1 /*
2 * pkcs15-pin.c: PKCS #15 PIN functions
3 *
4 * Copyright (C) 2001, 2002 Juha Yrjölä <juha.yrjola@iki.fi>
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 */
20
21 #if HAVE_CONFIG_H
22 #include "config.h"
23 #endif
24
25 #include <assert.h>
26 #include <string.h>
27 #include <stdlib.h>
28 #include <stdio.h>
29
30 #include "internal.h"
31 #include "asn1.h"
32 #include "pkcs15.h"
33 #include "ui/notify.h"
34
35 int _sc_pkcs15_verify_pin(struct sc_pkcs15_card *, struct sc_pkcs15_object *,
36 const unsigned char *, size_t);
37
38 static const struct sc_asn1_entry c_asn1_com_ao_attr[] = {
39 { "authId", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL },
40 { NULL, 0, 0, 0, NULL, NULL }
41 };
42
43 /* PIN attributes */
44 static const struct sc_asn1_entry c_asn1_pin_attr[] = {
45 { "pinFlags", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL },
46 { "pinType", SC_ASN1_ENUMERATED, SC_ASN1_TAG_ENUMERATED, 0, NULL, NULL },
47 { "minLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL },
48 { "storedLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL },
49 { "maxLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL },
50 { "pinReference", SC_ASN1_INTEGER, SC_ASN1_CTX | 0, SC_ASN1_OPTIONAL, NULL, NULL },
51 { "padChar", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_OPTIONAL, NULL, NULL },
52 { "lastPinChange",SC_ASN1_GENERALIZEDTIME, SC_ASN1_TAG_GENERALIZEDTIME, SC_ASN1_OPTIONAL, NULL, NULL },
53 { "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL },
54 { NULL, 0, 0, 0, NULL, NULL }
55 };
56 static const struct sc_asn1_entry c_asn1_type_pin_attr[] = {
57 { "pinAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL },
58 { NULL, 0, 0, 0, NULL, NULL }
59 };
60
61 /* Auth Key attributes */
62 static const struct sc_asn1_entry c_asn1_authkey_attr[] = {
63 { "derivedKey", SC_ASN1_BOOLEAN, SC_ASN1_TAG_BOOLEAN, SC_ASN1_OPTIONAL, NULL, NULL },
64 { "authKeyId", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL },
65 { NULL, 0, 0, 0, NULL, NULL }
66 };
67 static const struct sc_asn1_entry c_asn1_type_authkey_attr[] = {
68 { "authKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL },
69 { NULL, 0, 0, 0, NULL, NULL }
70 };
71 static const struct sc_asn1_entry c_asn1_auth_type[] = {
72 { "authType", SC_ASN1_CHOICE, 0, 0, NULL, NULL },
73 { NULL, 0, 0, 0, NULL, NULL }
74 };
75 static const struct sc_asn1_entry c_asn1_auth_type_choice[] = {
76 { "pin", SC_ASN1_PKCS15_OBJECT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL },
77 { "biometricTemplate", SC_ASN1_PKCS15_OBJECT, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL },
78 { "authKey", SC_ASN1_PKCS15_OBJECT, SC_ASN1_CTX | 1 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL },
79 { NULL, 0, 0, 0, NULL, NULL }
80 };
81
82
83 int
sc_pkcs15_decode_aodf_entry(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * obj,const u8 ** buf,size_t * buflen)84 sc_pkcs15_decode_aodf_entry(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *obj,
85 const u8 ** buf, size_t *buflen)
86 {
87 sc_context_t *ctx = p15card->card->ctx;
88 struct sc_pkcs15_auth_info info;
89 int r;
90 size_t flags_len = sizeof(info.attrs.pin.flags);
91 size_t derived_len = sizeof(info.attrs.authkey.derived);
92 size_t padchar_len = 1;
93 struct sc_asn1_entry asn1_com_ao_attr[2];
94 struct sc_asn1_entry asn1_pin_attr[10], asn1_type_pin_attr[2];
95 struct sc_asn1_entry asn1_authkey_attr[3], asn1_type_authkey_attr[2];
96 struct sc_asn1_entry asn1_auth_type[2];
97 struct sc_asn1_entry asn1_auth_type_choice[4];
