Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sc-hsm-tool: Add options for public key authentication #1711

Closed
wants to merge 23 commits into from
Closed

sc-hsm-tool: Add options for public key authentication #1711

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
eee3f76
pkcs11-tool: Add prime521v1 curve
Mar 29, 2019
4a8d484
pkcs11-tool: Add secp521k1 curve
Mar 29, 2019
81ca015
sc-hsm-tool: Add options for public key auth
May 15, 2018
ccdbc6d
sc-hsm: Initialize card with public key auth
May 15, 2018
dec0dd3
sc-hsm-tool: Add option --export-for-pub-key-auth
Aug 8, 2018
0a074f5
sc-hsm-tool: Add option --register-public-key
Aug 8, 2018
9e5058c
sc-hsm-tool: Add option --public-key-auth-status
Jun 11, 2019
997b2f7
coding style
Jun 18, 2019
e9be520
convert spaces to tabs (consistent coding style)
Jun 20, 2019
ad35788
sc-hsm: use memcpy() instead of strncpy()
Jun 20, 2019
b340b09
sc-hsm: use smaller recvbuf
Jun 20, 2019
99faf14
sc-hsm: use sc_format_apdu_ex()
Jun 20, 2019
bf097e4
sc-hsm-tool: use fread_to_eof()
Jun 20, 2019
1e46ee4
sc-hsm: fix messed up formatting
Jun 20, 2019
60004bb
sc-hsm: fix error message
Jun 20, 2019
6c69699
sc-hsm-tool: improve argument checks
Jun 20, 2019
6287346
Revert "sc-hsm-tool: use fread_to_eof()"
Jun 20, 2019
5f14397
sc-hsm-tool: simplify argument checks
Jun 20, 2019
953b64f
sc-hsm-tool: use goto for error handling
Jun 20, 2019
de3d8e4
sc-hsm: strlen() -> strnlen()
Jun 20, 2019
5729c5e
sc-hsm-tool: check for expected tags (.pka files)
Jun 20, 2019
c06a843
adjust sc_format_apdu_ex() calls
Oct 17, 2019
1eddb58
check for possible out of bounds write
Oct 29, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
sc-hsm-tool: Add option --register-public-key
  • Loading branch information
Frank Braun committed Oct 29, 2019
commit 0a074f5fdc841f0cbbc0786c9fd951c1a9680ef7
193 changes: 192 additions & 1 deletion src/libopensc/card-sc-hsm.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1432,10 +1432,199 @@ static int sc_hsm_unwrap_key(sc_card_t *card, sc_cardctl_sc_hsm_wrapped_key_t *p
r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(ctx, r, "APDU transmit failed");

r = sc_check_sw(card, apdu.sw1, apdu.sw2);
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(ctx, r, "Check SW error");

LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}



static int get_CAR(u8 *carstr, sc_context_t *ctx, const u8 *buf, size_t buflen)
{
const u8 *cb = NULL, *car = NULL;
size_t taglen;

LOG_FUNC_CALLED(ctx);

/* find embedded Certificate Body (should be right at the start) */
if (!(cb = sc_asn1_find_tag(ctx, buf, buflen, 0x7F4E, &taglen))) {
LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN);
}
buf = cb;
buflen = taglen;
frankbraun marked this conversation as resolved.
Show resolved Hide resolved

/* find embedded Certification Authority Reference (CAR) */
if (!(car = sc_asn1_find_tag(ctx, buf, buflen, 0x42, &taglen))) {
LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN);
}

/* return CAR */
strncpy((char*) carstr, (const char*) car, taglen);
frankbraun marked this conversation as resolved.
Show resolved Hide resolved
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe you also want to look at OpenPACE for more extended parsing/verification of CVCs. If you want to keep this self sustained within OpenSC, you should use sc_pkcs15emu_sc_hsm_decode_cvc()

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to parse this with sc_pkcs15emu_sc_hsm_decode_cvc(), but wasn't able to. I got the following error:

Required ASN.1 object not found

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea is not to parse ASN.1 by hand. Please check what object is missing and why.



static int verify_certificate(sc_card_t *card, const u8 *cert, size_t cert_len, const u8 *chr, size_t chr_len)
{
u8 tag = SC_ASN1_TAG_CONTEXT | SC_ASN1_TAG_BIT_STRING; /* 0x83 */
size_t pukref_len, car_len;
u8 car[BUFSIZ] = { 0 };
u8 pukref[BUFSIZ];
sc_apdu_t apdu;
u8 *ptr;
int r;

LOG_FUNC_CALLED(card->ctx);

/* check if public key is already known */
if ((r = sc_asn1_put_tag(tag, chr, chr_len, pukref, sizeof(pukref), &ptr)) < 0) {
fprintf(stderr, "Error formatting ASN.1 sequence: %s\n", sc_strerror(r));
LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN);
}
pukref_len = ptr - pukref;

sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0x22, 0x81, 0xB6);
apdu.cla = 0x00;
apdu.lc = pukref_len;
apdu.data = pukref;
apdu.datalen = pukref_len;

r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");

r = sc_check_sw(card, apdu.sw1, apdu.sw2);
if (!r) {
/* already known */
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}
if (apdu.sw1 != 0x6A && apdu.sw2 != 0x88) {
LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN, "Check SW error");
}

/* select public key for verification */
r = get_CAR(car, card->ctx, cert, cert_len);
LOG_TEST_RET(card->ctx, r, "cannot parse CAR");
car_len = strlen((const char*) car);
frankbraun marked this conversation as resolved.
Show resolved Hide resolved

if ((r = sc_asn1_put_tag(tag, car, car_len, pukref, sizeof(pukref), &ptr)) < 0) {
fprintf(stderr, "Error formatting ASN.1 sequence: %s\n", sc_strerror(r));
LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN);
}
pukref_len = ptr - pukref;

sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0x22, 0x81, 0xB6);
apdu.cla = 0x00;
frankbraun marked this conversation as resolved.
Show resolved Hide resolved
apdu.lc = pukref_len;
apdu.data = pukref;
apdu.datalen = pukref_len;

r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(card->ctx, r, "Check SW error");

/* verify certificate */
sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0x2A, 0x00, 0xBE);
apdu.cla = 0x00;
apdu.lc = cert_len;
apdu.data = cert;
apdu.datalen = cert_len;

r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(card->ctx, r, "Check SW error");

LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}



static int sc_hsm_register_public_key(sc_card_t *card, sc_cardctl_sc_hsm_public_key_t *params)
{
u8 tag = SC_ASN1_TAG_CONTEXT | SC_ASN1_TAG_BIT_STRING; /* 0x83 */
size_t outer_car_len, pukref_len;
u8 recvbuf[MAX_EXT_APDU_LENGTH];
sc_context_t *ctx = card->ctx;
const u8 *outer_car = NULL;
u8 pukref[BUFSIZ];
sc_apdu_t apdu;
u8 *ptr;
int r;

LOG_FUNC_CALLED(card->ctx);

/* get status */
#if 1
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_EXT, 0x54, 0x00, 0x00);
apdu.cla = 0x80;
apdu.resp = recvbuf;
apdu.resplen = sizeof(recvbuf);
apdu.le = 4;

r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(ctx, r, "APDU transmit failed");

r = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(ctx, r, "Check SW error");

printf("numberOfPublicKeys=%d\n", recvbuf[0]);
printf("missingPublicKeys=%d\n", recvbuf[1]);
printf("requiredPublicKeysForAuthentication=%d\n", recvbuf[2]);
printf("authenticatedPublicKeys=%d\n", recvbuf[3]);
#endif

/* verify dicacert */
r = verify_certificate(card, params->dicacert, params->dicacert_length, params->dicacert_chr, params->dicacert_chr_length);
LOG_TEST_RET(ctx, r, "device issuer certificate verification failed");

