]>
Commit | Line | Data |
---|---|---|
111a38b0 RR |
1 | /* |
2 | * This is the actual card emulator. | |
3 | * | |
4 | * These functions can be implemented in different ways on different platforms | |
5 | * using the underlying system primitives. For Linux it uses NSS, though direct | |
6 | * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be | |
7 | * used. On Windows CAPI could be used. | |
8 | * | |
9 | * This work is licensed under the terms of the GNU LGPL, version 2.1 or later. | |
10 | * See the COPYING.LIB file in the top-level directory. | |
11 | */ | |
12 | ||
13 | /* | |
14 | * NSS headers | |
15 | */ | |
16 | ||
17 | /* avoid including prototypes.h that redefines uint32 */ | |
18 | #define NO_NSPR_10_SUPPORT | |
19 | ||
20 | #include <nss.h> | |
21 | #include <pk11pub.h> | |
22 | #include <cert.h> | |
23 | #include <key.h> | |
24 | #include <secmod.h> | |
25 | #include <prthread.h> | |
26 | #include <secerr.h> | |
27 | ||
28 | #include "qemu-common.h" | |
29 | ||
30 | #include "vcard.h" | |
31 | #include "card_7816t.h" | |
32 | #include "vcard_emul.h" | |
33 | #include "vreader.h" | |
34 | #include "vevent.h" | |
35 | ||
0b6a16c1 AL |
36 | #include "libcacard/vcardt_internal.h" |
37 | ||
38 | ||
010debef RR |
39 | typedef enum { |
40 | VCardEmulUnknown = -1, | |
41 | VCardEmulFalse = 0, | |
42 | VCardEmulTrue = 1 | |
43 | } VCardEmulTriState; | |
44 | ||
111a38b0 RR |
45 | struct VCardKeyStruct { |
46 | CERTCertificate *cert; | |
47 | PK11SlotInfo *slot; | |
48 | SECKEYPrivateKey *key; | |
010debef | 49 | VCardEmulTriState failedX509; |
111a38b0 RR |
50 | }; |
51 | ||
52 | ||
53 | typedef struct VirtualReaderOptionsStruct VirtualReaderOptions; | |
54 | ||
55 | struct VReaderEmulStruct { | |
56 | PK11SlotInfo *slot; | |
57 | VCardEmulType default_type; | |
58 | char *type_params; | |
59 | PRBool present; | |
60 | int series; | |
61 | VCard *saved_vcard; | |
62 | }; | |
63 | ||
64 | /* | |
65 | * NSS Specific options | |
66 | */ | |
67 | struct VirtualReaderOptionsStruct { | |
68 | char *name; | |
69 | char *vname; | |
70 | VCardEmulType card_type; | |
71 | char *type_params; | |
72 | char **cert_name; | |
73 | int cert_count; | |
74 | }; | |
75 | ||
76 | struct VCardEmulOptionsStruct { | |
77 | void *nss_db; | |
78 | VirtualReaderOptions *vreader; | |
79 | int vreader_count; | |
80 | VCardEmulType hw_card_type; | |
81 | const char *hw_type_params; | |
82 | PRBool use_hw; | |
83 | }; | |
84 | ||
85 | static int nss_emul_init; | |
86 | ||
87 | /* if we have more that just the slot, define | |
88 | * VCardEmulStruct here */ | |
89 | ||
90 | /* | |
91 | * allocate the set of arrays for certs, cert_len, key | |
92 | */ | |
93 | static PRBool | |
94 | vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp, | |
95 | VCardKey ***keysp, int cert_count) | |
96 | { | |
97 | *certsp = NULL; | |
98 | *cert_lenp = NULL; | |
99 | *keysp = NULL; | |
7267c094 AL |
100 | *certsp = (unsigned char **)g_malloc(sizeof(unsigned char *)*cert_count); |
101 | *cert_lenp = (int *)g_malloc(sizeof(int)*cert_count); | |
102 | *keysp = (VCardKey **)g_malloc(sizeof(VCardKey *)*cert_count); | |
111a38b0 RR |
103 | return PR_TRUE; |
104 | } | |
105 | ||
106 | /* | |
107 | * Emulator specific card information | |
108 | */ | |
109 | typedef struct CardEmulCardStruct CardEmulPrivate; | |
110 | ||
111 | static VCardEmul * | |
112 | vcard_emul_new_card(PK11SlotInfo *slot) | |
113 | { | |
114 | PK11_ReferenceSlot(slot); | |
115 | /* currently we don't need anything other than the slot */ | |
116 | return (VCardEmul *)slot; | |
