static void ask_for_password(char **pwd, int *pwdlen)
{
char *refpwd = NULL;
printf( "\nThe DKEK share will be enciphered using a key derived from a user supplied password.\n");
printf( "The security of the DKEK share relies on a well chosen and sufficiently long password.\n");
printf( "The recommended length is more than 10 characters, which are mixed letters, numbers and\n");
printf("symbols.\n\n");
printf( "Please keep the generated DKEK share file in a safe location. We also recommend to keep a\n");
printf( "paper printout, in case the electronic version becomes unavailable. A printable version\n");
printf( "of the file can be generated using \"openssl base64 -in <filename>\".\n");
while (1) {
printf("Enter password to encrypt DKEK share : ");
util_getpass(pwd, NULL, stdin);
printf("\n");
if (strlen(*pwd) < 6) {
printf("Password way to short. Please retry.\n");
continue;
}
printf("Please retype password to confirm : ");
util_getpass(&refpwd, NULL, stdin);
printf("\n");
if (strcmp(*pwd, refpwd)) {
printf("Passwords do not match. Please retry.\n");
continue;
}
*pwdlen = strlen(*pwd);
break;
}
OPENSSL_cleanse(refpwd, strlen(refpwd));
free(refpwd);
}
static void wrap_key(sc_card_t *card, u8 keyid, const char *outf, const char *pin)
{
sc_cardctl_sc_hsm_wrapped_key_t wrapped_key;
struct sc_pin_cmd_data data;
sc_file_t *file = NULL;
sc_path_t path;
FILE *out = NULL;
u8 fid[2];
u8 ef_prkd[MAX_PRKD];
u8 ef_cert[MAX_CERT];
u8 keyblob[MAX_WRAPPED_KEY];
u8 *key;
u8 *ptr;
char *lpin = NULL;
size_t key_len;
int r, ef_prkd_len, ef_cert_len;
if (pin == NULL) {
printf("Enter User PIN : ");
util_getpass(&lpin, NULL, stdin);
printf("\n");
} else {
lpin = (u8 *)pin;
}
memset(&data, 0, sizeof(data));
data.cmd = SC_PIN_CMD_VERIFY;
data.pin_type = SC_AC_CHV;
data.pin_reference = ID_USER_PIN;
data.pin1.data = lpin;
data.pin1.len = strlen(lpin);
r = sc_pin_cmd(card, &data, NULL);
if (r < 0) {
fprintf(stderr, "PIN verification failed with %s\n", sc_strerror(r));
return;
}
if (pin == NULL) {
free(lpin);
}
wrapped_key.key_id = keyid;
r = sc_card_ctl(card, SC_CARDCTL_SC_HSM_WRAP_KEY, (void *)&wrapped_key);
if (r == SC_ERROR_INS_NOT_SUPPORTED) { // Not supported or not initialized for key shares
return;
}
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_SC_HSM_WRAP_KEY, *) failed with %s\n", sc_strerror(r));
return;
}
fid[0] = PRKD_PREFIX;
fid[1] = keyid;
ef_prkd_len = 0;
/* Try to select a related EF containing the PKCS#15 description of the key */
sc_path_set(&path, SC_PATH_TYPE_FILE_ID, fid, sizeof(fid), 0, 0);
r = sc_select_file(card, &path, NULL);
if (r == SC_SUCCESS) {
ef_prkd_len = sc_read_binary(card, 0, ef_prkd, sizeof(ef_prkd), 0);
if (ef_prkd_len < 0) {
fprintf(stderr, "Error reading PRKD file %s. Skipping.\n", sc_strerror(ef_prkd_len));
ef_prkd_len = 0;
} else {
ef_prkd_len = determineLength(ef_prkd, ef_prkd_len);
}
}
fid[0] = EE_CERTIFICATE_PREFIX;
fid[1] = keyid;
ef_cert_len = 0;
/* Try to select a related EF containing the certificate for the key */
sc_path_set(&path, SC_PATH_TYPE_FILE_ID, fid, sizeof(fid), 0, 0);
r = sc_select_file(card, &path, NULL);
if (r == SC_SUCCESS) {
ef_cert_len = sc_read_binary(card, 0, ef_cert, sizeof(ef_cert), 0);
