static int sc_pkcs15emu_sc_hsm_add_pubkey(sc_pkcs15_card_t *p15card, sc_pkcs15_prkey_info_t *key_info, char *label)
{
struct sc_context *ctx = p15card->card->ctx;
sc_card_t *card = p15card->card;
sc_pkcs15_pubkey_info_t pubkey_info;
sc_pkcs15_object_t pubkey_obj;
struct sc_pkcs15_pubkey pubkey;
u8 efbin[1024];
sc_cvc_t cvc;
u8 *cvcpo;
size_t cvclen;
int r;
/* EF.CERT is selected */
r = sc_read_binary(p15card->card, 0, efbin, sizeof(efbin), 0);
LOG_TEST_RET(ctx, r, "Could not read CSR from EF");
cvcpo = efbin;
cvclen = r;
memset(&cvc, 0, sizeof(cvc));
r = sc_pkcs15emu_sc_hsm_decode_cvc(p15card, (const u8 **)&cvcpo, &cvclen, &cvc);
LOG_TEST_RET(ctx, r, "Could decode certificate signing request");
memset(&pubkey, 0, sizeof(pubkey));
r = sc_pkcs15emu_sc_hsm_get_public_key(ctx, &cvc, &pubkey);
LOG_TEST_RET(card->ctx, r, "Could not extract public key");
memset(&pubkey_info, 0, sizeof(pubkey_info));
memset(&pubkey_obj, 0, sizeof(pubkey_obj));
r = sc_pkcs15_encode_pubkey(ctx, &pubkey, &pubkey_obj.content.value, &pubkey_obj.content.len);
LOG_TEST_RET(ctx, r, "Could not encode public key");
r = sc_pkcs15_encode_pubkey(ctx, &pubkey, &pubkey_info.direct.raw.value, &pubkey_info.direct.raw.len);
LOG_TEST_RET(ctx, r, "Could not encode public key");
r = sc_pkcs15_encode_pubkey_as_spki(ctx, &pubkey, &pubkey_info.direct.spki.value, &pubkey_info.direct.spki.len);
LOG_TEST_RET(ctx, r, "Could not encode public key");
pubkey_info.id = key_info->id;
strlcpy(pubkey_obj.label, label, sizeof(pubkey_obj.label));
if (pubkey.algorithm == SC_ALGORITHM_RSA) {
pubkey_info.modulus_length = pubkey.u.rsa.modulus.len << 3;
r = sc_pkcs15emu_add_rsa_pubkey(p15card, &pubkey_obj, &pubkey_info);
} else {
/* TODO fix if support of non multiple of 8 curves are added */
pubkey_info.field_length = cvc.primeOrModuluslen << 3;
r = sc_pkcs15emu_add_ec_pubkey(p15card, &pubkey_obj, &pubkey_info);
}
LOG_TEST_RET(ctx, r, "Could not add public key");
sc_pkcs15emu_sc_hsm_free_cvc(&cvc);
sc_pkcs15_erase_pubkey(&pubkey);
return SC_SUCCESS;
}
static int sc_pkcs15emu_sc_hsm_add_pubkey(sc_pkcs15_card_t *p15card, sc_pkcs15_prkey_info_t *key_info, char *label) {
sc_card_t *card = p15card->card;
sc_pkcs15_pubkey_info_t pubkey_info;
sc_pkcs15_object_t pubkey_obj;
struct sc_pkcs15_pubkey pubkey;
u8 efbin[1024];
sc_cvc_t cvc;
u8 *cvcpo;
size_t cvclen;
int r;
// EF.CERT is selected
r = sc_read_binary(p15card->card, 0, efbin, sizeof(efbin), 0);
LOG_TEST_RET(card->ctx, r, "Could not read CSR from EF");
cvcpo = efbin;
cvclen = r;
memset(&cvc, 0, sizeof(cvc));
r = sc_pkcs15emu_sc_hsm_decode_cvc(p15card, (const u8 **)&cvcpo, &cvclen, &cvc);
LOG_TEST_RET(card->ctx, r, "Could decode certificate signing request");
if (cvc.publicPoint || cvc.publicPointlen) {
// ToDo implement support for EC Public Keys
return SC_SUCCESS;
} else {
pubkey.algorithm = SC_ALGORITHM_RSA;
pubkey.u.rsa.modulus.data = cvc.primeOrModulus;
pubkey.u.rsa.modulus.len = cvc.primeOrModuluslen;
pubkey.u.rsa.exponent.data = cvc.coefficientAorExponent;
pubkey.u.rsa.exponent.len = cvc.coefficientAorExponentlen;
}
memset(&pubkey_info, 0, sizeof(pubkey_info));
memset(&pubkey_obj, 0, sizeof(pubkey_obj));
sc_pkcs15_encode_pubkey(p15card->card->ctx, &pubkey, &pubkey_obj.content.value, &pubkey_obj.content.len);
pubkey_info.id = key_info->id;
strlcpy(pubkey_obj.label, label, sizeof(pubkey_obj.label));
r = sc_pkcs15emu_add_rsa_pubkey(p15card, &pubkey_obj, &pubkey_info);
LOG_TEST_RET(card->ctx, r, "Could not add public key");
sc_pkcs15emu_sc_hsm_free_cvc(&cvc);
return SC_SUCCESS;
}
/*
* Encode a pubkey as a SPKI, useful for pkcs15-tool, and for PKCS#15 files.
