| blob | fb429b1f825c5061c2b0bc33add3f4defcd305d7 |
1 /*
2 * This is the actual card emulator.
3 *
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
8 *
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
11 */
13 /*
14 * NSS headers
15 */
17 /* avoid including prototypes.h that redefines uint32 */
18 #define NO_NSPR_10_SUPPORT
20 #include <nss.h>
21 #include <pk11pub.h>
22 #include <cert.h>
23 #include <key.h>
24 #include <secmod.h>
25 #include <prthread.h>
26 #include <secerr.h>
49 VCardEmulTriState failedX509;
50 };
57 VCardEmulType default_type;
59 PRBool present;
62 };
64 /*
65 * NSS Specific options
66 */
70 VCardEmulType card_type;
74 };
80 VCardEmulType hw_card_type;
82 PRBool use_hw;
83 };
87 /* if we have more that just the slot, define
88 * VCardEmulStruct here */
90 /*
91 * allocate the set of arrays for certs, cert_len, key
92 */
93 static void
96 {
100 }
102 /*
103 * Emulator specific card information
104 */
109 {
111 /* currently we don't need anything other than the slot */
113 }
115 static void
117 {
121 }
123 }
127 {
128 /* note, the card is holding the reference, no need to get another one */
130 }
133 /*
134 * key functions
135 */
136 /* private constructure */
139 {
145 /* NOTE: if we aren't logged into the token, this could return NULL */
146 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
147 * use the DER version of this function */
151 }
153 /* destructor */
154 void
156 {
159 }
163 }
166 }
169 }
170 }
172 /*
173 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
174 */
177 {
180 }
181 /* NOTE: if we aren't logged into the token, this could return NULL */
184 }
186 /*
187 * Map NSS errors to 7816 errors
188 */
189 static vcard_7816_status_t
191 {
206 }
208 }
210 /* RSA sign/decrypt with the key, signature happens 'in place' */
211 vcard_7816_status_t
214 {
218 SECStatus rv;
225 /* couldn't get the key, indicate that we aren't logged in */
227 }
230 /* couldn't get the key, indicate that we aren't logged in */
232 }
235 /*
236 * this is only true of the rsa signature
237 */
241 }
242 /* be able to handle larger keys if necessariy */
246 }
248 /*
249 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
250 * choke when they try to do the actual operations. Try to detect
251 * those cases and treat them as if the token didn't claim support for
252 * X_509.
253 */
263 }
264 /*
265 * we've had a successful X509 operation, this failure must be
266 * somethine else
267 */
271 }
272 /*
273 * key->failedX509 must be Unknown at this point, try the
274 * non-x_509 case
275 */
276 }
277 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
278 /* is this a PKCS #1 formatted signature? */
283 /* rsa signature pad */
286 }
287 }
289 /* yes, we have a properly formated PKCS #1 signature */
290 /*
291 * NOTE: even if we accidentally got an encrypt buffer, which
292 * through shear luck started with 00, 01, ff, 00, it won't matter
293 * because the resulting Sign operation will effectively decrypt
294 * the real buffer.
295 */
296 SECItem signature;
297 SECItem hash;
299 i++;
308 }
311 /*
312 * we got here because either the X509 attempt failed, or the
313 * token couldn't do the X509 operation, in either case stay
314 * with the PKCS version for future operations on this key
315 */
318 }
319 }
322 /*
323 * OK now we've decrypted the payload, package it up in PKCS #1 for the
324 * upper layer.
325 */
329 /*
330 * padding for PKCS #1 encrypted data is a string of random bytes. The
331 * random butes protect against potential decryption attacks against RSA.
332 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
333 * them. This shouldn't matter to the upper level code which should just
334 * strip this code out anyway, so We'll pad with a constant 3.
335 */
341 /*
342 * we got here because either the X509 attempt failed, or the
343 * token couldn't do the X509 operation, in either case stay
344 * with the PKCS version for future operations on this key
345 */
347 cleanup:
350 }
352 }
354 /*
355 * Login functions
356 */
357 /* return the number of login attempts still possible on the card. if unknown,
358 * return -1 */
359 int
361 {
363 }
365 /* login into the card, return the 7816 status word (sw2 || sw1) */
366 vcard_7816_status_t
368 {
372 SECStatus rv;
376 }
378 /* We depend on the PKCS #11 module internal login state here because we
379 * create a separate process to handle each guest instance. If we needed
380 * to handle multiple guests from one process, then we would need to keep
381 * a lot of extra state in our card structure
382 * */
387 /* handle CAC expanded pins correctly */
390 }
394 to be snooped */
398 }
399 /* map the error from port get error */
401 }
403 void
405 {
410 }
412 /*
413 * if we reset the card (either power on or power off), we lose our login
414 * state
415 */
416 /* TODO: we may also need to send insertion/removal events? */
419 }
424 {
430 }
437 }
439 }
442 }
444 /*
445 * create a new reader emul
446 */
449 {
461 }
463 static void
465 {
468 }
471 }
474 }
476 }
478 /*
479 * TODO: move this to emulater non-specific file
480 */
481 static VCardEmulType
483 {
489 }
492 }
493 /*
494 * TODO: move this to emulater non-specific file
495 */
498 {
504 }
507 }
509 /* pull the slot out of the reader private data */
512 {
516 }
518 }
520 /*
521 * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate
522 * historical bytes for any software emulated card. The remaining bytes can be
523 * used to indicate the actual emulator
524 */
528 void
530 {
536 }
540 }
542 /*
543 * create a new card from certs and keys
544 */
549 {
553 VCardEmulType type;
558 /* ignore the inserted card */
561 }
565 }
568 /* params these can be NULL */
573 }
578 }
581 }
584 /*
585 * 'clone' a physical card as a virtual card
586 */
589 {
590 /*
591 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
592 * us the real certs until we log in.