if (ef_cert_len < 0) {
fprintf(stderr, "Error reading certificate %s. Skipping\n", sc_strerror(ef_cert_len));
ef_cert_len = 0;
} else {
ef_cert_len = determineLength(ef_cert, ef_cert_len);
}
}
ptr = keyblob;
// Encode key in octet string object
sc_asn1_write_element(card->ctx, SC_ASN1_OCTET_STRING,
wrapped_key.wrapped_key, wrapped_key.wrapped_key_length,
&key, &key_len);
memcpy(ptr, key, key_len);
ptr += key_len;
free(key);
// Add private key description
if (ef_prkd_len > 0) {
memcpy(ptr, ef_prkd, ef_prkd_len);
ptr += ef_prkd_len;
}
// Add certificate
if (ef_cert_len > 0) {
memcpy(ptr, ef_cert, ef_cert_len);
ptr += ef_cert_len;
}
// Encode key in octet string object
sc_asn1_write_element(card->ctx, SC_ASN1_SEQUENCE|SC_ASN1_CONS,
keyblob, ptr - keyblob,
&key, &key_len);
out = fopen(outf, "wb");
if (out == NULL) {
perror(outf);
free(key);
return;
}
if (fwrite(key, 1, key_len, out) != key_len) {
perror(outf);
free(key);
return;
}
free(key);
fclose(out);
}
static void import_dkek_share(sc_card_t *card, const char *inf, int iter, char *password, int num_of_password_shares)
{
sc_cardctl_sc_hsm_dkek_t dkekinfo;
EVP_CIPHER_CTX ctx;
FILE *in = NULL;
u8 filebuff[64],key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH],outbuff[64];
char *pwd = NULL;
int r, outlen, pwdlen;
in = fopen(inf, "rb");
if (in == NULL) {
perror(inf);
return;
}
if (fread(filebuff, 1, sizeof(filebuff), in) != sizeof(filebuff)) {
perror(inf);
return;
}
fclose(in);
if (memcmp(filebuff, magic, sizeof(magic) - 1)) {
printf("File %s is not a DKEK share\n", inf);
return;
}
if (password == NULL) {
if (num_of_password_shares == -1) {
printf("Enter password to decrypt DKEK share : ");
util_getpass(&pwd, NULL, stdin);
pwdlen = strlen(pwd);
printf("\n");
} else {
r = recreate_password_from_shares(&pwd, &pwdlen, num_of_password_shares);
if (r < 0) {
return;
}
}
} else {
pwd = password;
pwdlen = strlen(password);
}
printf("Deciphering DKEK share, please wait...\n");
EVP_BytesToKey(EVP_aes_256_cbc(), EVP_md5(), filebuff + 8, (u8 *)pwd, pwdlen, iter, key, iv);
OPENSSL_cleanse(pwd, strlen(pwd));
if (password == NULL) {
free(pwd);
}
EVP_CIPHER_CTX_init(&ctx);
EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, iv);
if (!EVP_DecryptUpdate(&ctx, outbuff, &outlen, filebuff + 16, sizeof(filebuff) - 16)) {
printf("Error decrypting DKEK share. Password correct ?\n");
return;
}
if (!EVP_DecryptFinal_ex(&ctx, outbuff + outlen, &r)) {
printf("Error decrypting DKEK share. Password correct ?\n");
return;
}
memset(&dkekinfo, 0, sizeof(dkekinfo));
memcpy(dkekinfo.dkek_share, outbuff, sizeof(dkekinfo.dkek_share));
dkekinfo.importShare = 1;
OPENSSL_cleanse(outbuff, sizeof(outbuff));
r = sc_card_ctl(card, SC_CARDCTL_SC_HSM_IMPORT_DKEK_SHARE, (void *)&dkekinfo);
OPENSSL_cleanse(&dkekinfo.dkek_share, sizeof(dkekinfo.dkek_share));
EVP_CIPHER_CTX_cleanup(&ctx);
if (r == SC_ERROR_INS_NOT_SUPPORTED) { // Not supported or not initialized for key shares
printf("Not supported by card or card not initialized for key share usage\n");
return;
}
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_SC_HSM_IMPORT_DKEK_SHARE, *) failed with %s\n", sc_strerror(r));