117 | } | |
118 | ||
119 | static void | |
120 | vcard_emul_delete_card(VCardEmul *vcard_emul) | |
121 | { | |
122 | PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul; | |
123 | if (slot == NULL) { | |
124 | return; | |
125 | } | |
126 | PK11_FreeSlot(slot); | |
127 | } | |
128 | ||
129 | static PK11SlotInfo * | |
130 | vcard_emul_card_get_slot(VCard *card) | |
131 | { | |
132 | /* note, the card is holding the reference, no need to get another one */ | |
133 | return (PK11SlotInfo *)vcard_get_private(card); | |
134 | } | |
135 | ||
136 | ||
137 | /* | |
138 | * key functions | |
139 | */ | |
140 | /* private constructure */ | |
141 | static VCardKey * | |
142 | vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert) | |
143 | { | |
144 | VCardKey *key; | |
145 | ||
7267c094 | 146 | key = (VCardKey *)g_malloc(sizeof(VCardKey)); |
111a38b0 RR |
147 | key->slot = PK11_ReferenceSlot(slot); |
148 | key->cert = CERT_DupCertificate(cert); | |
149 | /* NOTE: if we aren't logged into the token, this could return NULL */ | |
150 | /* NOTE: the cert is a temp cert, not necessarily the cert in the token, | |
151 | * use the DER version of this function */ | |
152 | key->key = PK11_FindKeyByDERCert(slot, cert, NULL); | |
010debef | 153 | key->failedX509 = VCardEmulUnknown; |
111a38b0 RR |
154 | return key; |
155 | } | |
156 | ||
157 | /* destructor */ | |
158 | void | |
159 | vcard_emul_delete_key(VCardKey *key) | |
160 | { | |
161 | if (!nss_emul_init || (key == NULL)) { | |
162 | return; | |
163 | } | |
164 | if (key->key) { | |
165 | SECKEY_DestroyPrivateKey(key->key); | |
166 | key->key = NULL; | |
167 | } | |
168 | if (key->cert) { | |
169 | CERT_DestroyCertificate(key->cert); | |
170 | } | |
171 | if (key->slot) { | |
172 | PK11_FreeSlot(key->slot); | |
173 | } | |
111a38b0 RR |
174 | } |
175 | ||
176 | /* | |
177 | * grab the nss key from a VCardKey. If it doesn't exist, try to look it up | |
178 | */ | |
179 | static SECKEYPrivateKey * | |
180 | vcard_emul_get_nss_key(VCardKey *key) | |
181 | { | |
182 | if (key->key) { | |
183 | return key->key; | |
184 | } | |
185 | /* NOTE: if we aren't logged into the token, this could return NULL */ | |
186 | key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL); | |
187 | return key->key; | |
188 | } | |
189 | ||
190 | /* | |
191 | * Map NSS errors to 7816 errors | |
192 | */ | |
193 | static vcard_7816_status_t | |
194 | vcard_emul_map_error(int error) | |
195 | { | |
196 | switch (error) { | |
197 | case SEC_ERROR_TOKEN_NOT_LOGGED_IN: | |
198 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; | |
199 | case SEC_ERROR_BAD_DATA: | |
200 | case SEC_ERROR_OUTPUT_LEN: | |
201 | case SEC_ERROR_INPUT_LEN: | |
202 | case SEC_ERROR_INVALID_ARGS: | |
203 | case SEC_ERROR_INVALID_ALGORITHM: | |
204 | case SEC_ERROR_NO_KEY: | |
205 | case SEC_ERROR_INVALID_KEY: | |
206 | case SEC_ERROR_DECRYPTION_DISALLOWED: | |
207 | return VCARD7816_STATUS_ERROR_DATA_INVALID; | |
208 | case SEC_ERROR_NO_MEMORY: | |
209 | return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE; | |
210 | } | |
211 | return VCARD7816_STATUS_EXC_ERROR_CHANGE; | |
212 | } | |
213 | ||
214 | /* RSA sign/decrypt with the key, signature happens 'in place' */ | |
215 | vcard_7816_status_t | |
216 | vcard_emul_rsa_op(VCard *card, VCardKey *key, | |
217 | unsigned char *buffer, int buffer_size) | |
218 | { | |
219 | SECKEYPrivateKey *priv_key; | |
220 | unsigned signature_len; | |
010debef | 221 | PK11SlotInfo *slot; |
111a38b0 | 222 | SECStatus rv; |
010debef RR |
