diff -up ./src/coolkey/object.cpp.cardos-5-3 ./src/coolkey/object.cpp
--- ./src/coolkey/object.cpp.cardos-5-3 2017-03-16 17:14:02.415338726 -0700
+++ ./src/coolkey/object.cpp 2017-03-16 17:14:02.419338794 -0700
@@ -32,7 +32,7 @@ const CKYByte eccOID[] = {0x2a,0x86,0x48
void dump(const char *label, const CKYBuffer *buf)
{
CKYSize i;
- CKYSize size = CKYBuffer_Size(buf);
+ CKYSize size = buf ? CKYBuffer_Size(buf) : 0;
#define ROW_LENGTH 60
char string[ROW_LENGTH+1];
char *bp = &string[0];
diff -up ./src/coolkey/object.h.cardos-5-3 ./src/coolkey/object.h
--- ./src/coolkey/object.h.cardos-5-3 2017-03-16 17:14:02.415338726 -0700
+++ ./src/coolkey/object.h 2017-03-16 17:14:02.419338794 -0700
@@ -200,9 +200,11 @@ class PKCS11Object {
CK_USER_TYPE getUser(void) const { return user; }
void setKeyType(KeyType theType) { keyType = theType; }
void setKeySize(unsigned int keySize_) { keySize = keySize_; }
+ void setUser(CK_USER_TYPE user_) { user = user_; }
const CKYBuffer *getAuthId(void) const { return &authId; }
const CKYBuffer *getPinAuthId(void) const { return &pinAuthId; }
const PK15ObjectPath &getObjectPath() const { return objectPath; }
+ void setObjectPath(const PK15ObjectPath &newPath) { objectPath = newPath; }
void completeKey(const PKCS11Object &cert);
};
@@ -308,6 +310,7 @@ class PK15Object : public PKCS11Object {
bool isLocal(void) const { return
(pinInfo.pinFlags & P15PinLocal) ? true : false; }
const P15PinInfo *getPinInfo(void) const { return &pinInfo; }
+ void setPinRef(CK_BYTE pinRef) { pinInfo.pinRef = pinRef; }
};
class Reader : public PKCS11Object {
diff -up ./src/coolkey/slot.cpp.cardos-5-3 ./src/coolkey/slot.cpp
--- ./src/coolkey/slot.cpp.cardos-5-3 2017-03-16 17:14:02.416338743 -0700
+++ ./src/coolkey/slot.cpp 2017-03-17 13:48:26.661205327 -0700
@@ -41,6 +41,7 @@
#define PRINTF(args)
#endif
// #define DISPLAY_WHOLE_GET_DATA 1
+void dump(const char *label, const CKYBuffer *buf);
// The Cyberflex Access 32k egate ATR
@@ -467,6 +468,8 @@ Slot::Slot(const char *readerName_, Log
}
CKYBuffer_InitEmpty(&cardATR);
CKYBuffer_InitEmpty(&mCUID);
+ CKYBuffer_InitEmpty(&candidateUserAuthId);
+ CKYBuffer_InitEmpty(&candidateContextSpecificAuthId);
for (int i=0; i < MAX_CERT_SLOTS; i++) {
CKYBuffer_InitEmpty(&cardAID[i]);
}
@@ -540,6 +543,8 @@ Slot::~Slot()
CKYBuffer_FreeData(&nonce);
CKYBuffer_FreeData(&cardATR);
CKYBuffer_FreeData(&mCUID);
+ CKYBuffer_FreeData(&candidateUserAuthId);
+ CKYBuffer_FreeData(&candidateContextSpecificAuthId);
CKYBuffer_FreeData(&p15AID);
CKYBuffer_FreeData(&p15odf);
CKYBuffer_FreeData(&p15tokenInfo);
@@ -1272,6 +1277,41 @@ class ObjectKeyCKAIDMatch {
}
};
+#ifdef DEBUG
+void
+dumpPin(const char *label, const PK15Object *pin)
+{
+ const P15PinInfo *pinInfo = pin->getPinInfo();
+ const PK15ObjectPath &pinPath=pin->getObjectPath();
+ unsigned int pin_type = (unsigned int) pinInfo->pinType;
