2 * implement the applets for the CAC card.
4 * This code is licensed under the GNU LGPL, version 2.1 or later.
5 * See the COPYING.LIB file in the top-level directory.
8 #include "qemu-common.h"
12 #include "vcard_emul.h"
13 #include "card_7816.h"
15 /* private data for PKI applets */
16 typedef struct CACPKIAppletDataStruct
{
19 unsigned char *cert_buffer
;
21 unsigned char *sign_buffer
;
27 * CAC applet private data
29 struct VCardAppletPrivateStruct
{
31 CACPKIAppletData pki_data
;
37 * handle all the APDU's that are common to all CAC applets
40 cac_common_process_apdu(VCard
*card
, VCardAPDU
*apdu
, VCardResponse
**response
)
43 VCardStatus ret
= VCARD_FAIL
;
45 switch (apdu
->a_ins
) {
46 case VCARD7816_INS_SELECT_FILE
:
47 if (apdu
->a_p1
!= 0x02) {
48 /* let the 7816 code handle applet switches */
52 /* handle file id setting */
53 if (apdu
->a_Lc
!= 2) {
54 *response
= vcard_make_response(
55 VCARD7816_STATUS_ERROR_DATA_INVALID
);
59 /* CAC 1.0 only supports ef = 0 */
60 ef
= apdu
->a_body
[0] | (apdu
->a_body
[1] << 8);
62 *response
= vcard_make_response(
63 VCARD7816_STATUS_ERROR_FILE_NOT_FOUND
);
67 *response
= vcard_make_response(VCARD7816_STATUS_SUCCESS
);
70 case VCARD7816_INS_GET_RESPONSE
:
71 case VCARD7816_INS_VERIFY
:
72 /* let the 7816 code handle these */
75 case CAC_GET_PROPERTIES
:
77 /* skip these for now, this will probably be needed */
78 *response
= vcard_make_response(VCARD7816_STATUS_ERROR_P1_P2_INCORRECT
);
82 *response
= vcard_make_response(
83 VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED
);
91 * reset the inter call state between applet selects
94 cac_applet_pki_reset(VCard
*card
, int channel
)
96 VCardAppletPrivate
*applet_private
;
97 CACPKIAppletData
*pki_applet
;
98 applet_private
= vcard_get_current_applet_private(card
, channel
);
99 assert(applet_private
);
100 pki_applet
= &(applet_private
->u
.pki_data
);
102 pki_applet
->cert_buffer
= NULL
;
103 if (pki_applet
->sign_buffer
) {
104 g_free(pki_applet
->sign_buffer
);
105 pki_applet
->sign_buffer
= NULL
;
107 pki_applet
->cert_buffer_len
= 0;
108 pki_applet
->sign_buffer_len
= 0;
113 cac_applet_pki_process_apdu(VCard
*card
, VCardAPDU
*apdu
,
114 VCardResponse
**response
)
116 CACPKIAppletData
*pki_applet
;
117 VCardAppletPrivate
*applet_private
;
119 unsigned char *sign_buffer
;
120 vcard_7816_status_t status
;
121 VCardStatus ret
= VCARD_FAIL
;
123 applet_private
= vcard_get_current_applet_private(card
, apdu
->a_channel
);
124 assert(applet_private
);
125 pki_applet
= &(applet_private
->u
.pki_data
);
127 switch (apdu
->a_ins
) {
128 case CAC_UPDATE_BUFFER
:
129 *response
= vcard_make_response(
130 VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED
);
133 case CAC_GET_CERTIFICATE
:
134 if ((apdu
->a_p2
!= 0) || (apdu
->a_p1
!= 0)) {
135 *response
= vcard_make_response(
136 VCARD7816_STATUS_ERROR_P1_P2_INCORRECT
);
139 assert(pki_applet
->cert
!= NULL
);
