378 lines
11 KiB
C
378 lines
11 KiB
C
/*
|
|
* card-masktech.c: Support for Masktech smart cards using the MTCOS operating system.
|
|
*
|
|
* Copyright (C) 2011-2015 MaskTech GmbH Fischerstrasse 19, 87435 Kempten, Germany
|
|
* Copyright (C) 2011 Andrey Uvarov (X-Infotech) <andrejs.uvarovs@x-infotech.com>
|
|
* Copyright (C) 2015 Vincent Le Toux (My Smart Logon) <vincent.letoux@mysmartlogon.com>
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
#if HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include "internal.h"
|
|
#include "cardctl.h"
|
|
#include "iso7816.h"
|
|
|
|
static struct sc_atr_table masktech_atrs[] = {
|
|
{"3B:89:80:01:4D:54:43:4F:53:70:02:00:04:31",
|
|
"FF:FF:FF:FF:FF:FF:FF:FF:FF:FC:FF:FC:F4:F5" , NULL,
|
|
SC_CARD_TYPE_MASKTECH_GENERIC, 0, NULL},
|
|
{"3B:88:80:01:00:00:00:00:77:81:80:00:6E", "FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:EE:FF:EE", NULL,
|
|
SC_CARD_TYPE_MASKTECH_GENERIC, 0, NULL},
|
|
{"3B:9D:13:81:31:60:35:80:31:C0:69:4D:54:43:4F:53:73:02:00:00:40",
|
|
"FF:FF:FF:FF:FF:FF:FD:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FC:F0:F0", NULL,
|
|
SC_CARD_TYPE_MASKTECH_GENERIC, 0, NULL},
|
|
{NULL, NULL, NULL, 0, 0, NULL}
|
|
};
|
|
|
|
static struct sc_card_operations *iso_ops;
|
|
static struct sc_card_operations masktech_ops;
|
|
static struct sc_card_driver masktech_drv = {
|
|
"MaskTech Smart Card",
|
|
"MaskTech",
|
|
&masktech_ops,
|
|
masktech_atrs, 0, NULL
|
|
};
|
|
|
|
struct masktech_private_data {
|
|
/* save the key reference set at set_masktech_set_security_env to recover it as the signature step */
|
|
int rsa_key_ref;
|
|
|
|
};
|
|
|
|
static int masktech_match_card(sc_card_t * card)
|
|
{
|
|
/* check if the ATR is in the known ATR */
|
|
if (_sc_match_atr(card, masktech_atrs, &card->type) < 0)
|
|
return 0;
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int masktech_init(sc_card_t * card)
|
|
{
|
|
unsigned long flags;
|
|
struct masktech_private_data *data;
|
|
|
|
sc_log(card->ctx, "masktech_init()\n");
|
|
|
|
/* private data kept during the live of the driver */
|
|
if (!(data = (struct masktech_private_data *) malloc(sizeof(*data))))
|
|
return SC_ERROR_OUT_OF_MEMORY;
|
|
card->drv_data = data;
|
|
|
|
/* supported RSA keys and how padding is done */
|
|
flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE;
|
|
_sc_card_add_rsa_alg(card, 1024, flags, 0);
|
|
_sc_card_add_rsa_alg(card, 2048, flags, 0);
|
|
_sc_card_add_rsa_alg(card, 3072, flags, 0);
|
|
card->caps |= SC_CARD_CAP_APDU_EXT;
|
|
return SC_SUCCESS;
|
|
}
|
|
|
|
|
|
static int masktech_finish(sc_card_t *card)
|
|
{
|
|
/* free the private data */
|
|
if (card->drv_data) {
|
|
free(card->drv_data);
|
|
card->drv_data = NULL;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int masktech_set_security_env(sc_card_t *card,
|
|
const sc_security_env_t *env,
|
|
int se_num)
|
|
{
|
|
struct masktech_private_data *private_data;
|
|
sc_log(card->ctx, "masktech_set_security_env(), keyRef = 0x%0x, algo = 0x%0x\n",
|
|
*env->key_ref, env->algorithm_flags);
|
|
|
|
private_data = (struct masktech_private_data *) card->drv_data;
|
|
if (!private_data)
|
|
return SC_ERROR_INTERNAL;
|
|
|
|
/* save the key reference */
|
|
if (env->flags & SC_SEC_ENV_KEY_REF_PRESENT) {
|
|
if (env->key_ref_len != 1) {
|
|
sc_log(card->ctx, "Invalid key reference supplied.\n");
|
|
return SC_ERROR_NOT_SUPPORTED;
|
|
}
|
|
private_data->rsa_key_ref = env->key_ref[0];
|
|
}
|
|
|
|
return iso_ops->set_security_env(card, env, se_num);
|
|
}
|
|
|
|
static int masktech_compute_signature(sc_card_t *card,
|
|
const u8 * data,
|
|
size_t datalen,
|
|
u8 * out,
|
|
size_t outlen)
|
|
{
|
|
|
|
struct masktech_private_data *private_data;
|
|
u8 sha256hash[32];
|
|
static const u8 hdr_sha256[] = {
|
|
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
|
|
