Overview
| Comment: | Merged in PIV support |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: | 3e5963d5d9cfa5bcfef7407795b3db3653b6f021 |
| User & Date: | rkeene on 2013-10-17 20:29:39 |
| Other Links: | manifest | tags |
Context
|
2013-10-17
| ||
| 20:32 | CACKey 0.7.0 check-in: d6a874f3b5 user: rkeene tags: trunk, 0.7.0 | |
| 20:29 | Merged in PIV support check-in: 3e5963d5d9 user: rkeene tags: trunk | |
| 20:29 | Updated to deal with 6E00 and added support for win32 build options check-in: 6ba1dff55a user: rkeene tags: piv | |
|
2013-08-14
| ||
| 04:40 | Updated to allow compilation excluding DoD certificates check-in: b6863060d8 user: rkeene tags: trunk | |
Changes
Added build/ask-pass/cackey-askpass version [5c6636f8ba].
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
#! /usr/bin/env bash ZENITY="$(which 'zenity' 2>/dev/null)" GDIALOG="$(which 'gdialog' 2>/dev/null)" ASKPASS="$(which 'ssh-askpass' 'x11-ssh-askpass' '/usr/libexec/x11-ssh-askpass' 2>/dev/null | head -n 1)" DIALOG="$(which 'dialog' 2>/dev/null)" XTERM="$(which 'xterm' 2>/dev/null)" if [ -x "${ZENITY}" ]; then # XXX: TODO: Zenity true fi if [ -x "${GDIALOG}" ]; then # XXX: TODO: Gdialog true fi if [ -x "${ASKPASS}" ]; then exec "${ASKPASS}" "$@" exit 1 fi if [ -x "${DIALOG}" -a -x "${XTERM}" ]; then # XXX: TODO: dialog true fi if [ -x "${XTERM}" ]; then # XXX: TODO: xterm true fi exit 1 |
Added build/builtin-certs-update version [6d290a2094].
> > > > > > > > > |
1 2 3 4 5 6 7 8 9 |
#! /bin/bash ourdir="$(dirname "$(which "$0")")" cd "${outdir}" || exit 1 make -C certs/dod distclean all make -C certs/federal distclean all ./certs-to-c certs/*/*.crt > ../cackey_builtin_certs.h |
Modified build/cackey_osx_build/Template_pmbuild/index.xml.in from [e98adc8605] to [7d02eca4b2].
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
{\fonttbl\f0\fnil\fcharset0 LucidaGrande;}
{\colortbl;\red255\green255\blue255;}
\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
\f0\fs26 \cf0 Release information:\
pkg: CACKey\
author: US Army Corps of Engineers\
Mac build contact: Kenneth Van Alstyne <kenneth.vanalstyne@hq.dhs.gov>\
US Department of Homeland Security\
contact: Roy Keene <roy.s.keene@usace.army.mil>\
------------------------------------------------\
\
The PKCS11.tokend connector module included in this package is licensed under\
the APSL. See: http://devel.kvanals.org/PKCS11_Tokend\
\
The following files in the source directory are the intellectual property of the\
Free Software Foundation and are licensed under the terms of the GNU General\
|
| | |
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
{\fonttbl\f0\fnil\fcharset0 LucidaGrande;}
{\colortbl;\red255\green255\blue255;}
\pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\ql\qnatural\pardirnatural
\f0\fs26 \cf0 Release information:\
pkg: CACKey\
author: US Army Corps of Engineers\
Mac build contact: Kenneth Van Alstyne <DC1SAN_SUPPORT@hq.dhs.gov>\
US Department of Homeland Security\
contact: Roy Keene <DC1-UNIX@hq.dhs.gov>\
------------------------------------------------\
\
The PKCS11.tokend connector module included in this package is licensed under\
the APSL. See: http://devel.kvanals.org/PKCS11_Tokend\
\
The following files in the source directory are the intellectual property of the\
Free Software Foundation and are licensed under the terms of the GNU General\
|
Modified build/cackey_osx_build/build_osx.sh from [7f1f41f856] to [c66d1aadeb].
1 2 3 4 5 6 7 8 9 10 11 |
#!/bin/bash
# Shell Script to make Mac OS X Releases of CACKey
# Kenneth Van Alstyne
# kenneth.vanalstyne@associates.hq.dhs.gov
CACKEY_VERSION=`cat configure.ac | grep AC_INIT | cut -d " " -f 2 | sed 's_)__'`
# Check to see if we're building on Mac OS X 10.7 "Lion"
if [ "`uname -r | cut -d . -f 1`" = "11" ]; then
LIONBUILD=1
fi
|
| |
1 2 3 4 5 6 7 8 9 10 11 |
#!/bin/bash
# Shell Script to make Mac OS X Releases of CACKey
# Kenneth Van Alstyne
# DC1SAN_SUPPORT@hq.dhs.gov
CACKEY_VERSION=`cat configure.ac | grep AC_INIT | cut -d " " -f 2 | sed 's_)__'`
# Check to see if we're building on Mac OS X 10.7 "Lion"
if [ "`uname -r | cut -d . -f 1`" = "11" ]; then
LIONBUILD=1
fi
|
Modified build/cackey_win32_build/build.sh from [716f40add4] to [fbfa3a5bbe].
1 2 3 4 5 6 7 8 9 |
#! /bin/bash make distclean ./configure --with-pcsc-headers="$(pwd)/build/cackey_win32_build/include" --with-pcsc-libs="-L$(pwd)/build/cackey_win32_build/lib -lwinscard" --host=i586-mingw32msvc CPPFLAGS="-I$(pwd)/build/cackey_win32_build/include" || exit 1 make || exit 1 exit 0 |
| |
1 2 3 4 5 6 7 8 9 |
#! /bin/bash
make distclean
./configure --with-pcsc-headers="$(pwd)/build/cackey_win32_build/include" --with-pcsc-libs="-L$(pwd)/build/cackey_win32_build/lib -lwinscard" --host=i586-mingw32msvc CPPFLAGS="-I$(pwd)/build/cackey_win32_build/include" "$@" || exit 1
make || exit 1
exit 0
|
Modified build/certs-to-c from [c49efbf6f1] to [1cd87f2aca].
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
continue
fi
openssl x509 -in "${file}" -out tmpfile.x509 -inform pem -outform der
pubkeylen="$(openssl x509 -in tmpfile.x509 -inform der -text -noout | grep 'RSA Public Key:' | sed 's@^.*(\([0-9][0-9]*\) bit).*$@\1@')"
certlen="$(stat -c '%s' tmpfile.x509)"
cert="$(( cat tmpfile.x509 | od -t x1 | cut -c 9- | tr "\n" ' '; echo ) | sed 's@ @@g;s@..@\\x&@g')"
cat << _EOF_
{
{0},
0,
${certlen},
(unsigned char *) "${cert}",
${pubkeylen}
},
_EOF_
done
rm -f tmpfile.x509
|
| | < | | | |
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
continue
fi
openssl x509 -in "${file}" -out tmpfile.x509 -inform pem -outform der
pubkeylen="$(openssl x509 -in tmpfile.x509 -inform der -text -noout | grep 'RSA Public Key:' | sed 's@^.*(\([0-9][0-9]*\) bit).*$@\1@')"
certlen="$(cat tmpfile.x509 | wc -c)"
cert="$(( cat tmpfile.x509 | od -t x1 | cut -c 9- | tr "\n" ' '; echo ) | sed 's@ @@g;s@..@\\x&@g')"
cat << _EOF_
{
CACKEY_ID_TYPE_CERT_ONLY, /* id_type */
${certlen}, /* certificate_len */
(unsigned char *) "${cert}", /* certificate */
${pubkeylen} /* keysize */
},
_EOF_
done
rm -f tmpfile.x509
|
Added build/certs/dod/Makefile version [678511107e].
> > > > > > > > > > > > > > > > > > > > > > > > > > |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
all: cert-0.crt rel3_dodroot_2048.cac: wget -O "$@.new" http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac mv "$@.new" "$@" cert-%.crt: rel3_dodroot_2048.cac idx=0; \ ( \ openssl pkcs7 -in rel3_dodroot_2048.cac -inform DER -print_certs -text; \ ) | while IFS='' read -r line; do \ if [ -z "$${line}" ]; then \ continue; \ fi; \ echo "$${line}" >> "cert-$${idx}.crt"; \ if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \ idx=$$[$$idx + 1]; \ fi; \ done clean: rm -f cert-*.crt rm -f rel3_dodroot_2048.cac.new distclean: clean rm -f rel3_dodroot_2048.cac |
Added build/certs/federal/Makefile version [7088ba1ceb].
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
all: cert-1.crt CPCA_TRCA.crt CommonPolicy.crt grep -l 'Issuer: C=US, O=U.S. Government, OU=FPKI, CN=Federal Bridge CA' *.crt | xargs rm -f grep -l 'Subject: C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA' *.crt | xargs grep -H 'Issuer:' | grep -v 'Issuer: C=us, O=U.S. Government, OU=FBCA, CN=Common Policy' | cut -f 1 -d : | xargs rm -f CPCA_TRCA.crt: wget -O - --no-check-certificate https://pki.treas.gov/CPCA_TRCA.cer | openssl x509 -text > "$@.new" mv "$@.new" "$@" caCertsIssuedTofcpca.p7c: wget -O "$@.new" http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c mv "$@.new" "$@" root_sia.p7b: wget -O "$@.new" --no-check-certificate https://pki.treas.gov/root_sia.p7b mv "$@.new" "$@" CommonPolicy.crt: wget -O - http://fpkia.gsa.gov/CommonPolicy/CommonPolicy.crt | openssl x509 -inform der -text > "$@.new" mv "$@.new" "$@" cert-%.crt: root_sia.p7b caCertsIssuedTofcpca.p7c idx=0; \ ( \ openssl pkcs7 -in root_sia.p7b -inform DER -print_certs -text; \ openssl pkcs7 -in caCertsIssuedTofcpca.p7c -inform DER -print_certs -text; \ ) | while IFS='' read -r line; do \ if [ -z "$${line}" ]; then \ continue; \ fi; \ echo "$${line}" >> "cert-$${idx}.crt"; \ if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \ idx=$$[$$idx + 1]; \ fi; \ done clean: rm -f cert-*.crt rm -f CPCA_TRCA.crt.new root_sia.p7b.new caCertsIssuedTofcpca.p7c.new CommonPolicy.crt.new distclean: clean rm -f CPCA_TRCA.crt root_sia.p7b caCertsIssuedTofcpca.p7c CommonPolicy.crt |
Modified cackey.c from [967c6f655f] to [e6fa629162].
