rpms / coolkey

Clone
Source Code
GIT

Blame SOURCES/coolkey-cac.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta
  1.   78b7b260d31a12ce5a44f33226c8a257916cd564
  2.   SOURCES
  3.   coolkey-cac.patch
Blob History Raw
78b7b2 
diff -up ./src/coolkey/slot.cpp.cac ./src/coolkey/slot.cpp
78b7b2 
--- ./src/coolkey/slot.cpp.cac	2010-06-16 13:43:51.477181000 -0700
78b7b2 
+++ ./src/coolkey/slot.cpp	2010-06-16 13:43:51.535179000 -0700
78b7b2 
@@ -372,7 +372,7 @@ Slot::Slot(const char *readerName_, Log
78b7b2 
     : log(log_), readerName(NULL), personName(NULL), manufacturer(NULL),
78b7b2 
 	slotInfoFound(false), context(context_), conn(NULL), state(UNKNOWN),
78b7b2 
 	isVersion1Key(false), needLogin(false), fullTokenName(false),
78b7b2 
-	mCoolkey(false),
78b7b2 
+	mCoolkey(false), mOldCAC(false),
78b7b2 
 #ifdef USE_SHMEM
78b7b2 
 	shmem(readerName_),
78b7b2 
 #endif
78b7b2 
@@ -412,6 +412,9 @@ Slot::Slot(const char *readerName_, Log
78b7b2 
     }
78b7b2 
     CKYBuffer_InitEmpty(&cardATR);
78b7b2 
     CKYBuffer_InitEmpty(&mCUID);
78b7b2 
+    for (int i=0; i < MAX_CERT_SLOTS; i++) {
78b7b2 
+	CKYBuffer_InitEmpty(&cardAID[i]);
78b7b2 
+    }
78b7b2 
   } catch(PKCS11Exception &) {
78b7b2 
 	if (conn) {
78b7b2 
 	    CKYCardConnection_Destroy(conn);
78b7b2 
@@ -479,6 +482,9 @@ Slot::~Slot()
78b7b2 
     CKYBuffer_FreeData(&nonce);
78b7b2 
     CKYBuffer_FreeData(&cardATR);
78b7b2 
     CKYBuffer_FreeData(&mCUID);
78b7b2 
+    for (int i=0; i < MAX_CERT_SLOTS; i++) {
78b7b2 
+	CKYBuffer_FreeData(&cardAID[i]);
78b7b2 
+    }
78b7b2 
 }
78b7b2
78b7b2 
 template <class C>
78b7b2 
@@ -671,15 +677,9 @@ Slot::connectToToken()
78b7b2 
     status = CKYApplet_SelectCoolKeyManager(conn, NULL);
78b7b2 
     if (status != CKYSUCCESS) {
78b7b2 
         log->log("CoolKey Select failed 0x%x\n", status);
78b7b2 
-	status = CACApplet_SelectPKI(conn, 0, NULL);
78b7b2 
+	status = getCACAid();
78b7b2 
 	if (status != CKYSUCCESS) {
78b7b2 
-            log->log("CAC Select failed 0x%x\n", status);
78b7b2 
-	    if (status == CKYSCARDERR) {
78b7b2 
-		log->log("CAC Card Failure 0x%x\n",
78b7b2 
-			CKYCardConnection_GetLastError(conn));
78b7b2 
-		disconnect();
78b7b2 
-	    }
78b7b2 
-	    return;
78b7b2 
+	    goto loser;
78b7b2 
 	}
78b7b2 
 	state |= CAC_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;
78b7b2 
 	/* skip the read of the cuid. We really don't need it and,
78b7b2 
@@ -690,6 +690,15 @@ Slot::connectToToken()
78b7b2 
 	needLogin = 1;
78b7b2 
         mCoolkey = 0;
78b7b2 
 	return;
78b7b2 
+
78b7b2 
+loser:
78b7b2 
+        log->log("CAC Select failed 0x%x\n", status);
78b7b2 
+	if (status == CKYSCARDERR) {
78b7b2 
+	    log->log("CAC Card Failure 0x%x\n",
78b7b2 
+			CKYCardConnection_GetLastError(conn));
78b7b2 
+	    disconnect();
78b7b2 
+	}
78b7b2 
+	return;
78b7b2 
     }
78b7b2 
     mCoolkey = 1;
78b7b2 
     log->log("time connect: Select Applet %d ms\n", OSTimeNow() - time);
78b7b2 
@@ -771,17 +780,111 @@ Slot::disconnect()
78b7b2 
     invalidateLogin(false);
78b7b2 
 }
78b7b2
78b7b2 
+CKYStatus
78b7b2 
+Slot::getCACAid()
78b7b2 
+{
78b7b2 
+    CKYBuffer tBuf;
78b7b2 
+    CKYBuffer vBuf;
78b7b2 
+    CKYSize tlen, vlen;
78b7b2 
+    CKYOffset toffset, voffset;
78b7b2 
+    int certSlot = 0;
78b7b2 
+    int i,length = 0;
78b7b2 
+    CKYStatus status;
78b7b2 
+
78b7b2 
+    CKYBuffer_InitEmpty(&tBuf);
78b7b2 
+    CKYBuffer_InitEmpty(&vBuf);
78b7b2 
+
78b7b2 
+    /* clear out the card AID's */
78b7b2 
+    for (i=0; i < MAX_CERT_SLOTS; i++) {
78b7b2 
+	CKYBuffer_Resize(&cardAID[i],0);
78b7b2 
+    }
78b7b2 
+
78b7b2 
+    status = CACApplet_SelectCCC(conn,NULL);
78b7b2 
+    if (status != CKYSUCCESS) {
78b7b2 
+	/* are we an old CAC */
78b7b2 
+	status = CACApplet_SelectPKI(conn, &cardAID[0], 0, NULL);
78b7b2 
+	if (status != CKYSUCCESS) {
78b7b2 
+	   /* no, just fail */
78b7b2 
+	   return status;
78b7b2 
+	}
78b7b2 
+	/* yes, fill in the old applets */
78b7b2 
+	mOldCAC = true;
78b7b2 
+	for (i=1; i< MAX_CERT_SLOTS; i++) {
78b7b2 
+	    CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);
78b7b2 
+	}
78b7b2 
+	return CKYSUCCESS;
78b7b2 
+    }
78b7b2 
+    /* definately not an old CAC */
78b7b2 
+    mOldCAC = false;
78b7b2 
+
78b7b2 
+    /* read the TLV */
78b7b2 
+    status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);
78b7b2 
+    if (status != CKYSUCCESS) {
78b7b2 
+	goto done;
78b7b2 
+    }
78b7b2 
+    status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);
78b7b2 
+    if (status != CKYSUCCESS) {
78b7b2 
+	goto done;
78b7b2 
+    }
78b7b2 
+    tlen = CKYBuffer_Size(&tBuf);
78b7b2 
+    vlen = CKYBuffer_Size(&vBuf);
78b7b2 
+
78b7b2 
+    for(toffset = 2, voffset=2;
78b7b2 
+	certSlot < MAX_CERT_SLOTS && toffset < tlen && voffset < vlen ;
78b7b2 
+		voffset += length) {
78b7b2 
+
78b7b2 
+	CKYByte tag = CKYBuffer_GetChar(&tBuf, toffset);
78b7b2 
+	length = CKYBuffer_GetChar(&tBuf, toffset+1);
78b7b2 
+	toffset += 2;
78b7b2 
+	if (length == 0xff) {
78b7b2 
+	    length = CKYBuffer_GetShortLE(&tBuf, toffset);
78b7b2 
+	    toffset +=2;
78b7b2 
+	}
78b7b2 
+	if (tag != CAC_TAG_CARDURL) {
78b7b2 
+	    continue;
78b7b2 
+	}
78b7b2 
+	/* CARDURL tags must be at least 10 bytes long */
78b7b2 
+	if (length < 10) {
78b7b2 
+	    continue;
