b18234a7d9
* IASECC: offset is a size_t
Let's use a size_t for the offset in order to have a proper logic
along with the related arithmetics.
Fix: part if issue #2262
Suggested-by: Frank Morgner <frankmorgner@gmail.com>
* iasecc: Fix ACLs support when length is 6
ACLs with length < 6 are allowed, depending on the mask of the offset 0.
For instance, when the offset 0 is 0x7B, then length can be up to 7
when the offset 0 is 0x7A, the loop was never performing any access to
the acls[7] thanks to:
if (!(mask & acls[0]))
continue;
However, the oss-fuzz tools cannot guess such behavior. So let's have a
robust boundary check.
Fix: issue #2262
Fix: ae1cf0be90
'Prevent stack buffer overflow when empty ACL is returned'
Co-authored-by: Vincent JARDIN <vjardin@free.fr>
Co-authored-by: Frank Morgner <frankmorgner@gmail.com>
3647 lines
108 KiB
C
3647 lines
108 KiB
C
/*
|
|
* card-iasecc.c: Support for IAS/ECC smart cards
|
|
*
|
|
* Copyright (C) 2010 Viktor Tarasov <vtarasov@gmail.com>
|
|
* OpenTrust <www.opentrust.com>
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include <config.h>
|
|
#endif
|
|
|
|
#ifdef ENABLE_OPENSSL /* empty file without openssl */
|
|
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
#include <openssl/bn.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/sha.h>
|
|
#include <openssl/rsa.h>
|
|
#include <openssl/pkcs12.h>
|
|
#include <openssl/x509v3.h>
|
|
|
|
#include "internal.h"
|
|
#include "asn1.h"
|
|
#include "cardctl.h"
|
|
#include "opensc.h"
|
|
/* #include "sm.h" */
|
|
#include "pkcs15.h"
|
|
/* #include "hash-strings.h" */
|
|
#include "gp.h"
|
|
|
|
#include "iasecc.h"
|
|
|
|
#define IASECC_CARD_DEFAULT_FLAGS ( 0 \
|
|
| SC_ALGORITHM_ONBOARD_KEY_GEN \
|
|
| SC_ALGORITHM_RSA_PAD_ISO9796 \
|
|
| SC_ALGORITHM_RSA_PAD_PKCS1 \
|
|
| SC_ALGORITHM_RSA_HASH_NONE \
|
|
| SC_ALGORITHM_RSA_HASH_SHA1 \
|
|
| SC_ALGORITHM_RSA_HASH_SHA256)
|
|
|
|
#define IASECC_CARD_DEFAULT_CAPS ( 0 \
|
|
| SC_CARD_CAP_RNG \
|
|
| SC_CARD_CAP_APDU_EXT \
|
|
| SC_CARD_CAP_USE_FCI_AC \
|
|
| SC_CARD_CAP_ISO7816_PIN_INFO)
|
|
|
|
/* generic iso 7816 operations table */
|
|
static const struct sc_card_operations *iso_ops = NULL;
|
|
|
|
/* our operations table with overrides */
|
|
static struct sc_card_operations iasecc_ops;
|
|
|
|
static struct sc_card_driver iasecc_drv = {
|
|
"IAS-ECC",
|
|
"iasecc",
|
|
&iasecc_ops,
|
|
NULL, 0, NULL
|
|
};
|
|
|
|
static const struct sc_atr_table iasecc_known_atrs[] = {
|
|
{ "3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00",
|
|
"FF:FF:FF:FF:FF:FF:FF:FE:FF:FF:00:00:FF:FF:FF:FF:FF:FF:FF:FF",
|
|
"IAS/ECC Gemalto", SC_CARD_TYPE_IASECC_GEMALTO, 0, NULL },
|
|
{ "3B:DD:00:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:00",
|
|
"FF:FF:00:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:00",
|
|
"IAS/ECC v1.0.1 Oberthur", SC_CARD_TYPE_IASECC_OBERTHUR, 0, NULL },
|
|
{ "3B:7D:13:00:00:4D:44:57:2D:49:41:53:2D:43:41:52:44:32", NULL,
|
|
"IAS/ECC v1.0.1 Sagem MDW-IAS-CARD2", SC_CARD_TYPE_IASECC_SAGEM, 0, NULL },
|
|
{ "3B:7F:18:00:00:00:31:B8:64:50:23:EC:C1:73:94:01:80:82:90:00", NULL,
|
|
"IAS/ECC v1.0.1 Sagem ypsID S3", SC_CARD_TYPE_IASECC_SAGEM, 0, NULL },
|
|
{ "3B:DF:96:00:80:31:FE:45:00:31:B8:64:04:1F:EC:C1:73:94:01:80:82:90:00:EC", NULL,
|
|
"IAS/ECC Morpho MinInt - Agent Card", SC_CARD_TYPE_IASECC_MI, 0, NULL },
|
|
{ "3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3", NULL,
|
|
"IAS/ECC v1.0.1 Amos", SC_CARD_TYPE_IASECC_AMOS, 0, NULL },
|
|
{ "3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:02:04:03:55:00:02:34", NULL,
|
|
"IAS/ECC v1.0.1 Amos", SC_CARD_TYPE_IASECC_AMOS, 0, NULL },
|
|
{ "3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38", NULL,
|
|
"IAS/ECC v1.0.1 Amos", SC_CARD_TYPE_IASECC_AMOS, 0, NULL },
|
|
{
|
|
.atr = "3B:AC:00:40:2A:00:12:25:00:64:80:00:03:10:00:90:00",
|
|
.atrmask = "FF:00:00:00:00:FF:FF:FF:FF:FF:FF:00:00:00:FF:FF:FF",
|
|
.name = "IAS/ECC CPx",
|
|
.type = SC_CARD_TYPE_IASECC_CPX,
|
|
},
|
|
{
|
|
.atr = "2B:8F:80:01:00:31:B8:64:04:B0:EC:C1:73:94:01:80:82:90:00:0E",
|
|
.atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:FF:C0:FF:FF:FF:FF:FF:FF:FF:FF",
|
|
.name = "IAS/ECC CPxCL",
|
|
.type = SC_CARD_TYPE_IASECC_CPXCL,
|
|
},
|
|
{ NULL, NULL, NULL, 0, 0, NULL }
|
|
};
|
|
|
|
static struct sc_aid OberthurIASECC_AID = {
|
|
{0xA0,0x00,0x00,0x00,0x77,0x01,0x08,0x00,0x07,0x00,0x00,0xFE,0x00,0x00,0x01,0x00}, 16
|
|
};
|
|
|
|
static struct sc_aid MIIASECC_AID = {
|
|
{ 0x4D, 0x49, 0x4F, 0x4D, 0x43, 0x54}, 6
|
|
};
|
|
|
|
struct iasecc_pin_status {
|
|
unsigned char sha1[SHA_DIGEST_LENGTH];
|
|
unsigned char reference;
|
|
|
|
struct iasecc_pin_status *next;
|
|
struct iasecc_pin_status *prev;
|
|
};
|
|
|
|
struct iasecc_pin_status *checked_pins = NULL;
|
|
|
|
/* Any absent field is set to -1, except scbs, which is always present */
|
|
struct iasecc_pin_policy {
|
|
int min_length;
|
|
int max_length;
|
|
int stored_length;
|
|
int tries_maximum;
|
|
int tries_remaining;
|
|
unsigned char scbs[IASECC_MAX_SCBS];
|
|
};
|
|
|
|
static int iasecc_select_file(struct sc_card *card, const struct sc_path *path, struct sc_file **file_out);
|
|
static int iasecc_process_fci(struct sc_card *card, struct sc_file *file, const unsigned char *buf, size_t buflen);
|
|
static int iasecc_get_serialnr(struct sc_card *card, struct sc_serial_number *serial);
|
|
static int iasecc_sdo_get_data(struct sc_card *card, struct iasecc_sdo *sdo);
|
|
static int iasecc_pin_get_policy (struct sc_card *card, struct sc_pin_cmd_data *data, struct iasecc_pin_policy *pin);
|
|
static int iasecc_pin_get_status(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left);
|
|
static int iasecc_pin_get_info(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left);
|
|
static int iasecc_check_update_pin(struct sc_pin_cmd_data *data, struct sc_pin_cmd_pin *pin);
|
|
static void iasecc_set_pin_padding(struct sc_pin_cmd_data *data, struct sc_pin_cmd_pin *pin,
|
|
size_t pad_len);
|
|
static int iasecc_pin_merge_policy(struct sc_card *card, struct sc_pin_cmd_data *data,
|
|
struct sc_pin_cmd_pin *pin, struct iasecc_pin_policy *policy);
|
|
static int iasecc_get_free_reference(struct sc_card *card, struct iasecc_ctl_get_free_reference *ctl_data);
|
|
static int iasecc_sdo_put_data(struct sc_card *card, struct iasecc_sdo_update *update);
|
|
|
|
#ifdef ENABLE_SM
|
|
static int _iasecc_sm_read_binary(struct sc_card *card, unsigned int offs, unsigned char *buf, size_t count);
|
|
static int _iasecc_sm_update_binary(struct sc_card *card, unsigned int offs, const unsigned char *buff, size_t count);
|
|
#endif
|
|
|
|
static int
|
|
iasecc_chv_cache_verified(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_pin_status *pin_status = NULL, *current = NULL;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
for(current = checked_pins; current; current = current->next)
|
|
if (current->reference == pin_cmd->pin_reference)
|
|
break;
|
|
|
|
if (current) {
|
|
sc_log(ctx, "iasecc_chv_cache_verified() current PIN-%i", current->reference);
|
|
pin_status = current;
|
|
}
|
|
else {
|
|
pin_status = calloc(1, sizeof(struct iasecc_pin_status));
|
|
if (!pin_status)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot callocate PIN status info");
|
|
sc_log(ctx, "iasecc_chv_cache_verified() allocated %p", pin_status);
|
|
}
|
|
|
|
pin_status->reference = pin_cmd->pin_reference;
|
|
if (pin_cmd->pin1.data)
|
|
SHA1(pin_cmd->pin1.data, pin_cmd->pin1.len, pin_status->sha1);
|
|
else
|
|
memset(pin_status->sha1, 0, SHA_DIGEST_LENGTH);
|
|
|
|
sc_log_hex(ctx, "iasecc_chv_cache_verified() sha1(PIN)", pin_status->sha1, SHA_DIGEST_LENGTH);
|
|
|
|
if (!current) {
|
|
if (!checked_pins) {
|
|
checked_pins = pin_status;
|
|
}
|
|
else {
|
|
checked_pins->prev = pin_status;
|
|
pin_status->next = checked_pins;
|
|
checked_pins = pin_status;
|
|
}
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_chv_cache_clean(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_pin_status *current = NULL;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
for(current = checked_pins; current; current = current->next)
|
|
if (current->reference == pin_cmd->pin_reference)
|
|
break;
|
|
|
|
if (!current)
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
|
|
|
|
if (current->next && current->prev) {
|
|
current->prev->next = current->next;
|
|
current->next->prev = current->prev;
|
|
}
|
|
else if (!current->prev) {
|
|
checked_pins = current->next;
|
|
}
|
|
else if (!current->next && current->prev) {
|
|
current->prev->next = NULL;
|
|
}
|
|
|
|
free(current);
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static struct iasecc_pin_status *
|
|
iasecc_chv_cache_is_verified(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_pin_status *current = NULL;
|
|
unsigned char data_sha1[SHA_DIGEST_LENGTH];
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (pin_cmd->pin1.data)
|
|
SHA1(pin_cmd->pin1.data, pin_cmd->pin1.len, data_sha1);
|
|
else
|
|
memset(data_sha1, 0, SHA_DIGEST_LENGTH);
|
|
sc_log_hex(ctx, "data_sha1: %s", data_sha1, SHA_DIGEST_LENGTH);
|
|
|
|
for(current = checked_pins; current; current = current->next)
|
|
if (current->reference == pin_cmd->pin_reference)
|
|
break;
|
|
|
|
if (current && !memcmp(data_sha1, current->sha1, SHA_DIGEST_LENGTH)) {
|
|
sc_log(ctx, "PIN-%i status 'verified'", pin_cmd->pin_reference);
|
|
return current;
|
|
}
|
|
|
|
sc_log(ctx, "PIN-%i status 'not verified'", pin_cmd->pin_reference);
|
|
return NULL;
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_select_mf(struct sc_card *card, struct sc_file **file_out)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_file *mf_file = NULL;
|
|
struct sc_path path;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (file_out)
|
|
*file_out = NULL;
|
|
|
|
memset(&path, 0, sizeof(struct sc_path));
|
|
if (!card->ef_atr || !card->ef_atr->aid.len) {
|
|
struct sc_apdu apdu;
|
|
unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];
|
|
|
|
/* ISO 'select' command fails when not FCP data returned */
|
|
sc_format_path("3F00", &path);
|
|
path.type = SC_PATH_TYPE_FILE_ID;
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xA4, 0x00, 0x0C);
|
|
apdu.lc = path.len;
|
|
apdu.data = path.value;
|
|
apdu.datalen = path.len;
|
|
apdu.resplen = sizeof(apdu_resp);
|
|
apdu.resp = apdu_resp;
|
|
|
|
/* TODO: this might be obsolete now that 0x0c (no data) is default for p2 */
|
|
if (card->type == SC_CARD_TYPE_IASECC_MI2)
|
|
apdu.p2 = 0x04;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(card->ctx, rv, "Cannot select MF");
|
|
}
|
|
else {
|
|
memset(&path, 0, sizeof(path));
|
|
path.type = SC_PATH_TYPE_DF_NAME;
|
|
memcpy(path.value, card->ef_atr->aid.value, card->ef_atr->aid.len);
|
|
path.len = card->ef_atr->aid.len;
|
|
rv = iasecc_select_file(card, &path, file_out);
|
|
LOG_TEST_RET(ctx, rv, "Unable to ROOT selection");
|
|
}
|
|
|
|
/* Ignore the FCP of the MF, because:
|
|
* - some cards do not return it;
|
|
* - there is not need of it -- create/delete of the files in MF is not envisaged.
|
|
*/
|
|
mf_file = sc_file_new();
|
|
if (mf_file == NULL)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot allocate MF file");
|
|
mf_file->type = SC_FILE_TYPE_DF;
|
|
mf_file->path = path;
|
|
|
|
if (card->cache.valid) {
|
|
sc_file_free(card->cache.current_df);
|
|
}
|
|
card->cache.current_df = NULL;
|
|
|
|
if (card->cache.valid) {
|
|
sc_file_free(card->cache.current_ef);
|
|
}
|
|
card->cache.current_ef = NULL;
|
|
|
|
sc_file_dup(&card->cache.current_df, mf_file);
|
|
card->cache.valid = 1;
|
|
|
|
if (file_out && *file_out == NULL)
|
|
*file_out = mf_file;
|
|
else
|
|
sc_file_free(mf_file);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_select_aid(struct sc_card *card, struct sc_aid *aid, unsigned char *out, size_t *out_len)
|
|
{
|
|
struct sc_apdu apdu;
|
|
unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(card->ctx);
|
|
|
|
/* Select application (deselect previously selected application) */
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x04, 0x00);
|
|
apdu.lc = aid->len;
|
|
apdu.data = aid->value;
|
|
apdu.datalen = aid->len;
|
|
apdu.resplen = sizeof(apdu_resp);
|
|
apdu.resp = apdu_resp;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(card->ctx, rv, "Cannot select AID");
|
|
|
|
if (*out_len < apdu.resplen)
|
|
LOG_TEST_RET(card->ctx, SC_ERROR_BUFFER_TOO_SMALL, "Cannot select AID");
|
|
memcpy(out, apdu.resp, apdu.resplen);
|
|
|
|
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_match_card(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
int i;
|
|
|
|
i = _sc_match_atr(card, iasecc_known_atrs, &card->type);
|
|
if (i < 0) {
|
|
sc_log(ctx, "card not matched");
|
|
return 0;
|
|
}
|
|
|
|
sc_log(ctx, "'%s' card matched", iasecc_known_atrs[i].name);
|
|
return 1;
|
|
}
|
|
|
|
|
|
static int iasecc_parse_ef_atr(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_private_data *pdata = (struct iasecc_private_data *) card->drv_data;
|
|
struct iasecc_version *version = &pdata->version;
|
|
struct iasecc_io_buffer_sizes *sizes = &pdata->max_sizes;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
rv = sc_parse_ef_atr(card);
|
|
LOG_TEST_RET(ctx, rv, "MF selection error");
|
|
|
|
if (card->ef_atr->pre_issuing_len < 4)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid pre-issuing data");
|
|
|
|
version->ic_manufacturer = card->ef_atr->pre_issuing[0];
|
|
version->ic_type = card->ef_atr->pre_issuing[1];
|
|
version->os_version = card->ef_atr->pre_issuing[2];
|
|
version->iasecc_version = card->ef_atr->pre_issuing[3];
|
|
sc_log(ctx, "EF.ATR: IC manufacturer/type %X/%X, OS/IasEcc versions %X/%X",
|
|
version->ic_manufacturer, version->ic_type, version->os_version, version->iasecc_version);
|
|
|
|
if (card->ef_atr->issuer_data_len < 16)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid issuer data");
|
|
|
|
sizes->send = card->ef_atr->issuer_data[2] * 0x100 + card->ef_atr->issuer_data[3];
|
|
sizes->send_sc = card->ef_atr->issuer_data[6] * 0x100 + card->ef_atr->issuer_data[7];
|
|
sizes->recv = card->ef_atr->issuer_data[10] * 0x100 + card->ef_atr->issuer_data[11];
|
|
sizes->recv_sc = card->ef_atr->issuer_data[14] * 0x100 + card->ef_atr->issuer_data[15];
|
|
|
|
sc_log(ctx, "EF.ATR: IO Buffer Size send/sc %ld/%ld recv/sc %ld/%ld",
|
|
sizes->send, sizes->send_sc, sizes->recv, sizes->recv_sc);
|
|
|
|
card->max_send_size = sizes->send;
|
|
card->max_recv_size = sizes->recv;
|
|
|
|
/* Most of the card producers interpret 'send' values as "maximum APDU data size".
|
|
* Oberthur strictly follows specification and interpret these values as "maximum APDU command size".
|
|
* Here we need 'data size'.
