Upstream fixes already included in the latest community updates to coolkey v1.1.0

Adds support and fixes for newer versions of CAC and PIV cards.

Addresses issues seen with pcscd restart.

--- ORIGINAL/./src/coolkey/slot.cpp	2016-06-24 16:07:20.111616788 -0400

+++ ././src/coolkey/slot.cpp	2016-06-27 21:05:04.901200633 -0400

@@ -56,6 +56,34 @@

 {  0x3B, 0x6F, 0x00, 0xFF, 0x52, 0x53, 0x41, 0x53, 0x65, 0x63, 0x75, 0x72,

    0x49, 0x44, 0x28, 0x52, 0x29, 0x31, 0x30 };

+

+/* ECC curve information

+ *    Provide information for the limited set of curves supported by our smart card(s).

+ *    

+ */

+

+typedef struct curveBytes2Name {

+    const CKYByte * bytes;

+    const char *curveName;

+    unsigned int length;

+

+} CurveBytes2Name;

+

+/* First byte is length of oid byte array. */

+

+const CKYByte nistp256[] = { 0x8, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};

+const CKYByte nistp384[] = { 0x5, 0x2b, 0x81, 0x04, 0x00, 0x22 };

+const CKYByte nistp521[] = { 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23 };

+

+const int numECCurves = 3;

+

+static CurveBytes2Name curveBytesNamePair[] =

+{

+ { nistp256, "nistp256", 256 },

+ { nistp384, "nistp384", 384 },

+ { nistp521, "nistp521", 521 }

+};

+

 SlotList::SlotList(Log *log_) : log(log_)

 {

     // initialize things to NULL so we can recover from an exception

@@ -138,7 +166,11 @@

 	    throw PKCS11Exception(CKR_HOST_MEMORY);

 	memset(newSlots, 0, numReaders*sizeof(Slot*));

-        memcpy(newSlots, slots, sizeof(slots[0]) * numSlots);

+        /* keep coverity happy, even though slot == NULL implies that

+	 * numSlots == 0 */

+	if (slots) { 

+            memcpy(newSlots, slots, sizeof(slots[0]) * numSlots);

+	}

 	for (unsigned int i=numSlots; i < numReaders; i++) {

 	    newSlots[i] = new

@@ -205,6 +237,29 @@

     return FALSE;

 }

+bool

+SlotList::readerNameExistsInList(const char *readerName,CKYReaderNameList *readerNameList)

+{

+    if( !readerName || !readerNameList) {

+        return FALSE;

+    }

+

+    int i = 0;

+    int readerNameCnt = CKYReaderNameList_GetCount(*readerNameList);

+

+    const char *curReaderName = NULL;

+    for(i=0; i < readerNameCnt; i++) {

+        curReaderName = CKYReaderNameList_GetValue(*readerNameList,i);

+

+        if(!strcmp(curReaderName,readerName)) {

+            return TRUE;

+        }

+        

+    }

+    

+    return FALSE;

+}

+

 /*

  * you need to hold the ReaderList Lock before you can update the ReaderList

  */

@@ -216,32 +271,19 @@

     CKYStatus status = CKYCardContext_ListReaders(context, &readerNames);

     if ( status != CKYSUCCESS ) {

-	throw PKCS11Exception(CKR_GENERAL_ERROR,

+	/* if the service is stopped, treat it as if we have no readers */

+ 	if ((CKYCardContext_GetLastError(context) != SCARD_E_NO_SERVICE) && 

+	    (CKYCardContext_GetLastError(context) != SCARD_E_SERVICE_STOPPED)) {

+	    throw PKCS11Exception(CKR_GENERAL_ERROR,

                 "Failed to list readers: 0x%x\n", 

 				CKYCardContext_GetLastError(context));

+	}

     }

-    if (!readerStates) {

+    if (readerStates == NULL && readerNames != NULL) {

 	/* fresh Reader State list, just create it */

 	readerStates = CKYReader_CreateArray(readerNames, (CKYSize *)&numReaders);

-	/* if we have no readers, make sure we have at least one to keep things

-	 * happy */

-	if (readerStates == NULL &&

-			 CKYReaderNameList_GetCount(readerNames) == 0) {

-	    readerStates = (SCARD_READERSTATE *)

-				malloc(sizeof(SCARD_READERSTATE));

-	    if (readerStates) {

-		CKYReader_Init(readerStates);

-		status = CKYReader_SetReaderName(readerStates, "E-Gate 0 0");

-		if (status != CKYSUCCESS) {

- 		    CKYReader_DestroyArray(readerStates, 1);

-		    readerStates = NULL;

-		} else {

-		    numReaders = 1;

-		}

-	    }

-	}

 	CKYReaderNameList_Destroy(readerNames);

 	if (readerStates == NULL) {

@@ -251,6 +293,16 @@

 	return;

     }

+    if (readerStates == NULL) {

+	/* if we didn't have any readers before and we did get new names, 

+	 * that is handled above. If we didn't have any readers before, and

+	 * we didn't get any names, there is nothing to update. blow out now.

