]> git.proxmox.com Git - qemu.git/blame - libcacard/vcard_emul_nss.c
projects / qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
libcacard: move atr setting from macro to function
[qemu.git] / libcacard / vcard_emul_nss.c
CommitLineData
111a38b0
RR		 1/*
2 * This is the actual card emulator.
3 *
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
8 *
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
11 */
12
13/*
14 * NSS headers
15 */
16
17/* avoid including prototypes.h that redefines uint32 */
18#define NO_NSPR_10_SUPPORT
19
20#include <nss.h>
21#include <pk11pub.h>
22#include <cert.h>
23#include <key.h>
24#include <secmod.h>
25#include <prthread.h>
26#include <secerr.h>
27
28#include "qemu-common.h"
29
30#include "vcard.h"
31#include "card_7816t.h"
32#include "vcard_emul.h"
33#include "vreader.h"
34#include "vevent.h"
35
0b6a16c1
AL		 36#include "libcacard/vcardt_internal.h"
37
38
010debef
RR		 39typedef enum {
40 VCardEmulUnknown = -1,
41 VCardEmulFalse = 0,
42 VCardEmulTrue = 1
43} VCardEmulTriState;
44
111a38b0
RR		 45struct VCardKeyStruct {
46 CERTCertificate *cert;
47 PK11SlotInfo *slot;
48 SECKEYPrivateKey *key;
010debef 49 VCardEmulTriState failedX509;
111a38b0
RR		 50};
51
52
53typedef struct VirtualReaderOptionsStruct VirtualReaderOptions;
54
55struct VReaderEmulStruct {
56 PK11SlotInfo *slot;
57 VCardEmulType default_type;
58 char *type_params;
59 PRBool present;
60 int series;
61 VCard *saved_vcard;
62};
63
64/*
65 * NSS Specific options
66 */
67struct VirtualReaderOptionsStruct {
68 char *name;
69 char *vname;
70 VCardEmulType card_type;
71 char *type_params;
72 char **cert_name;
73 int cert_count;
74};
75
76struct VCardEmulOptionsStruct {
77 void *nss_db;
78 VirtualReaderOptions *vreader;
79 int vreader_count;
80 VCardEmulType hw_card_type;
81 const char *hw_type_params;
82 PRBool use_hw;
83};
84
85static int nss_emul_init;
86
87/* if we have more that just the slot, define
88 * VCardEmulStruct here */
89
90/*
91 * allocate the set of arrays for certs, cert_len, key
92 */
93static PRBool
94vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp,
95 VCardKey ***keysp, int cert_count)
96{
97 *certsp = NULL;
98 *cert_lenp = NULL;
99 *keysp = NULL;
7267c094
AL		 100 *certsp = (unsigned char **)g_malloc(sizeof(unsigned char *)*cert_count);
101 *cert_lenp = (int *)g_malloc(sizeof(int)*cert_count);
102 *keysp = (VCardKey **)g_malloc(sizeof(VCardKey *)*cert_count);
111a38b0
RR		 103 return PR_TRUE;
104}
105
106/*
107 * Emulator specific card information
108 */
109typedef struct CardEmulCardStruct CardEmulPrivate;
110
111static VCardEmul *
112vcard_emul_new_card(PK11SlotInfo *slot)
113{
114 PK11_ReferenceSlot(slot);
115 /* currently we don't need anything other than the slot */
116 return (VCardEmul *)slot;
117}
118
119static void
120vcard_emul_delete_card(VCardEmul *vcard_emul)
121{
122 PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul;
123 if (slot == NULL) {
124 return;
125 }
126 PK11_FreeSlot(slot);
127}
128
129static PK11SlotInfo *
130vcard_emul_card_get_slot(VCard *card)
131{
132 /* note, the card is holding the reference, no need to get another one */
133 return (PK11SlotInfo *)vcard_get_private(card);
134}
135
136
137/*
138 * key functions
139 */
140/* private constructure */
141static VCardKey *
142vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
143{
144 VCardKey *key;
145
7267c094 146 key = (VCardKey *)g_malloc(sizeof(VCardKey));
111a38b0
RR		 147 key->slot = PK11_ReferenceSlot(slot);
148 key->cert = CERT_DupCertificate(cert);
149 /* NOTE: if we aren't logged into the token, this could return NULL */
150 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
151 * use the DER version of this function */
152 key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
010debef 153 key->failedX509 = VCardEmulUnknown;
111a38b0
RR		 154 return key;
155}
156
157/* destructor */
158void
159vcard_emul_delete_key(VCardKey *key)
160{
161 if (!nss_emul_init || (key == NULL)) {
162 return;
163 }
164 if (key->key) {
165 SECKEY_DestroyPrivateKey(key->key);
166 key->key = NULL;
167 }
168 if (key->cert) {
169 CERT_DestroyCertificate(key->cert);
170 }
171 if (key->slot) {
172 PK11_FreeSlot(key->slot);
173 }
111a38b0
RR		 174}
175
176/*
177 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
178 */
179static SECKEYPrivateKey *
180vcard_emul_get_nss_key(VCardKey *key)
181{
182 if (key->key) {
183 return key->key;
184 }
185 /* NOTE: if we aren't logged into the token, this could return NULL */
186 key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
187 return key->key;
188}
189
190/*
191 * Map NSS errors to 7816 errors
192 */
193static vcard_7816_status_t
194vcard_emul_map_error(int error)
195{
196 switch (error) {
