1 /* app-openpgp.c - The OpenPGP card application.
2 * Copyright (C) 2003, 2004, 2005, 2007, 2008,
3 * 2009, 2013, 2014, 2015 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
23 CHV means Card Holder Verification and is nothing else than a PIN
24 or password. That term seems to have been used originally with GSM
25 cards. Version v2 of the specs changes the term to the clearer
26 term PW for password. We use the terms here interchangeable
27 because we do not want to change existing strings i18n wise.
29 Version 2 of the specs also drops the separate PW2 which was
30 required in v1 due to ISO requirements. It is now possible to have
31 one physical PW but two reference to it so that they can be
32 individually be verified (e.g. to implement a forced verification
33 for one key). Thus you will noticed the use of PW2 with the verify
34 command but not with change_reference_data because the latter
35 operates directly on the physical PW.
37 The Reset Code (RC) as implemented by v2 cards uses the same error
38 counter as the PW2 of v1 cards. By default no RC is set and thus
39 that error counter is set to 0. After setting the RC the error
40 counter will be initialized to 3.
53 #if GNUPG_MAJOR_VERSION == 1
54 /* This is used with GnuPG version < 1.9. The code has been source
55 copied from the current GnuPG >= 1.9 and is maintained over
61 #else /* GNUPG_MAJOR_VERSION != 1 */
63 #endif /* GNUPG_MAJOR_VERSION != 1 */
68 #include "app-common.h"
71 #include "openpgpdefs.h"
74 /* A table describing the DOs of the card. */
78 int get_from; /* Constructed DO with this DO or 0 for direct access. */
82 int get_immediate_in_v11:1; /* Enable a hack to bypass the cache of
83 this data object if it is used in 1.1
84 and later versions of the card. This
85 does not work with composite DO and
86 is currently only useful for the CHV
88 int try_extlen:1; /* Large object; try to use an extended
92 { 0x005E, 0, 0, 1, 0, 0, 0, 0, "Login Data" },
93 { 0x5F50, 0, 0, 0, 0, 0, 0, 0, "URL" },
94 { 0x5F52, 0, 0, 1, 0, 0, 0, 0, "Historical Bytes" },
95 { 0x0065, 1, 0, 1, 0, 0, 0, 0, "Cardholder Related Data"},
96 { 0x005B, 0, 0x65, 0, 0, 0, 0, 0, "Name" },
97 { 0x5F2D, 0, 0x65, 0, 0, 0, 0, 0, "Language preferences" },
98 { 0x5F35, 0, 0x65, 0, 0, 0, 0, 0, "Sex" },
99 { 0x006E, 1, 0, 1, 0, 0, 0, 0, "Application Related Data" },
100 { 0x004F, 0, 0x6E, 1, 0, 0, 0, 0, "AID" },
101 { 0x0073, 1, 0, 1, 0, 0, 0, 0, "Discretionary Data Objects" },
102 { 0x0047, 0, 0x6E, 1, 1, 0, 0, 0, "Card Capabilities" },
103 { 0x00C0, 0, 0x6E, 1, 1, 0, 0, 0, "Extended Card Capabilities" },
104 { 0x00C1, 0, 0x6E, 1, 1, 0, 0, 0, "Algorithm Attributes Signature" },
105 { 0x00C2, 0, 0x6E, 1, 1, 0, 0, 0, "Algorithm Attributes Decryption" },
106 { 0x00C3, 0, 0x6E, 1, 1, 0, 0, 0, "Algorithm Attributes Authentication" },
107 { 0x00C4, 0, 0x6E, 1, 0, 1, 1, 0, "CHV Status Bytes" },
108 { 0x00C5, 0, 0x6E, 1, 0, 0, 0, 0, "Fingerprints" },
109 { 0x00C6, 0, 0x6E, 1, 0, 0, 0, 0, "CA Fingerprints" },
110 { 0x00CD, 0, 0x6E, 1, 0, 0, 0, 0, "Generation time" },
111 { 0x007A, 1, 0, 1, 0, 0, 0, 0, "Security Support Template" },
112 { 0x0093, 0, 0x7A, 1, 1, 0, 0, 0, "Digital Signature Counter" },
113 { 0x0101, 0, 0, 0, 0, 0, 0, 0, "Private DO 1"},
114 { 0x0102, 0, 0, 0, 0, 0, 0, 0, "Private DO 2"},
115 { 0x0103, 0, 0, 0, 0, 0, 0, 0, "Private DO 3"},
116 { 0x0104, 0, 0, 0, 0, 0, 0, 0, "Private DO 4"},
117 { 0x7F21, 1, 0, 1, 0, 0, 0, 1, "Cardholder certificate"},
119 { 0x7F74, 0, 0, 1, 0, 0, 0, 0, "General Feature Management"},
120 { 0x00D5, 0, 0, 1, 0, 0, 0, 0, "AES key data"},
134 /* The format of RSA private keys. */
146 /* One cache item for DOs. */
148 struct cache_s *next;
151 unsigned char data[1];
155 /* Object with application (i.e. OpenPGP card) specific data. */
157 /* A linked list with cached DOs. */
158 struct cache_s *cache;
160 /* Keep track of the public keys. */
163 int read_done; /* True if we have at least tried to read them. */
164 unsigned char *key; /* This is a malloced buffer with a canonical
165 encoded S-expression encoding a public
166 key. Might be NULL if key is not
168 size_t keylen; /* The length of the above S-expression. This
169 is usually only required for cross checks
170 because the length of an S-expression is
171 implicitly available. */
174 unsigned char status_indicator; /* The card status indicator. */
176 unsigned int manufacturer:16; /* Manufacturer ID from the s/n. */
178 /* Keep track of the ISO card capabilities. */
181 unsigned int cmd_chaining:1; /* Command chaining is supported. */
182 unsigned int ext_lc_le:1; /* Extended Lc and Le are supported. */
185 /* Keep track of extended card capabilities. */
188 unsigned int is_v2:1; /* This is a v2.0 compatible card. */
189 unsigned int sm_supported:1; /* Secure Messaging is supported. */
190 unsigned int get_challenge:1;
191 unsigned int key_import:1;
192 unsigned int change_force_chv:1;
193 unsigned int private_dos:1;
194 unsigned int algo_attr_change:1; /* Algorithm attributes changeable. */
195 unsigned int has_decrypt:1; /* Support symmetric decryption. */
196 unsigned int has_button:1;
197 unsigned int sm_algo:2; /* Symmetric crypto algo for SM. */
198 unsigned int max_certlen_3:16;
199 unsigned int max_get_challenge:16; /* Maximum size for get_challenge. */
202 /* Flags used to control the application. */
205 unsigned int no_sync:1; /* Do not sync CHV1 and CHV2 */
206 unsigned int def_chv2:1; /* Use 123456 for CHV2. */
209 /* Pinpad request specified on card. */
212 unsigned int specified:1;
222 unsigned int n_bits; /* Size of the modulus in bits. The rest
223 of this strucuire is only valid if
225 unsigned int e_bits; /* Size of the public exponent in bits. */
226 rsa_key_format_t format;
236 #define ECC_FLAG_DJB_TWEAK (1 << 0)
237 #define ECC_FLAG_PUBKEY (1 << 1)
240 /***** Local prototypes *****/
241 static unsigned long convert_sig_counter_value (const unsigned char *value,
243 static unsigned long get_sig_counter (app_t app);
244 static gpg_error_t do_auth (app_t app, const char *keyidstr,
245 gpg_error_t (*pincb)(void*, const char *, char **),
247 const void *indata, size_t indatalen,
248 unsigned char **outdata, size_t *outdatalen);
249 static void parse_algorithm_attribute (app_t app, int keyno);
250 static gpg_error_t change_keyattr_from_string
252 gpg_error_t (*pincb)(void*, const char *, char **),
254 const void *value, size_t valuelen);
262 do_deinit (app_t app)
264 if (app && app->app_local)
266 struct cache_s *c, *c2;
269 for (c = app->app_local->cache; c; c = c2)
275 for (i=0; i < DIM (app->app_local->pk); i++)
277 xfree (app->app_local->pk[i].key);
278 app->app_local->pk[i].read_done = 0;
280 xfree (app->app_local);
281 app->app_local = NULL;
286 /* Wrapper around iso7816_get_data which first tries to get the data
287 from the cache. With GET_IMMEDIATE passed as true, the cache is
288 bypassed. With TRY_EXTLEN extended lengths APDUs are use if
289 supported by the card. */
291 get_cached_data (app_t app, int tag,
292 unsigned char **result, size_t *resultlen,
293 int get_immediate, int try_extlen)
307 for (c=app->app_local->cache; c; c = c->next)
312 p = xtrymalloc (c->length);
314 return gpg_error (gpg_err_code_from_errno (errno));
315 memcpy (p, c->data, c->length);
319 *resultlen = c->length;
325 if (try_extlen && app->app_local->cardcap.ext_lc_le)
326 exmode = app->app_local->extcap.max_certlen_3;
330 err = iso7816_get_data (app->slot, exmode, tag, &p, &len);
336 /* Check whether we should cache this object. */
340 for (i=0; data_objects[i].tag; i++)
341 if (data_objects[i].tag == tag)
343 if (data_objects[i].dont_cache)
348 /* Okay, cache it. */
349 for (c=app->app_local->cache; c; c = c->next)
350 assert (c->tag != tag);
352 c = xtrymalloc (sizeof *c + len);
355 memcpy (c->data, p, len);
358 c->next = app->app_local->cache;
359 app->app_local->cache = c;
365 /* Remove DO at TAG from the cache. */
367 flush_cache_item (app_t app, int tag)
369 struct cache_s *c, *cprev;
375 for (c=app->app_local->cache, cprev=NULL; c ; cprev=c, c = c->next)
379 cprev->next = c->next;
381 app->app_local->cache = c->next;
384 for (c=app->app_local->cache; c ; c = c->next)
386 assert (c->tag != tag); /* Oops: duplicated entry. */
391 /* Try again if we have an outer tag. */
392 for (i=0; data_objects[i].tag; i++)
393 if (data_objects[i].tag == tag && data_objects[i].get_from
394 && data_objects[i].get_from != tag)
395 flush_cache_item (app, data_objects[i].get_from);
398 /* Flush all entries from the cache which might be out of sync after
401 flush_cache_after_error (app_t app)
405 for (i=0; data_objects[i].tag; i++)
406 if (data_objects[i].flush_on_error)
407 flush_cache_item (app, data_objects[i].tag);
411 /* Flush the entire cache. */
413 flush_cache (app_t app)
415 if (app && app->app_local)
417 struct cache_s *c, *c2;
419 for (c = app->app_local->cache; c; c = c2)
424 app->app_local->cache = NULL;
429 /* Get the DO identified by TAG from the card in SLOT and return a
430 buffer with its content in RESULT and NBYTES. The return value is
431 NULL if not found or a pointer which must be used to release the
432 buffer holding value. */
434 get_one_do (app_t app, int tag, unsigned char **result, size_t *nbytes,
438 unsigned char *buffer;
440 unsigned char *value;
451 for (i=0; data_objects[i].tag && data_objects[i].tag != tag; i++)
454 if (app->card_version > 0x0100 && data_objects[i].get_immediate_in_v11)
457 rc = iso7816_get_data (app->slot, exmode, tag, &buffer, &buflen);
470 if (data_objects[i].tag && data_objects[i].get_from)
472 rc = get_cached_data (app, data_objects[i].get_from,
474 (data_objects[i].dont_cache
475 || data_objects[i].get_immediate_in_v11),
476 data_objects[i].try_extlen);
479 const unsigned char *s;
481 s = find_tlv_unchecked (buffer, buflen, tag, &valuelen);
483 value = NULL; /* not found */
484 else if (valuelen > buflen - (s - buffer))
486 log_error ("warning: constructed DO too short\n");
488 xfree (buffer); buffer = NULL;
491 value = buffer + (s - buffer);
495 if (!value) /* Not in a constructed DO, try simple. */
497 rc = get_cached_data (app, tag, &buffer, &buflen,
498 (data_objects[i].dont_cache
499 || data_objects[i].get_immediate_in_v11),
500 data_objects[i].try_extlen);
520 dump_all_do (int slot)
523 unsigned char *buffer;
526 for (i=0; data_objects[i].tag; i++)
528 if (data_objects[i].get_from)
531 /* We don't try extended length APDU because such large DO would
532 be pretty useless in a log file. */
533 rc = iso7816_get_data (slot, 0, data_objects[i].tag, &buffer, &buflen);
534 if (gpg_err_code (rc) == GPG_ERR_NO_OBJ)
537 log_info ("DO '%s' not available: %s\n",
538 data_objects[i].desc, gpg_strerror (rc));
541 if (data_objects[i].binary)
543 log_info ("DO '%s': ", data_objects[i].desc);
544 log_printhex ("", buffer, buflen);
547 log_info ("DO '%s': '%.*s'\n",
548 data_objects[i].desc,
549 (int)buflen, buffer); /* FIXME: sanitize */
551 if (data_objects[i].constructed)
553 for (j=0; data_objects[j].tag; j++)
555 const unsigned char *value;
558 if (j==i || data_objects[i].tag != data_objects[j].get_from)
560 value = find_tlv_unchecked (buffer, buflen,
561 data_objects[j].tag, &valuelen);
564 else if (valuelen > buflen - (value - buffer))
565 log_error ("warning: constructed DO too short\n");
568 if (data_objects[j].binary)
570 log_info ("DO '%s': ", data_objects[j].desc);
572 log_info ("[%u]\n", (unsigned int)valuelen);
574 log_printhex ("", value, valuelen);
577 log_info ("DO '%s': '%.*s'\n",
578 data_objects[j].desc,
579 (int)valuelen, value); /* FIXME: sanitize */
584 xfree (buffer); buffer = NULL;
589 /* Count the number of bits, assuming the A represents an unsigned big
590 integer of length LEN bytes. */
592 count_bits (const unsigned char *a, size_t len)
594 unsigned int n = len * 8;
597 for (; len && !*a; len--, a++, n -=8)
601 for (i=7; i && !(*a & (1<<i)); i--)
607 /* GnuPG makes special use of the login-data DO, this function parses
608 the login data to store the flags for later use. It may be called
609 at any time and should be called after changing the login-data DO.
611 Everything up to a LF is considered a mailbox or account name. If
612 the first LF is followed by DC4 (0x14) control sequence are
613 expected up to the next LF. Control sequences are separated by FS
614 (0x18) and consist of key=value pairs. There are two keys defined:
618 Where FLAGS is a plain hexadecimal number representing flag values.
619 The lsb is here the rightmost bit. Defined flags bits are:
621 Bit 0 = CHV1 and CHV2 are not syncronized
622 Bit 1 = CHV2 has been been set to the default PIN of "123456"
623 (this implies that bit 0 is also set).
627 Where PINPAD_REQUEST is in the format of: <n> or <n>,<m>.
628 N for user PIN, M for admin PIN. If M is missing it means M=N.
629 0 means to force not to use pinpad.