141 if (pki_applet
->cert_buffer
== NULL
) {
142 pki_applet
->cert_buffer
= pki_applet
->cert
;
143 pki_applet
->cert_buffer_len
= pki_applet
->cert_len
;
145 size
= MIN(size
, pki_applet
->cert_buffer_len
);
146 next
= MIN(255, pki_applet
->cert_buffer_len
- size
);
147 *response
= vcard_response_new_bytes(
148 card
, pki_applet
->cert_buffer
, size
,
150 VCARD7816_SW1_WARNING_CHANGE
:
151 VCARD7816_SW1_SUCCESS
,
153 pki_applet
->cert_buffer
+= size
;
154 pki_applet
->cert_buffer_len
-= size
;
155 if ((*response
== NULL
) || (next
== 0)) {
156 pki_applet
->cert_buffer
= NULL
;
158 if (*response
== NULL
) {
159 *response
= vcard_make_response(
160 VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE
);
164 case CAC_SIGN_DECRYPT
:
165 if (apdu
->a_p2
!= 0) {
166 *response
= vcard_make_response(
167 VCARD7816_STATUS_ERROR_P1_P2_INCORRECT
);
172 sign_buffer
= g_realloc(pki_applet
->sign_buffer
,
173 pki_applet
->sign_buffer_len
+ size
);
174 memcpy(sign_buffer
+pki_applet
->sign_buffer_len
, apdu
->a_body
, size
);
175 size
+= pki_applet
->sign_buffer_len
;
176 switch (apdu
->a_p1
) {
178 /* p1 == 0x80 means we haven't yet sent the whole buffer, wait for
180 pki_applet
->sign_buffer
= sign_buffer
;
181 pki_applet
->sign_buffer_len
= size
;
182 *response
= vcard_make_response(VCARD7816_STATUS_SUCCESS
);
185 /* we now have the whole buffer, do the operation, result will be
186 * in the sign_buffer */
187 status
= vcard_emul_rsa_op(card
, pki_applet
->key
,
189 if (status
!= VCARD7816_STATUS_SUCCESS
) {
190 *response
= vcard_make_response(status
);
193 *response
= vcard_response_new(card
, sign_buffer
, size
, apdu
->a_Le
,
194 VCARD7816_STATUS_SUCCESS
);
195 if (*response
== NULL
) {
196 *response
= vcard_make_response(
197 VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE
);
201 *response
= vcard_make_response(
202 VCARD7816_STATUS_ERROR_P1_P2_INCORRECT
);
206 pki_applet
->sign_buffer
= NULL
;
207 pki_applet
->sign_buffer_len
= 0;
210 case CAC_READ_BUFFER
:
211 /* new CAC call, go ahead and use the old version for now */
212 /* TODO: implement */
213 *response
= vcard_make_response(
214 VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED
);
218 ret
= cac_common_process_apdu(card
, apdu
, response
);
226 cac_applet_id_process_apdu(VCard
*card
, VCardAPDU
*apdu
,
227 VCardResponse
**response
)
229 VCardStatus ret
= VCARD_FAIL
;
231 switch (apdu
->a_ins
) {
232 case CAC_UPDATE_BUFFER
:
233 *response
= vcard_make_response(
234 VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED
);
237 case CAC_READ_BUFFER
:
238 /* new CAC call, go ahead and use the old version for now */
239 /* TODO: implement */
240 *response
= vcard_make_response(
241 VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED
);
245 ret
= cac_common_process_apdu(card
, apdu
, response
);
253 * TODO: if we ever want to support general CAC middleware, we will need to
254 * implement the various containers.
