Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1 | /* |
| 2 | * This is the actual card emulator. |
| 3 | * |
| 4 | * These functions can be implemented in different ways on different platforms |
| 5 | * using the underlying system primitives. For Linux it uses NSS, though direct |
| 6 | * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be |
| 7 | * used. On Windows CAPI could be used. |
| 8 | * |
| 9 | * This work is licensed under the terms of the GNU LGPL, version 2.1 or later. |
| 10 | * See the COPYING.LIB file in the top-level directory. |
| 11 | */ |
| 12 | |
| 13 | /* |
| 14 | * NSS headers |
| 15 | */ |
| 16 | |
| 17 | /* avoid including prototypes.h that redefines uint32 */ |
| 18 | #define NO_NSPR_10_SUPPORT |
| 19 | |
| 20 | #include <nss.h> |
| 21 | #include <pk11pub.h> |
| 22 | #include <cert.h> |
| 23 | #include <key.h> |
| 24 | #include <secmod.h> |
| 25 | #include <prthread.h> |
| 26 | #include <secerr.h> |
| 27 | |
| 28 | #include "qemu-common.h" |
| 29 | |
| 30 | #include "vcard.h" |
| 31 | #include "card_7816t.h" |
| 32 | #include "vcard_emul.h" |
| 33 | #include "vreader.h" |
| 34 | #include "vevent.h" |
| 35 | |
Alon Levy | 0b6a16c | 2013-03-05 16:27:43 +0200 | [diff] [blame] | 36 | #include "libcacard/vcardt_internal.h" |
| 37 | |
| 38 | |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 39 | typedef enum { |
| 40 | VCardEmulUnknown = -1, |
| 41 | VCardEmulFalse = 0, |
| 42 | VCardEmulTrue = 1 |
| 43 | } VCardEmulTriState; |
| 44 | |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 45 | struct VCardKeyStruct { |
| 46 | CERTCertificate *cert; |
| 47 | PK11SlotInfo *slot; |
| 48 | SECKEYPrivateKey *key; |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 49 | VCardEmulTriState failedX509; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 50 | }; |
| 51 | |
| 52 | |
| 53 | typedef struct VirtualReaderOptionsStruct VirtualReaderOptions; |
| 54 | |
| 55 | struct VReaderEmulStruct { |
| 56 | PK11SlotInfo *slot; |
| 57 | VCardEmulType default_type; |
| 58 | char *type_params; |
| 59 | PRBool present; |
| 60 | int series; |
| 61 | VCard *saved_vcard; |
| 62 | }; |
| 63 | |
| 64 | /* |
| 65 | * NSS Specific options |
| 66 | */ |
| 67 | struct VirtualReaderOptionsStruct { |
| 68 | char *name; |
| 69 | char *vname; |
| 70 | VCardEmulType card_type; |
| 71 | char *type_params; |
| 72 | char **cert_name; |
| 73 | int cert_count; |
| 74 | }; |
| 75 | |
| 76 | struct VCardEmulOptionsStruct { |
| 77 | void *nss_db; |
| 78 | VirtualReaderOptions *vreader; |
| 79 | int vreader_count; |
| 80 | VCardEmulType hw_card_type; |
| 81 | const char *hw_type_params; |
| 82 | PRBool use_hw; |
| 83 | }; |
| 84 | |
| 85 | static int nss_emul_init; |
| 86 | |
| 87 | /* if we have more that just the slot, define |
| 88 | * VCardEmulStruct here */ |
| 89 | |
| 90 | /* |
| 91 | * allocate the set of arrays for certs, cert_len, key |
| 92 | */ |
| 93 | static PRBool |
| 94 | vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp, |
| 95 | VCardKey ***keysp, int cert_count) |
| 96 | { |
| 97 | *certsp = NULL; |
| 98 | *cert_lenp = NULL; |
| 99 | *keysp = NULL; |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 100 | *certsp = (unsigned char **)g_malloc(sizeof(unsigned char *)*cert_count); |
| 101 | *cert_lenp = (int *)g_malloc(sizeof(int)*cert_count); |
| 102 | *keysp = (VCardKey **)g_malloc(sizeof(VCardKey *)*cert_count); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 103 | return PR_TRUE; |
| 104 | } |
| 105 | |
| 106 | /* |
| 107 | * Emulator specific card information |
| 108 | */ |
| 109 | typedef struct CardEmulCardStruct CardEmulPrivate; |
| 110 | |
| 111 | static VCardEmul * |
| 112 | vcard_emul_new_card(PK11SlotInfo *slot) |
| 113 | { |
| 114 | PK11_ReferenceSlot(slot); |
| 115 | /* currently we don't need anything other than the slot */ |
| 116 | return (VCardEmul *)slot; |
| 117 | } |
| 118 | |
| 119 | static void |
| 120 | vcard_emul_delete_card(VCardEmul *vcard_emul) |
| 121 | { |
| 122 | PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul; |
| 123 | if (slot == NULL) { |
| 124 | return; |
| 125 | } |
| 126 | PK11_FreeSlot(slot); |
| 127 | } |
| 128 | |
| 129 | static PK11SlotInfo * |
| 130 | vcard_emul_card_get_slot(VCard *card) |
| 131 | { |
| 132 | /* note, the card is holding the reference, no need to get another one */ |
| 133 | return (PK11SlotInfo *)vcard_get_private(card); |
| 134 | } |
| 135 | |
| 136 | |
| 137 | /* |
| 138 | * key functions |
| 139 | */ |
| 140 | /* private constructure */ |
| 141 | static VCardKey * |
| 142 | vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert) |
| 143 | { |
| 144 | VCardKey *key; |
| 145 | |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 146 | key = (VCardKey *)g_malloc(sizeof(VCardKey)); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 147 | key->slot = PK11_ReferenceSlot(slot); |
| 148 | key->cert = CERT_DupCertificate(cert); |
| 149 | /* NOTE: if we aren't logged into the token, this could return NULL */ |
| 150 | /* NOTE: the cert is a temp cert, not necessarily the cert in the token, |
| 151 | * use the DER version of this function */ |
| 152 | key->key = PK11_FindKeyByDERCert(slot, cert, NULL); |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 153 | key->failedX509 = VCardEmulUnknown; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 154 | return key; |
| 155 | } |
| 156 | |
| 157 | /* destructor */ |
| 158 | void |
| 159 | vcard_emul_delete_key(VCardKey *key) |
| 160 | { |
| 161 | if (!nss_emul_init || (key == NULL)) { |
| 162 | return; |
| 163 | } |
| 164 | if (key->key) { |
| 165 | SECKEY_DestroyPrivateKey(key->key); |
| 166 | key->key = NULL; |
| 167 | } |
| 168 | if (key->cert) { |
| 169 | CERT_DestroyCertificate(key->cert); |
| 170 | } |
| 171 | if (key->slot) { |
| 172 | PK11_FreeSlot(key->slot); |
| 173 | } |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 174 | } |
| 175 | |
| 176 | /* |
| 177 | * grab the nss key from a VCardKey. If it doesn't exist, try to look it up |
| 178 | */ |
| 179 | static SECKEYPrivateKey * |
| 180 | vcard_emul_get_nss_key(VCardKey *key) |
| 181 | { |
| 182 | if (key->key) { |
| 183 | return key->key; |
| 184 | } |
| 185 | /* NOTE: if we aren't logged into the token, this could return NULL */ |
| 186 | key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL); |
| 187 | return key->key; |
| 188 | } |
| 189 | |
| 190 | /* |