+ const char *pin_name[3] = {"BCD", "ASCIINum", "UTF8" };
+
+ printf("Pin Object %s\n",label);
+ printf(" Pin flags=0x%08lx\n",pinInfo->pinFlags);
+ printf(" Pin type=%d (%s)\n",(int) pin_type,
+ pin_type < 3U ? pin_name[pin_type] :
+ "Invalid");
+ printf(" Pin length= %d (%d - %d)\n",(int)pinInfo->storedLength,
+ (int)pinInfo->minLength,
+ (int)pinInfo->maxLength);
+ printf(" Pin pad = 0x%02x,<%c>\n", pinInfo->padChar, pinInfo->padChar);
+ printf(" Pin Ref = 0x%02x\n", pinInfo->pinRef);
+ printf(" Pin Path index = %ld\n",(long)pinPath.getIndex());
+ printf(" Pin Path size = %ld\n",(long)pinPath.getLength());
+ dump(" Pin Path:",pinPath.getPath());
+}
+
+void
+dumpPath(const char *label, const PK15ObjectPath &path)
+{
+ printf(" Path for %s\n", label);
+ printf(" index = %ld\n",(long)path.getIndex());
+ printf(" size = %ld\n",(long)path.getLength());
+ dump(" objPath:",path.getPath());
+}
+#endif
+
+
CKYStatus
Slot::parseEF_Directory(const CKYByte *current,
CKYSize size, PK15ObjectType type)
@@ -1326,7 +1366,22 @@ Slot::parseEF_Directory(const CKYByte *c
auth[CKU_SO] = new PK15Object(obj);
}
} else if (auth[CKU_USER] == NULL) {
+ const CKYBuffer *authid = obj.getPinAuthId();
auth[CKU_USER] = new PK15Object(obj);
+ if ((CKYBuffer_Size(&candidateUserAuthId) != 0)
+ && !CKYBuffer_IsEqual(authid, &candidateUserAuthId)) {
+ /* validate our candidates */
+ if ((CKYBuffer_Size(&candidateContextSpecificAuthId)
+ == 0) || (CKYBuffer_IsEqual(
+ &candidateContextSpecificAuthId, authid))) {
+ CKYBuffer_Replace(&candidateContextSpecificAuthId,0,
+ CKYBuffer_Data(&candidateUserAuthId),
+ CKYBuffer_Size(&candidateUserAuthId));
+ }
+ CKYBuffer_Replace(&candidateUserAuthId, 0,
+ CKYBuffer_Data(authid), CKYBuffer_Size(authid));
+ }
+
} else if (auth[CKU_CONTEXT_SPECIFIC] == NULL) {
ObjectIter iter;
const CKYBuffer *authid = obj.getPinAuthId();
@@ -1339,6 +1394,8 @@ Slot::parseEF_Directory(const CKYByte *c
if( CKYBuffer_IsEqual(iter->getAuthId(),authid)) {
iter->setAttributeBool(CKA_ALWAYS_AUTHENTICATE,
TRUE);
+ iter->setUser(CKU_CONTEXT_SPECIFIC);
+printf("Setting Context Specific pin on key\n");
}
}
}
@@ -1349,7 +1406,19 @@ Slot::parseEF_Directory(const CKYByte *c
{
ObjectConstIter iter;
const CKYBuffer *id;
+ const CKYBuffer *authid;
+ authid = obj.getAuthId();
+ if (authid) {
+ if (CKYBuffer_Size(&candidateUserAuthId) == 0) {
+ CKYBuffer_Replace(&candidateUserAuthId, 0,
+ CKYBuffer_Data(authid), CKYBuffer_Size(authid));
+ } else if (!CKYBuffer_IsEqual(&candidateUserAuthId,
+ authid)) {
+ CKYBuffer_Replace(&candidateContextSpecificAuthId,0,
+ CKYBuffer_Data(authid), CKYBuffer_Size(authid));
+ }
+ }
id = obj.getAttribute(CKA_ID);
if ((!id) || (CKYBuffer_Size(id) != 1)) {
break;
@@ -1386,6 +1455,31 @@ Slot::parseEF_Directory(const CKYByte *c
tokenObjects.push_back(obj);
} while ( false );
}
+
+ /* handle the case where we have context specific with the same user pin */
