pool/coolkey
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7fbf4fb2e0
coolkey/coolkey-1.1.0-rhel7-alt-cac.patch

859 lines
27 KiB
Diff
Raw Normal View History

Accepting request 511246 from home:AndreasStieger:branches:security:chipcard bsc#1049213 OBS-URL: https://build.opensuse.org/request/show/511246 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/coolkey?expand=0&rev=17
2017-07-21 13:25:57 +02:00
diff -up ./src/coolkey/coolkey.cpp.alt-cac ./src/coolkey/coolkey.cpp
--- ./src/coolkey/coolkey.cpp.alt-cac 2016-12-01 15:37:49.106167768 -0800
+++ ./src/coolkey/coolkey.cpp 2016-12-01 15:37:49.113167892 -0800
@@ -80,9 +80,16 @@ ecMechanismList[] = {
{CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},
{CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }
};
+static const MechInfo
+allMechanismList[] = {
+ {CKM_RSA_PKCS, { 1024, 4096, CKF_HW | CKF_SIGN | CKF_DECRYPT } },
+ {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},
+ {CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }
+};
unsigned int numRSAMechanisms = sizeof(rsaMechanismList)/sizeof(MechInfo);
unsigned int numECMechanisms = sizeof(ecMechanismList)/sizeof(MechInfo);
+unsigned int numAllMechanisms = sizeof(allMechanismList)/sizeof(MechInfo);
/* ------------------------------------------------------------ */
@@ -382,13 +389,22 @@ C_GetMechanismList(CK_SLOT_ID slotID, CK
return CKR_TOKEN_NOT_PRESENT;
}
- if ( slot->getIsECC()) {
+ switch (slot->getAlgs()) {
+ case ALG_ECC|ALG_RSA:
+ mechanismList = allMechanismList;
+ numMechanisms = numAllMechanisms;
+ break;
+ case ALG_ECC:
mechanismList = ecMechanismList;
numMechanisms = numECMechanisms;
- } else {
+ break;
+ case ALG_NONE:
+ case ALG_RSA:
+ default:
mechanismList = rsaMechanismList;
numMechanisms = numRSAMechanisms;
- }
+ break;
+ }
if( pMechanismList != NULL ) {
if( *pulCount < numMechanisms ) {
@@ -438,13 +454,22 @@ C_GetMechanismInfo(CK_SLOT_ID slotID, CK
return CKR_TOKEN_NOT_PRESENT;
}
- if ( slot->getIsECC()) {
+ switch (slot->getAlgs()) {
+ case ALG_ECC|ALG_RSA:
+ mechanismList = allMechanismList;
+ numMechanisms = numAllMechanisms;
+ break;
+ case ALG_ECC:
mechanismList = ecMechanismList;
numMechanisms = numECMechanisms;
- } else {
+ break;
+ case ALG_NONE:
+ case ALG_RSA:
+ default:
mechanismList = rsaMechanismList;
numMechanisms = numRSAMechanisms;
- }
+ break;
+ }
for(unsigned int i=0; i < numMechanisms; ++i ) {
if( mechanismList[i].mech == type ) {
diff -up ./src/coolkey/object.cpp.alt-cac ./src/coolkey/object.cpp
--- ./src/coolkey/object.cpp.alt-cac 2016-12-01 15:37:49.097167608 -0800
+++ ./src/coolkey/object.cpp 2016-12-01 15:37:49.114167910 -0800
@@ -1232,7 +1232,7 @@ Reader::Reader(unsigned long muscleObjID
}
-CACPrivKey::CACPrivKey(CKYByte instance, const PKCS11Object &cert) :
+CACPrivKey::CACPrivKey(CKYByte instance, const PKCS11Object &cert,bool isPIV) :
PKCS11Object( ((int)'k') << 24 | ((int)instance+'0') << 16,
instance | 0x400)
{
@@ -1242,7 +1242,9 @@ CACPrivKey::CACPrivKey(CKYByte instance,
/* So we know what the key is supposed to be used for based on
* the instance */
- if (instance == 2) {
+ /* instance 2 is usually a decryption cert. >2 are usually old decryption
+ * certs */
+ if (instance == 2 || (instance > (isPIV ? 3 : 2))) {
decrypt = TRUE;
}
@@ -1305,8 +1307,8 @@ CACPrivKey::CACPrivKey(CKYByte instance,
CKYBuffer_FreeData(&param2);
}
-CACPubKey::CACPubKey(CKYByte instance, const PKCS11Object &cert) :
- PKCS11Object( ((int)'k') << 24 | ((int)(instance+'5')) << 16,
+CACPubKey::CACPubKey(CKYByte instance, const PKCS11Object &cert, bool isPIV) :
+ PKCS11Object( ((int)'k') << 24 | ((int)(instance+'a')) << 16,
instance | 0x500)
{
CKYBuffer id;
@@ -1315,7 +1317,7 @@ CACPubKey::CACPubKey(CKYByte instance, c
/* So we know what the key is supposed to be used for based on
* the instance */
- if (instance == 2) {
+ if (instance == 2 || (instance > (isPIV ? 3 : 2))) {
encrypt = TRUE;
}
@@ -1359,6 +1361,9 @@ CACPubKey::CACPubKey(CKYByte instance, c
setAttribute(CKA_EC_POINT, &param1);
setAttribute(CKA_EC_PARAMS, &param2);
setAttributeULong(CKA_KEY_TYPE, CKK_EC);
+ setAttributeBool(CKA_VERIFY_RECOVER, FALSE);
+ setAttributeBool(CKA_ENCRYPT, FALSE);
+ setAttributeBool(CKA_DERIVE, encrypt);
break;
default:
break;
@@ -1376,6 +1381,26 @@ static const char *CAC_Label[] = {
"CAC ID Certificate",
"CAC Email Signature Certificate",
"CAC Email Encryption Certificate",
+ "CAC Cert 3",
+ "CAC Cert 4",
+ "CAC Cert 5",
+ "CAC Cert 6",
+ "CAC Cert 7",
+ "CAC Cert 8",
+ "CAC Cert 9",
+};
+
+static const char *PIV_Label[] = {
+ "PIV ID Certificate",
+ "PIV Email Signature Certificate",
+ "PIV Email Encryption Certificate",
+ "PIV Card Authentication Certificate",
+ "PIV Cert 4",
+ "PIV Cert 5",
+ "PIV Cert 6",
+ "PIV Cert 7",
+ "PIV Cert 8",
+ "PIV Cert 9",
};
static const unsigned char CN_DATA[] = { 0x55, 0x4, 0x3 };
@@ -1454,7 +1479,7 @@ GetUserName(const CKYBuffer *dn)
return string;
}
-CACCert::CACCert(CKYByte instance, const CKYBuffer *derCert) :
+CACCert::CACCert(CKYByte instance, const CKYBuffer *derCert, bool isPIV) :
PKCS11Object( ((int)'c') << 24 | ((int)instance+'0') << 16,
instance | 0x600)
{
@@ -1471,7 +1496,7 @@ CACCert::CACCert(CKYByte instance, const
setAttribute(CKA_ID, &id);
CKYBuffer_FreeData(&id);
setAttributeULong(CKA_CERTIFICATE_TYPE, CKC_X_509);
- setAttribute(CKA_LABEL, CAC_Label[instance]);
+ setAttribute(CKA_LABEL, isPIV ? PIV_Label[instance] : CAC_Label[instance]);
CKYBuffer derSerial; CKYBuffer_InitEmpty(&derSerial);
CKYBuffer derSubject; CKYBuffer_InitEmpty(&derSubject);
diff -up ./src/coolkey/object.h.alt-cac ./src/coolkey/object.h
--- ./src/coolkey/object.h.alt-cac 2016-12-01 15:37:49.087167430 -0800
+++ ./src/coolkey/object.h 2016-12-01 15:37:49.115167928 -0800
@@ -219,17 +219,17 @@ class Cert : public PKCS11Object {
class CACPrivKey : public PKCS11Object {
public:
- CACPrivKey(CKYByte instance, const PKCS11Object &cert);
+ CACPrivKey(CKYByte instance, const PKCS11Object &cert, bool isPIV);
};
class CACPubKey : public PKCS11Object {
public:
- CACPubKey(CKYByte instance, const PKCS11Object &cert);
+ CACPubKey(CKYByte instance, const PKCS11Object &cert, bool isPIV);
};
class CACCert : public PKCS11Object {
public:
- CACCert(CKYByte instance, const CKYBuffer *derCert);
+ CACCert(CKYByte instance, const CKYBuffer *derCert, bool isPIV);
};
typedef enum { PK15StateInit, PK15StateNeedObject,
diff -up ./src/coolkey/slot.cpp.alt-cac ./src/coolkey/slot.cpp
--- ./src/coolkey/slot.cpp.alt-cac 2016-12-01 15:37:49.110167839 -0800
+++ ./src/coolkey/slot.cpp 2016-12-01 15:57:37.307994776 -0800
@@ -415,8 +415,9 @@ Slot::Slot(const char *readerName_, Log
slotInfoFound(false), context(context_), conn(NULL), state(UNKNOWN),
isVersion1Key(false), needLogin(false), fullTokenName(false),
mCoolkey(false), mOldCAC(false), mCACLocalLogin(false),
- pivContainer(-1), pivKey(-1), mECC(false), p15aid(0), p15odfAddr(0),
- p15tokenInfoAddr(0), p15Instance(0),
+ pivContainer(-1), pivKey(-1), maxCacCerts(MAX_CERT_SLOTS),
+ algs(ALG_NONE), p15aid(0), p15odfAddr(0), p15tokenInfoAddr(0),
+ p15Instance(0),
#ifdef USE_SHMEM
shmem(readerName_),
#endif
@@ -776,6 +777,7 @@ Slot::connectToToken()
state |= PIV_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;
isVersion1Key = 0;
needLogin = true;
+ maxCacCerts = MAX_CERT_SLOTS;
mCoolkey = 0;
mOldCAC = 0;
mCACLocalLogin = getPIVLoginType();
@@ -927,8 +929,12 @@ Slot::getCACAid()
}
/* yes, fill in the old applets */
mOldCAC = true;
+ maxCacCerts = 1;
for (i=1; i< MAX_CERT_SLOTS; i++) {
- CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);
+ status = CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);
+ if (status == CKYSUCCESS) {
+ maxCacCerts = i+1;
+ }
}
return CKYSUCCESS;
}
@@ -986,6 +992,7 @@ Slot::getCACAid()
if (certSlot == 0) {
status = CKYAPDUFAIL; /* probably neeed a beter error code */
}
+ maxCacCerts = certSlot;
done:
CKYBuffer_FreeData(&tBuf);
@@ -2168,12 +2175,11 @@ Slot::addKeyObject(list<PKCS11Object>& o
}
keyObj.completeKey(*iter);
- /* For now this is how we determine what type of key.
- Also for now, allow only one or the other */
+ /* use key object to determine what algorithms we support */
if ( keyObj.getKeyType() == PKCS11Object::ecc) {
- mECC = true;
+ algs = (SlotAlgs) (algs | ALG_ECC);
} else {
- mECC = false;
+ algs = (SlotAlgs) (algs | ALG_RSA);
}
}
@@ -2205,7 +2211,7 @@ Slot::addCertObject(list<PKCS11Object>&
void
Slot::unloadObjects()
{
- mECC = false;
+ algs = ALG_NONE;
tokenObjects.clear();
free(personName);
personName = NULL;
@@ -2269,29 +2275,42 @@ Slot::unloadObjects()
// Shared memory segments are fixed size (equal to the object memory size of
// the token).