78b7b2 
+	}
78b7b2 
+	/* check the app type, should be TLV_APP_PKI */
78b7b2 
+	if (CKYBuffer_GetChar(&vBuf, voffset+5) != CAC_TLV_APP_PKI) {
78b7b2 
+	    continue;
78b7b2 
+	}
78b7b2 
+	status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf, voffset, 5);
78b7b2 
+	if (status != CKYSUCCESS) {
78b7b2 
+	    goto done;
78b7b2 
+	}
78b7b2 
+	status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf,
78b7b2 
+								voffset+8, 2);
78b7b2 
+	if (status != CKYSUCCESS) {
78b7b2 
+	    goto done;
78b7b2 
+	}
78b7b2 
+	cardEF[certSlot] = CKYBuffer_GetShortLE(&vBuf, voffset+6);
78b7b2 
+
78b7b2 
+	certSlot++;
78b7b2 
+    }
78b7b2 
+    status = CKYSUCCESS;
78b7b2 
+    if (certSlot == 0) {
78b7b2 
+	status = CKYAPDUFAIL; /* probably neeed a beter error code */
78b7b2 
+    }
78b7b2 
+
78b7b2 
+done:
78b7b2 
+    CKYBuffer_FreeData(&tBuf);
78b7b2 
+    CKYBuffer_FreeData(&vBuf);
78b7b2 
+    return status;
78b7b2 
+}
78b7b2 
+
78b7b2 
 void
78b7b2 
 Slot::refreshTokenState()
78b7b2 
 {
78b7b2 
     if( cardStateMayHaveChanged() ) {
78b7b2 
-log->log("card changed\n");
78b7b2 
+        log->log("card changed\n");
78b7b2 
 	invalidateLogin(true);
78b7b2 
         closeAllSessions();
78b7b2 
 	unloadObjects();
78b7b2 
         connectToToken();
78b7b2
78b7b2 
-
78b7b2 
         if( state & APPLET_PERSONALIZED ) {
78b7b2 
             try {
78b7b2 
                 loadObjects();
78b7b2 
@@ -1019,7 +1122,7 @@ Slot::makeModelString(char *model, int m
78b7b2
78b7b2 
 struct _manList {
78b7b2 
      unsigned short type;
78b7b2 
-     char *string;
78b7b2 
+     const char *string;
78b7b2 
 };
78b7b2
78b7b2 
 static const struct _manList  manList[] = {
78b7b2 
@@ -1280,13 +1383,30 @@ void
78b7b2 
 Slot::selectCACApplet(CKYByte instance)
78b7b2 
 {
78b7b2 
     CKYStatus status;
78b7b2 
-    status = CACApplet_SelectPKI(conn, instance, NULL);
78b7b2 
+    CKYBuffer *aid = &cardAID[instance];
78b7b2 
+
78b7b2 
+    if (CKYBuffer_Size(aid) == 0) {
78b7b2 
+        disconnect();
78b7b2 
+        throw PKCS11Exception(CKR_DEVICE_REMOVED);
78b7b2 
+	return;
78b7b2 
+    }
78b7b2 
+
78b7b2 
+    status = CKYApplet_SelectFile(conn, aid, NULL);
78b7b2 
     if ( status == CKYSCARDERR ) handleConnectionError();
78b7b2 
     if ( status != CKYSUCCESS) {
78b7b2 
         // could not select applet: this just means it's not there
78b7b2 
         disconnect();
78b7b2 
         throw PKCS11Exception(CKR_DEVICE_REMOVED);
78b7b2 
     }
78b7b2 
+    if (mOldCAC) {
78b7b2 
+	return;
78b7b2 
+    }
78b7b2 
+    status = CACApplet_SelectFile(conn, cardEF[instance], NULL);
78b7b2 
+    if ( status == CKYSCARDERR ) handleConnectionError();
78b7b2 
+    if ( status != CKYSUCCESS) {
78b7b2 
+        disconnect();
78b7b2 
+        throw PKCS11Exception(CKR_DEVICE_REMOVED);
78b7b2 
+    }
78b7b2 
 }
78b7b2 
 // assume we are already in a transaction
78b7b2 
 void
78b7b2 
@@ -2059,10 +2179,85 @@ Slot::fetchCombinedObjects(const CKYBuff
78b7b2 
     return objInfoList;
78b7b2 
 }
78b7b2
78b7b2 
+CKYStatus
78b7b2 
+Slot::readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize,
78b7b2 
+			      bool throwException)
78b7b2 
+{
78b7b2 
+    CKYStatus status;
78b7b2 
+    CKYISOStatus apduRC;
78b7b2 
+
78b7b2 
+    if (mOldCAC) {
78b7b2 
+	/* get the first 100 bytes of the cert */
78b7b2 
+	status = CACApplet_GetCertificateFirst(conn, cert, nextSize, &apduRC);
78b7b2 
+	if (throwException && (status != CKYSUCCESS)) {
78b7b2 
+	    handleConnectionError();
78b7b2 
+	}
78b7b2 
+	return status;
78b7b2 
+    }
78b7b2 
+
78b7b2 
+    CKYBuffer tBuf;
78b7b2 
+    CKYBuffer vBuf;
78b7b2 
+    CKYSize tlen, vlen;
78b7b2 
+    CKYOffset toffset, voffset;
78b7b2 
+    int length = 0;
78b7b2 
+
78b7b2 
+    CKYBuffer_InitEmpty(&tBuf);
78b7b2 
+    CKYBuffer_InitEmpty(&vBuf);
78b7b2 
+    CKYBuffer_Resize(cert, 0);
78b7b2 
+
78b7b2 
+    /* handle the new CAC card read */
78b7b2 
+    /* read the TLV */
78b7b2 
+    status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);
78b7b2 
+    if (status != CKYSUCCESS) {
78b7b2 
+	goto done;
78b7b2 
+    }
78b7b2 
+    status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);
78b7b2 
+    if (status != CKYSUCCESS) {
78b7b2 
+	goto done;
78b7b2 
+    }
78b7b2 
+    tlen = CKYBuffer_Size(&tBuf);
78b7b2 
+    vlen = CKYBuffer_Size(&vBuf);
78b7b2 
+
78b7b2 
+    /* look for the Cert out of the TLV */
78b7b2 
+    for(toffset = 2, voffset=2; toffset < tlen && voffset < vlen ;
78b7b2 
+		voffset += length) {
78b7b2 
+
78b7b2 
+	CKYByte tag = CKYBuffer_GetChar(&tBuf, toffset);
78b7b2 
+	length = CKYBuffer_GetChar(&tBuf, toffset+1);
78b7b2 
+	toffset += 2;
78b7b2 
+	if (length == 0xff) {
78b7b2 
+	    length = CKYBuffer_GetShortLE(&tBuf, toffset);
78b7b2 
+	    toffset +=2;
78b7b2 
+	}
78b7b2 
+	if (tag != CAC_TAG_CERTIFICATE) {
78b7b2 
+	    continue;
78b7b2 
+	}
78b7b2 
+	CKYBuffer_AppendBuffer(cert, &vBuf, voffset, length);
78b7b2 
+	break;
78b7b2 
+    }
78b7b2 
+    status = CKYSUCCESS;
78b7b2 
+
78b7b2 
+done:
78b7b2 
+    CKYBuffer_FreeData(&tBuf);
78b7b2 
+    CKYBuffer_FreeData(&vBuf);
78b7b2 
+    return status;
78b7b2 
+}
78b7b2 
+
78b7b2 
+/*
78b7b2 
+ * only necessary for old CAC cards. New CAC cards have to read the
78b7b2 
+ * whole cert in anyway above....