|
|
*/
|
|
if (card->max_send_size > 0xFF)
|
|
card->max_send_size -= 5;
|
|
|
|
sc_log(ctx,
|
|
"EF.ATR: max send/recv sizes %"SC_FORMAT_LEN_SIZE_T"X/%"SC_FORMAT_LEN_SIZE_T"X",
|
|
card->max_send_size, card->max_recv_size);
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_init_gemalto(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_path path;
|
|
unsigned int flags;
|
|
int rv = 0;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
flags = IASECC_CARD_DEFAULT_FLAGS;
|
|
|
|
card->caps = IASECC_CARD_DEFAULT_CAPS;
|
|
|
|
sc_format_path("3F00", &path);
|
|
if (SC_SUCCESS != sc_select_file(card, &path, NULL)) {
|
|
/* Result ignored*/
|
|
sc_log(card->ctx, "Warning, MF select failed");
|
|
}
|
|
|
|
rv = iasecc_parse_ef_atr(card);
|
|
sc_log(ctx, "rv %i", rv);
|
|
if (rv == SC_ERROR_FILE_NOT_FOUND) {
|
|
sc_log(ctx, "Select MF");
|
|
rv = iasecc_select_mf(card, NULL);
|
|
sc_log(ctx, "rv %i", rv);
|
|
LOG_TEST_RET(ctx, rv, "MF selection error");
|
|
|
|
rv = iasecc_parse_ef_atr(card);
|
|
sc_log(ctx, "rv %i", rv);
|
|
}
|
|
sc_log(ctx, "rv %i", rv);
|
|
LOG_TEST_RET(ctx, rv, "Cannot read/parse EF.ATR");
|
|
|
|
_sc_card_add_rsa_alg(card, 1024, flags, 0x10001);
|
|
_sc_card_add_rsa_alg(card, 2048, flags, 0x10001);
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_oberthur_match(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned char *hist = card->reader->atr_info.hist_bytes;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (*hist != 0x80 || ((*(hist+1)&0xF0) != 0xF0))
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OBJECT_NOT_FOUND);
|
|
|
|
sc_log_hex(ctx, "AID in historical_bytes", hist + 2, *(hist+1) & 0x0F);
|
|
|
|
if (memcmp(hist + 2, OberthurIASECC_AID.value, *(hist+1) & 0x0F))
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_RECORD_NOT_FOUND);
|
|
|
|
if (!card->ef_atr)
|
|
card->ef_atr = calloc(1, sizeof(struct sc_ef_atr));
|
|
if (!card->ef_atr)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
|
|
|
memcpy(card->ef_atr->aid.value, OberthurIASECC_AID.value, OberthurIASECC_AID.len);
|
|
card->ef_atr->aid.len = OberthurIASECC_AID.len;
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_init_oberthur(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned int flags;
|
|
int rv = 0;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
flags = IASECC_CARD_DEFAULT_FLAGS;
|
|
|
|
_sc_card_add_rsa_alg(card, 1024, flags, 0x10001);
|
|
_sc_card_add_rsa_alg(card, 2048, flags, 0x10001);
|
|
|
|
card->caps = IASECC_CARD_DEFAULT_CAPS;
|
|
|
|
iasecc_parse_ef_atr(card);
|
|
|
|
/* if we fail to select CM, */
|
|
if (gp_select_card_manager(card)) {
|
|
gp_select_isd_rid(card);
|
|
}
|
|
|
|
rv = iasecc_oberthur_match(card);
|
|
LOG_TEST_RET(ctx, rv, "unknown Oberthur's IAS/ECC card");
|
|
|
|
rv = iasecc_select_mf(card, NULL);
|
|
LOG_TEST_RET(ctx, rv, "MF selection error");
|
|
|
|
rv = iasecc_parse_ef_atr(card);
|
|
LOG_TEST_RET(ctx, rv, "EF.ATR read or parse error");
|
|
|
|
sc_log(ctx, "EF.ATR(aid:'%s')", sc_dump_hex(card->ef_atr->aid.value, card->ef_atr->aid.len));
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_mi_match(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned char resp[0x100];
|
|
size_t resp_len;
|
|
int rv = 0;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
resp_len = sizeof(resp);
|
|
rv = iasecc_select_aid(card, &MIIASECC_AID, resp, &resp_len);
|
|
LOG_TEST_RET(ctx, rv, "IASECC: failed to select MI IAS/ECC applet");
|
|
|
|
if (!card->ef_atr)
|
|
card->ef_atr = calloc(1, sizeof(struct sc_ef_atr));
|
|
if (!card->ef_atr)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
|
|
|
memcpy(card->ef_atr->aid.value, MIIASECC_AID.value, MIIASECC_AID.len);
|
|
card->ef_atr->aid.len = MIIASECC_AID.len;
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_init_amos_or_sagem(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned int flags;
|
|
int rv = 0;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
flags = IASECC_CARD_DEFAULT_FLAGS;
|
|
|
|
_sc_card_add_rsa_alg(card, 1024, flags, 0x10001);
|
|
_sc_card_add_rsa_alg(card, 2048, flags, 0x10001);
|
|
|
|
card->caps = IASECC_CARD_DEFAULT_CAPS;
|
|
|
|
if (card->type == SC_CARD_TYPE_IASECC_MI) {
|
|
rv = iasecc_mi_match(card);
|
|
if (rv)
|
|
card->type = SC_CARD_TYPE_IASECC_MI2;
|
|
else
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
rv = iasecc_parse_ef_atr(card);
|
|
if (rv == SC_ERROR_FILE_NOT_FOUND) {
|
|
rv = iasecc_select_mf(card, NULL);
|
|
LOG_TEST_RET(ctx, rv, "MF selection error");
|
|
|
|
rv = iasecc_parse_ef_atr(card);
|
|
}
|
|
LOG_TEST_RET(ctx, rv, "IASECC: ATR parse failed");
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
inline static int
|
|
iasecc_is_cpx(const struct sc_card *card)
|
|
{
|
|
switch(card->type) {
|
|
case SC_CARD_TYPE_IASECC_CPX:
|
|
case SC_CARD_TYPE_IASECC_CPXCL:
|
|
return 1;
|
|
default:
|
|
return 0;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
iasecc_init_cpx(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned int flags; /* TBC it is not IASECC_CARD_DEFAULT_FLAGS */
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
card->caps = SC_CARD_CAP_RNG; /* TBC it is not IASECC_CARD_DEFAULT_CAPS */
|
|
|
|
flags = SC_ALGORITHM_RSA_PAD_PKCS1;
|
|
flags |= SC_ALGORITHM_RSA_RAW;
|
|
|
|
flags |= SC_ALGORITHM_RSA_HASH_SHA1 |
|
|
SC_ALGORITHM_RSA_HASH_SHA256;
|
|
|
|
_sc_card_add_rsa_alg(card, 512, flags, 0);
|
|
_sc_card_add_rsa_alg(card, 1024, flags, 0);
|
|
_sc_card_add_rsa_alg(card, 2048, flags, 0);
|
|
|
|
LOG_TEST_RET(ctx, sc_enum_apps(card), "Enumerate apps failed");
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_init(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_private_data *private_data = NULL;
|
|
int rv = SC_ERROR_NO_CARD_SUPPORT;
|
|
void *old_drv_data = card->drv_data;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
private_data = (struct iasecc_private_data *) calloc(1, sizeof(struct iasecc_private_data));
|
|
if (private_data == NULL)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
|
|
|
card->cla = 0x00;
|
|
card->drv_data = private_data;
|
|
|
|
if (card->type == SC_CARD_TYPE_IASECC_GEMALTO)
|
|
rv = iasecc_init_gemalto(card);
|
|
else if (card->type == SC_CARD_TYPE_IASECC_OBERTHUR)
|
|
rv = iasecc_init_oberthur(card);
|
|
else if (card->type == SC_CARD_TYPE_IASECC_SAGEM)
|
|
rv = iasecc_init_amos_or_sagem(card);
|
|
else if (card->type == SC_CARD_TYPE_IASECC_AMOS)
|
|
rv = iasecc_init_amos_or_sagem(card);
|
|
else if (card->type == SC_CARD_TYPE_IASECC_MI)
|
|
rv = iasecc_init_amos_or_sagem(card);
|
|
else if (iasecc_is_cpx(card))
|
|
rv = iasecc_init_cpx(card);
|
|
else {
|
|
LOG_TEST_GOTO_ERR(ctx, SC_ERROR_INVALID_CARD, "");
|
|
}
|
|
|
|
|
|
if (!rv) {
|
|
if (card->ef_atr && card->ef_atr->aid.len) {
|
|
struct sc_path path;
|
|
|
|
memset(&path, 0, sizeof(struct sc_path));
|
|
path.type = SC_PATH_TYPE_DF_NAME;
|
|
memcpy(path.value, card->ef_atr->aid.value, card->ef_atr->aid.len);
|
|
path.len = card->ef_atr->aid.len;
|
|
|
|
rv = iasecc_select_file(card, &path, NULL);
|
|
sc_log(ctx, "Select ECC ROOT with the AID from EF.ATR: rv %i", rv);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "Select EF.ATR AID failed");
|
|
}
|
|
|
|
iasecc_get_serialnr(card, NULL);
|
|
}
|
|
|
|
#ifdef ENABLE_SM
|
|
card->sm_ctx.ops.read_binary = _iasecc_sm_read_binary;
|
|
card->sm_ctx.ops.update_binary = _iasecc_sm_update_binary;
|
|
#endif
|
|
|
|
if (!rv && card->ef_atr && card->ef_atr->aid.len) {
|
|
sc_log(ctx, "EF.ATR(aid:'%s')", sc_dump_hex(card->ef_atr->aid.value, card->ef_atr->aid.len));
|
|
}
|
|
|
|
err:
|
|
if (rv < 0) {
|
|
free(private_data);
|
|
card->drv_data = old_drv_data;
|
|
} else {
|
|
free(old_drv_data);
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_read_binary(struct sc_card *card, unsigned int offs,
|
|
unsigned char *buf, size_t count, unsigned long flags)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx,
|
|
"iasecc_read_binary(card:%p) offs %i; count %"SC_FORMAT_LEN_SIZE_T"u",
|
|
card, offs, count);
|
|
if (offs > 0x7fff) {
|
|
sc_log(ctx, "invalid EF offset: 0x%X > 0x7FFF", offs);
|
|
return SC_ERROR_OFFSET_TOO_LARGE;
|
|
}
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xB0, (offs >> 8) & 0x7F, offs & 0xFF);
|
|
apdu.le = count < 0x100 ? count : 0x100;
|
|
apdu.resplen = count;
|
|
apdu.resp = buf;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "iasecc_read_binary() failed");
|
|
sc_log(ctx,
|
|
"iasecc_read_binary() apdu.resplen %"SC_FORMAT_LEN_SIZE_T"u",
|
|
apdu.resplen);
|
|
|
|
if (apdu.resplen == IASECC_READ_BINARY_LENGTH_MAX && apdu.resplen < count) {
|
|
rv = iasecc_read_binary(card, offs + apdu.resplen, buf + apdu.resplen, count - apdu.resplen, flags);
|
|
if (rv != SC_ERROR_WRONG_LENGTH) {
|
|
LOG_TEST_RET(ctx, rv, "iasecc_read_binary() read tail failed");
|
|
apdu.resplen += rv;
|
|
}
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, apdu.resplen);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_erase_binary(struct sc_card *card, unsigned int offs, size_t count, unsigned long flags)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned char *tmp = NULL;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx,
|
|
"iasecc_erase_binary(card:%p) count %"SC_FORMAT_LEN_SIZE_T"u",
|
|
card, count);
|
|
if (!count)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "'ERASE BINARY' failed: invalid size to erase");
|
|
|
|
tmp = malloc(count);
|
|
if (!tmp)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot allocate temporary buffer");
|
|
memset(tmp, 0xFF, count);
|
|
|
|
rv = sc_update_binary(card, offs, tmp, count, flags);
|
|
free(tmp);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
#if ENABLE_SM
|
|
static int
|
|
_iasecc_sm_read_binary(struct sc_card *card, unsigned int offs,
|
|
unsigned char *buff, size_t count)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
const struct sc_acl_entry *entry = NULL;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx,
|
|
"iasecc_sm_read_binary() card:%p offs:%i count:%"SC_FORMAT_LEN_SIZE_T"u ",
|
|
card, offs, count);
|
|
if (offs > 0x7fff)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OFFSET_TOO_LARGE, "Invalid arguments");
|
|
|
|
if (count == 0)
|
|
return 0;
|
|
|
|
sc_print_cache(card);
|
|
|
|
if (card->cache.valid && card->cache.current_ef) {
|
|
entry = sc_file_get_acl_entry(card->cache.current_ef, SC_AC_OP_READ);
|
|
if (!entry)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_FOUND, "iasecc_sm_read() 'READ' ACL not present");
|
|
|
|
sc_log(ctx, "READ method/reference %X/%X", entry->method, entry->key_ref);
|
|
if ((entry->method == SC_AC_SCB) && (entry->key_ref & IASECC_SCB_METHOD_SM)) {
|
|
unsigned char se_num = (entry->method == SC_AC_SCB) ? (entry->key_ref & IASECC_SCB_METHOD_MASK_REF) : 0;
|
|
|
|
rv = iasecc_sm_read_binary(card, se_num, offs, buff, count);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
_iasecc_sm_update_binary(struct sc_card *card, unsigned int offs,
|
|
const unsigned char *buff, size_t count)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
const struct sc_acl_entry *entry = NULL;
|
|
int rv;
|
|
|
|
if (count == 0)
|
|
return SC_SUCCESS;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx,
|
|
"iasecc_sm_read_binary() card:%p offs:%i count:%"SC_FORMAT_LEN_SIZE_T"u ",
|
|
card, offs, count);
|
|
sc_print_cache(card);
|
|
|
|
if (card->cache.valid && card->cache.current_ef) {
|
|
entry = sc_file_get_acl_entry(card->cache.current_ef, SC_AC_OP_UPDATE);
|
|
if (!entry)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_FOUND, "iasecc_sm_update() 'UPDATE' ACL not present");
|
|
|
|
sc_log(ctx, "UPDATE method/reference %X/%X", entry->method, entry->key_ref);
|
|
if (entry->method == SC_AC_SCB && (entry->key_ref & IASECC_SCB_METHOD_SM)) {
|
|
unsigned char se_num = entry->method == SC_AC_SCB ? entry->key_ref & IASECC_SCB_METHOD_MASK_REF : 0;
|
|
|
|
rv = iasecc_sm_update_binary(card, se_num, offs, buff, count);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, 0);
|
|
}
|
|
#endif
|
|
|
|
|
|
static int
|
|
iasecc_emulate_fcp(struct sc_context *ctx, struct sc_apdu *apdu)
|
|
{
|
|
unsigned char dummy_df_fcp[] = {
|
|
0x62,0xFF,
|
|
0x82,0x01,0x38,
|
|
0x8A,0x01,0x05,
|
|
0xA1,0x04,0x8C,0x02,0x02,0x00,
|
|
0x84,0xFF,
|
|
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
|
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
|
|
};
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (apdu->p1 != 0x04)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "FCP emulation supported only for the DF-NAME selection type");
|
|
if (apdu->datalen > 16)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid DF-NAME length");
|
|
if (apdu->resplen < apdu->datalen + 16)
|
|
LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "not enough space for FCP data");
|
|
|
|
memcpy(dummy_df_fcp + 16, apdu->data, apdu->datalen);
|
|
dummy_df_fcp[15] = apdu->datalen;
|
|
dummy_df_fcp[1] = apdu->datalen + 14;
|
|
memcpy(apdu->resp, dummy_df_fcp, apdu->datalen + 16);
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
/* TODO: redesign using of cache
|
|
* TODO: do not keep intermediate results in 'file_out' argument */
|
|
static int
|
|
iasecc_select_file(struct sc_card *card, const struct sc_path *path,
|
|
struct sc_file **file_out)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_path lpath;
|
|
int cache_valid = card->cache.valid, df_from_cache = 0;
|
|
int rv, ii;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
memcpy(&lpath, path, sizeof(struct sc_path));
|
|
if (file_out)
|
|
*file_out = NULL;
|
|
|
|
sc_log(ctx,
|
|
"iasecc_select_file(card:%p) path.len %"SC_FORMAT_LEN_SIZE_T"u; path.type %i; aid_len %"SC_FORMAT_LEN_SIZE_T"u",
|
|
card, path->len, path->type, path->aid.len);
|
|
sc_log(ctx, "iasecc_select_file() path:%s", sc_print_path(path));
|
|
|
|
sc_print_cache(card);
|
|
if ((!iasecc_is_cpx(card)) &&
|
|
(path->type != SC_PATH_TYPE_DF_NAME
|
|
&& lpath.len >= 2
|
|
&& lpath.value[0] == 0x3F && lpath.value[1] == 0x00)) {
|
|
sc_log(ctx, "EF.ATR(aid:'%s')", card->ef_atr ? sc_dump_hex(card->ef_atr->aid.value, card->ef_atr->aid.len) : "");
|
|
|
|
rv = iasecc_select_mf(card, file_out);
|
|
LOG_TEST_RET(ctx, rv, "MF selection error");
|
|
|
|
memmove(&lpath.value[0], &lpath.value[2], lpath.len - 2);
|
|
lpath.len -= 2;
|
|
}
|
|
|
|
if (lpath.aid.len) {
|
|
struct sc_file *file = NULL;
|
|
struct sc_path ppath;
|
|
|
|
sc_log(ctx,
|
|
"iasecc_select_file() select parent AID:%p/%"SC_FORMAT_LEN_SIZE_T"u",
|
|
lpath.aid.value, lpath.aid.len);
|
|
sc_log(ctx, "iasecc_select_file() select parent AID:%s", sc_dump_hex(lpath.aid.value, lpath.aid.len));
|
|
memset(&ppath, 0, sizeof(ppath));
|
|
memcpy(ppath.value, lpath.aid.value, lpath.aid.len);
|
|
ppath.len = lpath.aid.len;
|
|
ppath.type = SC_PATH_TYPE_DF_NAME;
|
|
|
|
if (card->cache.valid && card->cache.current_df
|
|
&& card->cache.current_df->path.len == lpath.aid.len
|
|
&& !memcmp(card->cache.current_df->path.value, lpath.aid.value, lpath.aid.len))
|
|
df_from_cache = 1;
|
|
|
|
rv = iasecc_select_file(card, &ppath, &file);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "select AID path failed");
|
|
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = file;
|
|
} else {
|
|
sc_file_free(file);
|
|
}
|
|
|
|
if (lpath.type == SC_PATH_TYPE_DF_NAME)
|
|
lpath.type = SC_PATH_TYPE_FROM_CURRENT;
|
|
}
|
|
|
|
if (lpath.type == SC_PATH_TYPE_PATH)
|
|
lpath.type = SC_PATH_TYPE_FROM_CURRENT;
|
|
|
|
if (!lpath.len) {
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = NULL;
|
|
}
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
sc_print_cache(card);
|
|
|
|
if (card->cache.valid && card->cache.current_df && lpath.type == SC_PATH_TYPE_DF_NAME
|
|
&& card->cache.current_df->path.len == lpath.len
|
|
&& !memcmp(card->cache.current_df->path.value, lpath.value, lpath.len)) {
|
|
sc_log(ctx, "returns current DF path %s", sc_print_path(&card->cache.current_df->path));
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
sc_file_dup(file_out, card->cache.current_df);
|
|
}
|
|
|
|
sc_print_cache(card);
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
do {
|
|
struct sc_apdu apdu;
|
|
struct sc_file *file = NULL;
|
|
unsigned char rbuf[SC_MAX_APDU_BUFFER_SIZE];
|
|
int pathlen = lpath.len;
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xA4, 0x00, 0x00);
|
|
|
|
if (card->type != SC_CARD_TYPE_IASECC_GEMALTO
|
|
&& card->type != SC_CARD_TYPE_IASECC_OBERTHUR
|
|
&& card->type != SC_CARD_TYPE_IASECC_SAGEM
|
|
&& card->type != SC_CARD_TYPE_IASECC_AMOS
|
|
&& card->type != SC_CARD_TYPE_IASECC_MI
|
|
&& card->type != SC_CARD_TYPE_IASECC_MI2
|
|
&& !iasecc_is_cpx(card)) {
|
|
rv = SC_ERROR_NOT_SUPPORTED;
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "Unsupported card");
|
|
}
|
|
|
|
if (lpath.type == SC_PATH_TYPE_FILE_ID) {
|
|
apdu.p1 = 0x02;
|
|
if (card->type == SC_CARD_TYPE_IASECC_OBERTHUR)
|
|
apdu.p1 = 0x01;
|
|
if (card->type == SC_CARD_TYPE_IASECC_OBERTHUR ||
|
|
card->type == SC_CARD_TYPE_IASECC_AMOS ||
|
|
card->type == SC_CARD_TYPE_IASECC_MI ||
|
|
card->type == SC_CARD_TYPE_IASECC_MI2 ||
|
|
iasecc_is_cpx(card)
|
|
) {
|
|
apdu.p2 = 0x04;
|
|
}
|
|
}
|
|
else if (lpath.type == SC_PATH_TYPE_FROM_CURRENT) {
|
|
apdu.p1 = 0x09;
|
|
if (card->type == SC_CARD_TYPE_IASECC_OBERTHUR ||
|
|
card->type == SC_CARD_TYPE_IASECC_AMOS ||
|
|
card->type == SC_CARD_TYPE_IASECC_MI ||
|
|
card->type == SC_CARD_TYPE_IASECC_MI2 ||
|
|
iasecc_is_cpx(card)) {
|
|
apdu.p2 = 0x04;
|
|
}
|
|
}
|
|
else if (lpath.type == SC_PATH_TYPE_PARENT) {
|
|
apdu.p1 = 0x03;
|
|
pathlen = 0;
|
|
apdu.cse = SC_APDU_CASE_2_SHORT;
|
|
}
|
|
else if (lpath.type == SC_PATH_TYPE_DF_NAME) {
|
|
apdu.p1 = 0x04;
|
|
if (card->type == SC_CARD_TYPE_IASECC_AMOS ||
|
|
card->type == SC_CARD_TYPE_IASECC_MI2 ||
|
|
card->type == SC_CARD_TYPE_IASECC_OBERTHUR) {
|
|
apdu.p2 = 0x04;
|
|
}
|
|
}
|
|
else {
|
|
sc_log(ctx, "Invalid PATH type: 0x%X", lpath.type);
|
|
rv = SC_ERROR_NOT_SUPPORTED;
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "iasecc_select_file() invalid PATH type");
|
|
}
|
|
|
|
for (ii=0; ii<2; ii++) {
|
|
apdu.lc = pathlen;
|
|
apdu.data = lpath.value;
|
|
apdu.datalen = pathlen;
|
|
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = sizeof(rbuf);
|
|
apdu.le = 256;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
if (rv == SC_ERROR_INCORRECT_PARAMETERS &&
|
|
lpath.type == SC_PATH_TYPE_DF_NAME && apdu.p2 == 0x00) {
|
|
apdu.p2 = 0x0C;
|
|
continue;
|
|
}
|
|
|
|
if (ii) {
|
|
/* 'SELECT AID' do not returned FCP. Try to emulate. */
|
|
apdu.resplen = sizeof(rbuf);
|
|
rv = iasecc_emulate_fcp(ctx, &apdu);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "Failed to emulate DF FCP");
|
|
}
|
|
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* Using of the cached DF and EF can cause problems in the multi-thread environment.