return;
}
printf("DKEK share imported\n");
print_dkek_info(&dkekinfo);
}
static void unwrap_key(sc_card_t *card, u8 keyid, const char *inf, const char *pin, int force)
{
sc_cardctl_sc_hsm_wrapped_key_t wrapped_key;
struct sc_pin_cmd_data data;
u8 keyblob[MAX_WRAPPED_KEY];
const u8 *ptr,*prkd,*cert;
FILE *in = NULL;
sc_path_t path;
u8 fid[2];
char *lpin = NULL;
unsigned int cla, tag;
int r, keybloblen;
size_t len, olen, prkd_len, cert_len;
in = fopen(inf, "rb");
if (in == NULL) {
perror(inf);
return;
}
if ((keybloblen = fread(keyblob, 1, sizeof(keyblob), in)) < 0) {
perror(inf);
return;
}
fclose(in);
ptr = keyblob;
if ((sc_asn1_read_tag(&ptr, keybloblen, &cla, &tag, &len) != SC_SUCCESS) ||
((cla & SC_ASN1_TAG_CONSTRUCTED) != SC_ASN1_TAG_CONSTRUCTED) ||
((tag != SC_ASN1_TAG_SEQUENCE)) ){
fprintf(stderr, "Invalid wrapped key format (Outer sequence).\n");
return;
}
if ((sc_asn1_read_tag(&ptr, len, &cla, &tag, &olen) != SC_SUCCESS) ||
(cla & SC_ASN1_TAG_CONSTRUCTED) ||
((tag != SC_ASN1_TAG_OCTET_STRING)) ){
fprintf(stderr, "Invalid wrapped key format (Key binary).\n");
return;
}
wrapped_key.wrapped_key = (u8 *)ptr;
wrapped_key.wrapped_key_length = olen;
ptr += olen;
prkd = ptr;
prkd_len = determineLength(ptr, keybloblen - (ptr - keyblob));
ptr += prkd_len;
cert = ptr;
cert_len = determineLength(ptr, keybloblen - (ptr - keyblob));
printf("Wrapped key contains:\n");
printf(" Key blob\n");
if (prkd_len > 0) {
printf(" Private Key Description (PRKD)\n");
}
if (cert_len > 0) {
printf(" Certificate\n");
}
if ((prkd_len > 0) && !force) {
fid[0] = PRKD_PREFIX;
fid[1] = keyid;
/* Try to select a related EF containing the PKCS#15 description of the key */
sc_path_set(&path, SC_PATH_TYPE_FILE_ID, fid, sizeof(fid), 0, 0);
r = sc_select_file(card, &path, NULL);
if (r == SC_SUCCESS) {
fprintf(stderr, "Found existing private key description in EF with fid %02x%02x. Please remove key first, select unused key reference or use --force.\n", fid[0], fid[1]);
return;
}
}
if ((cert_len > 0) && !force) {
fid[0] = EE_CERTIFICATE_PREFIX;
fid[1] = keyid;
/* Try to select a related EF containing the certificate */
sc_path_set(&path, SC_PATH_TYPE_FILE_ID, fid, sizeof(fid), 0, 0);
r = sc_select_file(card, &path, NULL);
if (r == SC_SUCCESS) {
fprintf(stderr, "Found existing certificate in EF with fid %02x%02x. Please remove certificate first, select unused key reference or use --force.\n", fid[0], fid[1]);
return;
}
}
if (pin == NULL) {
printf("Enter User PIN : ");
util_getpass(&lpin, NULL, stdin);
printf("\n");
} else {
lpin = (u8 *)pin;
}
memset(&data, 0, sizeof(data));
data.cmd = SC_PIN_CMD_VERIFY;
data.pin_type = SC_AC_CHV;
data.pin_reference = ID_USER_PIN;
data.pin1.data = lpin;
data.pin1.len = strlen(lpin);
r = sc_pin_cmd(card, &data, NULL);
if (r < 0) {
fprintf(stderr, "PIN verification failed with %s\n", sc_strerror(r));
return;
}
if (pin == NULL) {
free(lpin);
}
if (force) {
fid[0] = KEY_PREFIX;
fid[1] = keyid;
sc_path_set(&path, SC_PATH_TYPE_FILE_ID, fid, 2, 0, -1);
sc_delete_file(card, &path);
}
wrapped_key.key_id = keyid;
r = sc_card_ctl(card, SC_CARDCTL_SC_HSM_UNWRAP_KEY, (void *)&wrapped_key);