78b7b2 
+ */
78b7b2 
+CKYStatus
78b7b2 
+Slot::readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize)
78b7b2 
+{
78b7b2 
+    CKYISOStatus apduRC;
78b7b2 
+    assert(mOldCAC);
78b7b2 
+    return CACApplet_GetCertificateAppend(conn, cert, nextSize, &apduRC);
78b7b2 
+}
78b7b2 
+
78b7b2 
 void
78b7b2 
 Slot::loadCACCert(CKYByte instance)
78b7b2 
 {
78b7b2 
-    CKYISOStatus apduRC;
78b7b2 
     CKYStatus status = CKYSUCCESS;
78b7b2 
     CKYBuffer cert;
78b7b2 
     CKYBuffer rawCert;
78b7b2 
@@ -2097,12 +2292,7 @@ Slot::loadCACCert(CKYByte instance)
78b7b2 
 						 instance, OSTimeNow() - time);
78b7b2
78b7b2 
     if (instance == 0) {
78b7b2 
-	/* get the first 100 bytes of the cert */
78b7b2 
-	status = CACApplet_GetCertificateFirst(conn, &rawCert,
78b7b2 
-						&nextSize, &apduRC);
78b7b2 
-	if (status != CKYSUCCESS) {
78b7b2 
-	    handleConnectionError();
78b7b2 
-	}
78b7b2 
+	readCACCertificateFirst(&rawCert, &nextSize, true);
78b7b2 
 	log->log("CAC Cert %d: fetch CAC Cert:  %d ms\n",
78b7b2 
 						instance, OSTimeNow() - time);
78b7b2 
     }
78b7b2 
@@ -2143,8 +2333,7 @@ Slot::loadCACCert(CKYByte instance)
78b7b2 
 	    shmem.setVersion(SHMEM_VERSION);
78b7b2 
 	    shmem.setDataVersion(dataVersion);
78b7b2 
 	} else {
78b7b2 
-	    status = CACApplet_GetCertificateFirst(conn, &rawCert,
78b7b2 
-						&nextSize, &apduRC);
78b7b2 
+	    status = readCACCertificateFirst(&rawCert, &nextSize, false);
78b7b2
78b7b2 
 	    if (status != CKYSUCCESS) {
78b7b2 
 		/* CAC only requires the Certificate in pki '0' */
78b7b2 
@@ -2159,8 +2348,7 @@ Slot::loadCACCert(CKYByte instance)
78b7b2 
 	}
78b7b2
78b7b2 
 	if (nextSize) {
78b7b2 
-	    status = CACApplet_GetCertificateAppend(conn, &rawCert,
78b7b2 
-						nextSize, &apduRC);
78b7b2 
+	    status = readCACCertificateAppend(&rawCert, nextSize);
78b7b2 
 	}
78b7b2 
 	log->log("CAC Cert %d: Fetch rest :  %d ms\n",
78b7b2 
 						instance, OSTimeNow() - time);
78b7b2 
@@ -2176,9 +2364,10 @@ Slot::loadCACCert(CKYByte instance)
78b7b2
78b7b2 
     log->log("CAC Cert %d: Cert has been read:  %d ms\n",
78b7b2 
 						instance, OSTimeNow() - time);
78b7b2 
-    if (CKYBuffer_GetChar(&rawCert,0) == 1) {
78b7b2 
+    if (!mOldCAC || CKYBuffer_GetChar(&rawCert,0) == 1) {
78b7b2 
 	CKYSize guessFinalSize = CKYBuffer_Size(&rawCert);
78b7b2 
 	CKYSize certSize = 0;
78b7b2 
+	CKYOffset offset = mOldCAC ? 1 : 0;
78b7b2 
 	int zret = Z_MEM_ERROR;
78b7b2
78b7b2 
 	do {
78b7b2 
@@ -2189,7 +2378,8 @@ Slot::loadCACCert(CKYByte instance)
78b7b2 
 	    }
78b7b2 
 	    certSize = guessFinalSize;
78b7b2 
 	    zret = uncompress((Bytef *)CKYBuffer_Data(&cert),&certSize,
78b7b2 
-			CKYBuffer_Data(&rawCert)+1, CKYBuffer_Size(&rawCert)-1);
78b7b2 
+			CKYBuffer_Data(&rawCert)+offset,
78b7b2 
+			CKYBuffer_Size(&rawCert)-offset);
78b7b2 
 	} while (zret == Z_BUF_ERROR);
78b7b2
78b7b2 
 	if (zret != Z_OK) {
78b7b2 
@@ -2526,7 +2716,7 @@ Slot::attemptCACLogin()
78b7b2 
     switch( result ) {
78b7b2 
       case CKYISO_SUCCESS:
78b7b2 
         break;
78b7b2 
-      case 6981:
78b7b2 
+      case 0x6981:
78b7b2 
         throw PKCS11Exception(CKR_PIN_LOCKED);
78b7b2 
       default:
78b7b2 
 	if ((result & 0xff00) == 0x6300) {
78b7b2 
diff -up ./src/coolkey/slot.h.cac ./src/coolkey/slot.h
78b7b2 
--- ./src/coolkey/slot.h.cac	2010-06-16 13:43:51.344185000 -0700
78b7b2 
+++ ./src/coolkey/slot.h	2010-06-16 13:43:51.546179000 -0700
78b7b2 
@@ -294,6 +294,7 @@ class CryptParams {
78b7b2 
 				 const CKYBuffer *paddedOutput) const = 0;
78b7b2 
 };
78b7b2
78b7b2 
+#define MAX_CERT_SLOTS 3
78b7b2 
 class Slot {
78b7b2
78b7b2 
   public:
78b7b2 
@@ -328,6 +329,8 @@ class Slot {
78b7b2 
     CKYBuffer nonce;
78b7b2 
     CKYBuffer cardATR;
78b7b2 
     CKYBuffer mCUID;
78b7b2 
+    CKYBuffer cardAID[MAX_CERT_SLOTS];
78b7b2 
+    unsigned short cardEF[MAX_CERT_SLOTS];
78b7b2 
     bool isVersion1Key;
78b7b2 
     bool needLogin;
78b7b2 
     long publicFree;
78b7b2 
@@ -335,6 +338,7 @@ class Slot {
78b7b2 
     long privateFree;
78b7b2 
     bool fullTokenName;
78b7b2 
     bool mCoolkey;
78b7b2 
+    bool mOldCAC;
78b7b2
78b7b2 
     //enum { RW_SESSION_HANDLE = 1, RO_SESSION_HANDLE = 2 };
78b7b2
78b7b2 
@@ -398,6 +402,11 @@ class Slot {
78b7b2 
     list<ListObjectInfo> fetchCombinedObjects(const CKYBuffer *header);
78b7b2 
     list<ListObjectInfo> fetchSeparateObjects();
78b7b2
78b7b2 
+    CKYStatus getCACAid();
78b7b2 
+    CKYStatus readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize,
78b7b2 
+                              bool throwException);
78b7b2 
+    CKYStatus readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize);
78b7b2 
+
78b7b2 
     void selectApplet();
78b7b2 
     void selectCACApplet(CKYByte instance);
78b7b2 
     void unloadObjects();
78b7b2 
diff -up ./src/libckyapplet/cky_applet.c.cac ./src/libckyapplet/cky_applet.c
78b7b2 
--- ./src/libckyapplet/cky_applet.c.cac	2010-06-16 13:43:51.357181000 -0700
78b7b2 