| 191 | * Map NSS errors to 7816 errors |
| 192 | */ |
| 193 | static vcard_7816_status_t |
| 194 | vcard_emul_map_error(int error) |
| 195 | { |
| 196 | switch (error) { |
| 197 | case SEC_ERROR_TOKEN_NOT_LOGGED_IN: |
| 198 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; |
| 199 | case SEC_ERROR_BAD_DATA: |
| 200 | case SEC_ERROR_OUTPUT_LEN: |
| 201 | case SEC_ERROR_INPUT_LEN: |
| 202 | case SEC_ERROR_INVALID_ARGS: |
| 203 | case SEC_ERROR_INVALID_ALGORITHM: |
| 204 | case SEC_ERROR_NO_KEY: |
| 205 | case SEC_ERROR_INVALID_KEY: |
| 206 | case SEC_ERROR_DECRYPTION_DISALLOWED: |
| 207 | return VCARD7816_STATUS_ERROR_DATA_INVALID; |
| 208 | case SEC_ERROR_NO_MEMORY: |
| 209 | return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE; |
| 210 | } |
| 211 | return VCARD7816_STATUS_EXC_ERROR_CHANGE; |
| 212 | } |
| 213 | |
| 214 | /* RSA sign/decrypt with the key, signature happens 'in place' */ |
| 215 | vcard_7816_status_t |
| 216 | vcard_emul_rsa_op(VCard *card, VCardKey *key, |
| 217 | unsigned char *buffer, int buffer_size) |
| 218 | { |
| 219 | SECKEYPrivateKey *priv_key; |
| 220 | unsigned signature_len; |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 221 | PK11SlotInfo *slot; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 222 | SECStatus rv; |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 223 | unsigned char buf[2048]; |
| 224 | unsigned char *bp = NULL; |
| 225 | int pad_len; |
| 226 | vcard_7816_status_t ret = VCARD7816_STATUS_SUCCESS; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 227 | |
| 228 | if ((!nss_emul_init) || (key == NULL)) { |
| 229 | /* couldn't get the key, indicate that we aren't logged in */ |
| 230 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; |
| 231 | } |
| 232 | priv_key = vcard_emul_get_nss_key(key); |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 233 | if (priv_key == NULL) { |
| 234 | /* couldn't get the key, indicate that we aren't logged in */ |
| 235 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; |
| 236 | } |
| 237 | slot = vcard_emul_card_get_slot(card); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 238 | |
| 239 | /* |
| 240 | * this is only true of the rsa signature |
| 241 | */ |
| 242 | signature_len = PK11_SignatureLen(priv_key); |
| 243 | if (buffer_size != signature_len) { |
| 244 | return VCARD7816_STATUS_ERROR_DATA_INVALID; |
| 245 | } |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 246 | /* be able to handle larger keys if necessariy */ |
| 247 | bp = &buf[0]; |
| 248 | if (sizeof(buf) < signature_len) { |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 249 | bp = g_malloc(signature_len); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 250 | } |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 251 | |
| 252 | /* |
| 253 | * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then |
| 254 | * choke when they try to do the actual operations. Try to detect |
| 255 | * those cases and treat them as if the token didn't claim support for |
| 256 | * X_509. |
| 257 | */ |
| 258 | if (key->failedX509 != VCardEmulTrue |
| 259 | && PK11_DoesMechanism(slot, CKM_RSA_X_509)) { |
| 260 | rv = PK11_PrivDecryptRaw(priv_key, bp, &signature_len, signature_len, |
| 261 | buffer, buffer_size); |
| 262 | if (rv == SECSuccess) { |
| 263 | assert(buffer_size == signature_len); |
| 264 | memcpy(buffer, bp, signature_len); |
| 265 | key->failedX509 = VCardEmulFalse; |
| 266 | goto cleanup; |
| 267 | } |
| 268 | /* |
| 269 | * we've had a successful X509 operation, this failure must be |
| 270 | * somethine else |
| 271 | */ |
| 272 | if (key->failedX509 == VCardEmulFalse) { |
| 273 | ret = vcard_emul_map_error(PORT_GetError()); |
| 274 | goto cleanup; |
| 275 | } |
| 276 | /* |
| 277 | * key->failedX509 must be Unknown at this point, try the |
| 278 | * non-x_509 case |
| 279 | */ |
| 280 | } |
| 281 | /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */ |
| 282 | /* is this a PKCS #1 formatted signature? */ |
| 283 | if ((buffer[0] == 0) && (buffer[1] == 1)) { |
| 284 | int i; |
| 285 | |
| 286 | for (i = 2; i < buffer_size; i++) { |
| 287 | /* rsa signature pad */ |
| 288 | if (buffer[i] != 0xff) { |
| 289 | break; |
| 290 | } |
| 291 | } |
| 292 | if ((i < buffer_size) && (buffer[i] == 0)) { |
| 293 | /* yes, we have a properly formated PKCS #1 signature */ |
| 294 | /* |
| 295 | * NOTE: even if we accidentally got an encrypt buffer, which |
| 296 | * through shear luck started with 00, 01, ff, 00, it won't matter |
| 297 | * because the resulting Sign operation will effectively decrypt |
| 298 | * the real buffer. |
| 299 | */ |
| 300 | SECItem signature; |
| 301 | SECItem hash; |
| 302 | |
| 303 | i++; |
| 304 | hash.data = &buffer[i]; |
| 305 | hash.len = buffer_size - i; |
| 306 | signature.data = bp; |
| 307 | signature.len = signature_len; |
| 308 | rv = PK11_Sign(priv_key, &signature, &hash); |
| 309 | if (rv != SECSuccess) { |
| 310 | ret = vcard_emul_map_error(PORT_GetError()); |
| 311 | goto cleanup; |
| 312 | } |
| 313 | assert(buffer_size == signature.len); |
| 314 | memcpy(buffer, bp, signature.len); |
| 315 | /* |
| 316 | * we got here because either the X509 attempt failed, or the |
| 317 | * token couldn't do the X509 operation, in either case stay |
| 318 | * with the PKCS version for future operations on this key |
| 319 | */ |
| 320 | key->failedX509 = VCardEmulTrue; |
| 321 | goto cleanup; |
| 322 | } |
| 323 | } |
| 324 | pad_len = buffer_size - signature_len; |
| 325 | assert(pad_len < 4); |
| 326 | /* |
| 327 | * OK now we've decrypted the payload, package it up in PKCS #1 for the |
| 328 | * upper layer. |
| 329 | */ |
| 330 | buffer[0] = 0; |
| 331 | buffer[1] = 2; /* RSA_encrypt */ |
| 332 | pad_len -= 3; /* format is 0 || 2 || pad || 0 || data */ |
| 333 | /* |
| 334 | * padding for PKCS #1 encrypted data is a string of random bytes. The |
| 335 | * random butes protect against potential decryption attacks against RSA. |
| 336 | * Since PrivDecrypt has already stripped those bytes, we can't reconstruct |
| 337 | * them. This shouldn't matter to the upper level code which should just |
| 338 | * strip this code out anyway, so We'll pad with a constant 3. |
| 339 | */ |
| 340 | memset(&buffer[2], 0x03, pad_len); |
| 341 | pad_len += 2; /* index to the end of the pad */ |
| 342 | buffer[pad_len] = 0; |
| 343 | pad_len++; /* index to the start of the data */ |