//
+//
+//
+
+struct SlotDataPair {
+ unsigned long dataOffset;
+ unsigned long dataSize;
+};
struct SlotSegmentHeader {
unsigned short version;
unsigned short headerSize;
unsigned char valid;
- unsigned char reserved;
+ unsigned char firstCacCert;
unsigned char cuid[10];
- unsigned short reserved2;
+
+ unsigned short reserved;
unsigned short dataVersion;
unsigned short dataHeaderOffset;
unsigned short dataOffset;
unsigned long dataHeaderSize;
unsigned long dataSize;
- unsigned long cert2Offset;
- unsigned long cert2Size;
+ unsigned long nextDataOffset;
+ SlotDataPair cacCerts[MAX_CERT_SLOTS];
};
+const unsigned char NOT_A_CAC=0xff; /* place in firstCacCert field */
+const unsigned short CAC_DATA_VERSION=2;
+
+
#define MAX_OBJECT_STORE_SIZE 15000
//
// previous development versions used a segment prefix of
// "coolkeypk11s"
//
-#define SEGMENT_PREFIX "coolkeypk11s"
+#define SEGMENT_PREFIX "coolkeypk11t" // update segment since the old cache was
+ // incompatible
#define CAC_FAKE_CUID "CAC Certs"
SlotMemSegment::SlotMemSegment(const char *readerName):
segmentAddr(NULL), segmentSize(0), segment(NULL)
@@ -2320,9 +2339,8 @@ SlotMemSegment::SlotMemSegment(const cha
return;
}
- SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
if (needInit) {
- segmentHeader->valid = 0;
+ clearValid(0);
}
segmentSize = segment->getSHMemSize();
}
@@ -2396,6 +2414,18 @@ SlotMemSegment::getDataVersion() const
return segmentHeader->dataVersion;
}
+unsigned char
+SlotMemSegment::getFirstCacCert() const
+{
+ if (!segment) {
+ return NOT_A_CAC;
+ }
+
+ SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
+
+ return segmentHeader->firstCacCert;
+}
+
void
SlotMemSegment::setVersion(unsigned short version)
{
@@ -2419,6 +2449,18 @@ SlotMemSegment::setDataVersion(unsigned
segmentHeader->dataVersion = version;
}
+void
+SlotMemSegment::setFirstCacCert(unsigned char firstCacCert)
+{
+ if (!segment) {
+ return;
+ }
+
+ SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
+
+ segmentHeader->firstCacCert = firstCacCert;
+}
+
bool
SlotMemSegment::isValid() const
{
@@ -2493,23 +2535,13 @@ SlotMemSegment::readCACCert(CKYBuffer *o
int size;
CKYByte *data;
- switch (instance) {
- case 0:
- data = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];
- size = segmentHeader->dataHeaderSize;
- break;
- case 1:
- data = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];
- size = segmentHeader->dataSize;
- break;
- case 2:
- data = (CKYByte *) &segmentAddr[segmentHeader->cert2Offset];
- size = segmentHeader->cert2Size;
- break;
- default:
+ if (instance >= MAX_CERT_SLOTS) {
CKYBuffer_Resize(objData, 0);
return;
}
+ data = (CKYByte *) &segmentAddr[segmentHeader->cacCerts[instance]
+ .dataOffset];
+ size = segmentHeader->cacCerts[instance].dataSize;
CKYBuffer_Replace(objData, 0, data, size);
}
@@ -2523,30 +2555,20 @@ SlotMemSegment::writeCACCert(const CKYBu
SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
int size = CKYBuffer_Size(data);
CKYByte *shmData;
- switch (instance) {
- case 0:
- segmentHeader->headerSize = sizeof *segmentHeader;
- segmentHeader->dataHeaderOffset = sizeof *segmentHeader;
- segmentHeader->dataHeaderSize = size;
- segmentHeader->dataOffset = segmentHeader->dataHeaderOffset + size;
- segmentHeader->dataSize = 0;
- segmentHeader->cert2Offset = segmentHeader->dataOffset;
- segmentHeader->cert2Size = 0;
- shmData = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];
- break;
- case 1:
- segmentHeader->dataSize = size;
- segmentHeader->cert2Offset = segmentHeader->dataOffset + size;
- segmentHeader->cert2Size = 0;
- shmData = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];
