| blob | d9761eedc2e2492ce6b36fa016fbb99b6b36191e |
1 /*
2 * This is the actual card emulator.
3 *
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
8 *
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
11 */
13 /*
14 * NSS headers
15 */
17 /* avoid including prototypes.h that redefines uint32 */
18 #define NO_NSPR_10_SUPPORT
20 #include <nss.h>
21 #include <pk11pub.h>
22 #include <cert.h>
23 #include <key.h>
24 #include <secmod.h>
25 #include <prthread.h>
26 #include <secerr.h>
49 VCardEmulTriState failedX509;
50 };
57 VCardEmulType default_type;
59 PRBool present;
62 };
64 /*
65 * NSS Specific options
66 */
70 VCardEmulType card_type;
74 };
80 VCardEmulType hw_card_type;
82 PRBool use_hw;
83 };
87 /* if we have more that just the slot, define
88 * VCardEmulStruct here */
90 /*
91 * allocate the set of arrays for certs, cert_len, key
92 */
93 static void
96 {
100 }
102 /*
103 * Emulator specific card information
104 */
109 {
111 /* currently we don't need anything other than the slot */
113 }
115 static void
117 {
121 }
123 }
127 {
128 /* note, the card is holding the reference, no need to get another one */
130 }
133 /*
134 * key functions
135 */
136 /* private constructure */
139 {
145 /* NOTE: if we aren't logged into the token, this could return NULL */
146 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
147 * use the DER version of this function */
151 }
153 /* destructor */
154 void
156 {
159 }
163 }
166 }
169 }
170 }
172 /*
173 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
174 */
177 {
180 }
181 /* NOTE: if we aren't logged into the token, this could return NULL */
184 }
186 /*
187 * Map NSS errors to 7816 errors
188 */
189 static vcard_7816_status_t
191 {
206 }
208 }
210 /* RSA sign/decrypt with the key, signature happens 'in place' */
211 vcard_7816_status_t
214 {
218 SECStatus rv;
225 /* couldn't get the key, indicate that we aren't logged in */
227 }
230 /* couldn't get the key, indicate that we aren't logged in */
232 }
235 /*
236 * this is only true of the rsa signature
237 */
241 }
242 /* be able to handle larger keys if necessariy */
246 }
248 /*
249 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
250 * choke when they try to do the actual operations. Try to detect
251 * those cases and treat them as if the token didn't claim support for
252 * X_509.
253 */
263 }
264 /*
265 * we've had a successful X509 operation, this failure must be
266 * somethine else
267 */
271 }
272 /*
273 * key->failedX509 must be Unknown at this point, try the
274 * non-x_509 case
275 */
276 }
277 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
278 /* is this a PKCS #1 formatted signature? */
283 /* rsa signature pad */
286 }
287 }
289 /* yes, we have a properly formatted PKCS #1 signature */
290 /*
291 * NOTE: even if we accidentally got an encrypt buffer, which
292 * through sheer luck started with 00, 01, ff, 00, it won't matter
293 * because the resulting Sign operation will effectively decrypt
294 * the real buffer.
295 */
296 SECItem signature;
297 SECItem hash;
299 i++;
308 }
311 /*
312 * we got here because either the X509 attempt failed, or the
313 * token couldn't do the X509 operation, in either case stay
314 * with the PKCS version for future operations on this key
315 */
318 }
319 }
322 /*
323 * OK now we've decrypted the payload, package it up in PKCS #1 for the
324 * upper layer.
325 */
329 /*
330 * padding for PKCS #1 encrypted data is a string of random bytes. The
331 * random butes protect against potential decryption attacks against RSA.
332 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
333 * them. This shouldn't matter to the upper level code which should just
334 * strip this code out anyway, so We'll pad with a constant 3.
335 */
341 /*
342 * we got here because either the X509 attempt failed, or the
343 * token couldn't do the X509 operation, in either case stay
344 * with the PKCS version for future operations on this key
345 */
347 cleanup:
350 }
352 }
354 /*
355 * Login functions
356 */
357 /* return the number of login attempts still possible on the card. if unknown,
358 * return -1 */
359 int
361 {
363 }
365 /* login into the card, return the 7816 status word (sw2 || sw1) */
366 vcard_7816_status_t
368 {
372 SECStatus rv;
376 }
378 /* We depend on the PKCS #11 module internal login state here because we
379 * create a separate process to handle each guest instance. If we needed
380 * to handle multiple guests from one process, then we would need to keep
381 * a lot of extra state in our card structure
382 * */
387 /* handle CAC expanded pins correctly */
390 }
394 to be snooped */
398 }
399 /* map the error from port get error */
401 }
403 void
405 {
410 }
415 }
416 }
418 void
420 {
421 /*
422 * if we reset the card (either power on or power off), we lose our login
423 * state
424 */
427 /* TODO: we may also need to send insertion/removal events? */
428 }
432 {
438 }
446 }
448 }
452 }
454 /*
455 * create a new reader emul
456 */
459 {
471 }
473 static void
475 {
478 }
481 }
484 }
486 /*
487 * TODO: move this to emulater non-specific file
488 */
489 static VCardEmulType
491 {
497 }
500 }
501 /*
502 * TODO: move this to emulater non-specific file
503 */
506 {
512 }
515 }
517 /* pull the slot out of the reader private data */
520 {
524 }
526 }
528 /*
529 * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate
530 * historical bytes for any software emulated card. The remaining bytes can be
531 * used to indicate the actual emulator
532 */
536 void
538 {
544 }
548 }
550 /*
551 * create a new card from certs and keys
552 */
557 {
561 VCardEmulType type;
566 /* ignore the inserted card */
569 }
573 }
576 /* params these can be NULL */
581 }
586 }
589 }
592 /*
593 * 'clone' a physical card as a virtual card
594 */
597 {
598 /*
599 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
600 * us the real certs until we log in.