| 344 | memcpy(&buffer[pad_len], bp, signature_len); |
| 345 | /* |
| 346 | * we got here because either the X509 attempt failed, or the |
| 347 | * token couldn't do the X509 operation, in either case stay |
| 348 | * with the PKCS version for future operations on this key |
| 349 | */ |
| 350 | key->failedX509 = VCardEmulTrue; |
| 351 | cleanup: |
| 352 | if (bp != buf) { |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 353 | g_free(bp); |
Robert Relyea | 010debe | 2011-06-28 17:28:22 +0200 | [diff] [blame] | 354 | } |
| 355 | return ret; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 356 | } |
| 357 | |
| 358 | /* |
| 359 | * Login functions |
| 360 | */ |
| 361 | /* return the number of login attempts still possible on the card. if unknown, |
| 362 | * return -1 */ |
| 363 | int |
| 364 | vcard_emul_get_login_count(VCard *card) |
| 365 | { |
| 366 | return -1; |
| 367 | } |
| 368 | |
| 369 | /* login into the card, return the 7816 status word (sw2 || sw1) */ |
| 370 | vcard_7816_status_t |
| 371 | vcard_emul_login(VCard *card, unsigned char *pin, int pin_len) |
| 372 | { |
| 373 | PK11SlotInfo *slot; |
| 374 | unsigned char *pin_string = NULL; |
| 375 | int i; |
| 376 | SECStatus rv; |
| 377 | |
| 378 | if (!nss_emul_init) { |
| 379 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; |
| 380 | } |
| 381 | slot = vcard_emul_card_get_slot(card); |
| 382 | /* We depend on the PKCS #11 module internal login state here because we |
| 383 | * create a separate process to handle each guest instance. If we needed |
| 384 | * to handle multiple guests from one process, then we would need to keep |
| 385 | * a lot of extra state in our card structure |
| 386 | * */ |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 387 | pin_string = g_malloc(pin_len+1); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 388 | memcpy(pin_string, pin, pin_len); |
| 389 | pin_string[pin_len] = 0; |
| 390 | |
| 391 | /* handle CAC expanded pins correctly */ |
| 392 | for (i = pin_len-1; i >= 0 && (pin_string[i] == 0xff); i--) { |
| 393 | pin_string[i] = 0; |
| 394 | } |
| 395 | |
| 396 | rv = PK11_Authenticate(slot, PR_FALSE, pin_string); |
| 397 | memset(pin_string, 0, pin_len); /* don't let the pin hang around in memory |
| 398 | to be snooped */ |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 399 | g_free(pin_string); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 400 | if (rv == SECSuccess) { |
| 401 | return VCARD7816_STATUS_SUCCESS; |
| 402 | } |
| 403 | /* map the error from port get error */ |
| 404 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; |
| 405 | } |
| 406 | |
| 407 | void |
| 408 | vcard_emul_reset(VCard *card, VCardPower power) |
| 409 | { |
| 410 | PK11SlotInfo *slot; |
| 411 | |
| 412 | if (!nss_emul_init) { |
| 413 | return; |
| 414 | } |
| 415 | |
| 416 | /* |
| 417 | * if we reset the card (either power on or power off), we lose our login |
| 418 | * state |
| 419 | */ |
| 420 | /* TODO: we may also need to send insertion/removal events? */ |
| 421 | slot = vcard_emul_card_get_slot(card); |
| 422 | PK11_Logout(slot); /* NOTE: ignoring SECStatus return value */ |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 423 | } |
| 424 | |
| 425 | |
| 426 | static VReader * |
| 427 | vcard_emul_find_vreader_from_slot(PK11SlotInfo *slot) |
| 428 | { |
| 429 | VReaderList *reader_list = vreader_get_reader_list(); |
| 430 | VReaderListEntry *current_entry = NULL; |
| 431 | |
| 432 | if (reader_list == NULL) { |
| 433 | return NULL; |
| 434 | } |
| 435 | for (current_entry = vreader_list_get_first(reader_list); current_entry; |
| 436 | current_entry = vreader_list_get_next(current_entry)) { |
| 437 | VReader *reader = vreader_list_get_reader(current_entry); |
| 438 | VReaderEmul *reader_emul = vreader_get_private(reader); |
| 439 | if (reader_emul->slot == slot) { |
| 440 | return reader; |
| 441 | } |
| 442 | vreader_free(reader); |
| 443 | } |
| 444 | |
| 445 | return NULL; |
| 446 | } |
| 447 | |
| 448 | /* |
| 449 | * create a new reader emul |
| 450 | */ |
| 451 | static VReaderEmul * |
| 452 | vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params) |
| 453 | { |
| 454 | VReaderEmul *new_reader_emul; |
| 455 | |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 456 | new_reader_emul = (VReaderEmul *)g_malloc(sizeof(VReaderEmul)); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 457 | |
| 458 | new_reader_emul->slot = PK11_ReferenceSlot(slot); |
| 459 | new_reader_emul->default_type = type; |
Markus Armbruster | be168af | 2013-01-22 11:08:04 +0100 | [diff] [blame] | 460 | new_reader_emul->type_params = g_strdup(params); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 461 | new_reader_emul->present = PR_FALSE; |
| 462 | new_reader_emul->series = 0; |
| 463 | new_reader_emul->saved_vcard = NULL; |
| 464 | return new_reader_emul; |
| 465 | } |
| 466 | |
| 467 | static void |
| 468 | vreader_emul_delete(VReaderEmul *vreader_emul) |
| 469 | { |
| 470 | if (vreader_emul == NULL) { |
| 471 | return; |
| 472 | } |
| 473 | if (vreader_emul->slot) { |
| 474 | PK11_FreeSlot(vreader_emul->slot); |
| 475 | } |
| 476 | if (vreader_emul->type_params) { |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 477 | g_free(vreader_emul->type_params); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 478 | } |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 479 | g_free(vreader_emul); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 480 | } |
| 481 | |
| 482 | /* |
| 483 | * TODO: move this to emulater non-specific file |
| 484 | */ |
| 485 | static VCardEmulType |
| 486 | vcard_emul_get_type(VReader *vreader) |
| 487 | { |
| 488 | VReaderEmul *vreader_emul; |
| 489 | |
| 490 | vreader_emul = vreader_get_private(vreader); |
| 491 | if (vreader_emul && vreader_emul->default_type != VCARD_EMUL_NONE) { |
| 492 | return vreader_emul->default_type; |
| 493 | } |
| 494 | |
| 495 | return vcard_emul_type_select(vreader); |
| 496 | } |
| 497 | /* |
| 498 | * TODO: move this to emulater non-specific file |
| 499 | */ |
| 500 | static const char * |
| 501 | vcard_emul_get_type_params(VReader *vreader) |
| 502 | { |
| 503 | VReaderEmul *vreader_emul; |
| 504 | |
| 505 | vreader_emul = vreader_get_private(vreader); |
| 506 | if (vreader_emul && vreader_emul->type_params) { |
| 507 | return vreader_emul->type_params; |
| 508 | } |