/* verify devcert */
r = verify_certificate(card, params->devcert, params->devcert_length, params->devcert_chr, params->devcert_chr_length);
LOG_TEST_RET(ctx, r, "device issuer certificate verification failed");
frankbraun marked this conversation as resolved.
Show resolved Hide resolved

/* manage SE */
if (!(outer_car = sc_asn1_find_tag(ctx, params->pk, params->pk_length, 0x42, &outer_car_len))) {
LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN);
}

if ((r = sc_asn1_put_tag(tag, outer_car, outer_car_len, pukref, sizeof(pukref), &ptr)) < 0) {
fprintf(stderr, "Error formatting ASN.1 sequence: %s\n", sc_strerror(r));
LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN);
}
pukref_len = ptr - pukref;

sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0x22, 0x81, 0xB6);
apdu.cla = 0x00;
apdu.lc = pukref_len;
apdu.data = pukref;
apdu.datalen = pukref_len;

r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(card->ctx, r, "Check SW error");

/* manage public key authentication */
sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x54, 0x00, 0x00);
apdu.cla = 0x80;
apdu.lc = params->pk_length;
apdu.data = params->pk;
apdu.datalen = params->pk_length;
apdu.resp = recvbuf;
apdu.resplen = sizeof(recvbuf);
apdu.le = 4;
frankbraun marked this conversation as resolved.
Show resolved Hide resolved

r = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(ctx, r, "APDU transmit failed");
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(ctx, r, "Check SW error");

printf("numberOfPublicKeys=%d\n", recvbuf[0]);
printf("missingPublicKeys=%d\n", recvbuf[1]);
printf("requiredPublicKeysForAuthentication=%d\n", recvbuf[2]);
printf("authenticatedPublicKeys=%d\n", recvbuf[3]);

LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}

Expand Down Expand Up @@ -1605,6 +1794,8 @@ static int sc_hsm_card_ctl(sc_card_t *card, unsigned long cmd, void *ptr)
return sc_hsm_wrap_key(card, (sc_cardctl_sc_hsm_wrapped_key_t *)ptr);
case SC_CARDCTL_SC_HSM_UNWRAP_KEY:
return sc_hsm_unwrap_key(card, (sc_cardctl_sc_hsm_wrapped_key_t *)ptr);
case SC_CARDCTL_SC_HSM_REGISTER_PUBLIC_KEY:
return sc_hsm_register_public_key(card, (sc_cardctl_sc_hsm_public_key_t *)ptr);
}
return SC_ERROR_NOT_SUPPORTED;
}
Expand Down
14 changes: 14 additions & 0 deletions src/libopensc/cardctl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -273,6 +273,7 @@ enum {
SC_CARDCTL_SC_HSM_IMPORT_DKEK_SHARE,
SC_CARDCTL_SC_HSM_WRAP_KEY,
SC_CARDCTL_SC_HSM_UNWRAP_KEY,
SC_CARDCTL_SC_HSM_REGISTER_PUBLIC_KEY,

/*
* DNIe specific calls
Expand Down Expand Up @@ -1041,6 +1042,19 @@ typedef struct sc_cardctl_sc_hsm_wrapped_key {
size_t wrapped_key_length; /* Length of key blob */
} sc_cardctl_sc_hsm_wrapped_key_t;

typedef struct sc_cardctl_sc_hsm_public_key {
const u8 *pk; /* Public key */
size_t pk_length; /* Length of key */
const u8 *devcert; /* Device certificate */
size_t devcert_length; /* Length of device certificate */
const u8 *dicacert; /* Device issuer certificate */
size_t dicacert_length; /* Length of device issuer certificate */
const u8 *devcert_chr; /* Device certificate CHR */
size_t devcert_chr_length; /* Length of device certificate CHR */
const u8 *dicacert_chr; /* Device issuer certificate CHR */
size_t dicacert_chr_length; /* Device issuer certificate CHR length */
} sc_cardctl_sc_hsm_public_key_t;

/*
* isoApplet
*/
Expand Down
Loading