633 parse_login_data (app_t app)
635 unsigned char *buffer, *p;
640 app->app_local->flags.no_sync = 0;
641 app->app_local->flags.def_chv2 = 0;
642 app->app_local->pinpad.specified = 0;
643 app->app_local->pinpad.fixedlen_user = -1;
644 app->app_local->pinpad.fixedlen_admin = -1;
647 relptr = get_one_do (app, 0x005E, &buffer, &buflen, NULL);
650 for (; buflen; buflen--, buffer++)
653 if (buflen < 2 || buffer[1] != '\x14')
656 return; /* No control sequences. */
665 if (buflen > 1 && *buffer == 'F' && buffer[1] == '=')
667 /* Flags control sequence found. */
670 /* For now we are only interested in the last digit, so skip
671 any leading digits but bail out on invalid characters. */
672 for (p=buffer+2, len = buflen-2; len && hexdigitp (p); p++, len--)
673 lastdig = xtoi_1 (p);
676 if (len && !(*p == '\n' || *p == '\x18'))
677 goto next; /* Invalid characters in field. */
678 app->app_local->flags.no_sync = !!(lastdig & 1);
679 app->app_local->flags.def_chv2 = (lastdig & 3) == 3;
681 else if (buflen > 1 && *buffer == 'P' && buffer[1] == '=')
683 /* Pinpad request control sequence found. */
694 n = strtol (buffer, &q, 10);
695 if (q >= (char *)buffer + buflen
696 || *q == '\x18' || *q == '\n')
700 if (*q++ != ',' || !digitp (q))
702 m = strtol (q, &q, 10);
705 if (buflen < ((unsigned char *)q - buffer))
708 buflen -= ((unsigned char *)q - buffer);
711 if (buflen && !(*buffer == '\n' || *buffer == '\x18'))
713 app->app_local->pinpad.specified = 1;
714 app->app_local->pinpad.fixedlen_user = n;
715 app->app_local->pinpad.fixedlen_admin = m;
720 /* Skip to FS (0x18) or LF (\n). */
721 for (; buflen && *buffer != '\x18' && *buffer != '\n'; buflen--)
724 while (buflen && *buffer != '\n');
730 #define MAX_ARGS_STORE_FPR 3
732 /* Note, that FPR must be at least 20 bytes. */
734 store_fpr (app_t app, int keynumber, u32 timestamp, unsigned char *fpr,
737 unsigned int n, nbits;
738 unsigned char *buffer, *p;
741 const unsigned char *m[MAX_ARGS_STORE_FPR];
742 size_t mlen[MAX_ARGS_STORE_FPR];
747 n = 6; /* key packet version, 4-byte timestamps, and algorithm */
748 if (algo == PUBKEY_ALGO_ECDH)
754 for (i = 0; i < argc; i++)
756 m[i] = va_arg (ap, const unsigned char *);
757 mlen[i] = va_arg (ap, size_t);
758 if (algo == PUBKEY_ALGO_RSA || i == 1)
764 p = buffer = xtrymalloc (3 + n);
766 return gpg_error_from_syserror ();
768 *p++ = 0x99; /* ctb */
769 *p++ = n >> 8; /* 2 byte length header */
771 *p++ = 4; /* key packet version */
772 *p++ = timestamp >> 24;
773 *p++ = timestamp >> 16;
774 *p++ = timestamp >> 8;
778 for (i = 0; i < argc; i++)
780 if (algo == PUBKEY_ALGO_RSA || i == 1)
782 nbits = count_bits (m[i], mlen[i]);
786 memcpy (p, m[i], mlen[i]);
790 gcry_md_hash_buffer (GCRY_MD_SHA1, fpr, buffer, n+3);
794 tag = (app->card_version > 0x0007? 0xC7 : 0xC6) + keynumber;
795 flush_cache_item (app, 0xC5);
796 tag2 = 0xCE + keynumber;
797 flush_cache_item (app, 0xCD);
799 rc = iso7816_put_data (app->slot, 0, tag, fpr, 20);
801 log_error (_("failed to store the fingerprint: %s\n"),gpg_strerror (rc));
803 if (!rc && app->card_version > 0x0100)
805 unsigned char buf[4];
807 buf[0] = timestamp >> 24;
808 buf[1] = timestamp >> 16;
809 buf[2] = timestamp >> 8;
812 rc = iso7816_put_data (app->slot, 0, tag2, buf, 4);
814 log_error (_("failed to store the creation date: %s\n"),
823 send_fpr_if_not_null (ctrl_t ctrl, const char *keyword,
824 int number, const unsigned char *fpr)
830 for (i=0; i < 20 && !fpr[i]; i++)
833 return; /* All zero. */
834 bin2hex (fpr, 20, buf);
836 *numbuf = 0; /* Don't print the key number */
838 sprintf (numbuf, "%d", number);
839 send_status_info (ctrl, keyword,
840 numbuf, (size_t)strlen(numbuf),
841 buf, (size_t)strlen (buf), NULL, 0);
845 send_fprtime_if_not_null (ctrl_t ctrl, const char *keyword,
846 int number, const unsigned char *stamp)
848 char numbuf1[50], numbuf2[50];
851 value = buf32_to_ulong (stamp);
854 sprintf (numbuf1, "%d", number);
855 sprintf (numbuf2, "%lu", value);
856 send_status_info (ctrl, keyword,
857 numbuf1, (size_t)strlen(numbuf1),
858 numbuf2, (size_t)strlen(numbuf2), NULL, 0);
862 send_key_data (ctrl_t ctrl, const char *name,
863 const unsigned char *a, size_t alen)
868 buffer = buf = bin2hex (a, alen, NULL);
871 log_error ("memory allocation error in send_key_data\n");
874 buflen = strlen (buffer);
876 /* 768 is the hexified size for the modulus of an 3072 bit key. We
877 use extra chunks to transmit larger data (i.e for 4096 bit). */
878 for ( ;buflen > 768; buflen -= 768, buf += 768)
879 send_status_info (ctrl, "KEY-DATA",
883 send_status_info (ctrl, "KEY-DATA",
884 name, (size_t)strlen(name),
892 send_key_attr (ctrl_t ctrl, app_t app, const char *keyword, int keyno)
896 assert (keyno >=0 && keyno < DIM(app->app_local->keyattr));
898 if (app->app_local->keyattr[keyno].key_type == KEY_TYPE_RSA)
899 snprintf (buffer, sizeof buffer, "%d 1 rsa%u %u %d",
901 app->app_local->keyattr[keyno].rsa.n_bits,
902 app->app_local->keyattr[keyno].rsa.e_bits,
903 app->app_local->keyattr[keyno].rsa.format);
904 else if (app->app_local->keyattr[keyno].key_type == KEY_TYPE_ECC)
906 snprintf (buffer, sizeof buffer, "%d %d %s",
908 keyno==1? PUBKEY_ALGO_ECDH :
909 (app->app_local->keyattr[keyno].ecc.flags & ECC_FLAG_DJB_TWEAK)?
910 PUBKEY_ALGO_EDDSA : PUBKEY_ALGO_ECDSA,
911 app->app_local->keyattr[keyno].ecc.curve);
914 snprintf (buffer, sizeof buffer, "%d 0 0 UNKNOWN", keyno+1);
916 send_status_direct (ctrl, keyword, buffer);
920 #define RSA_SMALL_SIZE_KEY 1952
921 #define RSA_SMALL_SIZE_OP 2048
924 determine_rsa_response (app_t app, int keyno)
928 size = 2 + 3 /* header */
929 + 4 /* tag+len */ + app->app_local->keyattr[keyno].rsa.n_bits/8
930 + 2 /* tag+len */ + app->app_local->keyattr[keyno].rsa.e_bits/8;
936 /* Implement the GETATTR command. This is similar to the LEARN
937 command but returns just one value via the status interface. */
939 do_getattr (app_t app, ctrl_t ctrl, const char *name)
946 { "DISP-NAME", 0x005B },
947 { "LOGIN-DATA", 0x005E },
948 { "DISP-LANG", 0x5F2D },
949 { "DISP-SEX", 0x5F35 },
950 { "PUBKEY-URL", 0x5F50 },
951 { "KEY-FPR", 0x00C5, 3 },
952 { "KEY-TIME", 0x00CD, 4 },
953 { "KEY-ATTR", 0x0000, -5 },
954 { "CA-FPR", 0x00C6, 3 },
955 { "CHV-STATUS", 0x00C4, 1 },
956 { "SIG-COUNTER", 0x0093, 2 },
957 { "SERIALNO", 0x004F, -1 },
959 { "EXTCAP", 0x0000, -2 },
960 { "PRIVATE-DO-1", 0x0101 },
961 { "PRIVATE-DO-2", 0x0102 },
962 { "PRIVATE-DO-3", 0x0103 },
963 { "PRIVATE-DO-4", 0x0104 },
964 { "$AUTHKEYID", 0x0000, -3 },
965 { "$DISPSERIALNO",0x0000, -4 },
970 unsigned char *value;
973 for (idx=0; table[idx].name && strcmp (table[idx].name, name); idx++)
975 if (!table[idx].name)
976 return gpg_error (GPG_ERR_INV_NAME);
978 if (table[idx].special == -1)
980 /* The serial number is very special. We could have used the
981 AID DO to retrieve it. The AID DO is available anyway but
982 not hex formatted. */
983 char *serial = app_get_serialno (app);
987 send_status_direct (ctrl, "SERIALNO", serial);
992 if (table[idx].special == -2)
996 snprintf (tmp, sizeof tmp,
997 "gc=%d ki=%d fc=%d pd=%d mcl3=%u aac=%d "
998 "sm=%d si=%u dec=%d bt=%d",
999 app->app_local->extcap.get_challenge,
1000 app->app_local->extcap.key_import,
1001 app->app_local->extcap.change_force_chv,
1002 app->app_local->extcap.private_dos,
1003 app->app_local->extcap.max_certlen_3,
1004 app->app_local->extcap.algo_attr_change,
1005 (app->app_local->extcap.sm_supported
1006 ? (app->app_local->extcap.sm_algo == 0? CIPHER_ALGO_3DES :
1007 (app->app_local->extcap.sm_algo == 1?
1008 CIPHER_ALGO_AES : CIPHER_ALGO_AES256))
1010 app->app_local->status_indicator,
1011 app->app_local->extcap.has_decrypt,
1012 app->app_local->extcap.has_button);
1013 send_status_info (ctrl, table[idx].name, tmp, strlen (tmp), NULL, 0);
1016 if (table[idx].special == -3)
1018 char const tmp[] = "OPENPGP.3";
1019 send_status_info (ctrl, table[idx].name, tmp, strlen (tmp), NULL, 0);
1022 if (table[idx].special == -4)
1024 char *serial = app_get_serialno (app);
1028 if (strlen (serial) > 16+12)
1030 send_status_info (ctrl, table[idx].name, serial+16, 12, NULL, 0);
1036 return gpg_error (GPG_ERR_INV_NAME);
1038 if (table[idx].special == -5)
1040 for (i=0; i < 3; i++)
1041 send_key_attr (ctrl, app, table[idx].name, i);
1045 relptr = get_one_do (app, table[idx].tag, &value, &valuelen, &rc);
1048 if (table[idx].special == 1)
1052 for (i=0,*numbuf=0; i < valuelen && i < 7; i++)
1053 sprintf (numbuf+strlen (numbuf), " %d", value[i]);
1054 send_status_info (ctrl, table[idx].name,
1055 numbuf, strlen (numbuf), NULL, 0);
1057 else if (table[idx].special == 2)
1061 sprintf (numbuf, "%lu", convert_sig_counter_value (value, valuelen));
1062 send_status_info (ctrl, table[idx].name,
1063 numbuf, strlen (numbuf), NULL, 0);
1065 else if (table[idx].special == 3)
1068 for (i=0; i < 3; i++)
1069 send_fpr_if_not_null (ctrl, table[idx].name, i+1, value+i*20);
1071 else if (table[idx].special == 4)
1074 for (i=0; i < 3; i++)
1075 send_fprtime_if_not_null (ctrl, table[idx].name, i+1, value+i*4);
1078 send_status_info (ctrl, table[idx].name, value, valuelen, NULL, 0);
1085 /* Retrieve the fingerprint from the card inserted in SLOT and write
1086 the according hex representation to FPR. Caller must have provide
1087 a buffer at FPR of least 41 bytes. Returns 0 on success or an
1089 #if GNUPG_MAJOR_VERSION > 1
1091 retrieve_fpr_from_card (app_t app, int keyno, char *fpr)
1093 gpg_error_t err = 0;
1095 unsigned char *value;
1098 assert (keyno >=0 && keyno <= 2);
1100 relptr = get_one_do (app, 0x00C5, &value, &valuelen, NULL);
1101 if (relptr && valuelen >= 60)
1102 bin2hex (value+keyno*20, 20, fpr);
1104 err = gpg_error (GPG_ERR_NOT_FOUND);
1108 #endif /*GNUPG_MAJOR_VERSION > 1*/
1111 /* Retrieve the public key material for the RSA key, whose fingerprint
1112 is FPR, from gpg output, which can be read through the stream FP.
1113 The RSA modulus will be stored at the address of M and MLEN, the
1114 public exponent at E and ELEN. Returns zero on success, an error
1115 code on failure. Caller must release the allocated buffers at M
1116 and E if the function returns success. */
1117 #if GNUPG_MAJOR_VERSION > 1
1119 retrieve_key_material (FILE *fp, const char *hexkeyid,
1120 const unsigned char **m, size_t *mlen,
1121 const unsigned char **e, size_t *elen)
1123 gcry_error_t err = 0;
1124 char *line = NULL; /* read_line() buffer. */
1125 size_t line_size = 0; /* Helper for for read_line. */
1126 int found_key = 0; /* Helper to find a matching key. */
1127 unsigned char *m_new = NULL;
1128 unsigned char *e_new = NULL;
1132 /* Loop over all records until we have found the subkey
1133 corresponding to the fingerprint. Inm general the first record
1134 should be the pub record, but we don't rely on that. Given that
1135 we only need to look at one key, it is sufficient to compare the
1136 keyid so that we don't need to look at "fpr" records. */
1140 char *fields[6] = { NULL, NULL, NULL, NULL, NULL, NULL };
1147 i = read_line (fp, &line, &line_size, &max_length);
1152 err = gpg_error_from_syserror ();
1153 goto leave; /* Error. */
1157 err = gpg_error (GPG_ERR_TRUNCATED);
1158 goto leave; /* Line truncated - we better stop processing. */
1161 /* Parse the line into fields. */
1162 for (nfields=0, p=line; p && nfields < DIM (fields); nfields++)
1164 fields[nfields] = p;
1165 p = strchr (p, ':');
1170 continue; /* No fields at all - skip line. */
1174 if ( (!strcmp (fields[0], "sub") || !strcmp (fields[0], "pub") )
1175 && nfields > 4 && !strcmp (fields[4], hexkeyid))
1180 if ( !strcmp (fields[0], "sub") || !strcmp (fields[0], "pub") )
1181 break; /* Next key - stop. */
1183 if ( strcmp (fields[0], "pkd") )
1184 continue; /* Not a key data record. */
1185 i = 0; /* Avoid erroneous compiler warning. */
1186 if ( nfields < 4 || (i = atoi (fields[1])) < 0 || i > 1
1187 || (!i && m_new) || (i && e_new))
1189 err = gpg_error (GPG_ERR_GENERAL);
1190 goto leave; /* Error: Invalid key data record or not an RSA key. */
1193 err = gcry_mpi_scan (&mpi, GCRYMPI_FMT_HEX, fields[3], 0, NULL);
1197 err = gcry_mpi_aprint (GCRYMPI_FMT_STD, &m_new, &m_new_n, mpi);
1199 err = gcry_mpi_aprint (GCRYMPI_FMT_STD, &e_new, &e_new_n, mpi);
1200 gcry_mpi_release (mpi);
1215 err = gpg_error (GPG_ERR_GENERAL);
1223 #endif /*GNUPG_MAJOR_VERSION > 1*/
1227 rsa_read_pubkey (app_t app, ctrl_t ctrl, u32 created_at, int keyno,
1228 const unsigned char *data, size_t datalen, gcry_sexp_t *r_sexp)
1231 const unsigned char *m, *e;
1233 unsigned char *mbuf = NULL, *ebuf = NULL;
1235 m = find_tlv (data, datalen, 0x0081, &mlen);
1238 log_error (_("response does not contain the RSA modulus\n"));
1239 return gpg_error (GPG_ERR_CARD);
1242 e = find_tlv (data, datalen, 0x0082, &elen);
1245 log_error (_("response does not contain the RSA public exponent\n"));
1246 return gpg_error (GPG_ERR_CARD);
1251 send_key_data (ctrl, "n", m, mlen);
1252 send_key_data (ctrl, "e", e, elen);
1255 for (; mlen && !*m; mlen--, m++) /* strip leading zeroes */
1257 for (; elen && !*e; elen--, e++) /* strip leading zeroes */
1262 unsigned char fprbuf[20];
1264 err = store_fpr (app, keyno, created_at, fprbuf, PUBKEY_ALGO_RSA,
1269 send_fpr_if_not_null (ctrl, "KEY-FPR", -1, fprbuf);
1272 mbuf = xtrymalloc (mlen + 1);
1275 err = gpg_error_from_syserror ();
1278 /* Prepend numbers with a 0 if needed. */
1279 if (mlen && (*m & 0x80))
1282 memcpy (mbuf+1, m, mlen);
1286 memcpy (mbuf, m, mlen);
1288 ebuf = xtrymalloc (elen + 1);
1291 err = gpg_error_from_syserror ();
1294 /* Prepend numbers with a 0 if needed. */
1295 if (elen && (*e & 0x80))
1298 memcpy (ebuf+1, e, elen);
1302 memcpy (ebuf, e, elen);
1304 err = gcry_sexp_build (r_sexp, NULL, "(public-key(rsa(n%b)(e%b)))",
1305 (int)mlen, mbuf, (int)elen, ebuf);
1313 /* Determine KDF hash algorithm and KEK encryption algorithm by CURVE. */
1314 static const unsigned char*
1315 ecdh_params (const char *curve)
1319 openpgp_curve_to_oid (curve, &nbits);
1321 /* See RFC-6637 for those constants.