if (r == SC_ERROR_INS_NOT_SUPPORTED) { // Not supported or not initialized for key shares
return;
}
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_SC_HSM_UNWRAP_KEY, *) failed with %s\n", sc_strerror(r));
return;
}
if (prkd_len > 0) {
r = update_ef(card, PRKD_PREFIX, keyid, force, prkd, prkd_len);
if (r < 0) {
fprintf(stderr, "Updating private key description failed with %s\n", sc_strerror(r));
return;
}
}
if (cert_len > 0) {
r = update_ef(card, EE_CERTIFICATE_PREFIX, keyid, force, cert, cert_len);
if (r < 0) {
fprintf(stderr, "Updating certificate failed with %s\n", sc_strerror(r));
return;
}
}
printf("Key successfully imported\n");
}
static void initialize(sc_card_t *card, const char *so_pin, const char *user_pin, int retry_counter, int dkek_shares)
{
sc_cardctl_sc_hsm_init_param_t param;
size_t len;
char *_so_pin = NULL, *_user_pin = NULL;
int r;
if (so_pin == NULL) {
printf("Enter SO-PIN (16 hexadecimal characters) : ");
util_getpass(&_so_pin, NULL, stdin);
printf("\n");
} else {
_so_pin = (char *)so_pin;
}
len = sizeof(param.init_code);
r = sc_hex_to_bin(_so_pin, param.init_code, &len);
if (r < 0) {
fprintf(stderr, "Error decoding initialization code (%s)\n", sc_strerror(r));
return;
}
if (len != 8) {
fprintf(stderr, "SO-PIN must be a hexadecimal string of 16 characters\n");
return;
}
if (user_pin == NULL) {
printf("Enter initial User-PIN (6 - 16 characters) : ");
util_getpass(&_user_pin, NULL, stdin);
printf("\n");
} else {
_user_pin = (char *)user_pin;
}
param.user_pin_len = strlen(_user_pin);
if (param.user_pin_len < 6) {
fprintf(stderr, "PIN must be at least 6 characters long\n");
return;
}
if (param.user_pin_len > 16) {
fprintf(stderr, "PIN must not be longer than 16 characters\n");
return;
}
if ((param.user_pin_len == 6) && (retry_counter > 3)) {
fprintf(stderr, "Retry counter must not exceed 3 for a 6 digit PIN. Use a longer PIN for a higher retry counter.\n");
return;
}
if ((param.user_pin_len == 7) && (retry_counter > 5)) {
fprintf(stderr, "Retry counter must not exceed 5 for a 7 digit PIN. Use a longer PIN for a higher retry counter.\n");
return;
}
if (retry_counter > 10) {
fprintf(stderr, "Retry counter must not exceed 10\n");
return;
}
param.user_pin = (u8 *)_user_pin;
param.user_pin_retry_counter = (u8)retry_counter;
param.options[0] = 0x00;
param.options[1] = 0x01;
param.dkek_shares = (char)dkek_shares;
r = sc_card_ctl(card, SC_CARDCTL_SC_HSM_INITIALIZE, (void *)¶m);
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_SC_HSM_INITIALIZE, *) failed with %s\n", sc_strerror(r));
}
}
static int do_verify(int argc, char **argv)
{
const id2str_t typeNames[] = {
{ SC_AC_CHV, "CHV" },
{ SC_AC_AUT, "KEY" },
{ SC_AC_AUT, "AUT" },
{ SC_AC_PRO, "PRO" },
{ SC_AC_NONE, NULL, }
};
int r, tries_left = -1;
u8 buf[64];
size_t buflen = sizeof(buf), i;
struct sc_pin_cmd_data data;
int prefix_len = 0;
if (argc < 1 || argc > 2)
return usage(do_verify);
memset(&data, 0, sizeof(data));
data.cmd = SC_PIN_CMD_VERIFY;
data.pin_type = SC_AC_NONE;
for (i = 0; typeNames[i].str; i++) {
prefix_len = strlen(typeNames[i].str);
if (strncasecmp(argv[0], typeNames[i].str, prefix_len) == 0) {
data.pin_type = typeNames[i].id;
break;
}
}