+ if ((type == PK15AuthObj)
+ && (CKYBuffer_Size(&candidateContextSpecificAuthId) != 0)
+ && (auth[CKU_CONTEXT_SPECIFIC] == NULL)) {
+ ObjectIter iter;
+
+ /* these should put on the individual keys */
+ auth[CKU_CONTEXT_SPECIFIC] = new PK15Object(*auth[CKU_USER]);
+ /* set the pin ref for the context specific auth */
+ auth[CKU_CONTEXT_SPECIFIC]->setPinRef(
+ (CK_BYTE) CKYBuffer_GetChar(&candidateContextSpecificAuthId,0));
+ for( iter = tokenObjects.begin(); iter != tokenObjects.end(); ++iter) {
+ const CKYBuffer *authid = iter->getAuthId();
+ if(authid &&
+ CKYBuffer_IsEqual(authid,&candidateContextSpecificAuthId)) {
+ iter->setAttributeBool(CKA_ALWAYS_AUTHENTICATE, TRUE);
+ iter->setUser(CKU_CONTEXT_SPECIFIC);
+ /* auth[CKU_CONTEXT_SPECIFIC]->
+ setObjectPath(iter->getObjectPath()); */
+ }
+ }
+
+
+ }
CKYBuffer_FreeData(&file);
return CKYSUCCESS;
}
@@ -2221,6 +2315,12 @@ Slot::unloadObjects()
tokenManufacturer = NULL;
}
CKYBuffer_Resize(&p15serialNumber,0);
+ CKYBuffer_Resize(&candidateUserAuthId,0);
+ CKYBuffer_Resize(&candidateContextSpecificAuthId,0);
+ for (int i=0; i < MAX_AUTH_USERS; i++) {
+ if (auth[i]) delete auth[i];
+ auth[i]=NULL;
+ }
}
#ifdef USE_SHMEM
@@ -3766,7 +3866,6 @@ Slot::attemptLogin(CK_USER_TYPE user, bo
contextPinCache.clearPin();
}
}
-void dump(const char *label, const CKYBuffer *buf);
void
Slot::attemptP15Login(CK_USER_TYPE user)
@@ -3794,7 +3893,6 @@ Slot::attemptP15Login(CK_USER_TYPE user)
throw PKCS11Exception(CKR_DEVICE_ERROR, "Applet select return 0x%04x",
result);
}
-
status = P15Applet_VerifyPIN(conn,
(const char *)CKYBuffer_Data(pinCachePtr->get()),
auth[user]->getPinInfo(), &result);
@@ -4636,7 +4734,14 @@ Slot::cryptRSA(SessionHandleSuffix suffi
params.padInput(&inputPad, &input);
performRSAOp(&output, &inputPad, params.getKeySize(), key,
params.getDirection());
- params.unpadOutput(result, &output);
+ if (CKYBuffer_Size(&output) < CKYBuffer_Size(&inputPad)) {
+ /* if the size is smaller than the input, treat it as
+ * unpadded */
+ CKYBuffer_Replace(result, 0, CKYBuffer_Data(&output),
+ CKYBuffer_Size(&output));
+ } else {
+ params.unpadOutput(result, &output);
+ }
CKYBuffer_FreeData(&input);
CKYBuffer_FreeData(&inputPad);
CKYBuffer_FreeData(&output);
@@ -4787,9 +4892,8 @@ retry:
} else if (state & CAC_CARD) {
status = CACApplet_SignDecrypt(conn, input, output, &result);
} else if (state & P15_CARD) {
- status = P15Applet_SignDecrypt(conn, key->getKeyRef(), keySize/8,
+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(), (keySize/8)*2,
CKY_DIR_ENCRYPT, input, output, &result);
-
} else {
status = CKYApplet_ComputeECCSignature(conn, objectToKeyNum(key), input, NULL, output, getNonce(), &result);
}
@@ -4861,8 +4965,32 @@ retry:
} else if (state & CAC_CARD) {
status = CACApplet_SignDecrypt(conn, input, output, &result);
} else if (state & P15_CARD) {