1322 0x03: Number of bytes
1323 0x01: Version for this parameter format
1328 return (const unsigned char*)"\x03\x01\x08\x07";
1329 else if (nbits <= 384)
1330 return (const unsigned char*)"\x03\x01\x09\x08";
1332 return (const unsigned char*)"\x03\x01\x0a\x09";
1336 ecc_read_pubkey (app_t app, ctrl_t ctrl, u32 created_at, int keyno,
1337 const unsigned char *data, size_t datalen, gcry_sexp_t *r_sexp)
1340 unsigned char *qbuf = NULL;
1341 const unsigned char *ecc_q;
1343 gcry_mpi_t oid = NULL;
1347 const unsigned char *oidbuf;
1352 ecc_q = find_tlv (data, datalen, 0x0086, &ecc_q_len);
1355 log_error (_("response does not contain the EC public key\n"));
1356 return gpg_error (GPG_ERR_CARD);
1359 curve = app->app_local->keyattr[keyno].ecc.curve;
1360 oidstr = openpgp_curve_to_oid (curve, NULL);
1361 err = openpgp_oid_from_str (oidstr, &oid);
1364 oidbuf = gcry_mpi_get_opaque (oid, &n);
1367 err = gpg_error_from_syserror ();
1372 qbuf = xtrymalloc (ecc_q_len + 1);
1375 err = gpg_error_from_syserror ();
1379 if ((app->app_local->keyattr[keyno].ecc.flags & ECC_FLAG_DJB_TWEAK))
1380 { /* Prepend 0x40 prefix. */
1382 memcpy (qbuf+1, ecc_q, ecc_q_len);
1386 memcpy (qbuf, ecc_q, ecc_q_len);
1390 send_key_data (ctrl, "q", qbuf, ecc_q_len);
1391 send_key_data (ctrl, "curve", oidbuf, oid_len);
1397 send_key_data (ctrl, "kdf/kek", ecdh_params (curve), (size_t)4);
1398 algo = PUBKEY_ALGO_ECDH;
1402 if ((app->app_local->keyattr[keyno].ecc.flags & ECC_FLAG_DJB_TWEAK))
1403 algo = PUBKEY_ALGO_EDDSA;
1405 algo = PUBKEY_ALGO_ECDSA;
1410 unsigned char fprbuf[20];
1412 err = store_fpr (app, keyno, created_at, fprbuf, algo, oidbuf, oid_len,
1413 qbuf, ecc_q_len, ecdh_params (curve), (size_t)4);
1417 send_fpr_if_not_null (ctrl, "KEY-FPR", -1, fprbuf);
1420 if (!(app->app_local->keyattr[keyno].ecc.flags & ECC_FLAG_DJB_TWEAK))
1421 format = "(public-key(ecc(curve%s)(q%b)))";
1422 else if (keyno == 1)
1423 format = "(public-key(ecc(curve%s)(flags djb-tweak)(q%b)))";
1425 format = "(public-key(ecc(curve%s)(flags eddsa)(q%b)))";
1427 err = gcry_sexp_build (r_sexp, NULL, format,
1428 app->app_local->keyattr[keyno].ecc.curve,
1429 (int)ecc_q_len, qbuf);
1431 gcry_mpi_release (oid);
1437 /* Parse tag-length-value data for public key in BUFFER of BUFLEN
1438 length. Key of KEYNO in APP is updated with an S-expression of
1439 public key. When CTRL is not NULL, fingerprint is computed with
1440 CREATED_AT, and fingerprint is written to the card, and key data
1441 and fingerprint are send back to the client side.
1444 read_public_key (app_t app, ctrl_t ctrl, u32 created_at, int keyno,
1445 const unsigned char *buffer, size_t buflen)
1448 const unsigned char *data;
1450 gcry_sexp_t s_pkey = NULL;
1452 data = find_tlv (buffer, buflen, 0x7F49, &datalen);
1455 log_error (_("response does not contain the public key data\n"));
1456 return gpg_error (GPG_ERR_CARD);
1459 if (app->app_local->keyattr[keyno].key_type == KEY_TYPE_RSA)
1460 err = rsa_read_pubkey (app, ctrl, created_at, keyno,
1461 data, datalen, &s_pkey);
1462 else if (app->app_local->keyattr[keyno].key_type == KEY_TYPE_ECC)
1463 err = ecc_read_pubkey (app, ctrl, created_at, keyno,
1464 data, datalen, &s_pkey);
1466 err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
1470 unsigned char *keybuf;
1473 len = gcry_sexp_sprint (s_pkey, GCRYSEXP_FMT_CANON, NULL, 0);
1474 keybuf = xtrymalloc (len);
1477 err = gpg_error_from_syserror ();
1478 gcry_sexp_release (s_pkey);
1482 gcry_sexp_sprint (s_pkey, GCRYSEXP_FMT_CANON, keybuf, len);
1483 gcry_sexp_release (s_pkey);
1485 app->app_local->pk[keyno].key = keybuf;
1486 /* Decrement for trailing '\0' */
1487 app->app_local->pk[keyno].keylen = len - 1;
1494 /* Get the public key for KEYNO and store it as an S-expresion with
1495 the APP handle. On error that field gets cleared. If we already
1496 know about the public key we will just return. Note that this does
1497 not mean a key is available; this is solely indicated by the
1498 presence of the app->app_local->pk[KEYNO].key field.
1500 Note that GnuPG 1.x does not need this and it would be too time
1501 consuming to send it just for the fun of it. However, given that we
1502 use the same code in gpg 1.4, we can't use the gcry S-expresion
1503 here but need to open encode it. */
1504 #if GNUPG_MAJOR_VERSION > 1
1506 get_public_key (app_t app, int keyno)
1508 gpg_error_t err = 0;
1509 unsigned char *buffer;
1510 const unsigned char *m, *e;
1514 char *keybuf = NULL;
1518 if (keyno < 0 || keyno > 2)
1519 return gpg_error (GPG_ERR_INV_ID);
1521 /* Already cached? */
1522 if (app->app_local->pk[keyno].read_done)
1525 xfree (app->app_local->pk[keyno].key);
1526 app->app_local->pk[keyno].key = NULL;
1527 app->app_local->pk[keyno].keylen = 0;
1529 m = e = NULL; /* (avoid cc warning) */
1531 if (app->card_version > 0x0100)
1533 int exmode, le_value;
1535 /* We may simply read the public key out of these cards. */
1536 if (app->app_local->cardcap.ext_lc_le
1537 && app->app_local->keyattr[keyno].key_type == KEY_TYPE_RSA
1538 && app->app_local->keyattr[keyno].rsa.n_bits > RSA_SMALL_SIZE_KEY)
1540 exmode = 1; /* Use extended length. */
1541 le_value = determine_rsa_response (app, keyno);
1546 le_value = 256; /* Use legacy value. */
1549 err = iso7816_read_public_key (app->slot, exmode,
1550 (keyno == 0? "\xB6" :
1551 keyno == 1? "\xB8" : "\xA4"),
1552 2, le_value, &buffer, &buflen);
1555 log_error (_("reading public key failed: %s\n"), gpg_strerror (err));
1559 err = read_public_key (app, NULL, 0U, keyno, buffer, buflen);
1563 /* Due to a design problem in v1.0 cards we can't get the public
1564 key out of these cards without doing a verify on CHV3.
1565 Clearly that is not an option and thus we try to locate the
1566 key using an external helper.
1568 The helper we use here is gpg itself, which should know about
1569 the key in any case. */
1573 char *command = NULL;
1577 buffer = NULL; /* We don't need buffer. */
1579 err = retrieve_fpr_from_card (app, keyno, fpr);
1582 log_error ("error while retrieving fpr from card: %s\n",
1583 gpg_strerror (err));
1586 hexkeyid = fpr + 24;
1588 ret = gpgrt_asprintf
1589 (&command, "gpg --list-keys --with-colons --with-key-data '%s'", fpr);
1592 err = gpg_error_from_syserror ();
1596 fp = popen (command, "r");
1600 err = gpg_error_from_syserror ();
1601 log_error ("running gpg failed: %s\n", gpg_strerror (err));
1605 err = retrieve_key_material (fp, hexkeyid, &m, &mlen, &e, &elen);
1609 log_error ("error while retrieving key material through pipe: %s\n",
1610 gpg_strerror (err));
1614 err = gcry_sexp_build (&s_pkey, NULL, "(public-key(rsa(n%b)(e%b)))",
1615 (int)mlen, m, (int)elen, e);
1619 len = gcry_sexp_sprint (s_pkey, GCRYSEXP_FMT_CANON, NULL, 0);
1621 keybuf = xtrymalloc (len);
1624 err = gpg_error_from_syserror ();
1625 gcry_sexp_release (s_pkey);
1629 gcry_sexp_sprint (s_pkey, GCRYSEXP_FMT_CANON, keybuf, len);
1630 gcry_sexp_release (s_pkey);
1632 app->app_local->pk[keyno].key = (unsigned char*)keybuf;
1633 /* Decrement for trailing '\0' */
1634 app->app_local->pk[keyno].keylen = len - 1;
1638 /* Set a flag to indicate that we tried to read the key. */
1639 app->app_local->pk[keyno].read_done = 1;
1644 #endif /* GNUPG_MAJOR_VERSION > 1 */
1648 /* Send the KEYPAIRINFO back. KEY needs to be in the range [1,3].
1649 This is used by the LEARN command. */
1651 send_keypair_info (app_t app, ctrl_t ctrl, int key)
1653 int keyno = key - 1;
1654 gpg_error_t err = 0;
1655 /* Note that GnuPG 1.x does not need this and it would be too time
1656 consuming to send it just for the fun of it. */
1657 #if GNUPG_MAJOR_VERSION > 1
1658 unsigned char grip[20];
1662 err = get_public_key (app, keyno);
1666 assert (keyno >= 0 && keyno <= 2);
1667 if (!app->app_local->pk[keyno].key)
1668 goto leave; /* No such key - ignore. */
1670 err = keygrip_from_canon_sexp (app->app_local->pk[keyno].key,
1671 app->app_local->pk[keyno].keylen,
1676 bin2hex (grip, 20, gripstr);
1678 sprintf (idbuf, "OPENPGP.%d", keyno+1);
1679 send_status_info (ctrl, "KEYPAIRINFO",
1681 idbuf, strlen (idbuf),
1685 #endif /* GNUPG_MAJOR_VERSION > 1 */
1691 /* Handle the LEARN command for OpenPGP. */
1693 do_learn_status (app_t app, ctrl_t ctrl, unsigned int flags)
1697 do_getattr (app, ctrl, "EXTCAP");
1698 do_getattr (app, ctrl, "DISP-NAME");
1699 do_getattr (app, ctrl, "DISP-LANG");
1700 do_getattr (app, ctrl, "DISP-SEX");
1701 do_getattr (app, ctrl, "PUBKEY-URL");
1702 do_getattr (app, ctrl, "LOGIN-DATA");
1703 do_getattr (app, ctrl, "KEY-FPR");
1704 if (app->card_version > 0x0100)
1705 do_getattr (app, ctrl, "KEY-TIME");
1706 do_getattr (app, ctrl, "CA-FPR");
1707 do_getattr (app, ctrl, "CHV-STATUS");
1708 do_getattr (app, ctrl, "SIG-COUNTER");
1709 if (app->app_local->extcap.private_dos)
1711 do_getattr (app, ctrl, "PRIVATE-DO-1");
1712 do_getattr (app, ctrl, "PRIVATE-DO-2");
1714 do_getattr (app, ctrl, "PRIVATE-DO-3");
1716 do_getattr (app, ctrl, "PRIVATE-DO-4");
1718 send_keypair_info (app, ctrl, 1);
1719 send_keypair_info (app, ctrl, 2);
1720 send_keypair_info (app, ctrl, 3);
1721 /* Note: We do not send the Cardholder Certificate, because that is
1722 relatively long and for OpenPGP applications not really needed. */
1727 /* Handle the READKEY command for OpenPGP. On success a canonical
1728 encoded S-expression with the public key will get stored at PK and
1729 its length (for assertions) at PKLEN; the caller must release that
1730 buffer. On error PK and PKLEN are not changed and an error code is
1733 do_readkey (app_t app, int advanced, const char *keyid,
1734 unsigned char **pk, size_t *pklen)
1736 #if GNUPG_MAJOR_VERSION > 1
1741 if (!strcmp (keyid, "OPENPGP.1"))
1743 else if (!strcmp (keyid, "OPENPGP.2"))
1745 else if (!strcmp (keyid, "OPENPGP.3"))
1748 return gpg_error (GPG_ERR_INV_ID);
1750 err = get_public_key (app, keyno);
1754 buf = app->app_local->pk[keyno].key;
1756 return gpg_error (GPG_ERR_NO_PUBKEY);
1762 err = gcry_sexp_new (&s_key, buf, app->app_local->pk[keyno].keylen, 0);
1766 *pklen = gcry_sexp_sprint (s_key, GCRYSEXP_FMT_ADVANCED, NULL, 0);
1767 *pk = xtrymalloc (*pklen);
1770 err = gpg_error_from_syserror ();
1775 gcry_sexp_sprint (s_key, GCRYSEXP_FMT_ADVANCED, *pk, *pklen);
1776 gcry_sexp_release (s_key);
1777 /* Decrement for trailing '\0' */
1778 *pklen = *pklen - 1;
1782 *pklen = app->app_local->pk[keyno].keylen;
1783 *pk = xtrymalloc (*pklen);
1786 err = gpg_error_from_syserror ();
1790 memcpy (*pk, buf, *pklen);
1795 return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
1799 /* Read the standard certificate of an OpenPGP v2 card. It is
1800 returned in a freshly allocated buffer with that address stored at
1801 CERT and the length of the certificate stored at CERTLEN. CERTID
1802 needs to be set to "OPENPGP.3". */
1804 do_readcert (app_t app, const char *certid,
1805 unsigned char **cert, size_t *certlen)
1807 #if GNUPG_MAJOR_VERSION > 1
1809 unsigned char *buffer;
1815 if (strcmp (certid, "OPENPGP.3"))
1816 return gpg_error (GPG_ERR_INV_ID);
1817 if (!app->app_local->extcap.is_v2)
1818 return gpg_error (GPG_ERR_NOT_FOUND);
1820 relptr = get_one_do (app, 0x7F21, &buffer, &buflen, NULL);
1822 return gpg_error (GPG_ERR_NOT_FOUND);
1825 err = gpg_error (GPG_ERR_NOT_FOUND);
1826 else if (!(*cert = xtrymalloc (buflen)))
1827 err = gpg_error_from_syserror ();
1830 memcpy (*cert, buffer, buflen);
1837 return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
1842 /* Decide if we use the pinpad of the reader for PIN input according
1843 to the user preference on the card, and the capability of the
1844 reader. This routine is only called when the reader has pinpad.
1845 Returns 0 if we use pinpad, 1 otherwise. */
1847 check_pinpad_request (app_t app, pininfo_t *pininfo, int admin_pin)
1849 if (app->app_local->pinpad.specified == 0) /* No preference on card. */
1851 if (pininfo->fixedlen == 0) /* Reader has varlen capability. */
1852 return 0; /* Then, use pinpad. */
1855 * Reader has limited capability, and it may not match PIN of
1862 pininfo->fixedlen = app->app_local->pinpad.fixedlen_admin;
1864 pininfo->fixedlen = app->app_local->pinpad.fixedlen_user;
1866 if (pininfo->fixedlen == 0 /* User requests disable pinpad. */
1867 || pininfo->fixedlen < pininfo->minlen
1868 || pininfo->fixedlen > pininfo->maxlen
1869 /* Reader doesn't have the capability to input a PIN which
1870 * length is FIXEDLEN. */)
1877 /* Verify a CHV either using using the pinentry or if possible by
1878 using a pinpad. PINCB and PINCB_ARG describe the usual callback
1879 for the pinentry. CHVNO must be either 1 or 2. SIGCOUNT is only
1880 used with CHV1. PINVALUE is the address of a pointer which will
1881 receive a newly allocated block with the actual PIN (this is useful
1882 in case that PIN shall be used for another verify operation). The
1883 caller needs to free this value. If the function returns with
1884 success and NULL is stored at PINVALUE, the caller should take this
1885 as an indication that the pinpad has been used.
1888 verify_a_chv (app_t app,
1889 gpg_error_t (*pincb)(void*, const char *, char **),
1891 int chvno, unsigned long sigcount, char **pinvalue)
1894 char *prompt_buffer = NULL;
1899 assert (chvno == 1 || chvno == 2);
1903 if (chvno == 2 && app->app_local->flags.def_chv2)
1905 /* Special case for def_chv2 mechanism. */
1907 log_info (_("using default PIN as %s\n"), "CHV2");
1908 rc = iso7816_verify (app->slot, 0x82, "123456", 6);
1911 /* Verification of CHV2 with the default PIN failed,
1912 although the card pretends to have the default PIN set as
1913 CHV2. We better disable the def_chv2 flag now. */
1914 log_info (_("failed to use default PIN as %s: %s"
1915 " - disabling further default use\n"),
1916 "CHV2", gpg_strerror (rc));
1917 app->app_local->flags.def_chv2 = 0;
1922 memset (&pininfo, 0, sizeof pininfo);
1923 pininfo.fixedlen = -1;
1924 pininfo.minlen = minlen;
1929 #define PROMPTSTRING _("||Please enter the PIN%%0A[sigs done: %lu]")
1930 size_t promptsize = strlen (PROMPTSTRING) + 50;
1932 prompt_buffer = xtrymalloc (promptsize);
1934 return gpg_error_from_syserror ();
1935 snprintf (prompt_buffer, promptsize, PROMPTSTRING, sigcount);
1936 prompt = prompt_buffer;
1940 prompt = _("||Please enter the PIN");
1943 if (!opt.disable_pinpad
1944 && !iso7816_check_pinpad (app->slot, ISO7816_VERIFY, &pininfo)
1945 && !check_pinpad_request (app, &pininfo, 0))
1947 /* The reader supports the verify command through the pinpad.
