void EstEIDKeyRecord::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls) {
FLOG;
// @@@ Key 1 has any acl for sign, key 2 has pin1 acl, and key3 has pin1
// acl with auto-lock which we express as a prompted password subject.
if (!mAclEntries) {
mAclEntries.allocator(Allocator::standard());
// Anyone can read the DB record for this key (which is a reference
// CSSM_KEY)
mAclEntries.add(CssmClient::AclFactory::AnySubject(mAclEntries.allocator()), AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
// Using this key to sign or decrypt will require PIN1
// mAclEntries.add(CssmClient::AclFactory::PinSubject( mAclEntries.allocator(), 1), AclAuthorizationSet((mSignOnly ? CSSM_ACL_AUTHORIZATION_SIGN : CSSM_ACL_AUTHORIZATION_DECRYPT), 0));
char tmptag[20];
int pinNum = 1;
// This is hardcoded for now.
// Apparently, more than one PIN slot is not supported.
snprintf(tmptag, sizeof(tmptag), "PIN%d", pinNum);
// PIN needs to be entered only once if this key is associated with PIN #1
// and doesn't have the user consent bit set
mAclEntries.add(CssmClient::AclFactory::PinSubject(mAclEntries.allocator(), pinNum),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_ENCRYPT,
CSSM_ACL_AUTHORIZATION_DECRYPT,
CSSM_ACL_AUTHORIZATION_SIGN,
CSSM_ACL_AUTHORIZATION_MAC,
CSSM_ACL_AUTHORIZATION_DERIVE,
0), tmptag);
}
count = mAclEntries.size();
acls = mAclEntries.entries();
}
void PIVKeyRecord::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
if (!mAclEntries) {
mAclEntries.allocator(Allocator::standard());
// Anyone can read the DB record for this key (which is a reference
// CSSM_KEY)
mAclEntries.add(CssmClient::AclFactory::AnySubject(
mAclEntries.allocator()),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
CssmData prompt;
char tmptag[20];
const uint32 slot = 1; // hardwired for now, but...
snprintf(tmptag, sizeof(tmptag), "PIN%d", slot);
if(isUserConsent()) { // PIN1 must be entered every time
mAclEntries.add(
CssmClient::AclFactory::PromptPWSubject(mAclEntries.allocator(), prompt),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_SIGN, CSSM_ACL_AUTHORIZATION_DECRYPT, 0),
tmptag);
} else {
// Using this key to sign or decrypt will require PIN1
mAclEntries.add(CssmClient::AclFactory::PinSubject(
mAclEntries.allocator(), 1),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_SIGN, CSSM_ACL_AUTHORIZATION_DECRYPT, 0),
tmptag);
}
}
count = mAclEntries.size();
acls = mAclEntries.entries();
}
void BELPICKeyRecord::getAcl(const char *tag, uint32 & count,
AclEntryInfo * &acls)
{
// @@@ Key 1 has any acl for sign, key 2 has pin1 acl, and key3 has pin1
// acl with auto-lock which we express as a prompted password subject.
if (!mAclEntries)
{
mAclEntries.allocator(Allocator::standard());
// Anyone can read the DB record for this key (which is a reference
// CSSM_KEY)
mAclEntries.
add(CssmClient::AclFactory::
AnySubject(mAclEntries.allocator()),
AclAuthorizationSet
(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
// Setup the remainder of the acl based on the key type.
//PIN1 is hardcoded for now
// Apparently, PINS other than '1' are not yet supported by TokenD.
char tmptag[20];
snprintf(tmptag, sizeof(tmptag), "PIN%d", 1);
if (*mKeyId == 0x82)
{
if (mPPDU == true)
{
mAclEntries.
add(CssmClient::AclFactory::
AnySubject(mAclEntries.
allocator()),
AclAuthorizationSet
(CSSM_ACL_AUTHORIZATION_SIGN, 0),
tmptag);
} else
{
mAclEntries.
add(CssmClient::AclFactory::
PinSubject(mAclEntries.
allocator(), 1),
AclAuthorizationSet
(CSSM_ACL_AUTHORIZATION_SIGN, 0),
tmptag);
}
} else if (*mKeyId == 0x83)
{
CssmData prompt;
mAclEntries.