|
|
* FIXME: introduce config. option that invalidates this cache outside the locked card session,
|
|
* (or invent something else)
|
|
*/
|
|
if (rv == SC_ERROR_FILE_NOT_FOUND && cache_valid && df_from_cache) {
|
|
sc_invalidate_cache(card);
|
|
sc_log(ctx, "iasecc_select_file() file not found, retry without cached DF");
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = NULL;
|
|
}
|
|
rv = iasecc_select_file(card, path, file_out);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "iasecc_select_file() check SW failed");
|
|
|
|
sc_log(ctx,
|
|
"iasecc_select_file() apdu.resp %"SC_FORMAT_LEN_SIZE_T"u",
|
|
apdu.resplen);
|
|
if (apdu.resplen) {
|
|
sc_log(ctx, "apdu.resp %02X:%02X:%02X...", apdu.resp[0], apdu.resp[1], apdu.resp[2]);
|
|
|
|
switch (apdu.resp[0]) {
|
|
case 0x62:
|
|
case 0x6F:
|
|
file = sc_file_new();
|
|
if (file == NULL) {
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = NULL;
|
|
}
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
|
}
|
|
file->path = lpath;
|
|
|
|
rv = iasecc_process_fci(card, file, apdu.resp, apdu.resplen);
|
|
if (rv) {
|
|
sc_file_free(file);
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = NULL;
|
|
}
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
break;
|
|
default:
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = NULL;
|
|
}
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
|
|
}
|
|
|
|
sc_log(ctx, "FileType %i", file->type);
|
|
if (file->type == SC_FILE_TYPE_DF) {
|
|
if (card->cache.valid) {
|
|
sc_file_free(card->cache.current_df);
|
|
}
|
|
card->cache.current_df = NULL;
|
|
|
|
sc_file_dup(&card->cache.current_df, file);
|
|
card->cache.valid = 1;
|
|
}
|
|
else {
|
|
if (card->cache.valid) {
|
|
sc_file_free(card->cache.current_ef);
|
|
}
|
|
|
|
card->cache.current_ef = NULL;
|
|
|
|
sc_file_dup(&card->cache.current_ef, file);
|
|
card->cache.valid = 1;
|
|
}
|
|
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = file;
|
|
}
|
|
else {
|
|
sc_file_free(file);
|
|
}
|
|
}
|
|
else if (lpath.type == SC_PATH_TYPE_DF_NAME) {
|
|
sc_file_free(card->cache.current_df);
|
|
card->cache.current_df = NULL;
|
|
|
|
sc_file_free(card->cache.current_ef);
|
|
card->cache.current_ef = NULL;
|
|
|
|
card->cache.valid = 1;
|
|
}
|
|
} while(0);
|
|
|
|
sc_print_cache(card);
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
err:
|
|
if (file_out) {
|
|
sc_file_free(*file_out);
|
|
*file_out = NULL;
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_process_fci(struct sc_card *card, struct sc_file *file,
|
|
const unsigned char *buf, size_t buflen)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
size_t taglen, offs, ii;
|
|
int rv;
|
|
const unsigned char *acls = NULL, *tag = NULL;
|
|
unsigned char mask;
|
|
unsigned char ops_DF[7] = {
|
|
SC_AC_OP_DELETE, 0xFF, SC_AC_OP_ACTIVATE, SC_AC_OP_DEACTIVATE, 0xFF, SC_AC_OP_CREATE, 0xFF
|
|
};
|
|
unsigned char ops_EF[7] = {
|
|
SC_AC_OP_DELETE, 0xFF, SC_AC_OP_ACTIVATE, SC_AC_OP_DEACTIVATE, 0xFF, SC_AC_OP_UPDATE, SC_AC_OP_READ
|
|
};
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
tag = sc_asn1_find_tag(ctx, buf, buflen, 0x6F, &taglen);
|
|
sc_log(ctx, "processing FCI: 0x6F tag %p", tag);
|
|
if (tag != NULL) {
|
|
sc_log(ctx, " FCP length %"SC_FORMAT_LEN_SIZE_T"u", taglen);
|
|
buf = tag;
|
|
buflen = taglen;
|
|
}
|
|
|
|
tag = sc_asn1_find_tag(ctx, buf, buflen, 0x62, &taglen);
|
|
sc_log(ctx, "processing FCI: 0x62 tag %p", tag);
|
|
if (tag != NULL) {
|
|
sc_log(ctx, " FCP length %"SC_FORMAT_LEN_SIZE_T"u", taglen);
|
|
buf = tag;
|
|
buflen = taglen;
|
|
}
|
|
|
|
rv = iso_ops->process_fci(card, file, buf, buflen);
|
|
LOG_TEST_RET(ctx, rv, "ISO parse FCI failed");
|
|
/*
|
|
Gemalto: 6F 19 80 02 02 ED 82 01 01 83 02 B0 01 88 00 8C 07 7B 17 17 17 17 17 00 8A 01 05 90 00
|
|
Sagem: 6F 17 62 15 80 02 00 7D 82 01 01 8C 02 01 00 83 02 2F 00 88 01 F0 8A 01 05 90 00
|
|
Oberthur: 62 1B 80 02 05 DC 82 01 01 83 02 B0 01 88 00 A1 09 8C 07 7B 17 FF 17 17 17 00 8A 01 05 90 00
|
|
*/
|
|
|
|
sc_log(ctx, "iasecc_process_fci() type %i; let's parse file ACLs", file->type);
|
|
tag = sc_asn1_find_tag(ctx, buf, buflen, IASECC_DOCP_TAG_ACLS, &taglen);
|
|
if (tag)
|
|
acls = sc_asn1_find_tag(ctx, tag, taglen, IASECC_DOCP_TAG_ACLS_CONTACT, &taglen);
|
|
else
|
|
acls = sc_asn1_find_tag(ctx, buf, buflen, IASECC_DOCP_TAG_ACLS_CONTACT, &taglen);
|
|
|
|
if (!acls) {
|
|
sc_log(ctx,
|
|
"ACLs not found in data(%"SC_FORMAT_LEN_SIZE_T"u) %s",
|
|
buflen, sc_dump_hex(buf, buflen));
|
|
LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_FOUND, "ACLs tag missing");
|
|
}
|
|
|
|
sc_log(ctx, "ACLs(%"SC_FORMAT_LEN_SIZE_T"u) '%s'", taglen,
|
|
sc_dump_hex(acls, taglen));
|
|
mask = 0x40, offs = 1;
|
|
for (ii = 0; ii < 7; ii++, mask /= 2) {
|
|
unsigned char op = file->type == SC_FILE_TYPE_DF ? ops_DF[ii] : ops_EF[ii];
|
|
|
|
/* avoid any access to acls[offs] beyond the taglen */
|
|
if (offs >= taglen) {
|
|
sc_log(ctx, "Warning: Invalid offset reached during ACL parsing");
|
|
break;
|
|
}
|
|
if (!(mask & acls[0]))
|
|
continue;
|
|
|
|
sc_log(ctx, "ACLs mask 0x%X, offs %"SC_FORMAT_LEN_SIZE_T"u, op 0x%X, acls[offs] 0x%X", mask, offs, op, acls[offs]);
|
|
if (op == 0xFF) {
|
|
;
|
|
}
|
|
else if (acls[offs] == 0) {
|
|
sc_file_add_acl_entry(file, op, SC_AC_NONE, 0);
|
|
}
|
|
else if (acls[offs] == 0xFF) {
|
|
sc_file_add_acl_entry(file, op, SC_AC_NEVER, 0);
|
|
}
|
|
else if ((acls[offs] & IASECC_SCB_METHOD_MASK) == IASECC_SCB_METHOD_USER_AUTH) {
|
|
sc_file_add_acl_entry(file, op, SC_AC_SEN, acls[offs] & IASECC_SCB_METHOD_MASK_REF);
|
|
}
|
|
else if (acls[offs] & IASECC_SCB_METHOD_MASK) {
|
|
sc_file_add_acl_entry(file, op, SC_AC_SCB, acls[offs]);
|
|
}
|
|
else {
|
|
sc_log(ctx, "Warning: non supported SCB method: %X", acls[offs]);
|
|
sc_file_add_acl_entry(file, op, SC_AC_NEVER, 0);
|
|
}
|
|
|
|
offs++;
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, 0);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_fcp_encode(struct sc_card *card, struct sc_file *file, unsigned char *out, size_t out_len)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned char buf[0x80], type;
|
|
unsigned char ops[7] = {
|
|
SC_AC_OP_DELETE, 0xFF, SC_AC_OP_ACTIVATE, SC_AC_OP_DEACTIVATE, 0xFF, SC_AC_OP_UPDATE, SC_AC_OP_READ
|
|
};
|
|
unsigned char smbs[8];
|
|
size_t ii, offs = 0, amb, mask, nn_smb;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (file->type == SC_FILE_TYPE_DF)
|
|
type = IASECC_FCP_TYPE_DF;
|
|
else
|
|
type = IASECC_FCP_TYPE_EF;
|
|
|
|
buf[offs++] = IASECC_FCP_TAG_SIZE;
|
|
buf[offs++] = 2;
|
|
buf[offs++] = (file->size >> 8) & 0xFF;
|
|
buf[offs++] = file->size & 0xFF;
|
|
|
|
buf[offs++] = IASECC_FCP_TAG_TYPE;
|
|
buf[offs++] = 1;
|
|
buf[offs++] = type;
|
|
|
|
buf[offs++] = IASECC_FCP_TAG_FID;
|
|
buf[offs++] = 2;
|
|
buf[offs++] = (file->id >> 8) & 0xFF;
|
|
buf[offs++] = file->id & 0xFF;
|
|
|
|
buf[offs++] = IASECC_FCP_TAG_SFID;
|
|
buf[offs++] = 0;
|
|
|
|
amb = 0, mask = 0x40, nn_smb = 0;
|
|
for (ii = 0; ii < sizeof(ops); ii++, mask >>= 1) {
|
|
const struct sc_acl_entry *entry;
|
|
|
|
if (ops[ii]==0xFF)
|
|
continue;
|
|
|
|
entry = sc_file_get_acl_entry(file, ops[ii]);
|
|
if (!entry)
|
|
continue;
|
|
|
|
sc_log(ctx, "method %X; reference %X", entry->method, entry->key_ref);
|
|
if (entry->method == SC_AC_NEVER)
|
|
continue;
|
|
else if (entry->method == SC_AC_NONE)
|
|
smbs[nn_smb++] = 0x00;
|
|
else if (entry->method == SC_AC_CHV)
|
|
smbs[nn_smb++] = entry->key_ref | IASECC_SCB_METHOD_USER_AUTH;
|
|
else if (entry->method == SC_AC_SEN)
|
|
smbs[nn_smb++] = entry->key_ref | IASECC_SCB_METHOD_USER_AUTH;
|
|
else if (entry->method == SC_AC_SCB)
|
|
smbs[nn_smb++] = entry->key_ref;
|
|
else if (entry->method == SC_AC_PRO)
|
|
smbs[nn_smb++] = entry->key_ref | IASECC_SCB_METHOD_SM;
|
|
else
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Non supported AC method");
|
|
|
|
amb |= mask;
|
|
sc_log(ctx,
|
|
"%"SC_FORMAT_LEN_SIZE_T"u: AMB %"SC_FORMAT_LEN_SIZE_T"X; nn_smb %"SC_FORMAT_LEN_SIZE_T"u",
|
|
ii, amb, nn_smb);
|
|
}
|
|
|
|
/* TODO: Encode contactless ACLs and life cycle status for all IAS/ECC cards */
|
|
if (card->type == SC_CARD_TYPE_IASECC_SAGEM ||
|
|
card->type == SC_CARD_TYPE_IASECC_AMOS ) {
|
|
unsigned char status = 0;
|
|
|
|
buf[offs++] = IASECC_FCP_TAG_ACLS;
|
|
buf[offs++] = 2*(2 + 1 + nn_smb);
|
|
|
|
buf[offs++] = IASECC_FCP_TAG_ACLS_CONTACT;
|
|
buf[offs++] = nn_smb + 1;
|
|
buf[offs++] = amb;
|
|
memcpy(buf + offs, smbs, nn_smb);
|
|
offs += nn_smb;
|
|
|
|
/* Same ACLs for contactless */
|
|
buf[offs++] = IASECC_FCP_TAG_ACLS_CONTACTLESS;
|
|
buf[offs++] = nn_smb + 1;
|
|
buf[offs++] = amb;
|
|
memcpy(buf + offs, smbs, nn_smb);
|
|
offs += nn_smb;
|
|
|
|
if (file->status == SC_FILE_STATUS_ACTIVATED)
|
|
status = 0x05;
|
|
else if (file->status == SC_FILE_STATUS_CREATION)
|
|
status = 0x01;
|
|
|
|
if (status) {
|
|
buf[offs++] = 0x8A;
|
|
buf[offs++] = 0x01;
|
|
buf[offs++] = status;
|
|
}
|
|
}
|
|
else {
|
|
buf[offs++] = IASECC_FCP_TAG_ACLS;
|
|
buf[offs++] = 2 + 1 + nn_smb;
|
|
|
|
buf[offs++] = IASECC_FCP_TAG_ACLS_CONTACT;
|
|
buf[offs++] = nn_smb + 1;
|
|
buf[offs++] = amb;
|
|
memcpy(buf + offs, smbs, nn_smb);
|
|
offs += nn_smb;
|
|
}
|
|
|
|
if (out) {
|
|
if (out_len < offs)
|
|
LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Buffer too small to encode FCP");
|
|
memcpy(out, buf, offs);
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, offs);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_create_file(struct sc_card *card, struct sc_file *file)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
const struct sc_acl_entry *entry = NULL;
|
|
unsigned char sbuf[0x100];
|
|
size_t sbuf_len;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_print_cache(card);
|
|
|
|
if (file->type != SC_FILE_TYPE_WORKING_EF)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Creation of the file with of this type is not supported");
|
|
|
|
sbuf_len = iasecc_fcp_encode(card, file, sbuf + 2, sizeof(sbuf)-2);
|
|
LOG_TEST_RET(ctx, sbuf_len, "FCP encode error");
|
|
|
|
sbuf[0] = IASECC_FCP_TAG;
|
|
sbuf[1] = sbuf_len;
|
|
|
|
if (card->cache.valid && card->cache.current_df) {
|
|
entry = sc_file_get_acl_entry(card->cache.current_df, SC_AC_OP_CREATE);
|
|
if (!entry)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_FOUND, "iasecc_create_file() 'CREATE' ACL not present");
|
|
|
|
sc_log(ctx, "iasecc_create_file() 'CREATE' method/reference %X/%X", entry->method, entry->key_ref);
|
|
sc_log(ctx, "iasecc_create_file() create data: '%s'", sc_dump_hex(sbuf, sbuf_len + 2));
|
|
if (entry->method == SC_AC_SCB && (entry->key_ref & IASECC_SCB_METHOD_SM)) {
|
|
rv = iasecc_sm_create_file(card, entry->key_ref & IASECC_SCB_METHOD_MASK_REF, sbuf, sbuf_len + 2);
|
|
LOG_TEST_RET(ctx, rv, "iasecc_create_file() SM create file error");
|
|
|
|
rv = iasecc_select_file(card, &file->path, NULL);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
|
|
}
|
|
}
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xE0, 0, 0);
|
|
apdu.data = sbuf;
|
|
apdu.datalen = sbuf_len + 2;
|
|
apdu.lc = sbuf_len + 2;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "iasecc_create_file() create file error");
|
|
|
|
rv = iasecc_select_file(card, &file->path, NULL);
|
|
LOG_TEST_RET(ctx, rv, "Cannot select newly created file");
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
static int
|
|
iasecc_get_challenge(struct sc_card *card, u8 * rnd, size_t len)
|
|
{
|
|
/* As IAS/ECC cannot handle other data length than 0x08 */
|
|
u8 rbuf[8];
|
|
size_t out_len;
|
|
int r;
|
|
|
|
LOG_FUNC_CALLED(card->ctx);
|
|
|
|
r = iso_ops->get_challenge(card, rbuf, sizeof rbuf);
|
|
LOG_TEST_RET(card->ctx, r, "GET CHALLENGE cmd failed");
|
|
|
|
if (len < (size_t) r) {
|
|
out_len = len;
|
|
} else {
|
|
out_len = (size_t) r;
|
|
}
|
|
memcpy(rnd, rbuf, out_len);
|
|
|
|
LOG_FUNC_RETURN(card->ctx, (int) out_len);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_logout(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_path path;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (!card->ef_atr || !card->ef_atr->aid.len)
|
|
return SC_SUCCESS;
|
|
|
|
memset(&path, 0, sizeof(struct sc_path));
|
|
path.type = SC_PATH_TYPE_DF_NAME;
|
|
memcpy(path.value, card->ef_atr->aid.value, card->ef_atr->aid.len);
|
|
path.len = card->ef_atr->aid.len;
|
|
|
|
rv = iasecc_select_file(card, &path, NULL);
|
|
sc_log(ctx, "Select ECC ROOT with the AID from EF.ATR: rv %i", rv);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_finish(struct sc_card *card)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_private_data *private_data = (struct iasecc_private_data *)card->drv_data;
|
|
struct iasecc_se_info *se_info = private_data->se_info, *next;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
while (se_info) {
|
|
sc_file_free(se_info->df);
|
|
next = se_info->next;
|
|
free(se_info);
|
|
se_info = next;
|
|
}
|
|
|
|
free(card->drv_data);
|
|
card->drv_data = NULL;
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_delete_file(struct sc_card *card, const struct sc_path *path)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
const struct sc_acl_entry *entry = NULL;
|
|
struct sc_apdu apdu;
|
|
struct sc_file *file = NULL;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_print_cache(card);
|
|
|
|
rv = iasecc_select_file(card, path, &file);
|
|
if (rv == SC_ERROR_FILE_NOT_FOUND)
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
LOG_TEST_RET(ctx, rv, "Cannot select file to delete");
|
|
|
|
entry = sc_file_get_acl_entry(file, SC_AC_OP_DELETE);
|
|
if (!entry)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_FOUND, "Cannot delete file: no 'DELETE' acl");
|
|
|
|
sc_log(ctx, "DELETE method/reference %X/%X", entry->method, entry->key_ref);
|
|
if (entry->method == SC_AC_SCB && (entry->key_ref & IASECC_SCB_METHOD_SM)) {