98 struct sc_asn1_pkcs15_object pin_obj = { obj, asn1_com_ao_attr, NULL, asn1_type_pin_attr };
99 struct sc_asn1_pkcs15_object authkey_obj = { obj, asn1_com_ao_attr, NULL, asn1_type_authkey_attr };
100
101 SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_ASN1);
102
103 sc_copy_asn1_entry(c_asn1_auth_type, asn1_auth_type);
104 sc_copy_asn1_entry(c_asn1_auth_type_choice, asn1_auth_type_choice);
105
106 sc_copy_asn1_entry(c_asn1_com_ao_attr, asn1_com_ao_attr);
107
108 sc_copy_asn1_entry(c_asn1_type_pin_attr, asn1_type_pin_attr);
109 sc_copy_asn1_entry(c_asn1_pin_attr, asn1_pin_attr);
110
111 sc_copy_asn1_entry(c_asn1_type_authkey_attr, asn1_type_authkey_attr);
112 sc_copy_asn1_entry(c_asn1_authkey_attr, asn1_authkey_attr);
113
114 sc_format_asn1_entry(asn1_auth_type + 0, asn1_auth_type_choice, NULL, 0);
115 sc_format_asn1_entry(asn1_auth_type_choice + 0, &pin_obj, NULL, 0); /* 'pin' */
116 sc_format_asn1_entry(asn1_auth_type_choice + 2, &authkey_obj, NULL, 0); /* 'authKey' */
117
118 /* pinAttributes */
119 sc_format_asn1_entry(asn1_type_pin_attr + 0, asn1_pin_attr, NULL, 0);
120 sc_format_asn1_entry(asn1_pin_attr + 0, &info.attrs.pin.flags, &flags_len, 0);
121 sc_format_asn1_entry(asn1_pin_attr + 1, &info.attrs.pin.type, NULL, 0);
122 sc_format_asn1_entry(asn1_pin_attr + 2, &info.attrs.pin.min_length, NULL, 0);
123 sc_format_asn1_entry(asn1_pin_attr + 3, &info.attrs.pin.stored_length, NULL, 0);
124 sc_format_asn1_entry(asn1_pin_attr + 4, &info.attrs.pin.max_length, NULL, 0);
125 sc_format_asn1_entry(asn1_pin_attr + 5, &info.attrs.pin.reference, NULL, 0);
126 sc_format_asn1_entry(asn1_pin_attr + 6, &info.attrs.pin.pad_char, &padchar_len, 0);
127
128 /* authKeyAttributes */
129 sc_format_asn1_entry(asn1_type_authkey_attr + 0, asn1_authkey_attr, NULL, 0);
130 sc_format_asn1_entry(asn1_authkey_attr + 0, &info.attrs.authkey.derived, &derived_len, 0);
131 sc_format_asn1_entry(asn1_authkey_attr + 1, &info.attrs.authkey.skey_id, NULL, 0);
132
133 /* We don't support lastPinChange yet. */
134 sc_format_asn1_entry(asn1_pin_attr + 8, &info.path, NULL, 0);
135
136 sc_format_asn1_entry(asn1_com_ao_attr + 0, &info.auth_id, NULL, 0);
137
138 /* Fill in defaults */
139 memset(&info, 0, sizeof(info));
140 info.tries_left = -1;
141 info.logged_in = SC_PIN_STATE_UNKNOWN;
142
143 r = sc_asn1_decode(ctx, asn1_auth_type, *buf, *buflen, buf, buflen);
144 if (r == SC_ERROR_ASN1_END_OF_CONTENTS)
145 return r;
146 LOG_TEST_RET(ctx, r, "ASN.1 decoding failed");
147
148 if (asn1_auth_type_choice[0].flags & SC_ASN1_PRESENT) {
149 sc_log(ctx, "AuthType: PIN");
150 obj->type = SC_PKCS15_TYPE_AUTH_PIN;
151 info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;
152 info.auth_method = SC_AC_CHV;
153
154 if (info.attrs.pin.max_length == 0) {
155 if (p15card->card->max_pin_len != 0)
156 info.attrs.pin.max_length = p15card->card->max_pin_len;
157 else if (info.attrs.pin.stored_length != 0)
158 info.attrs.pin.max_length = info.attrs.pin.type != SC_PKCS15_PIN_TYPE_BCD ?
159 info.attrs.pin.stored_length : 2 * info.attrs.pin.stored_length;
160 else
161 info.attrs.pin.max_length = 8; /* shouldn't happen */
162 }
163
164 /* OpenSC 0.11.4 and older encoded "pinReference" as a negative
165 value. Fixed in 0.11.5 we need to add a hack, so old cards
166 continue to work.
167 The same invalid encoding has some models of the proprietary PKCS#15 cards.
168 */
169 if (info.attrs.pin.reference < 0)
170 info.attrs.pin.reference += 256;
171
172 if (info.attrs.pin.flags & SC_PKCS15_PIN_FLAG_LOCAL) {
173 /* In OpenSC pkcs#15 framework 'path' is mandatory for the 'Local' PINs.
