Vincent JARDIN
e93bd3983c
IASECC/Gemalto: add support
...
Add support for Gemalto's IAS ECC Dual ID One Cosmo using samples from:
http://cartesapuce-discount.com/fr/cartes-a-puce-ias-ecc/146-cartes-a-puce-protiva-ias-ecc-tpc.html
Some suppots were already available (ATR, init, etc.), but the
select_file was missing the proper cases.
2021-04-26 21:37:39 +02:00
Vincent JARDIN
e3a3722ad1
IASECC/CPX: Fix SDO path
...
Some objects need to be read from a specific path.
IASECC_SDO_PRVKEY_TAG: from 3F00:0001
IASECC_SDO_CHV_TAG: from 3F00
2021-04-26 15:55:17 +02:00
Vincent JARDIN
fcd2e665fe
IASECC/CPX: fix APDU errors for SE get data
...
On a CPX, this object needs to be read from 3F00.
For instance:
$ opensc-explorer -r 2
OpenSC [3F00]> cd 0002
OpenSC [3F00/0002]> apdu 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Sending: 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Received (SW1=0x6A, SW2=0x88)
Failure: Data object not found
OpenSC [3F00/0002]> apdu 00 A4 09 04 02 3F 00
Sending: 00 A4 09 04 02 3F 00
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/0002]> apdu 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Sending: 00 CB 3F FF 0A 4D 08 70 06 BF FB 05 02 7B 80
Received (SW1=0x90, SW2=0x00)
Success!
Currently, this patch limits to the CPX cards since I cannot know
the behaviour for the other cards. I could not find any reference
from the standard.
Fix: issue #2275
2021-04-26 15:55:17 +02:00
Vincent JARDIN
396cbc46cf
IASECC/CPX: set default flags
...
The CPX has the standard capabilities of the IASECC standard.
Let's be carefull with memory leakage, see the
previous commit 83162c5c8
Fix: issue #2270
2021-04-26 15:52:09 +02:00
Peter Marschall
344ac0abe6
iasec: use proper printf format specifiers for size_t
...
Do not hard-code the printf format specifier for size_t: use the macro instead.
This fixes compliation on 32-bit architectures.
2021-04-20 14:26:37 +02:00
Vincent JARDIN
1a3666364d
IASECC/CPX: Avoid APDU Incorrect Parameters
...
Without this patch, we would get from the logs:
Outgoing APDU (18 bytes):
00 A4 04 00 0D E8 28 BD 08 0F 80 25 00 00 01 FF ......(....%....
00 10 ..
[opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
[opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
6A 86 j.
[opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
[opensc-pkcs11] apdu.c:537:sc_transmit: returning with: 0 (Success)
[opensc-pkcs11] card.c:523:sc_unlock: called
[opensc-pkcs11] iso7816.c:128:iso7816_check_sw: Incorrect parameters P1-P2
[opensc-pkcs11] card-iasecc.c:1064:iasecc_select_file: Warning: SC_ERROR_INCORRECT_PARAMETERS for SC_PATH_TYPE_DF_NAME, try again with P2=0x0C
[opensc-pkcs11] apdu.c:548:sc_transmit_apdu: called
[opensc-pkcs11] card.c:473:sc_lock: called
[opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
[opensc-pkcs11] apdu.c:515:sc_transmit: called
[opensc-pkcs11] apdu.c:363:sc_single_transmit: called
[opensc-pkcs11] apdu.c:367:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:C, data(13) 0x7fff4b339b20
[opensc-pkcs11] reader-pcsc.c:323:pcsc_transmit: reader 'Ingenico TL TELIUM (25005334) 00 02'
[opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
Outgoing APDU (18 bytes):
00 A4 04 0C 0D E8 28 BD 08 0F 80 25 00 00 01 FF ......(....%....
00 10 ..
[opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
[opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
90 00 ..
Let's align it with the behaviour of the other IASECC cards.
2021-04-01 11:11:33 +02:00
Vincent JARDIN
0df0f80b55
IASECC: log any APDU Incorrect parameters
...
From the logs, we can detect many 6A 86 (Incorrect P1 or P2 paremeters).
A deeper analysis will be required, but the best option to check them
is to start emitting any Warning for such events.
2021-04-01 11:11:33 +02:00
Frank Morgner
83162c5c87
fixed memory leak
...
fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32324
sc_enum_apps() causes card->cache.current_ef to be allocated for
IAS/ECC, but not freed if any other error occurs during initialization.
since sc_enum_apps() is called anyway during PKCS#15 initialization.
Having this at the card driver level (instead of the PKCS#15 level) is
not needed.
2021-03-24 23:27:01 +01:00
Vincent JARDIN
b18234a7d9
iasecc: Fix ACLs support when length is 6 ( #2264 )
...
* IASECC: offset is a size_t
Let's use a size_t for the offset in order to have a proper logic
along with the related arithmetics.
