| blob | cefc38333f40dab0a9314b439ed71e9e5471f529 |
1 /*
2 * This is the actual card emulator.
3 *
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
8 *
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
11 */
13 /*
14 * NSS headers
15 */
17 /* avoid including prototypes.h that redefines uint32 */
18 #define NO_NSPR_10_SUPPORT
20 #include <nss.h>
21 #include <pk11pub.h>
22 #include <cert.h>
23 #include <key.h>
24 #include <secmod.h>
25 #include <prthread.h>
26 #include <secerr.h>
49 VCardEmulTriState failedX509;
50 };
57 VCardEmulType default_type;
59 PRBool present;
62 };
64 /*
65 * NSS Specific options
66 */
70 VCardEmulType card_type;
74 };
80 VCardEmulType hw_card_type;
82 PRBool use_hw;
83 };
87 /* if we have more that just the slot, define
88 * VCardEmulStruct here */
90 /*
91 * allocate the set of arrays for certs, cert_len, key
92 */
93 static void
96 {
100 }
102 /*
103 * Emulator specific card information
104 */
109 {
111 /* currently we don't need anything other than the slot */
113 }
115 static void
117 {
121 }
123 }
127 {
128 /* note, the card is holding the reference, no need to get another one */
130 }
133 /*
134 * key functions
135 */
136 /* private constructure */
139 {
145 /* NOTE: if we aren't logged into the token, this could return NULL */
146 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
147 * use the DER version of this function */
151 }
153 /* destructor */
154 void
156 {
159 }
163 }
166 }
169 }
170 }
172 /*
173 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
174 */
177 {
180 }
181 /* NOTE: if we aren't logged into the token, this could return NULL */
184 }
186 /*
187 * Map NSS errors to 7816 errors
188 */
189 static vcard_7816_status_t
191 {
206 }
208 }
210 /* RSA sign/decrypt with the key, signature happens 'in place' */
211 vcard_7816_status_t
214 {
218 SECStatus rv;
225 /* couldn't get the key, indicate that we aren't logged in */
227 }
230 /* couldn't get the key, indicate that we aren't logged in */
232 }
235 /*
236 * this is only true of the rsa signature
237 */
241 }
242 /* be able to handle larger keys if necessariy */
246 }
248 /*
249 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
250 * choke when they try to do the actual operations. Try to detect
251 * those cases and treat them as if the token didn't claim support for
252 * X_509.
253 */
263 }
264 /*
265 * we've had a successful X509 operation, this failure must be
266 * somethine else
267 */
271 }
272 /*
273 * key->failedX509 must be Unknown at this point, try the
274 * non-x_509 case
275 */
276 }
277 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
278 /* is this a PKCS #1 formatted signature? */
283 /* rsa signature pad */
286 }
287 }
289 /* yes, we have a properly formated PKCS #1 signature */
290 /*
291 * NOTE: even if we accidentally got an encrypt buffer, which
292 * through shear luck started with 00, 01, ff, 00, it won't matter
293 * because the resulting Sign operation will effectively decrypt
294 * the real buffer.
295 */
296 SECItem signature;
297 SECItem hash;
299 i++;
308 }
311 /*
312 * we got here because either the X509 attempt failed, or the
313 * token couldn't do the X509 operation, in either case stay
314 * with the PKCS version for future operations on this key
315 */
318 }
319 }
322 /*
323 * OK now we've decrypted the payload, package it up in PKCS #1 for the
324 * upper layer.
325 */
329 /*
330 * padding for PKCS #1 encrypted data is a string of random bytes. The
331 * random butes protect against potential decryption attacks against RSA.
332 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
333 * them. This shouldn't matter to the upper level code which should just
334 * strip this code out anyway, so We'll pad with a constant 3.
335 */
341 /*
342 * we got here because either the X509 attempt failed, or the
343 * token couldn't do the X509 operation, in either case stay
344 * with the PKCS version for future operations on this key
345 */
347 cleanup:
350 }
352 }
354 /*
355 * Login functions
356 */
357 /* return the number of login attempts still possible on the card. if unknown,
358 * return -1 */
359 int
361 {
363 }
365 /* login into the card, return the 7816 status word (sw2 || sw1) */
366 vcard_7816_status_t
368 {
372 SECStatus rv;
376 }
378 /* We depend on the PKCS #11 module internal login state here because we
379 * create a separate process to handle each guest instance. If we needed
380 * to handle multiple guests from one process, then we would need to keep
381 * a lot of extra state in our card structure
382 * */
387 /* handle CAC expanded pins correctly */
390 }
394 to be snooped */
398 }
399 /* map the error from port get error */
401 }
403 void
405 {
410 }
412 /*
413 * if we reset the card (either power on or power off), we lose our login
414 * state
415 */
416 /* TODO: we may also need to send insertion/removal events? */
419 }
424 {
430 }
438 }
440 }
444 }
446 /*
447 * create a new reader emul
448 */
451 {
463 }
465 static void
467 {
470 }
473 }
476 }
478 }
480 /*
481 * TODO: move this to emulater non-specific file
482 */
483 static VCardEmulType
485 {
491 }
494 }
495 /*
496 * TODO: move this to emulater non-specific file
497 */
500 {
506 }
509 }
511 /* pull the slot out of the reader private data */
514 {
518 }
520 }
522 /*
523 * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate
524 * historical bytes for any software emulated card. The remaining bytes can be
525 * used to indicate the actual emulator
526 */
530 void
532 {
538 }
542 }
544 /*
545 * create a new card from certs and keys
546 */
551 {
555 VCardEmulType type;
560 /* ignore the inserted card */
563 }
567 }
570 /* params these can be NULL */
575 }
580 }
583 }
586 /*
587 * 'clone' a physical card as a virtual card
588 */
591 {
592 /*
593 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
594 * us the real certs until we log in.