+++ ./src/libckyapplet/cky_applet.c	2010-06-16 14:47:41.305529000 -0700
78b7b2 
@@ -41,7 +41,13 @@
78b7b2 
 CKYStatus
78b7b2 
 CKYAppletFactory_SelectFile(CKYAPDU *apdu, const void *param)
78b7b2 
 {
78b7b2 
-    return CKYAPDUFactory_SelectFile(apdu,(const CKYBuffer *)param);
78b7b2 
+    return CKYAPDUFactory_SelectFile(apdu, 4, 0, (const CKYBuffer *)param);
78b7b2 
+}
78b7b2 
+
78b7b2 
+CKYStatus
78b7b2 
+CACAppletFactory_SelectFile(CKYAPDU *apdu, const void *param)
78b7b2 
+{
78b7b2 
+    return CKYAPDUFactory_SelectFile(apdu, 2, 12, (const CKYBuffer *)param);
78b7b2 
 }
78b7b2
78b7b2 
 CKYStatus
78b7b2 
@@ -225,10 +231,17 @@ CKYAppletFactory_GetBuiltinACL(CKYAPDU *
78b7b2 
 }
78b7b2
78b7b2 
 CKYStatus
78b7b2 
-CACAppletFactory_SignDecrypt(CKYAPDU *apdu, const void *param)
78b7b2 
+CACAppletFactory_SignDecryptStep(CKYAPDU *apdu, const void *param)
78b7b2 
+{
78b7b2 
+    const CKYBuffer *buf=(CKYBuffer *)param;
78b7b2 
+    return CACAPDUFactory_SignDecrypt(apdu, CAC_P1_STEP, buf);
78b7b2 
+}
78b7b2 
+
78b7b2 
+CKYStatus
78b7b2 
+CACAppletFactory_SignDecryptFinal(CKYAPDU *apdu, const void *param)
78b7b2 
 {
78b7b2 
     const CKYBuffer *buf=(CKYBuffer *)param;
78b7b2 
-    return CACAPDUFactory_SignDecrypt(apdu, buf);
78b7b2 
+    return CACAPDUFactory_SignDecrypt(apdu, CAC_P1_FINAL, buf);
78b7b2 
 }
78b7b2
78b7b2 
 CKYStatus
78b7b2 
@@ -246,6 +259,13 @@ CACAppletFactory_GetCertificate(CKYAPDU
78b7b2 
 }
78b7b2
78b7b2 
 CKYStatus
78b7b2 
+CACAppletFactory_ReadFile(CKYAPDU *apdu, const void *param)
78b7b2 
+{
78b7b2 
+    const CACAppletArgReadFile *rfs = (const CACAppletArgReadFile *)param;
78b7b2 
+    return CACAPDUFactory_ReadFile(apdu, rfs->offset, rfs->type, rfs->count);
78b7b2 
+}
78b7b2 
+
78b7b2 
+CKYStatus
78b7b2 
 CACAppletFactory_GetProperties(CKYAPDU *apdu, const void *param)
78b7b2 
 {
78b7b2 
     return CACAPDUFactory_GetProperties(apdu);
78b7b2 
@@ -457,7 +477,7 @@ CKYApplet_SelectFile(CKYCardConnection *
78b7b2 
 							 CKYISOStatus *apduRC)
78b7b2 
 {
78b7b2 
     return CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, AID, NULL,
78b7b2 
-		0, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
+		CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
 }
78b7b2
78b7b2 
 static CKYByte coolkeyid[] = {0x62, 0x76, 0x01, 0xff, 0x00, 0x00, 0x00 };
78b7b2 
@@ -477,22 +497,23 @@ CKYApplet_SelectCoolKeyManager(CKYCardCo
78b7b2 
     return ret;
78b7b2 
 }
78b7b2
78b7b2 
-static CKYByte CACPKIid[] = {0xa0, 0x00, 0x00, 0x00, 0x79, 0x01, 0x00 };
78b7b2 
+static CKYByte CACPKIid[] = { 0xa0, 0x00, 0x00, 0x00, 0x79, 0x01 };
78b7b2 
 /*
78b7b2 
  * Select the CoolKey applet. Must happen after we start a transaction and
78b7b2 
  * before we issue any applet specific command.
78b7b2 
  */
78b7b2 
 CKYStatus
78b7b2 
-CACApplet_SelectPKI(CKYCardConnection *conn, CKYByte instance,
78b7b2 
-			       CKYISOStatus *apduRC)
78b7b2 
+CACApplet_SelectPKI(CKYCardConnection *conn, CKYBuffer *cacAID,
78b7b2 
+				CKYByte instance, CKYISOStatus *apduRC)
78b7b2 
 {
78b7b2 
     CKYStatus ret;
78b7b2 
-    CKYBuffer CACPKIAID;
78b7b2 
-    CKYBuffer_InitFromData(&CACPKIAID, CACPKIid, sizeof(CACPKIid));
78b7b2 
-    CKYBuffer_SetChar(&CACPKIAID, 6, instance);
78b7b2 
-    ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, &CACPKIAID,
78b7b2 
+    CKYBuffer_AppendData(cacAID, CACPKIid, sizeof(CACPKIid));
78b7b2 
+    CKYBuffer_AppendChar(cacAID, instance);
78b7b2 
+    ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, cacAID,
78b7b2 
 		 NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
-    CKYBuffer_FreeData(&CACPKIAID);
78b7b2 
+    if (ret != CKYSUCCESS) {
78b7b2 
+	CKYBuffer_Resize(cacAID, 0);
78b7b2 
+    }
78b7b2 
     return ret;
78b7b2 
 }
78b7b2
78b7b2 
@@ -515,11 +536,38 @@ CACApplet_SelectCardManager(CKYCardConne
78b7b2 
     CKYBuffer CAC_CM_AID;
78b7b2 
     CKYBuffer_InitFromData(&CAC_CM_AID, cacmgrid, sizeof(cacmgrid));
78b7b2 
     ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, &CAC_CM_AID,
78b7b2 
-		 NULL, 0, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
+		 NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
     CKYBuffer_FreeData(&CAC_CM_AID);
78b7b2 
     return ret;
78b7b2 
 }
78b7b2
78b7b2 
+static CKYByte cacCCCid[] = {0xa0, 0x00, 0x00, 0x01, 0x16, 0xdb, 0x00 };
78b7b2 
+CKYStatus
78b7b2 
+CACApplet_SelectCCC(CKYCardConnection *conn, CKYISOStatus *apduRC)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+    CKYBuffer CAC_CM_AID;
78b7b2 
+    CKYBuffer_InitFromData(&CAC_CM_AID, cacCCCid, sizeof(cacCCCid));
78b7b2 
+    ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, &CAC_CM_AID,
78b7b2 
+		 NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
+    CKYBuffer_FreeData(&CAC_CM_AID);
78b7b2 
+    return ret;
78b7b2 
+}
78b7b2 
+
78b7b2 
+CKYStatus
78b7b2 
+CACApplet_SelectFile(CKYCardConnection *conn, unsigned short ef,
78b7b2 
+						 CKYISOStatus *apduRC)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+    CKYBuffer efBuf;
78b7b2 
+    CKYBuffer_InitEmpty(&efBuf);