| 509 | |
| 510 | return ""; |
| 511 | } |
| 512 | |
| 513 | /* pull the slot out of the reader private data */ |
| 514 | static PK11SlotInfo * |
| 515 | vcard_emul_reader_get_slot(VReader *vreader) |
| 516 | { |
| 517 | VReaderEmul *vreader_emul = vreader_get_private(vreader); |
| 518 | if (vreader_emul == NULL) { |
| 519 | return NULL; |
| 520 | } |
| 521 | return vreader_emul->slot; |
| 522 | } |
| 523 | |
| 524 | /* |
Alon Levy | 0b6a16c | 2013-03-05 16:27:43 +0200 | [diff] [blame] | 525 | * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 526 | * historical bytes for any software emulated card. The remaining bytes can be |
| 527 | * used to indicate the actual emulator |
| 528 | */ |
Alon Levy | 0b6a16c | 2013-03-05 16:27:43 +0200 | [diff] [blame] | 529 | static unsigned char *nss_atr; |
| 530 | static int nss_atr_len; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 531 | |
| 532 | void |
| 533 | vcard_emul_get_atr(VCard *card, unsigned char *atr, int *atr_len) |
| 534 | { |
Alon Levy | 0b6a16c | 2013-03-05 16:27:43 +0200 | [diff] [blame] | 535 | int len; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 536 | assert(atr != NULL); |
| 537 | |
Alon Levy | 0b6a16c | 2013-03-05 16:27:43 +0200 | [diff] [blame] | 538 | if (nss_atr == NULL) { |
| 539 | nss_atr = vcard_alloc_atr("NSS", &nss_atr_len); |
| 540 | } |
| 541 | len = MIN(nss_atr_len, *atr_len); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 542 | memcpy(atr, nss_atr, len); |
| 543 | *atr_len = len; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 544 | } |
| 545 | |
| 546 | /* |
| 547 | * create a new card from certs and keys |
| 548 | */ |
| 549 | static VCard * |
| 550 | vcard_emul_make_card(VReader *reader, |
| 551 | unsigned char * const *certs, int *cert_len, |
| 552 | VCardKey *keys[], int cert_count) |
| 553 | { |
| 554 | VCardEmul *vcard_emul; |
| 555 | VCard *vcard; |
| 556 | PK11SlotInfo *slot; |
| 557 | VCardEmulType type; |
| 558 | const char *params; |
| 559 | |
| 560 | type = vcard_emul_get_type(reader); |
| 561 | |
| 562 | /* ignore the inserted card */ |
| 563 | if (type == VCARD_EMUL_NONE) { |
| 564 | return NULL; |
| 565 | } |
| 566 | slot = vcard_emul_reader_get_slot(reader); |
| 567 | if (slot == NULL) { |
| 568 | return NULL; |
| 569 | } |
| 570 | |
| 571 | params = vcard_emul_get_type_params(reader); |
| 572 | /* params these can be NULL */ |
| 573 | |
| 574 | vcard_emul = vcard_emul_new_card(slot); |
| 575 | if (vcard_emul == NULL) { |
| 576 | return NULL; |
| 577 | } |
| 578 | vcard = vcard_new(vcard_emul, vcard_emul_delete_card); |
| 579 | if (vcard == NULL) { |
| 580 | vcard_emul_delete_card(vcard_emul); |
| 581 | return NULL; |
| 582 | } |
| 583 | vcard_init(reader, vcard, type, params, certs, cert_len, keys, cert_count); |
| 584 | return vcard; |
| 585 | } |
| 586 | |
| 587 | |
| 588 | /* |
| 589 | * 'clone' a physical card as a virtual card |
| 590 | */ |
| 591 | static VCard * |
| 592 | vcard_emul_mirror_card(VReader *vreader) |
| 593 | { |
| 594 | /* |
| 595 | * lookup certs using the C_FindObjects. The Stan Cert handle won't give |
| 596 | * us the real certs until we log in. |
| 597 | */ |
| 598 | PK11GenericObject *firstObj, *thisObj; |
| 599 | int cert_count; |
| 600 | unsigned char **certs; |
| 601 | int *cert_len; |
| 602 | VCardKey **keys; |
| 603 | PK11SlotInfo *slot; |
| 604 | PRBool ret; |
Christophe Fergeau | ee83d41 | 2011-07-04 18:10:43 +0200 | [diff] [blame] | 605 | VCard *card; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 606 | |
| 607 | slot = vcard_emul_reader_get_slot(vreader); |
| 608 | if (slot == NULL) { |
| 609 | return NULL; |
| 610 | } |
| 611 | |
| 612 | firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE); |
| 613 | if (firstObj == NULL) { |
| 614 | return NULL; |
| 615 | } |
| 616 | |
| 617 | /* count the certs */ |
| 618 | cert_count = 0; |
| 619 | for (thisObj = firstObj; thisObj; |
| 620 | thisObj = PK11_GetNextGenericObject(thisObj)) { |
| 621 | cert_count++; |
| 622 | } |
| 623 | |
| 624 | if (cert_count == 0) { |
| 625 | PK11_DestroyGenericObjects(firstObj); |
| 626 | return NULL; |
| 627 | } |
| 628 | |
| 629 | /* allocate the arrays */ |
| 630 | ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, cert_count); |
| 631 | if (ret == PR_FALSE) { |
| 632 | return NULL; |
| 633 | } |
| 634 | |
| 635 | /* fill in the arrays */ |
| 636 | cert_count = 0; |
| 637 | for (thisObj = firstObj; thisObj; |
| 638 | thisObj = PK11_GetNextGenericObject(thisObj)) { |
| 639 | SECItem derCert; |
| 640 | CERTCertificate *cert; |
| 641 | SECStatus rv; |
| 642 | |
| 643 | rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj, |
| 644 | CKA_VALUE, &derCert); |
| 645 | if (rv != SECSuccess) { |
| 646 | continue; |
| 647 | } |
| 648 | /* create floating temp cert. This gives us a cert structure even if |
| 649 | * the token isn't logged in */ |
| 650 | cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert, |
| 651 | NULL, PR_FALSE, PR_TRUE); |
| 652 | SECITEM_FreeItem(&derCert, PR_FALSE); |
| 653 | if (cert == NULL) { |
| 654 | continue; |
| 655 | } |
| 656 | |
| 657 | certs[cert_count] = cert->derCert.data; |
| 658 | cert_len[cert_count] = cert->derCert.len; |
| 659 | keys[cert_count] = vcard_emul_make_key(slot, cert); |
| 660 | cert_count++; |
| 661 | CERT_DestroyCertificate(cert); /* key obj still has a reference */ |
| 662 | } |
| 663 | |
| 664 | /* now create the card */ |
Christophe Fergeau | ee83d41 | 2011-07-04 18:10:43 +0200 | [diff] [blame] | 665 | card = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 666 | g_free(certs); |
| 667 | g_free(cert_len); |
| 668 | g_free(keys); |
Christophe Fergeau | ee83d41 | 2011-07-04 18:10:43 +0200 | [diff] [blame] | 669 | |
| 670 | return card; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 671 | } |
| 672 | |
| 673 | static VCardEmulType default_card_type = VCARD_EMUL_NONE; |
| 674 | static const char *default_type_params = ""; |
| 675 | |
| 676 | /* |
| 677 | * This thread looks for card and reader insertions and puts events on the |
| 678 | * event queue |
| 679 | */ |
| 680 | static void |
| 681 | vcard_emul_event_thread(void *arg) |
| 682 | { |
| 683 | PK11SlotInfo *slot; |
| 684 | VReader *vreader; |
| 685 | VReaderEmul *vreader_emul; |
| 686 | VCard *vcard; |
| 687 | SECMODModule *module = (SECMODModule *)arg; |
| 688 | |
| 689 | do { |
Alon Levy | 1b902f7 | 2012-03-22 19:44:49 +0200 | [diff] [blame] | 690 | /* |