add(CssmClient::AclFactory::
PromptPWSubject(mAclEntries.allocator(),
prompt),
AclAuthorizationSet
(CSSM_ACL_AUTHORIZATION_SIGN, 0), tmptag);
}
}
count = mAclEntries.size();
acls = mAclEntries.entries();
}
void PIVProtectedRecord::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
if (!mAclEntries) {
mAclEntries.allocator(Allocator::standard());
// Reading this object's data requires PIN1
mAclEntries.add(CssmClient::AclFactory::PinSubject(
mAclEntries.allocator(), 1),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
}
count = mAclEntries.size();
acls = mAclEntries.entries();
}
void OpenSCCertificateRecord::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
sc_debug(mToken->mScCtx, "In OpenSCCertificateRecord::getAcl, tag is: %s\n", tag);
if (!mAclEntries) {
mAclEntries.allocator(Allocator::standard());
// certificates are for public inspection
mAclEntries.add(CssmClient::AclFactory::AnySubject(
mAclEntries.allocator()),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
}
count = mAclEntries.size();
acls = mAclEntries.entries();
sc_debug(mToken->mScCtx, " returned %d ACL entries\n", count);
}
void OpenSCKeyRecord::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
sc_debug(mToken->mScCtx, "In OpenSCKeyRecord::getAcl, tag is: %s\n", tag);
if (!mAclEntries) {
mAclEntries.allocator(Allocator::standard());
// Anyone can read the DB record for this key (which is a reference CSSM_KEY)
sc_debug(mToken->mScCtx, "DB read for a reference key object is always OK\n");
// Anyone can read the DB record for this key (which is a reference
// CSSM_KEY)
mAclEntries.add(CssmClient::AclFactory::AnySubject(
mAclEntries.allocator()),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
// The pinNum uniquely identifies the AuthID of the PIN needed to use this key,
// so when OpenSCToken::verifyPIN() is called with this pinNum, we know which
// PIN we have to verify
int pinNum = mToken->getRefFromPinMap(&mPrKeyObj->auth_id);
sc_debug(mToken->mScCtx, " auth_id for PIN: %s, pinNum = %d\n",
sc_pkcs15_print_id(&mPrKeyObj->auth_id), pinNum);
if (pinNum != -1) {
char tmptag[20];
// This is hardcoded for now.
// Apparently, more than one PIN slot is not supported.
snprintf(tmptag, sizeof(tmptag), "PIN%d", 1);
if(mObject->user_consent) {
// PIN for this key must be entered every time
// This will be used for user consent keys like the non repudiation keys
// from national eID cards)
CssmData prompt;
mAclEntries.add(CssmClient::AclFactory::PromptPWSubject(mAclEntries.allocator(), prompt),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_SIGN,
0), tmptag);
} else if (pinNum == 1) {
// PIN needs to be entered only once if this key is associated with PIN #1
// and doesn't have the user consent bit set
mAclEntries.add(CssmClient::AclFactory::PinSubject(mAclEntries.allocator(), pinNum),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_ENCRYPT,
CSSM_ACL_AUTHORIZATION_DECRYPT,
CSSM_ACL_AUTHORIZATION_SIGN,
CSSM_ACL_AUTHORIZATION_MAC,
CSSM_ACL_AUTHORIZATION_DERIVE,
0), tmptag);
} else {
// All other keys without the user consent bit set.
// This is just a temporary workaround, until proper PIN slots are supported.
CssmData prompt;
mAclEntries.add(CssmClient::AclFactory::PromptPWSubject(mAclEntries.allocator(), prompt),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_ENCRYPT,
CSSM_ACL_AUTHORIZATION_DECRYPT,
CSSM_ACL_AUTHORIZATION_SIGN,
CSSM_ACL_AUTHORIZATION_MAC,
CSSM_ACL_AUTHORIZATION_DERIVE,
0), tmptag);
}
}
}
count = mAclEntries.size();
acls = mAclEntries.entries();
// Notify the tokend object with the PIN it should verify
mToken->setCurrentPIN(mToken->getRefFromPinMap(&mPrKeyObj->auth_id));
sc_debug(mToken->mScCtx, " retuning %d ACL entries\n", count);
}