197 case SEC_ERROR_TOKEN_NOT_LOGGED_IN:
198 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
199 case SEC_ERROR_BAD_DATA:
200 case SEC_ERROR_OUTPUT_LEN:
201 case SEC_ERROR_INPUT_LEN:
202 case SEC_ERROR_INVALID_ARGS:
203 case SEC_ERROR_INVALID_ALGORITHM:
204 case SEC_ERROR_NO_KEY:
205 case SEC_ERROR_INVALID_KEY:
206 case SEC_ERROR_DECRYPTION_DISALLOWED:
207 return VCARD7816_STATUS_ERROR_DATA_INVALID;
208 case SEC_ERROR_NO_MEMORY:
209 return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE;
210 }
211 return VCARD7816_STATUS_EXC_ERROR_CHANGE;
212}
213
214/* RSA sign/decrypt with the key, signature happens 'in place' */
215vcard_7816_status_t
216vcard_emul_rsa_op(VCard *card, VCardKey *key,
217 unsigned char *buffer, int buffer_size)
218{
219 SECKEYPrivateKey *priv_key;
220 unsigned signature_len;
010debef 221 PK11SlotInfo *slot;
111a38b0 222 SECStatus rv;
010debef
RR		 223 unsigned char buf[2048];
224 unsigned char *bp = NULL;
225 int pad_len;
226 vcard_7816_status_t ret = VCARD7816_STATUS_SUCCESS;
111a38b0
RR		 227
228 if ((!nss_emul_init) || (key == NULL)) {
229 /* couldn't get the key, indicate that we aren't logged in */
230 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
231 }
232 priv_key = vcard_emul_get_nss_key(key);
010debef
RR		 233 if (priv_key == NULL) {
234 /* couldn't get the key, indicate that we aren't logged in */
235 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
236 }
237 slot = vcard_emul_card_get_slot(card);
111a38b0
RR		 238
239 /*
240 * this is only true of the rsa signature
241 */
242 signature_len = PK11_SignatureLen(priv_key);
243 if (buffer_size != signature_len) {
244 return VCARD7816_STATUS_ERROR_DATA_INVALID;
245 }
010debef
RR		 246 /* be able to handle larger keys if necessariy */
247 bp = &buf[0];
248 if (sizeof(buf) < signature_len) {
7267c094 249 bp = g_malloc(signature_len);
010debef
RR		 250 }
251
252 /*
253 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
254 * choke when they try to do the actual operations. Try to detect
255 * those cases and treat them as if the token didn't claim support for
256 * X_509.
257 */
258 if (key->failedX509 != VCardEmulTrue
259 && PK11_DoesMechanism(slot, CKM_RSA_X_509)) {
260 rv = PK11_PrivDecryptRaw(priv_key, bp, &signature_len, signature_len,
261 buffer, buffer_size);
262 if (rv == SECSuccess) {
263 assert(buffer_size == signature_len);
264 memcpy(buffer, bp, signature_len);
265 key->failedX509 = VCardEmulFalse;
266 goto cleanup;
267 }
268 /*
269 * we've had a successful X509 operation, this failure must be
270 * somethine else
271 */
272 if (key->failedX509 == VCardEmulFalse) {
273 ret = vcard_emul_map_error(PORT_GetError());
274 goto cleanup;
275 }
276 /*
277 * key->failedX509 must be Unknown at this point, try the
278 * non-x_509 case
279 */
280 }
281 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
282 /* is this a PKCS #1 formatted signature? */
283 if ((buffer[0] == 0) && (buffer[1] == 1)) {
284 int i;
285
286 for (i = 2; i < buffer_size; i++) {
287 /* rsa signature pad */
288 if (buffer[i] != 0xff) {
289 break;
290 }
291 }
292 if ((i < buffer_size) && (buffer[i] == 0)) {
293 /* yes, we have a properly formated PKCS #1 signature */
294 /*
295 * NOTE: even if we accidentally got an encrypt buffer, which
296 * through shear luck started with 00, 01, ff, 00, it won't matter
297 * because the resulting Sign operation will effectively decrypt
298 * the real buffer.
299 */
300 SECItem signature;
301 SECItem hash;
302
303 i++;
304 hash.data = &buffer[i];
305 hash.len = buffer_size - i;
306 signature.data = bp;
307 signature.len = signature_len;
308 rv = PK11_Sign(priv_key, &signature, &hash);
309 if (rv != SECSuccess) {
310 ret = vcard_emul_map_error(PORT_GetError());
311 goto cleanup;
312 }
313 assert(buffer_size == signature.len);
314 memcpy(buffer, bp, signature.len);
315 /*
316 * we got here because either the X509 attempt failed, or the
317 * token couldn't do the X509 operation, in either case stay
318 * with the PKCS version for future operations on this key
319 */
320 key->failedX509 = VCardEmulTrue;
321 goto cleanup;
322 }
323 }
324 pad_len = buffer_size - signature_len;
325 assert(pad_len < 4);
326 /*
327 * OK now we've decrypted the payload, package it up in PKCS #1 for the
328 * upper layer.
329 */
330 buffer[0] = 0;
331 buffer[1] = 2; /* RSA_encrypt */
332 pad_len -= 3; /* format is 0 || 2 || pad || 0 || data */
333 /*
334 * padding for PKCS #1 encrypted data is a string of random bytes. The
335 * random butes protect against potential decryption attacks against RSA.
336 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
337 * them. This shouldn't matter to the upper level code which should just
338 * strip this code out anyway, so We'll pad with a constant 3.