601 */
613 }
618 }
620 /* count the certs */
624 cert_count++;
625 }
627 /* allocate the arrays */
630 /* fill in the arrays */
634 SECItem derCert;
636 SECStatus rv;
642 }
643 /* create floating temp cert. This gives us a cert structure even if
644 * the token isn't logged in */
650 }
655 cert_count++;
657 }
659 /* now create the card */
666 }
671 /*
672 * This thread looks for card and reader insertions and puts events on the
673 * event queue
674 */
675 static void
677 {
685 /*
686 * XXX - the latency value doesn't matter one bit. you only get no
687 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
688 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
689 * value we pass get's dropped on the floor before C_WaitForSlotEvent
690 * is called.
691 */
694 /* this could be just a no event indication */
697 }
699 }
702 /* new vreader */
704 default_type_params);
706 vreader_emul_delete);
712 }
713 /* card remove/insert */
720 }
724 }
730 }
733 }
739 }
741 /* if the card is inserted when we start up, make sure our state is correct */
742 static void
744 {
752 }
753 }
755 /*
756 * each module has a separate wait call, create a thread for each module that
757 * we are using.
758 */
759 static void
761 {
765 }
774 };
777 /*
778 * NSS needs the app to supply a password prompt. In our case the only time
779 * the password is supplied is as part of the Login APDU. The actual password
780 * is passed in the pw_arg in that case. In all other cases pw_arg should be
781 * NULL.
782 */
785 {
786 /* if it didn't work the first time, don't keep trying */
789 }
790 /* we are looking up a password when we don't have one in hand */
793 }
794 /* TODO: we really should verify that were are using the right slot */
796 }
798 /* Force a card removal even if the card is not physically removed */
799 VCardEmulError
801 {
804 }
806 /* OK, remove it */
809 }
811 /* Re-insert of a card that has been removed by force removal */
812 VCardEmulError
814 {
820 }
823 /* if it's a softcard, get the saved vcard from the reader emul structure */
827 /* it must be a physical card, rebuild it */
829 /* physical card has been removed, not way to reinsert it */
831 }
833 }
838 }
841 static PRBool
843 {
851 }
858 }
859 }
862 }
864 /* Previously we returned FAIL if no readers found. This makes
865 * no sense when using hardware, since there may be no readers connected
866 * at the time vcard_emul_init is called, but they will be properly
867 * recognized later. So Instead return FAIL only if no_hw==1 and no
868 * vcards can be created (indicates error with certificates provided
869 * or db), or if any other higher level error (NSS error, missing coolkey). */
872 VCardEmulError
874 {
875 SECStatus rv;
886 }
893 }
895 /* first initialize NSS */
900 #ifndef _WIN32
902 #else
906 }
910 #endif
914 }
917 }
918 /* Set password callback function */
921 /* set up soft cards emulated by software certs rather than physical cards
922 * */
934 }
938 vreader_emul_delete);
946 /* we should have a better way of identifying certs than by
947 * nickname here */
950 NULL);
953 }
957 /* this is safe because the key is still holding a cert reference */
959 cert_count++;
960 }
966 /* allow insertion and removal of soft cards */
971 }
975 }
977 /* if we aren't suppose to use hw, skip looking up hardware tokens */
981 }
983 /* make sure we have some PKCS #11 module loaded */
991 }
992 }
995 /* now examine all the slots, finding which should be readers */
996 /* We should control this with options. For now we mirror out any
997 * removable hardware slot */
1005 /* Ignore the internal module */
1008 }
1013 /* only map removable HW slots */
1016 }
1018 /*
1019 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1020 * any hardware readers. This causes problems, warn user of
1021 * problems.
1022 */
1026 }
1030 vreader_emul_delete);
1039 }
1040 }
1042 }
1047 }
1049 /* Recreate card insert events for all readers (user should
1050 * deduce implied reader insert. perhaps do a reader insert as well?)
1051 */
1052 void
1054 {
1064 }
1067 }
1069 /*
1070 * Silly little functions to help parsing our argument string
1071 */
1072 static int
1074 {
1079 count++;
1080 }
1083 }
1084 }
1086 }
1090 {
1092 }
1094 }
1098 {
1100 }
1102 }
1105 /*
1106 * We really want to use some existing argument parsing library here. That
1107 * would give us a consistent look */
1109 #define READER_STEP 4
1111 /* Expects "args" to be at the beginning of a token (ie right after the ','
1112 * ending the previous token), and puts the next token start in "token",
1113 * and its length in "token_length". "token" will not be nul-terminated.
1114 * After calling the macro, "args" will be advanced to the beginning of
1115 * the next token.
1116 * This macro may call continue or break.
1117 */
1118 #define NEXT_TOKEN(token) \
1119 (token) = args; \
1121 if (*args == 0) { \
1122 break; \
1123 } \
1125 args++; \
1126 continue; \
1127 } \
1128 (token##_length) = args - (token); \
1129 args = strip(args+1);
1131 VCardEmulOptions *
1133 {
1137 /* Allow the future use of allocating the options structure on the fly */
1145 }
1146 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1147 * cert_2,cert_3...) */
1156 VCardEmulType type;
1163 }
1178 }
1183 reader_count);
1184 }
1199 }
1201 args++;
1202 }
1204 /* use_hw= */
1211 }
1213 /* hw_type= */
1218 /* hw_params= */
1225 /* db="/data/base/path" */
1231 }
1232 args++;
1237 args++;
1238 }
1241 }
1245 }
1247 void
1249 {
1266 "These parameters come as a single string separated by blanks or newlines."
1274 }