2
* implement the applets for the CAC card.
4
* This code is licensed under the GNU LGPL, version 2.1 or later.
5
* See the COPYING.LIB file in the top-level directory.
8
#include "qemu-common.h"
12
#include "vcard_emul.h"
13
#include "card_7816.h"
15
#define CAC_GET_PROPERTIES 0x56
16
#define CAC_GET_ACR 0x4c
17
#define CAC_READ_BUFFER 0x52
18
#define CAC_UPDATE_BUFFER 0x58
19
#define CAC_SIGN_DECRYPT 0x42
20
#define CAC_GET_CERTIFICATE 0x36
22
/* private data for PKI applets */
23
typedef struct CACPKIAppletDataStruct {
26
unsigned char *cert_buffer;
28
unsigned char *sign_buffer;
34
* CAC applet private data
36
struct VCardAppletPrivateStruct {
38
CACPKIAppletData pki_data;
44
* handle all the APDU's that are common to all CAC applets
47
cac_common_process_apdu(VCard *card, VCardAPDU *apdu, VCardResponse **response)
51
switch (apdu->a_ins) {
52
case VCARD7816_INS_SELECT_FILE:
53
if (apdu->a_p1 != 0x02) {
54
/* let the 7816 code handle applet switches */
57
/* handle file id setting */
58
if (apdu->a_Lc != 2) {
59
*response = vcard_make_response(
60
VCARD7816_STATUS_ERROR_DATA_INVALID);
63
/* CAC 1.0 only supports ef = 0 */
64
ef = apdu->a_body[0] | (apdu->a_body[1] << 8);
66
*response = vcard_make_response(
67
VCARD7816_STATUS_ERROR_FILE_NOT_FOUND);
70
*response = vcard_make_response(VCARD7816_STATUS_SUCCESS);
72
case VCARD7816_INS_GET_RESPONSE:
73
case VCARD7816_INS_VERIFY:
74
/* let the 7816 code handle these */
76
case CAC_GET_PROPERTIES:
78
/* skip these for now, this will probably be needed */
79
*response = vcard_make_response(VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
82
*response = vcard_make_response(
83
VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
88
* reset the inter call state between applet selects
91
cac_applet_pki_reset(VCard *card, int channel)
93
VCardAppletPrivate *applet_private = NULL;
94
CACPKIAppletData *pki_applet = NULL;
95
applet_private = vcard_get_current_applet_private(card, channel);
96
assert(applet_private);
97
pki_applet = &(applet_private->u.pki_data);
99
pki_applet->cert_buffer = NULL;
100
if (pki_applet->sign_buffer) {
101
g_free(pki_applet->sign_buffer);
102
pki_applet->sign_buffer = NULL;
104
pki_applet->cert_buffer_len = 0;
105
pki_applet->sign_buffer_len = 0;
110
cac_applet_pki_process_apdu(VCard *card, VCardAPDU *apdu,
111
VCardResponse **response)
113
CACPKIAppletData *pki_applet = NULL;
114
VCardAppletPrivate *applet_private = NULL;
116
unsigned char *sign_buffer;
117
vcard_7816_status_t status;
119
applet_private = vcard_get_current_applet_private(card, apdu->a_channel);
120
assert(applet_private);
121
pki_applet = &(applet_private->u.pki_data);
123
switch (apdu->a_ins) {
124
case CAC_UPDATE_BUFFER:
125
*response = vcard_make_response(
126
VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED);
128
case CAC_GET_CERTIFICATE:
129
if ((apdu->a_p2 != 0) || (apdu->a_p1 != 0)) {
130
*response = vcard_make_response(
131
VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
134
assert(pki_applet->cert != NULL);
136
if (pki_applet->cert_buffer == NULL) {
137
pki_applet->cert_buffer = pki_applet->cert;
138
pki_applet->cert_buffer_len = pki_applet->cert_len;
140
size = MIN(size, pki_applet->cert_buffer_len);
141
next = MIN(255, pki_applet->cert_buffer_len - size);
142
*response = vcard_response_new_bytes(
143
card, pki_applet->cert_buffer, size,
145
VCARD7816_SW1_WARNING_CHANGE :
146
VCARD7816_SW1_SUCCESS,
148
pki_applet->cert_buffer += size;
149
pki_applet->cert_buffer_len -= size;
150
if ((*response == NULL) || (next == 0)) {
151
pki_applet->cert_buffer = NULL;
153
if (*response == NULL) {
154
*response = vcard_make_response(
155
VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE);
158
case CAC_SIGN_DECRYPT:
159
if (apdu->a_p2 != 0) {
160
*response = vcard_make_response(
161
VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
166
sign_buffer = realloc(pki_applet->sign_buffer,
167
pki_applet->sign_buffer_len+size);
168
if (sign_buffer == NULL) {
169
g_free(pki_applet->sign_buffer);
170
pki_applet->sign_buffer = NULL;
171
pki_applet->sign_buffer_len = 0;
172
*response = vcard_make_response(
173
VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE);
176
memcpy(sign_buffer+pki_applet->sign_buffer_len, apdu->a_body, size);
177
size += pki_applet->sign_buffer_len;
178
switch (apdu->a_p1) {
180
/* p1 == 0x80 means we haven't yet sent the whole buffer, wait for
182
pki_applet->sign_buffer = sign_buffer;
183
pki_applet->sign_buffer_len = size;
184
*response = vcard_make_response(VCARD7816_STATUS_SUCCESS);
187
/* we now have the whole buffer, do the operation, result will be
188
* in the sign_buffer */
189
status = vcard_emul_rsa_op(card, pki_applet->key,
191
if (status != VCARD7816_STATUS_SUCCESS) {
192
*response = vcard_make_response(status);
195
*response = vcard_response_new(card, sign_buffer, size, apdu->a_Le,
196
VCARD7816_STATUS_SUCCESS);
197
if (*response == NULL) {
198
*response = vcard_make_response(
199
VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE);
203
*response = vcard_make_response(
204
VCARD7816_STATUS_ERROR_P1_P2_INCORRECT);
208
pki_applet->sign_buffer = NULL;
209
pki_applet->sign_buffer_len = 0;
211
case CAC_READ_BUFFER:
212
/* new CAC call, go ahead and use the old version for now */
213
/* TODO: implement */
214
*response = vcard_make_response(
215
VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
218
return cac_common_process_apdu(card, apdu, response);
223
cac_applet_id_process_apdu(VCard *card, VCardAPDU *apdu,
224
VCardResponse **response)
226
switch (apdu->a_ins) {
227
case CAC_UPDATE_BUFFER:
228
*response = vcard_make_response(
229
VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED);
231
case CAC_READ_BUFFER:
232
/* new CAC call, go ahead and use the old version for now */
233
/* TODO: implement */
234
*response = vcard_make_response(
235
VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
238
return cac_common_process_apdu(card, apdu, response);
243
* TODO: if we ever want to support general CAC middleware, we will need to
244
* implement the various containers.