223 | unsigned char buf[2048]; |
224 | unsigned char *bp = NULL; | |
225 | int pad_len; | |
226 | vcard_7816_status_t ret = VCARD7816_STATUS_SUCCESS; | |
111a38b0 RR |
227 | |
228 | if ((!nss_emul_init) || (key == NULL)) { | |
229 | /* couldn't get the key, indicate that we aren't logged in */ | |
230 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; | |
231 | } | |
232 | priv_key = vcard_emul_get_nss_key(key); | |
010debef RR |
233 | if (priv_key == NULL) { |
234 | /* couldn't get the key, indicate that we aren't logged in */ | |
235 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; | |
236 | } | |
237 | slot = vcard_emul_card_get_slot(card); | |
111a38b0 RR |
238 | |
239 | /* | |
240 | * this is only true of the rsa signature | |
241 | */ | |
242 | signature_len = PK11_SignatureLen(priv_key); | |
243 | if (buffer_size != signature_len) { | |
244 | return VCARD7816_STATUS_ERROR_DATA_INVALID; | |
245 | } | |
010debef RR |
246 | /* be able to handle larger keys if necessariy */ |
247 | bp = &buf[0]; | |
248 | if (sizeof(buf) < signature_len) { | |
7267c094 | 249 | bp = g_malloc(signature_len); |
010debef RR |
250 | } |
251 | ||
252 | /* | |
253 | * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then | |
254 | * choke when they try to do the actual operations. Try to detect | |
255 | * those cases and treat them as if the token didn't claim support for | |
256 | * X_509. | |
257 | */ | |
258 | if (key->failedX509 != VCardEmulTrue | |
259 | && PK11_DoesMechanism(slot, CKM_RSA_X_509)) { | |
260 | rv = PK11_PrivDecryptRaw(priv_key, bp, &signature_len, signature_len, | |
261 | buffer, buffer_size); | |
262 | if (rv == SECSuccess) { | |
263 | assert(buffer_size == signature_len); | |
264 | memcpy(buffer, bp, signature_len); | |
265 | key->failedX509 = VCardEmulFalse; | |
266 | goto cleanup; | |
267 | } | |
268 | /* | |
269 | * we've had a successful X509 operation, this failure must be | |
270 | * somethine else | |
271 | */ | |
272 | if (key->failedX509 == VCardEmulFalse) { | |
273 | ret = vcard_emul_map_error(PORT_GetError()); | |
274 | goto cleanup; | |
275 | } | |
276 | /* | |
277 | * key->failedX509 must be Unknown at this point, try the | |
278 | * non-x_509 case | |
279 | */ | |
280 | } | |
281 | /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */ | |
282 | /* is this a PKCS #1 formatted signature? */ | |
283 | if ((buffer[0] == 0) && (buffer[1] == 1)) { | |
284 | int i; | |
285 | ||
286 | for (i = 2; i < buffer_size; i++) { | |
287 | /* rsa signature pad */ | |
288 | if (buffer[i] != 0xff) { | |
289 | break; | |
290 | } | |
291 | } | |
292 | if ((i < buffer_size) && (buffer[i] == 0)) { | |
293 | /* yes, we have a properly formated PKCS #1 signature */ | |
294 | /* | |
295 | * NOTE: even if we accidentally got an encrypt buffer, which | |
296 | * through shear luck started with 00, 01, ff, 00, it won't matter | |
297 | * because the resulting Sign operation will effectively decrypt | |
298 | * the real buffer. | |
299 | */ | |
300 | SECItem signature; | |
301 | SECItem hash; | |
302 | ||
303 | i++; | |
304 | hash.data = &buffer[i]; | |
305 | hash.len = buffer_size - i; | |
306 | signature.data = bp; | |
307 | signature.len = signature_len; | |
308 | rv = PK11_Sign(priv_key, &signature, &hash); | |
309 | if (rv != SECSuccess) { | |
310 | ret = vcard_emul_map_error(PORT_GetError()); | |
311 | goto cleanup; | |
312 | } | |
313 | assert(buffer_size == signature.len); | |
314 | memcpy(buffer, bp, signature.len); | |
315 | /* | |
316 | * we got here because either the X509 attempt failed, or the | |