174 * If 'path' do not present in PinAttributes, derive it from the PKCS#15 context. */
175 if (!info.path.len) {
176 /* Give priority to AID defined in the application DDO */
177 if (p15card->app && p15card->app->ddo.aid.len)
178 info.path.aid = p15card->app->ddo.aid;
179 else if (p15card->file_app && p15card->file_app->path.len)
180 info.path = p15card->file_app->path;
181 else
182 return SC_ERROR_INTERNAL;
183 }
184 }
185 sc_debug(ctx, SC_LOG_DEBUG_ASN1, "decoded PIN(ref:%X,path:%s)", info.attrs.pin.reference, sc_print_path(&info.path));
186 }
187 else if (asn1_auth_type_choice[1].flags & SC_ASN1_PRESENT) {
188 LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "BIO authentication object not yet supported");
189 }
190 else if (asn1_auth_type_choice[2].flags & SC_ASN1_PRESENT) {
191 sc_log(ctx, "AuthType: AuthKey");
192 obj->type = SC_PKCS15_TYPE_AUTH_AUTHKEY;
193 info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY;
194 info.auth_method = SC_AC_AUT;
195 if (!(asn1_authkey_attr[0].flags & SC_ASN1_PRESENT))
196 info.attrs.authkey.derived = 1;
197 }
198 else {
199 LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "unknown authentication type");
200 }
201
202 obj->data = malloc(sizeof(info));
203 if (obj->data == NULL)
204 LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
205 memcpy(obj->data, &info, sizeof(info));
206
207 SC_FUNC_RETURN(ctx, SC_LOG_DEBUG_ASN1, SC_SUCCESS);
208 }
209
sc_pkcs15_encode_aodf_entry(sc_context_t * ctx,const struct sc_pkcs15_object * obj,u8 ** buf,size_t * buflen)210 int sc_pkcs15_encode_aodf_entry(sc_context_t *ctx,
211 const struct sc_pkcs15_object *obj,
212 u8 **buf, size_t *buflen)
213 {
214 struct sc_asn1_entry asn1_com_ao_attr[2], asn1_pin_attr[10], asn1_type_pin_attr[2];
215 struct sc_asn1_entry asn1_auth_type[2];
216 struct sc_asn1_entry asn1_auth_type_choice[4];
217 struct sc_pkcs15_auth_info *info = (struct sc_pkcs15_auth_info *) obj->data;
218 struct sc_asn1_pkcs15_object pin_obj = { (struct sc_pkcs15_object *) obj,
219 asn1_com_ao_attr, NULL, asn1_type_pin_attr };
220 int r;
221 size_t flags_len;
222 size_t padchar_len = 1;
223
224 if (info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)
225 return SC_ERROR_NOT_SUPPORTED;
226
227 sc_copy_asn1_entry(c_asn1_auth_type, asn1_auth_type);
228 sc_copy_asn1_entry(c_asn1_auth_type_choice, asn1_auth_type_choice);
229 sc_copy_asn1_entry(c_asn1_type_pin_attr, asn1_type_pin_attr);
230 sc_copy_asn1_entry(c_asn1_pin_attr, asn1_pin_attr);
231 sc_copy_asn1_entry(c_asn1_com_ao_attr, asn1_com_ao_attr);
232
233 sc_format_asn1_entry(asn1_auth_type + 0, asn1_auth_type_choice, NULL, 1);
234 sc_format_asn1_entry(asn1_auth_type_choice + 0, &pin_obj, NULL, 1);
235
236 sc_format_asn1_entry(asn1_type_pin_attr + 0, asn1_pin_attr, NULL, 1);
237
238 flags_len = sizeof(info->attrs.pin.flags);
239 sc_format_asn1_entry(asn1_pin_attr + 0, &info->attrs.pin.flags, &flags_len, 1);
240 sc_format_asn1_entry(asn1_pin_attr + 1, &info->attrs.pin.type, NULL, 1);
241 sc_format_asn1_entry(asn1_pin_attr + 2, &info->attrs.pin.min_length, NULL, 1);
242 sc_format_asn1_entry(asn1_pin_attr + 3, &info->attrs.pin.stored_length, NULL, 1);
243 if (info->attrs.pin.max_length > 0)
244 sc_format_asn1_entry(asn1_pin_attr + 4, &info->attrs.pin.max_length, NULL, 1);
245 if (info->attrs.pin.reference >= 0)
246 sc_format_asn1_entry(asn1_pin_attr + 5, &info->attrs.pin.reference, NULL, 1);
247 /* FIXME: check if pad_char present */
248 sc_format_asn1_entry(asn1_pin_attr + 6, &info->attrs.pin.pad_char, &padchar_len, 1);
249 sc_format_asn1_entry(asn1_pin_attr + 8, &info->path, NULL, info->path.len ? 1 : 0);
250
251 sc_format_asn1_entry(asn1_com_ao_attr + 0, &info->auth_id, NULL, 1);
252
253 r = sc_asn1_encode(ctx, asn1_auth_type, buf, buflen);
254
255 return r;
256 }
257
258
259 static int
_validate_pin(struct sc_pkcs15_card * p15card,struct sc_pkcs15_auth_info * auth_info,size_t pinlen)260 _validate_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_auth_info *auth_info, size_t pinlen)
261 {
262 size_t max_length;
263 if (p15card == NULL) {
264 return SC_ERROR_INVALID_ARGUMENTS;
265 }
266
267 /* Ignore validation of the non-PIN authentication objects */
268 if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)
269 return SC_SUCCESS;
270
271 /* prevent buffer overflow from hostile card */
272 if (auth_info->attrs.pin.stored_length > SC_MAX_PIN_SIZE)
273 return SC_ERROR_BUFFER_TOO_SMALL;
274
275 /* if we use pinpad, no more checks are needed */
276 if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD
277 || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)
278 && !pinlen)
279 return SC_SUCCESS;
280
281 /* If pin is given, make sure it is within limits */
282 max_length = auth_info->attrs.pin.max_length != 0 ? auth_info->attrs.pin.max_length : SC_MAX_PIN_SIZE;
283 if (pinlen > max_length || pinlen < auth_info->attrs.pin.min_length)
284 return SC_ERROR_INVALID_PIN_LENGTH;
285
286 return SC_SUCCESS;
287 }
288
289 /*
290 * Verify a PIN.