if (data.pin_type == SC_AC_NONE) {
printf("Invalid type.\n");
return usage(do_verify);
}
if (sscanf(argv[0] + prefix_len, "%d", &data.pin_reference) != 1) {
printf("Invalid key reference.\n");
return usage(do_verify);
}
if (argc < 2) {
if (card->reader->capabilities & SC_READER_CAP_PIN_PAD) {
printf("Please enter PIN on the reader's pin pad.\n");
data.pin1.prompt = "Please enter PIN";
data.flags |= SC_PIN_CMD_USE_PINPAD;
}
else {
char *pin = NULL;
size_t len = 0;
printf("Please enter PIN: ");
r = util_getpass(&pin, &len, stdin);
if (r < 0) {
printf("No PIN entered - aborting VERIFY.\n");
return -1;
}
if (strlcpy((char *)buf, pin, sizeof(buf)) >= sizeof(buf)) {
free(pin);
printf("PIN too long - aborting VERIFY.\n");
return -1;
}
free(pin);
data.pin1.data = buf;
data.pin1.len = strlen((char *)buf);
}
} else {
r = parse_string_or_hexdata(argv[1], buf, &buflen);
if (0 != r) {
printf("Invalid key value.\n");
return usage(do_verify);
}
data.pin1.data = buf;
data.pin1.len = buflen;
}
r = sc_pin_cmd(card, &data, &tries_left);
if (r) {
if (r == SC_ERROR_PIN_CODE_INCORRECT) {
if (tries_left >= 0)
printf("Incorrect code, %d tries left.\n", tries_left);
else
printf("Incorrect code.\n");
} else
printf("Unable to verify PIN code: %s\n", sc_strerror(r));
return -1;
}
printf("Code correct.\n");
return 0;
}
static int print_dkek_share(sc_card_t *card, const char *inf, int iter, const char *password, int num_of_password_shares)
{
// hex output can be used in the SCSH shell with the
// decrypt_keyblob.js file
sc_cardctl_sc_hsm_dkek_t dkekinfo;
EVP_CIPHER_CTX *ctx = NULL;
FILE *in = NULL;
u8 filebuff[64],key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH],outbuff[64];
char *pwd = NULL;
int r, outlen, pwdlen;
u8 i;
if (inf == NULL) {
fprintf(stderr, "No file name specified for DKEK share\n");
return -1;
}
in = fopen(inf, "rb");
if (in == NULL) {
perror(inf);
return -1;
}
if (fread(filebuff, 1, sizeof(filebuff), in) != sizeof(filebuff)) {
perror(inf);
fclose(in);
return -1;
}
fclose(in);
if (memcmp(filebuff, magic, sizeof(magic) - 1)) {
fprintf(stderr, "File %s is not a DKEK share\n", inf);
return -1;
}
if (password == NULL) {
if (num_of_password_shares == -1) {
printf("Enter password to decrypt DKEK share : ");
util_getpass(&pwd, NULL, stdin);
pwdlen = strlen(pwd);
printf("\n");
} else {
r = recreate_password_from_shares(&pwd, &pwdlen, num_of_password_shares);
if (r < 0) {
return -1;
}
}
} else {
pwd = (char *) password;
pwdlen = strlen(password);
}
printf("Deciphering DKEK share, please wait...\n");
EVP_BytesToKey(EVP_aes_256_cbc(), EVP_md5(), filebuff + 8, (u8 *)pwd, pwdlen, iter, key, iv);
OPENSSL_cleanse(pwd, strlen(pwd));
if (password == NULL) {
free(pwd);
}
ctx = EVP_CIPHER_CTX_new();
EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv);
if (!EVP_DecryptUpdate(ctx, outbuff, &outlen, filebuff + 16, sizeof(filebuff) - 16)) {
fprintf(stderr, "Error decrypting DKEK share. Password correct ?\n");
return -1;
}
if (!EVP_DecryptFinal_ex(ctx, outbuff + outlen, &r)) {
fprintf(stderr, "Error decrypting DKEK share. Password correct ?\n");
return -1;
}
memset(&dkekinfo, 0, sizeof(dkekinfo));
memcpy(dkekinfo.dkek_share, outbuff, sizeof(dkekinfo.dkek_share));