317 | * token couldn't do the X509 operation, in either case stay | |
318 | * with the PKCS version for future operations on this key | |
319 | */ | |
320 | key->failedX509 = VCardEmulTrue; | |
321 | goto cleanup; | |
322 | } | |
323 | } | |
324 | pad_len = buffer_size - signature_len; | |
325 | assert(pad_len < 4); | |
326 | /* | |
327 | * OK now we've decrypted the payload, package it up in PKCS #1 for the | |
328 | * upper layer. | |
329 | */ | |
330 | buffer[0] = 0; | |
331 | buffer[1] = 2; /* RSA_encrypt */ | |
332 | pad_len -= 3; /* format is 0 || 2 || pad || 0 || data */ | |
333 | /* | |
334 | * padding for PKCS #1 encrypted data is a string of random bytes. The | |
335 | * random butes protect against potential decryption attacks against RSA. | |
336 | * Since PrivDecrypt has already stripped those bytes, we can't reconstruct | |
337 | * them. This shouldn't matter to the upper level code which should just | |
338 | * strip this code out anyway, so We'll pad with a constant 3. | |
339 | */ | |
340 | memset(&buffer[2], 0x03, pad_len); | |
341 | pad_len += 2; /* index to the end of the pad */ | |
342 | buffer[pad_len] = 0; | |
343 | pad_len++; /* index to the start of the data */ | |
344 | memcpy(&buffer[pad_len], bp, signature_len); | |
345 | /* | |
346 | * we got here because either the X509 attempt failed, or the | |
347 | * token couldn't do the X509 operation, in either case stay | |
348 | * with the PKCS version for future operations on this key | |
349 | */ | |
350 | key->failedX509 = VCardEmulTrue; | |
351 | cleanup: | |
352 | if (bp != buf) { | |
7267c094 | 353 | g_free(bp); |
111a38b0 | 354 | } |
010debef | 355 | return ret; |
111a38b0 RR |
356 | } |
357 | ||
358 | /* | |
359 | * Login functions | |
360 | */ | |
361 | /* return the number of login attempts still possible on the card. if unknown, | |
362 | * return -1 */ | |
363 | int | |
364 | vcard_emul_get_login_count(VCard *card) | |
365 | { | |
366 | return -1; | |
367 | } | |
368 | ||
369 | /* login into the card, return the 7816 status word (sw2 || sw1) */ | |
370 | vcard_7816_status_t | |
371 | vcard_emul_login(VCard *card, unsigned char *pin, int pin_len) | |
372 | { | |
373 | PK11SlotInfo *slot; | |
374 | unsigned char *pin_string = NULL; | |
375 | int i; | |
376 | SECStatus rv; | |
377 | ||
378 | if (!nss_emul_init) { | |
379 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; | |
380 | } | |
381 | slot = vcard_emul_card_get_slot(card); | |
382 | /* We depend on the PKCS #11 module internal login state here because we | |
383 | * create a separate process to handle each guest instance. If we needed | |
384 | * to handle multiple guests from one process, then we would need to keep | |
385 | * a lot of extra state in our card structure | |
386 | * */ | |
7267c094 | 387 | pin_string = g_malloc(pin_len+1); |
111a38b0 RR |
388 | memcpy(pin_string, pin, pin_len); |
389 | pin_string[pin_len] = 0; | |
390 | ||
391 | /* handle CAC expanded pins correctly */ | |
392 | for (i = pin_len-1; i >= 0 && (pin_string[i] == 0xff); i--) { | |
393 | pin_string[i] = 0; | |
394 | } | |
395 | ||
396 | rv = PK11_Authenticate(slot, PR_FALSE, pin_string); | |
397 | memset(pin_string, 0, pin_len); /* don't let the pin hang around in memory | |
398 | to be snooped */ | |
7267c094 | 399 | g_free(pin_string); |
111a38b0 RR |
400 | if (rv == SECSuccess) { |
401 | return VCARD7816_STATUS_SUCCESS; | |
402 | } | |
403 | /* map the error from port get error */ | |
404 | return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; | |