*/
int
sc_pkcs15_encode_pubkey_as_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey,
u8 **buf, size_t *len)
{
int r;
struct sc_asn1_entry asn1_spki_key[2],
asn1_spki_key_items[3];
struct sc_pkcs15_u8 pkey;
size_t key_len;
LOG_FUNC_CALLED(ctx);
pkey.value = NULL;
pkey.len = 0;
sc_log(ctx, "Encoding public key with algorithm %i", pubkey->algorithm);
if (!pubkey->alg_id) {
pubkey->alg_id = calloc(1, sizeof(struct sc_algorithm_id));
if (!pubkey->alg_id)
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
sc_init_oid(&pubkey->alg_id->oid);
pubkey->alg_id->algorithm = pubkey->algorithm;
}
/* make sure we have a der encoded value first */
if (pubkey->data.value == NULL){
r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pubkey->data.value, &pubkey->data.len);
LOG_TEST_RET(ctx, r, "public key encoding failed");
}
switch (pubkey->algorithm) {
case SC_ALGORITHM_EC:
/*
* most keys, but not EC have only one encoding.
* For a SPKI, the ecpoint is placed directly in the
* BIT STRING
*/
key_len = pubkey->u.ec.ecpointQ.len * 8;
pkey.value = pubkey->u.ec.ecpointQ.value;
pkey.len = 0; /* flag as do not delete */
/* TODO make sure algorithm params are available*/
/* if not can we copy them from the u.ec */
r = 0;
break;
case SC_ALGORITHM_GOSTR3410:
/* TODO is this needed? does it cause mem leak? */
pubkey->alg_id->params = &pubkey->u.gostr3410.params;
r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len);
key_len = pkey.len * 8;
break;
default:
r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len);
key_len = pkey.len * 8;
break;
}
if (r == 0) {
sc_copy_asn1_entry(c_asn1_spki_key, asn1_spki_key);
sc_copy_asn1_entry(c_asn1_spki_key_items, asn1_spki_key_items);
sc_format_asn1_entry(asn1_spki_key + 0, asn1_spki_key_items, NULL, 1);
sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1);
sc_format_asn1_entry(asn1_spki_key_items + 1, pkey.value, &key_len, 1);
r = sc_asn1_encode(ctx, asn1_spki_key, buf, len);
}
if (pkey.len && pkey.value)
free(pkey.value);
LOG_FUNC_RETURN(ctx, r);
}
int main(int argc, char *argv[])
{
int r, c, long_optind = 0;
sc_context_param_t ctx_param;
sc_card_t *card = NULL;
sc_context_t *ctx = NULL;
sc_file_t *file = NULL;
sc_path_t path;
RSA *rsa = NULL;
BIGNUM *bn = NULL;
BIO *mem = NULL;
static const char *pin = NULL;
static const char *puk = NULL;
while (1)
{
c = getopt_long(argc, argv, "r:wgol:ix:y:nut:fj:k:hv", \
options, &long_optind);
if (c == -1)
break;
if (c == '?' || c == 'h')
util_print_usage_and_die(app_name, options, option_help, NULL);
switch (c)
{
case 'r':
opt_reader = optarg;
break;
case 'w':
opt_wait = 1;
break;
case 'g':
if(keylen == 0) keylen = 1536;
break;
case 'o':
overwrite = 1;
break;
case 'l':
keylen = atoi(optarg);
break;
case 'i':
install_pin = 1;
break;
case 'x':
util_get_pin(optarg, &pin);
break;