dkekinfo.importShare = 1;
OPENSSL_cleanse(outbuff, sizeof(outbuff));
printf("DKEK Share HEX: \n\n");
for (i = 0; i < sizeof(dkekinfo.dkek_share); i++)
{
printf("%02X", dkekinfo.dkek_share[i]);
}
printf("\n\n");
OPENSSL_cleanse(&dkekinfo.dkek_share, sizeof(dkekinfo.dkek_share));
EVP_CIPHER_CTX_free(ctx);
if (r == SC_ERROR_INS_NOT_SUPPORTED) { // Not supported or not initialized for key shares
fprintf(stderr, "Not supported by card or card not initialized for key share usage\n");
return -1;
}
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_SC_HSM_IMPORT_DKEK_SHARE, *) failed with %s\n", sc_strerror(r));
return -1;
}
//printf("DKEK share imported\n");
//print_dkek_info(&dkekinfo);
return 0;
}
static int initialize(sc_card_t *card, const char *so_pin, const char *user_pin, const char* serial)
{
sc_cardctl_gids_init_param_t param;
size_t len;
char *_so_pin = NULL, *_user_pin = NULL, *_serial = NULL;
int r;
memset(¶m, 0, sizeof(sc_cardctl_gids_init_param_t));
if (so_pin == NULL) {
printf("Enter admin key (48 hexadecimal characters) : \n");
printf("Press Enter to set the admin key to 00...00\n");
util_getpass(&_so_pin, NULL, stdin);
printf("\n");
} else {
_so_pin = (char *)so_pin;
}
len = sizeof(param.init_code);
r = sc_hex_to_bin(_so_pin, param.init_code, &len);
if (r < 0) {
fprintf(stderr, "Error decoding initialization code (%s)\n", sc_strerror(r));
return -1;
}
if (len == 0) {
} else if (len != 24) {
fprintf(stderr, "The admin key must be a hexadecimal string of 48 characters\n");
return -1;
}
if (user_pin == NULL) {
printf("Enter initial User-PIN (4 - 16 characters) : ");
util_getpass(&_user_pin, NULL, stdin);
printf("\n");
} else {
_user_pin = (char *)user_pin;
}
if (serial == NULL) {
printf("Enter serial number (32 hexadecimal characters): \n");
printf("Press Enter to set a random serial number\n");
util_getpass(&_serial, NULL, stdin);
printf("\n");
} else {
_serial = (char *)serial;
}
if (_serial[0] == '\0') {
memset(param.cardid, 0, sizeof(param.cardid));
} else if (strlen(_serial) != 32) {
fprintf(stderr, "the serial number must be a hexadecimal string of 32 characters\n");
return -1;
} else {
len = sizeof(param.cardid);
r = sc_hex_to_bin(_serial, param.cardid, &len);
if (r < 0) {
fprintf(stderr, "Error decoding serial number (%s)\n", sc_strerror(r));
return -1;
}
}
param.user_pin_len = strlen(_user_pin);
if (param.user_pin_len < 4) {
fprintf(stderr, "PIN must be at least 4 characters long\n");
return -1;
}
if (param.user_pin_len > 16) {
fprintf(stderr, "PIN must not be longer than 16 characters\n");
return -1;
}
param.user_pin = (u8 *)_user_pin;
r = sc_card_ctl(card, SC_CARDCTL_GIDS_INITIALIZE, (void *)¶m);
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_GIDS_INITIALIZE, *) failed with %s\n", sc_strerror(r));
}
return 0;
}
static int changeAdminKey(sc_card_t* card, const char *so_pin, const char* new_key) {
char *_so_pin = NULL, *_new_key = NULL;
size_t len;
u8 key[24];
int r;
if (so_pin == NULL) {
printf("============================================================\n");
printf("WARNING\n");
printf("Entering an incorrect admin key can break your card\n");
printf("WARNING\n");