|
|
unsigned char se_num = (entry->method == SC_AC_SCB) ? (entry->key_ref & IASECC_SCB_METHOD_MASK_REF) : 0;
|
|
rv = iasecc_sm_delete_file(card, se_num, file->id);
|
|
}
|
|
else {
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xE4, 0x00, 0x00);
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "Delete file failed");
|
|
|
|
if (card->cache.valid) {
|
|
sc_file_free(card->cache.current_ef);
|
|
}
|
|
card->cache.current_ef = NULL;
|
|
}
|
|
|
|
sc_file_free(file);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_check_sw(struct sc_card *card, unsigned int sw1, unsigned int sw2)
|
|
{
|
|
if (sw1 == 0x62 && sw2 == 0x82)
|
|
return SC_SUCCESS;
|
|
|
|
return iso_ops->check_sw(card, sw1, sw2);
|
|
}
|
|
|
|
|
|
static unsigned
|
|
iasecc_get_algorithm(struct sc_context *ctx, const struct sc_security_env *env,
|
|
unsigned operation, unsigned mechanism)
|
|
{
|
|
const struct sc_supported_algo_info *info = NULL;
|
|
int ii;
|
|
|
|
if (!env)
|
|
return 0;
|
|
|
|
for (ii=0;ii<SC_MAX_SUPPORTED_ALGORITHMS && env->supported_algos[ii].reference; ii++)
|
|
if ((env->supported_algos[ii].operations & operation)
|
|
&& (env->supported_algos[ii].mechanism == mechanism))
|
|
break;
|
|
|
|
if (ii < SC_MAX_SUPPORTED_ALGORITHMS && env->supported_algos[ii].reference) {
|
|
info = &env->supported_algos[ii];
|
|
sc_log(ctx, "found IAS/ECC algorithm %X:%X:%X:%X",
|
|
info->reference, info->mechanism, info->operations, info->algo_ref);
|
|
}
|
|
else {
|
|
sc_log(ctx, "cannot find IAS/ECC algorithm (operation:%X,mechanism:%X)", operation, mechanism);
|
|
}
|
|
|
|
return info ? info->algo_ref : 0;
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_se_cache_info(struct sc_card *card, struct iasecc_se_info *se)
|
|
{
|
|
struct iasecc_private_data *prv = (struct iasecc_private_data *) card->drv_data;
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_se_info *se_info = NULL, *si = NULL;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
se_info = calloc(1, sizeof(struct iasecc_se_info));
|
|
if (!se_info)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "SE info allocation error");
|
|
memcpy(se_info, se, sizeof(struct iasecc_se_info));
|
|
|
|
if (card->cache.valid && card->cache.current_df) {
|
|
sc_file_dup(&se_info->df, card->cache.current_df);
|
|
if (se_info->df == NULL) {
|
|
free(se_info);
|
|
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot duplicate current DF file");
|
|
}
|
|
}
|
|
|
|
rv = iasecc_docp_copy(ctx, &se->docp, &se_info->docp);
|
|
if (rv < 0) {
|
|
free(se_info->df);
|
|
free(se_info);
|
|
LOG_TEST_RET(ctx, rv, "Cannot make copy of DOCP");
|
|
}
|
|
|
|
if (!prv->se_info) {
|
|
prv->se_info = se_info;
|
|
}
|
|
else {
|
|
for (si = prv->se_info; si->next; si = si->next)
|
|
;
|
|
si->next = se_info;
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_se_get_info_from_cache(struct sc_card *card, struct iasecc_se_info *se)
|
|
{
|
|
struct iasecc_private_data *prv = (struct iasecc_private_data *) card->drv_data;
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_se_info *si = NULL;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
for(si = prv->se_info; si; si = si->next) {
|
|
if (si->reference != se->reference)
|
|
continue;
|
|
if (!(card->cache.valid && card->cache.current_df) && si->df)
|
|
continue;
|
|
if (card->cache.valid && card->cache.current_df && !si->df)
|
|
continue;
|
|
if (card->cache.valid && card->cache.current_df && si->df)
|
|
if (memcmp(&card->cache.current_df->path, &si->df->path, sizeof(struct sc_path)))
|
|
continue;
|
|
break;
|
|
}
|
|
|
|
if (!si)
|
|
return SC_ERROR_OBJECT_NOT_FOUND;
|
|
|
|
memcpy(se, si, sizeof(struct iasecc_se_info));
|
|
|
|
if (si->df) {
|
|
sc_file_dup(&se->df, si->df);
|
|
if (se->df == NULL)
|
|
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot duplicate current DF file");
|
|
}
|
|
|
|
rv = iasecc_docp_copy(ctx, &si->docp, &se->docp);
|
|
LOG_TEST_RET(ctx, rv, "Cannot make copy of DOCP");
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
int
|
|
iasecc_se_get_info(struct sc_card *card, struct iasecc_se_info *se)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
unsigned char rbuf[0x100];
|
|
unsigned char sbuf_iasecc[10] = {
|
|
0x4D, 0x08, IASECC_SDO_TEMPLATE_TAG, 0x06,
|
|
IASECC_SDO_TAG_HEADER, IASECC_SDO_CLASS_SE | IASECC_OBJECT_REF_LOCAL,
|
|
se->reference & 0x3F,
|
|
0x02, IASECC_SDO_CLASS_SE, 0x80
|
|
};
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (se->reference > IASECC_SE_REF_MAX)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
|
|
rv = iasecc_se_get_info_from_cache(card, se);
|
|
if (rv == SC_ERROR_OBJECT_NOT_FOUND) {
|
|
sc_log(ctx, "No SE#%X info in cache, try to use 'GET DATA'", se->reference);
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xCB, 0x3F, 0xFF);
|
|
apdu.data = sbuf_iasecc;
|
|
apdu.datalen = sizeof(sbuf_iasecc);
|
|
apdu.lc = apdu.datalen;
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = sizeof(rbuf);
|
|
apdu.le = sizeof(rbuf);
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "get SE data error");
|
|
|
|
rv = iasecc_se_parse(card, apdu.resp, apdu.resplen, se);
|
|
LOG_TEST_RET(ctx, rv, "cannot parse SE data");
|
|
|
|
rv = iasecc_se_cache_info(card, se);
|
|
LOG_TEST_RET(ctx, rv, "failed to put SE data into cache");
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_set_security_env(struct sc_card *card,
|
|
const struct sc_security_env *env, int se_num)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_sdo sdo;
|
|
struct iasecc_private_data *prv = (struct iasecc_private_data *) card->drv_data;
|
|
unsigned algo_ref;
|
|
struct sc_apdu apdu;
|
|
unsigned sign_meth, sign_ref, auth_meth, auth_ref, aflags;
|
|
unsigned char cse_crt_at[] = {
|
|
0x84, 0x01, 0xFF,
|
|
0x80, 0x01, IASECC_ALGORITHM_RSA_PKCS
|
|
};
|
|
unsigned char cse_crt_dst[] = {
|
|
0x84, 0x01, 0xFF,
|
|
0x80, 0x01, (IASECC_ALGORITHM_RSA_PKCS | IASECC_ALGORITHM_SHA1)
|
|
};
|
|
unsigned char cse_crt_ht[] = {
|
|
0x80, 0x01, IASECC_ALGORITHM_SHA1
|
|
};
|
|
unsigned char cse_crt_ct[] = {
|
|
0x84, 0x01, 0xFF,
|
|
0x80, 0x01, (IASECC_ALGORITHM_RSA_PKCS_DECRYPT | IASECC_ALGORITHM_SHA1)
|
|
};
|
|
int rv, operation = env->operation;
|
|
|
|
/* TODO: take algorithm references from 5032, not from header file. */
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "iasecc_set_security_env(card:%p) operation 0x%X; senv.algorithm 0x%X, senv.algorithm_ref 0x%X",
|
|
card, env->operation, env->algorithm, env->algorithm_ref);
|
|
|
|
memset(&sdo, 0, sizeof(sdo));
|
|
sdo.sdo_class = IASECC_SDO_CLASS_RSA_PRIVATE;
|
|
sdo.sdo_ref = env->key_ref[0] & ~IASECC_OBJECT_REF_LOCAL;
|
|
rv = iasecc_sdo_get_data(card, &sdo);
|
|
LOG_TEST_RET(ctx, rv, "Cannot get RSA PRIVATE SDO data");
|
|
|
|
/* To made by iasecc_sdo_convert_to_file() */
|
|
prv->key_size = *(sdo.docp.size.value + 0) * 0x100 + *(sdo.docp.size.value + 1);
|
|
sc_log(ctx, "prv->key_size 0x%"SC_FORMAT_LEN_SIZE_T"X", prv->key_size);
|
|
|
|
rv = iasecc_sdo_convert_acl(card, &sdo, SC_AC_OP_PSO_COMPUTE_SIGNATURE, &sign_meth, &sign_ref);
|
|
LOG_TEST_RET(ctx, rv, "Cannot convert SC_AC_OP_SIGN acl");
|
|
|
|
rv = iasecc_sdo_convert_acl(card, &sdo, SC_AC_OP_INTERNAL_AUTHENTICATE, &auth_meth, &auth_ref);
|
|
LOG_TEST_RET(ctx, rv, "Cannot convert SC_AC_OP_INT_AUTH acl");
|
|
|
|
aflags = env->algorithm_flags;
|
|
|
|
if (!(aflags & SC_ALGORITHM_RSA_PAD_PKCS1))
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Only supported signature with PKCS1 padding");
|
|
|
|
if (operation == SC_SEC_OPERATION_SIGN) {
|
|
if (!(aflags & (SC_ALGORITHM_RSA_HASH_SHA1 | SC_ALGORITHM_RSA_HASH_SHA256))) {
|
|
sc_log(ctx, "CKM_RSA_PKCS asked -- use 'AUTHENTICATE' sign operation instead of 'SIGN'");
|
|
operation = SC_SEC_OPERATION_AUTHENTICATE;
|
|
}
|
|
else if (sign_meth == SC_AC_NEVER) {
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "PSO_DST not allowed for this key");
|
|
}
|
|
}
|
|
|
|
if (operation == SC_SEC_OPERATION_SIGN) {
|
|
prv->op_method = sign_meth;
|
|
prv->op_ref = sign_ref;
|
|
}
|
|
else if (operation == SC_SEC_OPERATION_AUTHENTICATE) {
|
|
if (auth_meth == SC_AC_NEVER)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_ALLOWED, "INTERNAL_AUTHENTICATE is not allowed for this key");
|
|
|
|
prv->op_method = auth_meth;
|
|
prv->op_ref = auth_ref;
|
|
}
|
|
|
|
sc_log(ctx, "senv.algorithm 0x%X, senv.algorithm_ref 0x%X", env->algorithm, env->algorithm_ref);
|
|
sc_log(ctx,
|
|
"se_num %i, operation 0x%X, algorithm 0x%X, algorithm_ref 0x%X, flags 0x%X; key size %"SC_FORMAT_LEN_SIZE_T"u",
|
|
se_num, operation, env->algorithm, env->algorithm_ref,
|
|
env->algorithm_flags, prv->key_size);
|
|
switch (operation) {
|
|
case SC_SEC_OPERATION_SIGN:
|
|
if (!(env->algorithm_flags & SC_ALGORITHM_RSA_PAD_PKCS1))
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Need RSA_PKCS1 specified");
|
|
|
|
if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA256) {
|
|
algo_ref = iasecc_get_algorithm(ctx, env, SC_PKCS15_ALGO_OP_HASH, CKM_SHA256);
|
|
if (!algo_ref)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Card application do not supports HASH:SHA256");
|
|
|
|
cse_crt_ht[2] = algo_ref; /* IASECC_ALGORITHM_SHA2 */
|
|
|
|
algo_ref = iasecc_get_algorithm(ctx, env, SC_PKCS15_ALGO_OP_COMPUTE_SIGNATURE, CKM_SHA256_RSA_PKCS);
|
|
if (!algo_ref)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Card application do not supports SIGNATURE:SHA1_RSA_PKCS");
|
|
|
|
cse_crt_dst[2] = env->key_ref[0] | IASECC_OBJECT_REF_LOCAL;
|
|
cse_crt_dst[5] = algo_ref; /* IASECC_ALGORITHM_RSA_PKCS | IASECC_ALGORITHM_SHA2 */
|
|
}
|
|
else if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA1) {
|
|
algo_ref = iasecc_get_algorithm(ctx, env, SC_PKCS15_ALGO_OP_HASH, CKM_SHA_1);
|
|
if (!algo_ref)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Card application do not supports HASH:SHA1");
|
|
|
|
cse_crt_ht[2] = algo_ref; /* IASECC_ALGORITHM_SHA1 */
|
|
|
|
algo_ref = iasecc_get_algorithm(ctx, env, SC_PKCS15_ALGO_OP_COMPUTE_SIGNATURE, CKM_SHA1_RSA_PKCS);
|
|
if (!algo_ref)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Card application do not supports SIGNATURE:SHA1_RSA_PKCS");
|
|
|
|
cse_crt_dst[2] = env->key_ref[0] | IASECC_OBJECT_REF_LOCAL;
|
|
cse_crt_dst[5] = algo_ref; /* IASECC_ALGORITHM_RSA_PKCS | IASECC_ALGORITHM_SHA1 */
|
|
}
|
|
else {
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Need RSA_HASH_SHA[1,256] specified");
|
|
}
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, 0x41, IASECC_CRT_TAG_HT);
|
|
apdu.data = cse_crt_ht;
|
|
apdu.datalen = sizeof(cse_crt_ht);
|
|
apdu.lc = sizeof(cse_crt_ht);
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "MSE restore error");
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, 0x41, IASECC_CRT_TAG_DST);
|
|
apdu.data = cse_crt_dst;
|
|
apdu.datalen = sizeof(cse_crt_dst);
|
|
apdu.lc = sizeof(cse_crt_dst);
|
|
break;
|
|
case SC_SEC_OPERATION_AUTHENTICATE:
|
|
algo_ref = iasecc_get_algorithm(ctx, env, SC_PKCS15_ALGO_OP_COMPUTE_SIGNATURE, CKM_RSA_PKCS);
|
|
if (!algo_ref)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Application do not supports SIGNATURE:RSA_PKCS");
|
|
|
|
cse_crt_at[2] = env->key_ref[0] | IASECC_OBJECT_REF_LOCAL;
|
|
cse_crt_at[5] = algo_ref; /* IASECC_ALGORITHM_RSA_PKCS */
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, 0x41, IASECC_CRT_TAG_AT);
|
|
apdu.data = cse_crt_at;
|
|
apdu.datalen = sizeof(cse_crt_at);
|
|
apdu.lc = sizeof(cse_crt_at);
|
|
break;
|
|
case SC_SEC_OPERATION_DECIPHER:
|
|
rv = iasecc_sdo_convert_acl(card, &sdo, SC_AC_OP_PSO_DECRYPT, &prv->op_method, &prv->op_ref);
|
|
LOG_TEST_RET(ctx, rv, "Cannot convert SC_AC_OP_PSO_DECRYPT acl");
|
|
algo_ref = iasecc_get_algorithm(ctx, env, SC_PKCS15_ALGO_OP_DECIPHER, CKM_RSA_PKCS);
|
|
if (!algo_ref)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Application do not supports DECIPHER:RSA_PKCS");
|
|
|
|
cse_crt_ct[2] = env->key_ref[0] | IASECC_OBJECT_REF_LOCAL;
|
|
cse_crt_ct[5] = algo_ref; /* IASECC_ALGORITHM_RSA_PKCS_DECRYPT | IASECC_ALGORITHM_SHA1 */
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x22, 0x41, IASECC_CRT_TAG_CT);
|
|
apdu.data = cse_crt_ct;
|
|
apdu.datalen = sizeof(cse_crt_ct);
|
|
apdu.lc = sizeof(cse_crt_ct);
|
|
break;
|
|
default:
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
|
}
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "MSE restore error");
|
|
|
|
prv->security_env = *env;
|
|
prv->security_env.operation = operation;
|
|
|
|
LOG_FUNC_RETURN(ctx, 0);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_chv_verify(struct sc_card *card, struct sc_pin_cmd_data *pin_cmd, unsigned char *scbs,
|
|
int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned char scb = scbs[IASECC_ACLS_CHV_VERIFY];
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "Verify CHV PIN(ref:%i,len:%i,scb:%X)", pin_cmd->pin_reference, pin_cmd->pin1.len,
|
|
scb);
|
|
|
|
if (scb & IASECC_SCB_METHOD_SM) {
|
|
rv = iasecc_sm_pin_verify(card, scb & IASECC_SCB_METHOD_MASK_REF, pin_cmd, tries_left);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
rv = iso_ops->pin_cmd(card, pin_cmd, tries_left);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_se_at_to_chv_reference(struct sc_card *card, unsigned reference,
|
|
unsigned *chv_reference)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_se_info se;
|
|
struct sc_crt crt;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "SE reference %i", reference);
|
|
|
|
if (reference > IASECC_SE_REF_MAX)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
|
|
memset(&se, 0, sizeof(se));
|
|
se.reference = reference;
|
|
|
|
rv = iasecc_se_get_info(card, &se);
|
|
LOG_TEST_RET(ctx, rv, "SDO get data error");
|
|
|
|
memset(&crt, 0, sizeof(crt));
|
|
crt.tag = IASECC_CRT_TAG_AT;
|
|
crt.usage = IASECC_UQB_AT_USER_PASSWORD;