case 'y':
util_get_pin(optarg, &puk);
break;
case 'n':
new_pin = 1;
break;
case 'u':
unlock = 1;
break;
case 't':
cert = optarg;
break;
case 'f':
finalize = 1;
break;
case 'j':
get_filename = optarg;
break;
case 'k':
put_filename = optarg;
break;
case 'v':
verbose++;
break;
}
}
memset(&ctx_param, 0, sizeof(ctx_param));
ctx_param.ver = 0;
ctx_param.app_name = argv[0];
r = sc_context_create(&ctx, &ctx_param);
if (r)
{
printf("Failed to establish context: %s\n", sc_strerror(r));
return 1;
}
if (verbose > 1) {
ctx->debug = verbose;
sc_ctx_log_to_file(ctx, "stderr");
}
if (opt_driver != NULL)
{
r = sc_set_card_driver(ctx, opt_driver);
if (r)
{
printf("Driver '%s' not found!\n", opt_driver);
goto out;
}
}
r = util_connect_card(ctx, &card, opt_reader, opt_wait, 0);
if (r)
goto out;
sc_format_path("3F00", &path);
r = sc_select_file(card, &path, NULL);
if(r) goto out;
if(install_pin)
{
sc_format_path("AAAA", &path);
r = sc_select_file(card, &path, NULL);
if(r)
{
if(r != SC_ERROR_FILE_NOT_FOUND) goto out;
file = sc_file_new();
if(file == NULL)
{
printf("Not enougth memory.\n");
goto out;
}
file->type = SC_FILE_TYPE_INTERNAL_EF;
file->ef_structure = SC_FILE_EF_TRANSPARENT;
file->shareable = 0;
file->id = 0xAAAA;
file->size = 37;
r = sc_file_add_acl_entry(file, SC_AC_OP_READ, SC_AC_NONE, 0);
if(r) goto out;
r = sc_file_add_acl_entry(file, SC_AC_OP_UPDATE, SC_AC_NONE, 0);
if(r) goto out;
r = sc_file_add_acl_entry(file, SC_AC_OP_ERASE, SC_AC_NONE, 0);
if(r) goto out;
/* sc_format_path("3F00AAAA", &(file->path)); */
file->path = path;
r = sc_create_file(card, file);
if(r) goto out;
}
if(pin != NULL)
{
sc_changekey_t ck;
struct sc_pin_cmd_pin pin_cmd;
int ret;
memset(&pin_cmd, 0, sizeof(pin_cmd));
memset(&ck, 0, sizeof(ck));
memcpy(ck.key_template, "\x1e\x00\x00\x10", 4);
pin_cmd.encoding = SC_PIN_ENCODING_GLP;
pin_cmd.len = strlen(pin);
pin_cmd.data = (u8*)pin;
pin_cmd.max_length = 8;
ret = sc_build_pin(ck.new_key.key_value,
sizeof(ck.new_key.key_value), &pin_cmd, 1);
if(ret < 0)
goto out;
ck.new_key.key_len = ret;
r = sc_card_ctl(card, SC_CARDCTL_WESTCOS_CHANGE_KEY, &ck);
if(r) goto out;
}
if(puk != NULL)
{
sc_changekey_t ck;
struct sc_pin_cmd_pin puk_cmd;
int ret;
memset(&puk_cmd, 0, sizeof(puk_cmd));
memset(&ck, 0, sizeof(ck));
memcpy(ck.key_template, "\x1e\x00\x00\x20", 4);
puk_cmd.encoding = SC_PIN_ENCODING_GLP;
puk_cmd.len = strlen(puk);
puk_cmd.data = (u8*)puk;
puk_cmd.max_length = 8;
ret = sc_build_pin(ck.new_key.key_value,
sizeof(ck.new_key.key_value), &puk_cmd, 1);
if(ret < 0)
goto out;
ck.new_key.key_len = ret;
r = sc_card_ctl(card, SC_CARDCTL_WESTCOS_CHANGE_KEY, &ck);
if(r) goto out;
}
}
if(new_pin)
{
if(change_pin(card, 0, pin, puk))
printf("Wrong pin.\n");
goto out;
}
if(unlock)
{
if(unlock_pin(card, 0, puk, pin))
printf("Error unblocking pin.\n");