339 */
340 memset(&buffer[2], 0x03, pad_len);
341 pad_len += 2; /* index to the end of the pad */
342 buffer[pad_len] = 0;
343 pad_len++; /* index to the start of the data */
344 memcpy(&buffer[pad_len], bp, signature_len);
345 /*
346 * we got here because either the X509 attempt failed, or the
347 * token couldn't do the X509 operation, in either case stay
348 * with the PKCS version for future operations on this key
349 */
350 key->failedX509 = VCardEmulTrue;
351cleanup:
352 if (bp != buf) {
7267c094 353 g_free(bp);
111a38b0 354 }
010debef 355 return ret;
111a38b0
RR		 356}
357
358/*
359 * Login functions
360 */
361/* return the number of login attempts still possible on the card. if unknown,
362 * return -1 */
363int
364vcard_emul_get_login_count(VCard *card)
365{
366 return -1;
367}
368
369/* login into the card, return the 7816 status word (sw2 || sw1) */
370vcard_7816_status_t
371vcard_emul_login(VCard *card, unsigned char *pin, int pin_len)
372{
373 PK11SlotInfo *slot;
374 unsigned char *pin_string = NULL;
375 int i;
376 SECStatus rv;
377
378 if (!nss_emul_init) {
379 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
380 }
381 slot = vcard_emul_card_get_slot(card);
382 /* We depend on the PKCS #11 module internal login state here because we
383 * create a separate process to handle each guest instance. If we needed
384 * to handle multiple guests from one process, then we would need to keep
385 * a lot of extra state in our card structure
386 * */
7267c094 387 pin_string = g_malloc(pin_len+1);
111a38b0
RR		 388 memcpy(pin_string, pin, pin_len);
389 pin_string[pin_len] = 0;
390
391 /* handle CAC expanded pins correctly */
392 for (i = pin_len-1; i >= 0 && (pin_string[i] == 0xff); i--) {
393 pin_string[i] = 0;
394 }
395
396 rv = PK11_Authenticate(slot, PR_FALSE, pin_string);
397 memset(pin_string, 0, pin_len); /* don't let the pin hang around in memory
398 to be snooped */
7267c094 399 g_free(pin_string);
111a38b0
RR		 400 if (rv == SECSuccess) {
401 return VCARD7816_STATUS_SUCCESS;
402 }
403 /* map the error from port get error */
404 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
405}
406
407void
408vcard_emul_reset(VCard *card, VCardPower power)
409{
410 PK11SlotInfo *slot;
411
412 if (!nss_emul_init) {
413 return;
414 }
415
416 /*
417 * if we reset the card (either power on or power off), we lose our login
418 * state
419 */
420 /* TODO: we may also need to send insertion/removal events? */
421 slot = vcard_emul_card_get_slot(card);
422 PK11_Logout(slot); /* NOTE: ignoring SECStatus return value */
111a38b0
RR		 423}
424
425
426static VReader *
427vcard_emul_find_vreader_from_slot(PK11SlotInfo *slot)
428{
429 VReaderList *reader_list = vreader_get_reader_list();
430 VReaderListEntry *current_entry = NULL;
431
432 if (reader_list == NULL) {
433 return NULL;
434 }
435 for (current_entry = vreader_list_get_first(reader_list); current_entry;
436 current_entry = vreader_list_get_next(current_entry)) {
437 VReader *reader = vreader_list_get_reader(current_entry);
438 VReaderEmul *reader_emul = vreader_get_private(reader);
439 if (reader_emul->slot == slot) {
440 return reader;
441 }
442 vreader_free(reader);
443 }
444
445 return NULL;
446}
447
448/*
449 * create a new reader emul
450 */
451static VReaderEmul *
452vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params)
453{
454 VReaderEmul *new_reader_emul;
455
7267c094 456 new_reader_emul = (VReaderEmul *)g_malloc(sizeof(VReaderEmul));
111a38b0
RR		 457
458 new_reader_emul->slot = PK11_ReferenceSlot(slot);
459 new_reader_emul->default_type = type;
be168af8 460 new_reader_emul->type_params = g_strdup(params);
111a38b0
RR		 461 new_reader_emul->present = PR_FALSE;
462 new_reader_emul->series = 0;
463 new_reader_emul->saved_vcard = NULL;
464 return new_reader_emul;
465}
466
467static void
468vreader_emul_delete(VReaderEmul *vreader_emul)
469{
470 if (vreader_emul == NULL) {
471 return;
472 }
473 if (vreader_emul->slot) {
474 PK11_FreeSlot(vreader_emul->slot);
475 }
476 if (vreader_emul->type_params) {
7267c094 477 g_free(vreader_emul->type_params);
111a38b0 478 }
7267c094 479 g_free(vreader_emul);
111a38b0
RR		 480}
481
482/*
483 * TODO: move this to emulater non-specific file
484 */
485static VCardEmulType
486vcard_emul_get_type(VReader *vreader)
487{
488 VReaderEmul *vreader_emul;
489
490 vreader_emul = vreader_get_private(vreader);
491 if (vreader_emul && vreader_emul->default_type != VCARD_EMUL_NONE) {
492 return vreader_emul->default_type;
493 }
494
495 return vcard_emul_type_select(vreader);
496}
497/*
498 * TODO: move this to emulater non-specific file
499 */
500static const char *
501vcard_emul_get_type_params(VReader *vreader)
502{
503 VReaderEmul *vreader_emul;
504
505 vreader_emul = vreader_get_private(vreader);
506 if (vreader_emul && vreader_emul->type_params) {
507 return vreader_emul->type_params;
508 }
509
510 return "";
511}
512
