Skip authentication if card access control mechanism is not active.

Depending on the "lifecycle" of the file, we may omit the authentication operation. Typically if the card is in initialization or creation state, the access control mechanism is inactive. If authentification can be skiped, the card driver is responsible for setting the "acl_inactive" variable in sc_file structure.
2021-03-05 08:59:48 +01:00 · 2021-03-05 08:59:48 +01:00 · f46b617397
parent 8e614bfe6e
commit f46b617397
3 changed files with 18 additions and 17 deletions
--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
@ -43,9 +43,6 @@
 #define LOAD_KEY_EC_PRIVATE		0x1087
 #define LOAD_KEY_SYMMETRIC		0x20a0

-#define MYEID_STATE_CREATION		0x01
-#define MYEID_STATE_ACTIVATED		0x07
-
 #define MYEID_CARD_NAME_MAX_LEN		100

 /* The following flags define the features supported by the card currently in use.
@ -475,20 +472,18 @@ static int myeid_process_fci(struct sc_card *card, struct sc_file *file,
 		sc_log(card->ctx, "id (%X) sec_attr (%X %X %X)", file->id,
 			file->sec_attr[0],file->sec_attr[1],file->sec_attr[2]);
 	}
-	tag = sc_asn1_find_tag(NULL, buf, buflen, 0x8A, &taglen);
-	if (tag != NULL && taglen > 0)
-	{
-		if(tag[0] == MYEID_STATE_CREATION) {
-			file->status = SC_FILE_STATUS_CREATION;
-			sc_log(card->ctx, "File id (%X) status SC_FILE_STATUS_CREATION (0x%X)",
-					file->id, tag[0]);
-		}
-		else if(tag[0] == MYEID_STATE_ACTIVATED) {
-			file->status = SC_FILE_STATUS_ACTIVATED;
-			sc_log(card->ctx, "File id (%X) status SC_FILE_STATUS_ACTIVATED (0x%X)",
-					file->id, tag[0]);
-		}
-		priv->card_state = file->status;
+
+	priv->card_state = file->status;
+	switch (file->status) {
+		case SC_FILE_STATUS_CREATION:
+			file->acl_inactive = 1;
+			sc_log(card->ctx, "File id (%X) status SC_FILE_STATUS_CREATION", file->id);
+			break;
+		case SC_FILE_STATUS_ACTIVATED:
+			sc_log(card->ctx, "File id (%X) status SC_FILE_STATUS_ACTIVATED", file->id);
+			break;
+		default:
+			sc_log(card->ctx, "File id (%X) unusual status (0x%X)", file->id, file->status);
 	}

 	LOG_FUNC_RETURN(card->ctx, 0);
--- a/src/libopensc/types.h
+++ b/src/libopensc/types.h
@ -257,6 +257,7 @@ typedef struct sc_file {
 	int id;		/* file identifier (2 bytes) */
 	int sid;	/* short EF identifier (1 byte) */
 	struct sc_acl_entry *acl[SC_MAX_AC_OPS]; /* Access Control List */
+	int acl_inactive;                        /* if set, the card access control mechanism is not active */

 	size_t record_length; /* max. length in case of record-oriented EF */
 	size_t record_count;  /* Valid, if not transparent EF or DF */
--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
@ -3851,6 +3851,11 @@ sc_pkcs15init_authenticate(struct sc_profile *profile, struct sc_pkcs15_card *p1
 	assert(file != NULL);
 	sc_log(ctx, "path '%s', op=%u", sc_print_path(&file->path), op);

+	if (file->acl_inactive) {
+		sc_log(ctx, "access control mechanism is not active (always allowed)");
+		LOG_FUNC_RETURN(ctx, r);
+	}
+
 	if (p15card->card->caps & SC_CARD_CAP_USE_FCI_AC) {
 		r = sc_select_file(p15card->card, &file->path, &file_tmp);
 		LOG_TEST_RET(ctx, r, "Authentication failed: cannot select file.");