1
/* card-dinsig.c - German signature law (DINSIG) functions
2
* Copyright (C) 2002 Free Software Foundation, Inc.
4
* This file is part of GnuPG.
6
* GnuPG is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* GnuPG is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
21
/* The German signature law and its bylaw (SigG and SigV) is currently
22
used with an interface specification described in DIN V 66291-1.
23
The AID to be used is: 'D27600006601'.
25
The file IDs for certificates utilize the generic format:
27
C being the hex digit 'C' (12).
28
x being the service indicator:
29
'0' := SigG conform digital signature.
30
'1' := entity authentication.
31
'2' := key encipherment.
32
'3' := data encipherment.
34
other values are reserved for future use.
35
y being the security environment number using '0' for cards
36
not supporting a SE number.
37
z being the certificate type:
38
'0' := C.CH (base certificate of ard holder) or C.ICC.
39
'1' .. '7' := C.CH (business or professional certificate
41
'8' .. 'D' := C.CA (certificate of a CA issue by the Root-CA).
42
'E' := C.RCA (self certified certificate of the Root-CA).
45
The file IDs used by default are:
46
'1F00' EF.SSD (security service descriptor). [o,o]
47
'2F02' EF.GDO (global data objects) [m,m]
48
'A000' EF.PROT (signature log). Cyclic file with 20 records of 53 byte.
49
Read and update after user authentication. [o,o]
50
'B000' EF.PK.RCA.DS (public keys of Root-CA). Size is 512b or size
51
of keys. [m (unless a 'C00E' is present),m]
52
'B001' EF.PK.CA.DS (public keys of CAs). Size is 512b or size
54
'C00n' EF.C.CH.DS (digital signature certificate of card holder)
55
with n := 0 .. 7. Size is 2k or size of cert. Read and
56
update allowed after user authentication. [m,m]
57
'C00m' EF.C.CA.DS (digital signature certificate of CA)
58
with m := 8 .. E. Size is 1k or size of cert. Read always
59
allowed, update after uder authentication. [o,o]
60
'C100' EF.C.ICC.AUT (AUT certificate of ICC) [o,m]
61
'C108' EF.C.CA.AUT (AUT certificate of CA) [o,m]
62
'D000' EF.DM (display message) [-,m]
64
The letters in brackets indicate optional or mandatory files: The
65
first for card terminals under full control and the second for
66
"business" card terminals.
68
FIXME: Needs a lot more explanation.
81
#include <opensc/pkcs15.h>
85
#include "card-common.h"
87
static int dinsig_read_cert (CARD card, const char *certidstr,
88
unsigned char **cert, size_t *ncert);
92
/* See card.c for interface description. Frankly we don't do any real
93
enumeration but just check whether the well know files are
96
dinsig_enum_keypairs (CARD card, int idx,
97
unsigned char *keygrip, char **keyid)
104
/* fixme: We should locate the application via the EF(DIR) and not
105
assume a Netkey card */
107
rc = dinsig_read_cert (card, "DINSIG-DF01.C000", &buf, &buflen);
109
rc = dinsig_read_cert (card, "DINSIG-DF01.C200", &buf, &buflen);
115
rc = ksba_cert_new (&cert);
122
rc = ksba_cert_init_from_mem (cert, buf, buflen);
126
log_error ("failed to parse the certificate at idx %d: %s\n",
127
idx, gpg_strerror (rc));
128
ksba_cert_release (cert);
131
if (card_help_get_keygrip (cert, keygrip))
133
log_error ("failed to calculate the keygrip at index %d\n", idx);
134
ksba_cert_release (cert);
135
return gpg_error (GPG_ERR_CARD);
137
ksba_cert_release (cert);
142
*keyid = xtrymalloc (17);
144
return gpg_error (gpg_err_code_from_errno (errno));
146
strcpy (*keyid, "DINSIG-DF01.C000");
148
strcpy (*keyid, "DINSIG-DF01.C200");
156
/* See card.c for interface description */
158
dinsig_read_cert (CARD card, const char *certidstr,
159
unsigned char **cert, size_t *ncert)
163
struct sc_file *file;
167
if (!strcmp (certidstr, "DINSIG-DF01.C000"))
168
sc_format_path ("3F00DF01C000", &path);
169
else if (!strcmp (certidstr, "DINSIG-DF01.C200"))
170
sc_format_path ("3F00DF01C200", &path);
172
return gpg_error (GPG_ERR_INV_ID);
174
rc = sc_select_file (card->scard, &path, &file);
177
log_error ("sc_select_file failed: %s\n", sc_strerror (rc));
178
return map_sc_err (rc);
180
if (file->type != SC_FILE_TYPE_WORKING_EF
181
|| file->ef_structure != SC_FILE_EF_TRANSPARENT)
183
log_error ("wrong type or structure of certificate EF\n");
185
return gpg_error (GPG_ERR_CARD);
187
if (file->size < 20) /* check against a somewhat arbitrary length */
189
log_error ("certificate EF too short\n");
191
return gpg_error (GPG_ERR_CARD);
193
buf = xtrymalloc (file->size);
196
gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
201
rc = sc_read_binary (card->scard, 0, buf, file->size, 0);
202
if (rc >= 0 && rc != file->size)
204
log_error ("short read on certificate EF\n");
207
return gpg_error (GPG_ERR_CARD);
212
log_error ("error reading certificate EF: %s\n", sc_strerror (rc));
214
return map_sc_err (rc);
218
/* The object is not a plain certificate but wrapped into id-at
219
userCertificate - fixme: we should check the specs and decided
220
whether libksba should support it */
221
if (buflen > 9 && buf[0] == 0x30 && buf[4] == 6 && buf[5] == 3
222
&& buf[6] == 0x55 && buf[7] == 4 && buf[8] == 0x24)
224
/* We have to strip the padding. Although this is a good idea
225
anyway, we have to do it due to a KSBA problem; KSBA does not
226
work correct when the buffer is larger than the ASN.1
227
structure and the certificates here are padded with FF. So
228
as a workaround we look at the outer structure to get the
229
size of the entire thing and adjust the buflen. We can only
230
do this when there is a 2 byte length field */
234
seqlen = ((buf[2] << 8) | buf[3]) + 4;
238
memmove (buf, buf+9, buflen-9);
250
/* Bind our operations to the card */
252
card_dinsig_bind (CARD card)
254
card->fnc.enum_keypairs = dinsig_enum_keypairs;
255
card->fnc.read_cert = dinsig_read_cert;
258
#endif /*HAVE_OPENSC*/