1948 Note that the pincb appends a text to the prompt telling the
1949 user to use the pinpad. */
1950 rc = pincb (pincb_arg, prompt, NULL);
1952 xfree (prompt_buffer);
1953 prompt_buffer = NULL;
1956 log_info (_("PIN callback returned error: %s\n"),
1960 rc = iso7816_verify_kp (app->slot, 0x80+chvno, &pininfo);
1961 /* Dismiss the prompt. */
1962 pincb (pincb_arg, NULL, NULL);
1964 assert (!*pinvalue);
1968 /* The reader has no pinpad or we don't want to use it. */
1969 rc = pincb (pincb_arg, prompt, pinvalue);
1971 xfree (prompt_buffer);
1972 prompt_buffer = NULL;
1975 log_info (_("PIN callback returned error: %s\n"),
1980 if (strlen (*pinvalue) < minlen)
1982 log_error (_("PIN for CHV%d is too short;"
1983 " minimum length is %d\n"), chvno, minlen);
1986 return gpg_error (GPG_ERR_BAD_PIN);
1989 rc = iso7816_verify (app->slot, 0x80+chvno,
1990 *pinvalue, strlen (*pinvalue));
1995 log_error (_("verify CHV%d failed: %s\n"), chvno, gpg_strerror (rc));
1998 flush_cache_after_error (app);
2005 /* Verify CHV2 if required. Depending on the configuration of the
2006 card CHV1 will also be verified. */
2008 verify_chv2 (app_t app,
2009 gpg_error_t (*pincb)(void*, const char *, char **),
2016 return 0; /* We already verified CHV2. */
2018 rc = verify_a_chv (app, pincb, pincb_arg, 2, 0, &pinvalue);
2023 if (!app->did_chv1 && !app->force_chv1 && pinvalue)
2025 /* For convenience we verify CHV1 here too. We do this only if
2026 the card is not configured to require a verification before
2027 each CHV1 controlled operation (force_chv1) and if we are not
2028 using the pinpad (PINVALUE == NULL). */
2029 rc = iso7816_verify (app->slot, 0x81, pinvalue, strlen (pinvalue));
2030 if (gpg_err_code (rc) == GPG_ERR_BAD_PIN)
2031 rc = gpg_error (GPG_ERR_PIN_NOT_SYNCED);
2034 log_error (_("verify CHV%d failed: %s\n"), 1, gpg_strerror (rc));
2035 flush_cache_after_error (app);
2047 /* Build the prompt to enter the Admin PIN. The prompt depends on the
2048 current sdtate of the card. */
2050 build_enter_admin_pin_prompt (app_t app, char **r_prompt)
2053 unsigned char *value;
2060 relptr = get_one_do (app, 0x00C4, &value, &valuelen, NULL);
2061 if (!relptr || valuelen < 7)
2063 log_error (_("error retrieving CHV status from card\n"));
2065 return gpg_error (GPG_ERR_CARD);
2069 log_info (_("card is permanently locked!\n"));
2071 return gpg_error (GPG_ERR_BAD_PIN);
2073 remaining = value[6];
2076 log_info (ngettext("%d Admin PIN attempt remaining before card"
2077 " is permanently locked\n",
2078 "%d Admin PIN attempts remaining before card"
2079 " is permanently locked\n",
2080 remaining), remaining);
2084 /* TRANSLATORS: Do not translate the "|A|" prefix but keep it at
2085 the start of the string. Use %%0A to force a linefeed. */
2086 prompt = xtryasprintf (_("|A|Please enter the Admin PIN%%0A"
2087 "[remaining attempts: %d]"), remaining);
2090 prompt = xtrystrdup (_("|A|Please enter the Admin PIN"));
2093 return gpg_error_from_syserror ();
2100 /* Verify CHV3 if required. */
2102 verify_chv3 (app_t app,
2103 gpg_error_t (*pincb)(void*, const char *, char **),
2108 #if GNUPG_MAJOR_VERSION != 1
2109 if (!opt.allow_admin)
2111 log_info (_("access to admin commands is not configured\n"));
2112 return gpg_error (GPG_ERR_EACCES);
2122 memset (&pininfo, 0, sizeof pininfo);
2123 pininfo.fixedlen = -1;
2124 pininfo.minlen = minlen;
2126 rc = build_enter_admin_pin_prompt (app, &prompt);
2130 if (!opt.disable_pinpad
2131 && !iso7816_check_pinpad (app->slot, ISO7816_VERIFY, &pininfo)
2132 && !check_pinpad_request (app, &pininfo, 1))
2134 /* The reader supports the verify command through the pinpad. */
2135 rc = pincb (pincb_arg, prompt, NULL);
2140 log_info (_("PIN callback returned error: %s\n"),
2144 rc = iso7816_verify_kp (app->slot, 0x83, &pininfo);
2145 /* Dismiss the prompt. */
2146 pincb (pincb_arg, NULL, NULL);
2152 rc = pincb (pincb_arg, prompt, &pinvalue);
2157 log_info (_("PIN callback returned error: %s\n"),
2162 if (strlen (pinvalue) < minlen)
2164 log_error (_("PIN for CHV%d is too short;"
2165 " minimum length is %d\n"), 3, minlen);
2167 return gpg_error (GPG_ERR_BAD_PIN);
2170 rc = iso7816_verify (app->slot, 0x83, pinvalue, strlen (pinvalue));
2176 log_error (_("verify CHV%d failed: %s\n"), 3, gpg_strerror (rc));
2177 flush_cache_after_error (app);
2186 /* Handle the SETATTR operation. All arguments are already basically
2189 do_setattr (app_t app, const char *name,
2190 gpg_error_t (*pincb)(void*, const char *, char **),
2192 const unsigned char *value, size_t valuelen)
2201 unsigned int need_v2:1;
2203 { "DISP-NAME", 0x005B, 3 },
2204 { "LOGIN-DATA", 0x005E, 3, 2 },
2205 { "DISP-LANG", 0x5F2D, 3 },
2206 { "DISP-SEX", 0x5F35, 3 },
2207 { "PUBKEY-URL", 0x5F50, 3 },
2208 { "CHV-STATUS-1", 0x00C4, 3, 1 },
2209 { "CA-FPR-1", 0x00CA, 3 },
2210 { "CA-FPR-2", 0x00CB, 3 },
2211 { "CA-FPR-3", 0x00CC, 3 },
2212 { "PRIVATE-DO-1", 0x0101, 2 },
2213 { "PRIVATE-DO-2", 0x0102, 3 },
2214 { "PRIVATE-DO-3", 0x0103, 2 },
2215 { "PRIVATE-DO-4", 0x0104, 3 },
2216 { "CERT-3", 0x7F21, 3, 0, 1 },
2217 { "SM-KEY-ENC", 0x00D1, 3, 0, 1 },
2218 { "SM-KEY-MAC", 0x00D2, 3, 0, 1 },
2219 { "KEY-ATTR", 0, 0, 3, 1 },
2220 { "AESKEY", 0x00D5, 3, 0, 1 },
2225 for (idx=0; table[idx].name && strcmp (table[idx].name, name); idx++)
2227 if (!table[idx].name)
2228 return gpg_error (GPG_ERR_INV_NAME);
2229 if (table[idx].need_v2 && !app->app_local->extcap.is_v2)
2230 return gpg_error (GPG_ERR_NOT_SUPPORTED); /* Not yet supported. */
2232 if (table[idx].special == 3)
2233 return change_keyattr_from_string (app, pincb, pincb_arg, value, valuelen);
2235 switch (table[idx].need_chv)
2238 rc = verify_chv2 (app, pincb, pincb_arg);
2241 rc = verify_chv3 (app, pincb, pincb_arg);
2249 /* Flush the cache before writing it, so that the next get operation
2250 will reread the data from the card and thus get synced in case of
2251 errors (e.g. data truncated by the card). */
2252 flush_cache_item (app, table[idx].tag);
2254 if (app->app_local->cardcap.ext_lc_le && valuelen > 254)
2255 exmode = 1; /* Use extended length w/o a limit. */
2256 else if (app->app_local->cardcap.cmd_chaining && valuelen > 254)
2257 exmode = -254; /* Command chaining with max. 254 bytes. */
2260 rc = iso7816_put_data (app->slot, exmode, table[idx].tag, value, valuelen);
2262 log_error ("failed to set '%s': %s\n", table[idx].name, gpg_strerror (rc));
2264 if (table[idx].special == 1)
2265 app->force_chv1 = (valuelen && *value == 0);
2266 else if (table[idx].special == 2)
2267 parse_login_data (app);
2273 /* Handle the WRITECERT command for OpenPGP. This rites the standard
2274 certifciate to the card; CERTID needs to be set to "OPENPGP.3".
2275 PINCB and PINCB_ARG are the usual arguments for the pinentry
2278 do_writecert (app_t app, ctrl_t ctrl,
2279 const char *certidstr,
2280 gpg_error_t (*pincb)(void*, const char *, char **),
2282 const unsigned char *certdata, size_t certdatalen)
2285 #if GNUPG_MAJOR_VERSION > 1
2286 if (strcmp (certidstr, "OPENPGP.3"))
2287 return gpg_error (GPG_ERR_INV_ID);
2288 if (!certdata || !certdatalen)
2289 return gpg_error (GPG_ERR_INV_ARG);
2290 if (!app->app_local->extcap.is_v2)
2291 return gpg_error (GPG_ERR_NOT_SUPPORTED);
2292 if (certdatalen > app->app_local->extcap.max_certlen_3)
2293 return gpg_error (GPG_ERR_TOO_LARGE);
2294 return do_setattr (app, "CERT-3", pincb, pincb_arg, certdata, certdatalen);
2296 return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
2302 /* Handle the PASSWD command. The following combinations are
2305 Flags CHVNO Vers. Description
2306 RESET 1 1 Verify CHV3 and set a new CHV1 and CHV2
2307 RESET 1 2 Verify PW3 and set a new PW1.
2308 RESET 2 1 Verify CHV3 and set a new CHV1 and CHV2.
2309 RESET 2 2 Verify PW3 and set a new Reset Code.
2310 RESET 3 any Returns GPG_ERR_INV_ID.
2311 - 1 1 Verify CHV2 and set a new CHV1 and CHV2.
2312 - 1 2 Verify PW1 and set a new PW1.
2313 - 2 1 Verify CHV2 and set a new CHV1 and CHV2.
2314 - 2 2 Verify Reset Code and set a new PW1.
2315 - 3 any Verify CHV3/PW3 and set a new CHV3/PW3.
2318 do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr,
2320 gpg_error_t (*pincb)(void*, const char *, char **),
2324 int chvno = atoi (chvnostr);
2325 char *resetcode = NULL;
2326 char *oldpinvalue = NULL;
2327 char *pinvalue = NULL;
2328 int reset_mode = !!(flags & APP_CHANGE_FLAG_RESET);
2329 int set_resetcode = 0;
2335 memset (&pininfo, 0, sizeof pininfo);
2336 pininfo.fixedlen = -1;
2337 pininfo.minlen = minlen;
2339 if (reset_mode && chvno == 3)
2341 rc = gpg_error (GPG_ERR_INV_ID);
2345 if (!app->app_local->extcap.is_v2)
2347 /* Version 1 cards. */
2349 if (reset_mode || chvno == 3)
2351 /* We always require that the PIN is entered. */
2353 rc = verify_chv3 (app, pincb, pincb_arg);
2357 else if (chvno == 1 || chvno == 2)
2359 /* On a v1.x card CHV1 and CVH2 should always have the same
2360 value, thus we enforce it here. */
2361 int save_force = app->force_chv1;
2363 app->force_chv1 = 0;
2366 rc = verify_chv2 (app, pincb, pincb_arg);
2367 app->force_chv1 = save_force;
2373 rc = gpg_error (GPG_ERR_INV_ID);
2379 /* Version 2 cards. */
2381 if (!opt.disable_pinpad
2382 && !iso7816_check_pinpad (app->slot,
2383 ISO7816_CHANGE_REFERENCE_DATA, &pininfo)
2384 && !check_pinpad_request (app, &pininfo, chvno == 3))
2389 /* To reset a PIN the Admin PIN is required. */
2392 rc = verify_chv3 (app, pincb, pincb_arg);
2399 else if (chvno == 1 || chvno == 3)
2403 char *promptbuf = NULL;
2409 rc = build_enter_admin_pin_prompt (app, &promptbuf);
2415 prompt = _("||Please enter the PIN");
2416 rc = pincb (pincb_arg, prompt, &oldpinvalue);
2421 log_info (_("PIN callback returned error: %s\n"),
2426 if (strlen (oldpinvalue) < minlen)
2428 log_info (_("PIN for CHV%d is too short;"
2429 " minimum length is %d\n"), chvno, minlen);
2430 rc = gpg_error (GPG_ERR_BAD_PIN);
2435 else if (chvno == 2)
2437 /* There is no PW2 for v2 cards. We use this condition to
2438 allow a PW reset using the Reset Code. */
2440 unsigned char *value;
2446 relptr = get_one_do (app, 0x00C4, &value, &valuelen, NULL);
2447 if (!relptr || valuelen < 7)
2449 log_error (_("error retrieving CHV status from card\n"));
2451 rc = gpg_error (GPG_ERR_CARD);
2454 remaining = value[5];
2458 log_error (_("Reset Code not or not anymore available\n"));
2459 rc = gpg_error (GPG_ERR_BAD_PIN);
2463 rc = pincb (pincb_arg,
2464 _("||Please enter the Reset Code for the card"),
2468 log_info (_("PIN callback returned error: %s\n"),
2472 if (strlen (resetcode) < minlen)
2474 log_info (_("Reset Code is too short; minimum length is %d\n"),
2476 rc = gpg_error (GPG_ERR_BAD_PIN);
2482 rc = gpg_error (GPG_ERR_INV_ID);
2490 app->did_chv1 = app->did_chv2 = 0;
2494 /* TRANSLATORS: Do not translate the "|*|" prefixes but
2495 keep it at the start of the string. We need this elsewhere
2496 to get some infos on the string. */
2497 rc = pincb (pincb_arg, set_resetcode? _("|RN|New Reset Code") :
2498 chvno == 3? _("|AN|New Admin PIN") : _("|N|New PIN"),
2502 log_error (_("error getting new PIN: %s\n"), gpg_strerror (rc));
2512 buffer = xtrymalloc (strlen (resetcode) + strlen (pinvalue) + 1);
2514 rc = gpg_error_from_syserror ();
2517 strcpy (stpcpy (buffer, resetcode), pinvalue);
2518 rc = iso7816_reset_retry_counter_with_rc (app->slot, 0x81,
2519 buffer, strlen (buffer));
2520 wipememory (buffer, strlen (buffer));
2524 else if (set_resetcode)
2526 if (strlen (pinvalue) < 8)
2528 log_error (_("Reset Code is too short; minimum length is %d\n"), 8);
2529 rc = gpg_error (GPG_ERR_BAD_PIN);
2532 rc = iso7816_put_data (app->slot, 0, 0xD3,
2533 pinvalue, strlen (pinvalue));
2535 else if (reset_mode)
2537 rc = iso7816_reset_retry_counter (app->slot, 0x81,
2538 pinvalue, strlen (pinvalue));
2539 if (!rc && !app->app_local->extcap.is_v2)
2540 rc = iso7816_reset_retry_counter (app->slot, 0x82,
2541 pinvalue, strlen (pinvalue));
2543 else if (!app->app_local->extcap.is_v2)
2545 /* Version 1 cards. */
2546 if (chvno == 1 || chvno == 2)
2548 rc = iso7816_change_reference_data (app->slot, 0x81, NULL, 0,
2549 pinvalue, strlen (pinvalue));
2551 rc = iso7816_change_reference_data (app->slot, 0x82, NULL, 0,
2552 pinvalue, strlen (pinvalue));
2554 else /* CHVNO == 3 */
2556 rc = iso7816_change_reference_data (app->slot, 0x80 + chvno, NULL, 0,
2557 pinvalue, strlen (pinvalue));
2562 /* Version 2 cards. */
2563 assert (chvno == 1 || chvno == 3);
2567 rc = pincb (pincb_arg,
2569 _("||Please enter the Admin PIN and New Admin PIN") :
2570 _("||Please enter the PIN and New PIN"), NULL);
2573 log_info (_("PIN callback returned error: %s\n"),
2577 rc = iso7816_change_reference_data_kp (app->slot, 0x80 + chvno, 0,
2579 pincb (pincb_arg, NULL, NULL); /* Dismiss the prompt. */
2582 rc = iso7816_change_reference_data (app->slot, 0x80 + chvno,
2583 oldpinvalue, strlen (oldpinvalue),
2584 pinvalue, strlen (pinvalue));
2589 wipememory (pinvalue, strlen (pinvalue));
2593 flush_cache_after_error (app);
2598 wipememory (resetcode, strlen (resetcode));
2603 wipememory (oldpinvalue, strlen (oldpinvalue));
2604 xfree (oldpinvalue);
2610 /* Check whether a key already exists. KEYIDX is the index of the key
2611 (0..2). If FORCE is TRUE a diagnositic will be printed but no
2612 error returned if the key already exists. The flag GENERATING is
2613 only used to print correct messages. */
2615 does_key_exist (app_t app, int keyidx, int generating, int force)
2617 const unsigned char *fpr;
2618 unsigned char *buffer;
2622 assert (keyidx >=0 && keyidx <= 2);
2624 if (iso7816_get_data (app->slot, 0, 0x006E, &buffer, &buflen))
2626 log_error (_("error reading application data\n"));
2627 return gpg_error (GPG_ERR_GENERAL);
2629 fpr = find_tlv (buffer, buflen, 0x00C5, &n);
2632 log_error (_("error reading fingerprint DO\n"));
2634 return gpg_error (GPG_ERR_GENERAL);
2637 for (i=0; i < 20 && !fpr[i]; i++)
2640 if (i!=20 && !force)
2642 log_error (_("key already exists\n"));
2643 return gpg_error (GPG_ERR_EEXIST);
2646 log_info (_("existing key will be replaced\n"));
2647 else if (generating)
2648 log_info (_("generating new key\n"));