goto out;
}
printf("verify pin.\n");
{
if(verify_pin(card, 0, pin))
{
printf("Wrong pin.\n");
goto out;
}
}
if(keylen)
{
size_t lg;
struct sc_pkcs15_pubkey key;
struct sc_pkcs15_pubkey_rsa *dst = &(key.u.rsa);
u8 *pdata;
memset(&key, 0, sizeof(key));
key.algorithm = SC_ALGORITHM_RSA;
printf("Generate key of length %d.\n", keylen);
#if OPENSSL_VERSION_NUMBER>=0x00908000L
rsa = RSA_new();
bn = BN_new();
mem = BIO_new(BIO_s_mem());
if(rsa == NULL || bn == NULL || mem == NULL)
{
printf("Not enougth memory.\n");
goto out;
}
if(!BN_set_word(bn, RSA_F4) ||
!RSA_generate_key_ex(rsa, keylen, bn, NULL))
#else
rsa = RSA_generate_key(keylen, RSA_F4, NULL, NULL);
mem = BIO_new(BIO_s_mem());
if(mem == NULL)
{
printf("Not enougth memory.\n");
goto out;
}
if (!rsa)
#endif
{
printf("RSA_generate_key_ex return %ld\n", ERR_get_error());
goto out;
}
RSA_set_method(rsa, RSA_PKCS1_OpenSSL());
if(!i2d_RSAPrivateKey_bio(mem, rsa))
{
printf("i2d_RSAPrivateKey_bio return %ld\n", ERR_get_error());
goto out;
}
lg = BIO_get_mem_data(mem, &pdata);
sc_format_path("0001", &path);
r = sc_select_file(card, &path, NULL);
if(r)
{
if(r != SC_ERROR_FILE_NOT_FOUND) goto out;
file = sc_file_new();
if(file == NULL)
{
printf("Not enougth memory.\n");
goto out;
}
file->type = SC_FILE_TYPE_WORKING_EF;
file->ef_structure = SC_FILE_EF_TRANSPARENT;
file->shareable = 0;
file->size = ((lg/4)+1)*4;
r = sc_file_add_acl_entry(file, SC_AC_OP_READ, SC_AC_CHV, 0);
if(r) goto out;
r = sc_file_add_acl_entry(file, SC_AC_OP_UPDATE, SC_AC_CHV, 0);
if(r) goto out;
r = sc_file_add_acl_entry(file, SC_AC_OP_ERASE, SC_AC_CHV, 0);
if(r) goto out;
file->path = path;
printf("File key creation %s, size %"SC_FORMAT_LEN_SIZE_T"d.\n",
file->path.value,
file->size);
r = sc_create_file(card, file);
if(r) goto out;
}
else
{
if(!overwrite)
{
printf("Key file already exist,"\
" use -o to replace it.\n");
goto out;
}
}
printf("Private key length is %"SC_FORMAT_LEN_SIZE_T"d\n", lg);
printf("Write private key.\n");
r = sc_update_binary(card,0,pdata,lg,0);
if(r<0) goto out;
printf("Private key correctly written.\n");
r = create_file_cert(card);
if(r) goto out;
{
const BIGNUM *rsa_n, *rsa_e;
RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL);
if (!do_convert_bignum(&dst->modulus, rsa_n)
|| !do_convert_bignum(&dst->exponent, rsa_e))
goto out;
}
r = sc_pkcs15_encode_pubkey(ctx, &key, &pdata, &lg);
if(r) goto out;
printf("Public key length %"SC_FORMAT_LEN_SIZE_T"d\n", lg);
sc_format_path("3F000002", &path);
r = sc_select_file(card, &path, NULL);
if(r) goto out;
printf("Write public key.\n");
r = sc_update_binary(card,0,pdata,lg,0);
if(r<0) goto out;
printf("Public key correctly written.\n");
}
if(cert)
{
BIO *bio;
X509 *xp;
u8 *pdata;
bio = BIO_new(BIO_s_file());
if (BIO_read_filename(bio, cert) <= 0)
{
BIO_free(bio);