78b7b2 
+    CKYBuffer_AppendShortLE(&efBuf, ef);
78b7b2 
+    ret = CKYApplet_HandleAPDU(conn, CACAppletFactory_SelectFile, &efBuf,
78b7b2 
+		 NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
+    CKYBuffer_FreeData(&efBuf);
78b7b2 
+    return ret;
78b7b2 
+}
78b7b2 
+
78b7b2 
 /*
78b7b2 
  * GetCPLC cluster -- must be called with CM selected
78b7b2 
  */
78b7b2 
@@ -673,8 +721,8 @@ CKYApplet_ComputeCryptProcess(CKYCardCon
78b7b2 
     ccd.keyNumber = keyNumber;
78b7b2 
     ccd.location = location;
78b7b2 
     ccd.data = data;
78b7b2 
-    return CKYApplet_HandleAPDU(conn, CKYAppletFactory_ComputeCryptProcess, &ccd,
78b7b2 
-	nonce, 0, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
+    return CKYApplet_HandleAPDU(conn, CKYAppletFactory_ComputeCryptProcess,
78b7b2 
+	&ccd, nonce, 0, CKYAppletFill_Null, NULL, apduRC);
78b7b2 
 }
78b7b2
78b7b2 
 /* computeCrypt returns data in the form :
78b7b2 
@@ -832,11 +880,39 @@ CACApplet_SignDecrypt(CKYCardConnection
78b7b2 
 	 	CKYBuffer *result, CKYISOStatus *apduRC)
78b7b2 
 {
78b7b2 
     CKYStatus ret;
78b7b2 
-
78b7b2 
-    ret = CKYApplet_HandleAPDU(conn,
78b7b2 
-			    CACAppletFactory_SignDecrypt, data, NULL,
78b7b2 
-			    CKYBuffer_Size(data), CKYAppletFill_ReplaceBuffer,
78b7b2 
+    CKYSize dataSize = CKYBuffer_Size(data);
78b7b2 
+    CKYOffset offset = 0;
78b7b2 
+    CKYBuffer tmp;
78b7b2 
+
78b7b2 
+    CKYBuffer_InitEmpty(&tmp);
78b7b2 
+
78b7b2 
+    CKYBuffer_Resize(result, 0);
78b7b2 
+    for(offset = 0; (dataSize-offset) > CKY_MAX_WRITE_CHUNK_SIZE;
78b7b2 
+				offset += CKY_MAX_WRITE_CHUNK_SIZE) {
78b7b2 
+	CKYBuffer_Resize(&tmp,0);
78b7b2 
+	CKYBuffer_AppendBuffer(&tmp, data, offset, CKY_MAX_WRITE_CHUNK_SIZE);
78b7b2 
+        ret = CKYApplet_HandleAPDU(conn, CACAppletFactory_SignDecryptStep,
78b7b2 
+			    &tmp, NULL, CKY_SIZE_UNKNOWN,
78b7b2 
+			    CKYAppletFill_AppendBuffer,
78b7b2 
 			    result, apduRC);
78b7b2 
+	if (ret != CKYSUCCESS) {
78b7b2 
+	    goto done;
78b7b2 
+	}
78b7b2 
+    }
78b7b2 
+    CKYBuffer_Resize(&tmp,0);
78b7b2 
+    CKYBuffer_AppendBuffer(&tmp, data, offset, dataSize - offset);
78b7b2 
+    ret = CKYApplet_HandleAPDU(conn, CACAppletFactory_SignDecryptFinal,
78b7b2 
+			    &tmp, NULL, CKY_SIZE_UNKNOWN,
78b7b2 
+			    CKYAppletFill_AppendBuffer,
78b7b2 
+			    result, apduRC);
78b7b2 
+
78b7b2 
+    if ((ret == CKYSUCCESS) && (CKYBuffer_Size(result) != dataSize)) {
78b7b2 
+	/* RSA returns the same data size as input, didn't happen, so
78b7b2 
+	 * something is wrong. */
78b7b2 
+    }
78b7b2 
+
78b7b2 
+done:
78b7b2 
+    CKYBuffer_FreeData(&tmp);
78b7b2 
     return ret;
78b7b2 
 }
78b7b2
78b7b2 
@@ -895,6 +971,63 @@ CACApplet_GetCertificate(CKYCardConnecti
78b7b2 
     }
78b7b2 
     return ret;
78b7b2 
 }
78b7b2 
+
78b7b2 
+/*
78b7b2 
+ * Read a CAC Tag/Value file
78b7b2 
+ */
78b7b2 
+CKYStatus
78b7b2 
+CACApplet_ReadFile(CKYCardConnection *conn, CKYByte type, CKYBuffer *buffer,
78b7b2 
+		    CKYISOStatus *apduRC)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+    CKYISOStatus status;
78b7b2 
+    CKYByte maxtransfer;
78b7b2 
+    unsigned short offset = 0;
78b7b2 
+    unsigned short size;
78b7b2 
+    CACAppletArgReadFile rfs;
78b7b2 
+
78b7b2 
+    CKYBuffer_Resize(buffer,0);
78b7b2 
+    if (apduRC == NULL) {
78b7b2 
+	apduRC = &status;
78b7b2 
+    }
78b7b2 
+    rfs.offset = 0;
78b7b2 
+    rfs.count = 2;
78b7b2 
+    rfs.type = type;
78b7b2 
+
78b7b2 
+    /* APDU's are expensive, Grab a big chunk of the file first if possible */
78b7b2 
+    ret = CKYApplet_HandleAPDU(conn,
78b7b2 
+			    CACAppletFactory_ReadFile, &rfs, NULL,
78b7b2 
+			    rfs.count, CKYAppletFill_AppendBuffer,
78b7b2 
+			    buffer, apduRC);
78b7b2 
+    /* file is probably smaller than 100 bytes, get the actual size first */
78b7b2 
+    if (ret != CKYSUCCESS) {
78b7b2 
+	return ret;
78b7b2 
+    }
78b7b2 
+    size = CKYBuffer_GetShortLE(buffer, 0) + 2 /* include the length itself */;
78b7b2 
+    maxtransfer = CKY_MAX_READ_CHUNK_SIZE;
78b7b2 
+    /* get the rest of the buffer if necessary */
78b7b2 
+    for (offset = CKYBuffer_Size(buffer); size > offset;
78b7b2 
+				offset = CKYBuffer_Size(buffer)) {
78b7b2 
+	rfs.offset = offset;
78b7b2 
+	rfs.count = MIN(size - offset, maxtransfer);
78b7b2 
+	ret = CKYApplet_HandleAPDU(conn,
78b7b2 
+			    CACAppletFactory_ReadFile, &rfs, NULL,
78b7b2 
+			    rfs.count, CKYAppletFill_AppendBuffer,
78b7b2 
+			    buffer, apduRC);
78b7b2 
+	if (ret != CKYSUCCESS) {
78b7b2 
+	    if (*apduRC == CAC_INVALID_PARAMS) {
78b7b2 
+		maxtransfer = maxtransfer/2;
78b7b2 
+		if (maxtransfer == 0) {
78b7b2 
+		    return ret;
78b7b2 
+		}
78b7b2 
+	    } else {
78b7b2 
+		return ret;
78b7b2 
+	    }
78b7b2 
+ 	}
78b7b2 
+    }
78b7b2 
+    return ret;
78b7b2 
+}
78b7b2 
+
78b7b2 
 CKYStatus
78b7b2 
 CACApplet_GetCertificateFirst(CKYCardConnection *conn, CKYBuffer *cert,
78b7b2 
 			CKYSize *nextSize, CKYISOStatus *apduRC)
78b7b2 