513/* pull the slot out of the reader private data */
514static PK11SlotInfo *
515vcard_emul_reader_get_slot(VReader *vreader)
516{
517 VReaderEmul *vreader_emul = vreader_get_private(vreader);
518 if (vreader_emul == NULL) {
519 return NULL;
520 }
521 return vreader_emul->slot;
522}
523
524/*
0b6a16c1 525 * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate
111a38b0
RR		 526 * historical bytes for any software emulated card. The remaining bytes can be
527 * used to indicate the actual emulator
528 */
0b6a16c1
AL		 529static unsigned char *nss_atr;
530static int nss_atr_len;
111a38b0
RR		 531
532void
533vcard_emul_get_atr(VCard *card, unsigned char *atr, int *atr_len)
534{
0b6a16c1 535 int len;
111a38b0
RR		 536 assert(atr != NULL);
537
0b6a16c1
AL		 538 if (nss_atr == NULL) {
539 nss_atr = vcard_alloc_atr("NSS", &nss_atr_len);
540 }
541 len = MIN(nss_atr_len, *atr_len);
111a38b0
RR		 542 memcpy(atr, nss_atr, len);
543 *atr_len = len;
111a38b0
RR		 544}
545
546/*
547 * create a new card from certs and keys
548 */
549static VCard *
550vcard_emul_make_card(VReader *reader,
551 unsigned char * const *certs, int *cert_len,
552 VCardKey *keys[], int cert_count)
553{
554 VCardEmul *vcard_emul;
555 VCard *vcard;
556 PK11SlotInfo *slot;
557 VCardEmulType type;
558 const char *params;
559
560 type = vcard_emul_get_type(reader);
561
562 /* ignore the inserted card */
563 if (type == VCARD_EMUL_NONE) {
564 return NULL;
565 }
566 slot = vcard_emul_reader_get_slot(reader);
567 if (slot == NULL) {
568 return NULL;
569 }
570
571 params = vcard_emul_get_type_params(reader);
572 /* params these can be NULL */
573
574 vcard_emul = vcard_emul_new_card(slot);
575 if (vcard_emul == NULL) {
576 return NULL;
577 }
578 vcard = vcard_new(vcard_emul, vcard_emul_delete_card);
579 if (vcard == NULL) {
580 vcard_emul_delete_card(vcard_emul);
581 return NULL;
582 }
583 vcard_init(reader, vcard, type, params, certs, cert_len, keys, cert_count);
584 return vcard;
585}
586
587
588/*
589 * 'clone' a physical card as a virtual card
590 */
591static VCard *
592vcard_emul_mirror_card(VReader *vreader)
593{
594 /*
595 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
596 * us the real certs until we log in.
597 */
598 PK11GenericObject *firstObj, *thisObj;
599 int cert_count;
600 unsigned char **certs;
601 int *cert_len;
602 VCardKey **keys;
603 PK11SlotInfo *slot;
604 PRBool ret;
ee83d414 605 VCard *card;
111a38b0
RR		 606
607 slot = vcard_emul_reader_get_slot(vreader);
608 if (slot == NULL) {
609 return NULL;
610 }
611
612 firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE);
613 if (firstObj == NULL) {
614 return NULL;
615 }
616
617 /* count the certs */
618 cert_count = 0;
619 for (thisObj = firstObj; thisObj;
620 thisObj = PK11_GetNextGenericObject(thisObj)) {
621 cert_count++;
622 }
623
624 if (cert_count == 0) {
625 PK11_DestroyGenericObjects(firstObj);
626 return NULL;
627 }
628
629 /* allocate the arrays */
630 ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, cert_count);
631 if (ret == PR_FALSE) {
632 return NULL;
633 }
634
635 /* fill in the arrays */
636 cert_count = 0;
637 for (thisObj = firstObj; thisObj;
638 thisObj = PK11_GetNextGenericObject(thisObj)) {
639 SECItem derCert;
640 CERTCertificate *cert;
641 SECStatus rv;
642
643 rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj,
644 CKA_VALUE, &derCert);
645 if (rv != SECSuccess) {
646 continue;
647 }
648 /* create floating temp cert. This gives us a cert structure even if
649 * the token isn't logged in */
650 cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert,
651 NULL, PR_FALSE, PR_TRUE);
652 SECITEM_FreeItem(&derCert, PR_FALSE);
653 if (cert == NULL) {
654 continue;
655 }
656
657 certs[cert_count] = cert->derCert.data;
658 cert_len[cert_count] = cert->derCert.len;
659 keys[cert_count] = vcard_emul_make_key(slot, cert);
660 cert_count++;
661 CERT_DestroyCertificate(cert); /* key obj still has a reference */
662 }
663
664 /* now create the card */
ee83d414 665 card = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count);
7267c094
AL		 666 g_free(certs);
667 g_free(cert_len);
668 g_free(keys);
ee83d414
CF		 669
670 return card;
111a38b0
RR		 671}
672
673static VCardEmulType default_card_type = VCARD_EMUL_NONE;
674static const char *default_type_params = "";
675
676/*
677 * This thread looks for card and reader insertions and puts events on the
678 * event queue
679 */
680static void
681vcard_emul_event_thread(void *arg)
682{
683 PK11SlotInfo *slot;
684 VReader *vreader;
685 VReaderEmul *vreader_emul;
686 VCard *vcard;
687 SECMODModule *module = (SECMODModule *)arg;
688
689 do {
1b902f7d
AL		 690 /*
691 * XXX - the latency value doesn't matter one bit. you only get no
692 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
693 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
694 * value we pass get's dropped on the floor before C_WaitForSlotEvent
695 * is called.