247
cac_applet_container_process_apdu(VCard *card, VCardAPDU *apdu,
248
VCardResponse **response)
250
switch (apdu->a_ins) {
251
case CAC_READ_BUFFER:
252
case CAC_UPDATE_BUFFER:
253
*response = vcard_make_response(
254
VCARD7816_STATUS_ERROR_COMMAND_NOT_SUPPORTED);
259
return cac_common_process_apdu(card, apdu, response);
263
* utilities for creating and destroying the private applet data
266
cac_delete_pki_applet_private(VCardAppletPrivate *applet_private)
268
CACPKIAppletData *pki_applet_data = NULL;
270
if (applet_private == NULL) {
273
pki_applet_data = &(applet_private->u.pki_data);
274
if (pki_applet_data->cert != NULL) {
275
g_free(pki_applet_data->cert);
277
if (pki_applet_data->sign_buffer != NULL) {
278
g_free(pki_applet_data->sign_buffer);
280
if (pki_applet_data->key != NULL) {
281
vcard_emul_delete_key(pki_applet_data->key);
283
g_free(applet_private);
286
static VCardAppletPrivate *
287
cac_new_pki_applet_private(const unsigned char *cert,
288
int cert_len, VCardKey *key)
290
CACPKIAppletData *pki_applet_data = NULL;
291
VCardAppletPrivate *applet_private = NULL;
292
applet_private = (VCardAppletPrivate *)g_malloc(sizeof(VCardAppletPrivate));
294
pki_applet_data = &(applet_private->u.pki_data);
295
pki_applet_data->cert_buffer = NULL;
296
pki_applet_data->cert_buffer_len = 0;
297
pki_applet_data->sign_buffer = NULL;
298
pki_applet_data->sign_buffer_len = 0;
299
pki_applet_data->key = NULL;
300
pki_applet_data->cert = (unsigned char *)g_malloc(cert_len+1);
302
* if we want to support compression, then we simply change the 0 to a 1
303
* and compress the cert data with libz
305
pki_applet_data->cert[0] = 0; /* not compressed */
306
memcpy(&pki_applet_data->cert[1], cert, cert_len);
307
pki_applet_data->cert_len = cert_len+1;
309
pki_applet_data->key = key;
310
return applet_private;
315
* create a new cac applet which links to a given cert
318
cac_new_pki_applet(int i, const unsigned char *cert,
319
int cert_len, VCardKey *key)
321
VCardAppletPrivate *applet_private = NULL;
322
VCardApplet *applet = NULL;
323
unsigned char pki_aid[] = { 0xa0, 0x00, 0x00, 0x00, 0x79, 0x01, 0x00 };
324
int pki_aid_len = sizeof(pki_aid);
326
pki_aid[pki_aid_len-1] = i;
328
applet_private = cac_new_pki_applet_private(cert, cert_len, key);
329
if (applet_private == NULL) {
332
applet = vcard_new_applet(cac_applet_pki_process_apdu, cac_applet_pki_reset,
333
pki_aid, pki_aid_len);
334
if (applet == NULL) {
337
vcard_set_applet_private(applet, applet_private,
338
cac_delete_pki_applet_private);
339
applet_private = NULL;
344
if (applet_private != NULL) {
345
cac_delete_pki_applet_private(applet_private);
351
static unsigned char cac_default_container_aid[] = {
352
0xa0, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00 };
353
static unsigned char cac_id_aid[] = {
354
0xa0, 0x00, 0x00, 0x00, 0x79, 0x03, 0x00 };
356
* Initialize the cac card. This is the only public function in this file. All
357
* the rest are connected through function pointers.
360
cac_card_init(VReader *reader, VCard *card,
362
unsigned char * const *cert,
364
VCardKey *key[] /* adopt the keys*/,
370
/* CAC Cards are VM Cards */
371
vcard_set_type(card, VCARD_VM);
373
/* create one PKI applet for each cert */
374
for (i = 0; i < cert_count; i++) {
375
applet = cac_new_pki_applet(i, cert[i], cert_len[i], key[i]);
376
if (applet == NULL) {
379
vcard_add_applet(card, applet);
382
/* create a default blank container applet */
383
applet = vcard_new_applet(cac_applet_container_process_apdu,
384
NULL, cac_default_container_aid,
385
sizeof(cac_default_container_aid));
386
if (applet == NULL) {
389
vcard_add_applet(card, applet);
391
/* create a default blank container applet */
392
applet = vcard_new_applet(cac_applet_id_process_apdu,
395
if (applet == NULL) {
398
vcard_add_applet(card, applet);