2650 log_info (_("writing new key\n"));
2655 /* Create a TLV tag and value and store it at BUFFER. Return the length
2656 of tag and length. A LENGTH greater than 65535 is truncated. */
2658 add_tlv (unsigned char *buffer, unsigned int tag, size_t length)
2660 unsigned char *p = buffer;
2662 assert (tag <= 0xffff);
2668 else if (length < 256)
2675 if (length > 0xffff)
2687 build_privkey_template (app_t app, int keyno,
2688 const unsigned char *rsa_n, size_t rsa_n_len,
2689 const unsigned char *rsa_e, size_t rsa_e_len,
2690 const unsigned char *rsa_p, size_t rsa_p_len,
2691 const unsigned char *rsa_q, size_t rsa_q_len,
2692 const unsigned char *rsa_u, size_t rsa_u_len,
2693 const unsigned char *rsa_dp, size_t rsa_dp_len,
2694 const unsigned char *rsa_dq, size_t rsa_dq_len,
2695 unsigned char **result, size_t *resultlen)
2697 size_t rsa_e_reqlen;
2698 unsigned char privkey[7*(1+3+3)];
2700 unsigned char exthdr[2+2+3];
2702 unsigned char suffix[2+3];
2706 unsigned char *template;
2707 size_t template_size;
2712 switch (app->app_local->keyattr[keyno].rsa.format)
2721 return gpg_error (GPG_ERR_INV_VALUE);
2724 /* Get the required length for E. Rounded up to the nearest byte */
2725 rsa_e_reqlen = (app->app_local->keyattr[keyno].rsa.e_bits + 7) / 8;
2726 assert (rsa_e_len <= rsa_e_reqlen);
2728 /* Build the 7f48 cardholder private key template. */
2732 tp += add_tlv (tp, 0x91, rsa_e_reqlen);
2733 datalen += rsa_e_reqlen;
2735 tp += add_tlv (tp, 0x92, rsa_p_len);
2736 datalen += rsa_p_len;
2738 tp += add_tlv (tp, 0x93, rsa_q_len);
2739 datalen += rsa_q_len;
2741 if (app->app_local->keyattr[keyno].rsa.format == RSA_CRT
2742 || app->app_local->keyattr[keyno].rsa.format == RSA_CRT_N)
2744 tp += add_tlv (tp, 0x94, rsa_u_len);
2745 datalen += rsa_u_len;
2746 tp += add_tlv (tp, 0x95, rsa_dp_len);
2747 datalen += rsa_dp_len;
2748 tp += add_tlv (tp, 0x96, rsa_dq_len);
2749 datalen += rsa_dq_len;
2752 if (app->app_local->keyattr[keyno].rsa.format == RSA_STD_N
2753 || app->app_local->keyattr[keyno].rsa.format == RSA_CRT_N)
2755 tp += add_tlv (tp, 0x97, rsa_n_len);
2756 datalen += rsa_n_len;
2758 privkey_len = tp - privkey;
2760 /* Build the extended header list without the private key template. */
2762 *tp++ = keyno ==0 ? 0xb6 : keyno == 1? 0xb8 : 0xa4;
2764 tp += add_tlv (tp, 0x7f48, privkey_len);
2765 exthdr_len = tp - exthdr;
2767 /* Build the 5f48 suffix of the data. */
2769 tp += add_tlv (tp, 0x5f48, datalen);
2770 suffix_len = tp - suffix;
2772 /* Now concatenate everything. */
2773 template_size = (1 + 3 /* 0x4d and len. */
2778 tp = template = xtrymalloc_secure (template_size);
2780 return gpg_error_from_syserror ();
2782 tp += add_tlv (tp, 0x4d, exthdr_len + privkey_len + suffix_len + datalen);
2783 memcpy (tp, exthdr, exthdr_len);
2785 memcpy (tp, privkey, privkey_len);
2787 memcpy (tp, suffix, suffix_len);
2790 memcpy (tp, rsa_e, rsa_e_len);
2791 if (rsa_e_len < rsa_e_reqlen)
2793 /* Right justify E. */
2794 memmove (tp + rsa_e_reqlen - rsa_e_len, tp, rsa_e_len);
2795 memset (tp, 0, rsa_e_reqlen - rsa_e_len);
2799 memcpy (tp, rsa_p, rsa_p_len);
2802 memcpy (tp, rsa_q, rsa_q_len);
2805 if (app->app_local->keyattr[keyno].rsa.format == RSA_CRT
2806 || app->app_local->keyattr[keyno].rsa.format == RSA_CRT_N)
2808 memcpy (tp, rsa_u, rsa_u_len);
2810 memcpy (tp, rsa_dp, rsa_dp_len);
2812 memcpy (tp, rsa_dq, rsa_dq_len);
2816 if (app->app_local->keyattr[keyno].rsa.format == RSA_STD_N
2817 || app->app_local->keyattr[keyno].rsa.format == RSA_CRT_N)
2819 memcpy (tp, rsa_n, rsa_n_len);
2823 /* Sanity check. We don't know the exact length because we
2824 allocated 3 bytes for the first length header. */
2825 assert (tp - template <= template_size);
2828 *resultlen = tp - template;
2833 build_ecc_privkey_template (app_t app, int keyno,
2834 const unsigned char *ecc_d, size_t ecc_d_len,
2835 const unsigned char *ecc_q, size_t ecc_q_len,
2836 unsigned char **result, size_t *resultlen)
2838 unsigned char privkey[2+2];
2840 unsigned char exthdr[2+2+1];
2842 unsigned char suffix[2+1];
2846 unsigned char *template;
2847 size_t template_size;
2848 int pubkey_required;
2850 pubkey_required = !!(app->app_local->keyattr[keyno].ecc.flags
2856 /* Build the 7f48 cardholder private key template. */
2860 tp += add_tlv (tp, 0x92, ecc_d_len);
2861 datalen += ecc_d_len;
2863 if (pubkey_required)
2865 tp += add_tlv (tp, 0x99, ecc_q_len);
2866 datalen += ecc_q_len;
2869 privkey_len = tp - privkey;
2872 /* Build the extended header list without the private key template. */
2874 *tp++ = keyno ==0 ? 0xb6 : keyno == 1? 0xb8 : 0xa4;
2876 tp += add_tlv (tp, 0x7f48, privkey_len);
2877 exthdr_len = tp - exthdr;
2879 /* Build the 5f48 suffix of the data. */
2881 tp += add_tlv (tp, 0x5f48, datalen);
2882 suffix_len = tp - suffix;
2884 /* Now concatenate everything. */
2885 template_size = (1 + 1 /* 0x4d and len. */
2890 if (exthdr_len + privkey_len + suffix_len + datalen >= 128)
2892 tp = template = xtrymalloc_secure (template_size);
2894 return gpg_error_from_syserror ();
2896 tp += add_tlv (tp, 0x4d, exthdr_len + privkey_len + suffix_len + datalen);
2897 memcpy (tp, exthdr, exthdr_len);
2899 memcpy (tp, privkey, privkey_len);
2901 memcpy (tp, suffix, suffix_len);
2904 memcpy (tp, ecc_d, ecc_d_len);
2907 if (pubkey_required)
2909 memcpy (tp, ecc_q, ecc_q_len);
2913 assert (tp - template == template_size);
2916 *resultlen = tp - template;
2921 /* Helper for do_writekley to change the size of a key. Not ethat
2922 this deletes the entire key without asking. */
2924 change_keyattr (app_t app, int keyno, const unsigned char *buf, size_t buflen,
2925 gpg_error_t (*pincb)(void*, const char *, char **),
2930 assert (keyno >=0 && keyno <= 2);
2932 /* Prepare for storing the key. */
2933 err = verify_chv3 (app, pincb, pincb_arg);
2937 /* Change the attribute. */
2938 err = iso7816_put_data (app->slot, 0, 0xC1+keyno, buf, buflen);
2940 log_error ("error changing key attribute (key=%d)\n", keyno+1);
2942 log_info ("key attribute changed (key=%d)\n", keyno+1);
2944 parse_algorithm_attribute (app, keyno);
2953 change_rsa_keyattr (app_t app, int keyno, unsigned int nbits,
2954 gpg_error_t (*pincb)(void*, const char *, char **),
2957 gpg_error_t err = 0;
2962 /* Read the current attributes into a buffer. */
2963 relptr = get_one_do (app, 0xC1+keyno, &buf, &buflen, NULL);
2965 err = gpg_error (GPG_ERR_CARD);
2966 else if (buflen < 6 || buf[0] != PUBKEY_ALGO_RSA)
2968 /* Attriutes too short or not an RSA key. */
2970 err = gpg_error (GPG_ERR_CARD);
2974 /* We only change n_bits and don't touch anything else. Before we
2975 do so, we round up NBITS to a sensible way in the same way as
2976 gpg's key generation does it. This may help to sort out problems
2977 with a few bits too short keys. */
2978 nbits = ((nbits + 31) / 32) * 32;
2979 buf[1] = (nbits >> 8);
2981 err = change_keyattr (app, keyno, buf, buflen, pincb, pincb_arg);
2989 /* Helper to process an setattr command for name KEY-ATTR.
2990 In (VALUE,VALUELEN), it expects following string:
2991 RSA: "--force <key> <algo> rsa<nbits>"
2992 ECC: "--force <key> <algo> <curvename>"
2995 change_keyattr_from_string (app_t app,
2996 gpg_error_t (*pincb)(void*, const char *, char **),
2998 const void *value, size_t valuelen)
3000 gpg_error_t err = 0;
3002 int key, keyno, algo;
3005 /* VALUE is expected to be a string but not guaranteed to be
3006 terminated. Thus copy it to an allocated buffer first. */
3007 string = xtrymalloc (valuelen+1);
3009 return gpg_error_from_syserror ();
3010 memcpy (string, value, valuelen);
3011 string[valuelen] = 0;
3013 /* Because this function deletes the key we require the string
3014 "--force" in the data to make clear that something serious might
3016 sscanf (string, "--force %d %d %n", &key, &algo, &n);
3019 err = gpg_error (GPG_ERR_INV_DATA);
3024 if (keyno < 0 || keyno > 2)
3025 err = gpg_error (GPG_ERR_INV_ID);
3026 else if (algo == PUBKEY_ALGO_RSA)
3031 nbits = strtoul (string+n+3, NULL, 10);
3033 err = gpg_error (GPG_ERR_INV_DATA);
3034 else if (nbits < 1024)
3035 err = gpg_error (GPG_ERR_TOO_SHORT);
3036 else if (nbits > 4096)
3037 err = gpg_error (GPG_ERR_TOO_LARGE);
3039 err = change_rsa_keyattr (app, keyno, nbits, pincb, pincb_arg);
3041 else if (algo == PUBKEY_ALGO_ECDH || algo == PUBKEY_ALGO_ECDSA
3042 || algo == PUBKEY_ALGO_EDDSA)
3046 const unsigned char *oidbuf;
3049 oidstr = openpgp_curve_to_oid (string+n, NULL);
3052 err = gpg_error (GPG_ERR_INV_DATA);
3056 err = openpgp_oid_from_str (oidstr, &oid);
3060 oidbuf = gcry_mpi_get_opaque (oid, &n);
3063 /* We have enough room at STRING. */
3065 memcpy (string+1, oidbuf+1, oid_len-1);
3066 err = change_keyattr (app, keyno, string, oid_len, pincb, pincb_arg);
3067 gcry_mpi_release (oid);
3070 err = gpg_error (GPG_ERR_PUBKEY_ALGO);
3079 rsa_writekey (app_t app, gpg_error_t (*pincb)(void*, const char *, char **),
3080 void *pincb_arg, int keyno,
3081 const unsigned char *buf, size_t buflen, int depth)
3084 const unsigned char *tok;
3086 int last_depth1, last_depth2;
3087 const unsigned char *rsa_n = NULL;
3088 const unsigned char *rsa_e = NULL;
3089 const unsigned char *rsa_p = NULL;
3090 const unsigned char *rsa_q = NULL;
3091 size_t rsa_n_len, rsa_e_len, rsa_p_len, rsa_q_len;
3093 unsigned int maxbits;
3094 unsigned char *template = NULL;
3096 size_t template_len;
3097 unsigned char fprbuf[20];
3100 if (app->app_local->keyattr[keyno].key_type != KEY_TYPE_RSA)
3102 log_error (_("unsupported algorithm: %s"), "RSA");
3103 err = gpg_error (GPG_ERR_INV_VALUE);
3107 last_depth1 = depth;
3108 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3109 && depth && depth >= last_depth1)
3113 err = gpg_error (GPG_ERR_UNKNOWN_SEXP);
3116 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3118 if (tok && toklen == 1)
3120 const unsigned char **mpi;
3125 case 'n': mpi = &rsa_n; mpi_len = &rsa_n_len; break;
3126 case 'e': mpi = &rsa_e; mpi_len = &rsa_e_len; break;
3127 case 'p': mpi = &rsa_p; mpi_len = &rsa_p_len; break;
3128 case 'q': mpi = &rsa_q; mpi_len = &rsa_q_len;break;
3129 default: mpi = NULL; mpi_len = NULL; break;
3133 err = gpg_error (GPG_ERR_DUP_VALUE);
3136 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3140 /* Strip off leading zero bytes and save. */
3141 for (;toklen && !*tok; toklen--, tok++)
3147 /* Skip until end of list. */
3148 last_depth2 = depth;
3149 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3150 && depth && depth >= last_depth2)
3155 /* Parse other attributes. */
3156 last_depth1 = depth;
3157 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3158 && depth && depth >= last_depth1)
3162 err = gpg_error (GPG_ERR_UNKNOWN_SEXP);
3165 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3167 if (tok && toklen == 10 && !memcmp ("created-at", tok, toklen))
3169 if ((err = parse_sexp (&buf,&buflen,&depth,&tok,&toklen)))
3173 for (created_at=0; toklen && *tok && *tok >= '0' && *tok <= '9';
3175 created_at = created_at*10 + (*tok - '0');
3178 /* Skip until end of list. */
3179 last_depth2 = depth;
3180 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3181 && depth && depth >= last_depth2)
3188 /* Check that we have all parameters and that they match the card
3192 log_error (_("creation timestamp missing\n"));
3193 err = gpg_error (GPG_ERR_INV_VALUE);
3197 maxbits = app->app_local->keyattr[keyno].rsa.n_bits;
3198 nbits = rsa_n? count_bits (rsa_n, rsa_n_len) : 0;
3200 log_info ("RSA modulus size is %u bits (%u bytes)\n",
3201 nbits, (unsigned int)rsa_n_len);
3202 if (nbits && nbits != maxbits
3203 && app->app_local->extcap.algo_attr_change)
3205 /* Try to switch the key to a new length. */
3206 err = change_rsa_keyattr (app, keyno, nbits, pincb, pincb_arg);
3208 maxbits = app->app_local->keyattr[keyno].rsa.n_bits;
3210 if (nbits != maxbits)
3212 log_error (_("RSA modulus missing or not of size %d bits\n"),
3214 err = gpg_error (GPG_ERR_BAD_SECKEY);
3218 maxbits = app->app_local->keyattr[keyno].rsa.e_bits;
3219 if (maxbits > 32 && !app->app_local->extcap.is_v2)
3220 maxbits = 32; /* Our code for v1 does only support 32 bits. */
3221 nbits = rsa_e? count_bits (rsa_e, rsa_e_len) : 0;
3222 if (nbits < 2 || nbits > maxbits)
3224 log_error (_("RSA public exponent missing or larger than %d bits\n"),
3226 err = gpg_error (GPG_ERR_BAD_SECKEY);
3230 maxbits = app->app_local->keyattr[keyno].rsa.n_bits/2;
3231 nbits = rsa_p? count_bits (rsa_p, rsa_p_len) : 0;
3232 if (nbits != maxbits)
3234 log_error (_("RSA prime %s missing or not of size %d bits\n"),
3236 err = gpg_error (GPG_ERR_BAD_SECKEY);
3239 nbits = rsa_q? count_bits (rsa_q, rsa_q_len) : 0;
3240 if (nbits != maxbits)
3242 log_error (_("RSA prime %s missing or not of size %d bits\n"),
3244 err = gpg_error (GPG_ERR_BAD_SECKEY);
3248 /* We need to remove the cached public key. */
3249 xfree (app->app_local->pk[keyno].key);
3250 app->app_local->pk[keyno].key = NULL;
3251 app->app_local->pk[keyno].keylen = 0;
3252 app->app_local->pk[keyno].read_done = 0;
3255 if (app->app_local->extcap.is_v2)
3257 unsigned char *rsa_u, *rsa_dp, *rsa_dq;
3258 size_t rsa_u_len, rsa_dp_len, rsa_dq_len;
3259 gcry_mpi_t mpi_e, mpi_p, mpi_q;
3260 gcry_mpi_t mpi_u = gcry_mpi_snew (0);
3261 gcry_mpi_t mpi_dp = gcry_mpi_snew (0);
3262 gcry_mpi_t mpi_dq = gcry_mpi_snew (0);
3263 gcry_mpi_t mpi_tmp = gcry_mpi_snew (0);
3266 /* Calculate the u, dp and dq components needed by RSA_CRT cards */
3267 gcry_mpi_scan (&mpi_e, GCRYMPI_FMT_USG, rsa_e, rsa_e_len, NULL);
3268 gcry_mpi_scan (&mpi_p, GCRYMPI_FMT_USG, rsa_p, rsa_p_len, NULL);
3269 gcry_mpi_scan (&mpi_q, GCRYMPI_FMT_USG, rsa_q, rsa_q_len, NULL);
3271 gcry_mpi_invm (mpi_u, mpi_q, mpi_p);
3272 gcry_mpi_sub_ui (mpi_tmp, mpi_p, 1);
3273 gcry_mpi_invm (mpi_dp, mpi_e, mpi_tmp);
3274 gcry_mpi_sub_ui (mpi_tmp, mpi_q, 1);
3275 gcry_mpi_invm (mpi_dq, mpi_e, mpi_tmp);
3277 gcry_mpi_aprint (GCRYMPI_FMT_USG, &rsa_u, &rsa_u_len, mpi_u);
3278 gcry_mpi_aprint (GCRYMPI_FMT_USG, &rsa_dp, &rsa_dp_len, mpi_dp);
3279 gcry_mpi_aprint (GCRYMPI_FMT_USG, &rsa_dq, &rsa_dq_len, mpi_dq);
3281 gcry_mpi_release (mpi_e);