696 */
111a38b0
RR		 697 slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500);
698 if (slot == NULL) {
1b902f7d
AL		 699 /* this could be just a no event indication */
700 if (PORT_GetError() == SEC_ERROR_NO_EVENT) {
701 continue;
702 }
111a38b0
RR		 703 break;
704 }
705 vreader = vcard_emul_find_vreader_from_slot(slot);
706 if (vreader == NULL) {
707 /* new vreader */
708 vreader_emul = vreader_emul_new(slot, default_card_type,
709 default_type_params);
710 vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
711 vreader_emul_delete);
712 PK11_FreeSlot(slot);
713 slot = NULL;
714 vreader_add_reader(vreader);
715 vreader_free(vreader);
716 continue;
717 }
718 /* card remove/insert */
719 vreader_emul = vreader_get_private(vreader);
720 if (PK11_IsPresent(slot)) {
721 int series = PK11_GetSlotSeries(slot);
722 if (series != vreader_emul->series) {
723 if (vreader_emul->present) {
724 vreader_insert_card(vreader, NULL);
725 }
726 vcard = vcard_emul_mirror_card(vreader);
727 vreader_insert_card(vreader, vcard);
728 vcard_free(vcard);
729 }
730 vreader_emul->series = series;
731 vreader_emul->present = 1;
732 vreader_free(vreader);
733 PK11_FreeSlot(slot);
734 continue;
735 }
736 if (vreader_emul->present) {
737 vreader_insert_card(vreader, NULL);
738 }
739 vreader_emul->series = 0;
740 vreader_emul->present = 0;
741 PK11_FreeSlot(slot);
742 vreader_free(vreader);
743 } while (1);
744}
745
746/* if the card is inserted when we start up, make sure our state is correct */
747static void
748vcard_emul_init_series(VReader *vreader, VCard *vcard)
749{
750 VReaderEmul *vreader_emul = vreader_get_private(vreader);
751 PK11SlotInfo *slot = vreader_emul->slot;
752
753 vreader_emul->present = PK11_IsPresent(slot);
754 vreader_emul->series = PK11_GetSlotSeries(slot);
755 if (vreader_emul->present == 0) {
756 vreader_insert_card(vreader, NULL);
757 }
758}
759
760/*
761 * each module has a separate wait call, create a thread for each module that
762 * we are using.
763 */
764static void
765vcard_emul_new_event_thread(SECMODModule *module)
766{
767 PR_CreateThread(PR_SYSTEM_THREAD, vcard_emul_event_thread,
768 module, PR_PRIORITY_HIGH, PR_GLOBAL_THREAD,
769 PR_UNJOINABLE_THREAD, 0);
770}
771
772static const VCardEmulOptions default_options = {
773 .nss_db = NULL,
774 .vreader = NULL,
775 .vreader_count = 0,
776 .hw_card_type = VCARD_EMUL_CAC,
777 .hw_type_params = "",
778 .use_hw = PR_TRUE
779};
780
781
782/*
783 * NSS needs the app to supply a password prompt. In our case the only time
784 * the password is supplied is as part of the Login APDU. The actual password
785 * is passed in the pw_arg in that case. In all other cases pw_arg should be
786 * NULL.
787 */
788static char *
789vcard_emul_get_password(PK11SlotInfo *slot, PRBool retries, void *pw_arg)
790{
791 /* if it didn't work the first time, don't keep trying */
792 if (retries) {
793 return NULL;
794 }
795 /* we are looking up a password when we don't have one in hand */
796 if (pw_arg == NULL) {
797 return NULL;
798 }
799 /* TODO: we really should verify that were are using the right slot */
800 return PORT_Strdup(pw_arg);
801}
802
803/* Force a card removal even if the card is not physically removed */
804VCardEmulError
805vcard_emul_force_card_remove(VReader *vreader)
806{
807 if (!nss_emul_init || (vreader_card_is_present(vreader) != VREADER_OK)) {
808 return VCARD_EMUL_FAIL; /* card is already removed */
809 }
810
811 /* OK, remove it */
812 vreader_insert_card(vreader, NULL);
813 return VCARD_EMUL_OK;
814}
815
816/* Re-insert of a card that has been removed by force removal */
817VCardEmulError
818vcard_emul_force_card_insert(VReader *vreader)
819{
820 VReaderEmul *vreader_emul;
821 VCard *vcard;
822
823 if (!nss_emul_init || (vreader_card_is_present(vreader) == VREADER_OK)) {
824 return VCARD_EMUL_FAIL; /* card is already removed */
825 }
826 vreader_emul = vreader_get_private(vreader);
827
828 /* if it's a softcard, get the saved vcard from the reader emul structure */
829 if (vreader_emul->saved_vcard) {
830 vcard = vcard_reference(vreader_emul->saved_vcard);
831 } else {
832 /* it must be a physical card, rebuild it */
833 if (!PK11_IsPresent(vreader_emul->slot)) {
834 /* physical card has been removed, not way to reinsert it */
835 return VCARD_EMUL_FAIL;
836 }
837 vcard = vcard_emul_mirror_card(vreader);
838 }
839 vreader_insert_card(vreader, vcard);
840 vcard_free(vcard);
841
842 return VCARD_EMUL_OK;
843}
844
845
846static PRBool
847module_has_removable_hw_slots(SECMODModule *mod)
848{
849 int i;
850 PRBool ret = PR_FALSE;
851 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
852
853 if (!moduleLock) {
854 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
855 return ret;
856 }
857 SECMOD_GetReadLock(moduleLock);
858 for (i = 0; i < mod->slotCount; i++) {
859 PK11SlotInfo *slot = mod->slots[i];
860 if (PK11_IsRemovable(slot) && PK11_IsHW(slot)) {
861 ret = PR_TRUE;
862 break;
863 }
864 }
865 SECMOD_ReleaseReadLock(moduleLock);
866 return ret;
867}
868
869/* Previously we returned FAIL if no readers found. This makes
870 * no sense when using hardware, since there may be no readers connected