|
|
|
|
rv = iasecc_se_get_crt(card, &se, &crt);
|
|
LOG_TEST_RET(ctx, rv, "no authentication template for USER PASSWORD");
|
|
|
|
if (chv_reference)
|
|
*chv_reference = crt.refs[0];
|
|
|
|
sc_file_free(se.df);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_pin_get_status(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_pin_cmd_data info;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (data->pin_type != SC_AC_CHV)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "PIN type is not supported for status");
|
|
|
|
memset(&info, 0, sizeof(info));
|
|
info.cmd = SC_PIN_CMD_GET_INFO;
|
|
info.pin_type = data->pin_type;
|
|
info.pin_reference = data->pin_reference;
|
|
|
|
rv = iso_ops->pin_cmd(card, &info, tries_left);
|
|
LOG_TEST_RET(ctx, rv, "Failed to get PIN info");
|
|
|
|
data->pin1.max_tries = info.pin1.max_tries;
|
|
data->pin1.tries_left = info.pin1.tries_left;
|
|
data->pin1.logged_in = info.pin1.logged_in;
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_pin_verify(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned type = data->pin_type;
|
|
unsigned reference = data->pin_reference;
|
|
struct sc_pin_cmd_data pin_cmd;
|
|
struct iasecc_pin_policy policy;
|
|
int tries_before_verify = -1;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx,
|
|
"Verify PIN(type:%X,ref:%i,data(len:%i,%p)",
|
|
type, reference, data->pin1.len, data->pin1.data);
|
|
|
|
if (type == SC_AC_AUT) {
|
|
rv = iasecc_sm_external_authentication(card, reference, tries_left);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
if (type == SC_AC_SCB) {
|
|
if (reference & IASECC_SCB_METHOD_USER_AUTH) {
|
|
type = SC_AC_SEN;
|
|
reference = reference & IASECC_SCB_METHOD_MASK_REF;
|
|
}
|
|
}
|
|
|
|
if (type == SC_AC_SEN) {
|
|
type = SC_AC_CHV;
|
|
rv = iasecc_se_at_to_chv_reference(card, reference, &reference);
|
|
LOG_TEST_RET(ctx, rv, "SE AT to CHV reference error");
|
|
}
|
|
|
|
if (type != SC_AC_CHV) {
|
|
sc_log(ctx, "Do not try to verify non CHV PINs");
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
}
|
|
|
|
pin_cmd = *data;
|
|
pin_cmd.pin_type = SC_AC_CHV;
|
|
pin_cmd.pin_reference = reference;
|
|
pin_cmd.cmd = SC_PIN_CMD_VERIFY;
|
|
|
|
rv = iasecc_pin_get_status(card, &pin_cmd, tries_left);
|
|
if (data->pin1.data && !data->pin1.len)
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
|
|
if (!rv) {
|
|
if (pin_cmd.pin1.logged_in == SC_PIN_STATE_LOGGED_IN)
|
|
if (iasecc_chv_cache_is_verified(card, &pin_cmd))
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
else if (rv != SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
iasecc_chv_cache_clean(card, &pin_cmd);
|
|
|
|
rv = iasecc_pin_merge_policy(card, &pin_cmd, &pin_cmd.pin1, &policy);
|
|
LOG_TEST_RET(ctx, rv, "Failed to update PIN1 info");
|
|
|
|
/* PIN-pads work best with fixed-size lengths. Use PIN padding when length is available. */
|
|
if (pin_cmd.flags & SC_PIN_CMD_USE_PINPAD) {
|
|
tries_before_verify = pin_cmd.pin1.tries_left;
|
|
if (policy.stored_length > 0)
|
|
iasecc_set_pin_padding(&pin_cmd, &pin_cmd.pin1, policy.stored_length);
|
|
}
|
|
|
|
rv = iasecc_chv_verify(card, &pin_cmd, policy.scbs, tries_left);
|
|
|
|
/*
|
|
* Detect and log PIN-pads which don't handle variable-length PIN - special case where they
|
|
* forward the CHV verify command with Lc = 0 to the card, without updating Lc. An IAS-ECC
|
|
* card responds to this command by returning the number of attempts left, without
|
|
* decreasing the counter.
|
|
*/
|
|
if ((pin_cmd.flags & SC_PIN_CMD_USE_PINPAD) && !(pin_cmd.flags & SC_PIN_CMD_NEED_PADDING)) {
|
|
if (rv == SC_ERROR_PIN_CODE_INCORRECT && pin_cmd.pin1.tries_left == tries_before_verify) {
|
|
SC_TEST_RET(ctx, SC_LOG_DEBUG_VERBOSE, rv,
|
|
"PIN-pad reader does not support variable-length PIN");
|
|
}
|
|
}
|
|
|
|
LOG_TEST_RET(ctx, rv, "PIN CHV verification error");
|
|
|
|
rv = iasecc_chv_cache_verified(card, &pin_cmd);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_pin_get_policy (struct sc_card *card, struct sc_pin_cmd_data *data, struct iasecc_pin_policy *pin)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_file *save_current_df = NULL, *save_current_ef = NULL;
|
|
struct iasecc_sdo sdo;
|
|
struct sc_path path;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "iasecc_pin_get_policy(card:%p)", card);
|
|
|
|
if (data->pin_type != SC_AC_CHV) {
|
|
sc_log(ctx, "PIN policy only available for CHV type");
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
}
|
|
|
|
if (card->cache.valid && card->cache.current_df) {
|
|
sc_file_dup(&save_current_df, card->cache.current_df);
|
|
if (save_current_df == NULL) {
|
|
rv = SC_ERROR_OUT_OF_MEMORY;
|
|
sc_log(ctx, "Cannot duplicate current DF file");
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
if (card->cache.valid && card->cache.current_ef) {
|
|
sc_file_dup(&save_current_ef, card->cache.current_ef);
|
|
if (save_current_ef == NULL) {
|
|
rv = SC_ERROR_OUT_OF_MEMORY;
|
|
sc_log(ctx, "Cannot duplicate current EF file");
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
if (!(data->pin_reference & IASECC_OBJECT_REF_LOCAL) && card->cache.valid && card->cache.current_df) {
|
|
sc_format_path("3F00", &path);
|
|
path.type = SC_PATH_TYPE_FILE_ID;
|
|
rv = iasecc_select_file(card, &path, NULL);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "Unable to select MF");
|
|
}
|
|
|
|
memset(&sdo, 0, sizeof(sdo));
|
|
sdo.sdo_class = IASECC_SDO_CLASS_CHV;
|
|
|
|
sdo.sdo_ref = data->pin_reference & ~IASECC_OBJECT_REF_LOCAL;
|
|
|
|
sc_log(ctx, "iasecc_pin_get_policy() reference %i", sdo.sdo_ref);
|
|
|
|
rv = iasecc_sdo_get_data(card, &sdo);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "Cannot get SDO PIN data");
|
|
|
|
if (sdo.docp.acls_contact.size == 0) {
|
|
rv = SC_ERROR_INVALID_DATA;
|
|
sc_log(ctx, "Extremely strange ... there is no ACLs");
|
|
goto err;
|
|
}
|
|
|
|
sc_log(ctx,
|
|
"iasecc_pin_get_policy() sdo.docp.size.size %"SC_FORMAT_LEN_SIZE_T"u",
|
|
sdo.docp.size.size);
|
|
|
|
memcpy(pin->scbs, sdo.docp.scbs, sizeof(pin->scbs));
|
|
|
|
pin->min_length = (sdo.data.chv.size_min.value ? *sdo.data.chv.size_min.value : -1);
|
|
pin->max_length = (sdo.data.chv.size_max.value ? *sdo.data.chv.size_max.value : -1);
|
|
pin->tries_maximum = (sdo.docp.tries_maximum.value ? *sdo.docp.tries_maximum.value : -1);
|
|
pin->tries_remaining = (sdo.docp.tries_remaining.value ? *sdo.docp.tries_remaining.value : -1);
|
|
if (sdo.docp.size.value && sdo.docp.size.size <= sizeof(int)) {
|
|
unsigned int n = 0;
|
|
unsigned int i;
|
|
for (i=0; i<sdo.docp.size.size; i++)
|
|
n = (n << 8) + *(sdo.docp.size.value + i);
|
|
pin->stored_length = n;
|
|
} else {
|
|
pin->stored_length = -1;
|
|
}
|
|
|
|
sc_log(ctx, "PIN policy: size max/min %i/%i, tries max/left %i/%i",
|
|
pin->max_length, pin->min_length, pin->tries_maximum, pin->tries_remaining);
|
|
iasecc_sdo_free_fields(card, &sdo);
|
|
|
|
if (save_current_df) {
|
|
sc_log(ctx, "iasecc_pin_get_policy() restore current DF");
|
|
rv = iasecc_select_file(card, &save_current_df->path, NULL);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "Cannot return to saved DF");
|
|
}
|
|
|
|
if (save_current_ef) {
|
|
sc_log(ctx, "iasecc_pin_get_policy() restore current EF");
|
|
rv = iasecc_select_file(card, &save_current_ef->path, NULL);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "Cannot return to saved EF");
|
|
}
|
|
|
|
err:
|
|
sc_file_free(save_current_df);
|
|
sc_file_free(save_current_ef);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_pin_get_info(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_pin_policy policy;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "iasecc_pin_get_info(card:%p)", card);
|
|
|
|
/*
|
|
* Get PIN status first and thereafter update with info from PIN policy, when available.
|
|
* The first one is typically used for the PIN verification status and number of remaining
|
|
* tries, and the second one for the maximum tries. If a field is present in both, the
|
|
* policy takes precedence.
|
|
*/
|
|
rv = iasecc_pin_get_status(card, data, tries_left);
|
|
LOG_TEST_RET(ctx, rv, "Failed to get PIN status");
|
|
|
|
rv = iasecc_pin_get_policy(card, data, &policy);
|
|
LOG_TEST_RET(ctx, rv, "Failed to get PIN policy");
|
|
|
|
/*
|
|
* We only care about the tries_xxx fields in the PIN policy, since the other ones are not
|
|
* commonly expected or used in a SC_PIN_CMD_GET_INFO response. Note that max_tries is
|
|
* always taken from the policy, since it is never expected to be available in status (it
|
|
* is set to -1 when not available in policy).
|
|
*/
|
|
data->pin1.max_tries = policy.tries_maximum;
|
|
if (policy.tries_remaining >= 0)
|
|
data->pin1.tries_left = policy.tries_remaining;
|
|
|
|
if (tries_left)
|
|
*tries_left = data->pin1.tries_left;
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
/*
|
|
* Check PIN and update flags. We reject empty PINs (where data is non-NULL but length is 0) due
|
|
* to their non-obvious meaning in verification/change/unblock. We also need to update the
|
|
* SC_PIN_CMD_USE_PINPAD flag depending on the PIN being available or not (where data is NULL means
|
|
* that PIN is not available). Unfortunately we can not rely on the flag provided by the caller due
|
|
* to its ambiguous use. The approach here is to assume pin-pad input when the PIN data is NULL,
|
|
* otherwise not.
|
|
*/
|
|
static int iasecc_check_update_pin(struct sc_pin_cmd_data *data, struct sc_pin_cmd_pin *pin)
|
|
{
|
|
if ((!pin->data && pin->len) || (pin->data && !pin->len))
|
|
return SC_ERROR_INVALID_ARGUMENTS;
|
|
|
|
if (pin->data)
|
|
data->flags &= ~SC_PIN_CMD_USE_PINPAD;
|
|
else
|
|
data->flags |= SC_PIN_CMD_USE_PINPAD;
|
|
|
|
return SC_SUCCESS;
|
|
}
|
|
|
|
|
|
/* Enable PIN padding with 0xff as the padding character, unless already enabled */
|
|
static void iasecc_set_pin_padding(struct sc_pin_cmd_data *data, struct sc_pin_cmd_pin *pin,
|
|
size_t pad_len)
|
|
{
|
|
if (data->flags & SC_PIN_CMD_NEED_PADDING)
|
|
return;
|
|
|
|
pin->pad_length = pad_len;
|
|
pin->pad_char = 0xff;
|
|
data->flags |= SC_PIN_CMD_NEED_PADDING;
|
|
}
|
|
|
|
|
|
/*
|
|
* Retrieve the PIN policy and combine it with the existing fields in an intelligent way. This is
|
|
* needed since we may be called with existing settings, typically from the PKCS #15 layer. We use
|
|
* the IAS-ECC card-level PIN settings as complementary.
|
|
*/
|
|
static int
|
|
iasecc_pin_merge_policy(struct sc_card *card, struct sc_pin_cmd_data *data,
|
|
struct sc_pin_cmd_pin *pin, struct iasecc_pin_policy *policy)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
size_t pad_len = 0;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "iasecc_pin_merge_policy(card:%p)", card);
|
|
|
|
rv = iasecc_check_update_pin(data, pin);
|
|
LOG_TEST_RET(ctx, rv, "Invalid PIN");
|
|
|
|
rv = iasecc_pin_get_policy(card, data, policy);
|
|
LOG_TEST_RET(ctx, rv, "Failed to get PIN policy");
|
|
|
|
/* Some cards obviously use the min/max length fields to signal PIN padding */
|
|
if (policy->min_length > 0 && policy->min_length == policy->max_length) {
|
|
pad_len = policy->min_length;
|
|
policy->min_length = 0;
|
|
}
|
|
|
|
/* Take the most limited values of min/max lengths */
|
|
if (policy->min_length > 0 && (size_t) policy->min_length > pin->min_length)
|
|
pin->min_length = policy->min_length;
|
|
if (policy->max_length > 0 && (!pin->max_length || (size_t) policy->max_length < pin->max_length))
|
|
pin->max_length = policy->max_length;
|
|
|
|
/* Set PIN padding if needed and not already set by the caller */
|
|
if (pad_len)
|
|
iasecc_set_pin_padding(data, pin, pad_len);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_keyset_change(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_sdo_update update;
|
|
struct iasecc_sdo sdo;
|
|
unsigned scb;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "Change keyset(ref:%i,lengths:%i)", data->pin_reference, data->pin2.len);
|
|
if (!data->pin2.data || data->pin2.len < 32)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Needs at least 32 bytes for a new keyset value");
|
|
|
|
memset(&sdo, 0, sizeof(sdo));
|
|
sdo.sdo_class = IASECC_SDO_CLASS_KEYSET;
|
|
sdo.sdo_ref = data->pin_reference;
|
|
|
|
rv = iasecc_sdo_get_data(card, &sdo);
|
|
LOG_TEST_RET(ctx, rv, "Cannot get keyset data");
|
|
|
|
if (sdo.docp.acls_contact.size == 0)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Bewildered ... there are no ACLs");
|
|
scb = sdo.docp.scbs[IASECC_ACLS_KEYSET_PUT_DATA];
|
|
iasecc_sdo_free_fields(card, &sdo);
|
|
|
|
sc_log(ctx, "SCB:0x%X", scb);
|
|
if (!(scb & IASECC_SCB_METHOD_SM))
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Other then protected by SM, the keyset change is not supported");
|
|
|
|
memset(&update, 0, sizeof(update));
|
|
update.magic = SC_CARDCTL_IASECC_SDO_MAGIC_PUT_DATA;
|
|
update.sdo_class = sdo.sdo_class;
|
|
update.sdo_ref = sdo.sdo_ref;
|
|
|
|
update.fields[0].parent_tag = IASECC_SDO_KEYSET_TAG;
|
|
update.fields[0].tag = IASECC_SDO_KEYSET_TAG_MAC;
|
|
/* FIXME is it safe to modify the const value here? */
|
|
update.fields[0].value = (unsigned char *) data->pin2.data;
|
|
update.fields[0].size = 16;
|
|
|
|
update.fields[1].parent_tag = IASECC_SDO_KEYSET_TAG;
|
|
update.fields[1].tag = IASECC_SDO_KEYSET_TAG_ENC;
|
|
/* FIXME is it safe to modify the const value here? */
|
|
update.fields[1].value = (unsigned char *) data->pin2.data + 16;
|
|
update.fields[1].size = 16;
|
|
|
|
rv = iasecc_sm_sdo_update(card, (scb & IASECC_SCB_METHOD_MASK_REF), &update);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
/*
|
|
* The PIN change function can handle different PIN-pad input combinations for the old and new
|
|
* PINs:
|
|
* OLD PIN: NEW PIN: DESCRIPTION:
|
|
* Available Available No input.
|
|
* Available Absent Only new PIN is input.
|
|
* Absent Available Both PINs are input (due to limitations in IAS-ECC)
|
|
* Absent Absent Both PINs are input.
|
|
*/
|
|
static int
|
|
iasecc_pin_change(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_pin_cmd_data pin_cmd;
|
|
struct iasecc_pin_policy policy;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "Change PIN(ref:%i,type:0x%X,lengths:%i/%i)",
|
|
data->pin_reference, data->pin_type, data->pin1.len, data->pin2.len);
|
|
|
|
if (data->pin_type != SC_AC_CHV) {
|
|
sc_log(ctx, "Can not change non-CHV PINs");
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
|
}
|
|
|
|
/*
|
|
* Verify the original PIN. This would normally not be needed since it is implicitly done
|
|
* by the card when executing a PIN change command. But we must go through our verification
|
|
* function in order to handle secure messaging setup, if enabled for the PIN. The
|
|
* verification is skipped for PIN-pads (which do not work with SM anyway), to avoid the
|
|
* user having to enter the PIN twice.
|
|
*/
|
|
pin_cmd = *data;
|
|
pin_cmd.cmd = SC_PIN_CMD_VERIFY;
|
|
|
|
rv = iasecc_pin_merge_policy(card, &pin_cmd, &pin_cmd.pin1, &policy);
|
|
LOG_TEST_RET(ctx, rv, "Failed to update PIN1 info");
|
|
|
|
if (!(pin_cmd.flags & SC_PIN_CMD_USE_PINPAD)) {
|
|
rv = iasecc_chv_verify(card, &pin_cmd, policy.scbs, tries_left);
|
|
LOG_TEST_RET(ctx, rv, "PIN CHV verification error");
|
|
}
|
|
|
|
/*
|
|
* To keep things simple, assume that we can use the same PIN parameters for the new PIN as
|
|
* for the old one, ignoring the ones specified by the caller, with the exception of the
|
|
* PIN prompt and the PIN data itself. Note that the old PIN is re-verified since the
|
|
* IAS-ECC specification has no implicit verification for the PIN change command. This also
|
|
* forces us to always use PIN-pad for the second PIN if the first one was input on a
|
|
* PIN-pad.
|
|
*/
|
|
pin_cmd.cmd = SC_PIN_CMD_CHANGE;
|
|
pin_cmd.pin2 = pin_cmd.pin1;
|
|
pin_cmd.pin2.prompt = data->pin2.prompt;
|
|
if (pin_cmd.flags & SC_PIN_CMD_USE_PINPAD) {
|
|
pin_cmd.pin2.data = NULL;
|
|
pin_cmd.pin2.len = 0;
|
|
} else {
|
|
pin_cmd.pin2.data = data->pin2.data;
|
|
pin_cmd.pin2.len = data->pin2.len;
|
|
}
|
|
|
|
rv = iasecc_check_update_pin(&pin_cmd, &pin_cmd.pin2);
|
|
LOG_TEST_RET(ctx, rv, "Invalid PIN2");
|
|
|
|
rv = iso_ops->pin_cmd(card, &pin_cmd, tries_left);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
/*
|
|
* The PIN unblock function can handle different PIN-pad input combinations for the PUK and the new
|
|
* PIN:
|
|
* PUK: NEW PIN: DESCRIPTION:
|
|
* Available Available No input.
|
|
* Available Absent Only new PIN is input.
|
|
* Absent Available Only PUK is input.
|
|
* Absent Absent Both PUK and new PIN are input.
|
|
*/
|
|
static int
|
|
iasecc_pin_reset(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned char scb;
|
|
struct sc_pin_cmd_data pin_cmd;
|
|
struct iasecc_pin_policy policy;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "Reset PIN(ref:%i,lengths:%i/%i)", data->pin_reference, data->pin1.len, data->pin2.len);
|
|
|
|
if (data->pin_type != SC_AC_CHV)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Unblock procedure can be used only with the PINs of type CHV");
|
|
|
|
rv = iasecc_pin_get_policy(card, data, &policy);
|
|
LOG_TEST_RET(ctx, rv, "Failed to get PIN policy");
|
|
|
|
scb = policy.scbs[IASECC_ACLS_CHV_RESET];
|
|
do {
|
|
unsigned need_all = scb & IASECC_SCB_METHOD_NEED_ALL ? 1 : 0;
|
|
unsigned char se_num = scb & IASECC_SCB_METHOD_MASK_REF;
|
|
|
|
if (scb & IASECC_SCB_METHOD_USER_AUTH) {
|
|
pin_cmd = *data;
|
|
if (pin_cmd.puk_reference) {
|
|
sc_log(ctx, "Verify PIN with CHV %X", pin_cmd.puk_reference);
|
|
pin_cmd.pin_type = SC_AC_CHV;
|
|
pin_cmd.pin_reference = pin_cmd.puk_reference;
|
|
} else {
|
|
sc_log(ctx, "Verify PIN in SE %X", se_num);
|
|
pin_cmd.pin_type = SC_AC_SEN;
|
|
pin_cmd.pin_reference = se_num;
|
|
}
|
|
rv = iasecc_pin_verify(card, &pin_cmd, tries_left);
|
|
LOG_TEST_RET(ctx, rv, "iasecc_pin_reset() verify PUK error");
|
|
|
|
if (!need_all)
|
|
break;
|
|
}
|
|
|
|
if (scb & IASECC_SCB_METHOD_SM) {
|
|
rv = iasecc_sm_pin_reset(card, se_num, data);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
if (scb & IASECC_SCB_METHOD_EXT_AUTH) {
|
|
rv = iasecc_sm_external_authentication(card, data->pin_reference, tries_left);
|
|
LOG_TEST_RET(ctx, rv, "iasecc_pin_reset() external authentication error");
|
|
}
|
|
} while(0);
|
|
|
|
/* Use iso 7816 layer for unblock, with implicit pin for PIN1 and the new PIN for PIN2 */
|
|
pin_cmd = *data;
|
|
pin_cmd.cmd = SC_PIN_CMD_UNBLOCK;
|
|
pin_cmd.flags |= SC_PIN_CMD_IMPLICIT_CHANGE;
|
|
pin_cmd.pin1.len = 0;
|
|
|
|
rv = iasecc_pin_merge_policy(card, &pin_cmd, &pin_cmd.pin2, &policy);
|
|
LOG_TEST_RET(ctx, rv, "Failed to update PIN2 info");
|
|
|
|
rv = iso_ops->pin_cmd(card, &pin_cmd, tries_left);
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_pin_cmd(struct sc_card *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx, "iasecc_pin_cmd() cmd 0x%X, PIN type 0x%X, PIN reference %i, PIN-1 %p:%i, PIN-2 %p:%i",
|
|
data->cmd, data->pin_type, data->pin_reference,
|
|
data->pin1.data, data->pin1.len, data->pin2.data, data->pin2.len);
|
|
|
|
switch (data->cmd) {
|
|
case SC_PIN_CMD_VERIFY:
|
|
rv = iasecc_pin_verify(card, data, tries_left);
|
|
break;
|
|
case SC_PIN_CMD_CHANGE:
|
|
if (data->pin_type == SC_AC_AUT)
|
|
rv = iasecc_keyset_change(card, data, tries_left);
|
|
else
|
|
rv = iasecc_pin_change(card, data, tries_left);
|
|
break;
|
|
case SC_PIN_CMD_UNBLOCK:
|
|
rv = iasecc_pin_reset(card, data, tries_left);
|
|
break;
|
|
case SC_PIN_CMD_GET_INFO:
|
|
rv = iasecc_pin_get_info(card, data, tries_left);
|
|
break;
|
|
default:
|
|
sc_log(ctx, "Other pin commands not supported yet: 0x%X", data->cmd);
|
|
rv = SC_ERROR_NOT_SUPPORTED;
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_get_serialnr(struct sc_card *card, struct sc_serial_number *serial)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_iin *iin = &card->serialnr.iin;
|
|
struct sc_apdu apdu;
|
|
unsigned char rbuf[0xC0];
|
|
size_t ii, offs, len;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (card->serialnr.len)
|
|
goto end;
|
|
|
|
memset(&card->serialnr, 0, sizeof(card->serialnr));
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xB0, 0x80 | IASECC_SFI_EF_SN, 0);
|
|
apdu.le = sizeof(rbuf);
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = sizeof(rbuf);
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "Get 'serial number' data failed");
|
|
|
|
if (apdu.resplen < 2 || rbuf[0] != ISO7812_PAN_SN_TAG || rbuf[1] > (apdu.resplen-2))
|
|
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "serial number parse error");
|
|
len = rbuf[1];
|
|
|
|
iin->mii = (rbuf[2] >> 4) & 0x0F;
|
|
|
|
iin->country = 0;
|
|
for (ii=5; ii<8; ii++) {
|
|
iin->country *= 10;
|
|
iin->country += (rbuf[ii/2] >> ((ii & 0x01) ? 0 : 4)) & 0x0F;
|
|
}
|
|
|
|
iin->issuer_id = 0;
|
|
for (ii=8; ii<10; ii++) {
|
|
iin->issuer_id *= 10;
|
|
iin->issuer_id += (rbuf[ii/2] >> (ii & 0x01 ? 0 : 4)) & 0x0F;
|
|
}
|
|
|
|
/* Copy the serial number from the last 8 bytes (at most) */
|
|
offs = len > 8 ? len - 8 : 0;
|
|
if (card->type == SC_CARD_TYPE_IASECC_SAGEM) {
|
|
/* 5A 0A 92 50 00 20 10 10 25 00 01 3F */
|
|
/* 00 02 01 01 02 50 00 13 */
|
|
for (ii=0; ii < len - offs; ii++)
|
|
*(card->serialnr.value + ii) = ((rbuf[ii + offs + 1] & 0x0F) << 4)
|
|
+ ((rbuf[ii + offs + 2] & 0xF0) >> 4) ;
|
|
card->serialnr.len = ii;
|
|
}
|
|
else {
|
|
for (ii=0; ii < len - offs; ii++)
|
|
*(card->serialnr.value + ii) = rbuf[ii + offs + 2];
|
|
card->serialnr.len = ii;
|
|
}
|
|
|
|
do {
|
|
char txt[0x200];
|
|
|
|
for (ii=0;ii<card->serialnr.len;ii++)
|
|
sprintf(txt + ii*2, "%02X", *(card->serialnr.value + ii));
|
|
|
|
sc_log(ctx, "serial number '%s'; mii %i; country %i; issuer_id %li", txt, iin->mii, iin->country, iin->issuer_id);
|
|
} while(0);
|
|
|
|
end:
|
|
if (serial)
|
|
memcpy(serial, &card->serialnr, sizeof(*serial));
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_sdo_create(struct sc_card *card, struct iasecc_sdo *sdo)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
unsigned char *data = NULL, sdo_class = sdo->sdo_class;
|
|
struct iasecc_sdo_update update;
|
|
struct iasecc_extended_tlv *field = NULL;
|
|
int rv = SC_ERROR_NOT_SUPPORTED, data_len;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (sdo->magic != SC_CARDCTL_IASECC_SDO_MAGIC)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid SDO data");
|
|
|
|
sc_log(ctx, "iasecc_sdo_create(card:%p) %02X%02X%02X", card,
|
|
IASECC_SDO_TAG_HEADER, sdo->sdo_class | 0x80, sdo->sdo_ref);
|
|
|
|
data_len = iasecc_sdo_encode_create(ctx, sdo, &data);
|
|
LOG_TEST_RET(ctx, data_len, "iasecc_sdo_create() cannot encode SDO create data");
|
|
sc_log(ctx, "iasecc_sdo_create() create data(%i):%s", data_len, sc_dump_hex(data, data_len));
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xDB, 0x3F, 0xFF);
|
|
apdu.data = data;
|
|
apdu.datalen = data_len;
|
|
apdu.lc = data_len;
|
|
apdu.flags |= SC_APDU_FLAGS_CHAINING;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "iasecc_sdo_create() SDO put data error");
|
|
|
|
memset(&update, 0, sizeof(update));
|
|
update.magic = SC_CARDCTL_IASECC_SDO_MAGIC_PUT_DATA;
|
|
update.sdo_class = sdo->sdo_class;
|
|
update.sdo_ref = sdo->sdo_ref;
|
|
|
|
if (sdo_class == IASECC_SDO_CLASS_RSA_PRIVATE) {
|
|
update.fields[0] = sdo->data.prv_key.compulsory;
|
|
update.fields[0].parent_tag = IASECC_SDO_PRVKEY_TAG;
|
|
field = &sdo->data.prv_key.compulsory;
|
|
}
|
|
else if (sdo_class == IASECC_SDO_CLASS_RSA_PUBLIC) {
|
|
update.fields[0] = sdo->data.pub_key.compulsory;
|
|
update.fields[0].parent_tag = IASECC_SDO_PUBKEY_TAG;
|
|
field = &sdo->data.pub_key.compulsory;
|
|
}
|
|
else if (sdo_class == IASECC_SDO_CLASS_KEYSET) {
|
|
update.fields[0] = sdo->data.keyset.compulsory;
|
|
update.fields[0].parent_tag = IASECC_SDO_KEYSET_TAG;
|
|
field = &sdo->data.keyset.compulsory;
|
|
}
|
|
|
|
if (update.fields[0].value && !update.fields[0].on_card) {
|
|
rv = iasecc_sdo_put_data(card, &update);
|
|
LOG_TEST_RET(ctx, rv, "failed to update 'Compulsory usage' data");
|
|
|
|
if (field)
|
|
field->on_card = 1;
|
|
}
|
|
|
|
free(data);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
/* Oberthur's specific */
|
|
static int
|
|
iasecc_sdo_delete(struct sc_card *card, struct iasecc_sdo *sdo)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
unsigned char data[6] = {
|
|
0x70, 0x04, 0xBF, 0xFF, 0xFF, 0x00
|
|
};
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (sdo->magic != SC_CARDCTL_IASECC_SDO_MAGIC)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid SDO data");
|
|
|
|
data[2] = IASECC_SDO_TAG_HEADER;
|
|
data[3] = sdo->sdo_class | 0x80;
|
|
data[4] = sdo->sdo_ref;
|
|
sc_log(ctx, "delete SDO %02X%02X%02X", data[2], data[3], data[4]);
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xDB, 0x3F, 0xFF);
|
|
apdu.data = data;
|
|
apdu.datalen = sizeof(data);
|
|
apdu.lc = sizeof(data);
|
|
apdu.flags |= SC_APDU_FLAGS_CHAINING;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "delete SDO error");
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_sdo_put_data(struct sc_card *card, struct iasecc_sdo_update *update)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
int ii, rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (update->magic != SC_CARDCTL_IASECC_SDO_MAGIC_PUT_DATA)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid SDO update data");
|
|
|
|
for(ii=0; update->fields[ii].tag && ii < IASECC_SDO_TAGS_UPDATE_MAX; ii++) {
|
|
unsigned char *encoded = NULL;
|
|
int encoded_len;
|
|
|
|
encoded_len = iasecc_sdo_encode_update_field(ctx, update->sdo_class, update->sdo_ref,
|
|
&update->fields[ii], &encoded);
|
|
sc_log(ctx, "iasecc_sdo_put_data() encode[%i]; tag %X; encoded_len %i", ii, update->fields[ii].tag, encoded_len);
|
|
LOG_TEST_RET(ctx, encoded_len, "Cannot encode update data");
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0xDB, 0x3F, 0xFF);
|
|
apdu.data = encoded;
|
|
apdu.datalen = encoded_len;
|
|
apdu.lc = encoded_len;
|
|
apdu.flags |= SC_APDU_FLAGS_CHAINING;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "SDO put data error");
|
|
|
|
free(encoded);
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_sdo_key_rsa_put_data(struct sc_card *card, struct iasecc_sdo_rsa_update *update)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
unsigned char scb;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (update->sdo_prv_key) {
|
|
sc_log(ctx, "encode private rsa in %p", &update->update_prv);
|
|
rv = iasecc_sdo_encode_rsa_update(card->ctx, update->sdo_prv_key, update->p15_rsa, &update->update_prv);
|
|
LOG_TEST_RET(ctx, rv, "failed to encode update of RSA private key");
|
|
}
|
|
|
|
if (update->sdo_pub_key) {
|
|
sc_log(ctx, "encode public rsa in %p", &update->update_pub);
|
|
if (card->type == SC_CARD_TYPE_IASECC_SAGEM) {
|
|
if (update->sdo_pub_key->data.pub_key.cha.value) {
|
|
free(update->sdo_pub_key->data.pub_key.cha.value);
|
|
memset(&update->sdo_pub_key->data.pub_key.cha, 0, sizeof(update->sdo_pub_key->data.pub_key.cha));
|
|
}
|
|
}
|
|
rv = iasecc_sdo_encode_rsa_update(card->ctx, update->sdo_pub_key, update->p15_rsa, &update->update_pub);
|
|
LOG_TEST_RET(ctx, rv, "failed to encode update of RSA public key");
|
|
}
|
|
|
|
if (update->sdo_prv_key) {
|
|
sc_log(ctx, "reference of the private key to store: %X", update->sdo_prv_key->sdo_ref);
|
|
|
|
if (update->sdo_prv_key->docp.acls_contact.size == 0)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "extremely strange ... there are no ACLs");
|
|
|
|
scb = update->sdo_prv_key->docp.scbs[IASECC_ACLS_RSAKEY_PUT_DATA];
|
|
sc_log(ctx, "'UPDATE PRIVATE RSA' scb 0x%X", scb);
|
|
|
|
do {
|
|
