1
/* card-p15.c - PKCS-15 based card access
2
* Copyright (C) 2002 Free Software Foundation, Inc.
4
* This file is part of GnuPG.
6
* GnuPG is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* GnuPG is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
29
#include <opensc/pkcs15.h>
33
#include "card-common.h"
38
struct sc_pkcs15_object *prkey_rsa_objs[32];
40
struct sc_pkcs15_object *cert_objs[32];
44
/* Allocate private data. */
46
init_private_data (CARD card)
48
struct p15private_s *priv;
52
return 0; /* already done. */
54
priv = xtrycalloc (1, sizeof *priv);
56
return gpg_error (gpg_err_code_from_errno (errno));
58
/* OpenSC (0.7.0) is a bit strange in that the get_objects functions
59
tries to be a bit too clever and implicitly does an enumeration
60
which eventually leads to the fact that every call to this
61
fucntion returns one more macthing object. The old code in
62
p15_enum_keypairs assume that it would alwyas return the same
63
numer of objects and used this to figure out what the last object
64
enumerated is. We now do an enum_objects just once and keep it
65
in the private data. */
66
rc = sc_pkcs15_get_objects (card->p15card, SC_PKCS15_TYPE_PRKEY_RSA,
68
DIM (priv->prkey_rsa_objs));
71
log_error ("private keys enumeration failed: %s\n", sc_strerror (rc));
73
return gpg_error (GPG_ERR_CARD);
75
priv->n_prkey_rsa_objs = rc;
77
/* Read all certificate objects. */
78
rc = sc_pkcs15_get_objects (card->p15card, SC_PKCS15_TYPE_CERT_X509,
80
DIM (priv->cert_objs));
83
log_error ("private keys enumeration failed: %s\n", sc_strerror (rc));
85
return gpg_error (GPG_ERR_CARD);
87
priv->n_cert_objs = rc;
94
/* Release private data used in this module. */
96
p15_release_private_data (CARD card)
100
xfree (card->p15priv);
101
card->p15priv = NULL;
106
/* See card.c for interface description */
108
p15_enum_keypairs (CARD card, int idx,
109
unsigned char *keygrip, char **keyid)
112
struct p15private_s *priv;
113
struct sc_pkcs15_object *tmpobj;
115
struct sc_pkcs15_prkey_info *pinfo;
116
struct sc_pkcs15_cert_info *certinfo;
117
struct sc_pkcs15_cert *certder;
120
rc = init_private_data (card);
123
priv = card->p15priv;
124
nobjs = priv->n_prkey_rsa_objs;
128
pinfo = priv->prkey_rsa_objs[idx]->data;
130
/* now we need to read the certificate so that we can calculate the
132
rc = sc_pkcs15_find_cert_by_id (card->p15card, &pinfo->id, &tmpobj);
135
log_info ("certificate for private key %d not found: %s\n",
136
idx, sc_strerror (rc));
137
/* note, that we return the ID anyway */
138
rc = gpg_error (GPG_ERR_MISSING_CERT);
141
certinfo = tmpobj->data;
142
rc = sc_pkcs15_read_certificate (card->p15card, certinfo, &certder);
145
log_info ("failed to read certificate for private key %d: %s\n",
146
idx, sc_strerror (rc));
147
return gpg_error (GPG_ERR_CARD);
150
rc = ksba_cert_new (&cert);
153
sc_pkcs15_free_certificate (certder);
156
rc = ksba_cert_init_from_mem (cert, certder->data, certder->data_len);
157
sc_pkcs15_free_certificate (certder);
160
log_error ("failed to parse the certificate for private key %d: %s\n",
161
idx, gpg_strerror (rc));
162
ksba_cert_release (cert);
165
if (card_help_get_keygrip (cert, keygrip))
167