291 *
292 * If the code given to us has zero length, this means we
293 * should ask the card reader to obtain the PIN from the
294 * reader's PIN pad
295 */
296 int
sc_pkcs15_verify_pin(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * pin_obj,const unsigned char * pincode,size_t pinlen)297 sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj,
298 const unsigned char *pincode, size_t pinlen)
299 {
300 struct sc_context *ctx = p15card->card->ctx;
301 struct sc_pkcs15_auth_info *auth_info;
302 int r;
303
304 LOG_FUNC_CALLED(ctx);
305
306 if (!pin_obj || !pin_obj->data)
307 LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
308 auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
309
310 /*
311 * if pin cache is disabled, we can get here with no PIN data.
312 * in this case, to avoid error or unnecessary pin prompting on pinpad,
313 * check if the PIN has been already verified and the access condition
314 * is still open on card.
315 */
316 if (pinlen == 0) {
317 r = sc_pkcs15_get_pin_info(p15card, pin_obj);
318
319 if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)
320 LOG_FUNC_RETURN(ctx, r);
321 }
322
323 r = _validate_pin(p15card, auth_info, pinlen);
324
325 if (r)
326 LOG_FUNC_RETURN(ctx, r);
327
328 r = _sc_pkcs15_verify_pin(p15card, pin_obj, pincode, pinlen);
329
330 if (r == SC_SUCCESS)
331 sc_pkcs15_pincache_add(p15card, pin_obj, pincode, pinlen);
332
333 LOG_FUNC_RETURN(ctx, r);
334 }
335
336
337 int
_sc_pkcs15_verify_pin(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * pin_obj,const unsigned char * pincode,size_t pinlen)338 _sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj,
339 const unsigned char *pincode, size_t pinlen)
340 {
341 return sc_pkcs15_verify_pin_with_session_pin(p15card, pin_obj, pincode,
342 pinlen, NULL, NULL);
343 }
344
345 /*
346 * Verify a PIN and generate a session PIN
347 *
348 * If the code given to us has zero length, this means we
349 * should ask the card reader to obtain the PIN from the
350 * reader's PIN pad
351 */
sc_pkcs15_verify_pin_with_session_pin(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * pin_obj,const unsigned char * pincode,size_t pinlen,const unsigned char * sessionpin,size_t * sessionpinlen)352 int sc_pkcs15_verify_pin_with_session_pin(struct sc_pkcs15_card *p15card,
353 struct sc_pkcs15_object *pin_obj,
354 const unsigned char *pincode, size_t pinlen,
355 const unsigned char *sessionpin, size_t *sessionpinlen)
356 {
357 struct sc_context *ctx = p15card->card->ctx;
358 struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
359 int r;
360 sc_card_t *card;
361 struct sc_pin_cmd_data data;
362
363 LOG_FUNC_CALLED(ctx);
364 sc_log(ctx,
365 "PIN(type:%X; method:%X; value(%p:%"SC_FORMAT_LEN_SIZE_T"u)",
366 auth_info->auth_type, auth_info->auth_method,
367 pincode, pinlen);
368 card = p15card->card;
369
370 if (pinlen > SC_MAX_PIN_SIZE) {
371 sc_notify_id(card->ctx, &card->reader->atr, p15card,
372 NOTIFY_PIN_BAD);
373 LOG_TEST_RET(ctx, SC_ERROR_INVALID_PIN_LENGTH, "Invalid PIN size");
374 }
375
376 /* Initialize arguments */
377 memset(&data, 0, sizeof(data));
378 data.pin_type = auth_info->auth_method;
379
380 if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_PIN) {
381 data.pin_reference = auth_info->attrs.pin.reference;
382 data.pin1.min_length = auth_info->attrs.pin.min_length;