diff -up ./src/libckyapplet/cky_applet.h.cac ./src/libckyapplet/cky_applet.h
78b7b2 
--- ./src/libckyapplet/cky_applet.h.cac	2010-06-16 13:43:51.370181000 -0700
78b7b2 
+++ ./src/libckyapplet/cky_applet.h	2010-06-16 13:43:51.572179000 -0700
78b7b2 
@@ -71,6 +71,15 @@ typedef unsigned short CKYISOStatus; /*
78b7b2 
 #define CKYISO_INTERNAL_ERROR        0x9cff  /* Reserved for debugging,
78b7b2 
 					     * shouldn't happen */
78b7b2
78b7b2 
+#define CAC_INVALID_PARAMS	    0x6a83
78b7b2 
+#define CAC_TAG_FILE			1
78b7b2 
+#define CAC_VALUE_FILE			2
78b7b2 
+
78b7b2 
+
78b7b2 
+#define CAC_TAG_CARDURL			0xf3
78b7b2 
+#define CAC_TAG_CERTIFICATE		0x70
78b7b2 
+#define CAC_TLV_APP_PKI			0x04
78b7b2 
+
78b7b2 
 /*
78b7b2 
  * Pin Constants as used by our applet
78b7b2 
  */
78b7b2 
@@ -209,6 +218,12 @@ typedef struct _CKYAppletArgComputeCrypt
78b7b2 
     const CKYBuffer *sig;
78b7b2 
 } CKYAppletArgComputeCrypt;
78b7b2
78b7b2 
+typedef struct _CACAppletArgReadFile {
78b7b2 
+    CKYByte   type;
78b7b2 
+    CKYByte   count;
78b7b2 
+    unsigned short offset;
78b7b2 
+} CACAppletArgReadFile;
78b7b2 
+
78b7b2 
 /* fills in an APDU from a structure -- form of all the generic factories*/
78b7b2 
 typedef CKYStatus (*CKYAppletFactory)(CKYAPDU *apdu, const void *param);
78b7b2 
 /* fills in an a structure from a response -- form of all the fill structures*/
78b7b2 
@@ -451,9 +466,17 @@ CKYStatus CKYApplet_DeleteObject(CKYCard
78b7b2 
 /* Select the CAC card manager.  Can happen with either applet selected */
78b7b2 
 CKYStatus CACApplet_SelectCardManager(CKYCardConnection *conn,
78b7b2 
 							CKYISOStatus *apduRC);
78b7b2 
-/* Can happen with either applet selected */
78b7b2 
-CKYStatus CACApplet_SelectPKI(CKYCardConnection *conn, CKYByte instance,
78b7b2 
-			      CKYISOStatus *apduRC);
78b7b2 
+/* Select the CAC CC container. Can happen with either applet selected */
78b7b2 
+CKYStatus CACApplet_SelectCCC(CKYCardConnection *conn, CKYISOStatus *apduRC);
78b7b2 
+/* Select an old CAC applet and fill in the cardAID */
78b7b2 
+CKYStatus CACApplet_SelectPKI(CKYCardConnection *conn, CKYBuffer *cardAid,
78b7b2 
+			      CKYByte instance, CKYISOStatus *apduRC);
78b7b2 
+/* read a TLV file */
78b7b2 
+CKYStatus CACApplet_ReadFile(CKYCardConnection *conn, CKYByte type,
78b7b2 
+			     CKYBuffer *buffer, CKYISOStatus *apduRC);
78b7b2 
+CKYStatus CACApplet_SelectFile(CKYCardConnection *conn, unsigned short ef,
78b7b2 
+			     CKYISOStatus *apduRC);
78b7b2 
+
78b7b2 
 /* must happen with PKI applet selected */
78b7b2 
 CKYStatus CACApplet_SignDecrypt(CKYCardConnection *conn, const CKYBuffer *data,
78b7b2 
 		CKYBuffer *result, CKYISOStatus *apduRC);
78b7b2 
diff -up ./src/libckyapplet/cky_base.c.cac ./src/libckyapplet/cky_base.c
78b7b2 
--- ./src/libckyapplet/cky_base.c.cac	2006-06-09 11:44:17.000000000 -0700
78b7b2 
+++ ./src/libckyapplet/cky_base.c	2010-06-16 13:43:51.583179000 -0700
78b7b2 
@@ -220,6 +220,22 @@ CKYBuffer_AppendShort(CKYBuffer *buf, un
78b7b2 
     return CKYSUCCESS;
78b7b2 
 }
78b7b2
78b7b2 
+/* append a short in network order */
78b7b2 
+CKYStatus
78b7b2 
+CKYBuffer_AppendShortLE(CKYBuffer *buf, unsigned short val)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+
78b7b2 
+    ret = CKYBuffer_Reserve(buf, buf->len + 2);
78b7b2 
+    if (ret != CKYSUCCESS) {
78b7b2 
+	return ret;
78b7b2 
+    }
78b7b2 
+    buf->data[buf->len+1] = (CKYByte) ((val >> 8) & 0xff);
78b7b2 
+    buf->data[buf->len+0] = (CKYByte) ((val >> 0) & 0xff);
78b7b2 
+    buf->len += 2;
78b7b2 
+    return CKYSUCCESS;
78b7b2 
+}
78b7b2 
+
78b7b2 
 /* append a long in applet order */
78b7b2 
 CKYStatus
78b7b2 
 CKYBuffer_AppendLong(CKYBuffer *buf, unsigned long val)
78b7b2 
@@ -238,6 +254,24 @@ CKYBuffer_AppendLong(CKYBuffer *buf, uns
78b7b2 
     return CKYSUCCESS;
78b7b2 
 }
78b7b2
78b7b2 
+/* append a long in applet order */
78b7b2 
+CKYStatus
78b7b2 
+CKYBuffer_AppendLongLE(CKYBuffer *buf, unsigned long val)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+
78b7b2 
+    ret = CKYBuffer_Reserve(buf, buf->len + 4);
78b7b2 
+    if (ret != CKYSUCCESS) {
78b7b2 
+	return ret;
78b7b2 
+    }
78b7b2 
+    buf->data[buf->len+3] = (CKYByte) ((val >> 24) & 0xff);
78b7b2 
+    buf->data[buf->len+2] = (CKYByte) ((val >> 16) & 0xff);
78b7b2 
+    buf->data[buf->len+1] = (CKYByte) ((val >>  8) & 0xff);
78b7b2 
+    buf->data[buf->len+0] = (CKYByte) ((val >>  0) & 0xff);
78b7b2 
+    buf->len += 4;
78b7b2 
+    return CKYSUCCESS;
78b7b2 
+}
78b7b2 
+
78b7b2 
 CKYStatus
78b7b2 
 CKYBuffer_Replace(CKYBuffer *buf, CKYOffset offset, const CKYByte *data, CKYSize len)
78b7b2 
 {
78b7b2 
@@ -351,6 +385,22 @@ CKYBuffer_SetShort(CKYBuffer *buf, CKYOf
78b7b2 
 }
78b7b2
78b7b2 
 CKYStatus
78b7b2 
+CKYBuffer_SetShortLE(CKYBuffer *buf, CKYOffset offset, unsigned short val)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+
78b7b2 
+    if (buf->len < offset+2) {
78b7b2 
+	ret = CKYBuffer_Resize(buf,offset+2);
78b7b2 
+	if (ret != CKYSUCCESS) {
78b7b2 