871 * at the time vcard_emul_init is called, but they will be properly
872 * recognized later. So Instead return FAIL only if no_hw==1 and no
873 * vcards can be created (indicates error with certificates provided
874 * or db), or if any other higher level error (NSS error, missing coolkey). */
875static int vcard_emul_init_called;
876
877VCardEmulError
878vcard_emul_init(const VCardEmulOptions *options)
879{
880 SECStatus rv;
ad2181f2 881 PRBool ret, has_readers = PR_FALSE;
111a38b0
RR		 882 VReader *vreader;
883 VReaderEmul *vreader_emul;
884 SECMODListLock *module_lock;
885 SECMODModuleList *module_list;
886 SECMODModuleList *mlp;
887 int i;
888
889 if (vcard_emul_init_called) {
890 return VCARD_EMUL_INIT_ALREADY_INITED;
891 }
892 vcard_emul_init_called = 1;
893 vreader_init();
894 vevent_queue_init();
895
896 if (options == NULL) {
897 options = &default_options;
898 }
899
900 /* first initialize NSS */
901 if (options->nss_db) {
902 rv = NSS_Init(options->nss_db);
903 } else {
667e0b4b 904 gchar *path;
e2d9c5e7
MAL		 905#ifndef _WIN32
906 path = g_strdup("/etc/pki/nssdb");
907#else
908 if (g_get_system_config_dirs() == NULL ||
909 g_get_system_config_dirs()[0] == NULL) {
910 return VCARD_EMUL_FAIL;
911 }
912
913 path = g_build_filename(
914 g_get_system_config_dirs()[0], "pki", "nssdb", NULL);
915#endif
e2d9c5e7 916
667e0b4b 917 rv = NSS_Init(path);
e2d9c5e7 918 g_free(path);
111a38b0
RR		 919 }
920 if (rv != SECSuccess) {
921 return VCARD_EMUL_FAIL;
922 }
923 /* Set password callback function */
924 PK11_SetPasswordFunc(vcard_emul_get_password);
925
926 /* set up soft cards emulated by software certs rather than physical cards
927 * */
928 for (i = 0; i < options->vreader_count; i++) {
929 int j;
930 int cert_count;
931 unsigned char **certs;
932 int *cert_len;
933 VCardKey **keys;
934 PK11SlotInfo *slot;
935
936 slot = PK11_FindSlotByName(options->vreader[i].name);
937 if (slot == NULL) {
938 continue;
939 }
940 vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type,
941 options->vreader[i].type_params);
942 vreader = vreader_new(options->vreader[i].vname, vreader_emul,
943 vreader_emul_delete);
944 vreader_add_reader(vreader);
945 cert_count = options->vreader[i].cert_count;
946
947 ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys,
948 options->vreader[i].cert_count);
949 if (ret == PR_FALSE) {
950 continue;
951 }
952 cert_count = 0;
953 for (j = 0; j < options->vreader[i].cert_count; j++) {
954 /* we should have a better way of identifying certs than by
955 * nickname here */
956 CERTCertificate *cert = PK11_FindCertFromNickname(
957 options->vreader[i].cert_name[j],
958 NULL);
959 if (cert == NULL) {
960 continue;
961 }
962 certs[cert_count] = cert->derCert.data;
963 cert_len[cert_count] = cert->derCert.len;
964 keys[cert_count] = vcard_emul_make_key(slot, cert);
965 /* this is safe because the key is still holding a cert reference */
966 CERT_DestroyCertificate(cert);
967 cert_count++;
968 }
969 if (cert_count) {
970 VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len,
971 keys, cert_count);
972 vreader_insert_card(vreader, vcard);
973 vcard_emul_init_series(vreader, vcard);
974 /* allow insertion and removal of soft cards */
975 vreader_emul->saved_vcard = vcard_reference(vcard);
976 vcard_free(vcard);
977 vreader_free(vreader);
978 has_readers = PR_TRUE;
979 }
7267c094
AL		 980 g_free(certs);
981 g_free(cert_len);
982 g_free(keys);
111a38b0
RR		 983 }
984
985 /* if we aren't suppose to use hw, skip looking up hardware tokens */
986 if (!options->use_hw) {
987 nss_emul_init = has_readers;
988 return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL;
989 }
990
991 /* make sure we have some PKCS #11 module loaded */
992 module_lock = SECMOD_GetDefaultModuleListLock();
993 module_list = SECMOD_GetDefaultModuleList();
111a38b0
RR		 994 SECMOD_GetReadLock(module_lock);
995 for (mlp = module_list; mlp; mlp = mlp->next) {
996 SECMODModule *module = mlp->module;
997 if (module_has_removable_hw_slots(module)) {
111a38b0
RR		 998 break;
999 }
1000 }
1001 SECMOD_ReleaseReadLock(module_lock);
1002
111a38b0
RR		 1003 /* now examine all the slots, finding which should be readers */
1004 /* We should control this with options. For now we mirror out any
1005 * removable hardware slot */
1006 default_card_type = options->hw_card_type;
be168af8 1007 default_type_params = g_strdup(options->hw_type_params);
111a38b0
RR		 1008
1009 SECMOD_GetReadLock(module_lock);
1010 for (mlp = module_list; mlp; mlp = mlp->next) {
1011 SECMODModule *module = mlp->module;
111a38b0 1012
4e339882
AL		 1013 /* Ignore the internal module */
1014 if (module == NULL || module == SECMOD_GetInternalModule()) {
1015 continue;
111a38b0
RR		 1016 }
1017
1018 for (i = 0; i < module->slotCount; i++) {
1019 PK11SlotInfo *slot = module->slots[i];
1020
1021 /* only map removable HW slots */
1022 if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) {
1023 continue;
1024 }
6f06f178
AL		 1025 if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) {
1026 /*
1027 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1028 * any hardware readers. This causes problems, warn user of
1029 * problems.
