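--- a/src/coolkey/slot.cpp
+++ b/src/coolkey/slot.cpp
@@ -415,8 +415,9 @@ Slot::Slot(const char *readerName_, Log
 tokenManufacturer(NULL),
 slotInfoFound(false), context(context_), conn(NULL), state(UNKNOWN),
 isVersion1Key(false), needLogin(false), fullTokenName(false),
- mCoolkey(false), mOldCAC(false), mCACLocalLogin(false),
- pivContainer(-1), pivKey(-1), maxCacCerts(MAX_CERT_SLOTS),
+ mCoolkey(false), mOldCAC(false), mCACLocalLogin(false), mCAC_ACA(false),
+ pivContainer(-1), pivKey(-1),
+ minCacCerts(0), maxCacCerts(MAX_CERT_SLOTS),
 algs(ALG_NONE), p15aid(0), p15odfAddr(0), p15tokenInfoAddr(0),
 p15Instance(0),
 #ifdef USE_SHMEM
@@ -782,9 +783,11 @@ Slot::connectToToken()
 state |= PIV_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;
 isVersion1Key = 0;
 needLogin = true;
+ minCacCerts = 0;
 maxCacCerts = MAX_CERT_SLOTS;
 mCoolkey = 0;
 mOldCAC = 0;
+ mCAC_ACA = 0;
 mCACLocalLogin = getPIVLoginType();
 return;
 }
@@ -924,23 +927,29 @@ Slot::getCACAid()
 CKYBuffer_Resize(&cardAID[i],0);
 }
 
+ mCAC_ACA=false;
 status = CACApplet_SelectCCC(conn,NULL);
 if (status != CKYSUCCESS) {
 /* are we an old CAC */
- status = CACApplet_SelectPKI(conn, &cardAID[0], 0, NULL);
- if (status != CKYSUCCESS) {
- /* no, just fail */
- return status;
- }
- /* yes, fill in the old applets */
- mOldCAC = true;
- maxCacCerts = 1;
- for (i=1; i< MAX_CERT_SLOTS; i++) {
+ maxCacCerts = 0;
+ minCacCerts = -1;
+ status = CACApplet_SelectACA(conn,NULL);
+ if (status == CKYSUCCESS) {
+ mCAC_ACA = true;
+ }
+ for (i=0; i< MAX_CERT_SLOTS; i++) {
 status = CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);
 if (status == CKYSUCCESS) {
+ if (minCacCerts == -1) {
+ minCacCerts = i;
+ }
 maxCacCerts = i+1;
 }
 }
+ if (minCacCerts == -1) {
+ return status;
+ }
+ mOldCAC = true;
 return CKYSUCCESS;
 }
 /* definately not an old CAC */
@@ -997,6 +1006,7 @@ Slot::getCACAid()
 if (certSlot == 0) {
 status = CKYAPDUFAIL; /* probably neeed a beter error code */
 }
+ minCacCerts = 0;
 maxCacCerts = certSlot;
 
 done:
@@ -3840,7 +3850,16 @@ Slot::login(SessionHandleSuffix handleSu
 if(status != CKYSUCCESS ) handleConnectionError();
 
 if (state & GOV_CARD) {
- selectCACApplet(0, true);
+ if (mCAC_ACA) {
+ status = CACApplet_SelectACA(conn,NULL);
+ if ( status == CKYSCARDERR ) handleConnectionError();
+ if ( status != CKYSUCCESS) {
+ disconnect();
+ throw PKCS11Exception(CKR_DEVICE_REMOVED);
+ }
+ } else {
+ selectCACApplet(minCacCerts, true);
+ }
 } else if ((state & P15_CARD)== 0) {
 /* p15 does the select in attemptLogin */
 selectApplet();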
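--- a/src/coolkey/slot.h
+++ b/src/coolkey/slot.h
@@ -356,8 +356,10 @@ class Slot {
 bool mCoolkey;
 bool mOldCAC;
 bool mCACLocalLogin;
+ bool mCAC_ACA;
 int pivContainer;
 int pivKey;
+ int minCacCerts;
 int maxCacCerts;
 SlotAlgs algs;
 unsigned short p15aid;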
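--- a/src/libckyapplet/cky_applet.c
+++ b/src/libckyapplet/cky_applet.c
@@ -626,6 +626,19 @@ CACApplet_SelectCCC(CKYCardConnection *c
 return ret;
 }
 
+static CKYByte cacACAid[] = {0xa0, 0x00, 0x00, 0x00, 0x79, 0x10, 0x00 };
+CKYStatus
+CACApplet_SelectACA(CKYCardConnection *conn, CKYISOStatus *apduRC)
+{
+ CKYStatus ret;
+ CKYBuffer CAC_CM_AID;
+ CKYBuffer_InitFromData(&CAC_CM_AID, cacACAid, sizeof(cacACAid));
+ ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, &CAC_CM_AID,
+ NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
+ CKYBuffer_FreeData(&CAC_CM_AID);
+ return ret;
+}
+
 CKYStatus
 CACApplet_SelectFile(CKYCardConnection *conn, unsigned short ef,
 CKYISOStatus *apduRC)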
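--- a/src/libckyapplet/cky_applet.h
+++ b/src/libckyapplet/cky_applet.h
@@ -539,6 +539,8 @@ CKYStatus CACApplet_SelectCardManager(CK
 CKYISOStatus *apduRC);
 /* Select the CAC CC container. Can happen with either applet selected */
 CKYStatus CACApplet_SelectCCC(CKYCardConnection *conn, CKYISOStatus *apduRC);
+/* Select the CAC ACA container. Can happen with either applet selected */
+CKYStatus CACApplet_SelectACA(CKYCardConnection *conn, CKYISOStatus *apduRC);
 /* Select an old CAC applet and fill in the cardAID */
 CKYStatus CACApplet_SelectPKI(CKYCardConnection *conn, CKYBuffer *cardAid,
 CKYByte instance, CKYISOStatus *apduRC);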