| blob | 1a3e5683bca14fde85dcfc03108233d419923e29 |
1 /*
2 * This is the actual card emulator.
3 *
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
8 *
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
11 */
13 /*
14 * NSS headers
15 */
17 /* avoid including prototypes.h that redefines uint32 */
18 #define NO_NSPR_10_SUPPORT
20 #include <nss.h>
21 #include <pk11pub.h>
22 #include <cert.h>
23 #include <key.h>
24 #include <secmod.h>
25 #include <prthread.h>
26 #include <secerr.h>
49 VCardEmulTriState failedX509;
50 };
57 VCardEmulType default_type;
59 PRBool present;
62 };
64 /*
65 * NSS Specific options
66 */
70 VCardEmulType card_type;
74 };
80 VCardEmulType hw_card_type;
82 PRBool use_hw;
83 };
87 /* if we have more that just the slot, define
88 * VCardEmulStruct here */
90 /*
91 * allocate the set of arrays for certs, cert_len, key
92 */
93 static PRBool
96 {
104 }
106 /*
107 * Emulator specific card information
108 */
113 {
115 /* currently we don't need anything other than the slot */
117 }
119 static void
121 {
125 }
127 }
131 {
132 /* note, the card is holding the reference, no need to get another one */
134 }
137 /*
138 * key functions
139 */
140 /* private constructure */
143 {
149 /* NOTE: if we aren't logged into the token, this could return NULL */
150 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
151 * use the DER version of this function */
155 }
157 /* destructor */
158 void
160 {
163 }
167 }
170 }
173 }
174 }
176 /*
177 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
178 */
181 {
184 }
185 /* NOTE: if we aren't logged into the token, this could return NULL */
188 }
190 /*
191 * Map NSS errors to 7816 errors
192 */
193 static vcard_7816_status_t
195 {
210 }
212 }
214 /* RSA sign/decrypt with the key, signature happens 'in place' */
215 vcard_7816_status_t
218 {
222 SECStatus rv;
229 /* couldn't get the key, indicate that we aren't logged in */
231 }
234 /* couldn't get the key, indicate that we aren't logged in */
236 }
239 /*
240 * this is only true of the rsa signature
241 */
245 }
246 /* be able to handle larger keys if necessariy */
250 }
252 /*
253 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
254 * choke when they try to do the actual operations. Try to detect
255 * those cases and treat them as if the token didn't claim support for
256 * X_509.
257 */
267 }
268 /*
269 * we've had a successful X509 operation, this failure must be
270 * somethine else
271 */
275 }
276 /*
277 * key->failedX509 must be Unknown at this point, try the
278 * non-x_509 case
279 */
280 }
281 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
282 /* is this a PKCS #1 formatted signature? */
287 /* rsa signature pad */
290 }
291 }
293 /* yes, we have a properly formated PKCS #1 signature */
294 /*
295 * NOTE: even if we accidentally got an encrypt buffer, which
296 * through shear luck started with 00, 01, ff, 00, it won't matter
297 * because the resulting Sign operation will effectively decrypt
298 * the real buffer.
299 */
300 SECItem signature;
301 SECItem hash;
303 i++;
312 }
315 /*
316 * we got here because either the X509 attempt failed, or the
317 * token couldn't do the X509 operation, in either case stay
318 * with the PKCS version for future operations on this key
319 */
322 }
323 }
326 /*
327 * OK now we've decrypted the payload, package it up in PKCS #1 for the
328 * upper layer.
329 */
333 /*
334 * padding for PKCS #1 encrypted data is a string of random bytes. The
335 * random butes protect against potential decryption attacks against RSA.
336 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
337 * them. This shouldn't matter to the upper level code which should just
338 * strip this code out anyway, so We'll pad with a constant 3.
339 */
345 /*
346 * we got here because either the X509 attempt failed, or the
347 * token couldn't do the X509 operation, in either case stay
348 * with the PKCS version for future operations on this key
349 */
351 cleanup:
354 }
356 }
358 /*
359 * Login functions
360 */
361 /* return the number of login attempts still possible on the card. if unknown,
362 * return -1 */
363 int
365 {
367 }
369 /* login into the card, return the 7816 status word (sw2 || sw1) */
370 vcard_7816_status_t
372 {
376 SECStatus rv;
380 }
382 /* We depend on the PKCS #11 module internal login state here because we
383 * create a separate process to handle each guest instance. If we needed
384 * to handle multiple guests from one process, then we would need to keep
385 * a lot of extra state in our card structure
386 * */
391 /* handle CAC expanded pins correctly */
394 }
398 to be snooped */
402 }
403 /* map the error from port get error */
405 }
407 void
409 {
414 }
416 /*
417 * if we reset the card (either power on or power off), we lose our login
418 * state
419 */
420 /* TODO: we may also need to send insertion/removal events? */
423 }
428 {
434 }
441 }
443 }
446 }
448 /*
449 * create a new reader emul
450 */
453 {
465 }
467 static void
469 {
472 }
475 }
478 }
480 }
482 /*
483 * TODO: move this to emulater non-specific file
484 */
485 static VCardEmulType
487 {
493 }
496 }
497 /*
498 * TODO: move this to emulater non-specific file
499 */
502 {
508 }
511 }
513 /* pull the slot out of the reader private data */
516 {
520 }
522 }
524 /*
525 * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate
526 * historical bytes for any software emulated card. The remaining bytes can be
527 * used to indicate the actual emulator
528 */
532 void
534 {
540 }
544 }
546 /*
547 * create a new card from certs and keys
548 */
553 {
557 VCardEmulType type;
562 /* ignore the inserted card */
565 }
569 }
572 /* params these can be NULL */
577 }
582 }
585 }
588 /*
589 * 'clone' a physical card as a virtual card
590 */
593 {
594 /*
595 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
596 * us the real certs until we log in.