- break;
- case 2:
- segmentHeader->cert2Size = size;
- shmData = (CKYByte *) &segmentAddr[segmentHeader->cert2Offset];
- break;
- default:
+
+ if (instance >= MAX_CERT_SLOTS) {
return;
}
+
+ if (segmentHeader->firstCacCert == NOT_A_CAC) {
+ segmentHeader->firstCacCert = instance;
+ }
+ unsigned long dataOffset = segmentHeader->nextDataOffset;
+ segmentHeader->cacCerts[instance].dataOffset = dataOffset;
+ segmentHeader->nextDataOffset += size;
+ segmentHeader->cacCerts[instance].dataSize = size;
+ shmData = (CKYByte *) &segmentAddr[dataOffset];
+
memcpy(shmData, CKYBuffer_Data(data), size);
}
@@ -2558,15 +2580,18 @@ SlotMemSegment::clearValid(CKYByte insta
return;
}
SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;
- switch (instance) {
- case 0:
- segmentHeader->headerSize = 0;
- segmentHeader->dataHeaderSize = 0;
- /* fall through */
- case 1:
- segmentHeader->dataSize = 0;
+
+ segmentHeader->headerSize = sizeof *segmentHeader;
+ segmentHeader->dataHeaderOffset = sizeof *segmentHeader;
+ segmentHeader->dataHeaderSize = 0;
+ segmentHeader->dataSize = 0;
+ for (int i=0; i < MAX_CERT_SLOTS; i++) {
+ segmentHeader->cacCerts[i].dataSize = 0;
}
+ segmentHeader->dataOffset = sizeof *segmentHeader;
+ segmentHeader->nextDataOffset = sizeof *segmentHeader;
segmentHeader->valid = 0;
+ segmentHeader->firstCacCert = NOT_A_CAC;
}
void
@@ -2882,8 +2907,7 @@ berProcess(CKYBuffer *buf, int matchTag,
CKYStatus
-Slot::readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize,
- bool throwException)
+Slot::readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize)
{
CKYStatus status;
CKYISOStatus apduRC;
@@ -2897,9 +2921,6 @@ Slot::readCACCertificateFirst(CKYBuffer
CKYBuffer_InitEmpty(&certInfo);
CKYBuffer_Resize(cert, 0);
status = PIVApplet_GetCertificate(conn, cert, pivContainer, &apduRC);
- if (throwException && (status != CKYSUCCESS)) {
- handleConnectionError();
- }
/* actually, on success, we need to parse the certificate and find the
* propper tag */
if (status == CKYSUCCESS) {
@@ -2940,10 +2961,10 @@ Slot::readCACCertificateFirst(CKYBuffer
if (mOldCAC) {
/* get the first 100 bytes of the cert */
status = CACApplet_GetCertificateFirst(conn, cert, nextSize, &apduRC);
- if (throwException && (status != CKYSUCCESS)) {
- handleConnectionError();
+ if (status == CKYSUCCESS) {
+ return status;
}
- return status;
+ /* try to use CACApplet_ReadFile before we give up */
}
CKYBuffer tBuf;
@@ -2959,11 +2980,11 @@ Slot::readCACCertificateFirst(CKYBuffer
/* handle the new CAC card read */
/* read the TLV */
- status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);
+ status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, &apduRC);
if (status != CKYSUCCESS) {
goto done;
}
- status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);
+ status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, &apduRC);
if (status != CKYSUCCESS) {
goto done;
}
@@ -3199,14 +3220,12 @@ Slot::loadCACCert(CKYByte instance)
CKYStatus status = CKYSUCCESS;
CKYBuffer cert;
CKYBuffer rawCert;
- CKYBuffer shmCert;
CKYSize nextSize;
OSTime time = OSTimeNow();
CKYBuffer_InitEmpty(&cert);
CKYBuffer_InitEmpty(&rawCert);
- CKYBuffer_InitEmpty(&shmCert);
//
// not all CAC cards have all the PKI instances
@@ -3215,78 +3234,24 @@ Slot::loadCACCert(CKYByte instance)
try {
selectCACApplet(instance, false);
} catch(PKCS11Exception& e) {
- // all CAC's must have instance '0', throw the error it
- // they don't.
- if (instance == 0) throw e;
- // If the CAC doesn't have instance '2', and we were updating
- // the shared memory, set it to valid now.