| 691 | * XXX - the latency value doesn't matter one bit. you only get no |
| 692 | * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500), |
| 693 | * hard coded in coolkey. And it isn't coolkey's fault - the timeout |
| 694 | * value we pass get's dropped on the floor before C_WaitForSlotEvent |
| 695 | * is called. |
| 696 | */ |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 697 | slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500); |
| 698 | if (slot == NULL) { |
Alon Levy | 1b902f7 | 2012-03-22 19:44:49 +0200 | [diff] [blame] | 699 | /* this could be just a no event indication */ |
| 700 | if (PORT_GetError() == SEC_ERROR_NO_EVENT) { |
| 701 | continue; |
| 702 | } |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 703 | break; |
| 704 | } |
| 705 | vreader = vcard_emul_find_vreader_from_slot(slot); |
| 706 | if (vreader == NULL) { |
| 707 | /* new vreader */ |
| 708 | vreader_emul = vreader_emul_new(slot, default_card_type, |
| 709 | default_type_params); |
| 710 | vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, |
| 711 | vreader_emul_delete); |
| 712 | PK11_FreeSlot(slot); |
| 713 | slot = NULL; |
| 714 | vreader_add_reader(vreader); |
| 715 | vreader_free(vreader); |
| 716 | continue; |
| 717 | } |
| 718 | /* card remove/insert */ |
| 719 | vreader_emul = vreader_get_private(vreader); |
| 720 | if (PK11_IsPresent(slot)) { |
| 721 | int series = PK11_GetSlotSeries(slot); |
| 722 | if (series != vreader_emul->series) { |
| 723 | if (vreader_emul->present) { |
| 724 | vreader_insert_card(vreader, NULL); |
| 725 | } |
| 726 | vcard = vcard_emul_mirror_card(vreader); |
| 727 | vreader_insert_card(vreader, vcard); |
| 728 | vcard_free(vcard); |
| 729 | } |
| 730 | vreader_emul->series = series; |
| 731 | vreader_emul->present = 1; |
| 732 | vreader_free(vreader); |
| 733 | PK11_FreeSlot(slot); |
| 734 | continue; |
| 735 | } |
| 736 | if (vreader_emul->present) { |
| 737 | vreader_insert_card(vreader, NULL); |
| 738 | } |
| 739 | vreader_emul->series = 0; |
| 740 | vreader_emul->present = 0; |
| 741 | PK11_FreeSlot(slot); |
| 742 | vreader_free(vreader); |
| 743 | } while (1); |
| 744 | } |
| 745 | |
| 746 | /* if the card is inserted when we start up, make sure our state is correct */ |
| 747 | static void |
| 748 | vcard_emul_init_series(VReader *vreader, VCard *vcard) |
| 749 | { |
| 750 | VReaderEmul *vreader_emul = vreader_get_private(vreader); |
| 751 | PK11SlotInfo *slot = vreader_emul->slot; |
| 752 | |
| 753 | vreader_emul->present = PK11_IsPresent(slot); |
| 754 | vreader_emul->series = PK11_GetSlotSeries(slot); |
| 755 | if (vreader_emul->present == 0) { |
| 756 | vreader_insert_card(vreader, NULL); |
| 757 | } |
| 758 | } |
| 759 | |
| 760 | /* |
| 761 | * each module has a separate wait call, create a thread for each module that |
| 762 | * we are using. |
| 763 | */ |
| 764 | static void |
| 765 | vcard_emul_new_event_thread(SECMODModule *module) |
| 766 | { |
| 767 | PR_CreateThread(PR_SYSTEM_THREAD, vcard_emul_event_thread, |
| 768 | module, PR_PRIORITY_HIGH, PR_GLOBAL_THREAD, |
| 769 | PR_UNJOINABLE_THREAD, 0); |
| 770 | } |
| 771 | |
| 772 | static const VCardEmulOptions default_options = { |
| 773 | .nss_db = NULL, |
| 774 | .vreader = NULL, |
| 775 | .vreader_count = 0, |
| 776 | .hw_card_type = VCARD_EMUL_CAC, |
| 777 | .hw_type_params = "", |
| 778 | .use_hw = PR_TRUE |
| 779 | }; |
| 780 | |
| 781 | |
| 782 | /* |
| 783 | * NSS needs the app to supply a password prompt. In our case the only time |
| 784 | * the password is supplied is as part of the Login APDU. The actual password |
| 785 | * is passed in the pw_arg in that case. In all other cases pw_arg should be |
| 786 | * NULL. |
| 787 | */ |
| 788 | static char * |
| 789 | vcard_emul_get_password(PK11SlotInfo *slot, PRBool retries, void *pw_arg) |
| 790 | { |
| 791 | /* if it didn't work the first time, don't keep trying */ |
| 792 | if (retries) { |
| 793 | return NULL; |
| 794 | } |
| 795 | /* we are looking up a password when we don't have one in hand */ |
| 796 | if (pw_arg == NULL) { |
| 797 | return NULL; |
| 798 | } |
| 799 | /* TODO: we really should verify that were are using the right slot */ |
| 800 | return PORT_Strdup(pw_arg); |
| 801 | } |
| 802 | |
| 803 | /* Force a card removal even if the card is not physically removed */ |
| 804 | VCardEmulError |
| 805 | vcard_emul_force_card_remove(VReader *vreader) |
| 806 | { |
| 807 | if (!nss_emul_init || (vreader_card_is_present(vreader) != VREADER_OK)) { |
| 808 | return VCARD_EMUL_FAIL; /* card is already removed */ |
| 809 | } |
| 810 | |
| 811 | /* OK, remove it */ |
| 812 | vreader_insert_card(vreader, NULL); |
| 813 | return VCARD_EMUL_OK; |
| 814 | } |
| 815 | |
| 816 | /* Re-insert of a card that has been removed by force removal */ |
| 817 | VCardEmulError |
| 818 | vcard_emul_force_card_insert(VReader *vreader) |
| 819 | { |
| 820 | VReaderEmul *vreader_emul; |
| 821 | VCard *vcard; |
| 822 | |
| 823 | if (!nss_emul_init || (vreader_card_is_present(vreader) == VREADER_OK)) { |
| 824 | return VCARD_EMUL_FAIL; /* card is already removed */ |
| 825 | } |
| 826 | vreader_emul = vreader_get_private(vreader); |
| 827 | |
| 828 | /* if it's a softcard, get the saved vcard from the reader emul structure */ |
| 829 | if (vreader_emul->saved_vcard) { |
| 830 | vcard = vcard_reference(vreader_emul->saved_vcard); |
| 831 | } else { |
| 832 | /* it must be a physical card, rebuild it */ |
| 833 | if (!PK11_IsPresent(vreader_emul->slot)) { |
| 834 | /* physical card has been removed, not way to reinsert it */ |
| 835 | return VCARD_EMUL_FAIL; |
| 836 | } |
| 837 | vcard = vcard_emul_mirror_card(vreader); |
| 838 | } |
| 839 | vreader_insert_card(vreader, vcard); |
| 840 | vcard_free(vcard); |
| 841 | |
| 842 | return VCARD_EMUL_OK; |
| 843 | } |
| 844 | |
| 845 | |
| 846 | static PRBool |
| 847 | module_has_removable_hw_slots(SECMODModule *mod) |
| 848 | { |
| 849 | int i; |
| 850 | PRBool ret = PR_FALSE; |
| 851 | SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); |
| 852 | |
| 853 | if (!moduleLock) { |
| 854 | PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
| 855 | return ret; |
| 856 | } |
| 857 | SECMOD_GetReadLock(moduleLock); |
| 858 | for (i = 0; i < mod->slotCount; i++) { |
| 859 | PK11SlotInfo *slot = mod->slots[i]; |
| 860 | if (PK11_IsRemovable(slot) && PK11_IsHW(slot)) { |