597 */
604 PRBool ret;
610 }
615 }
617 /* count the certs */
621 cert_count++;
622 }
627 }
629 /* allocate the arrays */
633 }
635 /* fill in the arrays */
639 SECItem derCert;
641 SECStatus rv;
647 }
648 /* create floating temp cert. This gives us a cert structure even if
649 * the token isn't logged in */
655 }
660 cert_count++;
662 }
664 /* now create the card */
671 }
676 /*
677 * This thread looks for card and reader insertions and puts events on the
678 * event queue
679 */
680 static void
682 {
690 /*
691 * XXX - the latency value doesn't matter one bit. you only get no
692 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
693 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
694 * value we pass get's dropped on the floor before C_WaitForSlotEvent
695 * is called.
696 */
699 /* this could be just a no event indication */
702 }
704 }
707 /* new vreader */
709 default_type_params);
711 vreader_emul_delete);
717 }
718 /* card remove/insert */
725 }
729 }
735 }
738 }
744 }
746 /* if the card is inserted when we start up, make sure our state is correct */
747 static void
749 {
757 }
758 }
760 /*
761 * each module has a separate wait call, create a thread for each module that
762 * we are using.
763 */
764 static void
766 {
770 }
779 };
782 /*
783 * NSS needs the app to supply a password prompt. In our case the only time
784 * the password is supplied is as part of the Login APDU. The actual password
785 * is passed in the pw_arg in that case. In all other cases pw_arg should be
786 * NULL.
787 */
790 {
791 /* if it didn't work the first time, don't keep trying */
794 }
795 /* we are looking up a password when we don't have one in hand */
798 }
799 /* TODO: we really should verify that were are using the right slot */
801 }
803 /* Force a card removal even if the card is not physically removed */
804 VCardEmulError
806 {
809 }
811 /* OK, remove it */
814 }
816 /* Re-insert of a card that has been removed by force removal */
817 VCardEmulError
819 {
825 }
828 /* if it's a softcard, get the saved vcard from the reader emul structure */
832 /* it must be a physical card, rebuild it */
834 /* physical card has been removed, not way to reinsert it */
836 }
838 }
843 }
846 static PRBool
848 {
856 }
863 }
864 }
867 }
869 /* Previously we returned FAIL if no readers found. This makes
870 * no sense when using hardware, since there may be no readers connected
871 * at the time vcard_emul_init is called, but they will be properly
872 * recognized later. So Instead return FAIL only if no_hw==1 and no
873 * vcards can be created (indicates error with certificates provided
874 * or db), or if any other higher level error (NSS error, missing coolkey). */
877 VCardEmulError
879 {
880 SECStatus rv;
891 }
898 }
900 /* first initialize NSS */
905 #ifndef _WIN32
907 #else
911 }
915 #endif
919 }
922 }
923 /* Set password callback function */
926 /* set up soft cards emulated by software certs rather than physical cards
927 * */
939 }
943 vreader_emul_delete);
951 }
954 /* we should have a better way of identifying certs than by
955 * nickname here */
958 NULL);
961 }
965 /* this is safe because the key is still holding a cert reference */
967 cert_count++;
968 }
974 /* allow insertion and removal of soft cards */
979 }
983 }
985 /* if we aren't suppose to use hw, skip looking up hardware tokens */
989 }
991 /* make sure we have some PKCS #11 module loaded */
999 }
1000 }
1003 /* now examine all the slots, finding which should be readers */
1004 /* We should control this with options. For now we mirror out any
1005 * removable hardware slot */
1013 /* Ignore the internal module */
1016 }
1021 /* only map removable HW slots */
1024 }
1026 /*
1027 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1028 * any hardware readers. This causes problems, warn user of
1029 * problems.
1030 */
1034 }
1038 vreader_emul_delete);
1047 }
1048 }
1050 }
1055 }
1057 /* Recreate card insert events for all readers (user should
1058 * deduce implied reader insert. perhaps do a reader insert as well?)
1059 */
1060 void
1062 {
1072 }
1073 }
1075 /*
1076 * Silly little functions to help parsing our argument string
1077 */
1078 static int
1080 {
1085 count++;
1086 }
1089 }
1090 }
1092 }
1096 {
1098 }
1100 }
1104 {
1106 }
1108 }
1111 /*
1112 * We really want to use some existing argument parsing library here. That
1113 * would give us a consistent look */
1115 #define READER_STEP 4
1117 /* Expects "args" to be at the beginning of a token (ie right after the ','
1118 * ending the previous token), and puts the next token start in "token",
1119 * and its length in "token_length". "token" will not be nul-terminated.
1120 * After calling the macro, "args" will be advanced to the beginning of
1121 * the next token.
1122 * This macro may call continue or break.
1123 */
1124 #define NEXT_TOKEN(token) \
1125 (token) = args; \
1127 if (*args == 0) { \
1128 break; \
1129 } \
1131 args++; \
1132 continue; \
1133 } \
1134 (token##_length) = args - (token); \
1135 args = strip(args+1);
1137 VCardEmulOptions *
1139 {
1143 /* Allow the future use of allocating the options structure on the fly */
1151 }
1152 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1153 * cert_2,cert_3...) */
1162 VCardEmulType type;
1169 }
1183 }
1191 }
1192 }
1208 }
1210 args++;
1211 }
1213 /* use_hw= */
1220 }
1222 /* hw_type= */
1227 /* hw_params= */
1234 /* db="/data/base/path" */
1240 }
1241 args++;
1246 args++;
1247 }
1250 }
1254 }
1256 void
1258 {
1275 "These parameters come as a single string separated by blanks or newlines."
1283 }