diff options
Diffstat (limited to 'libcacard/vcard_emul_nss.c')
-rw-r--r-- | libcacard/vcard_emul_nss.c | 1274 |
1 files changed, 0 insertions, 1274 deletions
diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c deleted file mode 100644 index d9761eedc2..0000000000 --- a/libcacard/vcard_emul_nss.c +++ /dev/null @@ -1,1274 +0,0 @@ -/* - * This is the actual card emulator. - * - * These functions can be implemented in different ways on different platforms - * using the underlying system primitives. For Linux it uses NSS, though direct - * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be - * used. On Windows CAPI could be used. - * - * This work is licensed under the terms of the GNU LGPL, version 2.1 or later. - * See the COPYING.LIB file in the top-level directory. - */ - -/* - * NSS headers - */ - -/* avoid including prototypes.h that redefines uint32 */ -#define NO_NSPR_10_SUPPORT - -#include <nss.h> -#include <pk11pub.h> -#include <cert.h> -#include <key.h> -#include <secmod.h> -#include <prthread.h> -#include <secerr.h> - -#include "glib-compat.h" - -#include "vcard.h" -#include "card_7816t.h" -#include "vcard_emul.h" -#include "vreader.h" -#include "vevent.h" - -#include "vcardt_internal.h" - - -typedef enum { - VCardEmulUnknown = -1, - VCardEmulFalse = 0, - VCardEmulTrue = 1 -} VCardEmulTriState; - -struct VCardKeyStruct { - CERTCertificate *cert; - PK11SlotInfo *slot; - SECKEYPrivateKey *key; - VCardEmulTriState failedX509; -}; - - -typedef struct VirtualReaderOptionsStruct VirtualReaderOptions; - -struct VReaderEmulStruct { - PK11SlotInfo *slot; - VCardEmulType default_type; - char *type_params; - PRBool present; - int series; - VCard *saved_vcard; -}; - -/* - * NSS Specific options - */ -struct VirtualReaderOptionsStruct { - char *name; - char *vname; - VCardEmulType card_type; - char *type_params; - char **cert_name; - int cert_count; -}; - -struct VCardEmulOptionsStruct { - void *nss_db; - VirtualReaderOptions *vreader; - int vreader_count; - VCardEmulType hw_card_type; - const char *hw_type_params; - PRBool use_hw; -}; - -static int nss_emul_init; - -/* if we have more that just the slot, define - * VCardEmulStruct here */ - -/* - * allocate the set of arrays for certs, cert_len, key - */ -static void -vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp, - VCardKey ***keysp, int cert_count) -{ - *certsp = g_new(unsigned char *, cert_count); - *cert_lenp = g_new(int, cert_count); - *keysp = g_new(VCardKey *, cert_count); -} - -/* - * Emulator specific card information - */ -typedef struct CardEmulCardStruct CardEmulPrivate; - -static VCardEmul * -vcard_emul_new_card(PK11SlotInfo *slot) -{ - PK11_ReferenceSlot(slot); - /* currently we don't need anything other than the slot */ - return (VCardEmul *)slot; -} - -static void -vcard_emul_delete_card(VCardEmul *vcard_emul) -{ - PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul; - if (slot == NULL) { - return; - } - PK11_FreeSlot(slot); -} - -static PK11SlotInfo * -vcard_emul_card_get_slot(VCard *card) -{ - /* note, the card is holding the reference, no need to get another one */ - return (PK11SlotInfo *)vcard_get_private(card); -} - - -/* - * key functions - */ -/* private constructure */ -static VCardKey * -vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert) -{ - VCardKey *key; - - key = g_new(VCardKey, 1); - key->slot = PK11_ReferenceSlot(slot); - key->cert = CERT_DupCertificate(cert); - /* NOTE: if we aren't logged into the token, this could return NULL */ - /* NOTE: the cert is a temp cert, not necessarily the cert in the token, - * use the DER version of this function */ - key->key = PK11_FindKeyByDERCert(slot, cert, NULL); - key->failedX509 = VCardEmulUnknown; - return key; -} - -/* destructor */ -void -vcard_emul_delete_key(VCardKey *key) -{ - if (!nss_emul_init || (key == NULL)) { - return; - } - if (key->key) { - SECKEY_DestroyPrivateKey(key->key); - key->key = NULL; - } - if (key->cert) { - CERT_DestroyCertificate(key->cert); - } - if (key->slot) { - PK11_FreeSlot(key->slot); - } -} - -/* - * grab the nss key from a VCardKey. If it doesn't exist, try to look it up - */ -static SECKEYPrivateKey * -vcard_emul_get_nss_key(VCardKey *key) -{ - if (key->key) { - return key->key; - } - /* NOTE: if we aren't logged into the token, this could return NULL */ - key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL); - return key->key; -} - -/* - * Map NSS errors to 7816 errors - */ -static vcard_7816_status_t -vcard_emul_map_error(int error) -{ - switch (error) { - case SEC_ERROR_TOKEN_NOT_LOGGED_IN: - return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; - case SEC_ERROR_BAD_DATA: - case SEC_ERROR_OUTPUT_LEN: - case SEC_ERROR_INPUT_LEN: - case SEC_ERROR_INVALID_ARGS: - case SEC_ERROR_INVALID_ALGORITHM: - case SEC_ERROR_NO_KEY: - case SEC_ERROR_INVALID_KEY: - case SEC_ERROR_DECRYPTION_DISALLOWED: - return VCARD7816_STATUS_ERROR_DATA_INVALID; - case SEC_ERROR_NO_MEMORY: - return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE; - } - return VCARD7816_STATUS_EXC_ERROR_CHANGE; -} - -/* RSA sign/decrypt with the key, signature happens 'in place' */ -vcard_7816_status_t -vcard_emul_rsa_op(VCard *card, VCardKey *key, - unsigned char *buffer, int buffer_size) -{ - SECKEYPrivateKey *priv_key; - unsigned signature_len; - PK11SlotInfo *slot; - SECStatus rv; - unsigned char buf[2048]; - unsigned char *bp = NULL; - int pad_len; - vcard_7816_status_t ret = VCARD7816_STATUS_SUCCESS; - - if ((!nss_emul_init) || (key == NULL)) { - /* couldn't get the key, indicate that we aren't logged in */ - return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; - } - priv_key = vcard_emul_get_nss_key(key); - if (priv_key == NULL) { - /* couldn't get the key, indicate that we aren't logged in */ - return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; - } - slot = vcard_emul_card_get_slot(card); - - /* - * this is only true of the rsa signature - */ - signature_len = PK11_SignatureLen(priv_key); - if (buffer_size != signature_len) { - return VCARD7816_STATUS_ERROR_DATA_INVALID; - } - /* be able to handle larger keys if necessariy */ - bp = &buf[0]; - if (sizeof(buf) < signature_len) { - bp = g_malloc(signature_len); - } - - /* - * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then - * choke when they try to do the actual operations. Try to detect - * those cases and treat them as if the token didn't claim support for - * X_509. - */ - if (key->failedX509 != VCardEmulTrue - && PK11_DoesMechanism(slot, CKM_RSA_X_509)) { - rv = PK11_PrivDecryptRaw(priv_key, bp, &signature_len, signature_len, - buffer, buffer_size); - if (rv == SECSuccess) { - assert(buffer_size == signature_len); - memcpy(buffer, bp, signature_len); - key->failedX509 = VCardEmulFalse; - goto cleanup; - } - /* - * we've had a successful X509 operation, this failure must be - * somethine else - */ - if (key->failedX509 == VCardEmulFalse) { - ret = vcard_emul_map_error(PORT_GetError()); - goto cleanup; - } - /* - * key->failedX509 must be Unknown at this point, try the - * non-x_509 case - */ - } - /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */ - /* is this a PKCS #1 formatted signature? */ - if ((buffer[0] == 0) && (buffer[1] == 1)) { - int i; - - for (i = 2; i < buffer_size; i++) { - /* rsa signature pad */ - if (buffer[i] != 0xff) { - break; - } - } - if ((i < buffer_size) && (buffer[i] == 0)) { - /* yes, we have a properly formatted PKCS #1 signature */ - /* - * NOTE: even if we accidentally got an encrypt buffer, which - * through sheer luck started with 00, 01, ff, 00, it won't matter - * because the resulting Sign operation will effectively decrypt - * the real buffer. - */ - SECItem signature; - SECItem hash; - - i++; - hash.data = &buffer[i]; - hash.len = buffer_size - i; - signature.data = bp; - signature.len = signature_len; - rv = PK11_Sign(priv_key, &signature, &hash); - if (rv != SECSuccess) { - ret = vcard_emul_map_error(PORT_GetError()); - goto cleanup; - } - assert(buffer_size == signature.len); - memcpy(buffer, bp, signature.len); - /* - * we got here because either the X509 attempt failed, or the - * token couldn't do the X509 operation, in either case stay - * with the PKCS version for future operations on this key - */ - key->failedX509 = VCardEmulTrue; - goto cleanup; - } - } - pad_len = buffer_size - signature_len; - assert(pad_len < 4); - /* - * OK now we've decrypted the payload, package