405 | } | |
406 | ||
407 | void | |
408 | vcard_emul_reset(VCard *card, VCardPower power) | |
409 | { | |
410 | PK11SlotInfo *slot; | |
411 | ||
412 | if (!nss_emul_init) { | |
413 | return; | |
414 | } | |
415 | ||
416 | /* | |
417 | * if we reset the card (either power on or power off), we lose our login | |
418 | * state | |
419 | */ | |
420 | /* TODO: we may also need to send insertion/removal events? */ | |
421 | slot = vcard_emul_card_get_slot(card); | |
422 | PK11_Logout(slot); /* NOTE: ignoring SECStatus return value */ | |
111a38b0 RR |
423 | } |
424 | ||
425 | ||
426 | static VReader * | |
427 | vcard_emul_find_vreader_from_slot(PK11SlotInfo *slot) | |
428 | { | |
429 | VReaderList *reader_list = vreader_get_reader_list(); | |
430 | VReaderListEntry *current_entry = NULL; | |
431 | ||
432 | if (reader_list == NULL) { | |
433 | return NULL; | |
434 | } | |
435 | for (current_entry = vreader_list_get_first(reader_list); current_entry; | |
436 | current_entry = vreader_list_get_next(current_entry)) { | |
437 | VReader *reader = vreader_list_get_reader(current_entry); | |
438 | VReaderEmul *reader_emul = vreader_get_private(reader); | |
439 | if (reader_emul->slot == slot) { | |
440 | return reader; | |
441 | } | |
442 | vreader_free(reader); | |
443 | } | |
444 | ||
445 | return NULL; | |
446 | } | |
447 | ||
448 | /* | |
449 | * create a new reader emul | |
450 | */ | |
451 | static VReaderEmul * | |
452 | vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params) | |
453 | { | |
454 | VReaderEmul *new_reader_emul; | |
455 | ||
7267c094 | 456 | new_reader_emul = (VReaderEmul *)g_malloc(sizeof(VReaderEmul)); |
111a38b0 RR |
457 | |
458 | new_reader_emul->slot = PK11_ReferenceSlot(slot); | |
459 | new_reader_emul->default_type = type; | |
be168af8 | 460 | new_reader_emul->type_params = g_strdup(params); |
111a38b0 RR |
461 | new_reader_emul->present = PR_FALSE; |
462 | new_reader_emul->series = 0; | |
463 | new_reader_emul->saved_vcard = NULL; | |
464 | return new_reader_emul; | |
465 | } | |
466 | ||
467 | static void | |
468 | vreader_emul_delete(VReaderEmul *vreader_emul) | |
469 | { | |
470 | if (vreader_emul == NULL) { | |
471 | return; | |
472 | } | |
473 | if (vreader_emul->slot) { | |
474 | PK11_FreeSlot(vreader_emul->slot); | |
475 | } | |
476 | if (vreader_emul->type_params) { | |
7267c094 | 477 | g_free(vreader_emul->type_params); |
111a38b0 | 478 | } |
7267c094 | 479 | g_free(vreader_emul); |
111a38b0 RR |
480 | } |
481 | ||
482 | /* | |
483 | * TODO: move this to emulater non-specific file | |
484 | */ | |
485 | static VCardEmulType | |
486 | vcard_emul_get_type(VReader *vreader) | |
487 | { | |
488 | VReaderEmul *vreader_emul; | |
489 | ||
490 | vreader_emul = vreader_get_private(vreader); | |
491 | if (vreader_emul && vreader_emul->default_type != VCARD_EMUL_NONE) { | |
492 | return vreader_emul->default_type; | |
493 | } | |
494 | ||
495 | return vcard_emul_type_select(vreader); | |
496 | } | |
497 | /* | |
498 | * TODO: move this to emulater non-specific file | |
499 | */ | |
500 | static const char * | |
501 | vcard_emul_get_type_params(VReader *vreader) | |
502 | { | |
503 | VReaderEmul *vreader_emul; | |
504 | ||
505 | vreader_emul = vreader_get_private(vreader); | |
506 | if (vreader_emul && vreader_emul->type_params) { | |
507 | return vreader_emul->type_params; | |
508 | } | |
509 | ||
510 | return ""; | |
511 | } | |
512 | ||
513 | /* pull the slot out of the reader private data */ | |
514 | static PK11SlotInfo * | |
515 | vcard_emul_reader_get_slot(VReader *vreader) | |