Fix: part if issue #2262
Suggested-by: Frank Morgner <frankmorgner@gmail.com>
* iasecc: Fix ACLs support when length is 6
ACLs with length < 6 are allowed, depending on the mask of the offset 0.
For instance, when the offset 0 is 0x7B, then length can be up to 7
when the offset 0 is 0x7A, the loop was never performing any access to
the acls[7] thanks to:
if (!(mask & acls[0]))
continue;
However, the oss-fuzz tools cannot guess such behavior. So let's have a
robust boundary check.
Fix: issue #2262
Fix: ae1cf0be90
'Prevent stack buffer overflow when empty ACL is returned'
Co-authored-by: Vincent JARDIN <vjardin@free.fr>
Co-authored-by: Frank Morgner <frankmorgner@gmail.com>
2021-03-22 13:08:28 +01:00
Vincent JARDIN
fc0df4e5d5
IASECC/CPX: revert removal of 3F00 from the path
...
Few years ago, the commit 03628449b7
did squash the 3F00nnnn path to nnnn. For instance, 3F002F00
becomes 2F00. It is an issue such as:
00000200 [139681798813440] APDU: 00 A4 09 04 02 2F 00
00029790 [139681798813440] SW: 6A 82
Fix: issue #2231
2021-03-17 10:58:20 +01:00
Vincent JARDIN
76507508d7
IASECC/CPX: code factorization
...
There are two flavours of CPX cards:
- contact mode,
- contactless mode
2021-03-17 10:58:20 +01:00
Vincent JARDIN
20f359ea04
IASECC/CPX: SC_PATH_TYPE_FILE_ID, wrong APDU
...
For SC_PATH_TYPE_FILE_ID, P2 should be 0x04, if not,
then we get the following errors:
[opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
Outgoing APDU (7 bytes):
00 A4 02 00 02 A0 01 .......
[opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
[opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
6A 86 j.
[opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
[opensc-pkcs11] apdu.c:535:sc_transmit: returning with: 0 (Success)
[opensc-pkcs11] card.c:523:sc_unlock: called
[opensc-pkcs11] iso7816.c:128:iso7816_check_sw: Incorrect parameters P1-P2
[opensc-pkcs11] card-iasecc.c:1107:iasecc_select_file: iasecc_select_file() check SW failed: -1205 (Incorrect parameters in APDU)
[opensc-pkcs11] card.c:866:sc_select_file: 'SELECT' error: -1205 (Incorrect parameters in APDU)
when running:
./pkcs11-tool --test --login --pin abcd
2021-03-17 10:58:20 +01:00
Vincent JARDIN
6efd7b3029
IASECC: send/recv from EF.ATR
...
Log the send/recv data extracted from the EF.ATR (2F01).
2021-03-17 10:58:20 +01:00
Vincent JARDIN
41edcaa413
IASECC/CPX: proper set of RSA support
...
The previous commit was over simplified. According to the known
mechanism, we should have the following scope:
./pkcs11-tool --module ../lib/onepin-opensc-pkcs11.so -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-X-509, keySize={512,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
SHA256-RSA-PKCS, keySize={512,2048}, sign, verify
RSA-PKCS-PSS, keySize={512,2048}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={512,2048}, sign, verify
SHA256-RSA-PKCS-PSS, keySize={512,2048}, sign, verify
do not use the default flags yet:
_sc_card_add_rsa_alg(card, 1024, IASECC_CARD_DEFAULT_FLAGS, 0x10001);
_sc_card_add_rsa_alg(card, 2048, IASECC_CARD_DEFAULT_FLAGS, 0x10001);
_sc_card_add_rsa_alg(card, 512, IASECC_CARD_DEFAULT_FLAGS, 0x10001);
Contactless specific behaviour shall be added later on.
2021-03-17 10:58:20 +01:00
Vincent JARDIN
7cd713d15d
IASECC/CPX: enable RSA algorithms
...
Without this fix, we get:
./pkcs11-tool --module ../lib/onepin-opensc-pkcs11.so -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
Once we include it, we get:
./pkcs11-tool --module ../lib/onepin-opensc-pkcs11.so -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
SHA-1, digest
SHA224, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-9796, keySize={1024,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
2021-03-17 10:58:20 +01:00
Vincent JARDIN
560692221b
IASECC/CPX: file selection and app enumeration
...
Thanks to this commit, we get the full support of:
- ./opensc-explore
cd 0001
asn1 2F00
- ./pkcs11-tool -O
- etc.
2021-03-17 10:58:20 +01:00
Vincent JARDIN
acb8822444
IASECC: Add support for CPx cards
...
The French CPx Healthcare cards are designed to support the IASECC
standard.
2021-03-17 10:58:20 +01:00
Jakub Jelen
ae1cf0be90
iasecc: Prevent stack buffer overflow when empty ACL is returned
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800
2021-02-25 09:08:52 +01:00
Vincent JARDIN
66e5600b27
IASECC: log AID selection
...
