| blob | 07b446481e7a75d4573824279f1ac096ee924404 |
1 /*
2 * This is the actual card emulator.
3 *
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
8 *
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
11 */
13 /*
14 * NSS headers
15 */
17 /* avoid including prototypes.h that redefines uint32 */
18 #define NO_NSPR_10_SUPPORT
20 #include <nss.h>
21 #include <pk11pub.h>
22 #include <cert.h>
23 #include <key.h>
24 #include <secmod.h>
25 #include <prthread.h>
26 #include <secerr.h>
49 VCardEmulTriState failedX509;
50 };
57 VCardEmulType default_type;
59 PRBool present;
62 };
64 /*
65 * NSS Specific options
66 */
70 VCardEmulType card_type;
74 };
80 VCardEmulType hw_card_type;
82 PRBool use_hw;
83 };
87 /* if we have more that just the slot, define
88 * VCardEmulStruct here */
90 /*
91 * allocate the set of arrays for certs, cert_len, key
92 */
93 static void
96 {
100 }
102 /*
103 * Emulator specific card information
104 */
109 {
111 /* currently we don't need anything other than the slot */
113 }
115 static void
117 {
121 }
123 }
127 {
128 /* note, the card is holding the reference, no need to get another one */
130 }
133 /*
134 * key functions
135 */
136 /* private constructure */
139 {
145 /* NOTE: if we aren't logged into the token, this could return NULL */
146 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
147 * use the DER version of this function */
151 }
153 /* destructor */
154 void
156 {
159 }
163 }
166 }
169 }
170 }
172 /*
173 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
174 */
177 {
180 }
181 /* NOTE: if we aren't logged into the token, this could return NULL */
184 }
186 /*
187 * Map NSS errors to 7816 errors
188 */
189 static vcard_7816_status_t
191 {
206 }
208 }
210 /* RSA sign/decrypt with the key, signature happens 'in place' */
211 vcard_7816_status_t
214 {
218 SECStatus rv;
225 /* couldn't get the key, indicate that we aren't logged in */
227 }
230 /* couldn't get the key, indicate that we aren't logged in */
232 }
235 /*
236 * this is only true of the rsa signature
237 */
241 }
242 /* be able to handle larger keys if necessariy */
246 }
248 /*
249 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
250 * choke when they try to do the actual operations. Try to detect
251 * those cases and treat them as if the token didn't claim support for
252 * X_509.
253 */
263 }
264 /*
265 * we've had a successful X509 operation, this failure must be
266 * somethine else
267 */
271 }
272 /*
273 * key->failedX509 must be Unknown at this point, try the
274 * non-x_509 case
275 */
276 }
277 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
278 /* is this a PKCS #1 formatted signature? */
283 /* rsa signature pad */
286 }
287 }
289 /* yes, we have a properly formatted PKCS #1 signature */
290 /*
291 * NOTE: even if we accidentally got an encrypt buffer, which
292 * through sheer luck started with 00, 01, ff, 00, it won't matter
293 * because the resulting Sign operation will effectively decrypt
294 * the real buffer.
295 */
296 SECItem signature;
297 SECItem hash;
299 i++;
308 }
311 /*
312 * we got here because either the X509 attempt failed, or the
313 * token couldn't do the X509 operation, in either case stay
314 * with the PKCS version for future operations on this key
315 */
318 }
319 }
322 /*
323 * OK now we've decrypted the payload, package it up in PKCS #1 for the
324 * upper layer.
325 */
329 /*
330 * padding for PKCS #1 encrypted data is a string of random bytes. The
331 * random butes protect against potential decryption attacks against RSA.
332 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
333 * them. This shouldn't matter to the upper level code which should just
334 * strip this code out anyway, so We'll pad with a constant 3.
335 */
341 /*
342 * we got here because either the X509 attempt failed, or the
343 * token couldn't do the X509 operation, in either case stay
344 * with the PKCS version for future operations on this key
345 */
347 cleanup:
350 }
352 }
354 /*
355 * Login functions
356 */
357 /* return the number of login attempts still possible on the card. if unknown,
358 * return -1 */
359 int
361 {
363 }
365 /* login into the card, return the 7816 status word (sw2 || sw1) */
366 vcard_7816_status_t
368 {
372 SECStatus rv;
376 }
378 /* We depend on the PKCS #11 module internal login state here because we
379 * create a separate process to handle each guest instance. If we needed
380 * to handle multiple guests from one process, then we would need to keep
381 * a lot of extra state in our card structure
382 * */
387 /* handle CAC expanded pins correctly */
390 }
394 to be snooped */
398 }
399 /* map the error from port get error */
401 }
403 void
405 {
410 }
412 /*
413 * if we reset the card (either power on or power off), we lose our login
414 * state
415 */
416 /* TODO: we may also need to send insertion/removal events? */
419 }
424 {
430 }
438 }
440 }
444 }
446 /*
447 * create a new reader emul
448 */
451 {
463 }
465 static void
467 {
470 }
473 }
476 }
478 /*
479 * TODO: move this to emulater non-specific file
480 */
481 static VCardEmulType
483 {
489 }
492 }
493 /*
494 * TODO: move this to emulater non-specific file
495 */
498 {
504 }
507 }
509 /* pull the slot out of the reader private data */
512 {
516 }
518 }
520 /*
521 * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate
522 * historical bytes for any software emulated card. The remaining bytes can be
523 * used to indicate the actual emulator
524 */
528 void
530 {
536 }
540 }
542 /*
543 * create a new card from certs and keys
544 */
549 {
553 VCardEmulType type;
558 /* ignore the inserted card */
561 }
565 }
568 /* params these can be NULL */
573 }
578 }
581 }
584 /*
585 * 'clone' a physical card as a virtual card
586 */
589 {
590 /*
591 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
592 * us the real certs until we log in.