0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
|
|
};
|
|
assert(card != NULL && data != NULL && out != NULL);
|
|
sc_log(card->ctx, "masktech_compute_signature()\n");
|
|
|
|
/* retrieve the key reference */
|
|
private_data = (struct masktech_private_data *) card->drv_data;
|
|
if (!private_data)
|
|
return SC_ERROR_INTERNAL;
|
|
|
|
if (private_data->rsa_key_ref == 0x88)
|
|
{
|
|
/* for this key reference, the card supports only SHA256 hash and the hash is computed using a digest info */
|
|
/* check that it is a SHA256 with digest info*/
|
|
if ((datalen != sizeof(hdr_sha256) + 32) || (memcmp(hdr_sha256, data, sizeof(hdr_sha256)) != 0))
|
|
{
|
|
sc_log(card->ctx, "It is not a SHA256 with digestinfo\n");
|
|
return SC_ERROR_NOT_SUPPORTED;
|
|
}
|
|
/* extract the SHA-256 hash */
|
|
memcpy(sha256hash, (u8 *)(data+(datalen-32)), 32);//only last 32 byte => sha256
|
|
/* default ISO 7816 functions */
|
|
return iso_ops->compute_signature(card, sha256hash, 32, out, outlen);
|
|
}
|
|
else
|
|
{
|
|
/* default ISO 7816 functions */
|
|
return iso_ops->compute_signature(card, data, datalen, out, outlen);
|
|
}
|
|
}
|
|
|
|
static int masktech_decipher(sc_card_t *card,
|
|
const u8 * crgram,
|
|
size_t crgram_len,
|
|
u8 * out,
|
|
size_t outlen)
|
|
{
|
|
int r;
|
|
sc_apdu_t apdu;
|
|
u8 rbuf[SC_MAX_EXT_APDU_BUFFER_SIZE];
|
|
|
|
assert(card != NULL && crgram != NULL && out != NULL);
|
|
sc_log(card->ctx, "masktech_decipher()\n");
|
|
|
|
if (crgram_len > SC_MAX_EXT_APDU_BUFFER_SIZE) {
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);
|
|
}
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_EXT, 0x2A, 0x80, 0x86);
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = sizeof(rbuf);
|
|
/* the card doesn't support anything else here (+1 / -1 is not working) */
|
|
apdu.le = 65536;
|
|
|
|
apdu.data = crgram;
|
|
apdu.lc = crgram_len;
|
|
apdu.datalen = crgram_len;
|
|
|
|
r = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
|
|
if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) {
|
|
size_t len = apdu.resplen > outlen ? outlen : apdu.resplen;
|
|
|
|
memcpy(out, apdu.resp, len);
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, len);
|
|
}
|
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, sc_check_sw(card, apdu.sw1, apdu.sw2));
|
|
}
|
|
|
|
/* unblock pin cmd */
|
|
static int masktech_pin_unblock(sc_card_t *card,
|
|
struct sc_pin_cmd_data *data,
|
|
int *tries_left)
|
|
{
|
|
int rv = 0;
|
|
struct sc_pin_cmd_data verify_data;
|
|
struct sc_pin_cmd_data reset_data;
|
|
|
|
/* Build a SC_PIN_CMD_VERIFY APDU on PUK */
|
|
memset(&verify_data, 0, sizeof(verify_data));
|
|
verify_data.cmd = SC_PIN_CMD_VERIFY;
|
|
verify_data.pin_type = 1;
|
|
verify_data.pin_reference = 0x83;
|
|
verify_data.pin1 = data->pin1;
|
|
verify_data.flags = data->flags;
|
|
verify_data.pin1.prompt = data->pin1.prompt;
|
|
|
|
rv = iso_ops->pin_cmd(card, &verify_data, tries_left);
|
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed - verify unblock PIN");
|
|
|
|
/* Build a SC_PIN_CMD_UNBLOCK APDU */
|
|
memset(&reset_data, 0, sizeof(reset_data));
|
|
reset_data.cmd = SC_PIN_CMD_UNBLOCK;
|
|
reset_data.pin_type = 1;
|
|
reset_data.pin_reference = 0x91;
|
|
/* pin1 is set to null on purpose and flag set to implicit change
|
|
=> if there is a pinpad reader, do not ask for pin1 */
|
|
reset_data.pin2 = data->pin2;
|
|
reset_data.flags = data->flags | SC_PIN_CMD_IMPLICIT_CHANGE;
|
|
reset_data.pin2.prompt = data->pin2.prompt;
|
|
|
|
rv = iso_ops->pin_cmd(card, &reset_data, tries_left);
|
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed - reset unblock PIN");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int masktech_pin_change(sc_card_t *card,
|
|
struct sc_pin_cmd_data *data,
|
|
int *tries_left)
|
|
{
|
|
int rv = 0;
|
|
struct sc_pin_cmd_data verify_data;