| 861 | ret = PR_TRUE; |
| 862 | break; |
| 863 | } |
| 864 | } |
| 865 | SECMOD_ReleaseReadLock(moduleLock); |
| 866 | return ret; |
| 867 | } |
| 868 | |
| 869 | /* Previously we returned FAIL if no readers found. This makes |
| 870 | * no sense when using hardware, since there may be no readers connected |
| 871 | * at the time vcard_emul_init is called, but they will be properly |
| 872 | * recognized later. So Instead return FAIL only if no_hw==1 and no |
| 873 | * vcards can be created (indicates error with certificates provided |
| 874 | * or db), or if any other higher level error (NSS error, missing coolkey). */ |
| 875 | static int vcard_emul_init_called; |
| 876 | |
| 877 | VCardEmulError |
| 878 | vcard_emul_init(const VCardEmulOptions *options) |
| 879 | { |
| 880 | SECStatus rv; |
Marc-André Lureau | ad2181f | 2013-03-20 14:07:49 +0100 | [diff] [blame] | 881 | PRBool ret, has_readers = PR_FALSE; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 882 | VReader *vreader; |
| 883 | VReaderEmul *vreader_emul; |
| 884 | SECMODListLock *module_lock; |
| 885 | SECMODModuleList *module_list; |
| 886 | SECMODModuleList *mlp; |
| 887 | int i; |
| 888 | |
| 889 | if (vcard_emul_init_called) { |
| 890 | return VCARD_EMUL_INIT_ALREADY_INITED; |
| 891 | } |
| 892 | vcard_emul_init_called = 1; |
| 893 | vreader_init(); |
| 894 | vevent_queue_init(); |
| 895 | |
| 896 | if (options == NULL) { |
| 897 | options = &default_options; |
| 898 | } |
| 899 | |
| 900 | /* first initialize NSS */ |
| 901 | if (options->nss_db) { |
| 902 | rv = NSS_Init(options->nss_db); |
| 903 | } else { |
Marc-André Lureau | 667e0b4 | 2013-03-20 14:07:48 +0100 | [diff] [blame] | 904 | gchar *path; |
Marc-André Lureau | e2d9c5e | 2013-02-27 21:08:06 +0100 | [diff] [blame] | 905 | #ifndef _WIN32 |
| 906 | path = g_strdup("/etc/pki/nssdb"); |
| 907 | #else |
| 908 | if (g_get_system_config_dirs() == NULL || |
| 909 | g_get_system_config_dirs()[0] == NULL) { |
| 910 | return VCARD_EMUL_FAIL; |
| 911 | } |
| 912 | |
| 913 | path = g_build_filename( |
| 914 | g_get_system_config_dirs()[0], "pki", "nssdb", NULL); |
| 915 | #endif |
Marc-André Lureau | e2d9c5e | 2013-02-27 21:08:06 +0100 | [diff] [blame] | 916 | |
Marc-André Lureau | 667e0b4 | 2013-03-20 14:07:48 +0100 | [diff] [blame] | 917 | rv = NSS_Init(path); |
Marc-André Lureau | e2d9c5e | 2013-02-27 21:08:06 +0100 | [diff] [blame] | 918 | g_free(path); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 919 | } |
| 920 | if (rv != SECSuccess) { |
| 921 | return VCARD_EMUL_FAIL; |
| 922 | } |
| 923 | /* Set password callback function */ |
| 924 | PK11_SetPasswordFunc(vcard_emul_get_password); |
| 925 | |
| 926 | /* set up soft cards emulated by software certs rather than physical cards |
| 927 | * */ |
| 928 | for (i = 0; i < options->vreader_count; i++) { |
| 929 | int j; |
| 930 | int cert_count; |
| 931 | unsigned char **certs; |
| 932 | int *cert_len; |
| 933 | VCardKey **keys; |
| 934 | PK11SlotInfo *slot; |
| 935 | |
| 936 | slot = PK11_FindSlotByName(options->vreader[i].name); |
| 937 | if (slot == NULL) { |
| 938 | continue; |
| 939 | } |
| 940 | vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, |
| 941 | options->vreader[i].type_params); |
| 942 | vreader = vreader_new(options->vreader[i].vname, vreader_emul, |
| 943 | vreader_emul_delete); |
| 944 | vreader_add_reader(vreader); |
| 945 | cert_count = options->vreader[i].cert_count; |
| 946 | |
| 947 | ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, |
| 948 | options->vreader[i].cert_count); |
| 949 | if (ret == PR_FALSE) { |
| 950 | continue; |
| 951 | } |
| 952 | cert_count = 0; |
| 953 | for (j = 0; j < options->vreader[i].cert_count; j++) { |
| 954 | /* we should have a better way of identifying certs than by |
| 955 | * nickname here */ |
| 956 | CERTCertificate *cert = PK11_FindCertFromNickname( |
| 957 | options->vreader[i].cert_name[j], |
| 958 | NULL); |
| 959 | if (cert == NULL) { |
| 960 | continue; |
| 961 | } |
| 962 | certs[cert_count] = cert->derCert.data; |
| 963 | cert_len[cert_count] = cert->derCert.len; |
| 964 | keys[cert_count] = vcard_emul_make_key(slot, cert); |
| 965 | /* this is safe because the key is still holding a cert reference */ |
| 966 | CERT_DestroyCertificate(cert); |
| 967 | cert_count++; |
| 968 | } |
| 969 | if (cert_count) { |
| 970 | VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, |
| 971 | keys, cert_count); |
| 972 | vreader_insert_card(vreader, vcard); |
| 973 | vcard_emul_init_series(vreader, vcard); |
| 974 | /* allow insertion and removal of soft cards */ |
| 975 | vreader_emul->saved_vcard = vcard_reference(vcard); |
| 976 | vcard_free(vcard); |
| 977 | vreader_free(vreader); |
| 978 | has_readers = PR_TRUE; |
| 979 | } |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 980 | g_free(certs); |
| 981 | g_free(cert_len); |
| 982 | g_free(keys); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 983 | } |
| 984 | |
| 985 | /* if we aren't suppose to use hw, skip looking up hardware tokens */ |
| 986 | if (!options->use_hw) { |
| 987 | nss_emul_init = has_readers; |
| 988 | return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; |
| 989 | } |
| 990 | |
| 991 | /* make sure we have some PKCS #11 module loaded */ |
| 992 | module_lock = SECMOD_GetDefaultModuleListLock(); |
| 993 | module_list = SECMOD_GetDefaultModuleList(); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 994 | SECMOD_GetReadLock(module_lock); |
| 995 | for (mlp = module_list; mlp; mlp = mlp->next) { |
| 996 | SECMODModule *module = mlp->module; |
| 997 | if (module_has_removable_hw_slots(module)) { |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 998 | break; |
| 999 | } |
| 1000 | } |
| 1001 | SECMOD_ReleaseReadLock(module_lock); |
| 1002 | |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1003 | /* now examine all the slots, finding which should be readers */ |
| 1004 | /* We should control this with options. For now we mirror out any |
| 1005 | * removable hardware slot */ |
| 1006 | default_card_type = options->hw_card_type; |
Markus Armbruster | be168af | 2013-01-22 11:08:04 +0100 | [diff] [blame] | 1007 | default_type_params = g_strdup(options->hw_type_params); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1008 | |
| 1009 | SECMOD_GetReadLock(module_lock); |
| 1010 | for (mlp = module_list; mlp; mlp = mlp->next) { |