3282 gcry_mpi_release (mpi_p);
3283 gcry_mpi_release (mpi_q);
3284 gcry_mpi_release (mpi_u);
3285 gcry_mpi_release (mpi_dp);
3286 gcry_mpi_release (mpi_dq);
3287 gcry_mpi_release (mpi_tmp);
3289 /* Build the private key template as described in section 4.3.3.7 of
3290 the OpenPGP card specs version 2.0. */
3291 err = build_privkey_template (app, keyno,
3299 &template, &template_len);
3307 /* Prepare for storing the key. */
3308 err = verify_chv3 (app, pincb, pincb_arg);
3312 /* Store the key. */
3313 if (app->app_local->cardcap.ext_lc_le && template_len > 254)
3314 exmode = 1; /* Use extended length w/o a limit. */
3315 else if (app->app_local->cardcap.cmd_chaining && template_len > 254)
3319 err = iso7816_put_data_odd (app->slot, exmode, 0x3fff,
3320 template, template_len);
3324 /* Build the private key template as described in section 4.3.3.6 of
3325 the OpenPGP card specs version 1.1:
3326 0xC0 <length> public exponent
3327 0xC1 <length> prime p
3328 0xC2 <length> prime q
3330 assert (rsa_e_len <= 4);
3331 template_len = (1 + 1 + 4
3333 + 1 + 1 + rsa_q_len);
3334 template = tp = xtrymalloc_secure (template_len);
3337 err = gpg_error_from_syserror ();
3342 memcpy (tp, rsa_e, rsa_e_len);
3345 /* Right justify E. */
3346 memmove (tp+4-rsa_e_len, tp, rsa_e_len);
3347 memset (tp, 0, 4-rsa_e_len);
3353 memcpy (tp, rsa_p, rsa_p_len);
3358 memcpy (tp, rsa_q, rsa_q_len);
3361 assert (tp - template == template_len);
3363 /* Prepare for storing the key. */
3364 err = verify_chv3 (app, pincb, pincb_arg);
3368 /* Store the key. */
3369 err = iso7816_put_data (app->slot, 0,
3370 (app->card_version > 0x0007? 0xE0:0xE9)+keyno,
3371 template, template_len);
3375 log_error (_("failed to store the key: %s\n"), gpg_strerror (err));
3379 err = store_fpr (app, keyno, created_at, fprbuf, PUBKEY_ALGO_RSA,
3380 rsa_n, rsa_n_len, rsa_e, rsa_e_len);
3392 ecc_writekey (app_t app, gpg_error_t (*pincb)(void*, const char *, char **),
3393 void *pincb_arg, int keyno,
3394 const unsigned char *buf, size_t buflen, int depth)
3397 const unsigned char *tok;
3399 int last_depth1, last_depth2;
3400 const unsigned char *ecc_q = NULL;
3401 const unsigned char *ecc_d = NULL;
3402 size_t ecc_q_len, ecc_d_len;
3403 const char *curve = NULL;
3406 int flag_djb_tweak = 0;
3408 gcry_mpi_t oid = NULL;
3409 const unsigned char *oidbuf;
3412 unsigned char fprbuf[20];
3414 /* (private-key(ecc(curve%s)(q%m)(d%m))(created-at%d)):
3415 curve = "NIST P-256" */
3416 /* (private-key(ecc(curve%s)(q%m)(d%m))(created-at%d)):
3417 curve = "secp256k1" */
3418 /* (private-key(ecc(curve%s)(flags eddsa)(q%m)(d%m))(created-at%d)):
3419 curve = "Ed25519" */
3420 last_depth1 = depth;
3421 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3422 && depth && depth >= last_depth1)
3426 err = gpg_error (GPG_ERR_UNKNOWN_SEXP);
3429 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3432 if (tok && toklen == 5 && !memcmp (tok, "curve", 5))
3436 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3439 curve_name = xtrymalloc (toklen+1);
3442 err = gpg_error_from_syserror ();
3446 memcpy (curve_name, tok, toklen);
3447 curve_name[toklen] = 0;
3448 curve = openpgp_is_curve_supported (curve_name, NULL, NULL);
3451 else if (tok && toklen == 5 && !memcmp (tok, "flags", 5))
3453 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3458 if ((toklen == 5 && !memcmp (tok, "eddsa", 5))
3459 || (toklen == 9 && !memcmp (tok, "djb-tweak", 9)))
3463 else if (tok && toklen == 1)
3465 const unsigned char **buf2;
3467 int native = flag_djb_tweak;
3471 case 'q': buf2 = &ecc_q; buf2len = &ecc_q_len; break;
3472 case 'd': buf2 = &ecc_d; buf2len = &ecc_d_len; native = 0; break;
3473 default: buf2 = NULL; buf2len = NULL; break;
3477 err = gpg_error (GPG_ERR_DUP_VALUE);
3480 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3485 /* Strip off leading zero bytes and save. */
3486 for (;toklen && !*tok; toklen--, tok++)
3493 /* Skip until end of list. */
3494 last_depth2 = depth;
3495 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3496 && depth && depth >= last_depth2)
3501 /* Parse other attributes. */
3502 last_depth1 = depth;
3503 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3504 && depth && depth >= last_depth1)
3508 err = gpg_error (GPG_ERR_UNKNOWN_SEXP);
3511 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3513 if (tok && toklen == 10 && !memcmp ("created-at", tok, toklen))
3515 if ((err = parse_sexp (&buf,&buflen,&depth,&tok,&toklen)))
3519 for (created_at=0; toklen && *tok && *tok >= '0' && *tok <= '9';
3521 created_at = created_at*10 + (*tok - '0');
3524 /* Skip until end of list. */
3525 last_depth2 = depth;
3526 while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
3527 && depth && depth >= last_depth2)
3534 /* Check that we have all parameters and that they match the card
3538 log_error (_("unsupported curve\n"));
3539 err = gpg_error (GPG_ERR_INV_VALUE);
3544 log_error (_("creation timestamp missing\n"));
3545 err = gpg_error (GPG_ERR_INV_VALUE);
3548 if (flag_djb_tweak && keyno != 1)
3549 algo = PUBKEY_ALGO_EDDSA;
3550 else if (keyno == 1)
3551 algo = PUBKEY_ALGO_ECDH;
3553 algo = PUBKEY_ALGO_ECDSA;
3555 oidstr = openpgp_curve_to_oid (curve, NULL);
3556 err = openpgp_oid_from_str (oidstr, &oid);
3559 oidbuf = gcry_mpi_get_opaque (oid, &n);
3562 err = gpg_error_from_syserror ();
3567 if (app->app_local->keyattr[keyno].key_type != KEY_TYPE_ECC
3568 || app->app_local->keyattr[keyno].ecc.curve != curve
3569 || (flag_djb_tweak !=
3570 (app->app_local->keyattr[keyno].ecc.flags & ECC_FLAG_DJB_TWEAK)))
3572 if (app->app_local->extcap.algo_attr_change)
3574 unsigned char *keyattr;
3578 err = gpg_error (GPG_ERR_INTERNAL);
3581 keyattr = xtrymalloc (oid_len);
3584 err = gpg_error_from_syserror ();
3588 memcpy (keyattr+1, oidbuf+1, oid_len-1);
3589 err = change_keyattr (app, keyno, keyattr, oid_len, pincb, pincb_arg);
3596 log_error ("key attribute on card doesn't match\n");
3597 err = gpg_error (GPG_ERR_INV_VALUE);
3603 log_info ("ECC private key size is %u bytes\n", (unsigned int)ecc_d_len);
3605 /* We need to remove the cached public key. */
3606 xfree (app->app_local->pk[keyno].key);
3607 app->app_local->pk[keyno].key = NULL;
3608 app->app_local->pk[keyno].keylen = 0;
3609 app->app_local->pk[keyno].read_done = 0;
3611 if (app->app_local->extcap.is_v2)
3613 /* Build the private key template as described in section 4.3.3.7 of
3614 the OpenPGP card specs version 2.0. */
3615 unsigned char *template;
3616 size_t template_len;
3619 err = build_ecc_privkey_template (app, keyno,
3622 &template, &template_len);
3626 /* Prepare for storing the key. */
3627 err = verify_chv3 (app, pincb, pincb_arg);
3634 /* Store the key. */
3635 if (app->app_local->cardcap.ext_lc_le && template_len > 254)
3636 exmode = 1; /* Use extended length w/o a limit. */
3637 else if (app->app_local->cardcap.cmd_chaining && template_len > 254)
3641 err = iso7816_put_data_odd (app->slot, exmode, 0x3fff,
3642 template, template_len);
3646 err = gpg_error (GPG_ERR_NOT_SUPPORTED);
3650 log_error (_("failed to store the key: %s\n"), gpg_strerror (err));
3654 err = store_fpr (app, keyno, created_at, fprbuf, algo, oidbuf, oid_len,
3655 ecc_q, ecc_q_len, ecdh_params (curve), (size_t)4);
3658 gcry_mpi_release (oid);
3662 /* Handle the WRITEKEY command for OpenPGP. This function expects a
3663 canonical encoded S-expression with the secret key in KEYDATA and
3664 its length (for assertions) in KEYDATALEN. KEYID needs to be the
3665 usual keyid which for OpenPGP is the string "OPENPGP.n" with
3666 n=1,2,3. Bit 0 of FLAGS indicates whether an existing key shall
3667 get overwritten. PINCB and PINCB_ARG are the usual arguments for
3668 the pinentry callback. */
3670 do_writekey (app_t app, ctrl_t ctrl,
3671 const char *keyid, unsigned int flags,
3672 gpg_error_t (*pincb)(void*, const char *, char **),
3674 const unsigned char *keydata, size_t keydatalen)
3677 int force = (flags & 1);
3679 const unsigned char *buf, *tok;
3680 size_t buflen, toklen;
3685 if (!strcmp (keyid, "OPENPGP.1"))
3687 else if (!strcmp (keyid, "OPENPGP.2"))
3689 else if (!strcmp (keyid, "OPENPGP.3"))
3692 return gpg_error (GPG_ERR_INV_ID);
3694 err = does_key_exist (app, keyno, 0, force);
3700 Parse the S-expression
3703 buflen = keydatalen;
3705 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3707 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3709 if (!tok || toklen != 11 || memcmp ("private-key", tok, toklen))
3713 else if (toklen == 21 && !memcmp ("protected-private-key", tok, toklen))
3714 log_info ("protected-private-key passed to writekey\n");
3715 else if (toklen == 20 && !memcmp ("shadowed-private-key", tok, toklen))
3716 log_info ("shadowed-private-key passed to writekey\n");
3717 err = gpg_error (GPG_ERR_BAD_SECKEY);
3720 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3722 if ((err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen)))
3724 if (tok && toklen == 3 && memcmp ("rsa", tok, toklen) == 0)
3725 err = rsa_writekey (app, pincb, pincb_arg, keyno, buf, buflen, depth);
3726 else if (tok && toklen == 3 && memcmp ("ecc", tok, toklen) == 0)
3727 err = ecc_writekey (app, pincb, pincb_arg, keyno, buf, buflen, depth);
3730 err = gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
3740 /* Handle the GENKEY command. */
3742 do_genkey (app_t app, ctrl_t ctrl, const char *keynostr, unsigned int flags,
3744 gpg_error_t (*pincb)(void*, const char *, char **),
3749 unsigned char *buffer = NULL;
3750 const unsigned char *keydata;
3751 size_t buflen, keydatalen;
3753 int keyno = atoi (keynostr) - 1;
3754 int force = (flags & 1);
3757 int le_value = 256; /* Use legacy value. */
3759 if (keyno < 0 || keyno > 2)
3760 return gpg_error (GPG_ERR_INV_ID);
3762 /* We flush the cache to increase the traffic before a key
3763 generation. This _might_ help a card to gather more entropy. */
3766 /* Obviously we need to remove the cached public key. */
3767 xfree (app->app_local->pk[keyno].key);
3768 app->app_local->pk[keyno].key = NULL;
3769 app->app_local->pk[keyno].keylen = 0;
3770 app->app_local->pk[keyno].read_done = 0;
3772 /* Check whether a key already exists. */
3773 err = does_key_exist (app, keyno, 1, force);
3777 if (app->app_local->keyattr[keyno].key_type == KEY_TYPE_RSA)
3779 unsigned int keybits = app->app_local->keyattr[keyno].rsa.n_bits;
3781 /* Because we send the key parameter back via status lines we need
3782 to put a limit on the max. allowed keysize. 2048 bit will
3783 already lead to a 527 byte long status line and thus a 4096 bit
3784 key would exceed the Assuan line length limit. */
3786 return gpg_error (GPG_ERR_TOO_LARGE);
3788 if (app->app_local->cardcap.ext_lc_le && keybits > RSA_SMALL_SIZE_KEY
3789 && app->app_local->keyattr[keyno].key_type == KEY_TYPE_RSA)
3791 exmode = 1; /* Use extended length w/o a limit. */
3792 le_value = determine_rsa_response (app, keyno);
3793 /* No need to check le_value because it comes from a 16 bit
3794 value and thus can't create an overflow on a 32 bit
3799 /* Prepare for key generation by verifying the Admin PIN. */
3800 err = verify_chv3 (app, pincb, pincb_arg);
3805 log_info (_("please wait while key is being generated ...\n"));
3806 start_at = time (NULL);
3807 err = iso7816_generate_keypair (app->slot, exmode,
3808 (keyno == 0? "\xB6" :
3809 keyno == 1? "\xB8" : "\xA4"),
3810 2, le_value, &buffer, &buflen);
3813 log_error (_("generating key failed\n"));
3814 return gpg_error (GPG_ERR_CARD);
3818 int nsecs = (int)(time (NULL) - start_at);
3819 log_info (ngettext("key generation completed (%d second)\n",
3820 "key generation completed (%d seconds)\n",
3824 keydata = find_tlv (buffer, buflen, 0x7F49, &keydatalen);
3827 err = gpg_error (GPG_ERR_CARD);
3828 log_error (_("response does not contain the public key data\n"));
3832 created_at = (u32)(createtime? createtime : gnupg_get_time ());
3833 sprintf (numbuf, "%u", created_at);
3834 send_status_info (ctrl, "KEY-CREATED-AT",
3835 numbuf, (size_t)strlen(numbuf), NULL, 0);
3837 err = read_public_key (app, ctrl, created_at, keyno, buffer, buflen);
3844 static unsigned long
3845 convert_sig_counter_value (const unsigned char *value, size_t valuelen)
3850 ul = (value[0] << 16) | (value[1] << 8) | value[2];
3853 log_error (_("invalid structure of OpenPGP card (DO 0x93)\n"));
3859 static unsigned long
3860 get_sig_counter (app_t app)
3863 unsigned char *value;
3867 relptr = get_one_do (app, 0x0093, &value, &valuelen, NULL);
3870 ul = convert_sig_counter_value (value, valuelen);
3876 compare_fingerprint (app_t app, int keyno, unsigned char *sha1fpr)
3878 const unsigned char *fpr;
3879 unsigned char *buffer;
3883 assert (keyno >= 0 && keyno <= 2);
3885 rc = get_cached_data (app, 0x006E, &buffer, &buflen, 0, 0);
3888 log_error (_("error reading application data\n"));
3889 return gpg_error (GPG_ERR_GENERAL);
3891 fpr = find_tlv (buffer, buflen, 0x00C5, &n);
3892 if (!fpr || n != 60)
3895 log_error (_("error reading fingerprint DO\n"));
3896 return gpg_error (GPG_ERR_GENERAL);
3899 for (i=0; i < 20; i++)
3900 if (sha1fpr[i] != fpr[i])
3903 log_info (_("fingerprint on card does not match requested one\n"));
3904 return gpg_error (GPG_ERR_WRONG_SECKEY);
3911 /* If a fingerprint has been specified check it against the one on the
3912 card. This allows for a meaningful error message in case the key
3913 on the card has been replaced but the shadow information known to
3914 gpg has not been updated. If there is no fingerprint we assume
3915 that this is okay. */
3917 check_against_given_fingerprint (app_t app, const char *fpr, int key)
3919 unsigned char tmp[20];
3923 for (s=fpr, n=0; hexdigitp (s); s++, n++)
3926 return gpg_error (GPG_ERR_INV_ID);
3930 return gpg_error (GPG_ERR_INV_ID);
3932 for (s=fpr, n=0; n < 20; s += 2, n++)
3933 tmp[n] = xtoi_2 (s);
3934 return compare_fingerprint (app, key-1, tmp);
3939 /* Compute a digital signature on INDATA which is expected to be the
3940 raw message digest. For this application the KEYIDSTR consists of
3941 the serialnumber and the fingerprint delimited by a slash.