|
|
struct sc_pin_cmd_data change_data;
|
|
|
|
/* Build a SC_PIN_CMD_VERIFY APDU */
|
|
memset(&verify_data, 0, sizeof(verify_data));
|
|
verify_data.cmd = SC_PIN_CMD_VERIFY;
|
|
verify_data.pin_type = 1;
|
|
verify_data.pin_reference = data->pin_reference;
|
|
verify_data.pin1 = data->pin1;
|
|
verify_data.flags = data->flags;
|
|
verify_data.pin1.prompt = data->pin1.prompt;
|
|
|
|
rv = iso_ops->pin_cmd(card, &verify_data, tries_left);
|
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed - verify change PIN");
|
|
|
|
/* Build a SC_PIN_CMD_CHANGE APDU */
|
|
memset(&change_data, 0, sizeof(change_data));
|
|
change_data.cmd = SC_PIN_CMD_CHANGE;
|
|
change_data.pin_type = 1;
|
|
change_data.pin_reference = data->pin_reference;
|
|
/* pin1 is set to null on purpose and flag set to implicit change
|
|
=> if there is a pinpad reader, do not ask for pin1 */
|
|
change_data.pin2 = data->pin2;
|
|
change_data.flags = data->flags | SC_PIN_CMD_IMPLICIT_CHANGE;
|
|
change_data.pin2.prompt = data->pin2.prompt;
|
|
|
|
rv = iso_ops->pin_cmd(card, &change_data, tries_left);
|
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed - change PIN");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int masktech_pin_cmd(sc_card_t *card,
|
|
struct sc_pin_cmd_data *data,
|
|
int *tries_left)
|
|
{
|
|
int rv;
|
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
|
|
|
switch(data->cmd)
|
|
{
|
|
case SC_PIN_CMD_UNBLOCK:
|
|
rv = masktech_pin_unblock(card, data, tries_left);
|
|
break;
|
|
case SC_PIN_CMD_CHANGE:
|
|
rv = masktech_pin_change(card, data, tries_left);
|
|
break;
|
|
default:
|
|
rv = iso_ops->pin_cmd(card, data, tries_left);
|
|
break;
|
|
}
|
|
return rv;
|
|
|
|
|
|
}
|
|
|
|
static int masktech_get_serialnr(sc_card_t * card, sc_serial_number_t * serial)
|
|
{
|
|
struct sc_apdu apdu;
|
|
unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE-2];
|
|
int rv;
|
|
|
|
if (!serial)
|
|
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
|
|
/* Get smart card serial number */
|
|
card->cla = 0x80;
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0x08, 0x00, 0x00);
|
|
apdu.resplen = sizeof(apdu_resp);
|
|
apdu.resp = apdu_resp;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
card->cla = 0x00;
|
|
|
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
|
|
|
|
if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
|
|
return SC_ERROR_INTERNAL;
|
|
|
|
if (SC_MAX_SERIALNR < apdu.resplen)
|
|
{
|
|
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
|
|
}
|
|
/* cache serial number */
|
|
card->serialnr.len = apdu.resplen;
|
|
memcpy(card->serialnr.value, apdu.resp, card->serialnr.len);
|
|
|
|
/* copy and return serial number */
|
|
if (serial)
|
|
memcpy(serial, &card->serialnr, sizeof(*serial));
|
|
|
|
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int masktech_card_ctl(sc_card_t * card, unsigned long cmd, void *ptr)
|
|
{
|
|
sc_log(card->ctx, "masktech_card_ctl()\n");
|
|
switch (cmd) {
|
|
case SC_CARDCTL_GET_SERIALNR:
|
|
return masktech_get_serialnr(card, (sc_serial_number_t *) ptr);
|
|
default:
|
|
return SC_ERROR_NOT_SUPPORTED;
|
|
}
|
|
}
|
|
|
|
static struct sc_card_driver *sc_get_driver(void)
|
|
{
|
|
|
|
if (iso_ops == NULL)
|
|
iso_ops = sc_get_iso7816_driver()->ops;
|
|
|
|
masktech_ops = *iso_ops;
|
|
|
|
masktech_ops.match_card = masktech_match_card;
|
|
masktech_ops.init = masktech_init;
|
|
masktech_ops.finish = masktech_finish;
|
|
masktech_ops.set_security_env = masktech_set_security_env;
|
|
masktech_ops.compute_signature = masktech_compute_signature;
|
|
masktech_ops.decipher = masktech_decipher;
|
|
masktech_ops.pin_cmd = masktech_pin_cmd;
|
|
masktech_ops.card_ctl = masktech_card_ctl;
|
|
return &masktech_drv;
|
|
}
|
|
|
|
struct sc_card_driver *sc_get_masktech_driver(void)
|
|
{
|
|
return sc_get_driver();
|
|
}
|