printf("============================================================\n");
printf("Enter admin key (48 hexadecimal characters) : ");
util_getpass(&_so_pin, NULL, stdin);
printf("\n");
} else {
_so_pin = (char *)so_pin;
}
len = sizeof(key);
r = sc_hex_to_bin(_so_pin, key, &len);
if (r < 0) {
fprintf(stderr, "Error decoding initialization code (%s)\n", sc_strerror(r));
return -1;
}
if (len != 24) {
fprintf(stderr, "admin key must be a hexadecimal string of 48 characters\n");
return -1;
}
r = sc_card_ctl(card, SC_CARDCTL_GIDS_AUTHENTICATE_ADMIN, (void *)key);
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_GIDS_AUTHENTICATE_ADMIN, *) failed with %s\n", sc_strerror(r));
return -1;
}
if (new_key == NULL) {
printf("Enter new admin key (48 hexadecimal characters) : ");
util_getpass(&_so_pin, NULL, stdin);
printf("\n");
} else {
_new_key = (char *)new_key;
}
len = sizeof(key);
r = sc_hex_to_bin(_new_key, key, &len);
if (r < 0) {
fprintf(stderr, "Error decoding initialization code (%s)\n", sc_strerror(r));
return -1;
}
if (len != 24) {
fprintf(stderr, "admin key must be a hexadecimal string of 48 characters\n");
return -1;
}
r = sc_card_ctl(card, SC_CARDCTL_GIDS_SET_ADMIN_KEY, (void *)key);
sc_logout(card);
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_GIDS_SET_ADMIN_KEY, *) failed with %s\n", sc_strerror(r));
return -1;
}
return 0;
}
static int unblock(sc_card_t* card, const char *so_pin, const char *user_pin) {
int r;
char *_so_pin = NULL, *_user_pin = NULL;
size_t len;
u8 key[24];
struct sc_pin_cmd_data data;
memset(&data, 0, sizeof(struct sc_pin_cmd_data));
if (so_pin == NULL) {
printf("============================================================\n");
printf("WARNING\n");
printf("Entering an incorrect admin key can break your card\n");
printf("WARNING\n");
printf("============================================================\n");
printf("Enter admin key (48 hexadecimal characters) : ");
util_getpass(&_so_pin, NULL, stdin);
printf("\n");
} else {
_so_pin = (char *)so_pin;
}
len = sizeof(key);
r = sc_hex_to_bin(_so_pin, key, &len);
if (r < 0) {
fprintf(stderr, "Error decoding initialization code (%s)\n", sc_strerror(r));
return -1;
}
if (len != 24) {
fprintf(stderr, "admin key must be a hexadecimal string of 48 characters\n");
return -1;
}
r = sc_card_ctl(card, SC_CARDCTL_GIDS_AUTHENTICATE_ADMIN, (void *)key);
if (r < 0) {
fprintf(stderr, "sc_card_ctl(*, SC_CARDCTL_GIDS_AUTHENTICATE_ADMIN, *) failed with %s\n", sc_strerror(r));
return -1;
}
printf("Administrator authentication successful\n");
printf("Setting the new PIN\n");
if (user_pin == NULL) {
printf("Enter User-PIN (4 - 16 characters) : ");
util_getpass(&_user_pin, NULL, stdin);
printf("\n");
} else {
_user_pin = (char *)user_pin;
}
data.pin_type = SC_AC_CHV;
data.cmd = SC_PIN_CMD_UNBLOCK;
data.pin2.len = strlen(_user_pin);
data.pin2.data = (unsigned char*) _user_pin;
data.pin_reference = 0x80;
r = sc_pin_cmd(card, &data, NULL);
if (r < 0) {
fprintf(stderr, "reset pin failed with %s\n", sc_strerror(r));
return -1;
}
printf("Unblock PIN done successfuly\n");
// the card should have deauthenticated the admin, but to be sure:
sc_logout(card);
return 0;
}