3943 Note that this function may return the error code
3944 GPG_ERR_WRONG_CARD to indicate that the card currently present does
3945 not match the one required for the requested action (e.g. the
3946 serial number does not match).
3948 As a special feature a KEYIDSTR of "OPENPGP.3" redirects the
3949 operation to the auth command.
3952 do_sign (app_t app, const char *keyidstr, int hashalgo,
3953 gpg_error_t (*pincb)(void*, const char *, char **),
3955 const void *indata, size_t indatalen,
3956 unsigned char **outdata, size_t *outdatalen )
3958 static unsigned char rmd160_prefix[15] = /* Object ID is 1.3.36.3.2.1 */
3959 { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03,
3960 0x02, 0x01, 0x05, 0x00, 0x04, 0x14 };
3961 static unsigned char sha1_prefix[15] = /* (1.3.14.3.2.26) */
3962 { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
3963 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
3964 static unsigned char sha224_prefix[19] = /* (2.16.840.1.101.3.4.2.4) */
3965 { 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
3966 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
3968 static unsigned char sha256_prefix[19] = /* (2.16.840.1.101.3.4.2.1) */
3969 { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
3970 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
3972 static unsigned char sha384_prefix[19] = /* (2.16.840.1.101.3.4.2.2) */
3973 { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
3974 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
3976 static unsigned char sha512_prefix[19] = /* (2.16.840.1.101.3.4.2.3) */
3977 { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
3978 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
3981 unsigned char data[19+64];
3983 unsigned char tmp_sn[20]; /* Actually 16 bytes but also for the fpr. */
3986 const char *fpr = NULL;
3987 unsigned long sigcount;
3989 int exmode, le_value;
3991 if (!keyidstr || !*keyidstr)
3992 return gpg_error (GPG_ERR_INV_VALUE);
3994 /* Strip off known prefixes. */
3995 #define X(a,b,c,d) \
3996 if (hashalgo == GCRY_MD_ ## a \
3998 && indatalen == sizeof b ## _prefix + (c) \
3999 && !memcmp (indata, b ## _prefix, sizeof b ## _prefix)) \
4001 indata = (const char*)indata + sizeof b ## _prefix; \
4002 indatalen -= sizeof b ## _prefix; \
4005 if (indatalen == 20)
4006 ; /* Assume a plain SHA-1 or RMD160 digest has been given. */
4007 else X(SHA1, sha1, 20, 1)
4008 else X(RMD160, rmd160, 20, 1)
4009 else X(SHA224, sha224, 28, app->app_local->extcap.is_v2)
4010 else X(SHA256, sha256, 32, app->app_local->extcap.is_v2)
4011 else X(SHA384, sha384, 48, app->app_local->extcap.is_v2)
4012 else X(SHA512, sha512, 64, app->app_local->extcap.is_v2)
4013 else if ((indatalen == 28 || indatalen == 32
4014 || indatalen == 48 || indatalen ==64)
4015 && app->app_local->extcap.is_v2)
4016 ; /* Assume a plain SHA-3 digest has been given. */
4019 log_error (_("card does not support digest algorithm %s\n"),
4020 gcry_md_algo_name (hashalgo));
4021 /* Or the supplied digest length does not match an algorithm. */
4022 return gpg_error (GPG_ERR_INV_VALUE);
4026 /* Check whether an OpenPGP card of any version has been requested. */
4027 if (!strcmp (keyidstr, "OPENPGP.1"))
4029 else if (!strcmp (keyidstr, "OPENPGP.3"))
4031 else if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
4032 return gpg_error (GPG_ERR_INV_ID);
4035 for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
4038 return gpg_error (GPG_ERR_INV_ID);
4040 ; /* no fingerprint given: we allow this for now. */
4044 return gpg_error (GPG_ERR_INV_ID);
4046 for (s=keyidstr, n=0; n < 16; s += 2, n++)
4047 tmp_sn[n] = xtoi_2 (s);
4049 if (app->serialnolen != 16)
4050 return gpg_error (GPG_ERR_INV_CARD);
4051 if (memcmp (app->serialno, tmp_sn, 16))
4052 return gpg_error (GPG_ERR_WRONG_CARD);
4055 /* If a fingerprint has been specified check it against the one on
4056 the card. This is allows for a meaningful error message in case
4057 the key on the card has been replaced but the shadow information
4058 known to gpg was not updated. If there is no fingerprint, gpg
4059 will detect a bogus signature anyway due to the
4060 verify-after-signing feature. */
4061 rc = fpr? check_against_given_fingerprint (app, fpr, 1) : 0;
4065 /* Concatenate prefix and digest. */
4067 if (hashalgo == GCRY_MD_ ## a && (d) ) \
4069 datalen = sizeof b ## _prefix + indatalen; \
4070 assert (datalen <= sizeof data); \
4071 memcpy (data, b ## _prefix, sizeof b ## _prefix); \
4072 memcpy (data + sizeof b ## _prefix, indata, indatalen); \
4076 || app->app_local->keyattr[use_auth? 2: 0].key_type == KEY_TYPE_RSA)
4079 else X(RMD160, rmd160, 1)
4080 else X(SHA224, sha224, app->app_local->extcap.is_v2)
4081 else X(SHA256, sha256, app->app_local->extcap.is_v2)
4082 else X(SHA384, sha384, app->app_local->extcap.is_v2)
4083 else X(SHA512, sha512, app->app_local->extcap.is_v2)
4085 return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
4089 datalen = indatalen;
4090 memcpy (data, indata, indatalen);
4094 /* Redirect to the AUTH command if asked to. */
4097 return do_auth (app, "OPENPGP.3", pincb, pincb_arg,
4099 outdata, outdatalen);
4102 /* Show the number of signature done using this key. */
4103 sigcount = get_sig_counter (app);
4104 log_info (_("signatures created so far: %lu\n"), sigcount);
4106 /* Check CHV if needed. */
4107 if (!app->did_chv1 || app->force_chv1 )
4111 rc = verify_a_chv (app, pincb, pincb_arg, 1, sigcount, &pinvalue);
4117 /* For cards with versions < 2 we want to keep CHV1 and CHV2 in
4118 sync, thus we verify CHV2 here using the given PIN. Cards
4119 with version2 to not have the need for a separate CHV2 and
4120 internally use just one. Obviously we can't do that if the
4121 pinpad has been used. */
4122 if (!app->did_chv2 && pinvalue && !app->app_local->extcap.is_v2)
4124 rc = iso7816_verify (app->slot, 0x82, pinvalue, strlen (pinvalue));
4125 if (gpg_err_code (rc) == GPG_ERR_BAD_PIN)
4126 rc = gpg_error (GPG_ERR_PIN_NOT_SYNCED);
4129 log_error (_("verify CHV%d failed: %s\n"), 2, gpg_strerror (rc));
4131 flush_cache_after_error (app);
4140 if (app->app_local->cardcap.ext_lc_le
4141 && app->app_local->keyattr[0].key_type == KEY_TYPE_RSA
4142 && app->app_local->keyattr[0].rsa.n_bits > RSA_SMALL_SIZE_OP)
4144 exmode = 1; /* Use extended length. */
4145 le_value = app->app_local->keyattr[0].rsa.n_bits / 8;
4152 rc = iso7816_compute_ds (app->slot, exmode, data, datalen, le_value,
4153 outdata, outdatalen);
4157 /* Compute a digital signature using the INTERNAL AUTHENTICATE command
4158 on INDATA which is expected to be the raw message digest. For this
4159 application the KEYIDSTR consists of the serialnumber and the
4160 fingerprint delimited by a slash. Optionally the id OPENPGP.3 may
4163 Note that this function may return the error code
4164 GPG_ERR_WRONG_CARD to indicate that the card currently present does
4165 not match the one required for the requested action (e.g. the
4166 serial number does not match). */
4168 do_auth (app_t app, const char *keyidstr,
4169 gpg_error_t (*pincb)(void*, const char *, char **),
4171 const void *indata, size_t indatalen,
4172 unsigned char **outdata, size_t *outdatalen )
4175 unsigned char tmp_sn[20]; /* Actually 16 but we use it also for the fpr. */
4178 const char *fpr = NULL;
4180 if (!keyidstr || !*keyidstr)
4181 return gpg_error (GPG_ERR_INV_VALUE);
4182 if (app->app_local->keyattr[2].key_type == KEY_TYPE_RSA
4183 && indatalen > 101) /* For a 2048 bit key. */
4184 return gpg_error (GPG_ERR_INV_VALUE);
4186 if (app->app_local->keyattr[2].key_type == KEY_TYPE_ECC)
4188 if (!(app->app_local->keyattr[2].ecc.flags & ECC_FLAG_DJB_TWEAK)
4189 && (indatalen == 51 || indatalen == 67 || indatalen == 83))
4191 const char *p = (const char *)indata + 19;
4197 const char *p = (const char *)indata + 15;
4203 /* Check whether an OpenPGP card of any version has been requested. */
4204 if (!strcmp (keyidstr, "OPENPGP.3"))
4206 else if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
4207 return gpg_error (GPG_ERR_INV_ID);
4210 for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
4213 return gpg_error (GPG_ERR_INV_ID);
4215 ; /* no fingerprint given: we allow this for now. */
4219 return gpg_error (GPG_ERR_INV_ID);
4221 for (s=keyidstr, n=0; n < 16; s += 2, n++)
4222 tmp_sn[n] = xtoi_2 (s);
4224 if (app->serialnolen != 16)
4225 return gpg_error (GPG_ERR_INV_CARD);
4226 if (memcmp (app->serialno, tmp_sn, 16))
4227 return gpg_error (GPG_ERR_WRONG_CARD);
4230 /* If a fingerprint has been specified check it against the one on
4231 the card. This is allows for a meaningful error message in case
4232 the key on the card has been replaced but the shadow information
4233 known to gpg was not updated. If there is no fingerprint, gpg
4234 will detect a bogus signature anyway due to the
4235 verify-after-signing feature. */
4236 rc = fpr? check_against_given_fingerprint (app, fpr, 3) : 0;
4240 rc = verify_chv2 (app, pincb, pincb_arg);
4243 int exmode, le_value;
4245 if (app->app_local->cardcap.ext_lc_le
4246 && app->app_local->keyattr[2].key_type == KEY_TYPE_RSA
4247 && app->app_local->keyattr[2].rsa.n_bits > RSA_SMALL_SIZE_OP)
4249 exmode = 1; /* Use extended length. */
4250 le_value = app->app_local->keyattr[2].rsa.n_bits / 8;
4257 rc = iso7816_internal_authenticate (app->slot, exmode,
4258 indata, indatalen, le_value,
4259 outdata, outdatalen);
4266 do_decipher (app_t app, const char *keyidstr,
4267 gpg_error_t (*pincb)(void*, const char *, char **),
4269 const void *indata, size_t indatalen,
4270 unsigned char **outdata, size_t *outdatalen,
4271 unsigned int *r_info)
4274 unsigned char tmp_sn[20]; /* actually 16 but we use it also for the fpr. */
4277 const char *fpr = NULL;
4278 int exmode, le_value;
4279 unsigned char *fixbuf = NULL;
4283 if (!keyidstr || !*keyidstr || !indatalen)
4284 return gpg_error (GPG_ERR_INV_VALUE);
4286 /* Check whether an OpenPGP card of any version has been requested. */
4287 if (!strcmp (keyidstr, "OPENPGP.2"))
4289 else if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
4290 return gpg_error (GPG_ERR_INV_ID);
4293 for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
4296 return gpg_error (GPG_ERR_INV_ID);
4298 ; /* no fingerprint given: we allow this for now. */
4302 return gpg_error (GPG_ERR_INV_ID);
4304 for (s=keyidstr, n=0; n < 16; s += 2, n++)
4305 tmp_sn[n] = xtoi_2 (s);
4307 if (app->serialnolen != 16)
4308 return gpg_error (GPG_ERR_INV_CARD);
4309 if (memcmp (app->serialno, tmp_sn, 16))
4310 return gpg_error (GPG_ERR_WRONG_CARD);
4313 /* If a fingerprint has been specified check it against the one on
4314 the card. This is allows for a meaningful error message in case
4315 the key on the card has been replaced but the shadow information
4316 known to gpg was not updated. If there is no fingerprint, the
4317 decryption won't produce the right plaintext anyway. */
4318 rc = fpr? check_against_given_fingerprint (app, fpr, 2) : 0;
4322 rc = verify_chv2 (app, pincb, pincb_arg);
4326 if ((indatalen == 16 + 1 || indatalen == 32 + 1)
4327 && ((char *)indata)[0] == 0x02)
4329 /* PSO:DECIPHER with symmetric key. */
4332 else if (app->app_local->keyattr[1].key_type == KEY_TYPE_RSA)
4334 /* We might encounter a couple of leading zeroes in the
4335 cryptogram. Due to internal use of MPIs these leading zeroes
4336 are stripped. However the OpenPGP card expects exactly 128
4337 bytes for the cryptogram (for a 1k key). Thus we need to fix
4338 it up. We do this for up to 16 leading zero bytes; a
4339 cryptogram with more than this is with a very high
4340 probability anyway broken. If a signed conversion was used
4341 we may also encounter one leading zero followed by the correct
4342 length. We fix that as well. */
4343 if (indatalen >= (128-16) && indatalen < 128) /* 1024 bit key. */
4344 fixuplen = 128 - indatalen;
4345 else if (indatalen >= (192-16) && indatalen < 192) /* 1536 bit key. */
4346 fixuplen = 192 - indatalen;
4347 else if (indatalen >= (256-16) && indatalen < 256) /* 2048 bit key. */
4348 fixuplen = 256 - indatalen;
4349 else if (indatalen >= (384-16) && indatalen < 384) /* 3072 bit key. */
4350 fixuplen = 384 - indatalen;
4351 else if (indatalen >= (512-16) && indatalen < 512) /* 4096 bit key. */
4352 fixuplen = 512 - indatalen;
4353 else if (!*(const char *)indata && (indatalen == 129
4357 || indatalen == 513))
4364 /* While we have to prepend stuff anyway, we can also
4365 include the padding byte here so that iso1816_decipher
4366 does not need to do another data mangling. */
4369 fixbuf = xtrymalloc (fixuplen + indatalen);
4371 return gpg_error_from_syserror ();
4373 memset (fixbuf, 0, fixuplen);
4374 memcpy (fixbuf+fixuplen, indata, indatalen);
4376 indatalen = fixuplen + indatalen;
4377 padind = -1; /* Already padded. */
4379 else if (fixuplen < 0)
4381 /* We use the extra leading zero as the padding byte. */
4385 else if (app->app_local->keyattr[1].key_type == KEY_TYPE_ECC)
4387 int old_format_len = 0;
4389 if ((app->app_local->keyattr[1].ecc.flags & ECC_FLAG_DJB_TWEAK))
4391 if (indatalen > 32 && (indatalen % 2))
4393 * Skip the prefix. It may be 0x40 (in new format), or MPI
4394 * head of 0x00 (in old format).
4396 indata = (const char *)indata + 1;
4399 else if (indatalen < 32)
4401 * Old format trancated by MPI handling.