+	 * This more efficient and makes coverity happy (since coverity doesn't

+	 * know numReaders and readerStates are linked). */

+	return;

+    }

+

+

     /* it would be tempting at this point just to see if we have more readers

      * then specified previously. The problem with this is it is possible that

      * some readers have been deleted, so the only way to tell if we have

@@ -258,6 +310,33 @@

      * don't recognize.

      */

+    /* Iterate through all the readers to see if we need to make unavailable any

+     * freshly removed readers. Also, see if any previously removed

+     * readers have come back from the dead and don't need to be ignored.

+     */

+

+    const char *curReaderName = NULL;

+    unsigned long knownState = 0;

+    for(unsigned int ri = 0 ; ri < numReaders; ri ++)  {

+        knownState = CKYReader_GetKnownState(&readerStates[ri]);

+ 

+        curReaderName =  CKYReader_GetReaderName(&readerStates[ri]); 

+        if(readerNames && readerNameExistsInList(curReaderName,&readerNames)) {

+            CKYReader_SetKnownState(&readerStates[ri], 

+		 knownState & ~SCARD_STATE_IGNORE); 

+        } else {

+	    if (!(knownState & SCARD_STATE_UNAVAILABLE))

+		CKYReader_SetKnownState(&readerStates[ri], 

+		 knownState | SCARD_STATE_UNAVAILABLE | SCARD_STATE_CHANGED);

+	}

+    } 

+

+    if (readerNames == NULL) {

+        /* OK we've marked everything unavailable, we clearly

+	 * aren't adding any readers, so we can blow out here */

+	return;

+    }

+

     const char *newReadersData[MAX_READER_DELTA];

     const char **newReaders = &newReadersData[0];

     unsigned int newReaderCount = 0;

@@ -330,7 +409,9 @@

     : log(log_), readerName(NULL), personName(NULL), manufacturer(NULL),

 	slotInfoFound(false), context(context_), conn(NULL), state(UNKNOWN), 

 	isVersion1Key(false), needLogin(false), fullTokenName(false), 

-	mCoolkey(false),

+	mCoolkey(false), mOldCAC(false),mCACLocalLogin(false),

+	pivContainer(-1), pivKey(-1), maxCacCerts(MAX_CERT_SLOTS), 

+	algs(ALG_NONE), 

 #ifdef USE_SHMEM

 	shmem(readerName_),

 #endif

@@ -370,6 +451,9 @@

     }

     CKYBuffer_InitEmpty(&cardATR);

     CKYBuffer_InitEmpty(&mCUID);

+    for (int i=0; i < MAX_CERT_SLOTS; i++) {

+	CKYBuffer_InitEmpty(&cardAID[i]);

+    }

   } catch(PKCS11Exception &) {

 	if (conn) {

 	    CKYCardConnection_Destroy(conn);

@@ -437,6 +521,9 @@

     CKYBuffer_FreeData(&nonce);

     CKYBuffer_FreeData(&cardATR);

     CKYBuffer_FreeData(&mCUID);

+    for (int i=0; i < MAX_CERT_SLOTS; i++) {

+	CKYBuffer_FreeData(&cardAID[i]);

+    }

 }

 template <class C>

@@ -527,10 +614,39 @@

     return rv;

 }

+bool

+Slot::getPIVLoginType(void)

+{

+    CKYStatus status;

+    CKYISOStatus apduRC;

+    CKYBuffer buffer;

+    bool local = true;

+

+    CKYBuffer_InitEmpty(&buffer);

+

+    /* get the discovery object */

+    status = PIVApplet_GetCertificate(conn, &buffer, 0x7e, &apduRC);

+    if (status != CKYSUCCESS) {

+	/* Discovery object optional, PIV defaults to local */

+	goto done;

+    }

+    /* techically we probably should parse out the TLVs, but the PIV

+     * specifies exactly what they should be, so we know exactly which

+     * byte to look at */

+    if ((CKYBuffer_Size(&buffer) >= 20) && 

+			(CKYBuffer_GetChar(&buffer,17) == 0x60)) {

+	/* This tells us we should use global login for this piv card */

+	local = false;

+    }

+done:

+    CKYBuffer_FreeData(&buffer);

+    return true;

+}

+

 void

 Slot::connectToToken()

 {

-    CKYStatus status;

+    CKYStatus status = CKYSCARDERR;