593 */
605 }
610 }
612 /* count the certs */
616 cert_count++;
617 }
619 /* allocate the arrays */
622 /* fill in the arrays */
626 SECItem derCert;
628 SECStatus rv;
634 }
635 /* create floating temp cert. This gives us a cert structure even if
636 * the token isn't logged in */
642 }
647 cert_count++;
649 }
651 /* now create the card */
658 }
663 /*
664 * This thread looks for card and reader insertions and puts events on the
665 * event queue
666 */
667 static void
669 {
677 /*
678 * XXX - the latency value doesn't matter one bit. you only get no
679 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
680 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
681 * value we pass get's dropped on the floor before C_WaitForSlotEvent
682 * is called.
683 */
686 /* this could be just a no event indication */
689 }
691 }
694 /* new vreader */
696 default_type_params);
698 vreader_emul_delete);
704 }
705 /* card remove/insert */
712 }
716 }
722 }
725 }
731 }
733 /* if the card is inserted when we start up, make sure our state is correct */
734 static void
736 {
744 }
745 }
747 /*
748 * each module has a separate wait call, create a thread for each module that
749 * we are using.
750 */
751 static void
753 {
757 }
766 };
769 /*
770 * NSS needs the app to supply a password prompt. In our case the only time
771 * the password is supplied is as part of the Login APDU. The actual password
772 * is passed in the pw_arg in that case. In all other cases pw_arg should be
773 * NULL.
774 */
777 {
778 /* if it didn't work the first time, don't keep trying */
781 }
782 /* we are looking up a password when we don't have one in hand */
785 }
786 /* TODO: we really should verify that were are using the right slot */
788 }
790 /* Force a card removal even if the card is not physically removed */
791 VCardEmulError
793 {
796 }
798 /* OK, remove it */
801 }
803 /* Re-insert of a card that has been removed by force removal */
804 VCardEmulError
806 {
812 }
815 /* if it's a softcard, get the saved vcard from the reader emul structure */
819 /* it must be a physical card, rebuild it */
821 /* physical card has been removed, not way to reinsert it */
823 }
825 }
830 }
833 static PRBool
835 {
843 }
850 }
851 }
854 }
856 /* Previously we returned FAIL if no readers found. This makes
857 * no sense when using hardware, since there may be no readers connected
858 * at the time vcard_emul_init is called, but they will be properly
859 * recognized later. So Instead return FAIL only if no_hw==1 and no
860 * vcards can be created (indicates error with certificates provided
861 * or db), or if any other higher level error (NSS error, missing coolkey). */
864 VCardEmulError
866 {
867 SECStatus rv;
878 }
885 }
887 /* first initialize NSS */
892 #ifndef _WIN32
894 #else
898 }
902 #endif
906 }
909 }
910 /* Set password callback function */
913 /* set up soft cards emulated by software certs rather than physical cards
914 * */
926 }
930 vreader_emul_delete);
938 /* we should have a better way of identifying certs than by
939 * nickname here */
942 NULL);
945 }
949 /* this is safe because the key is still holding a cert reference */
951 cert_count++;
952 }
958 /* allow insertion and removal of soft cards */
963 }
967 }
969 /* if we aren't suppose to use hw, skip looking up hardware tokens */
973 }
975 /* make sure we have some PKCS #11 module loaded */
983 }
984 }
987 /* now examine all the slots, finding which should be readers */
988 /* We should control this with options. For now we mirror out any
989 * removable hardware slot */
997 /* Ignore the internal module */
1000 }
1005 /* only map removable HW slots */
1008 }
1010 /*
1011 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1012 * any hardware readers. This causes problems, warn user of
1013 * problems.
1014 */
1018 }
1022 vreader_emul_delete);
1031 }
1032 }
1034 }
1039 }
1041 /* Recreate card insert events for all readers (user should
1042 * deduce implied reader insert. perhaps do a reader insert as well?)
1043 */
1044 void
1046 {
1056 }
1059 }
1061 /*
1062 * Silly little functions to help parsing our argument string
1063 */
1064 static int
1066 {
1071 count++;
1072 }
1075 }
1076 }
1078 }
1082 {
1084 }
1086 }
1090 {
1092 }
1094 }
1097 /*
1098 * We really want to use some existing argument parsing library here. That
1099 * would give us a consistent look */
1101 #define READER_STEP 4
1103 /* Expects "args" to be at the beginning of a token (ie right after the ','
1104 * ending the previous token), and puts the next token start in "token",
1105 * and its length in "token_length". "token" will not be nul-terminated.
1106 * After calling the macro, "args" will be advanced to the beginning of
1107 * the next token.
1108 * This macro may call continue or break.
1109 */
1110 #define NEXT_TOKEN(token) \
1111 (token) = args; \
1113 if (*args == 0) { \
1114 break; \
1115 } \
1117 args++; \
1118 continue; \
1119 } \
1120 (token##_length) = args - (token); \
1121 args = strip(args+1);
1123 VCardEmulOptions *
1125 {
1129 /* Allow the future use of allocating the options structure on the fly */
1137 }
1138 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1139 * cert_2,cert_3...) */
1148 VCardEmulType type;
1155 }
1170 }
1175 reader_count);
1176 }
1191 }
1193 args++;
1194 }
1196 /* use_hw= */
1203 }
1205 /* hw_type= */
1210 /* hw_params= */
1217 /* db="/data/base/path" */
1223 }
1224 args++;
1229 args++;
1230 }
1233 }
1237 }
1239 void
1241 {
1258 "These parameters come as a single string separated by blanks or newlines."
1266 }