overwrite its contents so the key can no longer be used. (VTA: original commit touched to use LOG macros and add debug logs)
---
 src/pkcs15init/pkcs15-cardos.c | 58 +++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)
diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
index 160b975b..63f32a85 100644
--- a/src/pkcs15init/pkcs15-cardos.c
+++ b/src/pkcs15init/pkcs15-cardos.c
@@ -402,6 +402,62 @@ out:
 return r;
 }
+/*
+ * Object deletion.
+ */
+static int
+cardos_delete_object(sc_profile_t *profile, struct sc_pkcs15_card *p15card,
+ struct sc_pkcs15_object *obj, const struct sc_path *path)
+{
+ int r, stored_in_ef = 0, algorithm = 0;
+ size_t keybits;
+ sc_file_t *file = NULL;
+ struct sc_pkcs15_prkey_info *key_info;
+ struct sc_pkcs15_prkey_rsa key_obj;
+ struct sc_context *ctx = p15card->card->ctx;
+ uint8_t abignum[256];
+
+ LOG_FUNC_CALLED(ctx);
+ /*
+ * If we are deleting a private key, overwrite it so it can't be used.
+ */
+ if ((obj->type & SC_PKCS15_TYPE_CLASS_MASK) == SC_PKCS15_TYPE_PRKEY) {
+ key_info = obj->data;
+ keybits = key_info->modulus_length & ~7UL;
+ init_key_object(&key_obj, abignum, keybits >> 3);
+ r = cardos_key_algorithm(key_info->usage, keybits, &algorithm);
+ LOG_TEST_RET(ctx, r, "cardos_key_algorithm failed");
+
+ r = sc_select_file(p15card->card, &key_info->path, &file);
+ LOG_TEST_RET(ctx, r, "Failed to store key: cannot select parent DF");
+
+ r = sc_pkcs15init_authenticate(profile, p15card, file, SC_AC_OP_UPDATE);
+ sc_file_free(file);
+ LOG_TEST_RET(ctx, r, "Failed to store key: UPDATE authentication failed");
+
+ r = cardos_put_key(profile, p15card, algorithm, key_info, &key_obj);
+ LOG_TEST_RET(ctx, r, "cardos_put_key failed");
+ }
+
+ /* Delete object from the PKCS15 file system. */
+ if (path->len || path->aid.len) {
+ r = sc_select_file(p15card->card, path, &file);
+ if (r != SC_ERROR_FILE_NOT_FOUND)
+ LOG_TEST_RET(ctx, r, "select object path failed");
+
+ stored_in_ef = (file->type != SC_FILE_TYPE_DF);
+ sc_file_free(file);
+ }
+
+ /* If the object is stored in a normal EF, try to delete the EF. */
+ if (r == SC_SUCCESS && stored_in_ef) {
+ r = sc_pkcs15init_delete_by_path(profile, p15card, path);
+ LOG_TEST_RET(ctx, r, "Failed to delete object by path");
+ }
+
+ LOG_FUNC_RETURN(ctx, SC_SUCCESS);
+}
+
 /*
 * Store a PIN or PUK
 */
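Review bot: `stored_in_ef = (file->type != SC_FILE_TYPE_DF);` is still executed when `sc_select_file(p15card->card, path, &file)` returns SC_ERROR_FILE_NOT_FOUND, and at that point `file` is either still NULL or, if the private-key branch ran first, the pointer already handed to `sc_file_free`, so the not-found case dereferences a null or freed pointer instead of acting as the "already gone" shortcut the check implies. `r` is also read uninitialized in `if (r == SC_SUCCESS && stored_in_ef)` when neither earlier branch assigned it; declaring `int r = SC_SUCCESS, stored_in_ef = 0, algorithm = 0;` and restructuring the select as below covers both. Separately, `abignum` holds 256 bytes but `keybits >> 3` goes to `init_key_object` unchecked; if that helper (not visible here) points the key material at `abignum`, a modulus longer than 2048 bits makes `cardos_put_key` read past the buffer, so a guard like `if (keybits > 8 * sizeof abignum) LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);` before the call is worth adding. The "Failed to store key: …" messages copied from the store path will also mislead anyone reading a log of a failed delete.
```c
	/* Delete object from the PKCS15 file system. */
	if (path->len || path->aid.len) {
		file = NULL;	/* do not reuse the pointer freed above */
		r = sc_select_file(p15card->card, path, &file);
		if (r == SC_ERROR_FILE_NOT_FOUND) {
			/* Nothing left on the card at this path; treat as already deleted. */
			r = SC_SUCCESS;
		} else {
			LOG_TEST_RET(ctx, r, "select object path failed");
			stored_in_ef = (file->type != SC_FILE_TYPE_DF);
			sc_file_free(file);
		}
	}
	/* … unchanged: delete-by-path and LOG_FUNC_RETURN … */
```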
@@ -851,7 +907,7 @@ static struct sc_pkcs15init_operations sc_pkcs15init_cardos_operations = {
 cardos_generate_key,
 NULL, NULL, /* encode private/public key */
 NULL, /* finalize_card */
- NULL, /* delete_object */
+ cardos_delete_object,
 NULL, NULL, NULL, NULL, NULL, /* pkcs15init emulation */
 NULL /* sanity_check */
 };