- if ((instance == 2) && !shmem.isValid()) {
- shmem.setValid();
- }
return;
}
log->log("CAC Cert %d: select CAC applet: %d ms\n",
instance, OSTimeNow() - time);
- if (instance == 0) {
- readCACCertificateFirst(&rawCert, &nextSize, true);
-
- if(CKYBuffer_Size(&rawCert) <= 1) {
- handleConnectionError();
- }
- log->log("CAC Cert %d: fetch CAC Cert: %d ms\n",
- instance, OSTimeNow() - time);
- }
-
- unsigned short dataVersion = 1;
- CKYBool needRead = 1;
-
/* see if it matches the shared memory */
- if (shmem.isValid() && shmem.getDataVersion() == dataVersion) {
- shmem.readCACCert(&shmCert, instance);
- CKYSize certSize = CKYBuffer_Size(&rawCert);
- CKYSize shmCertSize = CKYBuffer_Size(&shmCert);
- const CKYByte *shmData = CKYBuffer_Data(&shmCert);
-
- if (instance != 0) {
- needRead = 0;
- }
-
- if (shmCertSize >= certSize) {
- if (memcmp(shmData, CKYBuffer_Data(&rawCert), certSize) == 0) {
- /* yes it does, no need to read the rest of the cert, use
- * the cache */
- CKYBuffer_Replace(&rawCert, 0, shmData, shmCertSize);
- needRead = 0;
- }
- }
- if (!needRead && (shmCertSize == 0)) {
+ if (shmem.isValid() && shmem.getDataVersion() == CAC_DATA_VERSION) {
+ shmem.readCACCert(&rawCert, instance);
+ if (CKYBuffer_Size(&rawCert) == 0) {
/* no cert of this type, just return */
return;
}
- }
- CKYBuffer_FreeData(&shmCert);
-
- if (needRead) {
- /* it doesn't, read the new cert and update the cache */
- if (instance == 0) {
- shmem.clearValid(0);
- shmem.setVersion(SHMEM_VERSION);
- shmem.setDataVersion(dataVersion);
- } else {
- status = readCACCertificateFirst(&rawCert, &nextSize, false);
-
- if ((status != CKYSUCCESS) || (CKYBuffer_Size(&rawCert) <= 1)) {
- /* CAC only requires the Certificate in pki '0' */
- /* if pki '1' or '2' are empty, treat it as a non-fatal error*/
- if (instance == 2) {
- /* we've attempted to read all the certs, shared memory
- * is now valid */
- shmem.setValid();
- }
- return;
- }
+ } else {
+ status = readCACCertificateFirst(&rawCert, &nextSize);
+ if ((status != CKYSUCCESS) || (CKYBuffer_Size(&rawCert) <= 1)) {
+ /*this cert doesn't exist, go to the next one */
+ return;
}
if (nextSize) {
@@ -3298,9 +3263,6 @@ Slot::loadCACCert(CKYByte instance)
handleConnectionError();
}
shmem.writeCACCert(&rawCert, instance);
- if (instance == 2) {
- shmem.setValid();
- }
}
@@ -3368,14 +3330,17 @@ Slot::loadCACCert(CKYByte instance)
log->log("CAC Cert %d: Cert has been uncompressed: %d ms\n",
instance, OSTimeNow() - time);
- CACCert certObj(instance, &cert);
- CACPrivKey privKey(instance, certObj);
- CACPubKey pubKey(instance, certObj);
+ bool isPIV = (bool)((state & PIV_CARD) == PIV_CARD);
+ CACCert certObj(instance, &cert, isPIV);
+ CACPrivKey privKey(instance, certObj, isPIV);
+ CACPubKey pubKey(instance, certObj, isPIV);
tokenObjects.push_back(privKey);