     OSTime time = OSTimeNow();

     mCoolkey = 0;

@@ -539,13 +655,32 @@

     // try to connect to the card

     if( ! CKYCardConnection_IsConnected(conn) ) {

-        status = CKYCardConnection_Connect(conn, readerName);

-        if( status != CKYSUCCESS ) {

-            log->log("Unable to connect to token\n");

+        int i = 0;

+    //for cranky readers try again a few more times

+	status = CKYSCARDERR;

+        while( i++ < 5 && status != CKYSUCCESS )

+        {

+            status = CKYCardConnection_Connect(conn, readerName);

+            if( status != CKYSUCCESS && 

+                CKYCardConnection_GetLastError(conn) == SCARD_E_PROTO_MISMATCH ) 

+            {

+                log->log("Unable to connect to token status %d ConnGetGetLastError %x .\n",status,CKYCardConnection_GetLastError(conn));

+

+            }

+            else

+            {

+                break;

+            }

+            OSSleep(100000);

+        }

+

+        if( status != CKYSUCCESS)

+        {

             state = UNKNOWN;

             return;

         }

     }

+

     log->log("time connect: Connect Time %d ms\n", OSTimeNow() - time);

     if (!slotInfoFound) {

 	readSlotInfo();

@@ -564,15 +699,10 @@

         state = CARD_PRESENT;

     }

-    if ( CKYBuffer_DataIsEqual(&cardATR, ATR, sizeof (ATR)) || 

-		CKYBuffer_DataIsEqual(&cardATR, ATR1, sizeof(ATR1)) ||

-		CKYBuffer_DataIsEqual(&cardATR, ATR2, sizeof(ATR2)) ) {

-

-        if (Params::hasParam("noAppletOK"))

-        {      

-            state |=  APPLET_SELECTABLE;

-	    mCoolkey = 1;

-        }

+    if (Params::hasParam("noAppletOK"))

+    {      

+        state |=  APPLET_SELECTABLE;

+	mCoolkey = 1;

     }

     /* support CAC card. identify the card based on applets, not the ATRS */

@@ -613,17 +743,30 @@

     // see if the applet is selectable

     log->log("time connnect: Begin transaction %d ms\n", OSTimeNow() - time);

+    status = PIVApplet_Select(conn, NULL);

+    if (status == CKYSUCCESS) {

+	 /* CARD is a PIV card */

+	 state |= PIV_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;

+	 isVersion1Key = 0;

+	 needLogin = 1;

+	 maxCacCerts = MAX_CERT_SLOTS;

+         mCoolkey = 0;

+	 mOldCAC = 0;

+	 mCACLocalLogin = getPIVLoginType();

+	return;

+    } 

     status = CKYApplet_SelectCoolKeyManager(conn, NULL);

     if (status != CKYSUCCESS) {

         log->log("CoolKey Select failed 0x%x\n", status);

-	status = CACApplet_SelectPKI(conn, 0, NULL);

+	status = getCACAid();

 	if (status != CKYSUCCESS) {

-            log->log("CAC Select failed 0x%x\n", status);

+	    log->log("CAC Select failed 0x%x\n", status);

 	    if (status == CKYSCARDERR) {

-		log->log("CAC Card Failure 0x%x\n", 

-			CKYCardConnection_GetLastError(conn));

-		disconnect();

+		    log->log("Card Failure 0x%x\n",

+				CKYCardConnection_GetLastError(conn));

+		    disconnect();

 	    }

+	    /* CARD is unknown */

 	    return;

 	}

 	state |= CAC_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;

@@ -633,10 +776,11 @@

          * unfriendly */

 	isVersion1Key = 0;

 	needLogin = 1;

-

+        mCoolkey = 0;

+	mCACLocalLogin = false;

 	return;

     }

-    mCoolkey = 1;

+    mCoolkey = 1; /* coolkey applet selected */

     log->log("time connect: Select Applet %d ms\n", OSTimeNow() - time);

     state |= APPLET_SELECTABLE;

@@ -700,8 +844,8 @@

 	}

     } else {

 	loggedIn = false;

+	pinCache.invalidate();

 	if (hard) {

-	    pinCache.invalidate();

 	    pinCache.clearPin();

 	}

     }

@@ -716,17 +860,113 @@

     invalidateLogin(false);

 }

+CKYStatus

+Slot::getCACAid()

+{

+    CKYBuffer tBuf;

+    CKYBuffer vBuf;

+    CKYSize tlen, vlen;

+    CKYOffset toffset, voffset;

+    int certSlot = 0;

+    int i,length = 0;

+    CKYStatus status;

+

+    CKYBuffer_InitEmpty(&tBuf);