it up in PKCS #1 for the - * upper layer. - */ - buffer[0] = 0; - buffer[1] = 2; /* RSA_encrypt */ - pad_len -= 3; /* format is 0 || 2 || pad || 0 || data */ - /* - * padding for PKCS #1 encrypted data is a string of random bytes. The - * random butes protect against potential decryption attacks against RSA. - * Since PrivDecrypt has already stripped those bytes, we can't reconstruct - * them. This shouldn't matter to the upper level code which should just - * strip this code out anyway, so We'll pad with a constant 3. - */ - memset(&buffer[2], 0x03, pad_len); - pad_len += 2; /* index to the end of the pad */ - buffer[pad_len] = 0; - pad_len++; /* index to the start of the data */ - memcpy(&buffer[pad_len], bp, signature_len); - /* - * we got here because either the X509 attempt failed, or the - * token couldn't do the X509 operation, in either case stay - * with the PKCS version for future operations on this key - */ - key->failedX509 = VCardEmulTrue; -cleanup: - if (bp != buf) { - g_free(bp); - } - return ret; -} - -/* - * Login functions - */ -/* return the number of login attempts still possible on the card. if unknown, - * return -1 */ -int -vcard_emul_get_login_count(VCard *card) -{ - return -1; -} - -/* login into the card, return the 7816 status word (sw2 || sw1) */ -vcard_7816_status_t -vcard_emul_login(VCard *card, unsigned char *pin, int pin_len) -{ - PK11SlotInfo *slot; - unsigned char *pin_string; - int i; - SECStatus rv; - - if (!nss_emul_init) { - return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; - } - slot = vcard_emul_card_get_slot(card); - /* We depend on the PKCS #11 module internal login state here because we - * create a separate process to handle each guest instance. If we needed - * to handle multiple guests from one process, then we would need to keep - * a lot of extra state in our card structure - * */ - pin_string = g_malloc(pin_len+1); - memcpy(pin_string, pin, pin_len); - pin_string[pin_len] = 0; - - /* handle CAC expanded pins correctly */ - for (i = pin_len-1; i >= 0 && (pin_string[i] == 0xff); i--) { - pin_string[i] = 0; - } - - rv = PK11_Authenticate(slot, PR_FALSE, pin_string); - memset(pin_string, 0, pin_len); /* don't let the pin hang around in memory - to be snooped */ - g_free(pin_string); - if (rv == SECSuccess) { - return VCARD7816_STATUS_SUCCESS; - } - /* map the error from port get error */ - return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; -} - -void -vcard_emul_logout(VCard *card) -{ - PK11SlotInfo *slot; - - if (!nss_emul_init) { - return; - } - - slot = vcard_emul_card_get_slot(card); - if (PK11_IsLoggedIn(slot, NULL)) { - PK11_Logout(slot); /* NOTE: ignoring SECStatus return value */ - } -} - -void -vcard_emul_reset(VCard *card, VCardPower power) -{ - /* - * if we reset the card (either power on or power off), we lose our login - * state - */ - vcard_emul_logout(card); - - /* TODO: we may also need to send insertion/removal events? */ -} - -static VReader * -vcard_emul_find_vreader_from_slot(PK11SlotInfo *slot) -{ - VReaderList *reader_list = vreader_get_reader_list(); - VReaderListEntry *current_entry; - - if (reader_list == NULL) { - return NULL; - } - for (current_entry = vreader_list_get_first(reader_list); current_entry; - current_entry = vreader_list_get_next(current_entry)) { - VReader *reader = vreader_list_get_reader(current_entry); - VReaderEmul *reader_emul = vreader_get_private(reader); - if (reader_emul->slot == slot) { - vreader_list_delete(reader_list); - return reader; - } - vreader_free(reader); - } - - vreader_list_delete(reader_list); - return NULL; -} - -/* - * create a new reader emul - */ -static VReaderEmul * -vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params) -{ - VReaderEmul *new_reader_emul; - - new_reader_emul = g_new(VReaderEmul, 1); - - new_reader_emul->slot = PK11_ReferenceSlot(slot); - new_reader_emul->default_type = type; - new_reader_emul->type_params = g_strdup(params); - new_reader_emul->present = PR_FALSE; - new_reader_emul->series = 0; - new_reader_emul->saved_vcard = NULL; - return new_reader_emul; -} - -static void -vreader_emul_delete(VReaderEmul *vreader_emul) -{ - if (vreader_emul == NULL) { - return; - } - if (vreader_emul->slot) { - PK11_FreeSlot(vreader_emul->slot); - } - g_free(vreader_emul->type_params); - g_free(vreader_emul); -} - -/* - * TODO: move this to emulater non-specific file - */ -static VCardEmulType -vcard_emul_get_type(VReader *vreader) -{ - VReaderEmul *vreader_emul; - - vreader_emul = vreader_get_private(vreader); - if (vreader_emul && vreader_emul->default_type != VCARD_EMUL_NONE) { - return vreader_emul->default_type; - } - - return vcard_emul_type_select(vreader); -} -/* - * TODO: move this to emulater non-specific file - */ -static const char * -vcard_emul_get_type_params(VReader *vreader) -{ - VReaderEmul *vreader_emul; - - vreader_emul = vreader_get_private(vreader); - if (vreader_emul && vreader_emul->type_params) { - return vreader_emul->type_params; - } - - return ""; -} - -/* pull the slot out of the reader private data */ -static PK11SlotInfo * -vcard_emul_reader_get_slot(VReader *vreader) -{ - VReaderEmul *vreader_emul = vreader_get_private(vreader); - if (vreader_emul == NULL) { - return NULL; - } - return vreader_emul->slot; -} - -/* - * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate - * historical bytes for any software emulated card. The remaining bytes can be - * used to indicate the actual emulator - */ -static unsigned char *nss_atr; -static int nss_atr_len; - -void -vcard_emul_get_atr(VCard *card, unsigned char *atr, int *atr_len) -{ - int len; - assert(atr != NULL); - - if (nss_atr == NULL) { - nss_atr = vcard_alloc_atr("NSS", &nss_atr_len); - } - len = MIN(nss_atr_len, *atr_len); - memcpy(atr, nss_atr, len); - *atr_len = len; -} - -/* - * create a new card from certs and keys - */ -static VCard * -vcard_emul_make_card(VReader *reader, - unsigned char * const *certs, int *cert_len, - VCardKey *keys[], int cert_count) -{ - VCardEmul *vcard_emul; - VCard *vcard; - PK11SlotInfo *slot; - VCardEmulType type; - const char *params; - - type = vcard_emul_get_type(reader); - - /* ignore the inserted card */ - if (type == VCARD_EMUL_NONE) { - return NULL; - } - slot = vcard_emul_reader_get_slot(reader); - if (slot == NULL) { - return NULL; - } - - params = vcard_emul_get_type_params(reader); - /* params these can be NULL */ - - vcard_emul = vcard_emul_new_card(slot); - if (vcard_emul == NULL) { - return NULL; - } - vcard = vcard_new(vcard_emul, vcard_emul_delete_card); - if (vcard == NULL) { - vcard_emul_delete_card(vcard_emul); - return NULL; - } - vcard_init(reader, vcard, type, params, certs, cert_len, keys, cert_count); - return vcard; -} - - -/* - * 'clone' a physical card as a virtual card - */ -static VCard * -vcard_emul_mirror_card(VReader *vreader) -{ - /* - * lookup certs using the C_FindObjects. The Stan Cert handle won't give - * us the real certs until we log in. - */ - PK11GenericObject *firstObj, *thisObj; - int cert_count; - unsigned char **certs; - int *cert_len; - VCardKey **keys; - PK11SlotInfo *slot; - VCard *card; - - slot = vcard_emul_reader_get_slot(vreader); - if (slot == NULL) { - return NULL; - } - - firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE); - if (firstObj == NULL) { - return NULL; - } - - /* count the certs */ - cert_count = 0; - for (thisObj = firstObj; thisObj; - thisObj = PK11_GetNextGenericObject(thisObj)) { - cert_count++; - } - - /* allocate the arrays */ - vcard_emul_alloc_arrays(&certs, &cert_len, &keys, cert_count); - - /* fill in the arrays */ - cert_count = 0; - for (thisObj = firstObj; thisObj; - thisObj = PK11_GetNextGenericObject(thisObj)) { - SECItem derCert; - CERTCertificate *cert; - SECStatus rv; - - rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj, - CKA_VALUE, &derCert); - if (rv != SECSuccess) { - continue; - } - /* create floating temp cert. This gives us a cert structure even if - * the token isn't logged in */ - cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert, - NULL, PR_FALSE, PR_TRUE); - SECITEM_FreeItem(&derCert, PR_FALSE); - if (cert == NULL) { - continue; - } - - certs[cert_count] = cert->derCert.data; - cert_len[cert_count] = cert->derCert.len; - keys[cert_count] = vcard_emul_make_key(slot, cert); - cert_count++; - CERT_DestroyCertificate(cert); /* key obj still has a reference */ - } - - /* now create the