1 /*
2 * PKCS15 emulation layer for Portugal eID card.
3 *
4 * Copyright (C) 2016-2017, Nuno Goncalves <nunojpg@gmail.com>
5 * Copyright (C) 2009, Joao Poupino <joao.poupino@ist.utl.pt>
6 * Copyright (C) 2004, Martin Paljak <martin@martinpaljak.net>
7 *
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 * Based on the PKCS#15 emulation layer for EstEID card by Martin Paljak
23 *
24 */
25
26 /*
27 * The card has a valid PKCS#15 file system. However, the private keys
28 * are missing the SC_PKCS15_CO_FLAG_PRIVATE flag and this causes problems
29 * with some applications (i.e. they don't work).
30 *
31 * The three main objectives of the emulation layer are:
32 *
33 * 1. Add the necessary SC_PKCS15_CO_FLAG_PRIVATE flag to private keys.
34 * 2. Hide "superfluous" PKCS#15 objects, e.g. PUKs (the user can't use them).
35 * 3. Improve usability by providing more descriptive names for the PINs, Keys, etc.
36 *
37 */
38
39 #if HAVE_CONFIG_H
40 #include "config.h"
41 #endif
42
43 #include <stdlib.h>
44 #include <string.h>
45 #include <stdio.h>
46
47 #include "common/compat_strlcpy.h"
48 #include "internal.h"
49 #include "pkcs15.h"
50
51 static int pteid_detect_card(struct sc_card *card);
52
53 static
dump_ef(sc_card_t * card,const char * path,u8 * buf,size_t * buf_len)54 int dump_ef(sc_card_t * card, const char *path, u8 * buf, size_t * buf_len)
55 {
56 int rv;
57 sc_file_t *file = NULL;
58 sc_path_t scpath;
59 sc_format_path(path, &scpath);
60 rv = sc_select_file(card, &scpath, &file);
61 if (rv < 0) {
62 sc_file_free(file);
63 return rv;
64 }
65 if (file->size > *buf_len) {
66 sc_file_free(file);
67 return SC_ERROR_BUFFER_TOO_SMALL;
68 }
69 rv = sc_read_binary(card, 0, buf, file->size, 0);
70 sc_file_free(file);
71 if (rv < 0)
72 return rv;
73 *buf_len = rv;
74
75 return SC_SUCCESS;
76 }
77
78 static const struct sc_asn1_entry c_asn1_odf[] = {
79 {"privateKeys", SC_ASN1_STRUCT, SC_ASN1_CTX | 0 | SC_ASN1_CONS, 0, NULL, NULL},
80 {"publicKeys", SC_ASN1_STRUCT, SC_ASN1_CTX | 1 | SC_ASN1_CONS, 0, NULL, NULL},
81 {"trustedPublicKeys", SC_ASN1_STRUCT, SC_ASN1_CTX | 2 | SC_ASN1_CONS, 0, NULL, NULL},
82 {"secretKeys", SC_ASN1_STRUCT, SC_ASN1_CTX | 3 | SC_ASN1_CONS, 0, NULL, NULL},
83 {"certificates", SC_ASN1_STRUCT, SC_ASN1_CTX | 4 | SC_ASN1_CONS, 0, NULL, NULL},
84 {"trustedCertificates", SC_ASN1_STRUCT, SC_ASN1_CTX | 5 | SC_ASN1_CONS, 0, NULL, NULL},
85 {"usefulCertificates", SC_ASN1_STRUCT, SC_ASN1_CTX | 6 | SC_ASN1_CONS, 0, NULL, NULL},
86 {"dataObjects", SC_ASN1_STRUCT, SC_ASN1_CTX | 7 | SC_ASN1_CONS, 0, NULL, NULL},
87 {"authObjects", SC_ASN1_STRUCT, SC_ASN1_CTX | 8 | SC_ASN1_CONS, 0, NULL, NULL},
88 {NULL, 0, 0, 0, NULL, NULL}
89 };
90