tokenObjects.push_back(pubKey);
tokenObjects.push_back(certObj);
if ( pubKey.getKeyType() == PKCS11Object::ecc) {
- mECC = 1;
+ algs = (SlotAlgs) (algs | ALG_ECC);
+ } else {
+ algs = (SlotAlgs) (algs | ALG_RSA);
}
if (personName == NULL) {
@@ -3388,6 +3353,94 @@ Slot::loadCACCert(CKYByte instance)
}
void
+Slot::initCACShMem(void)
+{
+ bool failed = false;
+
+ unsigned char firstCert = shmem.getFirstCacCert();
+
+ log->log("init CACShMem: \n");
+ /* check to make sure the shared memory is initialized with a CAC card */
+ if (shmem.isValid() && shmem.getDataVersion() == CAC_DATA_VERSION
+ && firstCert != NOT_A_CAC) {
+ CKYBuffer rawCert;
+ CKYBuffer shmCert;
+ CKYSize nextSize;
+
+ log->log("init CACShMem: valid CAC cache found firstCert = %d\n",
+ firstCert);
+ CKYBuffer_InitEmpty(&rawCert);
+ CKYBuffer_InitEmpty(&shmCert);
+
+
+ /* yes, see if it's this cac card by comparing the first cert
+ * in the chain */
+
+ /* see if the first cert is in the expected slot */
+ try {
+ selectCACApplet(firstCert, false);
+ } catch(PKCS11Exception& e) {
+ failed = true;
+ log->log("init CACShMem: applet select failed firstCert = %d\n",
+ firstCert);
+ }
+ if (!failed) {
+ CKYStatus status = readCACCertificateFirst(&rawCert, &nextSize);
+ if ((status != CKYSUCCESS) || CKYBuffer_Size(&rawCert) <= 1) {
+ failed = true;
+ log->log("init CACShMem: read Cert failed firstCert = %d\n",
+ firstCert);
+ }
+ }
+ if (!failed) {
+ shmem.readCACCert(&shmCert, firstCert);
+ CKYSize certSize = CKYBuffer_Size(&rawCert);
+ CKYSize shmCertSize = CKYBuffer_Size(&shmCert);
+ const CKYByte *shmData = CKYBuffer_Data(&shmCert);
+
+ if (shmCertSize >= certSize) {
+ if (memcmp(shmData, CKYBuffer_Data(&rawCert), certSize) == 0) {
+ /* this card is cached, go on and use the cache */
+ log->log("init CACShMem: entries match, using cache\n");
+ CKYBuffer_FreeData(&rawCert);
+ CKYBuffer_FreeData(&shmCert);
+ return;
+ }
+ }
+ log->log("init CACShMem: no entry match certSize=%d"
+ " shmCertSize=%d\n",certSize, shmCertSize);
+ }
+ CKYBuffer_FreeData(&rawCert);
+ CKYBuffer_FreeData(&shmCert);
+ }
+
+ log->log("init CACShMem: starting new cache valid=%d version=%d "
+ " firstCert=%d\n",shmem.isValid(), shmem.getDataVersion(),
+ firstCert);
+ /* cache is either invalid or for another card, start initializing it */
+ shmem.clearValid(0);
+ shmem.setVersion(SHMEM_VERSION);
+ shmem.setDataVersion(CAC_DATA_VERSION);
+}
+
+void
+Slot::verifyCACShMem(void)
+{
+ /* if the memory is valid, then nothing to do */
+ if (shmem.isValid()) {
+ return;
+ }
+ /* if we didn't find any cert fail */
+ if (shmem.getFirstCacCert() == NOT_A_CAC) {
+ shmem.clearValid(0);
+ disconnect();
+ throw PKCS11Exception(CKR_DEVICE_REMOVED);
+ }
+ /* we're all set, let others see our results */
+ shmem.setValid();
+}
+
+void
Slot::loadObjects()
{
// throw away all token objects!