1030 */
1031 fprintf(stderr, "known bad coolkey version - see "
1032 "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n");
1033 continue;
1034 }
111a38b0
RR		 1035 vreader_emul = vreader_emul_new(slot, options->hw_card_type,
1036 options->hw_type_params);
1037 vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
1038 vreader_emul_delete);
1039 vreader_add_reader(vreader);
1040
111a38b0
RR		 1041 if (PK11_IsPresent(slot)) {
1042 VCard *vcard;
1043 vcard = vcard_emul_mirror_card(vreader);
1044 vreader_insert_card(vreader, vcard);
1045 vcard_emul_init_series(vreader, vcard);
1046 vcard_free(vcard);
1047 }
1048 }
4e339882 1049 vcard_emul_new_event_thread(module);
111a38b0
RR		 1050 }
1051 SECMOD_ReleaseReadLock(module_lock);
4e339882 1052 nss_emul_init = PR_TRUE;
111a38b0
RR		 1053
1054 return VCARD_EMUL_OK;
1055}
1056
1057/* Recreate card insert events for all readers (user should
1058 * deduce implied reader insert. perhaps do a reader insert as well?)
1059 */
1060void
1061vcard_emul_replay_insertion_events(void)
1062{
1063 VReaderListEntry *current_entry;
1064 VReaderListEntry *next_entry = NULL;
1065 VReaderList *list = vreader_get_reader_list();
1066
1067 for (current_entry = vreader_list_get_first(list); current_entry;
1068 current_entry = next_entry) {
1069 VReader *vreader = vreader_list_get_reader(current_entry);
1070 next_entry = vreader_list_get_next(current_entry);
1071 vreader_queue_card_event(vreader);
1072 }
1073}
1074
1075/*
1076 * Silly little functions to help parsing our argument string
1077 */
111a38b0
RR		 1078static int
1079count_tokens(const char *str, char token, char token_end)
1080{
1081 int count = 0;
1082
1083 for (; *str; str++) {
1084 if (*str == token) {
1085 count++;
1086 }
1087 if (*str == token_end) {
1088 break;
1089 }
1090 }
1091 return count;
1092}
1093
1094static const char *
1095strip(const char *str)
1096{
685ff50f 1097 for (; *str && isspace(*str); str++) {
111a38b0
RR		 1098 }
1099 return str;
1100}
1101
1102static const char *
1103find_blank(const char *str)
1104{
685ff50f 1105 for (; *str && !isspace(*str); str++) {
111a38b0
RR		 1106 }
1107 return str;
1108}
1109
1110
1111/*
1112 * We really want to use some existing argument parsing library here. That
fc27eefe 1113 * would give us a consistent look */
111a38b0
RR		 1114static VCardEmulOptions options;
1115#define READER_STEP 4
1116
d246b3cf
CF		 1117/* Expects "args" to be at the beginning of a token (ie right after the ','
1118 * ending the previous token), and puts the next token start in "token",
1119 * and its length in "token_length". "token" will not be nul-terminated.
1120 * After calling the macro, "args" will be advanced to the beginning of
1121 * the next token.
1122 * This macro may call continue or break.