593 */
605 }
610 }
612 /* count the certs */
616 cert_count++;
617 }
622 }
624 /* allocate the arrays */
627 /* fill in the arrays */
631 SECItem derCert;
633 SECStatus rv;
639 }
640 /* create floating temp cert. This gives us a cert structure even if
641 * the token isn't logged in */
647 }
652 cert_count++;
654 }
656 /* now create the card */
663 }
668 /*
669 * This thread looks for card and reader insertions and puts events on the
670 * event queue
671 */
672 static void
674 {
682 /*
683 * XXX - the latency value doesn't matter one bit. you only get no
684 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
685 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
686 * value we pass get's dropped on the floor before C_WaitForSlotEvent
687 * is called.
688 */
691 /* this could be just a no event indication */
694 }
696 }
699 /* new vreader */
701 default_type_params);
703 vreader_emul_delete);
709 }
710 /* card remove/insert */
717 }
721 }
727 }
730 }
736 }
738 /* if the card is inserted when we start up, make sure our state is correct */
739 static void
741 {
749 }
750 }
752 /*
753 * each module has a separate wait call, create a thread for each module that
754 * we are using.
755 */
756 static void
758 {
762 }
771 };
774 /*
775 * NSS needs the app to supply a password prompt. In our case the only time
776 * the password is supplied is as part of the Login APDU. The actual password
777 * is passed in the pw_arg in that case. In all other cases pw_arg should be
778 * NULL.
779 */
782 {
783 /* if it didn't work the first time, don't keep trying */
786 }
787 /* we are looking up a password when we don't have one in hand */
790 }
791 /* TODO: we really should verify that were are using the right slot */
793 }
795 /* Force a card removal even if the card is not physically removed */
796 VCardEmulError
798 {
801 }
803 /* OK, remove it */
806 }
808 /* Re-insert of a card that has been removed by force removal */
809 VCardEmulError
811 {
817 }
820 /* if it's a softcard, get the saved vcard from the reader emul structure */
824 /* it must be a physical card, rebuild it */
826 /* physical card has been removed, not way to reinsert it */
828 }
830 }
835 }
838 static PRBool
840 {
848 }
855 }
856 }
859 }
861 /* Previously we returned FAIL if no readers found. This makes
862 * no sense when using hardware, since there may be no readers connected
863 * at the time vcard_emul_init is called, but they will be properly
864 * recognized later. So Instead return FAIL only if no_hw==1 and no
865 * vcards can be created (indicates error with certificates provided
866 * or db), or if any other higher level error (NSS error, missing coolkey). */
869 VCardEmulError
871 {
872 SECStatus rv;
883 }
890 }
892 /* first initialize NSS */
897 #ifndef _WIN32
899 #else
903 }
907 #endif
911 }
914 }
915 /* Set password callback function */
918 /* set up soft cards emulated by software certs rather than physical cards
919 * */
931 }
935 vreader_emul_delete);
944 /* we should have a better way of identifying certs than by
945 * nickname here */
948 NULL);
951 }
955 /* this is safe because the key is still holding a cert reference */
957 cert_count++;
958 }
964 /* allow insertion and removal of soft cards */
969 }
973 }
975 /* if we aren't suppose to use hw, skip looking up hardware tokens */
979 }
981 /* make sure we have some PKCS #11 module loaded */
989 }
990 }
993 /* now examine all the slots, finding which should be readers */
994 /* We should control this with options. For now we mirror out any
995 * removable hardware slot */
1003 /* Ignore the internal module */
1006 }
1011 /* only map removable HW slots */
1014 }
1016 /*
1017 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1018 * any hardware readers. This causes problems, warn user of
1019 * problems.
1020 */
1024 }
1028 vreader_emul_delete);
1037 }
1038 }
1040 }
1045 }
1047 /* Recreate card insert events for all readers (user should
1048 * deduce implied reader insert. perhaps do a reader insert as well?)
1049 */
1050 void
1052 {
1062 }
1063 }
1065 /*
1066 * Silly little functions to help parsing our argument string
1067 */
1068 static int
1070 {
1075 count++;
1076 }
1079 }
1080 }
1082 }
1086 {
1088 }
1090 }
1094 {
1096 }
1098 }
1101 /*
1102 * We really want to use some existing argument parsing library here. That
1103 * would give us a consistent look */
1105 #define READER_STEP 4
1107 /* Expects "args" to be at the beginning of a token (ie right after the ','
1108 * ending the previous token), and puts the next token start in "token",
1109 * and its length in "token_length". "token" will not be nul-terminated.
1110 * After calling the macro, "args" will be advanced to the beginning of
1111 * the next token.
1112 * This macro may call continue or break.
1113 */
1114 #define NEXT_TOKEN(token) \
1115 (token) = args; \
1117 if (*args == 0) { \
1118 break; \
1119 } \
1121 args++; \
1122 continue; \
1123 } \
1124 (token##_length) = args - (token); \
1125 args = strip(args+1);
1127 VCardEmulOptions *
1129 {
1133 /* Allow the future use of allocating the options structure on the fly */
1141 }
1142 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1143 * cert_2,cert_3...) */
1152 VCardEmulType type;
1159 }
1173 }
1181 }
1182 }
1198 }
1200 args++;
1201 }
1203 /* use_hw= */
1210 }
1212 /* hw_type= */
1217 /* hw_params= */
1224 /* db="/data/base/path" */
1230 }
1231 args++;
1236 args++;
1237 }
1240 }
1244 }
1246 void
1248 {
1265 "These parameters come as a single string separated by blanks or newlines."
1273 }