Record the selection of the AID for better debugging
2021-02-05 12:09:20 +01:00
Jakub Jelen
03cbf91be5
iasecc: Avoid another memory leak
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29456
2021-01-22 19:07:05 +01:00
Zoltan Kelemen
bad74e1ed6
Enabled code for using PUK reference for PIN unblock, when available.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
ba76bc0239
Improved syntactic readability without any change in functionality.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
c903ddfce1
Fixed bounds checking and enabled the function again.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
163b69e6a7
Change ADF selection to return FCP for Oberthur cards. No need to simulate
...
since it is supported.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
3331a7f134
Fix MF selection APDU to use 0x0c in P2 (no data). The previous value of 0x00
...
is invalid according to IAS-ECC and resulted in 6A 86 on the Oberthur
cards that we tested with.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
471468260e
Improved PIN unblock function:
...
- Uses PIN padding from merged policy
- Added PIN-pad support
- Use ISO 7816 layer to avoid code duplication
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
79e81eeef0
Improved PIN change function:
...
- Uses PIN padding from merged policy
- Improved PIN-pad logic and merged here from separate function
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
5ae488c1b9
Improved PIN verification function:
...
- Uses PIN padding from merged policy
- Moved PIN-pad logic into this function instead of keeping separate
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
d0b3e90431
Simlified low-level CHV verification function:
...
- Removed special PIN-pad case, moving logic into high-level function.
- Use ISO 7816 layer to avoid code duplication.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
8c2d629f94
Functions used to control PIN padding and PIN pad use:
...
- Use PIN padding information when provided by upper layers
- Enable PIN padding at card level when min/max len set to same, nonzero value
- Allow PIN-pad use to be dynamically selected for each PIN
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
ca911e342c
Improved PIN info retrieval, now returning verification status, and attempts
...
left even when previously not available (due to card not providing it in the
SDO).
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
19063932f0
Simplified PIN policy retrieval to only read the data that is actually needed,
...
excluding the CRT info from the SE-SDO, which is not guaranteed to be
available in all card types.
Use an explicit PIN policy structure type instead of keeping the info in the
sc_pin_cmd_data, since this type of info is only used privately in the card
driver.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
741ee73ec9
Add generic function for PIN status retrieval, for subsequent use (among
...
others intended to replace iasecc_pin_is_verified).
Base it on functionality in the ISO 7816 layer to avoid code duplication.
2020-07-22 22:57:23 +02:00
Zoltan Kelemen
7ed876c816
Added ATR mask for Idemia (Oberthur) IAS-ECC card to recognize Cosmo V8 cards.
2020-07-22 22:57:23 +02:00
Frank Morgner
a7d563b657
Merge branch 'master' into recursion
2020-05-11 18:45:36 +02:00
Jakub Jelen
1ddef2cd15
iasecc: Avoid memory leak on error
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21297
2020-04-06 17:56:28 +02:00
Jakub Jelen
7bfca52bab
iasecc: Free old driver data if the driver was initialized correctly
...
CID: 354007
2020-03-04 21:27:56 +01:00
Jakub Jelen
9c0a7adbfc
iasecc: Avoid memory leaks on error
...
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20700
2020-03-04 21:27:56 +01:00
Frank Morgner
6c855c561c
fixed memory leak
...
fixes https://oss-fuzz.com/testcase-detail/5739164513599488
2020-02-12 04:48:40 +01:00
Frank Morgner
70baccbe95
iso7816_*_sfid: return the number of bytes processed
2020-01-31 15:04:31 +01:00
Frank Morgner
8d7092c0cb
13598 Unchecked return value
2019-11-05 21:49:30 +01:00
Frank Morgner
b7b501d0a5
fixed issues reported by clang-analyzer
2019-05-21 19:34:46 +02:00
Frank Morgner
85485eb9b0
fixed unused assignments
2019-02-14 09:22:23 +01:00
Frank Morgner
fdb0e6d581
Fixed Potential leak of memory
2019-02-14 09:22:23 +01:00
Frank Morgner
7a7ff50422
fixed memory leaks during card initialization
2019-01-30 21:57:59 +01:00
Jakub Jelen
74105300bf
card-iasecc: Avoid memory leaks on failure
2018-10-01 23:07:34 +02:00
Priit Laes
1f06a76b1a
openssl: Bump openssl requirement to 0.9.8
2018-09-14 08:21:40 +02:00
Frank Morgner
db438f61c1
ias/ecc: fixed GET CHALLENGE
2018-08-24 13:59:03 +02:00
Frank Morgner
94f9fdf145
ias/ecc: fixed card detection
...
regression of 439a95f2d
2018-08-24 13:51:15 +02:00
Frank Morgner
5daec17e32
ias/ecc: ignore missing serial on card initialization
...
fixes problem in card detection introduced in
50b000047c
2018-08-24 13:50:53 +02:00