unsigned all_conditions = scb & IASECC_SCB_METHOD_NEED_ALL ? 1 : 0;
|
|
|
|
if ((scb & IASECC_SCB_METHOD_USER_AUTH) && !all_conditions)
|
|
break;
|
|
|
|
if (scb & IASECC_SCB_METHOD_EXT_AUTH)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Not yet");
|
|
|
|
if (scb & IASECC_SCB_METHOD_SM) {
|
|
#ifdef ENABLE_SM
|
|
rv = iasecc_sm_rsa_update(card, scb & IASECC_SCB_METHOD_MASK_REF, update);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
#else
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "built without support of Secure-Messaging");
|
|
#endif
|
|
}
|
|
} while(0);
|
|
|
|
rv = iasecc_sdo_put_data(card, &update->update_prv);
|
|
LOG_TEST_RET(ctx, rv, "failed to update of RSA private key");
|
|
}
|
|
|
|
if (update->sdo_pub_key) {
|
|
sc_log(ctx, "reference of the public key to store: %X", update->sdo_pub_key->sdo_ref);
|
|
|
|
rv = iasecc_sdo_put_data(card, &update->update_pub);
|
|
LOG_TEST_RET(ctx, rv, "failed to update of RSA public key");
|
|
}
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_sdo_tag_from_class(unsigned sdo_class)
|
|
{
|
|
switch (sdo_class & ~IASECC_OBJECT_REF_LOCAL) {
|
|
case IASECC_SDO_CLASS_CHV:
|
|
return IASECC_SDO_CHV_TAG;
|
|
case IASECC_SDO_CLASS_RSA_PRIVATE:
|
|
return IASECC_SDO_PRVKEY_TAG;
|
|
case IASECC_SDO_CLASS_RSA_PUBLIC:
|
|
return IASECC_SDO_PUBKEY_TAG;
|
|
case IASECC_SDO_CLASS_SE:
|
|
return IASECC_SDO_CLASS_SE;
|
|
case IASECC_SDO_CLASS_KEYSET:
|
|
return IASECC_SDO_KEYSET_TAG;
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_sdo_get_tagged_data(struct sc_card *card, int sdo_tag, struct iasecc_sdo *sdo)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
unsigned char sbuf[0x100];
|
|
size_t offs = sizeof(sbuf) - 1;
|
|
unsigned char rbuf[0x400];
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
sbuf[offs--] = 0x80;
|
|
sbuf[offs--] = sdo_tag & 0xFF;
|
|
if ((sdo_tag >> 8) & 0xFF)
|
|
sbuf[offs--] = (sdo_tag >> 8) & 0xFF;
|
|
sbuf[offs] = sizeof(sbuf) - offs - 1;
|
|
offs--;
|
|
|
|
sbuf[offs--] = sdo->sdo_ref & 0x9F;
|
|
sbuf[offs--] = sdo->sdo_class | IASECC_OBJECT_REF_LOCAL;
|
|
sbuf[offs--] = IASECC_SDO_TAG_HEADER;
|
|
|
|
sbuf[offs] = sizeof(sbuf) - offs - 1;
|
|
offs--;
|
|
sbuf[offs--] = IASECC_SDO_TEMPLATE_TAG;
|
|
|
|
sbuf[offs] = sizeof(sbuf) - offs - 1;
|
|
offs--;
|
|
sbuf[offs] = 0x4D;
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0xCB, 0x3F, 0xFF);
|
|
apdu.data = sbuf + offs;
|
|
apdu.datalen = sizeof(sbuf) - offs;
|
|
apdu.lc = sizeof(sbuf) - offs;
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = sizeof(rbuf);
|
|
apdu.le = 0x100;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "SDO get data error");
|
|
|
|
rv = iasecc_sdo_parse(card, apdu.resp, apdu.resplen, sdo);
|
|
LOG_TEST_RET(ctx, rv, "cannot parse SDO data");
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_sdo_get_data(struct sc_card *card, struct iasecc_sdo *sdo)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
int rv, sdo_tag;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
sdo_tag = iasecc_sdo_tag_from_class(sdo->sdo_class);
|
|
|
|
rv = iasecc_sdo_get_tagged_data(card, sdo_tag, sdo);
|
|
/* When there is no public data 'GET DATA' returns error */
|
|
if (rv != SC_ERROR_INCORRECT_PARAMETERS)
|
|
LOG_TEST_RET(ctx, rv, "cannot parse ECC SDO data");
|
|
|
|
rv = iasecc_sdo_get_tagged_data(card, IASECC_DOCP_TAG, sdo);
|
|
LOG_TEST_RET(ctx, rv, "cannot parse ECC DOCP data");
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_sdo_generate(struct sc_card *card, struct iasecc_sdo *sdo)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_sdo_update update_pubkey;
|
|
struct sc_apdu apdu;
|
|
unsigned char scb, sbuf[5], rbuf[0x400], exponent[3] = {0x01, 0x00, 0x01};
|
|
int offs = 0, rv = SC_ERROR_NOT_SUPPORTED;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (sdo->sdo_class != IASECC_SDO_CLASS_RSA_PRIVATE)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "For a moment, only RSA_PRIVATE class can be accepted for the SDO generation");
|
|
|
|
if (sdo->docp.acls_contact.size == 0)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Bewildered ... there are no ACLs");
|
|
|
|
scb = sdo->docp.scbs[IASECC_ACLS_RSAKEY_GENERATE];
|
|
sc_log(ctx, "'generate RSA key' SCB 0x%X", scb);
|
|
do {
|
|
unsigned all_conditions = scb & IASECC_SCB_METHOD_NEED_ALL ? 1 : 0;
|
|
|
|
if (scb & IASECC_SCB_METHOD_USER_AUTH)
|
|
if (!all_conditions)
|
|
break;
|
|
|
|
if (scb & IASECC_SCB_METHOD_EXT_AUTH)
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Not yet");
|
|
|
|
if (scb & IASECC_SCB_METHOD_SM) {
|
|
rv = iasecc_sm_rsa_generate(card, scb & IASECC_SCB_METHOD_MASK_REF, sdo);
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
} while(0);
|
|
|
|
memset(&update_pubkey, 0, sizeof(update_pubkey));
|
|
update_pubkey.magic = SC_CARDCTL_IASECC_SDO_MAGIC_PUT_DATA;
|
|
update_pubkey.sdo_class = IASECC_SDO_CLASS_RSA_PUBLIC;
|
|
update_pubkey.sdo_ref = sdo->sdo_ref;
|
|
|
|
update_pubkey.fields[0].parent_tag = IASECC_SDO_PUBKEY_TAG;
|
|
update_pubkey.fields[0].tag = IASECC_SDO_PUBKEY_TAG_E;
|
|
update_pubkey.fields[0].value = exponent;
|
|
update_pubkey.fields[0].size = sizeof(exponent);
|
|
|
|
rv = iasecc_sdo_put_data(card, &update_pubkey);
|
|
LOG_TEST_RET(ctx, rv, "iasecc_sdo_generate() update SDO public key failed");
|
|
|
|
offs = 0;
|
|
sbuf[offs++] = IASECC_SDO_TEMPLATE_TAG;
|
|
sbuf[offs++] = 0x03;
|
|
sbuf[offs++] = IASECC_SDO_TAG_HEADER;
|
|
sbuf[offs++] = IASECC_SDO_CLASS_RSA_PRIVATE | IASECC_OBJECT_REF_LOCAL;
|
|
sbuf[offs++] = sdo->sdo_ref & ~IASECC_OBJECT_REF_LOCAL;
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x47, 0x00, 0x00);
|
|
apdu.data = sbuf;
|
|
apdu.datalen = offs;
|
|
apdu.lc = offs;
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = sizeof(rbuf);
|
|
apdu.le = 0x100;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "SDO get data error");
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_get_chv_reference_from_se(struct sc_card *card, int *se_reference)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_se_info se;
|
|
struct sc_crt crt;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (!se_reference)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Invalid arguments");
|
|
|
|
memset(&se, 0, sizeof(se));
|
|
se.reference = *se_reference;
|
|
|
|
rv = iasecc_se_get_info(card, &se);
|
|
LOG_TEST_RET(ctx, rv, "get SE info error");
|
|
|
|
memset(&crt, 0, sizeof(crt));
|
|
crt.tag = IASECC_CRT_TAG_AT;
|
|
crt.usage = IASECC_UQB_AT_USER_PASSWORD;
|
|
|
|
rv = iasecc_se_get_crt(card, &se, &crt);
|
|
LOG_TEST_RET(ctx, rv, "Cannot get 'USER PASSWORD' authentication template");
|
|
|
|
sc_file_free(se.df);
|
|
LOG_FUNC_RETURN(ctx, crt.refs[0]);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_card_ctl(struct sc_card *card, unsigned long cmd, void *ptr)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_sdo *sdo = (struct iasecc_sdo *) ptr;
|
|
|
|
switch (cmd) {
|
|
case SC_CARDCTL_GET_SERIALNR:
|
|
return iasecc_get_serialnr(card, (struct sc_serial_number *)ptr);
|
|
case SC_CARDCTL_IASECC_SDO_CREATE:
|
|
sc_log(ctx, "CMD SC_CARDCTL_IASECC_SDO_CREATE: sdo_class %X", sdo->sdo_class);
|
|
return iasecc_sdo_create(card, (struct iasecc_sdo *) ptr);
|
|
case SC_CARDCTL_IASECC_SDO_DELETE:
|
|
sc_log(ctx, "CMD SC_CARDCTL_IASECC_SDO_DELETE: sdo_class %X", sdo->sdo_class);
|
|
return iasecc_sdo_delete(card, (struct iasecc_sdo *) ptr);
|
|
case SC_CARDCTL_IASECC_SDO_PUT_DATA:
|
|
sc_log(ctx, "CMD SC_CARDCTL_IASECC_SDO_PUT_DATA: sdo_class %X", sdo->sdo_class);
|
|
return iasecc_sdo_put_data(card, (struct iasecc_sdo_update *) ptr);
|
|
case SC_CARDCTL_IASECC_SDO_KEY_RSA_PUT_DATA:
|
|
sc_log(ctx, "CMD SC_CARDCTL_IASECC_SDO_KEY_RSA_PUT_DATA");
|
|
return iasecc_sdo_key_rsa_put_data(card, (struct iasecc_sdo_rsa_update *) ptr);
|
|
case SC_CARDCTL_IASECC_SDO_GET_DATA:
|
|
sc_log(ctx, "CMD SC_CARDCTL_IASECC_SDO_GET_DATA: sdo_class %X", sdo->sdo_class);
|
|
return iasecc_sdo_get_data(card, (struct iasecc_sdo *) ptr);
|
|
case SC_CARDCTL_IASECC_SDO_GENERATE:
|
|
sc_log(ctx, "CMD SC_CARDCTL_IASECC_SDO_GET_DATA: sdo_class %X", sdo->sdo_class);
|
|
return iasecc_sdo_generate(card, (struct iasecc_sdo *) ptr);
|
|
case SC_CARDCTL_GET_SE_INFO:
|
|
sc_log(ctx, "CMD SC_CARDCTL_GET_SE_INFO: sdo_class %X", sdo->sdo_class);
|
|
return iasecc_se_get_info(card, (struct iasecc_se_info *) ptr);
|
|
case SC_CARDCTL_GET_CHV_REFERENCE_IN_SE:
|
|
sc_log(ctx, "CMD SC_CARDCTL_GET_CHV_REFERENCE_IN_SE");
|
|
return iasecc_get_chv_reference_from_se(card, (int *)ptr);
|
|
case SC_CARDCTL_IASECC_GET_FREE_KEY_REFERENCE:
|
|
sc_log(ctx, "CMD SC_CARDCTL_IASECC_GET_FREE_KEY_REFERENCE");
|
|
return iasecc_get_free_reference(card, (struct iasecc_ctl_get_free_reference *)ptr);
|
|
}
|
|
return SC_ERROR_NOT_SUPPORTED;
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_decipher(struct sc_card *card,
|
|
const unsigned char *in, size_t in_len,
|
|
unsigned char *out, size_t out_len)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct sc_apdu apdu;
|
|
unsigned char sbuf[0x200];
|
|
unsigned char resp[SC_MAX_APDU_BUFFER_SIZE];
|
|
size_t offs;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(card->ctx,
|
|
"crgram_len %"SC_FORMAT_LEN_SIZE_T"u; outlen %"SC_FORMAT_LEN_SIZE_T"u",
|
|
in_len, out_len);
|
|
if (!out || !out_len || in_len > SC_MAX_APDU_BUFFER_SIZE)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
|
|
offs = 0;
|
|
sbuf[offs++] = 0x81;
|
|
memcpy(sbuf + offs, in, in_len);
|
|
offs += in_len;
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x80, 0x86);
|
|
apdu.flags |= SC_APDU_FLAGS_CHAINING;
|
|
apdu.data = sbuf;
|
|
apdu.datalen = offs;
|
|
apdu.lc = offs;
|
|
apdu.resp = resp;
|
|
apdu.resplen = sizeof(resp);
|
|
apdu.le = 256;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "Card returned error");
|
|
|
|
if (out_len > apdu.resplen)
|
|
out_len = apdu.resplen;
|
|
|
|
memcpy(out, apdu.resp, out_len);
|
|
rv = out_len;
|
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_qsign_data_sha1(struct sc_context *ctx, const unsigned char *in, size_t in_len,
|
|
struct iasecc_qsign_data *out)
|
|
{
|
|
SHA_CTX sha;
|
|
SHA_LONG pre_hash_Nl, *hh[5] = {
|
|
&sha.h0, &sha.h1, &sha.h2, &sha.h3, &sha.h4
|
|
};
|
|
int jj, ii;
|
|
int hh_size = sizeof(SHA_LONG), hh_num = SHA_DIGEST_LENGTH / sizeof(SHA_LONG);
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if (!in || !in_len || !out)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
|
|
sc_log(ctx,
|
|
"sc_pkcs15_get_qsign_data() input data length %"SC_FORMAT_LEN_SIZE_T"u",
|
|
in_len);
|
|
memset(out, 0, sizeof(struct iasecc_qsign_data));
|
|
|
|
SHA1_Init(&sha);
|
|
SHA1_Update(&sha, in, in_len);
|
|
|
|
for (jj=0; jj<hh_num; jj++)
|
|
for(ii=0; ii<hh_size; ii++)
|
|
out->pre_hash[jj*hh_size + ii] = ((*hh[jj] >> 8*(hh_size-1-ii)) & 0xFF);
|
|
out->pre_hash_size = SHA_DIGEST_LENGTH;
|
|
sc_log(ctx, "Pre SHA1:%s", sc_dump_hex(out->pre_hash, out->pre_hash_size));
|
|
|
|
pre_hash_Nl = sha.Nl - (sha.Nl % (sizeof(sha.data) * 8));
|
|
for (ii=0; ii<hh_size; ii++) {
|
|
out->counter[ii] = (sha.Nh >> 8*(hh_size-1-ii)) &0xFF;
|
|
out->counter[hh_size+ii] = (pre_hash_Nl >> 8*(hh_size-1-ii)) &0xFF;
|
|
}
|
|
for (ii=0, out->counter_long=0; ii<(int)sizeof(out->counter); ii++)
|
|
out->counter_long = out->counter_long*0x100 + out->counter[ii];
|
|
sc_log(ctx, "Pre counter(%li):%s", out->counter_long, sc_dump_hex(out->counter, sizeof(out->counter)));
|
|
|
|
if (sha.num) {
|
|
memcpy(out->last_block, in + in_len - sha.num, sha.num);
|
|
out->last_block_size = sha.num;
|
|
sc_log(ctx, "Last block(%"SC_FORMAT_LEN_SIZE_T"u):%s",
|
|
out->last_block_size,
|
|
sc_dump_hex(out->last_block, out->last_block_size));
|
|
}
|
|
|
|
SHA1_Final(out->hash, &sha);
|
|
out->hash_size = SHA_DIGEST_LENGTH;
|
|
sc_log(ctx, "Expected digest %s\n", sc_dump_hex(out->hash, out->hash_size));
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_qsign_data_sha256(struct sc_context *ctx, const unsigned char *in, size_t in_len,
|
|
struct iasecc_qsign_data *out)
|
|
{
|
|
SHA256_CTX sha256;
|
|
SHA_LONG pre_hash_Nl;
|
|
int jj, ii;
|
|
int hh_size = sizeof(SHA_LONG), hh_num = SHA256_DIGEST_LENGTH / sizeof(SHA_LONG);
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (!in || !in_len || !out)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
|
|
sc_log(ctx,
|
|
"sc_pkcs15_get_qsign_data() input data length %"SC_FORMAT_LEN_SIZE_T"u",
|
|
in_len);
|
|
memset(out, 0, sizeof(struct iasecc_qsign_data));
|
|
|
|
SHA256_Init(&sha256);
|
|
SHA256_Update(&sha256, in, in_len);
|
|
|
|
for (jj=0; jj<hh_num; jj++)
|
|
for(ii=0; ii<hh_size; ii++)
|
|
out->pre_hash[jj*hh_size + ii] = ((sha256.h[jj] >> 8*(hh_size-1-ii)) & 0xFF);
|
|
out->pre_hash_size = SHA256_DIGEST_LENGTH;
|
|
sc_log(ctx, "Pre hash:%s", sc_dump_hex(out->pre_hash, out->pre_hash_size));
|
|
|
|
pre_hash_Nl = sha256.Nl - (sha256.Nl % (sizeof(sha256.data) * 8));
|
|
for (ii=0; ii<hh_size; ii++) {
|
|
out->counter[ii] = (sha256.Nh >> 8*(hh_size-1-ii)) &0xFF;
|
|
out->counter[hh_size+ii] = (pre_hash_Nl >> 8*(hh_size-1-ii)) &0xFF;
|
|
}
|
|
for (ii=0, out->counter_long=0; ii<(int)sizeof(out->counter); ii++)
|
|
out->counter_long = out->counter_long*0x100 + out->counter[ii];
|
|
sc_log(ctx, "Pre counter(%li):%s", out->counter_long, sc_dump_hex(out->counter, sizeof(out->counter)));
|
|
|
|
if (sha256.num) {
|
|
memcpy(out->last_block, in + in_len - sha256.num, sha256.num);
|
|
out->last_block_size = sha256.num;
|
|
sc_log(ctx, "Last block(%"SC_FORMAT_LEN_SIZE_T"u):%s",
|
|
out->last_block_size,
|
|
sc_dump_hex(out->last_block, out->last_block_size));
|
|
}
|
|
|
|
SHA256_Final(out->hash, &sha256);
|
|
out->hash_size = SHA256_DIGEST_LENGTH;
|
|
sc_log(ctx, "Expected digest %s\n", sc_dump_hex(out->hash, out->hash_size));
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_compute_signature_dst(struct sc_card *card,
|
|