+	    return ret;
78b7b2 
+	}
78b7b2 
+    }
78b7b2 
+    buf->data[offset+1] = (CKYByte) ((val >> 8) & 0xff);
78b7b2 
+    buf->data[offset+0] = (CKYByte) ((val >> 0) & 0xff);
78b7b2 
+    return CKYSUCCESS;
78b7b2 
+}
78b7b2 
+
78b7b2 
+CKYStatus
78b7b2 
 CKYBuffer_SetLong(CKYBuffer *buf, CKYOffset offset, unsigned long val)
78b7b2 
 {
78b7b2 
     CKYStatus ret;
78b7b2 
@@ -368,6 +418,24 @@ CKYBuffer_SetLong(CKYBuffer *buf, CKYOff
78b7b2 
     return CKYSUCCESS;
78b7b2 
 }
78b7b2
78b7b2 
+CKYStatus
78b7b2 
+CKYBuffer_SetLongLE(CKYBuffer *buf, CKYOffset offset, unsigned long val)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+
78b7b2 
+    if (buf->len < offset+4) {
78b7b2 
+	ret = CKYBuffer_Resize(buf,offset+4);
78b7b2 
+	if (ret != CKYSUCCESS) {
78b7b2 
+	    return ret;
78b7b2 
+	}
78b7b2 
+    }
78b7b2 
+    buf->data[offset+3] = (CKYByte) ((val >> 24) & 0xff);
78b7b2 
+    buf->data[offset+2] = (CKYByte) ((val >> 16) & 0xff);
78b7b2 
+    buf->data[offset+1] = (CKYByte) ((val >>  8) & 0xff);
78b7b2 
+    buf->data[offset+0] = (CKYByte) ((val >>  0) & 0xff);
78b7b2 
+    return CKYSUCCESS;
78b7b2 
+}
78b7b2 
+
78b7b2 
 CKYByte
78b7b2 
 CKYBuffer_GetChar(const CKYBuffer *buf, CKYOffset offset)
78b7b2 
 {
78b7b2 
@@ -388,6 +456,18 @@ CKYBuffer_GetShort(const CKYBuffer *buf,
78b7b2 
     val |= ((unsigned short)buf->data[offset+1]) << 0;
78b7b2 
     return val;
78b7b2 
 }
78b7b2 
+
78b7b2 
+unsigned short
78b7b2 
+CKYBuffer_GetShortLE(const CKYBuffer *buf, CKYOffset offset)
78b7b2 
+{
78b7b2 
+    unsigned short val;
78b7b2 
+    if (buf->len < offset+2) {
78b7b2 
+	return 0;
78b7b2 
+    }
78b7b2 
+    val  = ((unsigned short)buf->data[offset+1]) << 8;
78b7b2 
+    val |= ((unsigned short)buf->data[offset+0]) << 0;
78b7b2 
+    return val;
78b7b2 
+}
78b7b2
78b7b2 
 unsigned long
78b7b2 
 CKYBuffer_GetLong(const CKYBuffer *buf, CKYOffset offset)
78b7b2 
@@ -402,6 +482,20 @@ CKYBuffer_GetLong(const CKYBuffer *buf,
78b7b2 
     val |= ((unsigned long)buf->data[offset+3]) << 0;
78b7b2 
     return val;
78b7b2 
 }
78b7b2 
+
78b7b2 
+unsigned long
78b7b2 
+CKYBuffer_GetLongLE(const CKYBuffer *buf, CKYOffset offset)
78b7b2 
+{
78b7b2 
+    unsigned long val;
78b7b2 
+    if (buf->len < offset+4) {
78b7b2 
+	return 0;
78b7b2 
+    }
78b7b2 
+    val  = ((unsigned long)buf->data[offset+3]) << 24;
78b7b2 
+    val |= ((unsigned long)buf->data[offset+2]) << 16;
78b7b2 
+    val |= ((unsigned long)buf->data[offset+1]) << 8;
78b7b2 
+    val |= ((unsigned long)buf->data[offset+0]) << 0;
78b7b2 
+    return val;
78b7b2 
+}
78b7b2
78b7b2 
 CKYStatus
78b7b2 
 CKYBuffer_Resize(CKYBuffer *buf, CKYSize newLen)
78b7b2 
diff -up ./src/libckyapplet/cky_base.h.cac ./src/libckyapplet/cky_base.h
78b7b2 
--- ./src/libckyapplet/cky_base.h.cac	2006-06-09 11:44:17.000000000 -0700
78b7b2 
+++ ./src/libckyapplet/cky_base.h	2010-06-16 13:43:51.592179000 -0700
78b7b2 
@@ -170,9 +170,15 @@ CKYStatus CKYBuffer_AppendChar(CKYBuffer
78b7b2 
 /* append a short in applet order */
78b7b2 
 CKYStatus CKYBuffer_AppendShort(CKYBuffer *buf, unsigned short val);
78b7b2
78b7b2 
+/* append a short in little endian order */
78b7b2 
+CKYStatus CKYBuffer_AppendShortLE(CKYBuffer *buf, unsigned short val);
78b7b2 
+
78b7b2 
 /* append a long in applet order */
78b7b2 
 CKYStatus CKYBuffer_AppendLong(CKYBuffer *buf, unsigned long val);
78b7b2
78b7b2 
+/* append a long in little endian order */
78b7b2 
+CKYStatus CKYBuffer_AppendLongLE(CKYBuffer *buf, unsigned long val);
78b7b2 
+
78b7b2 
 /* append data. the data starts at data and extends len bytes */
78b7b2 
 CKYStatus CKYBuffer_AppendData(CKYBuffer *buf, const CKYByte *data, CKYSize len);
78b7b2
78b7b2 
@@ -210,12 +216,18 @@ CKYStatus CKYBuffer_SetChars(CKYBuffer *
78b7b2 
 CKYStatus CKYBuffer_SetShort(CKYBuffer *buf, CKYOffset offset, unsigned short val);
78b7b2 
 CKYStatus CKYBuffer_SetLong(CKYBuffer *buf, CKYOffset offset, unsigned long val);
78b7b2
78b7b2 
+/* These functions work in little endian order */
78b7b2 
+CKYStatus CKYBuffer_SetShortLE(CKYBuffer *buf, CKYOffset offset, unsigned short val);
78b7b2 
+CKYStatus CKYBuffer_SetLongLE(CKYBuffer *buf, CKYOffset offset, unsigned long val);
78b7b2 
 /* read a character from offset. If offset is beyond the end of the buffer,
78b7b2 
  * then the function returns '0' */
78b7b2 
 CKYByte CKYBuffer_GetChar(const CKYBuffer *buf, CKYOffset offset);
78b7b2 
 /* These functions work in applet order */
78b7b2 
 unsigned short CKYBuffer_GetShort(const CKYBuffer *buf, CKYOffset offset);
78b7b2 
 unsigned long CKYBuffer_GetLong(const CKYBuffer *buf, CKYOffset offset);
78b7b2 
+/* These functions work in little endian order */
78b7b2 
+unsigned short CKYBuffer_GetShortLE(const CKYBuffer *buf, CKYOffset offset);
78b7b2 
+unsigned long CKYBuffer_GetLongLE(const CKYBuffer *buf, CKYOffset offset);
78b7b2
78b7b2 
 /* clear out all the data in a buffer */
78b7b2 
 void CKYBuffer_Zero(CKYBuffer *buf);
78b7b2 
diff -up ./src/libckyapplet/cky_factory.c.cac ./src/libckyapplet/cky_factory.c
