From c706491fc9b08d4cc6d7b254cf936d6b8d8691bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nguy=E1=BB=85n=20H=E1=BB=93ng=20Qu=C3=A2n?= Date: Wed, 20 Feb 2013 11:54:30 +0700 Subject: [PATCH 01/18] OpenPGP: Detect and support Gnuk Token. http://www.fsij.org/gnuk/ --- src/libopensc/card-openpgp.c | 61 ++++++++++++++++++++++++++++++++++---------- src/libopensc/cards.h | 1 + src/tools/openpgp-tool.c | 9 +++++-- 3 files changed, 56 insertions(+), 15 deletions(-) diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c index 743e79c..716052b 100644 --- a/src/libopensc/card-openpgp.c +++ b/src/libopensc/card-openpgp.c @@ -43,6 +43,7 @@ static struct sc_atr_table pgp_atrs[] = { { "3b:fa:13:00:ff:81:31:80:45:00:31:c1:73:c0:01:00:00:90:00:b1", NULL, "OpenPGP card v1.0/1.1", SC_CARD_TYPE_OPENPGP_V1, 0, NULL }, { "3b:da:18:ff:81:b1:fe:75:1f:03:00:31:c5:73:c0:01:40:00:90:00:0c", NULL, "CryptoStick v1.2 (OpenPGP v2.0)", SC_CARD_TYPE_OPENPGP_V2, 0, NULL }, + { "3b:da:11:ff:81:b1:fe:55:1f:03:00:31:84:73:80:01:80:00:90:00:e4", NULL, "Gnuk v1.0.x (OpenPGP v2.0)", SC_CARD_TYPE_OPENPGP_GNUK, 0, NULL }, { NULL, NULL, NULL, 0, 0, NULL } }; @@ -307,6 +308,8 @@ pgp_init(sc_card_t *card) int r; struct blob *child = NULL; + LOG_FUNC_CALLED(card->ctx); + priv = calloc (1, sizeof *priv); if (!priv) return SC_ERROR_OUT_OF_MEMORY; @@ -315,11 +318,11 @@ pgp_init(sc_card_t *card) card->cla = 0x00; /* set pointer to correct list of card objects */ - priv->pgp_objects = (card->type == SC_CARD_TYPE_OPENPGP_V2) + priv->pgp_objects = (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK) ? pgp2_objects : pgp1_objects; /* set detailed card version */ - priv->bcd_version = (card->type == SC_CARD_TYPE_OPENPGP_V2) + priv->bcd_version = (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK) ? OPENPGP_CARD_2_0 : OPENPGP_CARD_1_1; /* select application "OpenPGP" */ @@ -428,7 +431,8 @@ pgp_get_card_features(sc_card_t *card) if ((pgp_get_blob(card, blob73, 0x00c0, &blob) >= 0) && (blob->data != NULL) && (blob->len > 0)) { /* in v2.0 bit 0x04 in first byte means "algorithm attributes changeable */ - if ((blob->data[0] & 0x04) && (card->type == SC_CARD_TYPE_OPENPGP_V2)) + if ((blob->data[0] & 0x04) && + (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK)) priv->ext_caps |= EXT_CAP_ALG_ATTR_CHANGEABLE; /* bit 0x08 in first byte means "support for private use DOs" */ if (blob->data[0] & 0x08) @@ -445,7 +449,8 @@ pgp_get_card_features(sc_card_t *card) priv->ext_caps |= EXT_CAP_GET_CHALLENGE; } /* in v2.0 bit 0x80 in first byte means "support Secure Messaging" */ - if ((blob->data[0] & 0x80) && (card->type == SC_CARD_TYPE_OPENPGP_V2)) + if ((blob->data[0] & 0x80) && + (card->type == SC_CARD_TYPE_OPENPGP_V2 || card->type == SC_CARD_TYPE_OPENPGP_GNUK)) priv->ext_caps |= EXT_CAP_SM; if ((priv->bcd_version >= OPENPGP_CARD_2_0) && (blob->len >= 10)) { @@ -1055,12 +1060,18 @@ static int pgp_get_pubkey(sc_card_t *card, unsigned int tag, u8 *buf, size_t buf_len) { sc_apdu_t apdu; + u8 apdu_case = SC_APDU_CASE_4; u8 idbuf[2]; int r; sc_log(card->ctx, "called, tag=%04x\n", tag); - sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x47, 0x81, 0); + /* With Gnuk token, force to use short APDU */ + if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) { + apdu_case = SC_APDU_CASE_4_SHORT; + } + + sc_format_apdu(card, &apdu, apdu_case, 0x47, 0x81, 0); apdu.lc = 2; apdu.data = ushort2bebytes(idbuf, tag); apdu.datalen = 2; @@ -1152,6 +1163,7 @@ pgp_put_data(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len) u8 ins = 0xDA; u8 p1 = tag >> 8; u8 p2 = tag & 0xFF; + u8 apdu_case = SC_APDU_CASE_3; int r; LOG_FUNC_CALLED(card->ctx); @@ -1193,13 +1205,17 @@ pgp_put_data(sc_card_t *card, unsigned int tag, const u8 *buf, size_t buf_len) /* Build APDU */ if (buf != NULL && buf_len > 0) { - sc_format_apdu(card, &apdu, SC_APDU_CASE_3, ins, p1, p2); + /* Force short APDU for Gnuk */ + if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) { + apdu_case = SC_APDU_CASE_3_SHORT; + } + sc_format_apdu(card, &apdu, apdu_case, ins, p1, p2); /* if card/reader does not support extended APDUs, but chaining, then set it */ if (((card->caps & SC_CARD_CAP_APDU_EXT) == 0) && (priv->ext_caps & EXT_CAP_CHAINING)) apdu.flags |= SC_APDU_FLAGS_CHAINING; - apdu.data = buf; + apdu.data = (u8 *)buf; apdu.datalen = buf_len; apdu.lc = buf_len; } @@ -1326,6 +1342,7 @@ pgp_compute_signature(sc_card_t *card, const u8 *data, struct pgp_priv_data *priv = DRVDATA(card); sc_security_env_t *env = &priv->sec_env; sc_apdu_t apdu; + u8 apdu_case = SC_APDU_CASE_4; int r; LOG_FUNC_CALLED(card->ctx); @@ -1334,14 +1351,19 @@ pgp_compute_signature(sc_card_t *card, const u8 *data, LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS, "invalid operation"); + /* Force short APDU for Gnuk Token */ + if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) { + apdu_case = SC_APDU_CASE_4_SHORT; + } + switch (env->key_ref[0]) { case 0x00: /* signature key */ /* PSO SIGNATURE */ - sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x9E, 0x9A); + sc_format_apdu(card, &apdu, apdu_case, 0x2A, 0x9E, 0x9A); break; case 0x02: /* authentication key */ /* INTERNAL AUTHENTICATE */ - sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x88, 0, 0); + sc_format_apdu(card, &apdu, apdu_case, 0x88, 0, 0); break; case 0x01: default: @@ -1350,7 +1372,7 @@ pgp_compute_signature(sc_card_t *card, const u8 *data, } apdu.lc = data_len; - apdu.data = data; + apdu.data = (u8 *)data; apdu.datalen = data_len; apdu.le = ((outlen >= 256) && !(card->caps & SC_CARD_CAP_APDU_EXT)) ? 256 : outlen; apdu.resp = out; @@ -1374,6 +1396,7 @@ pgp_decipher(sc_card_t *card, const u8 *in, size_t inlen, struct pgp_priv_data *priv = DRVDATA(card); sc_security_env_t *env = &priv->sec_env; sc_apdu_t apdu; + u8 apdu_case = SC_APDU_CASE_4; u8 *temp = NULL; int r; @@ -1398,7 +1421,7 @@ pgp_decipher(sc_card_t *card, const u8 *in, size_t inlen, case 0x01: /* Decryption key */ case 0x02: /* authentication key */ /* PSO DECIPHER */ - sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x80, 0x86); + sc_format_apdu(card, &apdu, apdu_case, 0x2A, 0x80, 0x86); break; case 0x00: /* signature key */ default: @@ -1407,8 +1430,13 @@ pgp_decipher(sc_card_t *card, const u8 *in, size_t inlen, "invalid key reference"); } + /* Gnuk only supports short APDU, so we need to use command chaining */ + if (card->type == SC_CARD_TYPE_OPENPGP_GNUK) { + apdu.flags |= SC_APDU_FLAGS_CHAINING; + } + apdu.lc = inlen; - apdu.data = in; + apdu.data = (u8 *)in; apdu.datalen = inlen; apdu.le = ((outlen >= 256) && !(card->caps & SC_CARD_CAP_APDU_EXT)) ? 256 : outlen; apdu.resp = out; @@ -1794,6 +1822,11 @@ static int pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_in LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); } + if (card->type == SC_CARD_TYPE_OPENPGP_GNUK && key_info->modulus_len != 2048) { + sc_log(card->ctx, "Gnuk does not support other key length than 2048."); + LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); + } + /* Set attributes for new-generated key */ r = pgp_update_new_algo_attr(card, key_info); LOG_TEST_RET(card->ctx, r, "Cannot set attributes for new-generated key"); @@ -1801,7 +1834,9 @@ static int pgp_gen_key(sc_card_t *card, sc_cardctl_openpgp_keygen_info_t *key_in /* Test whether we will need extended APDU. 1900 is an * arbitrary modulus length which for sure fits into a short APDU. * This idea is borrowed from GnuPG code. */ - if (card->caps & SC_CARD_CAP_APDU_EXT && key_info->modulus_len > 1900) { + if (card->caps & SC_CARD_CAP_APDU_EXT + && key_info->modulus_len > 1900 + && card->type != SC_CARD_TYPE_OPENPGP_GNUK) { /* We won't store to apdu variable yet, because it will be reset in * sc_format_apdu() */ apdu_le = card->max_recv_size; diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h index 0fbf9ca..01b08fd 100644 --- a/src/libopensc/cards.h +++ b/src/libopensc/cards.h @@ -104,6 +104,7 @@ enum { SC_CARD_TYPE_OPENPGP_BASE = 9000, SC_CARD_TYPE_OPENPGP_V1, SC_CARD_TYPE_OPENPGP_V2, + SC_CARD_TYPE_OPENPGP_GNUK, /* jcop driver */ SC_CARD_TYPE_JCOP_BASE = 10000, diff --git a/src/tools/openpgp-tool.c b/src/tools/openpgp-tool.c index 7058aaa..8b5e327 100644 --- a/src/tools/openpgp-tool.c +++ b/src/tools/openpgp-tool.c @@ -32,6 +32,7 @@ #include "libopensc/asn1.h" #include "libopensc/cards.h" #include "libopensc/cardctl.h" +#include "libopensc/log.h" #include "util.h" #define OPT_RAW 256 @@ -216,7 +217,7 @@ static void display_data(const struct ef_name_map *mapping, char *value) } else { const char *label = mapping->name; - printf("%s:%*s%s\n", label, 10-strlen(label), "", value); + printf("%s:%*s%s\n", label, 10 - (int)strlen(label), "", value); } } } @@ -390,6 +391,8 @@ int do_genkey(sc_card_t *card, u8 key_id, unsigned int key_len) sc_path_t path; sc_file_t *file; + LOG_FUNC_CALLED(card->ctx); + if (key_id < 1 || key_id > 3) { printf("Unknown key ID %d.\n", key_id); return 1; @@ -481,8 +484,10 @@ int main(int argc, char **argv) /* check card type */ if ((card->type != SC_CARD_TYPE_OPENPGP_V1) && - (card->type != SC_CARD_TYPE_OPENPGP_V2)) { + (card->type != SC_CARD_TYPE_OPENPGP_V2) && + (card->type != SC_CARD_TYPE_OPENPGP_GNUK)) { util_error("not an OpenPGP card"); + sc_log(card->ctx, "Card type %X", card->type); exit_status = EXIT_FAILURE; goto out; } -- 1.9.3