257 cac_applet_container_process_apdu(VCard
*card
, VCardAPDU
*apdu
,
258 VCardResponse
**response
)
260 VCardStatus ret
= VCARD_FAIL
;
262 switch (apdu
->a_ins
) {
263 case CAC_READ_BUFFER
:
264 case CAC_UPDATE_BUFFER
:
265 *response
= vcard_make_response(
266 VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED
);
270 ret
= cac_common_process_apdu(card
, apdu
, response
);
277 * utilities for creating and destroying the private applet data
280 cac_delete_pki_applet_private(VCardAppletPrivate
*applet_private
)
282 CACPKIAppletData
*pki_applet_data
;
284 if (applet_private
== NULL
) {
287 pki_applet_data
= &(applet_private
->u
.pki_data
);
288 if (pki_applet_data
->cert
!= NULL
) {
289 g_free(pki_applet_data
->cert
);
291 if (pki_applet_data
->sign_buffer
!= NULL
) {
292 g_free(pki_applet_data
->sign_buffer
);
294 if (pki_applet_data
->key
!= NULL
) {
295 vcard_emul_delete_key(pki_applet_data
->key
);
297 g_free(applet_private
);
300 static VCardAppletPrivate
*
301 cac_new_pki_applet_private(const unsigned char *cert
,
302 int cert_len
, VCardKey
*key
)
304 CACPKIAppletData
*pki_applet_data
;
305 VCardAppletPrivate
*applet_private
;
307 applet_private
= g_new0(VCardAppletPrivate
, 1);
308 pki_applet_data
= &(applet_private
->u
.pki_data
);
309 pki_applet_data
->cert
= (unsigned char *)g_malloc(cert_len
+1);
311 * if we want to support compression, then we simply change the 0 to a 1
312 * and compress the cert data with libz
314 pki_applet_data
->cert
[0] = 0; /* not compressed */
315 memcpy(&pki_applet_data
->cert
[1], cert
, cert_len
);
316 pki_applet_data
->cert_len
= cert_len
+1;
318 pki_applet_data
->key
= key
;
319 return applet_private
;
324 * create a new cac applet which links to a given cert
327 cac_new_pki_applet(int i
, const unsigned char *cert
,
328 int cert_len
, VCardKey
*key
)
330 VCardAppletPrivate
*applet_private
;
332 unsigned char pki_aid
[] = { 0xa0, 0x00, 0x00, 0x00, 0x79, 0x01, 0x00 };
333 int pki_aid_len
= sizeof(pki_aid
);
335 pki_aid
[pki_aid_len
-1] = i
;
337 applet_private
= cac_new_pki_applet_private(cert
, cert_len
, key
);
338 if (applet_private
== NULL
) {
341 applet
= vcard_new_applet(cac_applet_pki_process_apdu
, cac_applet_pki_reset
,
342 pki_aid
, pki_aid_len
);
343 if (applet
== NULL
) {
346 vcard_set_applet_private(applet
, applet_private
,
347 cac_delete_pki_applet_private
);
348 applet_private
= NULL
;
353 if (applet_private
!= NULL
) {
354 cac_delete_pki_applet_private(applet_private
);
360 static unsigned char cac_default_container_aid
[] = {
361 0xa0, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00 };
362 static unsigned char cac_id_aid
[] = {
363 0xa0, 0x00, 0x00, 0x00, 0x79, 0x03, 0x00 };
365 * Initialize the cac card. This is the only public function in this file. All
366 * the rest are connected through function pointers.
369 cac_card_init(VReader
*reader
, VCard
*card
,
371 unsigned char * const *cert
,
373 VCardKey
*key
[] /* adopt the keys*/,
379 /* CAC Cards are VM Cards */
380 vcard_set_type(card
, VCARD_VM
);
382 /* create one PKI applet for each cert */
383 for (i
= 0; i
< cert_count
; i
++) {
384 applet
= cac_new_pki_applet(i
, cert
[i
], cert_len
[i
], key
[i
]);
385 if (applet
== NULL
) {
388 vcard_add_applet(card
, applet
);
391 /* create a default blank container applet */
392 applet
= vcard_new_applet(cac_applet_container_process_apdu
,
393 NULL
, cac_default_container_aid
,
394 sizeof(cac_default_container_aid
));
395 if (applet
== NULL
) {
398 vcard_add_applet(card
, applet
);
400 /* create a default blank container applet */
401 applet
= vcard_new_applet(cac_applet_id_process_apdu
,
404 if (applet
== NULL
) {
407 vcard_add_applet(card
, applet
);