CACKey: Check-in [def08b9deb]

Overview

Comment:	Updated to determine what kind of authentication to perform based on token present (PIV/CAC)
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| piv
Files:	files \| file ages \| folders
SHA1:	def08b9deb8260a05fcfad50d67ee5ac9f02ab4a
User & Date:	rkeene on 2013-01-16 15:21:31
Other Links:	manifest \| tags

Context

2013-01-16
15:46		Updated macbuild contact information to have valid government email addresses to contact us. check-in: f42b92cf98 user: kvanals tags: piv
15:21		Updated to determine what kind of authentication to perform based on token present (PIV/CAC) check-in: def08b9deb user: rkeene tags: piv
2013-01-15
21:12		Updated to label PIV keys with their types. Removed extraneous debugging output check-in: e2ba3f7684 user: rkeene tags: piv

Changes

Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Modified cackey.c from [0c58d0837a] to [8554f45411].

  3027   3027    *     ...
  3028   3028    *
  3029   3029    * NOTES
  3030   3030    *     ...
  3031   3031    *
  3032   3032    */
  3033   3033   static cackey_ret cackey_login(struct cackey_slot *slot, unsigned char *pin, unsigned long pin_len, int *tries_remaining_p) {
         3034  +	struct cackey_pcsc_identity *pcsc_identities;
  3034   3035   	unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
         3036  +	unsigned long num_certs;
  3035   3037   	uint16_t response_code;
  3036   3038   	int tries_remaining;
  3037   3039   	int send_ret;
  3038   3040   	int key_reference = 0x00;
  3039   3041   
  3040   3042   	/* Indicate that we do not know about how many tries are remaining */
  3041   3043   	if (tries_remaining_p) {
................................................................................
  3044   3046   
  3045   3047   	/* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */
  3046   3048   	if (pin_len >= 8) {
  3047   3049   		memcpy(cac_pin, pin, 8);
  3048   3050   	} else {
  3049   3051   		memcpy(cac_pin, pin, pin_len);
  3050   3052   	}
         3053  +
         3054  +	/* PIV authentication uses a "key_reference" of 0x80 */
         3055  +	pcsc_identities = cackey_read_certs(slot, NULL, &num_certs);
         3056  +	if (num_certs > 0 && pcsc_identities != NULL) {
         3057  +		switch (pcsc_identities[0].id_type) {
         3058  +			case CACKEY_ID_TYPE_PIV:
         3059  +				CACKEY_DEBUG_PRINTF("We recently had a PIV card, so we will attempt to authenticate using the PIV Application key reference");
         3060  +
         3061  +				key_reference = 0x80;
         3062  +				break;
         3063  +			default:
         3064  +				break;
         3065  +		}
         3066  +	}
  3051   3067   
  3052   3068   	/* Issue PIN Verify */
  3053   3069   	send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_VERIFY, 0x00, key_reference, sizeof(cac_pin), cac_pin, 0x00, &response_code, NULL, NULL);
  3054         -	if (send_ret != CACKEY_PCSC_S_OK && response_code == 0x6A88) {
  3055         -		key_reference = 0x80;
  3056         -
  3057         -		send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_VERIFY, 0x00, key_reference, sizeof(cac_pin), cac_pin, 0x00, &response_code, NULL, NULL);
  3058         -	}
  3059   3070   
  3060   3071   	if (send_ret != CACKEY_PCSC_S_OK) {
  3061   3072   		if ((response_code & 0x63C0) == 0x63C0) {
  3062   3073   			tries_remaining = (response_code & 0xF);
  3063   3074   
  3064   3075   			CACKEY_DEBUG_PRINTF("PIN Verification failed, %i tries remaining", tries_remaining);
  3065   3076