printf("Can't open file %s.\n", cert);
goto out;
}
xp = PEM_read_bio_X509(bio, NULL, NULL, NULL);
BIO_free(bio);
if (xp == NULL)
{
print_openssl_error();
goto out;
}
else
{
int lg = cert2der(xp, &pdata);
sc_format_path("0002", &path);
r = sc_select_file(card, &path, NULL);
if(r) goto out;
/* FIXME: verify if the file has a compatible size... */
printf("Write certificate %s.\n", cert);
r = sc_update_binary(card,0,pdata,lg,0);
if(r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED)
{
if(verify_pin(card, 0, pin))
{
printf("Wrong pin.\n");
}
else
{
r = sc_update_binary(card,0,pdata,lg,0);
}
}
if(r<0)
{
if(pdata) free(pdata);
goto out;
}
if(xp) X509_free(xp);
if(pdata) free(pdata);
printf("Certificate correctly written.\n");
}
}
if(finalize)
{
int mode = SC_CARDCTRL_LIFECYCLE_USER;
if(card->atr.value[10] != 0x82)
{
sc_format_path("0001", &path);
r = sc_select_file(card, &path, NULL);
if(r)
{
printf("This card don't have private key"\
" and can't be finalize.\n");
goto out;
}
printf("Finalize card...\n");
if(sc_card_ctl(card, SC_CARDCTL_WESTCOS_AUT_KEY, NULL) ||
sc_card_ctl(card, SC_CARDCTL_LIFECYCLE_SET, &mode))
{
printf("Error finalizing card,"\
" card isn't secure.\n");
goto out;
}
}
printf("Card correctly finalized.\n");
}
if(get_filename)
{
FILE *fp;
u8 *b;
if(file)
{
sc_file_free(file);
file = NULL;
}
sc_format_path(get_filename, &path);
r = sc_select_file(card, &path, &file);
if(r)
{
printf("Error file not found.\n");
goto out;
}
b = malloc(file->size);
if(b == NULL)
{
printf("Not enougth memory.\n");
goto out;
}
r = sc_read_binary(card, 0, b, file->size, 0);
if(r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED)
{
if(verify_pin(card, 0, pin))
{
printf("Wrong pin.\n");
goto out;
}
r = sc_read_binary(card, 0, b, file->size, 0);
}
if(r<0)
{
printf("Error reading file.\n");
goto out;
}
fp = fopen(get_filename, "wb");
fwrite(b, 1, file->size, fp);
fclose(fp);
free(b);
}
if(put_filename)
{
FILE *fp;
u8 *b;
if(file)
{
sc_file_free(file);
file = NULL;
}
sc_format_path(put_filename, &path);
r = sc_select_file(card, &path, &file);
if(r)
{
printf("File not found.\n");
goto out;
}
b = malloc(file->size);
if(b == NULL)
{
printf("Not enougth memory.\n");
goto out;
}
memset(b, 0, file->size);
fp = fopen(put_filename, "rb");
fread(b, 1, file->size, fp);
fclose(fp);
r = sc_update_binary(card, 0, b, file->size, 0);
if(r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED)
{
if(verify_pin(card, 0, pin))
{
printf("Wrong pin.\n");
}
else
{
r = sc_update_binary(card, 0, b, file->size, 0);
}
}
if(r<0)
{
free(b);
printf("Error writing file.\n");
goto out;
}
free(b);
}
out:
if(mem)
BIO_free(mem);
if(bn)
BN_free(bn);
if(rsa)
RSA_free(rsa);
if(file)
sc_file_free(file);
if (card)
{
sc_unlock(card);
sc_disconnect_card(card);
}
sc_release_context(ctx);
return EXIT_SUCCESS;
}
