+++ /dev/null
-/*
- * implement the applets for the CAC card.
- *
- * This code is licensed under the GNU LGPL, version 2.1 or later.
- * See the COPYING.LIB file in the top-level directory.
- */
-
-#include "glib-compat.h"
-
-#include <string.h>
-#include <stdbool.h>
-
-#include "cac.h"
-#include "vcard.h"
-#include "vcard_emul.h"
-#include "card_7816.h"
-
-/* private data for PKI applets */
-typedef struct CACPKIAppletDataStruct {
- unsigned char *cert;
- int cert_len;
- unsigned char *cert_buffer;
- int cert_buffer_len;
- unsigned char *sign_buffer;
- int sign_buffer_len;
- VCardKey *key;
-} CACPKIAppletData;
-
-/*
- * CAC applet private data
- */
-struct VCardAppletPrivateStruct {
- union {
- CACPKIAppletData pki_data;
- void *reserved;
- } u;
-};
-
-/*
- * handle all the APDU's that are common to all CAC applets
- */
-static VCardStatus
-cac_common_process_apdu(VCard *card, VCardAPDU *apdu, VCardResponse **response)
-{
- int ef;
- VCardStatus ret = VCARD_FAIL;
-
- switch (apdu->a_ins) {
- case VCARD7816_INS_SELECT_FILE:
- if (apdu->a_p1 != 0x02) {
- /* let the 7816 code handle applet switches */
- ret = VCARD_NEXT;
- break;
- }
- /* handle file id setting */
- if (apdu->a_Lc != 2) {
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_DATA_INVALID);
- ret = VCARD_DONE;
- break;
- }
- /* CAC 1.0 only supports ef = 0 */
- ef = apdu->a_body[0] | (apdu->a_body[1] << 8);
- if (ef != 0) {
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_FILE_NOT_FOUND);
- ret = VCARD_DONE;
- break;
- }
- *response = vcard_make_response(VCARD7816_STATUS_SUCCESS);
- ret = VCARD_DONE;
- break;
- case VCARD7816_INS_GET_RESPONSE:
- case VCARD7816_INS_VERIFY:
- /* let the 7816 code handle these */
- ret = VCARD_NEXT;
- break;
- case CAC_GET_PROPERTIES:
- case CAC_GET_ACR:
- /* skip these for now, this will probably be needed */
- *response = vcard_make_response(VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
- ret = VCARD_DONE;
- break;
- default:
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
- ret = VCARD_DONE;
- break;
- }
- return ret;
-}
-
-/*
- * reset the inter call state between applet selects
- */
-static VCardStatus
-cac_applet_pki_reset(VCard *card, int channel)
-{
- VCardAppletPrivate *applet_private;
- CACPKIAppletData *pki_applet;
- applet_private = vcard_get_current_applet_private(card, channel);
- assert(applet_private);
- pki_applet = &(applet_private->u.pki_data);
-
- pki_applet->cert_buffer = NULL;
- g_free(pki_applet->sign_buffer);
- pki_applet->sign_buffer = NULL;
- pki_applet->cert_buffer_len = 0;
- pki_applet->sign_buffer_len = 0;
- return VCARD_DONE;
-}
-
-static VCardStatus
-cac_applet_pki_process_apdu(VCard *card, VCardAPDU *apdu,
- VCardResponse **response)
-{
- CACPKIAppletData *pki_applet;
- VCardAppletPrivate *applet_private;
- int size, next;
- unsigned char *sign_buffer;
- bool retain_sign_buffer = FALSE;
- vcard_7816_status_t status;
- VCardStatus ret = VCARD_FAIL;
-
- applet_private = vcard_get_current_applet_private(card, apdu->a_channel);
- assert(applet_private);
- pki_applet = &(applet_private->u.pki_data);
-
- switch (apdu->a_ins) {
- case CAC_UPDATE_BUFFER:
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED);
- ret = VCARD_DONE;
- break;
- case CAC_GET_CERTIFICATE:
- if ((apdu->a_p2 != 0) || (apdu->a_p1 != 0)) {
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
- break;
- }
- assert(pki_applet->cert != NULL);
- size = apdu->a_Le;
- if (pki_applet->cert_buffer == NULL) {
- pki_applet->cert_buffer = pki_applet->cert;
- pki_applet->cert_buffer_len = pki_applet->cert_len;
- }
- size = MIN(size, pki_applet->cert_buffer_len);
- next = MIN(255, pki_applet->cert_buffer_len - size);
- *response = vcard_response_new_bytes(
- card, pki_applet->cert_buffer, size,
- apdu->a_Le, next ?