log_error ("failed to calculate the keygrip of private key %d\n", idx);
168
ksba_cert_release (cert);
169
return gpg_error (GPG_ERR_CARD);
171
ksba_cert_release (cert);
180
*keyid = p = xtrymalloc (9+pinfo->id.len*2+1);
182
return gpg_error (gpg_err_code_from_errno (errno));
183
p = stpcpy (p, "P15-5015.");
184
for (i=0; i < pinfo->id.len; i++, p += 2)
185
sprintf (p, "%02X", pinfo->id.value[i]);
192
/* See card.c for interface description */
194
p15_enum_certs (CARD card, int idx, char **certid, int *type)
197
struct p15private_s *priv;
198
struct sc_pkcs15_object *obj;
199
struct sc_pkcs15_cert_info *cinfo;
202
rc = init_private_data (card);
205
priv = card->p15priv;
206
nobjs = priv->n_cert_objs;
210
obj = priv->cert_objs[idx];
218
*certid = p = xtrymalloc (9+cinfo->id.len*2+1);
220
return gpg_error (gpg_err_code_from_errno (errno));
221
p = stpcpy (p, "P15-5015.");
222
for (i=0; i < cinfo->id.len; i++, p += 2)
223
sprintf (p, "%02X", cinfo->id.value[i]);
229
*type = 0; /* unknown */
230
else if (obj->df->type == SC_PKCS15_CDF)
232
else if (obj->df->type == SC_PKCS15_CDF_TRUSTED)
234
else if (obj->df->type == SC_PKCS15_CDF_USEFUL)
237
*type = 0; /* error -> unknown */
246
idstr_to_id (const char *idstr, struct sc_pkcs15_id *id)
251
/* For now we only support the standard DF */
252
if (strncmp (idstr, "P15-5015.", 9) )
253
return gpg_error (GPG_ERR_INV_ID);
254
for (s=idstr+9, n=0; hexdigitp (s); s++, n++)
257
return gpg_error (GPG_ERR_INV_ID); /*invalid or odd number of digits*/
259
if (!n || n > SC_PKCS15_MAX_ID_SIZE)
260
return gpg_error (GPG_ERR_INV_ID); /* empty or too large */
261
for (s=idstr+9, n=0; *s; s += 2, n++)
262
id->value[n] = xtoi_2 (s);
268
/* See card.c for interface description */
270
p15_read_cert (CARD card, const char *certidstr,
271
unsigned char **cert, size_t *ncert)
273
struct sc_pkcs15_object *tmpobj;
274
struct sc_pkcs15_id certid;
275
struct sc_pkcs15_cert_info *certinfo;
276
struct sc_pkcs15_cert *certder;
279
if (!card || !certidstr || !cert || !ncert)
280
return gpg_error (GPG_ERR_INV_VALUE);
282
return gpg_error (GPG_ERR_NO_PKCS15_APP);
284
rc = idstr_to_id (certidstr, &certid);
288
rc = sc_pkcs15_find_cert_by_id (card->p15card, &certid, &tmpobj);
291
log_info ("certificate '%s' not found: %s\n",
292
certidstr, sc_strerror (rc));
295
certinfo = tmpobj->data;
296
rc = sc_pkcs15_read_certificate (card->p15card, certinfo, &certder);
299
log_info ("failed to read certificate '%s': %s\n",
300
certidstr, sc_strerror (rc));
301
return gpg_error (GPG_ERR_CARD);
304
*cert = xtrymalloc (certder->data_len);
307
gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
308
sc_pkcs15_free_certificate (certder);
311
memcpy (*cert, certder->data, certder->data_len);
312
*ncert = certder->data_len;
313
sc_pkcs15_free_certificate (certder);
322
p15_prepare_key (CARD card, const char *keyidstr,
323
int (pincb)(void*, const char *, char **),
324
void *pincb_arg, struct sc_pkcs15_object **r_keyobj)
326
struct sc_pkcs15_id keyid;
327
struct sc_pkcs15_pin_info *pin;
328
struct sc_pkcs15_object *keyobj, *pinobj;
332
rc = idstr_to_id (keyidstr, &keyid);
336
rc = sc_pkcs15_find_prkey_by_id (card->p15card, &keyid, &keyobj);
339
log_error ("private key not found: %s\n", sc_strerror(rc));
340
return gpg_error (GPG_ERR_NO_SECKEY);
343
rc = sc_pkcs15_find_pin_by_auth_id (card->p15card,
344
&keyobj->auth_id, &pinobj);
347
log_error ("failed to find PIN by auth ID: %s\n", sc_strerror (rc));
348
return gpg_error (GPG_ERR_BAD_PIN_METHOD);
352
/* Fixme: pack this into a verification loop */
353
/* Fixme: we might want to pass pin->min_length and
354
pin->stored_length */
355
rc = pincb (pincb_arg, pinobj->label, &pinvalue);
358
log_info ("PIN callback returned error: %s\n", gpg_strerror (rc));
362
rc = sc_pkcs15_verify_pin (card->p15card, pin,
363
pinvalue, strlen (pinvalue));
367
log_info ("PIN verification failed: %s\n", sc_strerror (rc));
368
return gpg_error (GPG_ERR_BAD_PIN);
371
/* fixme: check wheter we need to release KEYOBJ in case of an error */
377
/* See card.c for interface description */
379
p15_sign (CARD card, const char *keyidstr, int hashalgo,
380
int (pincb)(void*, const char *, char **),
382
const void *indata, size_t indatalen,
383
unsigned char **outdata, size_t *outdatalen )
385
unsigned int cryptflags;
386
struct sc_pkcs15_object *keyobj;
388
unsigned char *outbuf = NULL;
391
if (hashalgo != GCRY_MD_SHA1)
392
return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
394
rc = p15_prepare_key (card, keyidstr, pincb, pincb_arg, &keyobj);
398
cryptflags = SC_ALGORITHM_RSA_PAD_PKCS1;
401
outbuf = xtrymalloc (outbuflen);
403
return gpg_error (gpg_err_code_from_errno (errno));
405
rc = sc_pkcs15_compute_signature (card->p15card, keyobj,
411
log_error ("failed to create signature: %s\n", sc_strerror (rc));
412
rc = gpg_error (GPG_ERR_CARD);
427
/* See card.c for description */
429
p15_decipher (CARD card, const char *keyidstr,
430
int (pincb)(void*, const char *, char **),
432
const void *indata, size_t indatalen,
433
unsigned char **outdata, size_t *outdatalen )
435
struct sc_pkcs15_object *keyobj;
437
unsigned char *outbuf = NULL;
440
rc = p15_prepare_key (card, keyidstr, pincb, pincb_arg, &keyobj);
444
if (card && card->scard && card->scard->driver
445
&& !strcasecmp (card->scard->driver->short_name, "tcos"))
447
/* very ugly hack to force the use of a local key. We need this
448
until we have fixed the initialization code for TCOS cards */
449
struct sc_pkcs15_prkey_info *prkey = keyobj->data;
450
if ( !(prkey->key_reference & 0x80))
452
prkey->key_reference |= 0x80;
453
log_debug ("using TCOS hack to force the use of local keys\n");
455
if (*keyidstr && keyidstr[strlen(keyidstr)-1] == '6')
457
prkey->key_reference |= 1;
458
log_debug ("warning: using even more TCOS hacks\n");
462
outbuflen = indatalen < 256? 256 : indatalen;
463
outbuf = xtrymalloc (outbuflen);
465
return gpg_error (gpg_err_code_from_errno (errno));
467
rc = sc_pkcs15_decipher (card->p15card, keyobj,
473
log_error ("failed to decipher the data: %s\n", sc_strerror (rc));
474
rc = gpg_error (GPG_ERR_CARD);
490
/* Bind our operations to the card */
492
card_p15_bind (CARD card)
494
card->fnc.enum_keypairs = p15_enum_keypairs;
495
card->fnc.enum_certs = p15_enum_certs;
496
card->fnc.read_cert = p15_read_cert;
497
card->fnc.sign = p15_sign;
498
card->fnc.decipher = p15_decipher;
500
#endif /*HAVE_OPENSC*/