+    CKYBuffer_InitEmpty(&vBuf);

+

+    /* clear out the card AID's */

+    for (i=0; i < MAX_CERT_SLOTS; i++) {

+	CKYBuffer_Resize(&cardAID[i],0);

+    }

+

+    status = CACApplet_SelectCCC(conn,NULL);

+    if (status != CKYSUCCESS) {

+	/* are we an old CAC */

+	status = CACApplet_SelectPKI(conn, &cardAID[0], 0, NULL);

+	if (status != CKYSUCCESS) {

+	   /* no, just fail */

+	   return status;

+	}

+	/* yes, fill in the old applets */

+	mOldCAC = true;

+	for (i=1; i< MAX_CERT_SLOTS; i++) {

+	    CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);

+	}

+	maxCacCerts = 3;

+	return CKYSUCCESS;

+    }

+    /* definately not an old CAC */

+    mOldCAC = false;

+

+    /* read the TLV */

+    status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);

+    if (status != CKYSUCCESS) {

+	goto done;

+    }

+    status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);

+    if (status != CKYSUCCESS) {

+	goto done;

+    }

+    tlen = CKYBuffer_Size(&tBuf);

+    vlen = CKYBuffer_Size(&vBuf);

+

+    for(toffset = 2, voffset=2; 

+	certSlot < MAX_CERT_SLOTS && toffset < tlen && voffset < vlen ; 

+		voffset += length) {

+

+	CKYByte tag = CKYBuffer_GetChar(&tBuf, toffset);

+	length = CKYBuffer_GetChar(&tBuf, toffset+1);

+	toffset += 2;

+	if (length == 0xff) {

+	    length = CKYBuffer_GetShortLE(&tBuf, toffset);

+	    toffset +=2;

+	}

+	if (tag != CAC_TAG_CARDURL) {

+	    continue;

+	}

+	/* CARDURL tags must be at least 10 bytes long */

+	if (length < 10) {

+	    continue;

+	}

+	/* check the app type, should be TLV_APP_PKI */

+	if (CKYBuffer_GetChar(&vBuf, voffset+5) != CAC_TLV_APP_PKI) {

+	    continue;

+	}

+	status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf, voffset, 5);

+	if (status != CKYSUCCESS) {

+	    goto done;

+	}

+	status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf, 

+								voffset+8, 2);

+	if (status != CKYSUCCESS) {

+	    goto done;

+	}

+	cardEF[certSlot] = CKYBuffer_GetShortLE(&vBuf, voffset+6);

+

+	certSlot++;

+    }

+    status = CKYSUCCESS;

+    if (certSlot == 0) {

+	status = CKYAPDUFAIL; /* probably neeed a beter error code */

+    }

+    maxCacCerts = certSlot;

+

+done:

+    CKYBuffer_FreeData(&tBuf);

+    CKYBuffer_FreeData(&vBuf);

+    return status;

+}

+

 void

 Slot::refreshTokenState()

 {

     if( cardStateMayHaveChanged() ) {

-log->log("card changed\n");

+        log->log("card changed\n");

 	invalidateLogin(true);

         closeAllSessions();

 	unloadObjects();

         connectToToken();

-

         if( state & APPLET_PERSONALIZED ) {

             try {

                 loadObjects();

@@ -924,7 +1164,7 @@

 //

 #define COOLKEY "CoolKey"

 #define POSSESSION " for "

-    if (!personName || personName == "") {

+    if (!personName || personName[0] == '\0' ) {

 	const int coolKeySize = sizeof(COOLKEY) ;

 	memcpy(label, COOLKEY, coolKeySize-1);

 	makeSerialString(&label[coolKeySize], maxSize-coolKeySize, cuid);

@@ -964,7 +1204,7 @@

 struct _manList {

      unsigned short type;

-     char *string;

+     const char *string;

 };

 static const struct _manList  manList[] = {

@@ -1046,6 +1286,7 @@

     return CKR_OK;

+

 }

 void

@@ -1066,7 +1307,16 @@

     bool found = FALSE;

     CKYStatus status;

     SCARD_READERSTATE *myReaderStates = NULL;

+    static SCARD_READERSTATE pnp = { 0 };

     unsigned int myNumReaders = 0;

+

+    readerListLock.getLock();

+    if (pnp.szReader == 0) {

+	    CKYReader_Init(&pnp);

+	    pnp.szReader = "\\\\?PnP?\\Notification";

+    }

+    readerListLock.releaseLock();

+

 #ifndef notdef

     do {

 	readerListLock.getLock();

@@ -1079,52 +1329,98 @@

 	    }

 	    throw;

 	}

-	if (myNumReaders != numReaders) {

+

+	/* Before round-tripping to the daemon for the duration of the