- VCARD7816_SW1_WARNING_CHANGE :
- VCARD7816_SW1_SUCCESS,
- next);
- pki_applet->cert_buffer += size;
- pki_applet->cert_buffer_len -= size;
- if ((*response == NULL) || (next == 0)) {
- pki_applet->cert_buffer = NULL;
- }
- if (*response == NULL) {
- *response = vcard_make_response(
- VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE);
- }
- ret = VCARD_DONE;
- break;
- case CAC_SIGN_DECRYPT:
- if (apdu->a_p2 != 0) {
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
- break;
- }
- size = apdu->a_Lc;
-
- sign_buffer = g_realloc(pki_applet->sign_buffer,
- pki_applet->sign_buffer_len + size);
- memcpy(sign_buffer+pki_applet->sign_buffer_len, apdu->a_body, size);
- size += pki_applet->sign_buffer_len;
- switch (apdu->a_p1) {
- case 0x80:
- /* p1 == 0x80 means we haven't yet sent the whole buffer, wait for
- * the rest */
- pki_applet->sign_buffer = sign_buffer;
- pki_applet->sign_buffer_len = size;
- *response = vcard_make_response(VCARD7816_STATUS_SUCCESS);
- retain_sign_buffer = TRUE;
- break;
- case 0x00:
- /* we now have the whole buffer, do the operation, result will be
- * in the sign_buffer */
- status = vcard_emul_rsa_op(card, pki_applet->key,
- sign_buffer, size);
- if (status != VCARD7816_STATUS_SUCCESS) {
- *response = vcard_make_response(status);
- break;
- }
- *response = vcard_response_new(card, sign_buffer, size, apdu->a_Le,
- VCARD7816_STATUS_SUCCESS);
- if (*response == NULL) {
- *response = vcard_make_response(
- VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE);
- }
- break;
- default:
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
- break;
- }
- if (!retain_sign_buffer) {
- g_free(sign_buffer);
- pki_applet->sign_buffer = NULL;
- pki_applet->sign_buffer_len = 0;
- }
- ret = VCARD_DONE;
- break;
- case CAC_READ_BUFFER:
- /* new CAC call, go ahead and use the old version for now */
- /* TODO: implement */
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
- ret = VCARD_DONE;
- break;
- default:
- ret = cac_common_process_apdu(card, apdu, response);
- break;
- }
- return ret;
-}
-
-
-static VCardStatus
-cac_applet_id_process_apdu(VCard *card, VCardAPDU *apdu,
- VCardResponse **response)
-{
- VCardStatus ret = VCARD_FAIL;
-
- switch (apdu->a_ins) {
- case CAC_UPDATE_BUFFER:
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED);
- ret = VCARD_DONE;
- break;
- case CAC_READ_BUFFER:
- /* new CAC call, go ahead and use the old version for now */
- /* TODO: implement */
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
- ret = VCARD_DONE;
- break;
- default:
- ret = cac_common_process_apdu(card, apdu, response);
- break;
- }
- return ret;
-}
-
-
-/*
- * TODO: if we ever want to support general CAC middleware, we will need to
- * implement the various containers.