516 | { | |
517 | VReaderEmul *vreader_emul = vreader_get_private(vreader); | |
518 | if (vreader_emul == NULL) { | |
519 | return NULL; | |
520 | } | |
521 | return vreader_emul->slot; | |
522 | } | |
523 | ||
524 | /* | |
0b6a16c1 | 525 | * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate |
111a38b0 RR |
526 | * historical bytes for any software emulated card. The remaining bytes can be |
527 | * used to indicate the actual emulator | |
528 | */ | |
0b6a16c1 AL |
529 | static unsigned char *nss_atr; |
530 | static int nss_atr_len; | |
111a38b0 RR |
531 | |
532 | void | |
533 | vcard_emul_get_atr(VCard *card, unsigned char *atr, int *atr_len) | |
534 | { | |
0b6a16c1 | 535 | int len; |
111a38b0 RR |
536 | assert(atr != NULL); |
537 | ||
0b6a16c1 AL |
538 | if (nss_atr == NULL) { |
539 | nss_atr = vcard_alloc_atr("NSS", &nss_atr_len); | |
540 | } | |
541 | len = MIN(nss_atr_len, *atr_len); | |
111a38b0 RR |
542 | memcpy(atr, nss_atr, len); |
543 | *atr_len = len; | |
111a38b0 RR |
544 | } |
545 | ||
546 | /* | |
547 | * create a new card from certs and keys | |
548 | */ | |
549 | static VCard * | |
550 | vcard_emul_make_card(VReader *reader, | |
551 | unsigned char * const *certs, int *cert_len, | |
552 | VCardKey *keys[], int cert_count) | |
553 | { | |
554 | VCardEmul *vcard_emul; | |
555 | VCard *vcard; | |
556 | PK11SlotInfo *slot; | |
557 | VCardEmulType type; | |
558 | const char *params; | |
559 | ||
560 | type = vcard_emul_get_type(reader); | |
561 | ||
562 | /* ignore the inserted card */ | |
563 | if (type == VCARD_EMUL_NONE) { | |
564 | return NULL; | |
565 | } | |
566 | slot = vcard_emul_reader_get_slot(reader); | |
567 | if (slot == NULL) { | |
568 | return NULL; | |
569 | } | |
570 | ||
571 | params = vcard_emul_get_type_params(reader); | |
572 | /* params these can be NULL */ | |
573 | ||
574 | vcard_emul = vcard_emul_new_card(slot); | |
575 | if (vcard_emul == NULL) { | |
576 | return NULL; | |
577 | } | |
578 | vcard = vcard_new(vcard_emul, vcard_emul_delete_card); | |
579 | if (vcard == NULL) { | |
580 | vcard_emul_delete_card(vcard_emul); | |
581 | return NULL; | |
582 | } | |
583 | vcard_init(reader, vcard, type, params, certs, cert_len, keys, cert_count); | |
584 | return vcard; | |
585 | } | |
586 | ||
587 | ||
588 | /* | |
589 | * 'clone' a physical card as a virtual card | |
590 | */ | |
591 | static VCard * | |
592 | vcard_emul_mirror_card(VReader *vreader) | |
593 | { | |
594 | /* | |
595 | * lookup certs using the C_FindObjects. The Stan Cert handle won't give | |
596 | * us the real certs until we log in. | |
597 | */ | |
598 | PK11GenericObject *firstObj, *thisObj; | |
599 | int cert_count; | |
600 | unsigned char **certs; | |
601 | int *cert_len; | |
602 | VCardKey **keys; | |
603 | PK11SlotInfo *slot; | |
604 | PRBool ret; | |
ee83d414 | 605 | VCard *card; |
111a38b0 RR |
606 | |
607 | slot = vcard_emul_reader_get_slot(vreader); | |
608 | if (slot == NULL) { | |
609 | return NULL; | |
610 | } | |
611 | ||
612 | firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE); | |
613 | if (firstObj == NULL) { | |
614 | return NULL; | |
615 | } | |
616 | ||
617 | /* count the certs */ | |
618 | cert_count = 0; | |
619 | for (thisObj = firstObj; thisObj; | |
620 | thisObj = PK11_GetNextGenericObject(thisObj)) { | |
621 | cert_count++; | |
622 | } | |
623 | ||
624 | if (cert_count == 0) { | |
625 | PK11_DestroyGenericObjects(firstObj); | |
626 | return NULL; | |
627 | } | |
628 | ||
629 | /* allocate the arrays */ | |