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 ... 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 ... 832 833 834 835 836 837 838 839 840 841 842 843 844 845 .... 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 .... 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 .... 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 .... 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 .... 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 .... 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 .... 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 .... 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 .... 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 .... 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 .... 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 .... 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 .... 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 .... 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652 2653 2654 2655 2656 2657 2658 2659 2660 2661 .... 2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 .... 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 .... 3612 3613 3614 3615 3616 3617 3618 3619 3620 3621 3622 3623 3624 3625 3626 .... 3633 3634 3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 .... 3676 3677 3678 3679 3680 3681 3682 3683 3684 3685 3686 3687 3688 3689 3690 3691 3692 3693 3694 3695 3696 3697 3698 3699 .... 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716 .... 4235 4236 4237 4238 4239 4240 4241 4242 4243 4244 4245 4246 4247 4248 .... 4698 4699 4700 4701 4702 4703 4704 4705 4706 4707 4708 4709 4710 4711 4712 4713 4714 .... 4752 4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4765 4766 4767 4768 4769 4770 4771 4772 4773 4774 4775 4776 4777 4778 4779 4780 4781 4782 4783 4784 |
#define GSCIS_TAG_SERNO 0x51 #define GSCIS_TAG_ISSUE_DATE 0x52 #define GSCIS_TAG_EXPIRE_DATE 0x53 #define GSCIS_TAG_CARD_TYPE 0x54 #define GSCIS_TAG_SECURITY_CODE 0x57 #define GSCIS_TAG_CARDID_AID 0x58 /*** PKI Information - EF 7000 ***/ #define GSCIS_TAG_CERTIFICATE 0x70 #define GSCIS_TAG_CERT_ISSUE_DATE 0x71 #define GSCIS_TAG_CERT_EXPIRE_DATE 0x72 /** Applet IDs **/ #define GSCIS_AID_CCC 0xA0, 0x00, 0x00, 0x01, 0x16, 0xDB, 0x00 /* Maximum size of data portion of APDUs */ /** Do not set this above 250 **/ #define CACKEY_APDU_MTU 250 /* ATR If not available */ #ifndef MAX_ATR_SIZE ................................................................................ # define CACKEY_DEBUG_FUNC_TAG_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_SCARDERR_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_OBJID_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_APPTYPE_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_ATTRIBUTE_TO_STR(x) "DEBUG_DISABLED" #endif struct cackey_pcsc_identity { unsigned char applet[7]; uint16_t file; size_t certificate_len; unsigned char *certificate; ssize_t keysize; }; struct cackey_identity { struct cackey_pcsc_identity *pcsc_identity; CK_ATTRIBUTE *attributes; CK_ULONG attributes_count; ................................................................................ static int cackey_biglock_init = 0; CK_C_INITIALIZE_ARGS cackey_args; /** Extra certificates to include in token **/ struct cackey_pcsc_identity extra_certs[] = { #include "cackey_builtin_certs.h" }; /* PCSC Global Handles */ static LPSCARDCONTEXT cackey_pcsc_handle = NULL; static unsigned long cackey_getversion(void) { static unsigned long retval = 255; unsigned long major = 0; ................................................................................ slot->pcsc_card_connected = 1; slot->transaction_depth = 0; slot->transaction_need_hw_lock = 0; slot->protocol = protocol; } return(CACKEY_PCSC_S_OK); } /* * SYNPOSIS * cackey_ret cackey_begin_transaction(struct cackey_slot *slot); * ................................................................................ * cackey_pcsc_connect() if needed. * * It will connect to the card in the reader attached to the slot * specified. It will reconnect to the card if the connection * goes away. * */ static cackey_ret cackey_send_apdu(struct cackey_slot *slot, unsigned char class, unsigned char instruction, unsigned char p1, unsigned char p2, unsigned char lc, unsigned char *data, unsigned char le, uint16_t *respcode, unsigned char *respdata, size_t *respdata_len) { uint8_t major_rc, minor_rc; size_t bytes_to_copy, tmp_respdata_len; LPCSCARD_IO_REQUEST pioSendPci; DWORD protocol; DWORD xmit_len, recv_len; LONG scard_xmit_ret, scard_reconn_ret; BYTE xmit_buf[1024], recv_buf[1024]; ................................................................................ return(CACKEY_PCSC_E_GENERIC); } /* Determine which protocol to send using */ switch (slot->protocol) { case SCARD_PROTOCOL_T0: pioSendPci = SCARD_PCI_T0; break; case SCARD_PROTOCOL_T1: pioSendPci = SCARD_PCI_T1; break; default: CACKEY_DEBUG_PRINTF("Invalid protocol found, aborting."); return(CACKEY_PCSC_E_GENERIC); ................................................................................ /* Transmit */ xmit_len = 0; xmit_buf[xmit_len++] = class; xmit_buf[xmit_len++] = instruction; xmit_buf[xmit_len++] = p1; xmit_buf[xmit_len++] = p2; if (data) { xmit_buf[xmit_len++] = lc; for (idx = 0; idx < lc; idx++) { xmit_buf[xmit_len++] = data[idx]; } } if (le != 0x00) { xmit_buf[xmit_len++] = le; } /* Begin Smartcard Transaction */ cackey_begin_transaction(slot); if (class == GSCIS_CLASS_ISO7816 && instruction == GSCIS_INSTR_VERIFY && p1 == 0x00 && p2 == 0x00) { CACKEY_DEBUG_PRINTF("Sending APDU: <<censored>>"); } else { CACKEY_DEBUG_PRINTBUF("Sending APDU:", xmit_buf, xmit_len); } recv_len = sizeof(recv_buf); scard_xmit_ret = SCardTransmit(slot->pcsc_card, pioSendPci, xmit_buf, xmit_len, NULL, recv_buf, &recv_len); ................................................................................ } CACKEY_DEBUG_PRINTF("APDU Returned an error, returning in failure"); return(CACKEY_PCSC_E_GENERIC); } /* * SYNPOSIS * ssize_t cackey_read_buffer(struct cackey_slot *slot, unsigned char *buffer, size_t count, unsigned char t_or_v, size_t initial_offset); * * ARGUMENTS * struct cackey_slot *slot ................................................................................ } if (dest == NULL) { dest = malloc(sizeof(*dest) * count); } for (idx = 0; idx < count; idx++) { memcpy(dest[idx].applet, start[idx].applet, sizeof(dest[idx].applet)); dest[idx].file = start[idx].file; dest[idx].certificate_len = start[idx].certificate_len; dest[idx].keysize = start[idx].keysize; dest[idx].certificate = malloc(dest[idx].certificate_len); memcpy(dest[idx].certificate, start[idx].certificate, dest[idx].certificate_len); } ................................................................................ * NOTES * ... * */ static struct cackey_pcsc_identity *cackey_read_certs(struct cackey_slot *slot, struct cackey_pcsc_identity *certs, unsigned long *count) { struct cackey_pcsc_identity *curr_id; struct cackey_tlv_entity *ccc_tlv, *ccc_curr, *app_tlv, *app_curr; unsigned char ccc_aid[] = {GSCIS_AID_CCC}; unsigned char curr_aid[7]; unsigned long outidx = 0; cackey_ret transaction_ret; int certs_resizable; int send_ret, select_ret; CACKEY_DEBUG_PRINTF("Called."); if (count == NULL) { CACKEY_DEBUG_PRINTF("count is NULL, returning in failure"); return(NULL); ................................................................................ } if (!slot->slot_reset) { if (slot->cached_certs) { if (certs == NULL) { certs = malloc(sizeof(*certs) * slot->cached_certs_count); *count = slot->cached_certs_count; } else { if (*count > slot->cached_certs_count) { *count = slot->cached_certs_count; } } cackey_copy_certs(certs, slot->cached_certs, *count); ................................................................................ } else { certs_resizable = 0; } /* Select the CCC Applet */ send_ret = cackey_select_applet(slot, ccc_aid, sizeof(ccc_aid)); if (send_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Unable to select CCC Applet, returning in failure"); /* Terminate SmartCard Transaction */ cackey_end_transaction(slot); return(NULL); } /* Read all the applets from the CCC's TLV */ ccc_tlv = cackey_read_tlv(slot); /* Look for CARDURLs that coorespond to PKI applets */ for (ccc_curr = ccc_tlv; ccc_curr; ccc_curr = ccc_curr->_next) { CACKEY_DEBUG_PRINTF("Found tag: %s ... ", CACKEY_DEBUG_FUNC_TAG_TO_STR(ccc_curr->tag)); if (ccc_curr->tag != GSCIS_TAG_CARDURL) { CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about CARDURLs)"); continue; } if ((ccc_curr->value_cardurl->apptype & CACKEY_TLV_APP_PKI) != CACKEY_TLV_APP_PKI) { CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about PKI applets, this applet supports: %s/%02x)", CACKEY_DEBUG_FUNC_APPTYPE_TO_STR(ccc_curr->value_cardurl->apptype), (unsigned int) ccc_curr->value_cardurl->apptype); continue; } CACKEY_DEBUG_PRINTBUF("RID:", ccc_curr->value_cardurl->rid, sizeof(ccc_curr->value_cardurl->rid)); CACKEY_DEBUG_PRINTF("AppID = %s/%04lx", CACKEY_DEBUG_FUNC_OBJID_TO_STR(ccc_curr->value_cardurl->appid), (unsigned long) ccc_curr->value_cardurl->appid); CACKEY_DEBUG_PRINTF("ObjectID = %s/%04lx", CACKEY_DEBUG_FUNC_OBJID_TO_STR(ccc_curr->value_cardurl->objectid), (unsigned long) ccc_curr->value_cardurl->objectid); memcpy(curr_aid, ccc_curr->value_cardurl->rid, sizeof(ccc_curr->value_cardurl->rid)); curr_aid[sizeof(curr_aid) - 2] = (ccc_curr->value_cardurl->appid >> 8) & 0xff; curr_aid[sizeof(curr_aid) - 1] = ccc_curr->value_cardurl->appid & 0xff; /* Select found applet ... */ select_ret = cackey_select_applet(slot, curr_aid, sizeof(curr_aid)); if (select_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Failed to select applet, skipping processing of this object"); continue; } /* ... and object (file) */ select_ret = cackey_select_file(slot, ccc_curr->value_cardurl->objectid); if (select_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Failed to select file, skipping processing of this object"); continue; } /* Process this file's TLV looking for certificates */ app_tlv = cackey_read_tlv(slot); for (app_curr = app_tlv; app_curr; app_curr = app_curr->_next) { CACKEY_DEBUG_PRINTF("Found tag: %s", CACKEY_DEBUG_FUNC_TAG_TO_STR(app_curr->tag)); if (app_curr->tag != GSCIS_TAG_CERTIFICATE) { CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about CERTIFICATEs)"); continue; } curr_id = &certs[outidx]; outidx++; memcpy(curr_id->applet, curr_aid, sizeof(curr_id->applet)); curr_id->file = ccc_curr->value_cardurl->objectid; curr_id->keysize = -1; CACKEY_DEBUG_PRINTF("Filling curr_id->applet (%p) with %lu bytes:", curr_id->applet, (unsigned long) sizeof(curr_id->applet)); CACKEY_DEBUG_PRINTBUF("VAL:", curr_id->applet, sizeof(curr_id->applet)); curr_id->certificate_len = app_curr->length; curr_id->certificate = malloc(curr_id->certificate_len); memcpy(curr_id->certificate, app_curr->value, curr_id->certificate_len); if (outidx >= *count) { if (certs_resizable) { *count *= 2; certs = realloc(certs, sizeof(*certs) * (*count)); } else { break; } } } cackey_free_tlv(app_tlv); if (outidx >= *count) { break; } } cackey_free_tlv(ccc_tlv); *count = outidx; if (certs_resizable) { certs = realloc(certs, sizeof(*certs) * (*count)); } slot->cached_certs = cackey_copy_certs(NULL, certs, *count); ................................................................................ * ... * * NOTES * ... * */ static ssize_t cackey_signdecrypt(struct cackey_slot *slot, struct cackey_identity *identity, unsigned char *buf, size_t buflen, unsigned char *outbuf, size_t outbuflen, int padInput, int unpadOutput) { unsigned char *tmpbuf, *tmpbuf_s, *outbuf_s; unsigned char bytes_to_send, p1; unsigned char blocktype; cackey_ret send_ret; uint16_t respcode; ssize_t retval = 0, unpadoffset; size_t tmpbuflen, padlen, tmpoutbuflen; int free_tmpbuf = 0; int le; CACKEY_DEBUG_PRINTF("Called."); if (slot == NULL) { CACKEY_DEBUG_PRINTF("Error. slot is NULL"); ................................................................................ } if (identity->pcsc_identity == NULL) { CACKEY_DEBUG_PRINTF("Error. identity->pcsc_identity is NULL"); return(-1); } /* Determine identity Key size */ if (identity->pcsc_identity->keysize < 0) { identity->pcsc_identity->keysize = x509_to_keysize(identity->pcsc_identity->certificate, identity->pcsc_identity->certificate_len); } /* Pad message to key size */ ................................................................................ padlen = 0; } /* Begin transaction */ cackey_begin_transaction(slot); /* Select correct applet */ CACKEY_DEBUG_PRINTF("Selecting applet found at %p ...", identity->pcsc_identity->applet); cackey_select_applet(slot, identity->pcsc_identity->applet, sizeof(identity->pcsc_identity->applet)); /* Select correct file */ cackey_select_file(slot, identity->pcsc_identity->file); tmpbuf_s = tmpbuf; outbuf_s = outbuf; while (tmpbuflen) { if (tmpbuflen > 245) { bytes_to_send = 245; p1 = 0x80; le = 0x00; } else { bytes_to_send = tmpbuflen; p1 = 0x00; le = 0x00; } tmpoutbuflen = outbuflen; send_ret = cackey_send_apdu(slot, GSCIS_CLASS_GLOBAL_PLATFORM, GSCIS_INSTR_SIGNDECRYPT, p1, 0x00, bytes_to_send, tmpbuf, le, &respcode, outbuf, &tmpoutbuflen); if (send_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("ADPU Sending Failed -- returning in error."); if (free_tmpbuf) { if (tmpbuf_s) { free(tmpbuf_s); } } /* End transaction */ cackey_end_transaction(slot); if (respcode == 0x6982) { CACKEY_DEBUG_PRINTF("Security status not satisified. Returning NEEDLOGIN"); cackey_mark_slot_reset(slot); slot->token_flags = CKF_LOGIN_REQUIRED; return(CACKEY_PCSC_E_NEEDLOGIN); } ................................................................................ if (outbuflen > _POSIX_SSIZE_MAX) { CACKEY_DEBUG_PRINTF("Outbuflen exceeds maximum value, returning in failure. (max = %li, outbuflen = %lu)", (long) _POSIX_SSIZE_MAX, (unsigned long) outbuflen); return(-1); } # endif #endif /* Unpad reply */ if (unpadOutput) { if (retval < 3) { CACKEY_DEBUG_PRINTF("Reply is too small, we are not able to unpad -- passing back and hoping for the best!"); CACKEY_DEBUG_PRINTF("Returning in success, retval = %li (bytes)", (long) retval); ................................................................................ * ... * * NOTES * ... * */ static cackey_ret cackey_login(struct cackey_slot *slot, unsigned char *pin, unsigned long pin_len, int *tries_remaining_p) { unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; uint16_t response_code; int tries_remaining; int send_ret; /* Indicate that we do not know about how many tries are remaining */ if (tries_remaining_p) { *tries_remaining_p = -1; } /* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */ if (pin_len >= 8) { memcpy(cac_pin, pin, 8); } else { memcpy(cac_pin, pin, pin_len); } /* Issue PIN Verify */ send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_VERIFY, 0x00, 0x00, sizeof(cac_pin), cac_pin, 0x00, &response_code, NULL, NULL); if (send_ret != CACKEY_PCSC_S_OK) { if ((response_code & 0x63C0) == 0x63C0) { tries_remaining = (response_code & 0xF); CACKEY_DEBUG_PRINTF("PIN Verification failed, %i tries remaining", tries_remaining); if (tries_remaining_p) { ................................................................................ pcsc_connect_ret = cackey_connect_card(slot); if (pcsc_connect_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Unable to connect to card, returning token absent"); return(CACKEY_PCSC_E_TOKENABSENT); } atr_len = sizeof(atr); status_ret = SCardStatus(slot->pcsc_card, NULL, &reader_len, &state, &protocol, atr, &atr_len); if (status_ret == SCARD_E_INVALID_HANDLE) { CACKEY_DEBUG_PRINTF("SCardStatus() returned SCARD_E_INVALID_HANDLE, marking is not already connected and trying again"); cackey_mark_slot_reset(slot); pcsc_connect_ret = cackey_connect_card(slot); if (pcsc_connect_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Unable to connect to card, returning token absent"); return(CACKEY_PCSC_E_TOKENABSENT); } atr_len = sizeof(atr); status_ret = SCardStatus(slot->pcsc_card, NULL, &reader_len, &state, &protocol, atr, &atr_len); } if (status_ret != SCARD_S_SUCCESS) { cackey_mark_slot_reset(slot); ................................................................................ CACKEY_DEBUG_PRINTF(" ... returning %lu (%p/%lu)", (unsigned long) *((CK_BBOOL *) pValue), pValue, (unsigned long) ulValueLen); break; case CKA_LABEL: CACKEY_DEBUG_PRINTF("Requesting attribute CKA_LABEL (0x%08lx) ...", (unsigned long) curr_attr_type); /* XXX: Determine name */ ulValueLen = snprintf((char *) ucTmpBuf, sizeof(ucTmpBuf), "Identity #%lu", (unsigned long) identity_num); pValue = ucTmpBuf; if (ulValueLen >= sizeof(ucTmpBuf)) { ulValueLen = 0; pValue = NULL; } CACKEY_DEBUG_PRINTF(" ... returning (%p/%lu)", pValue, (unsigned long) ulValueLen); break; case CKA_VALUE: CACKEY_DEBUG_PRINTF("Requesting attribute CKA_VALUE (0x%08lx) ...", (unsigned long) curr_attr_type); ................................................................................ memcpy(identities[id_idx].pcsc_identity->certificate, pcsc_identities[cert_idx].certificate, pcsc_identities[cert_idx].certificate_len); id_idx++; } } if (include_extra_certs) { CACKEY_DEBUG_PRINTF("Including DoD Certificates on hardware slot"); cackey_read_dod_identities(identities + id_idx, num_dod_certs); } cackey_free_certs(pcsc_identities, num_certs, 1); *ids_found = num_ids; ................................................................................ return(NULL); } CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) { CK_C_INITIALIZE_ARGS CK_PTR args; uint32_t idx, highest_slot; int mutex_init_ret; CACKEY_DEBUG_PRINTF("Called."); if (cackey_initialized) { CACKEY_DEBUG_PRINTF("Error. Already initialized."); return(CKR_CRYPTOKI_ALREADY_INITIALIZED); ................................................................................ cackey_slots[idx].transaction_need_hw_lock = 0; cackey_slots[idx].slot_reset = 0; cackey_slots[idx].token_flags = 0; cackey_slots[idx].label = NULL; cackey_slots[idx].internal = 0; } if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) { CACKEY_DEBUG_PRINTF("Asked not to include DoD certificates"); } else { highest_slot = (sizeof(cackey_slots) / sizeof(cackey_slots[0])) - 1; CACKEY_DEBUG_PRINTF("Including DoD certs in slot %lu", (unsigned long) highest_slot); cackey_slots[highest_slot].active = 1; cackey_slots[highest_slot].internal = 1; cackey_slots[highest_slot].label = (unsigned char *) "DoD Certificates"; cackey_slots[highest_slot].pcsc_reader = "CACKey"; cackey_slots[highest_slot].token_flags = 0; } cackey_initialized = 1; if (!cackey_biglock_init) { ................................................................................ CACKEY_DEBUG_PRINTF("Error. Mutex initialization failed."); return(CKR_CANT_LOCK); } cackey_biglock_init = 1; } CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK); return(CKR_OK); } CK_DEFINE_FUNCTION(CK_RV, C_Finalize)(CK_VOID_PTR pReserved) { ................................................................................ pInfo->hardwareVersion.major = (cackey_getversion() >> 16) & 0xff; pInfo->hardwareVersion.minor = (cackey_getversion() >> 8) & 0xff; pInfo->firmwareVersion.major = 0x00; pInfo->firmwareVersion.minor = 0x00; pInfo->flags = CKF_WRITE_PROTECTED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED | cackey_slots[slotID].token_flags; pInfo->ulMaxSessionCount = (sizeof(cackey_sessions) / sizeof(cackey_sessions[0])) - 1; pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION; pInfo->ulMaxRwSessionCount = 0; pInfo->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION; pInfo->ulMaxPinLen = 128; pInfo->ulMinPinLen = 0; ................................................................................ CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED); return(CKR_FUNCTION_NOT_SUPPORTED); } CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) { CK_SLOT_ID slotID; int mutex_retval; int tries_remaining; int login_ret; CACKEY_DEBUG_PRINTF("Called."); if (!cackey_initialized) { CACKEY_DEBUG_PRINTF("Error. Not initialized."); return(CKR_CRYPTOKI_NOT_INITIALIZED); ................................................................................ if (cackey_slots[slotID].active == 0) { CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID); cackey_mutex_unlock(cackey_biglock); return(CKR_GENERAL_ERROR); } login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining); if (login_ret != CACKEY_PCSC_S_OK) { cackey_mutex_unlock(cackey_biglock); if (login_ret == CACKEY_PCSC_E_LOCKED) { CACKEY_DEBUG_PRINTF("Error. Token is locked."); cackey_slots[slotID].token_flags |= CKF_USER_PIN_LOCKED; return(CKR_PIN_LOCKED); } else if (login_ret == CACKEY_PCSC_E_BADPIN) { CACKEY_DEBUG_PRINTF("Error. Invalid PIN."); cackey_slots[slotID].token_flags |= CKF_USER_PIN_COUNT_LOW; if (tries_remaining == 1) { cackey_slots[slotID].token_flags |= CKF_USER_PIN_FINAL_TRY; } return(CKR_PIN_INCORRECT); } CACKEY_DEBUG_PRINTF("Error. Unknown error returned from cackey_login() (%i)", login_ret); return(CKR_GENERAL_ERROR); |
> > > > > > > > > > > > > > > > > > > > > > > > > > > > < < > > > > > > > > > > > > > > > > > > > > | > > > > > > > > > > > | > > > > > > > > > > | > | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > > > > | > > > > > > > > | > > > > > > > < > > > > > > > | | | | | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | > | | | < > | | | | | | | | | | | > > > > > > > | | < < | < < < < > > | | | > > > > > > > > > > > > > > > > > > > | | | | > > > > > > > > > > > > > > > > > > > > | > > | > > > > > > | | | < | | | < < | > > > > > > > > > > > > > > > > | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > > > > > | > > > | | | | | > | > > > > > > > > > > > > > > > | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > |
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 ... 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 ... 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 .... 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 .... 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 .... 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 .... 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 .... 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 .... 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 .... 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 .... 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 .... 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 2501 2502 2503 2504 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573 2574 2575 2576 2577 2578 2579 2580 2581 2582 2583 2584 2585 2586 2587 2588 2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599 2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652 2653 2654 .... 2671 2672 2673 2674 2675 2676 2677 2678 2679 2680 2681 2682 2683 2684 2685 2686 2687 2688 2689 2690 2691 2692 2693 .... 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 .... 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 .... 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 .... 3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 .... 3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183 3184 .... 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528 3529 3530 3531 3532 3533 3534 3535 3536 3537 3538 3539 3540 .... 4064 4065 4066 4067 4068 4069 4070 4071 4072 4073 4074 4075 4076 4077 4078 .... 4085 4086 4087 4088 4089 4090 4091 4092 4093 4094 4095 4096 4097 4098 4099 .... 4129 4130 4131 4132 4133 4134 4135 4136 4137 4138 4139 4140 4141 4142 4143 4144 4145 4146 4147 4148 4149 4150 4151 4152 4153 4154 4155 4156 4157 4158 4159 4160 4161 4162 4163 4164 4165 4166 .... 4170 4171 4172 4173 4174 4175 4176 4177 4178 4179 4180 4181 4182 4183 4184 4185 4186 4187 4188 4189 4190 4191 4192 4193 4194 4195 4196 4197 4198 4199 4200 4201 4202 .... 4721 4722 4723 4724 4725 4726 4727 4728 4729 4730 4731 4732 4733 4734 4735 4736 4737 4738 .... 5188 5189 5190 5191 5192 5193 5194 5195 5196 5197 5198 5199 5200 5201 5202 5203 5204 5205 5206 5207 .... 5245 5246 5247 5248 5249 5250 5251 5252 5253 5254 5255 5256 5257 5258 5259 5260 5261 5262 5263 5264 5265 5266 5267 5268 5269 5270 5271 5272 5273 5274 5275 5276 5277 5278 5279 5280 5281 5282 5283 5284 5285 5286 5287 5288 5289 5290 5291 5292 5293 5294 5295 5296 5297 5298 5299 5300 5301 5302 5303 5304 5305 5306 5307 5308 5309 5310 5311 5312 5313 5314 5315 5316 5317 5318 5319 5320 5321 5322 5323 5324 5325 5326 5327 5328 5329 5330 5331 5332 5333 5334 |
#define GSCIS_TAG_SERNO 0x51 #define GSCIS_TAG_ISSUE_DATE 0x52 #define GSCIS_TAG_EXPIRE_DATE 0x53 #define GSCIS_TAG_CARD_TYPE 0x54 #define GSCIS_TAG_SECURITY_CODE 0x57 #define GSCIS_TAG_CARDID_AID 0x58 /*** PIV Codes ***/ #define NISTSP800_73_3_INSTR_GET_DATA 0xCB #define NISTSP800_73_3_INSTR_GENAUTH 0x87 /*** PKI Information - EF 7000 ***/ #define GSCIS_TAG_CERTIFICATE 0x70 #define GSCIS_TAG_CERT_ISSUE_DATE 0x71 #define GSCIS_TAG_CERT_EXPIRE_DATE 0x72 /** Applet IDs **/ #define GSCIS_AID_CCC 0xA0, 0x00, 0x00, 0x01, 0x16, 0xDB, 0x00 #define NISTSP800_73_3_PIV_AID 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00 /* PIV IDs */ /** Key Identifiers (NIST SP 800-78-3, Table 6-1 **/ #define NISTSP800_78_3_KEY_PIVAUTH 0x9A #define NISTSP800_78_3_KEY_SIGNATURE 0x9C #define NISTSP800_78_3_KEY_KEYMGT 0x9D #define NISTSP800_78_3_KEY_CARDAUTH 0x9E /** Algorithm Identifiers (NIST SP 800-78-3, Table 6-2 **/ #define NISTSP800_78_3_ALGO_RSA1024 0x06 #define NISTSP800_78_3_ALGO_RSA2048 0x07 /** Object Identifiers (NIST SP 800-73-3 Part 1, Table 2) **/ #define NISTSP800_73_3_OID_PIVAUTH 0x5F, 0xC1, 0x05 #define NISTSP800_73_3_OID_SIGNATURE 0x5F, 0xC1, 0x0A #define NISTSP800_73_3_OID_KEYMGT 0x5F, 0xC1, 0x0B #define NISTSP800_73_3_OID_CARDAUTH 0x5F, 0xC1, 0x01 /* Maximum size of data portion of APDUs */ /** Do not set this above 250 **/ #define CACKEY_APDU_MTU 250 /* ATR If not available */ #ifndef MAX_ATR_SIZE ................................................................................ # define CACKEY_DEBUG_FUNC_TAG_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_SCARDERR_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_OBJID_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_APPTYPE_TO_STR(x) "DEBUG_DISABLED" # define CACKEY_DEBUG_FUNC_ATTRIBUTE_TO_STR(x) "DEBUG_DISABLED" #endif typedef enum { CACKEY_ID_TYPE_CAC, CACKEY_ID_TYPE_PIV, CACKEY_ID_TYPE_CERT_ONLY } cackey_pcsc_id_type; struct cackey_pcsc_identity { cackey_pcsc_id_type id_type; size_t certificate_len; unsigned char *certificate; ssize_t keysize; union { struct { unsigned char applet[7]; uint16_t file; } cac; struct { unsigned char key_id; char label[32]; } piv; } card; }; struct cackey_identity { struct cackey_pcsc_identity *pcsc_identity; CK_ATTRIBUTE *attributes; CK_ULONG attributes_count; ................................................................................ static int cackey_biglock_init = 0; CK_C_INITIALIZE_ARGS cackey_args; /** Extra certificates to include in token **/ struct cackey_pcsc_identity extra_certs[] = { #include "cackey_builtin_certs.h" }; /* Protected Authentication Path command */ #define CACKEY_PIN_COMMAND_DEFAULT_XSTR(str) CACKEY_PIN_COMMAND_DEFAULT_STR(str) #define CACKEY_PIN_COMMAND_DEFAULT_STR(str) #str static char *cackey_pin_command = NULL; /* PCSC Global Handles */ static LPSCARDCONTEXT cackey_pcsc_handle = NULL; static unsigned long cackey_getversion(void) { static unsigned long retval = 255; unsigned long major = 0; ................................................................................ slot->pcsc_card_connected = 1; slot->transaction_depth = 0; slot->transaction_need_hw_lock = 0; slot->protocol = protocol; } CACKEY_DEBUG_PRINTF("Returning in success"); return(CACKEY_PCSC_S_OK); } /* * SYNPOSIS * cackey_ret cackey_begin_transaction(struct cackey_slot *slot); * ................................................................................ * cackey_pcsc_connect() if needed. * * It will connect to the card in the reader attached to the slot * specified. It will reconnect to the card if the connection * goes away. * */ static cackey_ret cackey_send_apdu(struct cackey_slot *slot, unsigned char class, unsigned char instruction, unsigned char p1, unsigned char p2, unsigned int lc, unsigned char *data, unsigned int le, uint16_t *respcode, unsigned char *respdata, size_t *respdata_len) { uint8_t major_rc, minor_rc; size_t bytes_to_copy, tmp_respdata_len; LPCSCARD_IO_REQUEST pioSendPci; DWORD protocol; DWORD xmit_len, recv_len; LONG scard_xmit_ret, scard_reconn_ret; BYTE xmit_buf[1024], recv_buf[1024]; ................................................................................ return(CACKEY_PCSC_E_GENERIC); } /* Determine which protocol to send using */ switch (slot->protocol) { case SCARD_PROTOCOL_T0: CACKEY_DEBUG_PRINTF("Protocol to send datagram is T=0"); pioSendPci = SCARD_PCI_T0; break; case SCARD_PROTOCOL_T1: CACKEY_DEBUG_PRINTF("Protocol to send datagram is T=1"); pioSendPci = SCARD_PCI_T1; break; default: CACKEY_DEBUG_PRINTF("Invalid protocol found, aborting."); return(CACKEY_PCSC_E_GENERIC); ................................................................................ /* Transmit */ xmit_len = 0; xmit_buf[xmit_len++] = class; xmit_buf[xmit_len++] = instruction; xmit_buf[xmit_len++] = p1; xmit_buf[xmit_len++] = p2; if (data) { if (lc > 255) { CACKEY_DEBUG_PRINTF("CAUTION! Using an Lc greater than 255 is untested. Lc = %u", lc); xmit_buf[xmit_len++] = 0x82; /* XXX UNTESTED */ xmit_buf[xmit_len++] = (lc & 0xff00) >> 8; xmit_buf[xmit_len++] = lc & 0xff; } else { xmit_buf[xmit_len++] = lc; } for (idx = 0; idx < lc; idx++) { xmit_buf[xmit_len++] = data[idx]; } } if (le != 0x00) { if (le > 256) { CACKEY_DEBUG_PRINTF("CAUTION! Using an Le greater than 256 is untested. Le = %u", le); xmit_buf[xmit_len++] = 0x82; /* XXX UNTESTED */ xmit_buf[xmit_len++] = (le & 0xff00) >> 8; xmit_buf[xmit_len++] = le & 0xff; } else if (le == 256) { xmit_buf[xmit_len++] = 0x00; } else { xmit_buf[xmit_len++] = le; } } /* Begin Smartcard Transaction */ cackey_begin_transaction(slot); if (class == GSCIS_CLASS_ISO7816 && instruction == GSCIS_INSTR_VERIFY && p1 == 0x00) { CACKEY_DEBUG_PRINTF("Sending APDU: <<censored>>"); } else { CACKEY_DEBUG_PRINTBUF("Sending APDU:", xmit_buf, xmit_len); } recv_len = sizeof(recv_buf); scard_xmit_ret = SCardTransmit(slot->pcsc_card, pioSendPci, xmit_buf, xmit_len, NULL, recv_buf, &recv_len); ................................................................................ } CACKEY_DEBUG_PRINTF("APDU Returned an error, returning in failure"); return(CACKEY_PCSC_E_GENERIC); } static unsigned char *cackey_read_bertlv_tag(unsigned char *buffer, size_t *buffer_len_p, unsigned char tag, unsigned char *outbuffer, size_t *outbuffer_len_p) { unsigned char *buffer_p; size_t outbuffer_len, buffer_len; size_t size; int idx; CACKEY_DEBUG_PRINTF("Called."); if (buffer_len_p == NULL) { CACKEY_DEBUG_PRINTF("buffer_len_p is NULL. Returning in failure."); return(NULL); } if (outbuffer_len_p == NULL) { CACKEY_DEBUG_PRINTF("outbuffer_len_p is NULL. Returning in failure."); return(NULL); } buffer_len = *outbuffer_len_p; outbuffer_len = *outbuffer_len_p; buffer_p = buffer; if (buffer_p[0] != tag) { CACKEY_DEBUG_PRINTF("Tag found was not tag expected. Tag = %02x, Expected = %02x. Returning in failure.", (unsigned int) buffer_p[0], tag); return(NULL); } buffer_p++; buffer_len--; if ((buffer_p[0] & 0x80) == 0x80) { size = 0; idx = (buffer_p[0] & 0x7f); if (idx > buffer_len) { CACKEY_DEBUG_PRINTF("Malformed BER value -- not enough bytes available to read length (idx = %i, buffer_len = %lu)", idx, (unsigned long) buffer_len); return(NULL); } for (; idx > 0; idx--) { buffer_p++; buffer_len--; size <<= 8; size |= buffer_p[0]; } } else { size = buffer_p[0]; } buffer_p++; buffer_len--; if (size > outbuffer_len) { CACKEY_DEBUG_PRINTF("Unable to copy value buffer to outbuffer, not enough room. Value buffer length = %lu, out buffer length = %lu", (unsigned long) size, (unsigned long) outbuffer_len); return(NULL); } *outbuffer_len_p = size; if (outbuffer) { memcpy(outbuffer, buffer_p, size); buffer_p += size; buffer_len -= size; *buffer_len_p = buffer_len; CACKEY_DEBUG_PRINTBUF("BER-TLV results:", outbuffer, size); } else { memmove(buffer, buffer_p, size); buffer_p = buffer; CACKEY_DEBUG_PRINTBUF("BER-TLV results:", buffer, size); } CACKEY_DEBUG_PRINTF("Returning in success. Size of contents for tag %02x is %lu", (unsigned int) tag, (unsigned long) size); return(buffer_p); } /* * SYNPOSIS * ssize_t cackey_get_data(struct cackey_slot *slot, unsigned char *buffer, size_t buffer_len, unsigned char oid[3]); * * ARGUMENTS * struct cackey_slot *slot * Slot to send commands to * * unsigned char *buffer * [OUT] Buffer * * size_t buffer_len * Number of bytes to attempt to read * * unsigned char oid[3] * 3-byte OID to read * * * RETURN VALUE * This function returns the number of bytes actually read, or -1 on error. * * NOTES * None * */ static ssize_t cackey_get_data(struct cackey_slot *slot, unsigned char *buffer, size_t buffer_len, unsigned char oid[3]) { unsigned char cmd[] = {0x5C, 0x03, 0x00, 0x00, 0x00}; unsigned char *buffer_p; size_t init_buffer_len, size; uint16_t respcode; int send_ret; CACKEY_DEBUG_PRINTF("Called."); init_buffer_len = buffer_len; cmd[2] = oid[0]; cmd[3] = oid[1]; cmd[4] = oid[2]; /* 256 to indicate the largest message size -- not clear if this will work with all messages */ send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, NISTSP800_73_3_INSTR_GET_DATA, 0x3F, 0xFF, sizeof(cmd), cmd, 256, &respcode, buffer, &buffer_len); if (send_ret == CACKEY_PCSC_E_RETRY) { CACKEY_DEBUG_PRINTF("ADPU Sending failed, retrying read buffer"); return(cackey_get_data(slot, buffer, init_buffer_len, oid)); } if (send_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("cackey_send_apdu() failed, returning in failure"); return(-1); } #ifdef CACKEY_PARANOID # ifdef _POSIX_SSIZE_MAX if (buffer_len > _POSIX_SSIZE_MAX) { CACKEY_DEBUG_PRINTF("Read bytes (buffer_len) exceeds maximum value, returning in failure. (max = %li, buffer_len = %lu)", (long) _POSIX_SSIZE_MAX, (unsigned long) buffer_len); return(-1); } # endif #endif if (buffer_len < 2) { CACKEY_DEBUG_PRINTF("APDU GET DATA returned %lu bytes, which is too short for a BER-TLV response", (unsigned long) buffer_len); return(-1); } size = buffer_len; buffer_p = cackey_read_bertlv_tag(buffer, &buffer_len, 0x53, NULL, &size); if (buffer_p == NULL) { CACKEY_DEBUG_PRINTF("Tag decoding failed, returning in error."); return(-1); } CACKEY_DEBUG_PRINTBUF("GET DATA result", buffer, size); CACKEY_DEBUG_PRINTF("Returning in success, read %lu bytes", (unsigned long) size); return(size); } /* * SYNPOSIS * ssize_t cackey_read_buffer(struct cackey_slot *slot, unsigned char *buffer, size_t count, unsigned char t_or_v, size_t initial_offset); * * ARGUMENTS * struct cackey_slot *slot ................................................................................ } if (dest == NULL) { dest = malloc(sizeof(*dest) * count); } for (idx = 0; idx < count; idx++) { dest[idx].id_type = start[idx].id_type; switch (dest[idx].id_type) { case CACKEY_ID_TYPE_CAC: memcpy(dest[idx].card.cac.applet, start[idx].card.cac.applet, sizeof(dest[idx].card.cac.applet)); dest[idx].card.cac.file = start[idx].card.cac.file; break; case CACKEY_ID_TYPE_PIV: dest[idx].card.piv.key_id = start[idx].card.piv.key_id; memcpy(dest[idx].card.piv.label, start[idx].card.piv.label, sizeof(dest[idx].card.piv.label)); break; case CACKEY_ID_TYPE_CERT_ONLY: break; } dest[idx].certificate_len = start[idx].certificate_len; dest[idx].keysize = start[idx].keysize; dest[idx].certificate = malloc(dest[idx].certificate_len); memcpy(dest[idx].certificate, start[idx].certificate, dest[idx].certificate_len); } ................................................................................ * NOTES * ... * */ static struct cackey_pcsc_identity *cackey_read_certs(struct cackey_slot *slot, struct cackey_pcsc_identity *certs, unsigned long *count) { struct cackey_pcsc_identity *curr_id; struct cackey_tlv_entity *ccc_tlv, *ccc_curr, *app_tlv, *app_curr; unsigned char ccc_aid[] = {GSCIS_AID_CCC}, piv_aid[] = {NISTSP800_73_3_PIV_AID}; unsigned char *piv_oid, piv_oid_pivauth[] = {NISTSP800_73_3_OID_PIVAUTH}, piv_oid_signature[] = {NISTSP800_73_3_OID_SIGNATURE}, piv_oid_keymgt[] = {NISTSP800_73_3_OID_KEYMGT}; unsigned char curr_aid[7]; unsigned char buffer[8192], *buffer_p; unsigned long outidx = 0; char *piv_label; cackey_ret transaction_ret; ssize_t read_ret; size_t buffer_len; int certs_resizable; int send_ret, select_ret; int piv_key, piv = 0; int idx; CACKEY_DEBUG_PRINTF("Called."); if (count == NULL) { CACKEY_DEBUG_PRINTF("count is NULL, returning in failure"); return(NULL); ................................................................................ } if (!slot->slot_reset) { if (slot->cached_certs) { if (certs == NULL) { certs = malloc(sizeof(*certs) * slot->cached_certs_count); *count = slot->cached_certs_count; } else { if (*count > slot->cached_certs_count) { *count = slot->cached_certs_count; } } cackey_copy_certs(certs, slot->cached_certs, *count); ................................................................................ } else { certs_resizable = 0; } /* Select the CCC Applet */ send_ret = cackey_select_applet(slot, ccc_aid, sizeof(ccc_aid)); if (send_ret != CACKEY_PCSC_S_OK) { /* Try PIV application */ send_ret = cackey_select_applet(slot, piv_aid, sizeof(piv_aid)); if (send_ret == CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("We have a PIV card -- not using the CCC, pulling pre-selected keys"); piv = 1; } else { CACKEY_DEBUG_PRINTF("Unable to select CCC Applet, returning in failure"); /* Terminate SmartCard Transaction */ cackey_end_transaction(slot); return(NULL); } } if (piv) { for (idx = 0; idx < 3; idx++) { switch (idx) { case 0: piv_oid = piv_oid_pivauth; piv_key = NISTSP800_78_3_KEY_PIVAUTH; piv_label = "Authentication"; break; case 1: piv_oid = piv_oid_signature; piv_key = NISTSP800_78_3_KEY_SIGNATURE; piv_label = "Signature"; break; case 2: piv_oid = piv_oid_keymgt; piv_key = NISTSP800_78_3_KEY_KEYMGT; piv_label = "Key Management"; break; } read_ret = cackey_get_data(slot, buffer, sizeof(buffer), piv_oid); if (read_ret <= 0) { continue; } curr_id = &certs[outidx]; outidx++; curr_id->keysize = -1; curr_id->id_type = CACKEY_ID_TYPE_PIV; curr_id->card.piv.key_id = piv_key; memcpy(curr_id->card.piv.label, piv_label, strlen(piv_label) + 1); curr_id->certificate_len = read_ret; curr_id->certificate = malloc(curr_id->certificate_len); buffer_len = sizeof(buffer); buffer_p = cackey_read_bertlv_tag(buffer, &buffer_len, 0x70, curr_id->certificate, &curr_id->certificate_len); if (buffer_p == NULL) { CACKEY_DEBUG_PRINTF("Reading certificate from BER-TLV response failed, skipping key %i", idx); free(curr_id->certificate); outidx--; continue; } } } else { /* Read all the applets from the CCC's TLV */ ccc_tlv = cackey_read_tlv(slot); /* Look for CARDURLs that coorespond to PKI applets */ for (ccc_curr = ccc_tlv; ccc_curr; ccc_curr = ccc_curr->_next) { CACKEY_DEBUG_PRINTF("Found tag: %s ... ", CACKEY_DEBUG_FUNC_TAG_TO_STR(ccc_curr->tag)); if (ccc_curr->tag != GSCIS_TAG_CARDURL) { CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about CARDURLs)"); continue; } if ((ccc_curr->value_cardurl->apptype & CACKEY_TLV_APP_PKI) != CACKEY_TLV_APP_PKI) { CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about PKI applets, this applet supports: %s/%02x)", CACKEY_DEBUG_FUNC_APPTYPE_TO_STR(ccc_curr->value_cardurl->apptype), (unsigned int) ccc_curr->value_cardurl->apptype); continue; } CACKEY_DEBUG_PRINTBUF("RID:", ccc_curr->value_cardurl->rid, sizeof(ccc_curr->value_cardurl->rid)); CACKEY_DEBUG_PRINTF("AppID = %s/%04lx", CACKEY_DEBUG_FUNC_OBJID_TO_STR(ccc_curr->value_cardurl->appid), (unsigned long) ccc_curr->value_cardurl->appid); CACKEY_DEBUG_PRINTF("ObjectID = %s/%04lx", CACKEY_DEBUG_FUNC_OBJID_TO_STR(ccc_curr->value_cardurl->objectid), (unsigned long) ccc_curr->value_cardurl->objectid); memcpy(curr_aid, ccc_curr->value_cardurl->rid, sizeof(ccc_curr->value_cardurl->rid)); curr_aid[sizeof(curr_aid) - 2] = (ccc_curr->value_cardurl->appid >> 8) & 0xff; curr_aid[sizeof(curr_aid) - 1] = ccc_curr->value_cardurl->appid & 0xff; /* Select found applet ... */ select_ret = cackey_select_applet(slot, curr_aid, sizeof(curr_aid)); if (select_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Failed to select applet, skipping processing of this object"); continue; } /* ... and object (file) */ select_ret = cackey_select_file(slot, ccc_curr->value_cardurl->objectid); if (select_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Failed to select file, skipping processing of this object"); continue; } /* Process this file's TLV looking for certificates */ app_tlv = cackey_read_tlv(slot); for (app_curr = app_tlv; app_curr; app_curr = app_curr->_next) { CACKEY_DEBUG_PRINTF("Found tag: %s", CACKEY_DEBUG_FUNC_TAG_TO_STR(app_curr->tag)); if (app_curr->tag != GSCIS_TAG_CERTIFICATE) { CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about CERTIFICATEs)"); continue; } curr_id = &certs[outidx]; outidx++; curr_id->id_type = CACKEY_ID_TYPE_CAC; memcpy(curr_id->card.cac.applet, curr_aid, sizeof(curr_id->card.cac.applet)); curr_id->card.cac.file = ccc_curr->value_cardurl->objectid; curr_id->keysize = -1; CACKEY_DEBUG_PRINTF("Filling curr_id->card.cac.applet (%p) with %lu bytes:", curr_id->card.cac.applet, (unsigned long) sizeof(curr_id->card.cac.applet)); CACKEY_DEBUG_PRINTBUF("VAL:", curr_id->card.cac.applet, sizeof(curr_id->card.cac.applet)); curr_id->certificate_len = app_curr->length; curr_id->certificate = malloc(curr_id->certificate_len); memcpy(curr_id->certificate, app_curr->value, curr_id->certificate_len); if (outidx >= *count) { if (certs_resizable) { *count *= 2; certs = realloc(certs, sizeof(*certs) * (*count)); } else { break; } } } cackey_free_tlv(app_tlv); if (outidx >= *count) { break; } } cackey_free_tlv(ccc_tlv); } *count = outidx; if (certs_resizable) { certs = realloc(certs, sizeof(*certs) * (*count)); } slot->cached_certs = cackey_copy_certs(NULL, certs, *count); ................................................................................ * ... * * NOTES * ... * */ static ssize_t cackey_signdecrypt(struct cackey_slot *slot, struct cackey_identity *identity, unsigned char *buf, size_t buflen, unsigned char *outbuf, size_t outbuflen, int padInput, int unpadOutput) { cackey_pcsc_id_type id_type; unsigned char dyn_auth_template[10]; unsigned char *tmpbuf, *tmpbuf_s, *outbuf_s, *outbuf_p; unsigned char bytes_to_send, p1, class; unsigned char blocktype; cackey_ret send_ret; uint16_t respcode; ssize_t retval = 0, unpadoffset; size_t tmpbuflen, padlen, tmpoutbuflen, outbuf_len; int free_tmpbuf = 0; int le; CACKEY_DEBUG_PRINTF("Called."); if (slot == NULL) { CACKEY_DEBUG_PRINTF("Error. slot is NULL"); ................................................................................ } if (identity->pcsc_identity == NULL) { CACKEY_DEBUG_PRINTF("Error. identity->pcsc_identity is NULL"); return(-1); } id_type = identity->pcsc_identity->id_type; if (id_type == CACKEY_ID_TYPE_CERT_ONLY) { CACKEY_DEBUG_PRINTF("Error. identity->pcsc_identity is CACKEY_ID_TYPE_CERT_ONLY, which cannot be used for sign/decrypt"); return(-1); } switch (id_type) { case CACKEY_ID_TYPE_PIV: case CACKEY_ID_TYPE_CAC: break; default: CACKEY_DEBUG_PRINTF("Error. identity->pcsc_identity is not a supported value. Type is: 0x%lx (PIV = 0x%lx, CAC = 0x%lx)", (unsigned long) id_type, (unsigned long) CACKEY_ID_TYPE_PIV, (unsigned long) CACKEY_ID_TYPE_CAC); return(-1); } /* Determine identity Key size */ if (identity->pcsc_identity->keysize < 0) { identity->pcsc_identity->keysize = x509_to_keysize(identity->pcsc_identity->certificate, identity->pcsc_identity->certificate_len); } /* Pad message to key size */ ................................................................................ padlen = 0; } /* Begin transaction */ cackey_begin_transaction(slot); /* Select correct applet */ switch (id_type) { case CACKEY_ID_TYPE_CAC: CACKEY_DEBUG_PRINTF("Selecting applet found at %p ...", identity->pcsc_identity->card.cac.applet); cackey_select_applet(slot, identity->pcsc_identity->card.cac.applet, sizeof(identity->pcsc_identity->card.cac.applet)); /* Select correct file */ cackey_select_file(slot, identity->pcsc_identity->card.cac.file); break; case CACKEY_ID_TYPE_PIV: dyn_auth_template[0] = 0x7C; dyn_auth_template[1] = 0x82; dyn_auth_template[2] = ((tmpbuflen + 6) & 0xff00) >> 8; dyn_auth_template[3] = (tmpbuflen + 6) & 0x00ff; dyn_auth_template[4] = 0x82; dyn_auth_template[5] = 0x00; dyn_auth_template[6] = 0x81; dyn_auth_template[7] = 0x82; dyn_auth_template[8] = (tmpbuflen & 0xff00) >> 8; dyn_auth_template[9] = tmpbuflen & 0x00ff; send_ret = cackey_send_apdu(slot, 0x10, NISTSP800_73_3_INSTR_GENAUTH, NISTSP800_78_3_ALGO_RSA2048, identity->pcsc_identity->card.piv.key_id, sizeof(dyn_auth_template), dyn_auth_template, 0x00, NULL, NULL, NULL); break; case CACKEY_ID_TYPE_CERT_ONLY: break; } tmpbuf_s = tmpbuf; outbuf_s = outbuf; while (tmpbuflen) { tmpoutbuflen = outbuflen; if (tmpbuflen > CACKEY_APDU_MTU) { bytes_to_send = CACKEY_APDU_MTU; } else { bytes_to_send = tmpbuflen; } send_ret = CACKEY_PCSC_E_GENERIC; switch (id_type) { case CACKEY_ID_TYPE_CAC: if (tmpbuflen > CACKEY_APDU_MTU) { p1 = 0x80; le = 0x00; } else { p1 = 0x00; le = 0x00; } send_ret = cackey_send_apdu(slot, GSCIS_CLASS_GLOBAL_PLATFORM, GSCIS_INSTR_SIGNDECRYPT, p1, 0x00, bytes_to_send, tmpbuf, le, &respcode, outbuf, &tmpoutbuflen); break; case CACKEY_ID_TYPE_PIV: if (tmpbuflen > CACKEY_APDU_MTU) { class = 0x10; le = 0x00; } else { class = GSCIS_CLASS_ISO7816; le = 256; } send_ret = cackey_send_apdu(slot, class, NISTSP800_73_3_INSTR_GENAUTH, NISTSP800_78_3_ALGO_RSA2048, identity->pcsc_identity->card.piv.key_id, bytes_to_send, tmpbuf, le, &respcode, outbuf, &tmpoutbuflen); break; case CACKEY_ID_TYPE_CERT_ONLY: break; } if (send_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("ADPU Sending Failed -- returning in error."); if (free_tmpbuf) { if (tmpbuf_s) { free(tmpbuf_s); } } /* End transaction */ cackey_end_transaction(slot); if (respcode == 0x6982 || respcode == 0x6e00) { CACKEY_DEBUG_PRINTF("Security status not satisified (respcode = 0x%04x). Returning NEEDLOGIN", (int) respcode); cackey_mark_slot_reset(slot); slot->token_flags = CKF_LOGIN_REQUIRED; return(CACKEY_PCSC_E_NEEDLOGIN); } if (respcode == 0x6E00) { CACKEY_DEBUG_PRINTF("Got \"WRONG CLASS\", this means we are talking to the wrong object (likely because the card went away) -- resetting"); cackey_mark_slot_reset(slot); slot->token_flags = CKF_LOGIN_REQUIRED; return(CACKEY_PCSC_E_NEEDLOGIN); } ................................................................................ if (outbuflen > _POSIX_SSIZE_MAX) { CACKEY_DEBUG_PRINTF("Outbuflen exceeds maximum value, returning in failure. (max = %li, outbuflen = %lu)", (long) _POSIX_SSIZE_MAX, (unsigned long) outbuflen); return(-1); } # endif #endif /* We must remove the "7C" tag to get to the signature */ switch (id_type) { case CACKEY_ID_TYPE_PIV: outbuf_len = retval; outbuf_p = cackey_read_bertlv_tag(outbuf, &outbuf_len, 0x7C, NULL, &outbuf_len); if (outbuf_p == NULL) { CACKEY_DEBUG_PRINTF("Response from PIV for GENERATE AUTHENTICATION was not a 0x7C tag, returning in failure"); return(-1); } retval = outbuf_len; outbuf_len = retval; outbuf_p = cackey_read_bertlv_tag(outbuf, &outbuf_len, 0x82, NULL, &outbuf_len); if (outbuf_p == NULL) { CACKEY_DEBUG_PRINTF("Response from PIV for GENERATE AUTHENTICATION was not a 0x82 with then 0x7C tag, returning in failure"); return(-1); } retval = outbuf_len; break; case CACKEY_ID_TYPE_CAC: case CACKEY_ID_TYPE_CERT_ONLY: break; } /* Unpad reply */ if (unpadOutput) { if (retval < 3) { CACKEY_DEBUG_PRINTF("Reply is too small, we are not able to unpad -- passing back and hoping for the best!"); CACKEY_DEBUG_PRINTF("Returning in success, retval = %li (bytes)", (long) retval); ................................................................................ * ... * * NOTES * ... * */ static cackey_ret cackey_login(struct cackey_slot *slot, unsigned char *pin, unsigned long pin_len, int *tries_remaining_p) { struct cackey_pcsc_identity *pcsc_identities; unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; unsigned long num_certs; uint16_t response_code; int tries_remaining; int send_ret; int key_reference = 0x00; /* Indicate that we do not know about how many tries are remaining */ if (tries_remaining_p) { *tries_remaining_p = -1; } /* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */ if (pin_len >= 8) { memcpy(cac_pin, pin, 8); } else { memcpy(cac_pin, pin, pin_len); } /* Reject PINs which are too short */ if (pin_len < 5) { CACKEY_DEBUG_PRINTF("Rejecting PIN which is too short (length = %lu, must be atleast 5)", pin_len); return(CACKEY_PCSC_E_BADPIN); } /* PIV authentication uses a "key_reference" of 0x80 */ pcsc_identities = cackey_read_certs(slot, NULL, &num_certs); if (num_certs > 0 && pcsc_identities != NULL) { switch (pcsc_identities[0].id_type) { case CACKEY_ID_TYPE_PIV: CACKEY_DEBUG_PRINTF("We have PIV card, so we will attempt to authenticate using the PIV Application key reference"); key_reference = 0x80; break; default: break; } cackey_free_certs(pcsc_identities, num_certs, 1); } /* Issue PIN Verify */ send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_VERIFY, 0x00, key_reference, sizeof(cac_pin), cac_pin, 0x00, &response_code, NULL, NULL); if (send_ret != CACKEY_PCSC_S_OK) { if ((response_code & 0x63C0) == 0x63C0) { tries_remaining = (response_code & 0xF); CACKEY_DEBUG_PRINTF("PIN Verification failed, %i tries remaining", tries_remaining); if (tries_remaining_p) { ................................................................................ pcsc_connect_ret = cackey_connect_card(slot); if (pcsc_connect_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Unable to connect to card, returning token absent"); return(CACKEY_PCSC_E_TOKENABSENT); } CACKEY_DEBUG_PRINTF("Calling SCardStatus() to determine card status"); atr_len = sizeof(atr); status_ret = SCardStatus(slot->pcsc_card, NULL, &reader_len, &state, &protocol, atr, &atr_len); if (status_ret == SCARD_E_INVALID_HANDLE) { CACKEY_DEBUG_PRINTF("SCardStatus() returned SCARD_E_INVALID_HANDLE, marking is not already connected and trying again"); cackey_mark_slot_reset(slot); pcsc_connect_ret = cackey_connect_card(slot); if (pcsc_connect_ret != CACKEY_PCSC_S_OK) { CACKEY_DEBUG_PRINTF("Unable to connect to card, returning token absent"); return(CACKEY_PCSC_E_TOKENABSENT); } CACKEY_DEBUG_PRINTF("Calling SCardStatus() again"); atr_len = sizeof(atr); status_ret = SCardStatus(slot->pcsc_card, NULL, &reader_len, &state, &protocol, atr, &atr_len); } if (status_ret != SCARD_S_SUCCESS) { cackey_mark_slot_reset(slot); ................................................................................ CACKEY_DEBUG_PRINTF(" ... returning %lu (%p/%lu)", (unsigned long) *((CK_BBOOL *) pValue), pValue, (unsigned long) ulValueLen); break; case CKA_LABEL: CACKEY_DEBUG_PRINTF("Requesting attribute CKA_LABEL (0x%08lx) ...", (unsigned long) curr_attr_type); if (identity->id_type == CACKEY_ID_TYPE_PIV) { pValue = identity->card.piv.label; ulValueLen = strlen(pValue); } else { ulValueLen = snprintf((char *) ucTmpBuf, sizeof(ucTmpBuf), "Identity #%lu", (unsigned long) identity_num); pValue = ucTmpBuf; if (ulValueLen >= sizeof(ucTmpBuf)) { ulValueLen = 0; pValue = NULL; } } CACKEY_DEBUG_PRINTF(" ... returning (%p/%lu)", pValue, (unsigned long) ulValueLen); break; case CKA_VALUE: CACKEY_DEBUG_PRINTF("Requesting attribute CKA_VALUE (0x%08lx) ...", (unsigned long) curr_attr_type); ................................................................................ memcpy(identities[id_idx].pcsc_identity->certificate, pcsc_identities[cert_idx].certificate, pcsc_identities[cert_idx].certificate_len); id_idx++; } } if (include_extra_certs) { CACKEY_DEBUG_PRINTF("Including US Government Certificates on hardware slot"); cackey_read_dod_identities(identities + id_idx, num_dod_certs); } cackey_free_certs(pcsc_identities, num_certs, 1); *ids_found = num_ids; ................................................................................ return(NULL); } CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) { CK_C_INITIALIZE_ARGS CK_PTR args; uint32_t idx, highest_slot; int mutex_init_ret; int include_dod_certs; CACKEY_DEBUG_PRINTF("Called."); if (cackey_initialized) { CACKEY_DEBUG_PRINTF("Error. Already initialized."); return(CKR_CRYPTOKI_ALREADY_INITIALIZED); ................................................................................ cackey_slots[idx].transaction_need_hw_lock = 0; cackey_slots[idx].slot_reset = 0; cackey_slots[idx].token_flags = 0; cackey_slots[idx].label = NULL; cackey_slots[idx].internal = 0; } #ifdef CACKEY_NO_EXTRA_CERTS if (getenv("CACKEY_EXTRA_CERTS") != NULL) { include_dod_certs = 1; } else { include_dod_certs = 0; } #else if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) { include_dod_certs = 0; } else { include_dod_certs = 1; } #endif if (include_dod_certs == 0) { CACKEY_DEBUG_PRINTF("Asked not to include DoD certificates"); } else { highest_slot = (sizeof(cackey_slots) / sizeof(cackey_slots[0])) - 1; CACKEY_DEBUG_PRINTF("Including DoD certs in slot %lu", (unsigned long) highest_slot); cackey_slots[highest_slot].active = 1; cackey_slots[highest_slot].internal = 1; cackey_slots[highest_slot].label = (unsigned char *) "US Government Certificates"; cackey_slots[highest_slot].pcsc_reader = "CACKey"; cackey_slots[highest_slot].token_flags = 0; } cackey_initialized = 1; if (!cackey_biglock_init) { ................................................................................ CACKEY_DEBUG_PRINTF("Error. Mutex initialization failed."); return(CKR_CANT_LOCK); } cackey_biglock_init = 1; } /* Define a command to prompt user for a PIN */ #ifdef CACKEY_PIN_COMMAND_DEFAULT cackey_pin_command = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_DEFAULT); #endif #ifdef CACKEY_PIN_COMMAND_XONLY_DEFAULT if (getenv("DISPLAY") != NULL) { cackey_pin_command = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_XONLY_DEFAULT); } #endif if (getenv("CACKEY_PIN_COMMAND") != NULL) { cackey_pin_command = getenv("CACKEY_PIN_COMMAND"); } if (getenv("CACKEY_PIN_COMMAND_XONLY") != NULL && getenv("DISPLAY") != NULL) { cackey_pin_command = getenv("CACKEY_PIN_COMMAND_XONLY"); } CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK); return(CKR_OK); } CK_DEFINE_FUNCTION(CK_RV, C_Finalize)(CK_VOID_PTR pReserved) { ................................................................................ pInfo->hardwareVersion.major = (cackey_getversion() >> 16) & 0xff; pInfo->hardwareVersion.minor = (cackey_getversion() >> 8) & 0xff; pInfo->firmwareVersion.major = 0x00; pInfo->firmwareVersion.minor = 0x00; pInfo->flags = CKF_WRITE_PROTECTED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED | cackey_slots[slotID].token_flags; if (cackey_pin_command != NULL) { pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH; } pInfo->ulMaxSessionCount = (sizeof(cackey_sessions) / sizeof(cackey_sessions[0])) - 1; pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION; pInfo->ulMaxRwSessionCount = 0; pInfo->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION; pInfo->ulMaxPinLen = 128; pInfo->ulMinPinLen = 0; ................................................................................ CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED); return(CKR_FUNCTION_NOT_SUPPORTED); } CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) { CK_SLOT_ID slotID; FILE *pinfd; char *pincmd, pinbuf[64], *fgets_ret; int mutex_retval; int tries_remaining; int login_ret; int pclose_ret; CACKEY_DEBUG_PRINTF("Called."); if (!cackey_initialized) { CACKEY_DEBUG_PRINTF("Error. Not initialized."); return(CKR_CRYPTOKI_NOT_INITIALIZED); ................................................................................ if (cackey_slots[slotID].active == 0) { CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID); cackey_mutex_unlock(cackey_biglock); return(CKR_GENERAL_ERROR); } pincmd = cackey_pin_command; if (pincmd != NULL) { CACKEY_DEBUG_PRINTF("CACKEY_PIN_COMMAND = %s", pincmd); if (pPin != NULL) { CACKEY_DEBUG_PRINTF("Protected authentication path in effect and PIN provided !?"); } pinfd = popen(pincmd, "r"); if (pinfd == NULL) { CACKEY_DEBUG_PRINTF("Error. %s: Unable to run", pincmd); cackey_mutex_unlock(cackey_biglock); CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT); return(CKR_PIN_INCORRECT); } fgets_ret = fgets(pinbuf, sizeof(pinbuf), pinfd); if (fgets_ret == NULL) { pinbuf[0] = '\0'; } pclose_ret = pclose(pinfd); if (pclose_ret != 0) { CACKEY_DEBUG_PRINTF("Error. %s: exited with non-zero status of %i", pincmd, pclose_ret); cackey_mutex_unlock(cackey_biglock); CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT); return(CKR_PIN_INCORRECT); } if (strlen(pinbuf) < 1) { CACKEY_DEBUG_PRINTF("Error. %s: returned no data", pincmd); cackey_mutex_unlock(cackey_biglock); CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT); return(CKR_PIN_INCORRECT); } if (pinbuf[strlen(pinbuf) - 1] == '\n') { pinbuf[strlen(pinbuf) - 1] = '\0'; } pPin = (CK_UTF8CHAR_PTR) pinbuf; ulPinLen = strlen(pinbuf); } login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining); if (login_ret != CACKEY_PCSC_S_OK) { cackey_mutex_unlock(cackey_biglock); if (login_ret == CACKEY_PCSC_E_LOCKED) { CACKEY_DEBUG_PRINTF("Error. Token is locked."); cackey_slots[slotID].token_flags |= CKF_USER_PIN_LOCKED; CACKEY_DEBUG_PRINTF("Returning CKR_PIN_LOCKED (%i)", (int) CKR_PIN_LOCKED); return(CKR_PIN_LOCKED); } else if (login_ret == CACKEY_PCSC_E_BADPIN) { CACKEY_DEBUG_PRINTF("Error. Invalid PIN."); cackey_slots[slotID].token_flags |= CKF_USER_PIN_COUNT_LOW; if (tries_remaining == 1) { cackey_slots[slotID].token_flags |= CKF_USER_PIN_FINAL_TRY; } CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT); return(CKR_PIN_INCORRECT); } CACKEY_DEBUG_PRINTF("Error. Unknown error returned from cackey_login() (%i)", login_ret); return(CKR_GENERAL_ERROR); |
Modified cackey_builtin_certs.h from [093ba34f4f] to [954ba4d224].
cannot compute difference between binary files
Modified configure.ac from [b325ed9a06] to [8333de68f9].
160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 |
], [
dodcerts=yes
])
if test "${dodcerts}" = 'no'; then
AC_DEFINE(CACKEY_NO_EXTRA_CERTS, [1], [Specify that DoD certificates should not be made available])
fi
dnl Set version script, to limit the scope of symbols
DC_SETVERSIONSCRIPT(libcackey.vers, libcackey.syms)
dnl Upate LDFLAGS to include setting the run-time linker path to the same as our compile-time linker
DC_SYNC_RPATH
dnl If we updated LIBOBJS, update SHLIBOBJS -- must be last.
DC_SYNC_SHLIBOBJS
dnl Produce Makefile
AC_OUTPUT(Makefile libcackey.syms)
|
> > > > > > > > > > > > > > > > > > > > > |
160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
], [
dodcerts=yes
])
if test "${dodcerts}" = 'no'; then
AC_DEFINE(CACKEY_NO_EXTRA_CERTS, [1], [Specify that DoD certificates should not be made available])
fi
dnl Option to hard-code a command to run to request a PIN (enabling protected authentication path)
AC_ARG_WITH(pin-command, AC_HELP_STRING([--with-pin-command=<command>], [Specify a command to run to request a PIN from the user. The user may override this with the CACKEY_PIN_COMMAND environment variable.]), [
pincommand="${withval}"
], [
pincommand="no"
])
AC_ARG_WITH(pin-command-x, AC_HELP_STRING([--with-pin-command-x=<command>], [Same as --with-pin-command, but only sets Protected Authentication Path if the DISPLAY environment variable is set]), [
pincommandxonly="${withval}"
], [
pincommandxonly="no"
])
if ! test "${pincommand}" = 'no'; then
AC_DEFINE_UNQUOTED(CACKEY_PIN_COMMAND_DEFAULT, [$pincommand], [Command to run to prompt user for PIN])
fi
if ! test "${pincommandxonly}" = 'no'; then
AC_DEFINE_UNQUOTED(CACKEY_PIN_COMMAND_XONLY_DEFAULT, [$pincommandxonly], [Command to run to prompt user for PIN only if DISPLAY environment variable is set])
fi
dnl Set version script, to limit the scope of symbols
DC_SETVERSIONSCRIPT(libcackey.vers, libcackey.syms)
dnl Upate LDFLAGS to include setting the run-time linker path to the same as our compile-time linker
DC_SYNC_RPATH
dnl If we updated LIBOBJS, update SHLIBOBJS -- must be last.
DC_SYNC_SHLIBOBJS
dnl Produce Makefile
AC_OUTPUT(Makefile libcackey.syms)
|
Modified test.c from [86bd0fe2e2] to [47338c5b52].
331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 |
chk_rv = C_OpenSession(slots[0], CKF_SERIAL_SESSION, NULL, NULL, &hSession);
if (chk_rv == CKR_OK) {
chk_rv = C_GetTokenInfo(slots[0], &tokenInfo);
if (chk_rv != CKR_OK) {
return(1);
}
if ((tokenInfo.flags & CKF_LOGIN_REQUIRED) == CKF_LOGIN_REQUIRED) {
fgets_ret = NULL;
while (fgets_ret == NULL) {
printf("** ENTER PIN: ");
fflush(stdout);
fgets_ret = fgets((char *) user_pin, sizeof(user_pin), stdin);
|
| |
331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 |
chk_rv = C_OpenSession(slots[0], CKF_SERIAL_SESSION, NULL, NULL, &hSession);
if (chk_rv == CKR_OK) {
chk_rv = C_GetTokenInfo(slots[0], &tokenInfo);
if (chk_rv != CKR_OK) {
return(1);
}
if ((tokenInfo.flags & CKF_LOGIN_REQUIRED) == CKF_LOGIN_REQUIRED && (tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) == 0) {
fgets_ret = NULL;
while (fgets_ret == NULL) {
printf("** ENTER PIN: ");
fflush(stdout);
fgets_ret = fgets((char *) user_pin, sizeof(user_pin), stdin);
|