595 */
607 }
612 }
614 /* count the certs */
618 cert_count++;
619 }
621 /* allocate the arrays */
624 /* fill in the arrays */
628 SECItem derCert;
630 SECStatus rv;
636 }
637 /* create floating temp cert. This gives us a cert structure even if
638 * the token isn't logged in */
644 }
649 cert_count++;
651 }
653 /* now create the card */
660 }
665 /*
666 * This thread looks for card and reader insertions and puts events on the
667 * event queue
668 */
669 static void
671 {
679 /*
680 * XXX - the latency value doesn't matter one bit. you only get no
681 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
682 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
683 * value we pass get's dropped on the floor before C_WaitForSlotEvent
684 * is called.
685 */
688 /* this could be just a no event indication */
691 }
693 }
696 /* new vreader */
698 default_type_params);
700 vreader_emul_delete);
706 }
707 /* card remove/insert */
714 }
718 }
724 }
727 }
733 }
735 /* if the card is inserted when we start up, make sure our state is correct */
736 static void
738 {
746 }
747 }
749 /*
750 * each module has a separate wait call, create a thread for each module that
751 * we are using.
752 */
753 static void
755 {
759 }
768 };
771 /*
772 * NSS needs the app to supply a password prompt. In our case the only time
773 * the password is supplied is as part of the Login APDU. The actual password
774 * is passed in the pw_arg in that case. In all other cases pw_arg should be
775 * NULL.
776 */
779 {
780 /* if it didn't work the first time, don't keep trying */
783 }
784 /* we are looking up a password when we don't have one in hand */
787 }
788 /* TODO: we really should verify that were are using the right slot */
790 }
792 /* Force a card removal even if the card is not physically removed */
793 VCardEmulError
795 {
798 }
800 /* OK, remove it */
803 }
805 /* Re-insert of a card that has been removed by force removal */
806 VCardEmulError
808 {
814 }
817 /* if it's a softcard, get the saved vcard from the reader emul structure */
821 /* it must be a physical card, rebuild it */
823 /* physical card has been removed, not way to reinsert it */
825 }
827 }
832 }
835 static PRBool
837 {
845 }
852 }
853 }
856 }
858 /* Previously we returned FAIL if no readers found. This makes
859 * no sense when using hardware, since there may be no readers connected
860 * at the time vcard_emul_init is called, but they will be properly
861 * recognized later. So Instead return FAIL only if no_hw==1 and no
862 * vcards can be created (indicates error with certificates provided
863 * or db), or if any other higher level error (NSS error, missing coolkey). */
866 VCardEmulError
868 {
869 SECStatus rv;
880 }
887 }
889 /* first initialize NSS */
894 #ifndef _WIN32
896 #else
900 }
904 #endif
908 }
911 }
912 /* Set password callback function */
915 /* set up soft cards emulated by software certs rather than physical cards
916 * */
928 }
932 vreader_emul_delete);
940 /* we should have a better way of identifying certs than by
941 * nickname here */
944 NULL);
947 }
951 /* this is safe because the key is still holding a cert reference */
953 cert_count++;
954 }
960 /* allow insertion and removal of soft cards */
965 }
969 }
971 /* if we aren't suppose to use hw, skip looking up hardware tokens */
975 }
977 /* make sure we have some PKCS #11 module loaded */
985 }
986 }
989 /* now examine all the slots, finding which should be readers */
990 /* We should control this with options. For now we mirror out any
991 * removable hardware slot */
999 /* Ignore the internal module */
1002 }
1007 /* only map removable HW slots */
1010 }
1012 /*
1013 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1014 * any hardware readers. This causes problems, warn user of
1015 * problems.
1016 */
1020 }
1024 vreader_emul_delete);
1033 }
1034 }
1036 }
1041 }
1043 /* Recreate card insert events for all readers (user should
1044 * deduce implied reader insert. perhaps do a reader insert as well?)
1045 */
1046 void
1048 {
1058 }
1061 }
1063 /*
1064 * Silly little functions to help parsing our argument string
1065 */
1066 static int
1068 {
1073 count++;
1074 }
1077 }
1078 }
1080 }
1084 {
1086 }
1088 }
1092 {
1094 }
1096 }
1099 /*
1100 * We really want to use some existing argument parsing library here. That
1101 * would give us a consistent look */
1103 #define READER_STEP 4
1105 /* Expects "args" to be at the beginning of a token (ie right after the ','
1106 * ending the previous token), and puts the next token start in "token",
1107 * and its length in "token_length". "token" will not be nul-terminated.
1108 * After calling the macro, "args" will be advanced to the beginning of
1109 * the next token.
1110 * This macro may call continue or break.
1111 */
1112 #define NEXT_TOKEN(token) \
1113 (token) = args; \
1115 if (*args == 0) { \
1116 break; \
1117 } \
1119 args++; \
1120 continue; \
1121 } \
1122 (token##_length) = args - (token); \
1123 args = strip(args+1);
1125 VCardEmulOptions *
1127 {
1131 /* Allow the future use of allocating the options structure on the fly */
1139 }
1140 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1141 * cert_2,cert_3...) */
1150 VCardEmulType type;
1157 }
1172 }
1177 reader_count);
1178 }
1193 }
1195 args++;
1196 }
1198 /* use_hw= */
1205 }
1207 /* hw_type= */
1212 /* hw_params= */
1219 /* db="/data/base/path" */
1225 }
1226 args++;
1231 args++;
1232 }
1235 }
1239 }
1241 void
1243 {
1260 "These parameters come as a single string separated by blanks or newlines."
1268 }