383 data.pin1.max_length = auth_info->attrs.pin.max_length;
384 data.pin1.pad_length = auth_info->attrs.pin.stored_length;
385 data.pin1.pad_char = auth_info->attrs.pin.pad_char;
386 data.pin1.data = pincode;
387 data.pin1.len = pinlen;
388
389 if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING)
390 data.flags |= SC_PIN_CMD_NEED_PADDING;
391
392 switch (auth_info->attrs.pin.type) {
393 case SC_PKCS15_PIN_TYPE_BCD:
394 data.pin1.encoding = SC_PIN_ENCODING_BCD;
395 break;
396 case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC:
397 data.pin1.encoding = SC_PIN_ENCODING_ASCII;
398 break;
399 default:
400 /* assume/hope the card driver knows how to encode the pin */
401 data.pin1.encoding = 0;
402 }
403 }
404 else if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_AUTH_KEY) {
405 struct sc_pkcs15_object *skey_obj = NULL;
406 struct sc_pkcs15_id *skey_id = &auth_info->attrs.authkey.skey_id;
407 struct sc_pkcs15_skey_info *skey_info = NULL;
408
409 r = sc_pkcs15_find_skey_by_id(p15card, skey_id, &skey_obj);
410 if (r) {
411 sc_log(ctx, "cannot find secret key with id:%s", sc_pkcs15_print_id(skey_id));
412 LOG_FUNC_RETURN(ctx, r);
413 }
414 skey_info = (struct sc_pkcs15_skey_info *)skey_obj->data;
415
416 sc_log(ctx, "found secret key '%s'", skey_obj->label);
417 data.pin_reference = skey_info->key_reference;
418 }
419
420 if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD
421 || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) {
422 if (!pincode && !pinlen)
423 data.flags |= SC_PIN_CMD_USE_PINPAD;
424
425 if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN)
426 data.pin1.prompt = "Please enter SO PIN";
427 else
428 data.pin1.prompt = "Please enter PIN";
429 }
430
431 if (card->caps & SC_CARD_CAP_SESSION_PIN && sessionpin && sessionpinlen) {
432 /* session pin is requested and supported with standard verification*/
433 data.cmd = SC_PIN_CMD_GET_SESSION_PIN;
434 memcpy(&data.pin2, &data.pin1, sizeof (data.pin1));
435 data.pin2.data = sessionpin;
436 data.pin2.len = *sessionpinlen;
437 } else {
438 /* perform a standard verify */
439 data.cmd = SC_PIN_CMD_VERIFY;
440 if (sessionpinlen)
441 *sessionpinlen = 0;
442 }
443
444 r = sc_lock(card);
445 LOG_TEST_RET(ctx, r, "sc_lock() failed");
446
447 /* the path in the pin object is optional */
448 if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) {
449 r = sc_select_file(card, &auth_info->path, NULL);
450 if (r)
451 goto out;
452 }
453
454 r = sc_pin_cmd(card, &data, &auth_info->tries_left);
455 sc_log(ctx, "PIN cmd result %i", r);
456 if (r == SC_SUCCESS) {
457 sc_pkcs15_pincache_add(p15card, pin_obj, pincode, pinlen);
458 if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) {
459 *sessionpinlen = data.pin2.len;
460 }
461 } else {
462 sc_notify_id(card->ctx, &card->reader->atr, p15card,
463 NOTIFY_PIN_BAD);
464 if (data.cmd == SC_PIN_CMD_GET_SESSION_PIN && sessionpinlen) {
465 *sessionpinlen = 0;
466 }
467 }
468
469 if (auth_info->auth_type == SC_PKCS15_PIN_AUTH_TYPE_PIN
470 && auth_info->auth_method != SC_AC_SESSION) {
471 sc_notify_id(card->ctx, &card->reader->atr, p15card,
472 r == SC_SUCCESS ? NOTIFY_PIN_GOOD : NOTIFY_PIN_BAD);
473 }
474
475 out:
476 sc_unlock(card);
477 LOG_FUNC_RETURN(ctx, r);
478 }
479
480
481
482 /*
483 * Change a PIN.
