1 Upstream fixes already included in the latest community updates to coolkey v1.1.0 |
3 Adds header definitions for newer CAC and PIV card support. |
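--- a/src/coolkey/slot.h
+++ b/src/coolkey/slot.h
@@ -79,9 +79,11 @@
 bool CUIDIsEqual(const CKYBuffer *cuid) const;
 unsigned short getVersion() const;
 unsigned short getDataVersion() const;
+ unsigned char getFirstCacCert() const;
 void setCUID(const CKYBuffer *cuid);
 void setVersion(unsigned short version);
 void setDataVersion(unsigned short version);
+ void setFirstCacCert(unsigned char firstCacCert);
 bool isValid() const;
 int size() const;
 const unsigned char *getCUID() const;
@@ -90,6 +92,7 @@
 void setSize(int size);
 void readData(CKYBuffer *data) const;
 void writeData(const CKYBuffer *data);
+ void initCACHeaders(void);
 void readCACCert(CKYBuffer *data, CKYByte instance) const;
 void writeCACCert(const CKYBuffer *data, CKYByte instance);
 void clearValid(CKYByte instance);
@@ -211,24 +214,27 @@
 State state;
 CKYByte keyNum;
 CKYBuffer result;
+ PKCS11Object::KeyType keyType;
 
- CryptOpState() : state(NOT_INITIALIZED), keyNum(0)
+ CryptOpState() : state(NOT_INITIALIZED), keyNum(0), keyType(PKCS11Object::unknown)
 { CKYBuffer_InitEmpty(&result); }
 CryptOpState(const CryptOpState &cpy) :
- state(cpy.state), keyNum(cpy.keyNum) {
+ state(cpy.state), keyNum(cpy.keyNum), keyType(cpy.keyType) {
 CKYBuffer_InitFromCopy(&result, &cpy.result);
 }
 CryptOpState &operator=(const CryptOpState &cpy) {
 state = cpy.state,
 keyNum = cpy.keyNum;
+ keyType = cpy.keyType;
 CKYBuffer_Replace(&result, 0, CKYBuffer_Data(&cpy.result),
 CKYBuffer_Size(&cpy.result));
 return *this;
 }
 ~CryptOpState() { CKYBuffer_FreeData(&result); }
- void initialize(CKYByte keyNum) {
+ void initialize(CKYByte keyNum, PKCS11Object::KeyType theKeyType) {
 state = IN_PROCESS;
 this->keyNum = keyNum;
+ this->keyType = theKeyType;
 CKYBuffer_Resize(&result, 0);
 }
 };
@@ -258,6 +264,7 @@
 
 CryptOpState signatureState;
 CryptOpState decryptionState;
+ CryptOpState keyAgreementState;
 };
 
 typedef list<Session> SessionList;
@@ -267,13 +274,11 @@
 class CryptParams {
 private:
 unsigned int keySize; // in bits
- protected:
- unsigned int getKeySize() const { return keySize; }
 public:
- // !!!XXX hack. The right way to get the key size is to get all the
- // key information from the token with MSCListKeys, the same way
- // we get all the object information with MSCListObjects.
- enum { FIXED_KEY_SIZE = 1024 };
+ // set the actual key size obtained from the card
+ void setKeySize(unsigned int newKeySize) { keySize = newKeySize; }
+ unsigned int getKeySize() const { return keySize; }
+ enum { DEFAULT_KEY_SIZE = 1024, ECC_DEFAULT_KEY_SIZE=256 };
 
 
 CryptParams(unsigned int keySize_) : keySize(keySize_) { }
@@ -295,6 +300,13 @@
 const CKYBuffer *paddedOutput) const = 0;
 };
 
+#define MAX_CERT_SLOTS 10
+typedef enum {
+ ALG_NONE= 0x0,
+ ALG_ECC = 0x1,
+ ALG_RSA = 0x2
+} SlotAlgs;
+
 class Slot {
 
 public:
@@ -304,12 +316,15 @@
 ATR_MATCH = 0x04,
 APPLET_SELECTABLE = 0x08,
 APPLET_PERSONALIZED = 0x10,
- CAC_CARD = 0x20
+ CAC_CARD = 0x20,
+ PIV_CARD = 0x40
 };
 enum {
 NONCE_SIZE = 8
 };
 
+ static const SlotState GOV_CARD = (SlotState)(CAC_CARD|PIV_CARD);
+
 private:
 Log *log;
 char *readerName;
@@ -329,6 +344,8 @@
 CKYBuffer nonce;
 CKYBuffer cardATR;
 CKYBuffer mCUID;
+ CKYBuffer cardAID[MAX_CERT_SLOTS];
+ unsigned short cardEF[MAX_CERT_SLOTS];
 bool isVersion1Key;
 bool needLogin;
 long publicFree;
@@ -336,7 +353,12 @@
 long privateFree;
 bool fullTokenName;
 bool mCoolkey;
-
+ bool mOldCAC;
+ bool mCACLocalLogin;
+ int pivContainer;
+ int pivKey;
+ int maxCacCerts;
+ SlotAlgs algs;
 //enum { RW_SESSION_HANDLE = 1, RO_SESSION_HANDLE = 2 };
 
 #ifdef USE_SHMEM
@@ -383,6 +405,7 @@
 const CKYBuffer *getATR();
 bool isLoggedIn();
 bool needLoggedIn();
+ bool getPIVLoginType();
 void testNonce();
 
 void addKeyObject(list<PKCS11Object>& objectList,
@@ -392,6 +415,7 @@
 const CKYBuffer *derCert, CK_OBJECT_HANDLE handle);
 void addObject(list<PKCS11Object>& objectList,
 const ListObjectInfo& info, CK_OBJECT_HANDLE handle);
+ PKCS11Object *createSecretKeyObject(CK_OBJECT_HANDLE handle, CKYBuffer *secretKeyBuffer,CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount);
 
 void ensureValidSession(SessionHandleSuffix suffix);
 
@@ -399,8 +423,12 @@
 list<ListObjectInfo> fetchCombinedObjects(const CKYBuffer *header);
 list<ListObjectInfo> fetchSeparateObjects();
 
+ CKYStatus getCACAid();
+ CKYStatus readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize);
+ CKYStatus readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize);
+
 void selectApplet();
- void selectCACApplet(CKYByte instance);
+ void selectCACApplet(CKYByte instance,bool do_disconnect);
 void unloadObjects();
 void loadCACObjects();
 void loadCACCert(CKYByte instance);
@@ -422,14 +450,27 @@
 
 void cryptRSA(SessionHandleSuffix suffix, CK_BYTE_PTR pInput,
 CK_ULONG ulInputLen, CK_BYTE_PTR pOutput,
- CK_ULONG_PTR pulOutputLen, const CryptParams& params);
+ CK_ULONG_PTR pulOutputLen, CryptParams& params);
 
- void performRSAOp(CKYBuffer *out, const CKYBuffer *input, CKYByte keyNum,
- CKYByte direction);
+ void performRSAOp(CKYBuffer *out, const CKYBuffer *input, unsigned int keySize,
+ CKYByte keyNum, CKYByte direction);
+
+ void signECC(SessionHandleSuffix suffix, CK_BYTE_PTR pInput,
+ CK_ULONG ulInputLen, CK_BYTE_PTR pOutput,
+ CK_ULONG_PTR pulOutputLen, CryptParams& params);
+
+ void performECCSignature(CKYBuffer *out, const CKYBuffer *input,
+ unsigned int keySize, CKYByte keyNum);
+ void performECCKeyAgreement(CK_MECHANISM_TYPE deriveMech,
+ CKYBuffer *publicDataBuffer,
+ CKYBuffer *secretKeyBuffer, CKYByte keyNum, unsigned int keySize);
 
 void processComputeCrypt(CKYBuffer *result, const CKYAPDU *apdu);
 
 CKYByte objectHandleToKeyNum(CK_OBJECT_HANDLE hKey);
+ unsigned int calcECCKeySize(CKYByte keyNum);
+ void initCACShMem(void);
+ void verifyCACShMem(void);
 Slot(const Slot &cpy)
 #ifdef USE_SHMEM
 : shmem(readerName)
@@ -460,6 +501,11 @@
 return (char )((objectID >> 16) & 0xff) - '0';
 }
 
+ // actually get the size of a key in bits from the card
+ unsigned int getRSAKeySize(CKYByte keyNum);
+ unsigned int getECCKeySize(CKYByte keyNum);
+
+ PKCS11Object::KeyType getKeyTypeFromHandle(CK_OBJECT_HANDLE hKey);
 
 SessionHandleSuffix openSession(Session::Type type);
 void closeSession(SessionHandleSuffix handleSuffix);
@@ -501,6 +547,16 @@
 CK_ULONG len);
 void generateRandom(SessionHandleSuffix suffix, CK_BYTE_PTR data,
 CK_ULONG len);
+
+ void derive(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+
+ void deriveECC(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, CryptParams& params);
+
+ SlotAlgs getAlgs() { return algs; }
 };
 
 class SlotList {
@@ -527,6 +583,8 @@
 * has called 'C_GetSlotList' with a NULL parameter */
 void updateReaderList();
 
+ /* see if a reader name exists in a caller provided reader name list. */
+ bool readerNameExistsInList(const char *readerName,CKYReaderNameList *readerNameList );
 bool readerExists(const char *readerName, unsigned int *hint = 0);
 public:
 SlotList(Log *log);
@@ -592,6 +650,10 @@
 void seedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 CK_ULONG ulDataLen);
 
+ void derive(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+
 
 };
 #endif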
124 @@ -336,7 +353,12 @@ |
|
125 long privateFree; |
|
126 bool fullTokenName; |
|
127 bool mCoolkey; |
|
128 - |
|
129 + bool mOldCAC; |
|
130 + bool mCACLocalLogin; |
|
131 + int pivContainer; |
|
132 + int pivKey; |
|
133 + int maxCacCerts; |
|
134 + SlotAlgs algs; |
|
135 //enum { RW_SESSION_HANDLE = 1, RO_SESSION_HANDLE = 2 }; |
|
136 |
|
137 #ifdef USE_SHMEM |
|
138 @@ -383,6 +405,7 @@ |
|
139 const CKYBuffer *getATR(); |
|
140 bool isLoggedIn(); |
|
141 bool needLoggedIn(); |
|
142 + bool getPIVLoginType(); |
|
143 void testNonce(); |
|
144 |
|
145 void addKeyObject(list<PKCS11Object>& objectList, |
|
146 @@ -392,6 +415,7 @@ |
|
147 const CKYBuffer *derCert, CK_OBJECT_HANDLE handle); |
|
148 void addObject(list<PKCS11Object>& objectList, |
|
149 const ListObjectInfo& info, CK_OBJECT_HANDLE handle); |
|
150 + PKCS11Object *createSecretKeyObject(CK_OBJECT_HANDLE handle, CKYBuffer *secretKeyBuffer,CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount); |
|
151 |
|
152 void ensureValidSession(SessionHandleSuffix suffix); |
|
153 |
|
154 @@ -399,8 +423,12 @@ |
|
155 list<ListObjectInfo> fetchCombinedObjects(const CKYBuffer *header); |
|
156 list<ListObjectInfo> fetchSeparateObjects(); |
|
157 |
|
158 + CKYStatus getCACAid(); |
|
159 + CKYStatus readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize); |
|
160 + CKYStatus readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize); |
|
161 + |
|
162 void selectApplet(); |
|
163 - void selectCACApplet(CKYByte instance); |
|
164 + void selectCACApplet(CKYByte instance,bool do_disconnect); |
|
165 void unloadObjects(); |
|
166 void loadCACObjects(); |
|
167 void loadCACCert(CKYByte instance); |
|
168 @@ -422,14 +450,27 @@ |
|
169 |
|
170 void cryptRSA(SessionHandleSuffix suffix, CK_BYTE_PTR pInput, |
|
171 CK_ULONG ulInputLen, CK_BYTE_PTR pOutput, |
|
172 - CK_ULONG_PTR pulOutputLen, const CryptParams& params); |
|
173 + CK_ULONG_PTR pulOutputLen, CryptParams& params); |
|
174 |
|
175 - void performRSAOp(CKYBuffer *out, const CKYBuffer *input, CKYByte keyNum, |
|
176 - CKYByte direction); |
|
177 + void performRSAOp(CKYBuffer *out, const CKYBuffer *input, unsigned int keySize, |
|
178 + CKYByte keyNum, CKYByte direction); |
|
179 + |
|
180 + void signECC(SessionHandleSuffix suffix, CK_BYTE_PTR pInput, |
|
181 + CK_ULONG ulInputLen, CK_BYTE_PTR pOutput, |
|
182 + CK_ULONG_PTR pulOutputLen, CryptParams& params); |
|
183 + |
|
184 + void performECCSignature(CKYBuffer *out, const CKYBuffer *input, |
|
185 + unsigned int keySize, CKYByte keyNum); |
|
186 + void performECCKeyAgreement(CK_MECHANISM_TYPE deriveMech, |
|
187 + CKYBuffer *publicDataBuffer, |
|
188 + CKYBuffer *secretKeyBuffer, CKYByte keyNum, unsigned int keySize); |
|
189 |
|
190 void processComputeCrypt(CKYBuffer *result, const CKYAPDU *apdu); |
|
191 |
|
192 CKYByte objectHandleToKeyNum(CK_OBJECT_HANDLE hKey); |
|
193 + unsigned int calcECCKeySize(CKYByte keyNum); |
|
194 + void initCACShMem(void); |
|
195 + void verifyCACShMem(void); |
|
196 Slot(const Slot &cpy) |
|
197 #ifdef USE_SHMEM |
|
198 : shmem(readerName) |
|
199 @@ -460,6 +501,11 @@ |
|
200 return (char )((objectID >> 16) & 0xff) - '0'; |
|
201 } |
|
202 |
|
203 + // actually get the size of a key in bits from the card |
|
204 + unsigned int getRSAKeySize(CKYByte keyNum); |
|
205 + unsigned int getECCKeySize(CKYByte keyNum); |
|
206 + |
|
207 + PKCS11Object::KeyType getKeyTypeFromHandle(CK_OBJECT_HANDLE hKey); |
|
208 |
|
209 SessionHandleSuffix openSession(Session::Type type); |
|
210 void closeSession(SessionHandleSuffix handleSuffix); |
|
211 @@ -501,6 +547,16 @@ |
|
212 CK_ULONG len); |
|
213 void generateRandom(SessionHandleSuffix suffix, CK_BYTE_PTR data, |
|
214 CK_ULONG len); |
|
215 + |
|
216 + void derive(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism, |
|
217 + CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_PTR pTemplate, |
|
218 + CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey); |
|
219 + |
|
220 + void deriveECC(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism, |
|
221 + CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, |
|
222 + CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, CryptParams& params); |
|
223 + |
|
224 + SlotAlgs getAlgs() { return algs; } |
|
225 }; |
|
226 |
|
227 class SlotList { |
|
228 @@ -527,6 +583,8 @@ |
|
229 * has called 'C_GetSlotList' with a NULL parameter */ |
|
230 void updateReaderList(); |
|
231 |
|
232 + /* see if a reader name exists in a caller provided reader name list. */ |
|
233 + bool readerNameExistsInList(const char *readerName,CKYReaderNameList *readerNameList ); |
|
234 bool readerExists(const char *readerName, unsigned int *hint = 0); |
|
235 public: |
|
236 SlotList(Log *log); |
|
237 @@ -592,6 +650,10 @@ |
|
238 void seedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, |
|
239 CK_ULONG ulDataLen); |
|
240 |
|
241 + void derive(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, |
|
242 + CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_PTR pTemplate, |
|
243 + CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey); |
|
244 + |
|
245 |
|
246 }; |
|
247 #endif |