- status = P15Applet_SignDecrypt(conn, key->getKeyRef(), keySize/8,
- direction, input, output, &result);
+ if (direction == CKY_DIR_DECRYPT) {
+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(),
+ keySize/8, direction, input, output, &result);
+ } else {
+ CKYBuffer unpadInput;
+ CKYBuffer_InitEmpty(&unpadInput);
+ stripRSAPadding(&unpadInput, input); /* will throw exception
+ * on error */
+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(), keySize/8,
+ direction, &unpadInput, output, &result);
+ CKYBuffer_FreeData(&unpadInput);
+ /* if it didn't work, try full padded the input first */
+ if ((status != CKYSUCCESS)
+ && (result != CKYISO_CONDITION_NOT_SATISFIED)
+ && (result != CKYISO_SECURITY_NOT_SATISFIED)) {
+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(),
+ keySize/8, direction, input, output, &result);
+ }
+ /* finally just lie and try to "decrypt" the buffer */
+ if ((status != CKYSUCCESS)
+ && (result != CKYISO_CONDITION_NOT_SATISFIED)
+ && (result != CKYISO_SECURITY_NOT_SATISFIED)) {
+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(),
+ keySize/8, CKY_DIR_DECRYPT, input, output, &result);
+ }
+ }
} else {
status = CKYApplet_ComputeCrypt(conn, objectToKeyNum(key),
CKY_RSA_NO_PAD, direction, input, NULL, output,
@@ -4883,8 +5011,7 @@ retry:
throw PKCS11Exception(CKR_DATA_INVALID);
}
// version0 keys could be logged out in the middle by someone else,
- // reauthenticate... This code can go away when we depricate.
- // version0 applets.
+ // reauthenticate...
if (!isVersion1Key && !loginAttempted &&
userPinCache(key->getUser())->isValid() &&
(result == CKYISO_UNAUTHORIZED)) {
diff -up ./src/coolkey/slot.h.cardos-5-3 ./src/coolkey/slot.h
--- ./src/coolkey/slot.h.cardos-5-3 2017-03-16 17:14:02.417338760 -0700
+++ ./src/coolkey/slot.h 2017-03-16 17:14:02.421338828 -0700
@@ -368,6 +368,8 @@ class Slot {
CKYBuffer p15tokenInfo;
CKYBuffer p15odf;
CKYBuffer p15serialNumber;
+ CKYBuffer candidateUserAuthId;
+ CKYBuffer candidateContextSpecificAuthId;
//enum { RW_SESSION_HANDLE = 1, RO_SESSION_HANDLE = 2 };
#ifdef USE_SHMEM
diff -up ./src/libckyapplet/cky_applet.c.cardos-5-3 ./src/libckyapplet/cky_applet.c
--- ./src/libckyapplet/cky_applet.c.cardos-5-3 2017-03-16 17:14:02.404338539 -0700
+++ ./src/libckyapplet/cky_applet.c 2017-03-16 17:14:02.422338845 -0700
@@ -1316,8 +1316,6 @@ P15Applet_SignDecrypt(CKYCardConnection
int appendLength = length;
int hasPad = 0;
- /* Hack, lie and say we are always doing encipherment */
- direction = CKY_DIR_DECRYPT;
CKYBuffer_Resize(result,0);
/*
* first set the security environment
@@ -1367,7 +1365,7 @@ P15Applet_SignDecrypt(CKYCardConnection
}
CKYBuffer_AppendBuffer(&tmp, data, offset, appendLength);
pso.chain = 0;
- pso.retLen = dataSize;
+ pso.retLen = keySize;
ret = CKYApplet_HandleAPDU(conn,
P15AppletFactory_PerformSecurityOperation, &pso, NULL,