card */ - card = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); - g_free(certs); - g_free(cert_len); - g_free(keys); - - return card; -} - -static VCardEmulType default_card_type = VCARD_EMUL_NONE; -static const char *default_type_params = ""; - -/* - * This thread looks for card and reader insertions and puts events on the - * event queue - */ -static void -vcard_emul_event_thread(void *arg) -{ - PK11SlotInfo *slot; - VReader *vreader; - VReaderEmul *vreader_emul; - VCard *vcard; - SECMODModule *module = (SECMODModule *)arg; - - do { - /* - * XXX - the latency value doesn't matter one bit. you only get no - * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500), - * hard coded in coolkey. And it isn't coolkey's fault - the timeout - * value we pass get's dropped on the floor before C_WaitForSlotEvent - * is called. - */ - slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500); - if (slot == NULL) { - /* this could be just a no event indication */ - if (PORT_GetError() == SEC_ERROR_NO_EVENT) { - continue; - } - break; - } - vreader = vcard_emul_find_vreader_from_slot(slot); - if (vreader == NULL) { - /* new vreader */ - vreader_emul = vreader_emul_new(slot, default_card_type, - default_type_params); - vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, - vreader_emul_delete); - PK11_FreeSlot(slot); - slot = NULL; - vreader_add_reader(vreader); - vreader_free(vreader); - continue; - } - /* card remove/insert */ - vreader_emul = vreader_get_private(vreader); - if (PK11_IsPresent(slot)) { - int series = PK11_GetSlotSeries(slot); - if (series != vreader_emul->series) { - if (vreader_emul->present) { - vreader_insert_card(vreader, NULL); - } - vcard = vcard_emul_mirror_card(vreader); - vreader_insert_card(vreader, vcard); - vcard_free(vcard); - } - vreader_emul->series = series; - vreader_emul->present = 1; - vreader_free(vreader); - PK11_FreeSlot(slot); - continue; - } - if (vreader_emul->present) { - vreader_insert_card(vreader, NULL); - } - vreader_emul->series = 0; - vreader_emul->present = 0; - PK11_FreeSlot(slot); - vreader_free(vreader); - } while (1); -} - -/* if the card is inserted when we start up, make sure our state is correct */ -static void -vcard_emul_init_series(VReader *vreader, VCard *vcard) -{ - VReaderEmul *vreader_emul = vreader_get_private(vreader); - PK11SlotInfo *slot = vreader_emul->slot; - - vreader_emul->present = PK11_IsPresent(slot); - vreader_emul->series = PK11_GetSlotSeries(slot); - if (vreader_emul->present == 0) { - vreader_insert_card(vreader, NULL); - } -} - -/* - * each module has a separate wait call, create a thread for each module that - * we are using. - */ -static void -vcard_emul_new_event_thread(SECMODModule *module) -{ - PR_CreateThread(PR_SYSTEM_THREAD, vcard_emul_event_thread, - module, PR_PRIORITY_HIGH, PR_GLOBAL_THREAD, - PR_UNJOINABLE_THREAD, 0); -} - -static const VCardEmulOptions default_options = { - .nss_db = NULL, - .vreader = NULL, - .vreader_count = 0, - .hw_card_type = VCARD_EMUL_CAC, - .hw_type_params = "", - .use_hw = PR_TRUE -}; - - -/* - * NSS needs the app to supply a password prompt. In our case the only time - * the password is supplied is as part of the Login APDU. The actual password - * is passed in the pw_arg in that case. In all other cases pw_arg should be - * NULL. - */ -static char * -vcard_emul_get_password(PK11SlotInfo *slot, PRBool retries, void *pw_arg) -{ - /* if it didn't work the first time, don't keep trying */ - if (retries) { - return NULL; - } - /* we are looking up a password when we don't have one in hand */ - if (pw_arg == NULL) { - return NULL; - } - /* TODO: we really should verify that were are using the right slot */ - return PORT_Strdup(pw_arg); -} - -/* Force a card removal even if the card is not physically removed */ -VCardEmulError -vcard_emul_force_card_remove(VReader *vreader) -{ - if (!nss_emul_init || (vreader_card_is_present(vreader) != VREADER_OK)) { - return VCARD_EMUL_FAIL; /* card is already removed */ - } - - /* OK, remove it */ - vreader_insert_card(vreader, NULL); - return VCARD_EMUL_OK; -} - -/* Re-insert of a card that has been removed by force removal */ -VCardEmulError -vcard_emul_force_card_insert(VReader *vreader) -{ - VReaderEmul *vreader_emul; - VCard *vcard; - - if (!nss_emul_init || (vreader_card_is_present(vreader) == VREADER_OK)) { - return VCARD_EMUL_FAIL; /* card is already removed */ - } - vreader_emul = vreader_get_private(vreader); - - /* if it's a softcard, get the saved vcard from the reader emul structure */ - if (vreader_emul->saved_vcard) { - vcard = vcard_reference(vreader_emul->saved_vcard); - } else { - /* it must be a physical card, rebuild it */ - if (!PK11_IsPresent(vreader_emul->slot)) { - /* physical card has been removed, not way to reinsert it */ - return VCARD_EMUL_FAIL; - } - vcard = vcard_emul_mirror_card(vreader); - } - vreader_insert_card(vreader, vcard); - vcard_free(vcard); - - return VCARD_EMUL_OK; -} - - -static PRBool -module_has_removable_hw_slots(SECMODModule *mod) -{ - int i; - PRBool ret = PR_FALSE; - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); - - if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return ret; - } - SECMOD_GetReadLock(moduleLock); - for (i = 0; i < mod->slotCount; i++) { - PK11SlotInfo *slot = mod->slots[i]; - if (PK11_IsRemovable(slot) && PK11_IsHW(slot)) { - ret = PR_TRUE; - break; - } - } - SECMOD_ReleaseReadLock(moduleLock); - return ret; -} - -/* Previously we returned FAIL if no readers found. This makes - * no sense when using hardware, since there may be no readers connected - * at the time vcard_emul_init is called, but they will be properly - * recognized later. So Instead return FAIL only if no_hw==1 and no - * vcards can be created (indicates error with certificates provided - * or db), or if any other higher level error (NSS error, missing coolkey). */ -static int vcard_emul_init_called; - -VCardEmulError -vcard_emul_init(const VCardEmulOptions *options) -{ - SECStatus rv; - PRBool has_readers = PR_FALSE; - VReader *vreader; - VReaderEmul *vreader_emul; - SECMODListLock *module_lock; - SECMODModuleList *module_list; - SECMODModuleList *mlp; - int i; - - if (vcard_emul_init_called) { - return VCARD_EMUL_INIT_ALREADY_INITED; - } - vcard_emul_init_called = 1; - vreader_init(); - vevent_queue_init(); - - if (options == NULL) { - options = &default_options; - } - - /* first initialize NSS */ - if (options->nss_db) { - rv = NSS_Init(options->nss_db); - } else { - gchar *path; -#ifndef _WIN32 - path = g_strdup("/etc/pki/nssdb"); -#else - if (g_get_system_config_dirs() == NULL || - g_get_system_config_dirs()[0] == NULL) { - return VCARD_EMUL_FAIL; - } - - path = g_build_filename( - g_get_system_config_dirs()[0], "pki", "nssdb", NULL); -#endif - - rv = NSS_Init(path); - g_free(path); - } - if (rv != SECSuccess) { - return VCARD_EMUL_FAIL; - } - /* Set password callback function */ - PK11_SetPasswordFunc(vcard_emul_get_password); - - /* set up soft cards emulated by software certs rather than physical cards - * */ - for (i = 0; i < options->vreader_count; i++) { - int j; - int cert_count; - unsigned char **certs; - int *cert_len; - VCardKey **keys; - PK11SlotInfo *slot; - - slot = PK11_FindSlotByName(options->vreader[i].name); - if (slot == NULL) { - continue; - } - vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, - options->vreader[i].type_params); - vreader = vreader_new(options->vreader[i].vname, vreader_emul, - vreader_emul_delete); - vreader_add_reader(vreader); - - vcard_emul_alloc_arrays(&certs, &cert_len, &keys, - options->vreader[i].cert_count); - - cert_count = 0; - for (j = 0; j < options->vreader[i].cert_count; j++) { - /* we should have a better way of identifying certs than by - * nickname here */ - CERTCertificate *cert = PK11_FindCertFromNickname( - options->vreader[i].cert_name[j], - NULL); - if (cert == NULL) { - continue; - } - certs[cert_count] = cert->derCert.data; - cert_len[cert_count] = cert->derCert.len; - keys[cert_count] = vcard_emul_make_key(slot, cert); - /* this is safe because the key is still holding a cert reference */ - CERT_DestroyCertificate(cert); - cert_count++; - } - if (cert_count) { - VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, - keys, cert_count); - vreader_insert_card(vreader, vcard); - vcard_emul_init_series(vreader, vcard); - /* allow insertion and removal of soft cards */ - vreader_emul->saved_vcard = vcard_reference(vcard); - vcard_free(vcard); - vreader_free(vreader); - has_readers = PR_TRUE; - } - g_free(certs); - g_free(cert_len); - g_free(keys); - } - - /* if we aren't suppose to use hw, skip looking up hardware tokens */ - if (!options->use_hw) { - nss_emul_init = has_readers; - return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; - } - - /* make sure we have some PKCS #11 module loaded */ - module_lock = SECMOD_GetDefaultModuleListLock(); - module_list = SECMOD_GetDefaultModuleList(); - SECMOD_GetReadLock(module_lock); - for (mlp = module_list; mlp; mlp = mlp->next) { - SECMODModule *module = mlp->module; - if (module_has_removable_hw_slots(module)) { - break; - } - } - SECMOD_ReleaseReadLock(module_lock); - - /* now examine all the slots, finding which should be readers */ - /* We should control this with options. For now we mirror out any - * removable hardware slot */ - default_card_type = options->hw_card_type; - default_type_params = g_strdup(options->hw_type_params); - - SECMOD_GetReadLock(module_lock); - for (mlp = module_list; mlp; mlp = mlp->next) { - SECMODModule *module = mlp->module; - - /* Ignore the internal module */ - if (module == NULL || module == SECMOD_GetInternalModule()) { - continue; - } - - for (i = 0; i < module->slotCount; i++) { - PK11SlotInfo *slot = module->slots[i]; - - /* only map removable HW slots */ - if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { - continue; - } - if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) { - /* - * coolkey <= 1.1.0-20 emulates this reader if it can't find - * any hardware readers. This causes problems, warn user of - * problems. - */ - fprintf(stderr, "known bad coolkey version - see " - "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n"); - continue; - } - vreader_emul = vreader_emul_new(slot, options->hw_card_type, - options->hw_type_params); - vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, - vreader_emul_delete); - vreader_add_reader(vreader); - - if (PK11_IsPresent(slot)) { - VCard *vcard; - vcard = vcard_emul_mirror_card(vreader); - vreader_insert_card(vreader, vcard); - vcard_emul_init_series(vreader, vcard); - vcard_free(vcard); - } - } - vcard_emul_new_event_thread(module); - } - SECMOD_ReleaseReadLock(module_lock); - nss_emul_init = PR_TRUE; - - return VCARD_EMUL_OK; -} - -/* Recreate card insert events for all readers (user should - * deduce implied reader insert. perhaps do a reader insert as well?) - */ -void -vcard_emul_replay_insertion_events(void) -{ - VReaderListEntry *current_entry; - VReaderListEntry *next_entry; - VReaderList *list = vreader_get_reader_list(); - - for (current_entry = vreader_list_get_first(list); current_entry; - current_entry = next_entry) { - VReader *vreader = vreader_list_get_reader(current_entry); - next_entry = vreader_list_get_next(current_entry); - vreader_queue_card_event(vreader); - } - - vreader_list_delete(list); -} - -/* - * Silly little functions to help parsing our argument string - */ -static int -count_tokens(const char *str, char token, char token_end) -{ - int count = 0; - - for (; *str; str++) { - if (*str == token) { - count++; - } - if (*str == token_end) { - break; - } - } - return count; -} - -static const char * -strip(const char *str) -{ - for (; *str && isspace(*str); str++) { - } - return str; -} - -static const char * -find_blank(const char *str) -{ - for (; *str && !isspace(*str); str++) { - } - return str; -} - - -/* - * We really want to use some existing argument parsing library here. That - * would give us a consistent look */ -static VCardEmulOptions options; -#define READER_STEP 4 - -/* Expects "args" to be at the beginning of a token (ie right after the ',' - * ending the previous token), and puts the next token start in "token", - * and its length in "token_length". "token" will not be nul-terminated. - * After calling the macro, "args" will be advanced to the beginning of - * the next token. - * This macro may call continue or break. - */ -#define NEXT_TOKEN(token) \ - (token) = args; \ - args = strpbrk(args, ",)"); \ - if (*args == 0) { \ - break; \ - } \ - if (*args == ')') { \ - args++; \ - continue; \ - } \ - (token##_length) = args - (token); \ - args = strip(args+1); - -VCardEmulOptions * -vcard_emul_options(const char *args) -{ - int reader_count = 0; - VCardEmulOptions *opts; - - /* Allow the future use of allocating the options structure on the fly */ - memcpy(&options, &default_options, sizeof(options)); - opts = &options; - - do { - args = strip(args); /* strip off the leading spaces */ - if (*args == ',') { - continue; - } - /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol) - * cert_2,cert_3...) */ - if (strncmp(args, "soft=", 5) == 0) { - const char *name; - size_t name_length; - const char *vname; - size_t vname_length; - const char *type_params; - size_t type_params_length; - char type_str[100]; - VCardEmulType type; - int count, i; - VirtualReaderOptions *vreaderOpt; - - args = strip(args + 5); - if (*args != '(') { - continue; - } - args = strip(args+1); - - NEXT_TOKEN(name) - NEXT_TOKEN(vname) - NEXT_TOKEN(type_params) - type_params_length = MIN(type_params_length, sizeof(type_str)-1); - memcpy(type_str, type_params, type_params_length); - type_str[type_params_length] = '\0'; - type = vcard_emul_type_from_string(type_str); - - NEXT_TOKEN(type_params) - - if (*args == 0) { - break; - } - - if (opts->vreader_count >= reader_count) { - reader_count += READER_STEP; - opts->vreader = g_renew(VirtualReaderOptions, opts->vreader, - reader_count); - } - vreaderOpt = &opts->vreader[opts->vreader_count]; - vreaderOpt->name = g_strndup(name, name_length); - vreaderOpt->vname = g_strndup(vname, vname_length); - vreaderOpt->card_type = type; - vreaderOpt->type_params = - g_strndup(type_params, type_params_length); - count = count_tokens(args, ',', ')') + 1; - vreaderOpt->cert_count = count; - vreaderOpt->cert_name = g_new(char *, count); - for (i = 0; i < count; i++) { - const char *cert = args; - args = strpbrk(args, ",)"); - vreaderOpt->cert_name[i] = g_strndup(cert, args - cert); - args = strip(args+1); - } - if (*args == ')') { - args++; - } - opts->vreader_count++; - /* use_hw= */ - } else if (strncmp(args, "use_hw=", 7) == 0) { - args = strip(args+7); - if (*args == '0' || *args == 'N' || *args == 'n' || *args == 'F') { - opts->use_hw = PR_FALSE; - } else { - opts->use_hw = PR_TRUE; - } - args = find_blank(args); - /* hw_type= */ - } else if (strncmp(args, "hw_type=", 8) == 0) { - args = strip(args+8); - opts->hw_card_type = vcard_emul_type_from_string(args); - args = find_blank(args); - /* hw_params= */ - } else if (strncmp(args, "hw_params=", 10) == 0) { - const char *params; - args = strip(args+10); - params = args; - args = find_blank(args); - opts->hw_type_params = g_strndup(params, args-params); - /* db="/data/base/path" */ - } else if (strncmp(args, "db=", 3) == 0) { - const char *db; - args = strip(args+3); - if (*args != '"') { - continue; - } - args++; - db = args; - args = strpbrk(args, "\"\n"); - opts->nss_db = g_strndup(db, args-db); - if (*args != 0) { - args++; - } - } else { - args = find_blank(args); - } - } while (*args != 0); - - return opts; -} - -void -vcard_emul_usage(void) -{ - fprintf(stderr, -"emul args: comma separated list of the following arguments\n" -" db={nss_database} (default sql:/etc/pki/nssdb)\n" -" use_hw=[yes|no] (default yes)\n" -" hw_type={card_type_to_emulate} (default CAC)\n" -" hw_param={param_for_card} (default \"\")\n" -" soft=({slot_name},{vreader_name},{card_type_to_emulate},{params_for_card},\n" -" {cert1},{cert2},{cert3} (default none)\n" -"\n" -" {nss_database} The location of the NSS cert & key database\n" -" {card_type_to_emulate} What card interface to present to the guest\n" -" {param_for_card} Card interface specific parameters\n" -" {slot_name} NSS slot that contains the certs\n" -" {vreader_name} Virtual reader name to present to the guest\n" -" {certN} Nickname of the certificate n on the virtual card\n" -"\n" -"These parameters come as a single string separated by blanks or newlines." -"\n" -"Unless use_hw is set to no, all tokens that look like removable hardware\n" -"tokens will be presented to the guest using the emulator specified by\n" -"hw_type, and parameters of hw_param.\n" -"\n" -"If more one or more soft= parameters are specified, these readers will be\n" -"presented to the guest\n"); -} |