| 1011 | SECMODModule *module = mlp->module; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1012 | |
Alon Levy | 4e33988 | 2012-03-22 19:58:58 +0200 | [diff] [blame] | 1013 | /* Ignore the internal module */ |
| 1014 | if (module == NULL || module == SECMOD_GetInternalModule()) { |
| 1015 | continue; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1016 | } |
| 1017 | |
| 1018 | for (i = 0; i < module->slotCount; i++) { |
| 1019 | PK11SlotInfo *slot = module->slots[i]; |
| 1020 | |
| 1021 | /* only map removable HW slots */ |
| 1022 | if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { |
| 1023 | continue; |
| 1024 | } |
Alon Levy | 6f06f17 | 2012-03-22 20:00:36 +0200 | [diff] [blame] | 1025 | if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) { |
| 1026 | /* |
| 1027 | * coolkey <= 1.1.0-20 emulates this reader if it can't find |
| 1028 | * any hardware readers. This causes problems, warn user of |
| 1029 | * problems. |
| 1030 | */ |
| 1031 | fprintf(stderr, "known bad coolkey version - see " |
| 1032 | "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n"); |
| 1033 | continue; |
| 1034 | } |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1035 | vreader_emul = vreader_emul_new(slot, options->hw_card_type, |
| 1036 | options->hw_type_params); |
| 1037 | vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, |
| 1038 | vreader_emul_delete); |
| 1039 | vreader_add_reader(vreader); |
| 1040 | |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1041 | if (PK11_IsPresent(slot)) { |
| 1042 | VCard *vcard; |
| 1043 | vcard = vcard_emul_mirror_card(vreader); |
| 1044 | vreader_insert_card(vreader, vcard); |
| 1045 | vcard_emul_init_series(vreader, vcard); |
| 1046 | vcard_free(vcard); |
| 1047 | } |
| 1048 | } |
Alon Levy | 4e33988 | 2012-03-22 19:58:58 +0200 | [diff] [blame] | 1049 | vcard_emul_new_event_thread(module); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1050 | } |
| 1051 | SECMOD_ReleaseReadLock(module_lock); |
Alon Levy | 4e33988 | 2012-03-22 19:58:58 +0200 | [diff] [blame] | 1052 | nss_emul_init = PR_TRUE; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1053 | |
| 1054 | return VCARD_EMUL_OK; |
| 1055 | } |
| 1056 | |
| 1057 | /* Recreate card insert events for all readers (user should |
| 1058 | * deduce implied reader insert. perhaps do a reader insert as well?) |
| 1059 | */ |
| 1060 | void |
| 1061 | vcard_emul_replay_insertion_events(void) |
| 1062 | { |
| 1063 | VReaderListEntry *current_entry; |
| 1064 | VReaderListEntry *next_entry = NULL; |
| 1065 | VReaderList *list = vreader_get_reader_list(); |
| 1066 | |
| 1067 | for (current_entry = vreader_list_get_first(list); current_entry; |
| 1068 | current_entry = next_entry) { |
| 1069 | VReader *vreader = vreader_list_get_reader(current_entry); |
| 1070 | next_entry = vreader_list_get_next(current_entry); |
| 1071 | vreader_queue_card_event(vreader); |
| 1072 | } |
| 1073 | } |
| 1074 | |
| 1075 | /* |
| 1076 | * Silly little functions to help parsing our argument string |
| 1077 | */ |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1078 | static int |
| 1079 | count_tokens(const char *str, char token, char token_end) |
| 1080 | { |
| 1081 | int count = 0; |
| 1082 | |
| 1083 | for (; *str; str++) { |
| 1084 | if (*str == token) { |
| 1085 | count++; |
| 1086 | } |
| 1087 | if (*str == token_end) { |
| 1088 | break; |
| 1089 | } |
| 1090 | } |
| 1091 | return count; |
| 1092 | } |
| 1093 | |
| 1094 | static const char * |
| 1095 | strip(const char *str) |
| 1096 | { |
Alon Levy | 685ff50 | 2011-04-13 14:42:00 +0300 | [diff] [blame] | 1097 | for (; *str && isspace(*str); str++) { |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1098 | } |
| 1099 | return str; |
| 1100 | } |
| 1101 | |
| 1102 | static const char * |
| 1103 | find_blank(const char *str) |
| 1104 | { |
Alon Levy | 685ff50 | 2011-04-13 14:42:00 +0300 | [diff] [blame] | 1105 | for (; *str && !isspace(*str); str++) { |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1106 | } |
| 1107 | return str; |
| 1108 | } |
| 1109 | |
| 1110 | |
| 1111 | /* |
| 1112 | * We really want to use some existing argument parsing library here. That |
Stefan Weil | fc27eef | 2011-04-28 17:20:31 +0200 | [diff] [blame] | 1113 | * would give us a consistent look */ |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1114 | static VCardEmulOptions options; |
| 1115 | #define READER_STEP 4 |
| 1116 | |
Christophe Fergeau | d246b3c | 2011-07-22 13:42:19 +0200 | [diff] [blame] | 1117 | /* Expects "args" to be at the beginning of a token (ie right after the ',' |
| 1118 | * ending the previous token), and puts the next token start in "token", |
| 1119 | * and its length in "token_length". "token" will not be nul-terminated. |
| 1120 | * After calling the macro, "args" will be advanced to the beginning of |
| 1121 | * the next token. |
| 1122 | * This macro may call continue or break. |
| 1123 | */ |
| 1124 | #define NEXT_TOKEN(token) \ |
| 1125 | (token) = args; \ |
| 1126 | args = strpbrk(args, ",)"); \ |
| 1127 | if (*args == 0) { \ |
| 1128 | break; \ |
| 1129 | } \ |
| 1130 | if (*args == ')') { \ |
| 1131 | args++; \ |
| 1132 | continue; \ |
| 1133 | } \ |
| 1134 | (token##_length) = args - (token); \ |
| 1135 | args = strip(args+1); |
| 1136 | |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1137 | VCardEmulOptions * |
| 1138 | vcard_emul_options(const char *args) |
| 1139 | { |
| 1140 | int reader_count = 0; |
| 1141 | VCardEmulOptions *opts; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1142 | |
| 1143 | /* Allow the future use of allocating the options structure on the fly */ |
| 1144 | memcpy(&options, &default_options, sizeof(options)); |
| 1145 | opts = &options; |
| 1146 | |
| 1147 | do { |
| 1148 | args = strip(args); /* strip off the leading spaces */ |
| 1149 | if (*args == ',') { |
| 1150 | continue; |
| 1151 | } |
| 1152 | /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol) |
| 1153 | * cert_2,cert_3...) */ |
| 1154 | if (strncmp(args, "soft=", 5) == 0) { |
| 1155 | const char *name; |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1156 | size_t name_length; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1157 | const char *vname; |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1158 | size_t vname_length; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1159 | const char *type_params; |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1160 | size_t type_params_length; |