630 | ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, cert_count); | |
631 | if (ret == PR_FALSE) { | |
632 | return NULL; | |
633 | } | |
634 | ||
635 | /* fill in the arrays */ | |
636 | cert_count = 0; | |
637 | for (thisObj = firstObj; thisObj; | |
638 | thisObj = PK11_GetNextGenericObject(thisObj)) { | |
639 | SECItem derCert; | |
640 | CERTCertificate *cert; | |
641 | SECStatus rv; | |
642 | ||
643 | rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj, | |
644 | CKA_VALUE, &derCert); | |
645 | if (rv != SECSuccess) { | |
646 | continue; | |
647 | } | |
648 | /* create floating temp cert. This gives us a cert structure even if | |
649 | * the token isn't logged in */ | |
650 | cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert, | |
651 | NULL, PR_FALSE, PR_TRUE); | |
652 | SECITEM_FreeItem(&derCert, PR_FALSE); | |
653 | if (cert == NULL) { | |
654 | continue; | |
655 | } | |
656 | ||
657 | certs[cert_count] = cert->derCert.data; | |
658 | cert_len[cert_count] = cert->derCert.len; | |
659 | keys[cert_count] = vcard_emul_make_key(slot, cert); | |
660 | cert_count++; | |
661 | CERT_DestroyCertificate(cert); /* key obj still has a reference */ | |
662 | } | |
663 | ||
664 | /* now create the card */ | |
ee83d414 | 665 | card = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); |
7267c094 AL |
666 | g_free(certs); |
667 | g_free(cert_len); | |
668 | g_free(keys); | |
ee83d414 CF |
669 | |
670 | return card; | |
111a38b0 RR |
671 | } |
672 | ||
673 | static VCardEmulType default_card_type = VCARD_EMUL_NONE; | |
674 | static const char *default_type_params = ""; | |
675 | ||
676 | /* | |
677 | * This thread looks for card and reader insertions and puts events on the | |
678 | * event queue | |
679 | */ | |
680 | static void | |
681 | vcard_emul_event_thread(void *arg) | |
682 | { | |
683 | PK11SlotInfo *slot; | |
684 | VReader *vreader; | |
685 | VReaderEmul *vreader_emul; | |
686 | VCard *vcard; | |
687 | SECMODModule *module = (SECMODModule *)arg; | |
688 | ||
689 | do { | |
1b902f7d AL |
690 | /* |
691 | * XXX - the latency value doesn't matter one bit. you only get no | |
692 | * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500), | |
693 | * hard coded in coolkey. And it isn't coolkey's fault - the timeout | |
694 | * value we pass get's dropped on the floor before C_WaitForSlotEvent | |
695 | * is called. | |
696 | */ | |
111a38b0 RR |
697 | slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500); |
698 | if (slot == NULL) { | |
1b902f7d AL |
699 | /* this could be just a no event indication */ |
700 | if (PORT_GetError() == SEC_ERROR_NO_EVENT) { | |
701 | continue; | |
702 | } | |
111a38b0 RR |
703 | break; |
704 | } | |
705 | vreader = vcard_emul_find_vreader_from_slot(slot); | |
706 | if (vreader == NULL) { | |
707 | /* new vreader */ | |
708 | vreader_emul = vreader_emul_new(slot, default_card_type, | |
709 | default_type_params); | |
710 | vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, | |
711 | vreader_emul_delete); | |
712 | PK11_FreeSlot(slot); | |
713 | slot = NULL; | |
714 | vreader_add_reader(vreader); | |
715 | vreader_free(vreader); | |
716 | continue; | |
717 | } | |
718 | /* card remove/insert */ | |
719 | vreader_emul = vreader_get_private(vreader); | |
720 | if (PK11_IsPresent(slot)) { | |
721 | int series = PK11_GetSlotSeries(slot); | |
722 | if (series != vreader_emul->series) { | |
723 | if (vreader_emul->present) { | |
724 | vreader_insert_card(vreader, NULL); | |
725 | } | |
726 | vcard = vcard_emul_mirror_card(vreader); | |
727 | vreader_insert_card(vreader, vcard); | |