const unsigned char *in, size_t in_len, unsigned char *out, size_t out_len)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_private_data *prv = (struct iasecc_private_data *) card->drv_data;
|
|
struct sc_security_env *env = &prv->security_env;
|
|
struct iasecc_qsign_data qsign_data;
|
|
struct sc_apdu apdu;
|
|
size_t offs = 0, hash_len = 0;
|
|
unsigned char sbuf[SC_MAX_APDU_BUFFER_SIZE];
|
|
unsigned char rbuf[SC_MAX_APDU_BUFFER_SIZE];
|
|
int rv = SC_SUCCESS;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx,
|
|
"iasecc_compute_signature_dst() input length %"SC_FORMAT_LEN_SIZE_T"u",
|
|
in_len);
|
|
if (env->operation != SC_SEC_OPERATION_SIGN)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "It's not SC_SEC_OPERATION_SIGN");
|
|
else if (!(prv->key_size & 0x1E0) || (prv->key_size & ~0x1E0))
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Invalid key size for SC_SEC_OPERATION_SIGN");
|
|
|
|
memset(&qsign_data, 0, sizeof(qsign_data));
|
|
if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA1) {
|
|
rv = iasecc_qsign_data_sha1(card->ctx, in, in_len, &qsign_data);
|
|
}
|
|
else if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA256) {
|
|
rv = iasecc_qsign_data_sha256(card->ctx, in, in_len, &qsign_data);
|
|
}
|
|
else
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Need RSA_HASH_SHA1 or RSA_HASH_SHA256 algorithm");
|
|
LOG_TEST_RET(ctx, rv, "Cannot get QSign data");
|
|
|
|
sc_log(ctx,
|
|
"iasecc_compute_signature_dst() hash_len %"SC_FORMAT_LEN_SIZE_T"u; key_size %"SC_FORMAT_LEN_SIZE_T"u",
|
|
hash_len, prv->key_size);
|
|
|
|
memset(sbuf, 0, sizeof(sbuf));
|
|
sbuf[offs++] = 0x90;
|
|
if (qsign_data.counter_long) {
|
|
sbuf[offs++] = qsign_data.hash_size + 8;
|
|
memcpy(sbuf + offs, qsign_data.pre_hash, qsign_data.pre_hash_size);
|
|
offs += qsign_data.pre_hash_size;
|
|
memcpy(sbuf + offs, qsign_data.counter, sizeof(qsign_data.counter));
|
|
offs += sizeof(qsign_data.counter);
|
|
}
|
|
else {
|
|
sbuf[offs++] = 0;
|
|
}
|
|
|
|
sbuf[offs++] = 0x80;
|
|
sbuf[offs++] = qsign_data.last_block_size;
|
|
memcpy(sbuf + offs, qsign_data.last_block, qsign_data.last_block_size);
|
|
offs += qsign_data.last_block_size;
|
|
|
|
sc_log(ctx,
|
|
"iasecc_compute_signature_dst() offs %"SC_FORMAT_LEN_SIZE_T"u; OP(meth:%X,ref:%X)",
|
|
offs, prv->op_method, prv->op_ref);
|
|
if (prv->op_method == SC_AC_SCB && (prv->op_ref & IASECC_SCB_METHOD_SM))
|
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Not yet");
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x2A, 0x90, 0xA0);
|
|
apdu.data = sbuf;
|
|
apdu.datalen = offs;
|
|
apdu.lc = offs;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "Compute signature failed");
|
|
|
|
sc_log(ctx, "iasecc_compute_signature_dst() partial hash OK");
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0x2A, 0x9E, 0x9A);
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = prv->key_size;
|
|
apdu.le = prv->key_size;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "Compute signature failed");
|
|
|
|
sc_log(ctx,
|
|
"iasecc_compute_signature_dst() DST resplen %"SC_FORMAT_LEN_SIZE_T"u",
|
|
apdu.resplen);
|
|
if (apdu.resplen > out_len)
|
|
LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Result buffer too small for the DST signature");
|
|
|
|
memcpy(out, apdu.resp, apdu.resplen);
|
|
|
|
LOG_FUNC_RETURN(ctx, apdu.resplen);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_compute_signature_at(struct sc_card *card,
|
|
const unsigned char *in, size_t in_len, unsigned char *out, size_t out_len)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_private_data *prv = (struct iasecc_private_data *) card->drv_data;
|
|
struct sc_security_env *env = &prv->security_env;
|
|
struct sc_apdu apdu;
|
|
size_t offs = 0, sz = 0;
|
|
unsigned char rbuf[SC_MAX_APDU_BUFFER_SIZE];
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (env->operation != SC_SEC_OPERATION_AUTHENTICATE)
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "It's not SC_SEC_OPERATION_AUTHENTICATE");
|
|
|
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x88, 0x00, 0x00);
|
|
apdu.datalen = in_len;
|
|
apdu.data = in;
|
|
apdu.lc = in_len;
|
|
apdu.resp = rbuf;
|
|
apdu.resplen = sizeof(rbuf);
|
|
apdu.le = 0x100;
|
|
|
|
rv = sc_transmit_apdu(card, &apdu);
|
|
LOG_TEST_RET(ctx, rv, "APDU transmit failed");
|
|
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
|
LOG_TEST_RET(ctx, rv, "Compute signature failed");
|
|
|
|
do {
|
|
if (offs + apdu.resplen > out_len)
|
|
LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Buffer too small to return signature");
|
|
|
|
memcpy(out + offs, rbuf, apdu.resplen);
|
|
offs += apdu.resplen;
|
|
|
|
if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
|
|
break;
|
|
|
|
if (apdu.sw1 == 0x61) {
|
|
sz = apdu.sw2 == 0x00 ? 0x100 : apdu.sw2;
|
|
rv = iso_ops->get_response(card, &sz, rbuf);
|
|
LOG_TEST_RET(ctx, rv, "Get response error");
|
|
|
|
apdu.resplen = rv;
|
|
}
|
|
else {
|
|
LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Impossible error: SW1 is not 0x90 neither 0x61");
|
|
}
|
|
|
|
} while(rv > 0);
|
|
|
|
LOG_FUNC_RETURN(ctx, offs);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_compute_signature(struct sc_card *card,
|
|
const unsigned char *in, size_t in_len, unsigned char *out, size_t out_len)
|
|
{
|
|
struct sc_context *ctx;
|
|
struct iasecc_private_data *prv;
|
|
struct sc_security_env *env;
|
|
|
|
if (!card || !in || !out)
|
|
return SC_ERROR_INVALID_ARGUMENTS;
|
|
|
|
ctx = card->ctx;
|
|
prv = (struct iasecc_private_data *) card->drv_data;
|
|
env = &prv->security_env;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
sc_log(ctx,
|
|
"inlen %"SC_FORMAT_LEN_SIZE_T"u, outlen %"SC_FORMAT_LEN_SIZE_T"u",
|
|
in_len, out_len);
|
|
|
|
if (env->operation == SC_SEC_OPERATION_SIGN)
|
|
return iasecc_compute_signature_dst(card, in, in_len, out, out_len);
|
|
else if (env->operation == SC_SEC_OPERATION_AUTHENTICATE)
|
|
return iasecc_compute_signature_at(card, in, in_len, out, out_len);
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_read_public_key(struct sc_card *card, unsigned type,
|
|
struct sc_path *key_path, unsigned ref, unsigned size,
|
|
unsigned char **out, size_t *out_len)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_sdo sdo;
|
|
struct sc_pkcs15_bignum bn[2];
|
|
struct sc_pkcs15_pubkey_rsa rsa_key;
|
|
int rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
if (type != SC_ALGORITHM_RSA)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
|
|
|
sc_log(ctx, "read public kay(ref:%i;size:%i)", ref, size);
|
|
|
|
memset(&bn, 0, sizeof bn);
|
|
memset(&sdo, 0, sizeof(sdo));
|
|
sdo.sdo_class = IASECC_SDO_CLASS_RSA_PUBLIC;
|
|
sdo.sdo_ref = ref & ~IASECC_OBJECT_REF_LOCAL;
|
|
|
|
rv = iasecc_sdo_get_data(card, &sdo);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "failed to read public key: cannot get RSA SDO data");
|
|
|
|
if (out)
|
|
*out = NULL;
|
|
if (out_len)
|
|
*out_len = 0;
|
|
|
|
bn[0].data = (unsigned char *) malloc(sdo.data.pub_key.n.size);
|
|
if (!bn[0].data)
|
|
LOG_TEST_GOTO_ERR(ctx, SC_ERROR_OUT_OF_MEMORY, "failed to read public key: cannot allocate modulus");
|
|
bn[0].len = sdo.data.pub_key.n.size;
|
|
memcpy(bn[0].data, sdo.data.pub_key.n.value, sdo.data.pub_key.n.size);
|
|
|
|
bn[1].data = (unsigned char *) malloc(sdo.data.pub_key.e.size);
|
|
if (!bn[1].data)
|
|
LOG_TEST_GOTO_ERR(ctx, SC_ERROR_OUT_OF_MEMORY, "failed to read public key: cannot allocate exponent");
|
|
bn[1].len = sdo.data.pub_key.e.size;
|
|
memcpy(bn[1].data, sdo.data.pub_key.e.value, sdo.data.pub_key.e.size);
|
|
|
|
rsa_key.modulus = bn[0];
|
|
rsa_key.exponent = bn[1];
|
|
|
|
rv = sc_pkcs15_encode_pubkey_rsa(ctx, &rsa_key, out, out_len);
|
|
LOG_TEST_GOTO_ERR(ctx, rv, "failed to read public key: cannot encode RSA public key");
|
|
|
|
if (out && out_len)
|
|
sc_log(ctx, "encoded public key: %s", sc_dump_hex(*out, *out_len));
|
|
|
|
err:
|
|
if (bn[0].data)
|
|
free(bn[0].data);
|
|
if (bn[1].data)
|
|
free(bn[1].data);
|
|
|
|
iasecc_sdo_free_fields(card, &sdo);
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static int
|
|
iasecc_get_free_reference(struct sc_card *card, struct iasecc_ctl_get_free_reference *ctl_data)
|
|
{
|
|
struct sc_context *ctx = card->ctx;
|
|
struct iasecc_sdo *sdo = NULL;
|
|
int idx, rv;
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
if ((ctl_data->key_size % 0x40) || ctl_data->index < 1 || (ctl_data->index > IASECC_OBJECT_REF_MAX))
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
|
|
|
sc_log(ctx, "get reference for key(index:%i,usage:%X,access:%X)", ctl_data->index, ctl_data->usage, ctl_data->access);
|
|
/* TODO: when looking for the slot for the signature keys, check also PSO_SIGNATURE ACL */
|
|
for (idx = ctl_data->index; idx <= IASECC_OBJECT_REF_MAX; idx++) {
|
|
unsigned char sdo_tag[3] = {
|
|
IASECC_SDO_TAG_HEADER, IASECC_OBJECT_REF_LOCAL | IASECC_SDO_CLASS_RSA_PRIVATE, idx
|
|
};
|
|
size_t sz;
|
|
|
|
if (sdo)
|
|
iasecc_sdo_free(card, sdo);
|
|
|
|
rv = iasecc_sdo_allocate_and_parse(card, sdo_tag, 3, &sdo);
|
|
LOG_TEST_RET(ctx, rv, "cannot parse SDO data");
|
|
|
|
rv = iasecc_sdo_get_data(card, sdo);
|
|
if (rv == SC_ERROR_DATA_OBJECT_NOT_FOUND) {
|
|
iasecc_sdo_free(card, sdo);
|
|
|
|
sc_log(ctx, "found empty key slot %i", idx);
|
|
break;
|
|
} else if (rv != SC_SUCCESS) {
|
|
iasecc_sdo_free(card, sdo);
|
|
|
|
sc_log(ctx, "get new key reference failed");
|
|
LOG_FUNC_RETURN(ctx, rv);
|
|
}
|
|
|
|
sz = *(sdo->docp.size.value + 0) * 0x100 + *(sdo->docp.size.value + 1);
|
|
sc_log(ctx,
|
|
"SDO(idx:%i) size %"SC_FORMAT_LEN_SIZE_T"u; key_size %"SC_FORMAT_LEN_SIZE_T"u",
|
|
idx, sz, ctl_data->key_size);
|
|
|
|
if (sz != ctl_data->key_size / 8) {
|
|
sc_log(ctx,
|
|
"key index %i ignored: different key sizes %"SC_FORMAT_LEN_SIZE_T"u/%"SC_FORMAT_LEN_SIZE_T"u",
|
|
idx, sz, ctl_data->key_size / 8);
|
|
continue;
|
|
}
|
|
|
|
if (sdo->docp.non_repudiation.value) {
|
|
sc_log(ctx, "non repudiation flag %X", sdo->docp.non_repudiation.value[0]);
|
|
if ((ctl_data->usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION) && !(*sdo->docp.non_repudiation.value)) {
|
|
sc_log(ctx, "key index %i ignored: need non repudiation", idx);
|
|
continue;
|
|
}
|
|
|
|
if (!(ctl_data->usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION) && *sdo->docp.non_repudiation.value) {
|
|
sc_log(ctx, "key index %i ignored: don't need non-repudiation", idx);
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (ctl_data->access & SC_PKCS15_PRKEY_ACCESS_LOCAL) {
|
|
if (sdo->docp.scbs[IASECC_ACLS_RSAKEY_GENERATE] == IASECC_SCB_NEVER) {
|
|
sc_log(ctx, "key index %i ignored: GENERATE KEY not allowed", idx);
|
|
continue;
|
|
}
|
|
}
|
|
else {
|
|
if (sdo->docp.scbs[IASECC_ACLS_RSAKEY_PUT_DATA] == IASECC_SCB_NEVER) {
|
|
sc_log(ctx, "key index %i ignored: PUT DATA not allowed", idx);
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if ((ctl_data->usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION) && (ctl_data->usage & SC_PKCS15_PRKEY_USAGE_SIGN)) {
|
|
if (sdo->docp.scbs[IASECC_ACLS_RSAKEY_PSO_SIGN] == IASECC_SCB_NEVER) {
|
|
sc_log(ctx, "key index %i ignored: PSO SIGN not allowed", idx);
|
|
continue;
|
|
}
|
|
}
|
|
else if (ctl_data->usage & SC_PKCS15_PRKEY_USAGE_SIGN) {
|
|
if (sdo->docp.scbs[IASECC_ACLS_RSAKEY_INTERNAL_AUTH] == IASECC_SCB_NEVER) {
|
|
sc_log(ctx, "key index %i ignored: INTERNAL AUTHENTICATE not allowed", idx);
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (ctl_data->usage & (SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP)) {
|
|
if (sdo->docp.scbs[IASECC_ACLS_RSAKEY_PSO_DECIPHER] == IASECC_SCB_NEVER) {
|
|
sc_log(ctx, "key index %i ignored: PSO DECIPHER not allowed", idx);
|
|
continue;
|
|
}
|
|
}
|
|
|
|
break;
|
|
}
|
|
|
|
ctl_data->index = idx;
|
|
|
|
if (idx > IASECC_OBJECT_REF_MAX)
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_DATA_OBJECT_NOT_FOUND);
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
}
|
|
|
|
|
|
static struct sc_card_driver *
|
|
sc_get_driver(void)
|
|
{
|
|
struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
|
|
|
|
if (!iso_ops)
|
|
iso_ops = iso_drv->ops;
|
|
|
|
iasecc_ops = *iso_ops;
|
|
|
|
iasecc_ops.match_card = iasecc_match_card;
|
|
iasecc_ops.init = iasecc_init;
|
|
iasecc_ops.finish = iasecc_finish;
|
|
iasecc_ops.read_binary = iasecc_read_binary;
|
|
/* write_binary: ISO7816 implementation works */
|
|
/* update_binary: ISO7816 implementation works */
|
|
iasecc_ops.erase_binary = iasecc_erase_binary;
|
|
/* resize_binary */
|
|
/* read_record: Untested */
|
|
/* write_record: Untested */
|
|
/* append_record: Untested */
|
|
/* update_record: Untested */
|
|
iasecc_ops.select_file = iasecc_select_file;
|
|
/* get_response: Untested */
|
|
iasecc_ops.get_challenge = iasecc_get_challenge;
|
|
iasecc_ops.logout = iasecc_logout;
|
|
/* restore_security_env */
|
|
iasecc_ops.set_security_env = iasecc_set_security_env;
|
|
iasecc_ops.decipher = iasecc_decipher;
|
|
iasecc_ops.compute_signature = iasecc_compute_signature;
|
|
iasecc_ops.create_file = iasecc_create_file;
|
|
iasecc_ops.delete_file = iasecc_delete_file;
|
|
/* list_files */
|
|
iasecc_ops.check_sw = iasecc_check_sw;
|
|
iasecc_ops.card_ctl = iasecc_card_ctl;
|
|
iasecc_ops.process_fci = iasecc_process_fci;
|
|
/* construct_fci: Not needed */
|
|
iasecc_ops.pin_cmd = iasecc_pin_cmd;
|
|
/* get_data: Not implemented */
|
|
/* put_data: Not implemented */
|
|
/* delete_record: Not implemented */
|
|
|
|
iasecc_ops.read_public_key = iasecc_read_public_key;
|
|
|
|
return &iasecc_drv;
|
|
}
|
|
|
|
struct sc_card_driver *
|
|
sc_get_iasecc_driver(void)
|
|
{
|
|
return sc_get_driver();
|
|
}
|
|
|
|
#else
|
|
|
|
/* we need to define the functions below to export them */
|
|
#include "errors.h"
|
|
|
|
int
|
|
iasecc_se_get_info()
|
|
{
|
|
return SC_ERROR_NOT_SUPPORTED;
|
|
}
|
|
|
|
#endif /* ENABLE_OPENSSL */
|