78b7b2 
--- ./src/libckyapplet/cky_factory.c.cac	2010-06-16 13:43:51.393185000 -0700
78b7b2 
+++ ./src/libckyapplet/cky_factory.c	2010-06-16 14:48:08.885473000 -0700
78b7b2 
@@ -25,12 +25,13 @@
78b7b2 
  * special commands can be issued at any time
78b7b2 
  */
78b7b2 
 CKYStatus
78b7b2 
-CKYAPDUFactory_SelectFile(CKYAPDU *apdu, const CKYBuffer *AID)
78b7b2 
+CKYAPDUFactory_SelectFile(CKYAPDU *apdu, CKYByte p1, CKYByte p2,
78b7b2 
+			  const CKYBuffer *AID)
78b7b2 
 {
78b7b2 
     CKYAPDU_SetCLA(apdu, CKY_CLASS_ISO7816);
78b7b2 
     CKYAPDU_SetINS(apdu, CKY_INS_SELECT_FILE);
78b7b2 
-    CKYAPDU_SetP1(apdu, 0x04);
78b7b2 
-    CKYAPDU_SetP2(apdu, 0x00);
78b7b2 
+    CKYAPDU_SetP1(apdu, p1);
78b7b2 
+    CKYAPDU_SetP2(apdu, p2);
78b7b2 
     return CKYAPDU_SetSendDataBuffer(apdu, AID);
78b7b2 
 }
78b7b2
78b7b2 
@@ -131,6 +132,7 @@ fail:
78b7b2 
     return ret;
78b7b2 
 }
78b7b2
78b7b2 
+
78b7b2 
 CKYStatus
78b7b2 
 CKYAPDUFactory_ComputeCryptFinal(CKYAPDU *apdu, CKYByte keyNumber,
78b7b2 
 		CKYByte location, const CKYBuffer *data, const CKYBuffer *sig)
78b7b2 
@@ -572,11 +574,11 @@ CKYAPDUFactory_GetBuiltinACL(CKYAPDU *ap
78b7b2 
 }
78b7b2
78b7b2 
 CKYStatus
78b7b2 
-CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, const CKYBuffer *data)
78b7b2 
+CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, CKYByte type, const CKYBuffer *data)
78b7b2 
 {
78b7b2 
     CKYAPDU_SetCLA(apdu, CKY_CLASS_ISO7816);
78b7b2 
     CKYAPDU_SetINS(apdu, CAC_INS_SIGN_DECRYPT);
78b7b2 
-    CKYAPDU_SetP1(apdu, 0x00);
78b7b2 
+    CKYAPDU_SetP1(apdu, type);
78b7b2 
     CKYAPDU_SetP2(apdu, 0x00);
78b7b2 
     return CKYAPDU_SetSendDataBuffer(apdu, data);
78b7b2 
 }
78b7b2 
@@ -592,6 +594,36 @@ CACAPDUFactory_GetCertificate(CKYAPDU *a
78b7b2 
 }
78b7b2
78b7b2 
 CKYStatus
78b7b2 
+CACAPDUFactory_ReadFile(CKYAPDU *apdu, unsigned short offset,
78b7b2 
+					CKYByte type, CKYByte count)
78b7b2 
+{
78b7b2 
+    CKYStatus ret;
78b7b2 
+    CKYBuffer buf;
78b7b2 
+
78b7b2 
+    CKYBuffer_InitEmpty(&buf;;
78b7b2 
+    CKYAPDU_SetCLA(apdu, CKY_CLASS_GLOBAL_PLATFORM);
78b7b2 
+    CKYAPDU_SetINS(apdu, CAC_INS_READ_FILE);
78b7b2 
+    CKYAPDU_SetP1(apdu, (offset >> 8) & 0xff);
78b7b2 
+    CKYAPDU_SetP2(apdu, offset & 0xff);
78b7b2 
+    ret = CKYBuffer_Reserve(&buf, 2);
78b7b2 
+    if (ret != CKYSUCCESS) {
78b7b2 
+	    goto fail;
78b7b2 
+    }
78b7b2 
+    ret = CKYBuffer_AppendChar(&buf, type);
78b7b2 
+    if (ret != CKYSUCCESS) {
78b7b2 
+	    goto fail;
78b7b2 
+    }
78b7b2 
+    ret = CKYBuffer_AppendChar(&buf, count);
78b7b2 
+    if (ret != CKYSUCCESS) {
78b7b2 
+	    goto fail;
78b7b2 
+    }
78b7b2 
+    ret = CKYAPDU_SetSendDataBuffer(apdu, &buf;;
78b7b2 
+fail:
78b7b2 
+    CKYBuffer_FreeData(&buf;;
78b7b2 
+    return ret;
78b7b2 
+}
78b7b2 
+
78b7b2 
+CKYStatus
78b7b2 
 CACAPDUFactory_GetProperties(CKYAPDU *apdu)
78b7b2 
 {
78b7b2 
     CKYAPDU_SetCLA(apdu, CKY_CLASS_ISO7816);
78b7b2 
diff -up ./src/libckyapplet/cky_factory.h.cac ./src/libckyapplet/cky_factory.h
78b7b2 
--- ./src/libckyapplet/cky_factory.h.cac	2010-06-16 13:43:51.402181000 -0700
78b7b2 
+++ ./src/libckyapplet/cky_factory.h	2010-06-16 14:43:20.867049000 -0700
78b7b2 
@@ -86,7 +86,11 @@
78b7b2 
 #define CAC_INS_SIGN_DECRYPT	0x42
78b7b2 
 #define CAC_INS_VERIFY_PIN	0x20
78b7b2 
 #define CAC_INS_GET_PROPERTIES	0x56
78b7b2 
+#define CAC_INS_READ_FILE	0x52
78b7b2 
+
78b7b2 
 #define CAC_SIZE_GET_PROPERTIES	48
78b7b2 
+#define CAC_P1_STEP		0x80
78b7b2 
+#define CAC_P1_FINAL		0x00
78b7b2
78b7b2 
 /*
78b7b2 
  * Fixed return sized from various commands
78b7b2 
@@ -169,7 +173,8 @@
78b7b2 
 CKY_BEGIN_PROTOS
78b7b2
78b7b2 
 /* function based factorys */
78b7b2 
-CKYStatus CKYAPDUFactory_SelectFile(CKYAPDU *apdu, const CKYBuffer *AID);
78b7b2 
+CKYStatus CKYAPDUFactory_SelectFile(CKYAPDU *apdu, CKYByte p1, CKYByte p2,
78b7b2 
+				    const CKYBuffer *AID);
78b7b2 
 CKYStatus CKYAPDUFactory_SelectCardManager(CKYAPDU *apdu);
78b7b2 
 CKYStatus CKYAPDUFactory_GetCPLCData(CKYAPDU *apdu);
78b7b2 
 CKYStatus CKYAPDUFactory_ListKeys(CKYAPDU *apdu, CKYByte sequence);
78b7b2 
@@ -211,9 +216,12 @@ CKYStatus CKYAPDUFactory_SeedRandom(CKYA
78b7b2 
 CKYStatus CKYAPDUFactory_GetIssuerInfo(CKYAPDU *apdu);
78b7b2 
 CKYStatus CKYAPDUFactory_GetBuiltinACL(CKYAPDU *apdu);
78b7b2
78b7b2 
-CKYStatus CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, const CKYBuffer *data);
78b7b2 
+CKYStatus CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, CKYByte type,
78b7b2 
+				     const CKYBuffer *data);
78b7b2 
 CKYStatus CACAPDUFactory_VerifyPIN(CKYAPDU *apdu, const char *pin);
78b7b2 
 CKYStatus CACAPDUFactory_GetCertificate(CKYAPDU *apdu, CKYSize size);
78b7b2 
+CKYStatus CACAPDUFactory_ReadFile(CKYAPDU *apdu, unsigned short offset,
78b7b2 
+				  CKYByte type, CKYByte count);
78b7b2 
 CKYStatus CACAPDUFactory_GetProperties(CKYAPDU *apdu);
78b7b2
78b7b2 
 CKY_END_PROTOS

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation