aboutsummaryrefslogtreecommitdiff
path: root/system/coolkey/patches/coolkey-cac.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/coolkey/patches/coolkey-cac.patch')
-rw-r--r--system/coolkey/patches/coolkey-cac.patch1013
1 files changed, 1013 insertions, 0 deletions
diff --git a/system/coolkey/patches/coolkey-cac.patch b/system/coolkey/patches/coolkey-cac.patch
new file mode 100644
index 0000000000000..a2a9732716e52
--- /dev/null
+++ b/system/coolkey/patches/coolkey-cac.patch
@@ -0,0 +1,1013 @@
+diff -up ./src/coolkey/slot.cpp.cac ./src/coolkey/slot.cpp
+--- ./src/coolkey/slot.cpp.cac 2010-06-16 13:43:51.477181000 -0700
++++ ./src/coolkey/slot.cpp 2010-06-16 13:43:51.535179000 -0700
+@@ -372,7 +372,7 @@ Slot::Slot(const char *readerName_, Log
+ : log(log_), readerName(NULL), personName(NULL), manufacturer(NULL),
+ slotInfoFound(false), context(context_), conn(NULL), state(UNKNOWN),
+ isVersion1Key(false), needLogin(false), fullTokenName(false),
+- mCoolkey(false),
++ mCoolkey(false), mOldCAC(false),
+ #ifdef USE_SHMEM
+ shmem(readerName_),
+ #endif
+@@ -412,6 +412,9 @@ Slot::Slot(const char *readerName_, Log
+ }
+ CKYBuffer_InitEmpty(&cardATR);
+ CKYBuffer_InitEmpty(&mCUID);
++ for (int i=0; i < MAX_CERT_SLOTS; i++) {
++ CKYBuffer_InitEmpty(&cardAID[i]);
++ }
+ } catch(PKCS11Exception &) {
+ if (conn) {
+ CKYCardConnection_Destroy(conn);
+@@ -479,6 +482,9 @@ Slot::~Slot()
+ CKYBuffer_FreeData(&nonce);
+ CKYBuffer_FreeData(&cardATR);
+ CKYBuffer_FreeData(&mCUID);
++ for (int i=0; i < MAX_CERT_SLOTS; i++) {
++ CKYBuffer_FreeData(&cardAID[i]);
++ }
+ }
+
+ template <class C>
+@@ -671,15 +677,9 @@ Slot::connectToToken()
+ status = CKYApplet_SelectCoolKeyManager(conn, NULL);
+ if (status != CKYSUCCESS) {
+ log->log("CoolKey Select failed 0x%x\n", status);
+- status = CACApplet_SelectPKI(conn, 0, NULL);
++ status = getCACAid();
+ if (status != CKYSUCCESS) {
+- log->log("CAC Select failed 0x%x\n", status);
+- if (status == CKYSCARDERR) {
+- log->log("CAC Card Failure 0x%x\n",
+- CKYCardConnection_GetLastError(conn));
+- disconnect();
+- }
+- return;
++ goto loser;
+ }
+ state |= CAC_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;
+ /* skip the read of the cuid. We really don't need it and,
+@@ -690,6 +690,15 @@ Slot::connectToToken()
+ needLogin = 1;
+ mCoolkey = 0;
+ return;
++
++loser:
++ log->log("CAC Select failed 0x%x\n", status);
++ if (status == CKYSCARDERR) {
++ log->log("CAC Card Failure 0x%x\n",
++ CKYCardConnection_GetLastError(conn));
++ disconnect();
++ }
++ return;
+ }
+ mCoolkey = 1;
+ log->log("time connect: Select Applet %d ms\n", OSTimeNow() - time);
+@@ -771,17 +780,111 @@ Slot::disconnect()
+ invalidateLogin(false);
+ }
+
++CKYStatus
++Slot::getCACAid()
++{
++ CKYBuffer tBuf;
++ CKYBuffer vBuf;
++ CKYSize tlen, vlen;
++ CKYOffset toffset, voffset;
++ int certSlot = 0;
++ int i,length = 0;
++ CKYStatus status;
++
++ CKYBuffer_InitEmpty(&tBuf);
++ CKYBuffer_InitEmpty(&vBuf);
++
++ /* clear out the card AID's */
++ for (i=0; i < MAX_CERT_SLOTS; i++) {
++ CKYBuffer_Resize(&cardAID[i],0);
++ }
++
++ status = CACApplet_SelectCCC(conn,NULL);
++ if (status != CKYSUCCESS) {
++ /* are we an old CAC */
++ status = CACApplet_SelectPKI(conn, &cardAID[0], 0, NULL);
++ if (status != CKYSUCCESS) {
++ /* no, just fail */
++ return status;
++ }
++ /* yes, fill in the old applets */
++ mOldCAC = true;
++ for (i=1; i< MAX_CERT_SLOTS; i++) {
++ CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);
++ }
++ return CKYSUCCESS;
++ }
++ /* definately not an old CAC */
++ mOldCAC = false;
++
++ /* read the TLV */
++ status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);
++ if (status != CKYSUCCESS) {
++ goto done;
++ }
++ status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);
++ if (status != CKYSUCCESS) {
++ goto done;
++ }
++ tlen = CKYBuffer_Size(&tBuf);
++ vlen = CKYBuffer_Size(&vBuf);
++
++ for(toffset = 2, voffset=2;
++ certSlot < MAX_CERT_SLOTS && toffset < tlen && voffset < vlen ;
++ voffset += length) {
++
++ CKYByte tag = CKYBuffer_GetChar(&tBuf, toffset);
++ length = CKYBuffer_GetChar(&tBuf, toffset+1);
++ toffset += 2;
++ if (length == 0xff) {
++ length = CKYBuffer_GetShortLE(&tBuf, toffset);
++ toffset +=2;
++ }
++ if (tag != CAC_TAG_CARDURL) {
++ continue;
++ }
++ /* CARDURL tags must be at least 10 bytes long */
++ if (length < 10) {
++ continue;
++ }
++ /* check the app type, should be TLV_APP_PKI */
++ if (CKYBuffer_GetChar(&vBuf, voffset+5) != CAC_TLV_APP_PKI) {
++ continue;
++ }
++ status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf, voffset, 5);
++ if (status != CKYSUCCESS) {
++ goto done;
++ }
++ status = CKYBuffer_AppendBuffer(&cardAID[certSlot], &vBuf,
++ voffset+8, 2);
++ if (status != CKYSUCCESS) {
++ goto done;
++ }
++ cardEF[certSlot] = CKYBuffer_GetShortLE(&vBuf, voffset+6);
++
++ certSlot++;
++ }
++ status = CKYSUCCESS;
++ if (certSlot == 0) {
++ status = CKYAPDUFAIL; /* probably neeed a beter error code */
++ }
++
++done:
++ CKYBuffer_FreeData(&tBuf);
++ CKYBuffer_FreeData(&vBuf);
++ return status;
++}
++
+ void
+ Slot::refreshTokenState()
+ {
+ if( cardStateMayHaveChanged() ) {
+-log->log("card changed\n");
++ log->log("card changed\n");
+ invalidateLogin(true);
+ closeAllSessions();
+ unloadObjects();
+ connectToToken();
+
+-
+ if( state & APPLET_PERSONALIZED ) {
+ try {
+ loadObjects();
+@@ -1019,7 +1122,7 @@ Slot::makeModelString(char *model, int m
+
+ struct _manList {
+ unsigned short type;
+- char *string;
++ const char *string;
+ };
+
+ static const struct _manList manList[] = {
+@@ -1280,13 +1383,30 @@ void
+ Slot::selectCACApplet(CKYByte instance)
+ {
+ CKYStatus status;
+- status = CACApplet_SelectPKI(conn, instance, NULL);
++ CKYBuffer *aid = &cardAID[instance];
++
++ if (CKYBuffer_Size(aid) == 0) {
++ disconnect();
++ throw PKCS11Exception(CKR_DEVICE_REMOVED);
++ return;
++ }
++
++ status = CKYApplet_SelectFile(conn, aid, NULL);
+ if ( status == CKYSCARDERR ) handleConnectionError();
+ if ( status != CKYSUCCESS) {
+ // could not select applet: this just means it's not there
+ disconnect();
+ throw PKCS11Exception(CKR_DEVICE_REMOVED);
+ }
++ if (mOldCAC) {
++ return;
++ }
++ status = CACApplet_SelectFile(conn, cardEF[instance], NULL);
++ if ( status == CKYSCARDERR ) handleConnectionError();
++ if ( status != CKYSUCCESS) {
++ disconnect();
++ throw PKCS11Exception(CKR_DEVICE_REMOVED);
++ }
+ }
+ // assume we are already in a transaction
+ void
+@@ -2059,10 +2179,85 @@ Slot::fetchCombinedObjects(const CKYBuff
+ return objInfoList;
+ }
+
++CKYStatus
++Slot::readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize,
++ bool throwException)
++{
++ CKYStatus status;
++ CKYISOStatus apduRC;
++
++ if (mOldCAC) {
++ /* get the first 100 bytes of the cert */
++ status = CACApplet_GetCertificateFirst(conn, cert, nextSize, &apduRC);
++ if (throwException && (status != CKYSUCCESS)) {
++ handleConnectionError();
++ }
++ return status;
++ }
++
++ CKYBuffer tBuf;
++ CKYBuffer vBuf;
++ CKYSize tlen, vlen;
++ CKYOffset toffset, voffset;
++ int length = 0;
++
++ CKYBuffer_InitEmpty(&tBuf);
++ CKYBuffer_InitEmpty(&vBuf);
++ CKYBuffer_Resize(cert, 0);
++
++ /* handle the new CAC card read */
++ /* read the TLV */
++ status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);
++ if (status != CKYSUCCESS) {
++ goto done;
++ }
++ status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);
++ if (status != CKYSUCCESS) {
++ goto done;
++ }
++ tlen = CKYBuffer_Size(&tBuf);
++ vlen = CKYBuffer_Size(&vBuf);
++
++ /* look for the Cert out of the TLV */
++ for(toffset = 2, voffset=2; toffset < tlen && voffset < vlen ;
++ voffset += length) {
++
++ CKYByte tag = CKYBuffer_GetChar(&tBuf, toffset);
++ length = CKYBuffer_GetChar(&tBuf, toffset+1);
++ toffset += 2;
++ if (length == 0xff) {
++ length = CKYBuffer_GetShortLE(&tBuf, toffset);
++ toffset +=2;
++ }
++ if (tag != CAC_TAG_CERTIFICATE) {
++ continue;
++ }
++ CKYBuffer_AppendBuffer(cert, &vBuf, voffset, length);
++ break;
++ }
++ status = CKYSUCCESS;
++
++done:
++ CKYBuffer_FreeData(&tBuf);
++ CKYBuffer_FreeData(&vBuf);
++ return status;
++}
++
++/*
++ * only necessary for old CAC cards. New CAC cards have to read the
++ * whole cert in anyway above....
++ */
++CKYStatus
++Slot::readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize)
++{
++ CKYISOStatus apduRC;
++ assert(mOldCAC);
++ return CACApplet_GetCertificateAppend(conn, cert, nextSize, &apduRC);
++}
++
+ void
+ Slot::loadCACCert(CKYByte instance)
+ {
+- CKYISOStatus apduRC;
+ CKYStatus status = CKYSUCCESS;
+ CKYBuffer cert;
+ CKYBuffer rawCert;
+@@ -2097,12 +2292,7 @@ Slot::loadCACCert(CKYByte instance)
+ instance, OSTimeNow() - time);
+
+ if (instance == 0) {
+- /* get the first 100 bytes of the cert */
+- status = CACApplet_GetCertificateFirst(conn, &rawCert,
+- &nextSize, &apduRC);
+- if (status != CKYSUCCESS) {
+- handleConnectionError();
+- }
++ readCACCertificateFirst(&rawCert, &nextSize, true);
+ log->log("CAC Cert %d: fetch CAC Cert: %d ms\n",
+ instance, OSTimeNow() - time);
+ }
+@@ -2143,8 +2333,7 @@ Slot::loadCACCert(CKYByte instance)
+ shmem.setVersion(SHMEM_VERSION);
+ shmem.setDataVersion(dataVersion);
+ } else {
+- status = CACApplet_GetCertificateFirst(conn, &rawCert,
+- &nextSize, &apduRC);
++ status = readCACCertificateFirst(&rawCert, &nextSize, false);
+
+ if (status != CKYSUCCESS) {
+ /* CAC only requires the Certificate in pki '0' */
+@@ -2159,8 +2348,7 @@ Slot::loadCACCert(CKYByte instance)
+ }
+
+ if (nextSize) {
+- status = CACApplet_GetCertificateAppend(conn, &rawCert,
+- nextSize, &apduRC);
++ status = readCACCertificateAppend(&rawCert, nextSize);
+ }
+ log->log("CAC Cert %d: Fetch rest : %d ms\n",
+ instance, OSTimeNow() - time);
+@@ -2176,9 +2364,10 @@ Slot::loadCACCert(CKYByte instance)
+
+ log->log("CAC Cert %d: Cert has been read: %d ms\n",
+ instance, OSTimeNow() - time);
+- if (CKYBuffer_GetChar(&rawCert,0) == 1) {
++ if (!mOldCAC || CKYBuffer_GetChar(&rawCert,0) == 1) {
+ CKYSize guessFinalSize = CKYBuffer_Size(&rawCert);
+ CKYSize certSize = 0;
++ CKYOffset offset = mOldCAC ? 1 : 0;
+ int zret = Z_MEM_ERROR;
+
+ do {
+@@ -2189,7 +2378,8 @@ Slot::loadCACCert(CKYByte instance)
+ }
+ certSize = guessFinalSize;
+ zret = uncompress((Bytef *)CKYBuffer_Data(&cert),&certSize,
+- CKYBuffer_Data(&rawCert)+1, CKYBuffer_Size(&rawCert)-1);
++ CKYBuffer_Data(&rawCert)+offset,
++ CKYBuffer_Size(&rawCert)-offset);
+ } while (zret == Z_BUF_ERROR);
+
+ if (zret != Z_OK) {
+@@ -2526,7 +2716,7 @@ Slot::attemptCACLogin()
+ switch( result ) {
+ case CKYISO_SUCCESS:
+ break;
+- case 6981:
++ case 0x6981:
+ throw PKCS11Exception(CKR_PIN_LOCKED);
+ default:
+ if ((result & 0xff00) == 0x6300) {
+diff -up ./src/coolkey/slot.h.cac ./src/coolkey/slot.h
+--- ./src/coolkey/slot.h.cac 2010-06-16 13:43:51.344185000 -0700
++++ ./src/coolkey/slot.h 2010-06-16 13:43:51.546179000 -0700
+@@ -294,6 +294,7 @@ class CryptParams {
+ const CKYBuffer *paddedOutput) const = 0;
+ };
+
++#define MAX_CERT_SLOTS 3
+ class Slot {
+
+ public:
+@@ -328,6 +329,8 @@ class Slot {
+ CKYBuffer nonce;
+ CKYBuffer cardATR;
+ CKYBuffer mCUID;
++ CKYBuffer cardAID[MAX_CERT_SLOTS];
++ unsigned short cardEF[MAX_CERT_SLOTS];
+ bool isVersion1Key;
+ bool needLogin;
+ long publicFree;
+@@ -335,6 +338,7 @@ class Slot {
+ long privateFree;
+ bool fullTokenName;
+ bool mCoolkey;
++ bool mOldCAC;
+
+ //enum { RW_SESSION_HANDLE = 1, RO_SESSION_HANDLE = 2 };
+
+@@ -398,6 +402,11 @@ class Slot {
+ list<ListObjectInfo> fetchCombinedObjects(const CKYBuffer *header);
+ list<ListObjectInfo> fetchSeparateObjects();
+
++ CKYStatus getCACAid();
++ CKYStatus readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize,
++ bool throwException);
++ CKYStatus readCACCertificateAppend(CKYBuffer *cert, CKYSize nextSize);
++
+ void selectApplet();
+ void selectCACApplet(CKYByte instance);
+ void unloadObjects();
+diff -up ./src/libckyapplet/cky_applet.c.cac ./src/libckyapplet/cky_applet.c
+--- ./src/libckyapplet/cky_applet.c.cac 2010-06-16 13:43:51.357181000 -0700
++++ ./src/libckyapplet/cky_applet.c 2010-06-16 14:47:41.305529000 -0700
+@@ -41,7 +41,13 @@
+ CKYStatus
+ CKYAppletFactory_SelectFile(CKYAPDU *apdu, const void *param)
+ {
+- return CKYAPDUFactory_SelectFile(apdu,(const CKYBuffer *)param);
++ return CKYAPDUFactory_SelectFile(apdu, 4, 0, (const CKYBuffer *)param);
++}
++
++CKYStatus
++CACAppletFactory_SelectFile(CKYAPDU *apdu, const void *param)
++{
++ return CKYAPDUFactory_SelectFile(apdu, 2, 12, (const CKYBuffer *)param);
+ }
+
+ CKYStatus
+@@ -225,10 +231,17 @@ CKYAppletFactory_GetBuiltinACL(CKYAPDU *
+ }
+
+ CKYStatus
+-CACAppletFactory_SignDecrypt(CKYAPDU *apdu, const void *param)
++CACAppletFactory_SignDecryptStep(CKYAPDU *apdu, const void *param)
++{
++ const CKYBuffer *buf=(CKYBuffer *)param;
++ return CACAPDUFactory_SignDecrypt(apdu, CAC_P1_STEP, buf);
++}
++
++CKYStatus
++CACAppletFactory_SignDecryptFinal(CKYAPDU *apdu, const void *param)
+ {
+ const CKYBuffer *buf=(CKYBuffer *)param;
+- return CACAPDUFactory_SignDecrypt(apdu, buf);
++ return CACAPDUFactory_SignDecrypt(apdu, CAC_P1_FINAL, buf);
+ }
+
+ CKYStatus
+@@ -246,6 +259,13 @@ CACAppletFactory_GetCertificate(CKYAPDU
+ }
+
+ CKYStatus
++CACAppletFactory_ReadFile(CKYAPDU *apdu, const void *param)
++{
++ const CACAppletArgReadFile *rfs = (const CACAppletArgReadFile *)param;
++ return CACAPDUFactory_ReadFile(apdu, rfs->offset, rfs->type, rfs->count);
++}
++
++CKYStatus
+ CACAppletFactory_GetProperties(CKYAPDU *apdu, const void *param)
+ {
+ return CACAPDUFactory_GetProperties(apdu);
+@@ -457,7 +477,7 @@ CKYApplet_SelectFile(CKYCardConnection *
+ CKYISOStatus *apduRC)
+ {
+ return CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, AID, NULL,
+- 0, CKYAppletFill_Null, NULL, apduRC);
++ CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
+ }
+
+ static CKYByte coolkeyid[] = {0x62, 0x76, 0x01, 0xff, 0x00, 0x00, 0x00 };
+@@ -477,22 +497,23 @@ CKYApplet_SelectCoolKeyManager(CKYCardCo
+ return ret;
+ }
+
+-static CKYByte CACPKIid[] = {0xa0, 0x00, 0x00, 0x00, 0x79, 0x01, 0x00 };
++static CKYByte CACPKIid[] = { 0xa0, 0x00, 0x00, 0x00, 0x79, 0x01 };
+ /*
+ * Select the CoolKey applet. Must happen after we start a transaction and
+ * before we issue any applet specific command.
+ */
+ CKYStatus
+-CACApplet_SelectPKI(CKYCardConnection *conn, CKYByte instance,
+- CKYISOStatus *apduRC)
++CACApplet_SelectPKI(CKYCardConnection *conn, CKYBuffer *cacAID,
++ CKYByte instance, CKYISOStatus *apduRC)
+ {
+ CKYStatus ret;
+- CKYBuffer CACPKIAID;
+- CKYBuffer_InitFromData(&CACPKIAID, CACPKIid, sizeof(CACPKIid));
+- CKYBuffer_SetChar(&CACPKIAID, 6, instance);
+- ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, &CACPKIAID,
++ CKYBuffer_AppendData(cacAID, CACPKIid, sizeof(CACPKIid));
++ CKYBuffer_AppendChar(cacAID, instance);
++ ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, cacAID,
+ NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
+- CKYBuffer_FreeData(&CACPKIAID);
++ if (ret != CKYSUCCESS) {
++ CKYBuffer_Resize(cacAID, 0);
++ }
+ return ret;
+ }
+
+@@ -515,11 +536,38 @@ CACApplet_SelectCardManager(CKYCardConne
+ CKYBuffer CAC_CM_AID;
+ CKYBuffer_InitFromData(&CAC_CM_AID, cacmgrid, sizeof(cacmgrid));
+ ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, &CAC_CM_AID,
+- NULL, 0, CKYAppletFill_Null, NULL, apduRC);
++ NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
+ CKYBuffer_FreeData(&CAC_CM_AID);
+ return ret;
+ }
+
++static CKYByte cacCCCid[] = {0xa0, 0x00, 0x00, 0x01, 0x16, 0xdb, 0x00 };
++CKYStatus
++CACApplet_SelectCCC(CKYCardConnection *conn, CKYISOStatus *apduRC)
++{
++ CKYStatus ret;
++ CKYBuffer CAC_CM_AID;
++ CKYBuffer_InitFromData(&CAC_CM_AID, cacCCCid, sizeof(cacCCCid));
++ ret = CKYApplet_HandleAPDU(conn, CKYAppletFactory_SelectFile, &CAC_CM_AID,
++ NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
++ CKYBuffer_FreeData(&CAC_CM_AID);
++ return ret;
++}
++
++CKYStatus
++CACApplet_SelectFile(CKYCardConnection *conn, unsigned short ef,
++ CKYISOStatus *apduRC)
++{
++ CKYStatus ret;
++ CKYBuffer efBuf;
++ CKYBuffer_InitEmpty(&efBuf);
++ CKYBuffer_AppendShortLE(&efBuf, ef);
++ ret = CKYApplet_HandleAPDU(conn, CACAppletFactory_SelectFile, &efBuf,
++ NULL, CKY_SIZE_UNKNOWN, CKYAppletFill_Null, NULL, apduRC);
++ CKYBuffer_FreeData(&efBuf);
++ return ret;
++}
++
+ /*
+ * GetCPLC cluster -- must be called with CM selected
+ */
+@@ -673,8 +721,8 @@ CKYApplet_ComputeCryptProcess(CKYCardCon
+ ccd.keyNumber = keyNumber;
+ ccd.location = location;
+ ccd.data = data;
+- return CKYApplet_HandleAPDU(conn, CKYAppletFactory_ComputeCryptProcess, &ccd,
+- nonce, 0, CKYAppletFill_Null, NULL, apduRC);
++ return CKYApplet_HandleAPDU(conn, CKYAppletFactory_ComputeCryptProcess,
++ &ccd, nonce, 0, CKYAppletFill_Null, NULL, apduRC);
+ }
+
+ /* computeCrypt returns data in the form :
+@@ -832,11 +880,39 @@ CACApplet_SignDecrypt(CKYCardConnection
+ CKYBuffer *result, CKYISOStatus *apduRC)
+ {
+ CKYStatus ret;
+-
+- ret = CKYApplet_HandleAPDU(conn,
+- CACAppletFactory_SignDecrypt, data, NULL,
+- CKYBuffer_Size(data), CKYAppletFill_ReplaceBuffer,
++ CKYSize dataSize = CKYBuffer_Size(data);
++ CKYOffset offset = 0;
++ CKYBuffer tmp;
++
++ CKYBuffer_InitEmpty(&tmp);
++
++ CKYBuffer_Resize(result, 0);
++ for(offset = 0; (dataSize-offset) > CKY_MAX_WRITE_CHUNK_SIZE;
++ offset += CKY_MAX_WRITE_CHUNK_SIZE) {
++ CKYBuffer_Resize(&tmp,0);
++ CKYBuffer_AppendBuffer(&tmp, data, offset, CKY_MAX_WRITE_CHUNK_SIZE);
++ ret = CKYApplet_HandleAPDU(conn, CACAppletFactory_SignDecryptStep,
++ &tmp, NULL, CKY_SIZE_UNKNOWN,
++ CKYAppletFill_AppendBuffer,
+ result, apduRC);
++ if (ret != CKYSUCCESS) {
++ goto done;
++ }
++ }
++ CKYBuffer_Resize(&tmp,0);
++ CKYBuffer_AppendBuffer(&tmp, data, offset, dataSize - offset);
++ ret = CKYApplet_HandleAPDU(conn, CACAppletFactory_SignDecryptFinal,
++ &tmp, NULL, CKY_SIZE_UNKNOWN,
++ CKYAppletFill_AppendBuffer,
++ result, apduRC);
++
++ if ((ret == CKYSUCCESS) && (CKYBuffer_Size(result) != dataSize)) {
++ /* RSA returns the same data size as input, didn't happen, so
++ * something is wrong. */
++ }
++
++done:
++ CKYBuffer_FreeData(&tmp);
+ return ret;
+ }
+
+@@ -895,6 +971,63 @@ CACApplet_GetCertificate(CKYCardConnecti
+ }
+ return ret;
+ }
++
++/*
++ * Read a CAC Tag/Value file
++ */
++CKYStatus
++CACApplet_ReadFile(CKYCardConnection *conn, CKYByte type, CKYBuffer *buffer,
++ CKYISOStatus *apduRC)
++{
++ CKYStatus ret;
++ CKYISOStatus status;
++ CKYByte maxtransfer;
++ unsigned short offset = 0;
++ unsigned short size;
++ CACAppletArgReadFile rfs;
++
++ CKYBuffer_Resize(buffer,0);
++ if (apduRC == NULL) {
++ apduRC = &status;
++ }
++ rfs.offset = 0;
++ rfs.count = 2;
++ rfs.type = type;
++
++ /* APDU's are expensive, Grab a big chunk of the file first if possible */
++ ret = CKYApplet_HandleAPDU(conn,
++ CACAppletFactory_ReadFile, &rfs, NULL,
++ rfs.count, CKYAppletFill_AppendBuffer,
++ buffer, apduRC);
++ /* file is probably smaller than 100 bytes, get the actual size first */
++ if (ret != CKYSUCCESS) {
++ return ret;
++ }
++ size = CKYBuffer_GetShortLE(buffer, 0) + 2 /* include the length itself */;
++ maxtransfer = CKY_MAX_READ_CHUNK_SIZE;
++ /* get the rest of the buffer if necessary */
++ for (offset = CKYBuffer_Size(buffer); size > offset;
++ offset = CKYBuffer_Size(buffer)) {
++ rfs.offset = offset;
++ rfs.count = MIN(size - offset, maxtransfer);
++ ret = CKYApplet_HandleAPDU(conn,
++ CACAppletFactory_ReadFile, &rfs, NULL,
++ rfs.count, CKYAppletFill_AppendBuffer,
++ buffer, apduRC);
++ if (ret != CKYSUCCESS) {
++ if (*apduRC == CAC_INVALID_PARAMS) {
++ maxtransfer = maxtransfer/2;
++ if (maxtransfer == 0) {
++ return ret;
++ }
++ } else {
++ return ret;
++ }
++ }
++ }
++ return ret;
++}
++
+ CKYStatus
+ CACApplet_GetCertificateFirst(CKYCardConnection *conn, CKYBuffer *cert,
+ CKYSize *nextSize, CKYISOStatus *apduRC)
+diff -up ./src/libckyapplet/cky_applet.h.cac ./src/libckyapplet/cky_applet.h
+--- ./src/libckyapplet/cky_applet.h.cac 2010-06-16 13:43:51.370181000 -0700
++++ ./src/libckyapplet/cky_applet.h 2010-06-16 13:43:51.572179000 -0700
+@@ -71,6 +71,15 @@ typedef unsigned short CKYISOStatus; /*
+ #define CKYISO_INTERNAL_ERROR 0x9cff /* Reserved for debugging,
+ * shouldn't happen */
+
++#define CAC_INVALID_PARAMS 0x6a83
++#define CAC_TAG_FILE 1
++#define CAC_VALUE_FILE 2
++
++
++#define CAC_TAG_CARDURL 0xf3
++#define CAC_TAG_CERTIFICATE 0x70
++#define CAC_TLV_APP_PKI 0x04
++
+ /*
+ * Pin Constants as used by our applet
+ */
+@@ -209,6 +218,12 @@ typedef struct _CKYAppletArgComputeCrypt
+ const CKYBuffer *sig;
+ } CKYAppletArgComputeCrypt;
+
++typedef struct _CACAppletArgReadFile {
++ CKYByte type;
++ CKYByte count;
++ unsigned short offset;
++} CACAppletArgReadFile;
++
+ /* fills in an APDU from a structure -- form of all the generic factories*/
+ typedef CKYStatus (*CKYAppletFactory)(CKYAPDU *apdu, const void *param);
+ /* fills in an a structure from a response -- form of all the fill structures*/
+@@ -451,9 +466,17 @@ CKYStatus CKYApplet_DeleteObject(CKYCard
+ /* Select the CAC card manager. Can happen with either applet selected */
+ CKYStatus CACApplet_SelectCardManager(CKYCardConnection *conn,
+ CKYISOStatus *apduRC);
+-/* Can happen with either applet selected */
+-CKYStatus CACApplet_SelectPKI(CKYCardConnection *conn, CKYByte instance,
+- CKYISOStatus *apduRC);
++/* Select the CAC CC container. Can happen with either applet selected */
++CKYStatus CACApplet_SelectCCC(CKYCardConnection *conn, CKYISOStatus *apduRC);
++/* Select an old CAC applet and fill in the cardAID */
++CKYStatus CACApplet_SelectPKI(CKYCardConnection *conn, CKYBuffer *cardAid,
++ CKYByte instance, CKYISOStatus *apduRC);
++/* read a TLV file */
++CKYStatus CACApplet_ReadFile(CKYCardConnection *conn, CKYByte type,
++ CKYBuffer *buffer, CKYISOStatus *apduRC);
++CKYStatus CACApplet_SelectFile(CKYCardConnection *conn, unsigned short ef,
++ CKYISOStatus *apduRC);
++
+ /* must happen with PKI applet selected */
+ CKYStatus CACApplet_SignDecrypt(CKYCardConnection *conn, const CKYBuffer *data,
+ CKYBuffer *result, CKYISOStatus *apduRC);
+diff -up ./src/libckyapplet/cky_base.c.cac ./src/libckyapplet/cky_base.c
+--- ./src/libckyapplet/cky_base.c.cac 2006-06-09 11:44:17.000000000 -0700
++++ ./src/libckyapplet/cky_base.c 2010-06-16 13:43:51.583179000 -0700
+@@ -220,6 +220,22 @@ CKYBuffer_AppendShort(CKYBuffer *buf, un
+ return CKYSUCCESS;
+ }
+
++/* append a short in network order */
++CKYStatus
++CKYBuffer_AppendShortLE(CKYBuffer *buf, unsigned short val)
++{
++ CKYStatus ret;
++
++ ret = CKYBuffer_Reserve(buf, buf->len + 2);
++ if (ret != CKYSUCCESS) {
++ return ret;
++ }
++ buf->data[buf->len+1] = (CKYByte) ((val >> 8) & 0xff);
++ buf->data[buf->len+0] = (CKYByte) ((val >> 0) & 0xff);
++ buf->len += 2;
++ return CKYSUCCESS;
++}
++
+ /* append a long in applet order */
+ CKYStatus
+ CKYBuffer_AppendLong(CKYBuffer *buf, unsigned long val)
+@@ -238,6 +254,24 @@ CKYBuffer_AppendLong(CKYBuffer *buf, uns
+ return CKYSUCCESS;
+ }
+
++/* append a long in applet order */
++CKYStatus
++CKYBuffer_AppendLongLE(CKYBuffer *buf, unsigned long val)
++{
++ CKYStatus ret;
++
++ ret = CKYBuffer_Reserve(buf, buf->len + 4);
++ if (ret != CKYSUCCESS) {
++ return ret;
++ }
++ buf->data[buf->len+3] = (CKYByte) ((val >> 24) & 0xff);
++ buf->data[buf->len+2] = (CKYByte) ((val >> 16) & 0xff);
++ buf->data[buf->len+1] = (CKYByte) ((val >> 8) & 0xff);
++ buf->data[buf->len+0] = (CKYByte) ((val >> 0) & 0xff);
++ buf->len += 4;
++ return CKYSUCCESS;
++}
++
+ CKYStatus
+ CKYBuffer_Replace(CKYBuffer *buf, CKYOffset offset, const CKYByte *data, CKYSize len)
+ {
+@@ -351,6 +385,22 @@ CKYBuffer_SetShort(CKYBuffer *buf, CKYOf
+ }
+
+ CKYStatus
++CKYBuffer_SetShortLE(CKYBuffer *buf, CKYOffset offset, unsigned short val)
++{
++ CKYStatus ret;
++
++ if (buf->len < offset+2) {
++ ret = CKYBuffer_Resize(buf,offset+2);
++ if (ret != CKYSUCCESS) {
++ return ret;
++ }
++ }
++ buf->data[offset+1] = (CKYByte) ((val >> 8) & 0xff);
++ buf->data[offset+0] = (CKYByte) ((val >> 0) & 0xff);
++ return CKYSUCCESS;
++}
++
++CKYStatus
+ CKYBuffer_SetLong(CKYBuffer *buf, CKYOffset offset, unsigned long val)
+ {
+ CKYStatus ret;
+@@ -368,6 +418,24 @@ CKYBuffer_SetLong(CKYBuffer *buf, CKYOff
+ return CKYSUCCESS;
+ }
+
++CKYStatus
++CKYBuffer_SetLongLE(CKYBuffer *buf, CKYOffset offset, unsigned long val)
++{
++ CKYStatus ret;
++
++ if (buf->len < offset+4) {
++ ret = CKYBuffer_Resize(buf,offset+4);
++ if (ret != CKYSUCCESS) {
++ return ret;
++ }
++ }
++ buf->data[offset+3] = (CKYByte) ((val >> 24) & 0xff);
++ buf->data[offset+2] = (CKYByte) ((val >> 16) & 0xff);
++ buf->data[offset+1] = (CKYByte) ((val >> 8) & 0xff);
++ buf->data[offset+0] = (CKYByte) ((val >> 0) & 0xff);
++ return CKYSUCCESS;
++}
++
+ CKYByte
+ CKYBuffer_GetChar(const CKYBuffer *buf, CKYOffset offset)
+ {
+@@ -388,6 +456,18 @@ CKYBuffer_GetShort(const CKYBuffer *buf,
+ val |= ((unsigned short)buf->data[offset+1]) << 0;
+ return val;
+ }
++
++unsigned short
++CKYBuffer_GetShortLE(const CKYBuffer *buf, CKYOffset offset)
++{
++ unsigned short val;
++ if (buf->len < offset+2) {
++ return 0;
++ }
++ val = ((unsigned short)buf->data[offset+1]) << 8;
++ val |= ((unsigned short)buf->data[offset+0]) << 0;
++ return val;
++}
+
+ unsigned long
+ CKYBuffer_GetLong(const CKYBuffer *buf, CKYOffset offset)
+@@ -402,6 +482,20 @@ CKYBuffer_GetLong(const CKYBuffer *buf,
+ val |= ((unsigned long)buf->data[offset+3]) << 0;
+ return val;
+ }
++
++unsigned long
++CKYBuffer_GetLongLE(const CKYBuffer *buf, CKYOffset offset)
++{
++ unsigned long val;
++ if (buf->len < offset+4) {
++ return 0;
++ }
++ val = ((unsigned long)buf->data[offset+3]) << 24;
++ val |= ((unsigned long)buf->data[offset+2]) << 16;
++ val |= ((unsigned long)buf->data[offset+1]) << 8;
++ val |= ((unsigned long)buf->data[offset+0]) << 0;
++ return val;
++}
+
+ CKYStatus
+ CKYBuffer_Resize(CKYBuffer *buf, CKYSize newLen)
+diff -up ./src/libckyapplet/cky_base.h.cac ./src/libckyapplet/cky_base.h
+--- ./src/libckyapplet/cky_base.h.cac 2006-06-09 11:44:17.000000000 -0700
++++ ./src/libckyapplet/cky_base.h 2010-06-16 13:43:51.592179000 -0700
+@@ -170,9 +170,15 @@ CKYStatus CKYBuffer_AppendChar(CKYBuffer
+ /* append a short in applet order */
+ CKYStatus CKYBuffer_AppendShort(CKYBuffer *buf, unsigned short val);
+
++/* append a short in little endian order */
++CKYStatus CKYBuffer_AppendShortLE(CKYBuffer *buf, unsigned short val);
++
+ /* append a long in applet order */
+ CKYStatus CKYBuffer_AppendLong(CKYBuffer *buf, unsigned long val);
+
++/* append a long in little endian order */
++CKYStatus CKYBuffer_AppendLongLE(CKYBuffer *buf, unsigned long val);
++
+ /* append data. the data starts at data and extends len bytes */
+ CKYStatus CKYBuffer_AppendData(CKYBuffer *buf, const CKYByte *data, CKYSize len);
+
+@@ -210,12 +216,18 @@ CKYStatus CKYBuffer_SetChars(CKYBuffer *
+ CKYStatus CKYBuffer_SetShort(CKYBuffer *buf, CKYOffset offset, unsigned short val);
+ CKYStatus CKYBuffer_SetLong(CKYBuffer *buf, CKYOffset offset, unsigned long val);
+
++/* These functions work in little endian order */
++CKYStatus CKYBuffer_SetShortLE(CKYBuffer *buf, CKYOffset offset, unsigned short val);
++CKYStatus CKYBuffer_SetLongLE(CKYBuffer *buf, CKYOffset offset, unsigned long val);
+ /* read a character from offset. If offset is beyond the end of the buffer,
+ * then the function returns '0' */
+ CKYByte CKYBuffer_GetChar(const CKYBuffer *buf, CKYOffset offset);
+ /* These functions work in applet order */
+ unsigned short CKYBuffer_GetShort(const CKYBuffer *buf, CKYOffset offset);
+ unsigned long CKYBuffer_GetLong(const CKYBuffer *buf, CKYOffset offset);
++/* These functions work in little endian order */
++unsigned short CKYBuffer_GetShortLE(const CKYBuffer *buf, CKYOffset offset);
++unsigned long CKYBuffer_GetLongLE(const CKYBuffer *buf, CKYOffset offset);
+
+ /* clear out all the data in a buffer */
+ void CKYBuffer_Zero(CKYBuffer *buf);
+diff -up ./src/libckyapplet/cky_factory.c.cac ./src/libckyapplet/cky_factory.c
+--- ./src/libckyapplet/cky_factory.c.cac 2010-06-16 13:43:51.393185000 -0700
++++ ./src/libckyapplet/cky_factory.c 2010-06-16 14:48:08.885473000 -0700
+@@ -25,12 +25,13 @@
+ * special commands can be issued at any time
+ */
+ CKYStatus
+-CKYAPDUFactory_SelectFile(CKYAPDU *apdu, const CKYBuffer *AID)
++CKYAPDUFactory_SelectFile(CKYAPDU *apdu, CKYByte p1, CKYByte p2,
++ const CKYBuffer *AID)
+ {
+ CKYAPDU_SetCLA(apdu, CKY_CLASS_ISO7816);
+ CKYAPDU_SetINS(apdu, CKY_INS_SELECT_FILE);
+- CKYAPDU_SetP1(apdu, 0x04);
+- CKYAPDU_SetP2(apdu, 0x00);
++ CKYAPDU_SetP1(apdu, p1);
++ CKYAPDU_SetP2(apdu, p2);
+ return CKYAPDU_SetSendDataBuffer(apdu, AID);
+ }
+
+@@ -131,6 +132,7 @@ fail:
+ return ret;
+ }
+
++
+ CKYStatus
+ CKYAPDUFactory_ComputeCryptFinal(CKYAPDU *apdu, CKYByte keyNumber,
+ CKYByte location, const CKYBuffer *data, const CKYBuffer *sig)
+@@ -572,11 +574,11 @@ CKYAPDUFactory_GetBuiltinACL(CKYAPDU *ap
+ }
+
+ CKYStatus
+-CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, const CKYBuffer *data)
++CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, CKYByte type, const CKYBuffer *data)
+ {
+ CKYAPDU_SetCLA(apdu, CKY_CLASS_ISO7816);
+ CKYAPDU_SetINS(apdu, CAC_INS_SIGN_DECRYPT);
+- CKYAPDU_SetP1(apdu, 0x00);
++ CKYAPDU_SetP1(apdu, type);
+ CKYAPDU_SetP2(apdu, 0x00);
+ return CKYAPDU_SetSendDataBuffer(apdu, data);
+ }
+@@ -592,6 +594,36 @@ CACAPDUFactory_GetCertificate(CKYAPDU *a
+ }
+
+ CKYStatus
++CACAPDUFactory_ReadFile(CKYAPDU *apdu, unsigned short offset,
++ CKYByte type, CKYByte count)
++{
++ CKYStatus ret;
++ CKYBuffer buf;
++
++ CKYBuffer_InitEmpty(&buf);
++ CKYAPDU_SetCLA(apdu, CKY_CLASS_GLOBAL_PLATFORM);
++ CKYAPDU_SetINS(apdu, CAC_INS_READ_FILE);
++ CKYAPDU_SetP1(apdu, (offset >> 8) & 0xff);
++ CKYAPDU_SetP2(apdu, offset & 0xff);
++ ret = CKYBuffer_Reserve(&buf, 2);
++ if (ret != CKYSUCCESS) {
++ goto fail;
++ }
++ ret = CKYBuffer_AppendChar(&buf, type);
++ if (ret != CKYSUCCESS) {
++ goto fail;
++ }
++ ret = CKYBuffer_AppendChar(&buf, count);
++ if (ret != CKYSUCCESS) {
++ goto fail;
++ }
++ ret = CKYAPDU_SetSendDataBuffer(apdu, &buf);
++fail:
++ CKYBuffer_FreeData(&buf);
++ return ret;
++}
++
++CKYStatus
+ CACAPDUFactory_GetProperties(CKYAPDU *apdu)
+ {
+ CKYAPDU_SetCLA(apdu, CKY_CLASS_ISO7816);
+diff -up ./src/libckyapplet/cky_factory.h.cac ./src/libckyapplet/cky_factory.h
+--- ./src/libckyapplet/cky_factory.h.cac 2010-06-16 13:43:51.402181000 -0700
++++ ./src/libckyapplet/cky_factory.h 2010-06-16 14:43:20.867049000 -0700
+@@ -86,7 +86,11 @@
+ #define CAC_INS_SIGN_DECRYPT 0x42
+ #define CAC_INS_VERIFY_PIN 0x20
+ #define CAC_INS_GET_PROPERTIES 0x56
++#define CAC_INS_READ_FILE 0x52
++
+ #define CAC_SIZE_GET_PROPERTIES 48
++#define CAC_P1_STEP 0x80
++#define CAC_P1_FINAL 0x00
+
+ /*
+ * Fixed return sized from various commands
+@@ -169,7 +173,8 @@
+ CKY_BEGIN_PROTOS
+
+ /* function based factorys */
+-CKYStatus CKYAPDUFactory_SelectFile(CKYAPDU *apdu, const CKYBuffer *AID);
++CKYStatus CKYAPDUFactory_SelectFile(CKYAPDU *apdu, CKYByte p1, CKYByte p2,
++ const CKYBuffer *AID);
+ CKYStatus CKYAPDUFactory_SelectCardManager(CKYAPDU *apdu);
+ CKYStatus CKYAPDUFactory_GetCPLCData(CKYAPDU *apdu);
+ CKYStatus CKYAPDUFactory_ListKeys(CKYAPDU *apdu, CKYByte sequence);
+@@ -211,9 +216,12 @@ CKYStatus CKYAPDUFactory_SeedRandom(CKYA
+ CKYStatus CKYAPDUFactory_GetIssuerInfo(CKYAPDU *apdu);
+ CKYStatus CKYAPDUFactory_GetBuiltinACL(CKYAPDU *apdu);
+
+-CKYStatus CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, const CKYBuffer *data);
++CKYStatus CACAPDUFactory_SignDecrypt(CKYAPDU *apdu, CKYByte type,
++ const CKYBuffer *data);
+ CKYStatus CACAPDUFactory_VerifyPIN(CKYAPDU *apdu, const char *pin);
+ CKYStatus CACAPDUFactory_GetCertificate(CKYAPDU *apdu, CKYSize size);
++CKYStatus CACAPDUFactory_ReadFile(CKYAPDU *apdu, unsigned short offset,
++ CKYByte type, CKYByte count);
+ CKYStatus CACAPDUFactory_GetProperties(CKYAPDU *apdu);
+
+ CKY_END_PROTOS