- */
-static VCardStatus
-cac_applet_container_process_apdu(VCard *card, VCardAPDU *apdu,
- VCardResponse **response)
-{
- VCardStatus ret = VCARD_FAIL;
-
- switch (apdu->a_ins) {
- case CAC_READ_BUFFER:
- case CAC_UPDATE_BUFFER:
- *response = vcard_make_response(
- VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
- ret = VCARD_DONE;
- break;
- default:
- ret = cac_common_process_apdu(card, apdu, response);
- break;
- }
- return ret;
-}
-
-/*
- * utilities for creating and destroying the private applet data
- */
-static void
-cac_delete_pki_applet_private(VCardAppletPrivate *applet_private)
-{
- CACPKIAppletData *pki_applet_data;
-
- if (applet_private == NULL) {
- return;
- }
- pki_applet_data = &(applet_private->u.pki_data);
- g_free(pki_applet_data->cert);
- g_free(pki_applet_data->sign_buffer);
- if (pki_applet_data->key != NULL) {
- vcard_emul_delete_key(pki_applet_data->key);
- }
- g_free(applet_private);
-}
-
-static VCardAppletPrivate *
-cac_new_pki_applet_private(const unsigned char *cert,
- int cert_len, VCardKey *key)
-{
- CACPKIAppletData *pki_applet_data;
- VCardAppletPrivate *applet_private;
-
- applet_private = g_new0(VCardAppletPrivate, 1);
- pki_applet_data = &(applet_private->u.pki_data);
- pki_applet_data->cert = (unsigned char *)g_malloc(cert_len+1);
- /*
- * if we want to support compression, then we simply change the 0 to a 1
- * and compress the cert data with libz
- */
- pki_applet_data->cert[0] = 0; /* not compressed */
- memcpy(&pki_applet_data->cert[1], cert, cert_len);
- pki_applet_data->cert_len = cert_len+1;
-
- pki_applet_data->key = key;
- return applet_private;
-}
-
-
-/*
- * create a new cac applet which links to a given cert
- */
-static VCardApplet *
-cac_new_pki_applet(int i, const unsigned char *cert,
- int cert_len, VCardKey *key)
-{
- VCardAppletPrivate *applet_private;
- VCardApplet *applet;
- unsigned char pki_aid[] = { 0xa0, 0x00, 0x00, 0x00, 0x79, 0x01, 0x00 };
- int pki_aid_len = sizeof(pki_aid);
-
- pki_aid[pki_aid_len-1] = i;
-
- applet_private = cac_new_pki_applet_private(cert, cert_len, key);
- if (applet_private == NULL) {
- goto failure;
- }
- applet = vcard_new_applet(cac_applet_pki_process_apdu, cac_applet_pki_reset,
- pki_aid, pki_aid_len);
- if (applet == NULL) {
- goto failure;
- }
- vcard_set_applet_private(applet, applet_private,
- cac_delete_pki_applet_private);
- applet_private = NULL;
-
- return applet;
-
-failure:
- if (applet_private != NULL) {
- cac_delete_pki_applet_private(applet_private);
- }
- return NULL;
-}
-
-
-static unsigned char cac_default_container_aid[] = {
- 0xa0, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00 };
-static unsigned char cac_id_aid[] = {
- 0xa0, 0x00, 0x00, 0x00, 0x79, 0x03, 0x00 };
-/*
- * Initialize the cac card. This is the only public function in this file. All
- * the rest are connected through function pointers.
- */
-VCardStatus
-cac_card_init(VReader *reader, VCard *card,
- const char *params,
- unsigned char * const *cert,
- int cert_len[],
- VCardKey *key[] /* adopt the keys*/,
- int cert_count)
-{
- int i;
- VCardApplet *applet;
-
- /* CAC Cards are VM Cards */
- vcard_set_type(card, VCARD_VM);
-
- /* create one PKI applet for each cert */
- for (i = 0; i < cert_count; i++) {
- applet = cac_new_pki_applet(i, cert[i], cert_len[i], key[i]);
- if (applet == NULL) {
- goto failure;
- }
- vcard_add_applet(card, applet);
- }
-
- /* create a default blank container applet */
- applet = vcard_new_applet(cac_applet_container_process_apdu,
- NULL, cac_default_container_aid,
- sizeof(cac_default_container_aid));
- if (applet == NULL) {
- goto failure;
- }
- vcard_add_applet(card, applet);
-
- /* create a default blank container applet */
- applet = vcard_new_applet(cac_applet_id_process_apdu,
- NULL, cac_id_aid,
- sizeof(cac_id_aid));
- if (applet == NULL) {
- goto failure;
- }
- vcard_add_applet(card, applet);
- return VCARD_DONE;
-
-failure:
- return VCARD_FAIL;
-}
-
Code Review / kvmfornfv.git / blobdiff