484 */
sc_pkcs15_change_pin(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * pin_obj,const u8 * oldpin,size_t oldpinlen,const u8 * newpin,size_t newpinlen)485 int sc_pkcs15_change_pin(struct sc_pkcs15_card *p15card,
486 struct sc_pkcs15_object *pin_obj,
487 const u8 *oldpin, size_t oldpinlen,
488 const u8 *newpin, size_t newpinlen)
489 {
490 struct sc_context *ctx = p15card->card->ctx;
491 struct sc_pin_cmd_data data;
492 struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
493 struct sc_card *card;
494 int r;
495
496 LOG_FUNC_CALLED(ctx);
497 if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)
498 LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
499
500 /* make sure the pins are in valid range */
501 r = _validate_pin(p15card, auth_info, oldpinlen);
502 LOG_TEST_RET(ctx, r, "Old PIN value do not conform PIN policy");
503
504 r = _validate_pin(p15card, auth_info, newpinlen);
505 LOG_TEST_RET(ctx, r, "New PIN value do not conform PIN policy");
506
507 card = p15card->card;
508 r = sc_lock(card);
509 LOG_TEST_RET(ctx, r, "sc_lock() failed");
510 /* the path in the pin object is optional */
511 if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) {
512 r = sc_select_file(card, &auth_info->path, NULL);
513 if (r)
514 goto out;
515 }
516
517 /* set pin_cmd data */
518 memset(&data, 0, sizeof(data));
519 data.cmd = SC_PIN_CMD_CHANGE;
520 data.pin_type = SC_AC_CHV;
521 data.pin_reference = auth_info->attrs.pin.reference;
522 data.pin1.data = oldpin;
523 data.pin1.len = oldpinlen;
524 data.pin1.pad_char = auth_info->attrs.pin.pad_char;
525 data.pin1.min_length = auth_info->attrs.pin.min_length;
526 data.pin1.max_length = auth_info->attrs.pin.max_length;
527 data.pin1.pad_length = auth_info->attrs.pin.stored_length;
528 data.pin2.data = newpin;
529 data.pin2.len = newpinlen;
530 data.pin2.pad_char = auth_info->attrs.pin.pad_char;
531 data.pin2.min_length = auth_info->attrs.pin.min_length;
532 data.pin2.max_length = auth_info->attrs.pin.max_length;
533 data.pin2.pad_length = auth_info->attrs.pin.stored_length;
534
535 if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING)
536 data.flags |= SC_PIN_CMD_NEED_PADDING;
537
538 switch (auth_info->attrs.pin.type) {
539 case SC_PKCS15_PIN_TYPE_BCD:
540 data.pin1.encoding = SC_PIN_ENCODING_BCD;
541 data.pin2.encoding = SC_PIN_ENCODING_BCD;
542 break;
543 case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC:
544 data.pin1.encoding = SC_PIN_ENCODING_ASCII;
545 data.pin2.encoding = SC_PIN_ENCODING_ASCII;
546 break;
547 }
548
549 if((!oldpin || !newpin)
550 && (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD
551 || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) {
552 data.flags |= SC_PIN_CMD_USE_PINPAD;
553 if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) {
554 data.pin1.prompt = "Please enter SO PIN";
555 data.pin2.prompt = "Please enter new SO PIN";
556 }
557 else {
558 data.pin1.prompt = "Please enter PIN";
559 data.pin2.prompt = "Please enter new PIN";
560 }
561 }
562
563 r = sc_pin_cmd(card, &data, &auth_info->tries_left);
564 if (r == SC_SUCCESS)
565 sc_pkcs15_pincache_add(p15card, pin_obj, newpin, newpinlen);
566
567 out:
568 sc_unlock(card);
569 return r;
570 }
571
572 /*
573 * Unblock a PIN.
574 */
sc_pkcs15_unblock_pin(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * pin_obj,const u8 * puk,size_t puklen,const u8 * newpin,size_t newpinlen)575 int sc_pkcs15_unblock_pin(struct sc_pkcs15_card *p15card,
576 struct sc_pkcs15_object *pin_obj,
577 const u8 *puk, size_t puklen,
578 const u8 *newpin, size_t newpinlen)
579 {
580 struct sc_context *ctx = p15card->card->ctx;
581 struct sc_pin_cmd_data data;
582 struct sc_pkcs15_object *puk_obj;
583 struct sc_pkcs15_auth_info *puk_info = NULL;
584 int pukref = 0;
585 struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
586 struct sc_card *card = p15card->card;
587 int r;
588
589 LOG_FUNC_CALLED(ctx);
590 if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)
591 LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
592
593 /* make sure the pins are in valid range */
594 r = _validate_pin(p15card, auth_info, newpinlen);
595 LOG_TEST_RET(ctx, r, "New PIN value do not conform PIN policy");
596
597 /* get pin_info object of the puk (this is a little bit complicated
598 * as we don't have the id of the puk (at least now))
599 * note: for compatibility reasons we give no error if no puk object
600 * is found */
601 /* first step: try to get the pkcs15 object of the puk */
602 r = sc_pkcs15_find_pin_by_auth_id(p15card, &pin_obj->auth_id, &puk_obj);
603 if (r >= 0 && puk_obj) {
604 /* second step: get the pkcs15 info object of the puk */
605 puk_info = (struct sc_pkcs15_auth_info *)puk_obj->data;
606 pukref = puk_info->attrs.pin.reference;
607 }
608
609 if (!puk_info) {
610 sc_log(ctx, "Unable to get puk object, using pin object instead!");
611 puk_info = auth_info;
612 }
613 /* make sure the puk is in valid range */
614 r = _validate_pin(p15card, puk_info, puklen);
615 LOG_TEST_RET(ctx, r, "PIN do not conforms PIN policy");
616
617 /*
618 * With the current card driver interface we have no way of specifying different padding
619 * flags for the PIN and the PUK. Therefore reject this case.