91 static const unsigned int odf_indexes[] = {
92 SC_PKCS15_PRKDF, //0
93 SC_PKCS15_PUKDF, //1
94 SC_PKCS15_PUKDF_TRUSTED, //2
95 SC_PKCS15_SKDF, //3
96 SC_PKCS15_CDF, //4
97 SC_PKCS15_CDF_TRUSTED, //5
98 SC_PKCS15_CDF_USEFUL, //6
99 SC_PKCS15_DODF, //7
100 SC_PKCS15_AODF, //8
101 };
102
103 static
parse_odf(const u8 * buf,size_t buflen,struct sc_pkcs15_card * p15card)104 int parse_odf(const u8 * buf, size_t buflen, struct sc_pkcs15_card *p15card)
105 {
106 const u8 *p = buf;
107 size_t left = buflen;
108 int r, i, type;
109 sc_path_t path;
110 struct sc_asn1_entry asn1_obj_or_path[] = {
111 {"path", SC_ASN1_PATH, SC_ASN1_CONS | SC_ASN1_SEQUENCE, 0,
112 &path, NULL},
113 {NULL, 0, 0, 0, NULL, NULL}
114 };
115 struct sc_asn1_entry asn1_odf[10];
116
117 sc_path_t path_prefix;
118
119 sc_format_path("3F004F00", &path_prefix);
120
121 sc_copy_asn1_entry(c_asn1_odf, asn1_odf);
122 for (i = 0; asn1_odf[i].name != NULL; i++)
123 sc_format_asn1_entry(asn1_odf + i, asn1_obj_or_path, NULL, 0);
124 while (left > 0) {
125 r = sc_asn1_decode_choice(p15card->card->ctx, asn1_odf, p, left,
126 &p, &left);
127 if (r == SC_ERROR_ASN1_END_OF_CONTENTS)
128 break;
129 if (r < 0)
130 return r;
131 type = r;
132 r = sc_pkcs15_make_absolute_path(&path_prefix, &path);
133 if (r < 0)
134 return r;
135 r = sc_pkcs15_add_df(p15card, odf_indexes[type], &path);
136 if (r)
137 return r;
138 }
139 return 0;
140 }
141
sc_pkcs15emu_pteid_init(sc_pkcs15_card_t * p15card)142 static int sc_pkcs15emu_pteid_init(sc_pkcs15_card_t * p15card)
143 {
144 u8 buf[1024];
145 sc_pkcs15_df_t *df;
146 sc_pkcs15_object_t *p15_obj;
147 sc_path_t path;
148 struct sc_file *file = NULL;
149 size_t len;
150 int rv;
151 int i;
152
153 sc_context_t *ctx = p15card->card->ctx;
154 LOG_FUNC_CALLED(ctx);
155
156 /* Check for correct card atr */
157 if (pteid_detect_card(p15card->card) != SC_SUCCESS)
158 return SC_ERROR_WRONG_CARD;
159
160 sc_log(p15card->card->ctx, "Selecting application DF");
161 sc_format_path("4F00", &path);
162 rv = sc_select_file(p15card->card, &path, &file);
163 if (rv != SC_SUCCESS || !file)
164 return SC_ERROR_INTERNAL;
165 /* set the application DF */
166 sc_file_free(p15card->file_app);
167 p15card->file_app = file;
168
169 /* Load TokenInfo */
170 len = sizeof(buf);
171 rv = dump_ef(p15card->card, "4F005032", buf, &len);
172 if (rv != SC_SUCCESS) {
173 sc_log(ctx, "Reading of EF.TOKENINFO failed: %d", rv);
174 LOG_FUNC_RETURN(ctx, rv);
175 }
176 rv = sc_pkcs15_parse_tokeninfo(p15card->card->ctx, p15card->tokeninfo,
177 buf, len);
178 if (rv != SC_SUCCESS) {
179 sc_log(ctx, "Decoding of EF.TOKENINFO failed: %d", rv);
180 LOG_FUNC_RETURN(ctx, rv);
181 }
182