| 1161 | char type_str[100]; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1162 | VCardEmulType type; |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1163 | int count, i; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1164 | VirtualReaderOptions *vreaderOpt = NULL; |
| 1165 | |
| 1166 | args = strip(args + 5); |
| 1167 | if (*args != '(') { |
| 1168 | continue; |
| 1169 | } |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1170 | args = strip(args+1); |
| 1171 | |
Christophe Fergeau | d246b3c | 2011-07-22 13:42:19 +0200 | [diff] [blame] | 1172 | NEXT_TOKEN(name) |
| 1173 | NEXT_TOKEN(vname) |
| 1174 | NEXT_TOKEN(type_params) |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1175 | type_params_length = MIN(type_params_length, sizeof(type_str)-1); |
Jim Meyering | 2e67978 | 2012-10-04 13:09:59 +0200 | [diff] [blame] | 1176 | pstrcpy(type_str, type_params_length, type_params); |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1177 | type = vcard_emul_type_from_string(type_str); |
| 1178 | |
Christophe Fergeau | d246b3c | 2011-07-22 13:42:19 +0200 | [diff] [blame] | 1179 | NEXT_TOKEN(type_params) |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1180 | |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1181 | if (*args == 0) { |
| 1182 | break; |
| 1183 | } |
| 1184 | |
| 1185 | if (opts->vreader_count >= reader_count) { |
| 1186 | reader_count += READER_STEP; |
| 1187 | vreaderOpt = realloc(opts->vreader, |
| 1188 | reader_count * sizeof(*vreaderOpt)); |
| 1189 | if (vreaderOpt == NULL) { |
| 1190 | return opts; /* we're done */ |
| 1191 | } |
| 1192 | } |
| 1193 | opts->vreader = vreaderOpt; |
| 1194 | vreaderOpt = &vreaderOpt[opts->vreader_count]; |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 1195 | vreaderOpt->name = g_strndup(name, name_length); |
| 1196 | vreaderOpt->vname = g_strndup(vname, vname_length); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1197 | vreaderOpt->card_type = type; |
| 1198 | vreaderOpt->type_params = |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 1199 | g_strndup(type_params, type_params_length); |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1200 | count = count_tokens(args, ',', ')') + 1; |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1201 | vreaderOpt->cert_count = count; |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 1202 | vreaderOpt->cert_name = (char **)g_malloc(count*sizeof(char *)); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1203 | for (i = 0; i < count; i++) { |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1204 | const char *cert = args; |
| 1205 | args = strpbrk(args, ",)"); |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 1206 | vreaderOpt->cert_name[i] = g_strndup(cert, args - cert); |
Christophe Fergeau | a5aa842 | 2011-07-22 13:42:18 +0200 | [diff] [blame] | 1207 | args = strip(args+1); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1208 | } |
| 1209 | if (*args == ')') { |
| 1210 | args++; |
| 1211 | } |
| 1212 | opts->vreader_count++; |
| 1213 | /* use_hw= */ |
| 1214 | } else if (strncmp(args, "use_hw=", 7) == 0) { |
| 1215 | args = strip(args+7); |
| 1216 | if (*args == '0' || *args == 'N' || *args == 'n' || *args == 'F') { |
| 1217 | opts->use_hw = PR_FALSE; |
| 1218 | } else { |
| 1219 | opts->use_hw = PR_TRUE; |
| 1220 | } |
| 1221 | args = find_blank(args); |
| 1222 | /* hw_type= */ |
| 1223 | } else if (strncmp(args, "hw_type=", 8) == 0) { |
| 1224 | args = strip(args+8); |
| 1225 | opts->hw_card_type = vcard_emul_type_from_string(args); |
| 1226 | args = find_blank(args); |
| 1227 | /* hw_params= */ |
| 1228 | } else if (strncmp(args, "hw_params=", 10) == 0) { |
| 1229 | const char *params; |
| 1230 | args = strip(args+10); |
| 1231 | params = args; |
| 1232 | args = find_blank(args); |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 1233 | opts->hw_type_params = g_strndup(params, args-params); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1234 | /* db="/data/base/path" */ |
| 1235 | } else if (strncmp(args, "db=", 3) == 0) { |
| 1236 | const char *db; |
| 1237 | args = strip(args+3); |
| 1238 | if (*args != '"') { |
| 1239 | continue; |
| 1240 | } |
| 1241 | args++; |
| 1242 | db = args; |
| 1243 | args = strpbrk(args, "\"\n"); |
Anthony Liguori | 7267c09 | 2011-08-20 22:09:37 -0500 | [diff] [blame] | 1244 | opts->nss_db = g_strndup(db, args-db); |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1245 | if (*args != 0) { |
| 1246 | args++; |
| 1247 | } |
| 1248 | } else { |
| 1249 | args = find_blank(args); |
| 1250 | } |
| 1251 | } while (*args != 0); |
| 1252 | |
| 1253 | return opts; |
| 1254 | } |
| 1255 | |
| 1256 | void |
| 1257 | vcard_emul_usage(void) |
| 1258 | { |
| 1259 | fprintf(stderr, |
| 1260 | "emul args: comma separated list of the following arguments\n" |
| 1261 | " db={nss_database} (default sql:/etc/pki/nssdb)\n" |
| 1262 | " use_hw=[yes|no] (default yes)\n" |
| 1263 | " hw_type={card_type_to_emulate} (default CAC)\n" |
| 1264 | " hw_param={param_for_card} (default \"\")\n" |
| 1265 | " soft=({slot_name},{vreader_name},{card_type_to_emulate},{params_for_card},\n" |
| 1266 | " {cert1},{cert2},{cert3} (default none)\n" |
| 1267 | "\n" |
| 1268 | " {nss_database} The location of the NSS cert & key database\n" |
| 1269 | " {card_type_to_emulate} What card interface to present to the guest\n" |
| 1270 | " {param_for_card} Card interface specific parameters\n" |
| 1271 | " {slot_name} NSS slot that contains the certs\n" |
Dong Xu Wang | cba919d | 2011-11-22 18:06:18 +0800 | [diff] [blame] | 1272 | " {vreader_name} Virtual reader name to present to the guest\n" |
Robert Relyea | 111a38b | 2010-11-28 16:36:38 +0200 | [diff] [blame] | 1273 | " {certN} Nickname of the certificate n on the virtual card\n" |
| 1274 | "\n" |
| 1275 | "These parameters come as a single string separated by blanks or newlines." |
| 1276 | "\n" |
| 1277 | "Unless use_hw is set to no, all tokens that look like removable hardware\n" |
| 1278 | "tokens will be presented to the guest using the emulator specified by\n" |
| 1279 | "hw_type, and parameters of hw_param.\n" |
| 1280 | "\n" |
| 1281 | "If more one or more soft= parameters are specified, these readers will be\n" |
| 1282 | "presented to the guest\n"); |
| 1283 | } |