620 */
621 if ((auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING) !=
622 (puk_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING)) {
623 LOG_TEST_RET(ctx, r, "Padding mismatch for PIN/PUK");
624 }
625
626 r = sc_lock(card);
627 LOG_TEST_RET(ctx, r, "sc_lock() failed");
628
629 /* the path in the pin object is optional */
630 if ((auth_info->path.len > 0) || ((auth_info->path.aid.len > 0))) {
631 r = sc_select_file(card, &auth_info->path, NULL);
632 if (r)
633 goto out;
634 }
635
636 /* set pin_cmd data */
637 memset(&data, 0, sizeof(data));
638 data.cmd = SC_PIN_CMD_UNBLOCK;
639 data.pin_type = SC_AC_CHV;
640 data.pin_reference = auth_info->attrs.pin.reference;
641 data.puk_reference = pukref;
642 data.pin1.data = puk;
643 data.pin1.len = puklen;
644 data.pin1.pad_char = puk_info->attrs.pin.pad_char;
645 data.pin1.min_length = puk_info->attrs.pin.min_length;
646 data.pin1.max_length = puk_info->attrs.pin.max_length;
647 data.pin1.pad_length = puk_info->attrs.pin.stored_length;
648 data.pin2.data = newpin;
649 data.pin2.len = newpinlen;
650 data.pin2.pad_char = auth_info->attrs.pin.pad_char;
651 data.pin2.min_length = auth_info->attrs.pin.min_length;
652 data.pin2.max_length = auth_info->attrs.pin.max_length;
653 data.pin2.pad_length = auth_info->attrs.pin.stored_length;
654
655 if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_NEEDS_PADDING)
656 data.flags |= SC_PIN_CMD_NEED_PADDING;
657
658 switch (auth_info->attrs.pin.type) {
659 case SC_PKCS15_PIN_TYPE_BCD:
660 data.pin1.encoding = SC_PIN_ENCODING_BCD;
661 break;
662 case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC:
663 data.pin1.encoding = SC_PIN_ENCODING_ASCII;
664 break;
665 }
666
667 switch (puk_info->attrs.pin.type) {
668 case SC_PKCS15_PIN_TYPE_BCD:
669 data.pin2.encoding = SC_PIN_ENCODING_BCD;
670 break;
671 case SC_PKCS15_PIN_TYPE_ASCII_NUMERIC:
672 data.pin2.encoding = SC_PIN_ENCODING_ASCII;
673 break;
674 }
675
676 if((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD
677 || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH)) {
678 data.flags |= SC_PIN_CMD_USE_PINPAD;
679 if (auth_info->attrs.pin.flags & SC_PKCS15_PIN_FLAG_SO_PIN) {
680 data.pin1.prompt = "Please enter PUK";
681 data.pin2.prompt = "Please enter new SO PIN";
682 }
683 else {
684 data.pin1.prompt = "Please enter PUK";
685 data.pin2.prompt = "Please enter new PIN";
686 }
687 }
688
689 r = sc_pin_cmd(card, &data, &auth_info->tries_left);
690 if (r == SC_SUCCESS)
691 sc_pkcs15_pincache_add(p15card, pin_obj, newpin, newpinlen);
692
693 out:
694 sc_unlock(card);
695 LOG_FUNC_RETURN(ctx, r);
696 }
697
sc_pkcs15_get_pin_info(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * pin_obj)698 int sc_pkcs15_get_pin_info(struct sc_pkcs15_card *p15card,
699 struct sc_pkcs15_object *pin_obj)
700 {
701 int r;
702 struct sc_pin_cmd_data data;
703 struct sc_card *card = p15card->card;
704 struct sc_context *ctx = card->ctx;
705 struct sc_pkcs15_auth_info *pin_info = (struct sc_pkcs15_auth_info *) pin_obj->data;
706
707 LOG_FUNC_CALLED(ctx);
708
709 r = sc_lock(card);
710 if (r != SC_SUCCESS)
711 return r;
712
713 if (pin_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) {
714 r = SC_ERROR_INVALID_DATA;
715 goto out;
716 }
717
718 /* the path in the pin object is optional */
719 if ((pin_info->path.len > 0) || ((pin_info->path.aid.len > 0))) {
720 r = sc_select_file(card, &pin_info->path, NULL);
721 if (r)
722 goto out;
723 }
724
725 /* Try to update PIN info from card */
726 memset(&data, 0, sizeof(data));
727 data.cmd = SC_PIN_CMD_GET_INFO;
728 data.pin_type = pin_info->auth_method;
729 data.pin_reference = pin_info->attrs.pin.reference;
730
731 r = sc_pin_cmd(card, &data, NULL);
732 if (r == SC_SUCCESS) {
733 if (data.pin1.max_tries > 0)
734 pin_info->max_tries = data.pin1.max_tries;
735 /* tries_left must be supported or sc_pin_cmd should not return SC_SUCCESS */
736 pin_info->tries_left = data.pin1.tries_left;
737 pin_info->logged_in = data.pin1.logged_in;
738 }
739
740 out:
741 sc_unlock(card);
742 LOG_FUNC_RETURN(ctx, r);
743 }
744
745
sc_pkcs15_free_auth_info(sc_pkcs15_auth_info_t * auth_info)746 void sc_pkcs15_free_auth_info(sc_pkcs15_auth_info_t *auth_info)
747 {
748 free(auth_info);
749 }
750