183 p15card->tokeninfo->flags |= SC_PKCS15_TOKEN_PRN_GENERATION
184 | SC_PKCS15_TOKEN_EID_COMPLIANT
185 | SC_PKCS15_TOKEN_READONLY;
186
187 /* Load ODF */
188 len = sizeof(buf);
189 rv = dump_ef(p15card->card, "4F005031", buf, &len);
190 if (rv != SC_SUCCESS) {
191 sc_log(ctx, "Reading of ODF failed: %d", rv);
192 LOG_FUNC_RETURN(ctx, rv);
193 }
194 rv = parse_odf(buf, len, p15card);
195 if (rv != SC_SUCCESS) {
196 sc_log(ctx, "Decoding of ODF failed: %d", rv);
197 LOG_FUNC_RETURN(ctx, rv);
198 }
199
200 /* Decode EF.PrKDF, EF.PuKDF, EF.CDF and EF.AODF */
201 for (df = p15card->df_list; df != NULL; df = df->next) {
202 if (df->type == SC_PKCS15_PRKDF) {
203 rv = sc_pkcs15_parse_df(p15card, df);
204 if (rv != SC_SUCCESS) {
205 sc_log(ctx,
206 "Decoding of EF.PrKDF (%s) failed: %d",
207 sc_print_path(&df->path), rv);
208 }
209 }
210 if (df->type == SC_PKCS15_PUKDF) {
211 rv = sc_pkcs15_parse_df(p15card, df);
212 if (rv != SC_SUCCESS) {
213 sc_log(ctx,
214 "Decoding of EF.PuKDF (%s) failed: %d",
215 sc_print_path(&df->path), rv);
216 }
217 }
218 if (df->type == SC_PKCS15_CDF) {
219 rv = sc_pkcs15_parse_df(p15card, df);
220 if (rv != SC_SUCCESS) {
221 sc_log(ctx,
222 "Decoding of EF.CDF (%s) failed: %d",
223 sc_print_path(&df->path), rv);
224 }
225 }
226 if (df->type == SC_PKCS15_AODF) {
227 rv = sc_pkcs15_parse_df(p15card, df);
228 if (rv != SC_SUCCESS) {
229 sc_log(ctx,
230 "Decoding of EF.AODF (%s) failed: %d",
231 sc_print_path(&df->path), rv);
232 }
233 }
234 }
235
236 p15_obj = p15card->obj_list;
237 while (p15_obj != NULL) {
238 if ( p15_obj->df && (p15_obj->df->type == SC_PKCS15_PRKDF) ) {
239 struct sc_pkcs15_prkey_info *prkey_info = (sc_pkcs15_prkey_info_t *) p15_obj->data;
240 prkey_info->access_flags = SC_PKCS15_PRKEY_ACCESS_SENSITIVE
241 | SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE
242 | SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE
243 | SC_PKCS15_PRKEY_ACCESS_LOCAL;
244 p15_obj->flags = SC_PKCS15_CO_FLAG_PRIVATE;
245 }
246
247
248 if ( p15_obj->df && (p15_obj->df->type == SC_PKCS15_AODF) ) {
249 static const char *pteid_pin_names[3] = {
250 "Auth PIN",
251 "Sign PIN",
252 "Address PIN"
253 };
254
255 struct sc_pin_cmd_data pin_cmd_data;
256 struct sc_pkcs15_auth_info *pin_info = (sc_pkcs15_auth_info_t *) p15_obj->data;
257
258 strlcpy(p15_obj->label, pteid_pin_names[pin_info->auth_id.value[0]-1], sizeof(p15_obj->label));
259
260 pin_info->attrs.pin.flags |= SC_PKCS15_PIN_FLAG_NEEDS_PADDING;
261 pin_info->tries_left = -1;
262 pin_info->max_tries = 3;
263 pin_info->auth_method = SC_AC_CHV;
264
265 memset(&pin_cmd_data, 0, sizeof(pin_cmd_data));
266 pin_cmd_data.cmd = SC_PIN_CMD_GET_INFO;
267 pin_cmd_data.pin_type = pin_info->attrs.pin.type;
268 pin_cmd_data.pin_reference = pin_info->attrs.pin.reference;
269 rv = sc_pin_cmd(p15card->card, &pin_cmd_data, NULL);
270 if (rv == SC_SUCCESS) {
271 pin_info->tries_left = pin_cmd_data.pin1.tries_left;
272 pin_info->logged_in = pin_cmd_data.pin1.logged_in;
273 }
274 }
275 /* Remove found public keys as cannot be read_binary()'d */
276 if ( p15_obj->df && (p15_obj->df->type == SC_PKCS15_PUKDF) ) {
277 sc_pkcs15_object_t *puk = p15_obj;
278 p15_obj = p15_obj->next;
279 sc_pkcs15_remove_object(p15card, puk);
280 sc_pkcs15_free_object(puk);
281 } else {
282 p15_obj = p15_obj->next;
283 }
284 }
285
286 /* Add data objects */
287 for (i = 0; i < 5; i++) {
288 static const char *object_labels[5] = {
289 "Trace",
290 "Citizen Data",
291 "Citizen Address Data",
292 "SOd",
293 "Citizen Notepad",
294 };
295 static const char *object_authids[5] = {NULL, NULL, "3", NULL, NULL};
296 static const char *object_paths[5] = {
297 "3f000003",
298 "3f005f00ef02",
299 "3f005f00ef05",
300 "3f005f00ef06",
301 "3f005f00ef07",
302 };
303 static const int object_flags[5] = {
304 0,
305 0,
306 SC_PKCS15_CO_FLAG_PRIVATE,
307 0,
308 0,
309 };
310 struct sc_pkcs15_data_info obj_info;
311 struct sc_pkcs15_object obj_obj;
312
313 memset(&obj_info, 0, sizeof(obj_info));
314 memset(&obj_obj, 0, sizeof(obj_obj));
315
316 sc_format_path(object_paths[i], &obj_info.path);
317 strlcpy(obj_info.app_label, object_labels[i], SC_PKCS15_MAX_LABEL_SIZE);
318 if (object_authids[i] != NULL)
319 sc_pkcs15_format_id(object_authids[i], &obj_obj.auth_id);
320 strlcpy(obj_obj.label, object_labels[i], SC_PKCS15_MAX_LABEL_SIZE);
321 obj_obj.flags = object_flags[i];
322
323 rv = sc_pkcs15emu_object_add(p15card, SC_PKCS15_TYPE_DATA_OBJECT, &obj_obj, &obj_info);
324 if (rv != SC_SUCCESS){
325 sc_log(ctx, "Object add failed: %d", rv);
326 break;
327 }
328 }
329
330 LOG_FUNC_RETURN(ctx, SC_SUCCESS);
331 }
332
pteid_detect_card(struct sc_card * card)333 static int pteid_detect_card(struct sc_card *card)
334 {
335 if (card->type == SC_CARD_TYPE_GEMSAFEV1_PTEID)
336 return SC_SUCCESS;
337 return SC_ERROR_WRONG_CARD;
338 }
339
sc_pkcs15emu_pteid_init_ex(sc_pkcs15_card_t * p15card,struct sc_aid * aid)340 int sc_pkcs15emu_pteid_init_ex(sc_pkcs15_card_t *p15card, struct sc_aid *aid)
341 {
342 int r=SC_SUCCESS;
343 sc_context_t *ctx = p15card->card->ctx;
344 LOG_FUNC_CALLED(ctx);
345
346 /* check for proper card */
347 r = pteid_detect_card(p15card->card);
348 if (r == SC_ERROR_WRONG_CARD)
349 LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_CARD);
350 /* ok: initialize and return */
351 LOG_FUNC_RETURN(ctx, sc_pkcs15emu_pteid_init(p15card));
352 }
353