4403 old_format_len = indatalen;
4409 fixbuf = xtrymalloc (fixuplen + indatalen);
4411 return gpg_error_from_syserror ();
4413 /* Build 'Cipher DO' */
4415 fixbuf[1] = (char)(indatalen+5);
4418 fixbuf[4] = (char)(indatalen+2);
4420 fixbuf[6] = (char)indatalen;
4423 memset (fixbuf+fixuplen, 0, 32 - old_format_len);
4424 memcpy (fixbuf+fixuplen + 32 - old_format_len,
4425 indata, old_format_len);
4429 memcpy (fixbuf+fixuplen, indata, indatalen);
4432 indatalen = fixuplen + indatalen;
4437 return gpg_error (GPG_ERR_INV_VALUE);
4439 if (app->app_local->cardcap.ext_lc_le
4441 || (app->app_local->keyattr[1].key_type == KEY_TYPE_RSA
4442 && app->app_local->keyattr[1].rsa.n_bits > RSA_SMALL_SIZE_OP)))
4444 exmode = 1; /* Extended length w/o a limit. */
4445 le_value = app->app_local->keyattr[1].rsa.n_bits / 8;
4447 else if (app->app_local->cardcap.cmd_chaining && indatalen > 254)
4449 exmode = -254; /* Command chaining with max. 254 bytes. */
4453 exmode = le_value = 0;
4455 rc = iso7816_decipher (app->slot, exmode,
4456 indata, indatalen, le_value, padind,
4457 outdata, outdatalen);
4459 if (app->app_local->keyattr[1].key_type == KEY_TYPE_ECC)
4461 unsigned char prefix = 0;
4463 if (app->app_local->keyattr[1].ecc.flags & ECC_FLAG_DJB_TWEAK)
4465 else if ((*outdatalen % 2) == 0) /* No 0x04 -> x-coordinate only */
4469 { /* Add the prefix */
4470 fixbuf = xtrymalloc (*outdatalen + 1);
4474 return gpg_error_from_syserror ();
4477 memcpy (fixbuf+1, *outdata, *outdatalen);
4480 *outdatalen = *outdatalen + 1;
4484 if (gpg_err_code (rc) == GPG_ERR_CARD /* actual SW is 0x640a */
4485 && app->app_local->manufacturer == 5
4486 && app->card_version == 0x0200)
4487 log_info ("NOTE: Cards with manufacturer id 5 and s/n <= 346 (0x15a)"
4488 " do not work with encryption keys > 2048 bits\n");
4490 *r_info |= APP_DECIPHER_INFO_NOPAD;
4496 /* Perform a simple verify operation for CHV1 and CHV2, so that
4497 further operations won't ask for CHV2 and it is possible to do a
4498 cheap check on the PIN: If there is something wrong with the PIN
4499 entry system, only the regular CHV will get blocked and not the
4500 dangerous CHV3. KEYIDSTR is the usual card's serial number; an
4501 optional fingerprint part will be ignored.
4503 There is a special mode if the keyidstr is "<serialno>[CHV3]" with
4504 the "[CHV3]" being a literal string: The Admin Pin is checked if
4505 and only if the retry counter is still at 3. */
4507 do_check_pin (app_t app, const char *keyidstr,
4508 gpg_error_t (*pincb)(void*, const char *, char **),
4511 unsigned char tmp_sn[20];
4516 if (!keyidstr || !*keyidstr)
4517 return gpg_error (GPG_ERR_INV_VALUE);
4519 /* Check whether an OpenPGP card of any version has been requested. */
4520 if (strlen (keyidstr) < 32 || strncmp (keyidstr, "D27600012401", 12))
4521 return gpg_error (GPG_ERR_INV_ID);
4523 for (s=keyidstr, n=0; hexdigitp (s); s++, n++)
4526 return gpg_error (GPG_ERR_INV_ID);
4528 ; /* No fingerprint given: we allow this for now. */
4530 ; /* We ignore a fingerprint. */
4531 else if (!strcmp (s, "[CHV3]") )
4534 return gpg_error (GPG_ERR_INV_ID);
4536 for (s=keyidstr, n=0; n < 16; s += 2, n++)
4537 tmp_sn[n] = xtoi_2 (s);
4539 if (app->serialnolen != 16)
4540 return gpg_error (GPG_ERR_INV_CARD);
4541 if (memcmp (app->serialno, tmp_sn, 16))
4542 return gpg_error (GPG_ERR_WRONG_CARD);
4544 /* Yes, there is a race conditions: The user might pull the card
4545 right here and we won't notice that. However this is not a
4546 problem and the check above is merely for a graceful failure
4547 between operations. */
4552 unsigned char *value;
4556 relptr = get_one_do (app, 0x00C4, &value, &valuelen, NULL);
4557 if (!relptr || valuelen < 7)
4559 log_error (_("error retrieving CHV status from card\n"));
4561 return gpg_error (GPG_ERR_CARD);
4568 log_info (_("card is permanently locked!\n"));
4569 return gpg_error (GPG_ERR_BAD_PIN);
4573 log_info (_("verification of Admin PIN is currently prohibited "
4574 "through this command\n"));
4575 return gpg_error (GPG_ERR_GENERAL);
4578 app->did_chv3 = 0; /* Force verification. */
4579 return verify_chv3 (app, pincb, pincb_arg);
4582 return verify_chv2 (app, pincb, pincb_arg);
4586 /* Show information about card capabilities. */
4588 show_caps (struct app_local_s *s)
4590 log_info ("Version-2 ......: %s\n", s->extcap.is_v2? "yes":"no");
4591 log_info ("Get-Challenge ..: %s", s->extcap.get_challenge? "yes":"no");
4592 if (s->extcap.get_challenge)
4593 log_printf (" (%u bytes max)", s->extcap.max_get_challenge);
4594 log_info ("Key-Import .....: %s\n", s->extcap.key_import? "yes":"no");
4595 log_info ("Change-Force-PW1: %s\n", s->extcap.change_force_chv? "yes":"no");
4596 log_info ("Private-DOs ....: %s\n", s->extcap.private_dos? "yes":"no");
4597 log_info ("Algo-Attr-Change: %s\n", s->extcap.algo_attr_change? "yes":"no");
4598 log_info ("SM-Support .....: %s", s->extcap.sm_supported? "yes":"no");
4599 if (s->extcap.sm_supported)
4600 log_printf (" (%s)", s->extcap.sm_algo==2? "3DES":
4601 (s->extcap.sm_algo==2? "AES-128" : "AES-256"));
4602 log_info ("Max-Cert3-Len ..: %u\n", s->extcap.max_certlen_3);
4603 log_info ("Cmd-Chaining ...: %s\n", s->cardcap.cmd_chaining?"yes":"no");
4604 log_info ("Ext-Lc-Le ......: %s\n", s->cardcap.ext_lc_le?"yes":"no");
4605 log_info ("Status Indicator: %02X\n", s->status_indicator);
4606 log_info ("Symmetric crypto: %s\n", s->extcap.has_decrypt? "yes":"no");
4607 log_info ("Button..........: %s\n", s->extcap.has_button? "yes":"no");
4609 log_info ("GnuPG-No-Sync ..: %s\n", s->flags.no_sync? "yes":"no");
4610 log_info ("GnuPG-Def-PW2 ..: %s\n", s->flags.def_chv2? "yes":"no");
4614 /* Parse the historical bytes in BUFFER of BUFLEN and store them in
4617 parse_historical (struct app_local_s *apploc,
4618 const unsigned char * buffer, size_t buflen)
4620 /* Example buffer: 00 31 C5 73 C0 01 80 00 90 00 */
4623 log_error ("warning: historical bytes are too short\n");
4624 return; /* Too short. */
4628 log_error ("warning: bad category indicator in historical bytes\n");
4632 /* Skip category indicator. */
4636 /* Get the status indicator. */
4637 apploc->status_indicator = buffer[buflen-3];
4640 /* Parse the compact TLV. */
4643 unsigned int tag = (*buffer & 0xf0) >> 4;
4644 unsigned int len = (*buffer & 0x0f);
4647 log_error ("warning: bad Compact-TLV in historical bytes\n");
4648 return; /* Error. */
4652 if (tag == 7 && len == 3)
4654 /* Card capabilities. */
4655 apploc->cardcap.cmd_chaining = !!(buffer[2] & 0x80);
4656 apploc->cardcap.ext_lc_le = !!(buffer[2] & 0x40);
4665 * Check if the OID in an DER encoding is available by GnuPG/libgcrypt,
4666 * and return the curve name. Return NULL if not available.
4667 * The constant string is not allocated dynamically, never free it.
4670 ecc_curve (unsigned char *buf, size_t buflen)
4675 unsigned char *oidbuf;
4677 oidbuf = xtrymalloc (buflen + 1);
4681 memcpy (oidbuf+1, buf, buflen);
4683 oid = gcry_mpi_set_opaque (NULL, oidbuf, (buflen+1) * 8);
4690 oidstr = openpgp_oid_to_str (oid);
4691 gcry_mpi_release (oid);
4695 result = openpgp_oid_to_curve (oidstr, 1);
4701 /* Parse and optionally show the algorithm attributes for KEYNO.
4702 KEYNO must be in the range 0..2. */
4704 parse_algorithm_attribute (app_t app, int keyno)
4706 unsigned char *buffer;
4709 const char desc[3][5] = {"sign", "encr", "auth"};
4711 assert (keyno >=0 && keyno <= 2);
4713 app->app_local->keyattr[keyno].key_type = KEY_TYPE_RSA;
4714 app->app_local->keyattr[keyno].rsa.n_bits = 0;
4716 relptr = get_one_do (app, 0xC1+keyno, &buffer, &buflen, NULL);
4719 log_error ("error reading DO 0x%02X\n", 0xc1+keyno);
4724 log_error ("error reading DO 0x%02X\n", 0xc1+keyno);
4730 log_info ("Key-Attr-%s ..: ", desc[keyno]);
4731 if (*buffer == PUBKEY_ALGO_RSA && (buflen == 5 || buflen == 6))
4733 app->app_local->keyattr[keyno].rsa.n_bits = (buffer[1]<<8 | buffer[2]);
4734 app->app_local->keyattr[keyno].rsa.e_bits = (buffer[3]<<8 | buffer[4]);
4735 app->app_local->keyattr[keyno].rsa.format = 0;
4737 app->app_local->keyattr[keyno].rsa.format = RSA_STD;
4739 app->app_local->keyattr[keyno].rsa.format = (buffer[5] == 0? RSA_STD :
4740 buffer[5] == 1? RSA_STD_N :
4741 buffer[5] == 2? RSA_CRT :
4742 buffer[5] == 3? RSA_CRT_N :
4747 ("RSA, n=%u, e=%u, fmt=%s\n",
4748 app->app_local->keyattr[keyno].rsa.n_bits,
4749 app->app_local->keyattr[keyno].rsa.e_bits,
4750 app->app_local->keyattr[keyno].rsa.format == RSA_STD? "std" :
4751 app->app_local->keyattr[keyno].rsa.format == RSA_STD_N?"std+n":
4752 app->app_local->keyattr[keyno].rsa.format == RSA_CRT? "crt" :
4753 app->app_local->keyattr[keyno].rsa.format == RSA_CRT_N?"crt+n":"?");
4755 else if (*buffer == PUBKEY_ALGO_ECDH || *buffer == PUBKEY_ALGO_ECDSA
4756 || *buffer == PUBKEY_ALGO_EDDSA)
4759 int oidlen = buflen - 1;
4761 app->app_local->keyattr[keyno].ecc.flags = 0;
4763 if (buffer[buflen-1] == 0x00 || buffer[buflen-1] == 0xff)
4764 { /* Found "pubkey required"-byte for private key template. */
4766 if (buffer[buflen-1] == 0xff)
4767 app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_PUBKEY;
4770 curve = ecc_curve (buffer + 1, oidlen);
4773 log_printhex ("Curve with OID not supported: ", buffer+1, buflen-1);
4776 app->app_local->keyattr[keyno].key_type = KEY_TYPE_ECC;
4777 app->app_local->keyattr[keyno].ecc.curve = curve;
4778 if (*buffer == PUBKEY_ALGO_EDDSA
4779 || (*buffer == PUBKEY_ALGO_ECDH
4780 && !strcmp (app->app_local->keyattr[keyno].ecc.curve,
4782 app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_DJB_TWEAK;
4785 ("ECC, curve=%s%s\n", app->app_local->keyattr[keyno].ecc.curve,
4786 !(app->app_local->keyattr[keyno].ecc.flags & ECC_FLAG_DJB_TWEAK)?
4787 "": keyno==1? " (djb-tweak)": " (eddsa)");
4790 else if (opt.verbose)
4791 log_printhex ("", buffer, buflen);
4796 /* Select the OpenPGP application on the card in SLOT. This function
4797 must be used before any other OpenPGP application functions. */
4799 app_select_openpgp (app_t app)
4801 static char const aid[] = { 0xD2, 0x76, 0x00, 0x01, 0x24, 0x01 };
4802 int slot = app->slot;
4804 unsigned char *buffer;
4808 /* Note that the card can't cope with P2=0xCO, thus we need to pass a
4809 special flag value. */
4810 rc = iso7816_select_application (slot, aid, sizeof aid, 0x0001);
4813 unsigned int manufacturer;
4815 app->apptype = "OPENPGP";
4820 app->app_local = NULL;
4822 /* The OpenPGP card returns the serial number as part of the
4823 AID; because we prefer to use OpenPGP serial numbers, we
4824 replace a possibly already set one from a EF.GDO with this
4825 one. Note, that for current OpenPGP cards, no EF.GDO exists
4826 and thus it won't matter at all. */
4827 rc = iso7816_get_data (slot, 0, 0x004F, &buffer, &buflen);
4833 log_printhex ("", buffer, buflen);
4836 app->card_version = buffer[6] << 8;
4837 app->card_version |= buffer[7];
4838 manufacturer = (buffer[8]<<8 | buffer[9]);
4840 xfree (app->serialno);
4841 app->serialno = buffer;
4842 app->serialnolen = buflen;
4844 app->app_local = xtrycalloc (1, sizeof *app->app_local);
4845 if (!app->app_local)
4847 rc = gpg_error (gpg_err_code_from_errno (errno));
4851 app->app_local->manufacturer = manufacturer;
4853 if (app->card_version >= 0x0200)
4854 app->app_local->extcap.is_v2 = 1;
4857 /* Read the historical bytes. */
4858 relptr = get_one_do (app, 0x5f52, &buffer, &buflen, NULL);
4863 log_info ("Historical Bytes: ");
4864 log_printhex ("", buffer, buflen);
4866 parse_historical (app->app_local, buffer, buflen);
4870 /* Read the force-chv1 flag. */
4871 relptr = get_one_do (app, 0x00C4, &buffer, &buflen, NULL);
4874 log_error (_("can't access %s - invalid OpenPGP card?\n"),
4875 "CHV Status Bytes");
4878 app->force_chv1 = (buflen && *buffer == 0);
4881 /* Read the extended capabilities. */
4882 relptr = get_one_do (app, 0x00C0, &buffer, &buflen, NULL);
4885 log_error (_("can't access %s - invalid OpenPGP card?\n"),
4886 "Extended Capability Flags" );
4891 app->app_local->extcap.sm_supported = !!(*buffer & 0x80);
4892 app->app_local->extcap.get_challenge = !!(*buffer & 0x40);
4893 app->app_local->extcap.key_import = !!(*buffer & 0x20);
4894 app->app_local->extcap.change_force_chv = !!(*buffer & 0x10);
4895 app->app_local->extcap.private_dos = !!(*buffer & 0x08);
4896 app->app_local->extcap.algo_attr_change = !!(*buffer & 0x04);
4897 app->app_local->extcap.has_decrypt = !!(*buffer & 0x02);
4901 /* Available with v2 cards. */
4902 app->app_local->extcap.sm_algo = buffer[1];
4903 app->app_local->extcap.max_get_challenge
4904 = (buffer[2] << 8 | buffer[3]);
4905 app->app_local->extcap.max_certlen_3 = (buffer[4] << 8 | buffer[5]);
4909 /* Some of the first cards accidentally don't set the
4910 CHANGE_FORCE_CHV bit but allow it anyway. */
4911 if (app->card_version <= 0x0100 && manufacturer == 1)
4912 app->app_local->extcap.change_force_chv = 1;
4914 /* Check optional DO of "General Feature Management" for button. */
4915 relptr = get_one_do (app, 0x7f74, &buffer, &buflen, NULL);
4917 /* It must be: 03 81 01 20 */
4918 app->app_local->extcap.has_button = 1;
4920 parse_login_data (app);
4923 show_caps (app->app_local);
4925 parse_algorithm_attribute (app, 0);
4926 parse_algorithm_attribute (app, 1);
4927 parse_algorithm_attribute (app, 2);
4929 if (opt.verbose > 1)
4932 app->fnc.deinit = do_deinit;
4933 app->fnc.learn_status = do_learn_status;
4934 app->fnc.readcert = do_readcert;
4935 app->fnc.readkey = do_readkey;
4936 app->fnc.getattr = do_getattr;
4937 app->fnc.setattr = do_setattr;
4938 app->fnc.writecert = do_writecert;
4939 app->fnc.writekey = do_writekey;
4940 app->fnc.genkey = do_genkey;
4941 app->fnc.sign = do_sign;
4942 app->fnc.auth = do_auth;
4943 app->fnc.decipher = do_decipher;
4944 app->fnc.change_pin = do_change_pin;
4945 app->fnc.check_pin = do_check_pin;