751
752 /* Add a PIN to the PIN cache related to the card. Some operations can trigger re-authentication later. */
sc_pkcs15_pincache_add(struct sc_pkcs15_card * p15card,struct sc_pkcs15_object * pin_obj,const u8 * pin,size_t pinlen)753 void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pin_obj,
754 const u8 *pin, size_t pinlen)
755 {
756 struct sc_context *ctx = p15card->card->ctx;
757 struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
758 struct sc_pkcs15_object *obj = NULL;
759 int r;
760
761 LOG_FUNC_CALLED(ctx);
762
763 if (!pin || !pinlen) {
764 sc_log(ctx, "No cache for zero length PIN");
765 return;
766 }
767 else if (!p15card->opts.use_pin_cache) {
768 sc_log(ctx, "PIN caching not enabled");
769 return;
770 }
771 else if (auth_info->auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) {
772 sc_log(ctx, "only 'PIN' auth. object can be cached");
773 return;
774 }
775
776 /* If the PIN protects an object with user consent, don't cache it */
777
778 obj = p15card->obj_list;
779 while (obj != NULL) {
780 /* Compare 'sc_pkcs15_object.auth_id' with 'sc_pkcs15_pin_info.auth_id'.
781 * In accordance with PKCS#15 "6.1.8 CommonObjectAttributes" and
782 * "6.1.16 CommonAuthenticationObjectAttributes" with the exception that
783 * "CommonObjectAttributes.accessControlRules" are not taken into account. */
784
785 if (sc_pkcs15_compare_id(&obj->auth_id, &auth_info->auth_id)) {
786 /* Caching is refused, if the protected object requires user consent */
787 if (!p15card->opts.pin_cache_ignore_user_consent) {
788 if (obj->user_consent > 0) {
789 sc_log(ctx, "caching refused (user consent)");
790 return;
791 }
792 }
793 }
794
795 obj = obj->next;
796 }
797
798 r = sc_pkcs15_allocate_object_content(ctx, pin_obj, pin, pinlen);
799 if (r != SC_SUCCESS) {
800 sc_log(ctx, "Failed to allocate object content");
801 return;
802 }
803
804 pin_obj->usage_counter = 0;
805 sc_log(ctx, "PIN(%s) cached", pin_obj->label);
806 }
807
808 /* Validate the PIN code associated with an object */
809 int
sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card * p15card,const sc_pkcs15_object_t * obj)810 sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs15_object_t *obj)
811 {
812 struct sc_context *ctx = p15card->card->ctx;
813 sc_pkcs15_object_t *pin_obj;
814 int r;
815
816 LOG_FUNC_CALLED(ctx);
817 if (!p15card->opts.use_pin_cache)
818 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
819
820 /* Apps that do not support CK_ALWAYS_AUTHENTICATE
821 * may need pin_cache_ignore_user_consent = 1 */
822 if (!p15card->opts.pin_cache_ignore_user_consent) {
823 if (obj->user_consent)
824 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
825 }
826
827 if ((p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD
828 || p15card->card->caps & SC_CARD_CAP_PROTECTED_AUTHENTICATION_PATH))
829 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
830
831 r = sc_pkcs15_find_pin_by_auth_id(p15card, &obj->auth_id, &pin_obj);
832 if (r != SC_SUCCESS) {
833 sc_log(ctx, "Could not find pin object for auth_id %s", sc_pkcs15_print_id(&obj->auth_id));
834 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
835 }
836
837 if (pin_obj->usage_counter >= p15card->opts.pin_cache_counter) {
838 sc_pkcs15_free_object_content(pin_obj);
839 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
840 }
841
842 if (!pin_obj->content.value || !pin_obj->content.len)
843 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
844
845 pin_obj->usage_counter++;
846 r = _sc_pkcs15_verify_pin(p15card, pin_obj, pin_obj->content.value, pin_obj->content.len);
847 if (r != SC_SUCCESS) {
848 /* Ensure that wrong PIN isn't used again */
849 sc_pkcs15_free_object_content(pin_obj);
850
851 sc_log(ctx, "Verify PIN error %i", r);
852 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
853 }
854
855 LOG_FUNC_RETURN(ctx, SC_SUCCESS);
856 }
857
sc_pkcs15_pincache_clear(struct sc_pkcs15_card * p15card)858 void sc_pkcs15_pincache_clear(struct sc_pkcs15_card *p15card)
859 {
860 struct sc_pkcs15_object *objs[32];
861 int i, r;
862
863 LOG_FUNC_CALLED(p15card->card->ctx);
864 r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 32);
865 for (i = 0; i < r; i++)
866 sc_pkcs15_free_object_content(objs[i]);
867 }
868
869