@@ -3406,9 +3459,11 @@ Slot::loadObjects()
std::list<ListObjectInfo>::iterator iter;
if (state & GOV_CARD) {
- loadCACCert(0);
- loadCACCert(1);
- loadCACCert(2);
+ initCACShMem();
+ for (int i=0; i < maxCacCerts; i++) {
+ loadCACCert(i);
+ }
+ verifyCACShMem();
status = trans.end();
loadReaderObject();
return;
@@ -4720,10 +4775,6 @@ Slot::performECCSignature(CKYBuffer *out
CKYStatus status = trans.begin(conn);
if( status != CKYSUCCESS ) handleConnectionError();
- if (!mECC) {
- throw PKCS11Exception(CKR_FUNCTION_NOT_SUPPORTED);
- }
-
CKYISOStatus result;
bool loginAttempted = false;
@@ -4790,9 +4841,6 @@ Slot::performRSAOp(CKYBuffer *output, co
unsigned int keySize, const PKCS11Object *key,
CKYByte direction)
{
- if ( mECC ) {
- throw PKCS11Exception(CKR_FUNCTION_NOT_SUPPORTED);
- }
//
// establish a transaction
@@ -5145,10 +5193,6 @@ Slot::performECCKeyAgreement(CK_MECHANIS
CKYBuffer *publicDataBuffer, CKYBuffer *secretKeyBuffer,
const PKCS11Object *key, unsigned int keySize)
{
- if (!mECC) {
- throw PKCS11Exception(CKR_FUNCTION_NOT_SUPPORTED);
- }
-
Transaction trans;
CKYStatus status = trans.begin(conn);
if( status != CKYSUCCESS ) handleConnectionError();
diff -up ./src/coolkey/slot.h.alt-cac ./src/coolkey/slot.h
--- ./src/coolkey/slot.h.alt-cac 2016-12-01 15:37:49.104167732 -0800
+++ ./src/coolkey/slot.h 2016-12-01 15:37:49.117167964 -0800
@@ -79,9 +79,11 @@ public:
bool CUIDIsEqual(const CKYBuffer *cuid) const;
unsigned short getVersion() const;
unsigned short getDataVersion() const;
+ unsigned char getFirstCacCert() const;
void setCUID(const CKYBuffer *cuid);
void setVersion(unsigned short version);
void setDataVersion(unsigned short version);
+ void setFirstCacCert(unsigned char firstCacCert);
bool isValid() const;
int size() const;
const unsigned char *getCUID() const;
@@ -90,6 +92,7 @@ public:
void setSize(int size);
void readData(CKYBuffer *data) const;
void writeData(const CKYBuffer *data);
+ void initCACHeaders(void);
void readCACCert(CKYBuffer *data, CKYByte instance) const;
void writeCACCert(const CKYBuffer *data, CKYByte instance);
void clearValid(CKYByte instance);
@@ -294,7 +297,13 @@ class CryptParams {
const CKYBuffer *paddedOutput) const = 0;
};
-#define MAX_CERT_SLOTS 3
+#define MAX_CERT_SLOTS 10
+typedef enum {
+ ALG_NONE= 0x0,
+ ALG_ECC = 0x1,
+ ALG_RSA = 0x2
+} SlotAlgs;
+
#define MAX_AUTH_USERS 3
class Slot {
@@ -349,7 +358,8 @@ class Slot {
bool mCACLocalLogin;
int pivContainer;
int pivKey;
- bool mECC;
+ int maxCacCerts;
+ SlotAlgs algs;
unsigned short p15aid;
unsigned short p15odfAddr;
unsigned short p15tokenInfoAddr;
@@ -424,8 +434,7 @@ class Slot {
list<ListObjectInfo> fetchSeparateObjects();
CKYStatus getCACAid();
- CKYStatus readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize,
- bool throwException);
+ CKYStatus readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize);
CKYStatus readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize);
CKYStatus getP15Params();
@@ -485,6 +494,8 @@ class Slot {
void processComputeCrypt(CKYBuffer *result, const CKYAPDU *apdu);
CKYByte objectToKeyNum(const PKCS11Object *key);
+ void initCACShMem(void);
+ void verifyCACShMem(void);
Slot(const Slot &cpy)
#ifdef USE_SHMEM
: shmem(readerName)
@@ -580,7 +591,7 @@ class Slot {
CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, CryptParams& params);
- bool getIsECC() { return mECC; }
+ SlotAlgs getAlgs() { return algs; }
};
class SlotList {
Reference in New Issue Copy Permalink