1123 */
1124#define NEXT_TOKEN(token) \
1125 (token) = args; \
1126 args = strpbrk(args, ",)"); \
1127 if (*args == 0) { \
1128 break; \
1129 } \
1130 if (*args == ')') { \
1131 args++; \
1132 continue; \
1133 } \
1134 (token##_length) = args - (token); \
1135 args = strip(args+1);
1136
111a38b0
RR		 1137VCardEmulOptions *
1138vcard_emul_options(const char *args)
1139{
1140 int reader_count = 0;
1141 VCardEmulOptions *opts;
111a38b0
RR		 1142
1143 /* Allow the future use of allocating the options structure on the fly */
1144 memcpy(&options, &default_options, sizeof(options));
1145 opts = &options;
1146
1147 do {
1148 args = strip(args); /* strip off the leading spaces */
1149 if (*args == ',') {
1150 continue;
1151 }
1152 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1153 * cert_2,cert_3...) */
1154 if (strncmp(args, "soft=", 5) == 0) {
1155 const char *name;
a5aa842a 1156 size_t name_length;
111a38b0 1157 const char *vname;
a5aa842a 1158 size_t vname_length;
111a38b0 1159 const char *type_params;
a5aa842a
CF		 1160 size_t type_params_length;
1161 char type_str[100];
111a38b0 1162 VCardEmulType type;
a5aa842a 1163 int count, i;
111a38b0
RR		 1164 VirtualReaderOptions *vreaderOpt = NULL;
1165
1166 args = strip(args + 5);
1167 if (*args != '(') {
1168 continue;
1169 }
a5aa842a
CF		 1170 args = strip(args+1);
1171
d246b3cf
CF		 1172 NEXT_TOKEN(name)
1173 NEXT_TOKEN(vname)
1174 NEXT_TOKEN(type_params)
a5aa842a 1175 type_params_length = MIN(type_params_length, sizeof(type_str)-1);
2e679780 1176 pstrcpy(type_str, type_params_length, type_params);
a5aa842a
CF		 1177 type = vcard_emul_type_from_string(type_str);
1178
d246b3cf 1179 NEXT_TOKEN(type_params)
a5aa842a 1180
111a38b0
RR		 1181 if (*args == 0) {
1182 break;
1183 }
1184
1185 if (opts->vreader_count >= reader_count) {
1186 reader_count += READER_STEP;
1187 vreaderOpt = realloc(opts->vreader,
1188 reader_count * sizeof(*vreaderOpt));
1189 if (vreaderOpt == NULL) {
1190 return opts; /* we're done */
1191 }
1192 }
1193 opts->vreader = vreaderOpt;
1194 vreaderOpt = &vreaderOpt[opts->vreader_count];
7267c094
AL		 1195 vreaderOpt->name = g_strndup(name, name_length);
1196 vreaderOpt->vname = g_strndup(vname, vname_length);
111a38b0
RR		 1197 vreaderOpt->card_type = type;
1198 vreaderOpt->type_params =
7267c094 1199 g_strndup(type_params, type_params_length);
a5aa842a 1200 count = count_tokens(args, ',', ')') + 1;
111a38b0 1201 vreaderOpt->cert_count = count;
7267c094 1202 vreaderOpt->cert_name = (char **)g_malloc(count*sizeof(char *));
111a38b0 1203 for (i = 0; i < count; i++) {
a5aa842a
CF		 1204 const char *cert = args;
1205 args = strpbrk(args, ",)");
7267c094 1206 vreaderOpt->cert_name[i] = g_strndup(cert, args - cert);
a5aa842a 1207 args = strip(args+1);
111a38b0
RR		 1208 }
1209 if (*args == ')') {
1210 args++;
1211 }
1212 opts->vreader_count++;
1213 /* use_hw= */
1214 } else if (strncmp(args, "use_hw=", 7) == 0) {
1215 args = strip(args+7);
1216 if (*args == '0' || *args == 'N' || *args == 'n' || *args == 'F') {
1217 opts->use_hw = PR_FALSE;
1218 } else {
1219 opts->use_hw = PR_TRUE;
1220 }
1221 args = find_blank(args);
1222 /* hw_type= */
1223 } else if (strncmp(args, "hw_type=", 8) == 0) {
1224 args = strip(args+8);
1225 opts->hw_card_type = vcard_emul_type_from_string(args);
1226 args = find_blank(args);
1227 /* hw_params= */
1228 } else if (strncmp(args, "hw_params=", 10) == 0) {
1229 const char *params;
1230 args = strip(args+10);
1231 params = args;
1232 args = find_blank(args);
7267c094 1233 opts->hw_type_params = g_strndup(params, args-params);
111a38b0
RR		 1234 /* db="/data/base/path" */
1235 } else if (strncmp(args, "db=", 3) == 0) {
1236 const char *db;
1237 args = strip(args+3);
1238 if (*args != '"') {
1239 continue;
1240 }
1241 args++;
1242 db = args;
1243 args = strpbrk(args, "\"\n");
7267c094 1244 opts->nss_db = g_strndup(db, args-db);
111a38b0
RR		 1245 if (*args != 0) {
1246 args++;
1247 }
1248 } else {
1249 args = find_blank(args);
1250 }
1251 } while (*args != 0);
1252
1253 return opts;
1254}
1255
1256void
1257vcard_emul_usage(void)
1258{
1259 fprintf(stderr,
1260"emul args: comma separated list of the following arguments\n"
1261" db={nss_database} (default sql:/etc/pki/nssdb)\n"
1262" use_hw=[yes|no] (default yes)\n"
1263" hw_type={card_type_to_emulate} (default CAC)\n"
1264" hw_param={param_for_card} (default \"\")\n"
1265" soft=({slot_name},{vreader_name},{card_type_to_emulate},{params_for_card},\n"
1266" {cert1},{cert2},{cert3} (default none)\n"
1267"\n"
1268" {nss_database} The location of the NSS cert & key database\n"
1269" {card_type_to_emulate} What card interface to present to the guest\n"
1270" {param_for_card} Card interface specific parameters\n"
1271" {slot_name} NSS slot that contains the certs\n"
cba919da 1272" {vreader_name} Virtual reader name to present to the guest\n"
111a38b0
RR		 1273" {certN} Nickname of the certificate n on the virtual card\n"
1274"\n"
1275"These parameters come as a single string separated by blanks or newlines."
1276"\n"
1277"Unless use_hw is set to no, all tokens that look like removable hardware\n"
1278"tokens will be presented to the guest using the emulator specified by\n"
1279"hw_type, and parameters of hw_param.\n"
1280"\n"
1281"If more one or more soft= parameters are specified, these readers will be\n"
1282"presented to the guest\n");
1283}
Qemu copy for testing