728 | vcard_free(vcard); | |
729 | } | |
730 | vreader_emul->series = series; | |
731 | vreader_emul->present = 1; | |
732 | vreader_free(vreader); | |
733 | PK11_FreeSlot(slot); | |
734 | continue; | |
735 | } | |
736 | if (vreader_emul->present) { | |
737 | vreader_insert_card(vreader, NULL); | |
738 | } | |
739 | vreader_emul->series = 0; | |
740 | vreader_emul->present = 0; | |
741 | PK11_FreeSlot(slot); | |
742 | vreader_free(vreader); | |
743 | } while (1); | |
744 | } | |
745 | ||
746 | /* if the card is inserted when we start up, make sure our state is correct */ | |
747 | static void | |
748 | vcard_emul_init_series(VReader *vreader, VCard *vcard) | |
749 | { | |
750 | VReaderEmul *vreader_emul = vreader_get_private(vreader); | |
751 | PK11SlotInfo *slot = vreader_emul->slot; | |
752 | ||
753 | vreader_emul->present = PK11_IsPresent(slot); | |
754 | vreader_emul->series = PK11_GetSlotSeries(slot); | |
755 | if (vreader_emul->present == 0) { | |
756 | vreader_insert_card(vreader, NULL); | |
757 | } | |
758 | } | |
759 | ||
760 | /* | |
761 | * each module has a separate wait call, create a thread for each module that | |
762 | * we are using. | |
763 | */ | |
764 | static void | |
765 | vcard_emul_new_event_thread(SECMODModule *module) | |
766 | { | |
767 | PR_CreateThread(PR_SYSTEM_THREAD, vcard_emul_event_thread, | |
768 | module, PR_PRIORITY_HIGH, PR_GLOBAL_THREAD, | |
769 | PR_UNJOINABLE_THREAD, 0); | |
770 | } | |
771 | ||
772 | static const VCardEmulOptions default_options = { | |
773 | .nss_db = NULL, | |
774 | .vreader = NULL, | |
775 | .vreader_count = 0, | |
776 | .hw_card_type = VCARD_EMUL_CAC, | |
777 | .hw_type_params = "", | |
778 | .use_hw = PR_TRUE | |
779 | }; | |
780 | ||
781 | ||
782 | /* | |
783 | * NSS needs the app to supply a password prompt. In our case the only time | |
784 | * the password is supplied is as part of the Login APDU. The actual password | |
785 | * is passed in the pw_arg in that case. In all other cases pw_arg should be | |
786 | * NULL. | |
787 | */ | |
788 | static char * | |
789 | vcard_emul_get_password(PK11SlotInfo *slot, PRBool retries, void *pw_arg) | |
790 | { | |
791 | /* if it didn't work the first time, don't keep trying */ | |
792 | if (retries) { | |
793 | return NULL; | |
794 | } | |
795 | /* we are looking up a password when we don't have one in hand */ | |
796 | if (pw_arg == NULL) { | |
797 | return NULL; | |
798 | } | |
799 | /* TODO: we really should verify that were are using the right slot */ | |
800 | return PORT_Strdup(pw_arg); | |
801 | } | |
802 | ||
803 | /* Force a card removal even if the card is not physically removed */ | |
804 | VCardEmulError | |
805 | vcard_emul_force_card_remove(VReader *vreader) | |
806 | { | |
807 | if (!nss_emul_init || (vreader_card_is_present(vreader) != VREADER_OK)) { | |
808 | return VCARD_EMUL_FAIL; /* card is already removed */ | |
809 | } | |
810 | ||
811 | /* OK, remove it */ | |
812 | vreader_insert_card(vreader, NULL); | |
813 | return VCARD_EMUL_OK; | |
814 | } | |
815 | ||
816 | /* Re-insert of a card that has been removed by force removal */ | |
817 | VCardEmulError | |
818 | vcard_emul_force_card_insert(VReader *vreader) | |
819 | { | |
820 | VReaderEmul *vreader_emul; | |
821 | VCard *vcard; | |
822 | ||
823 | if (!nss_emul_init || (vreader_card_is_present(vreader) == VREADER_OK)) { | |
824 | return VCARD_EMUL_FAIL; /* card is already removed */ | |
825 | } | |
826 | vreader_emul = vreader_get_private(vreader); | |
827 | ||
828 | /* if it's a softcard, get the saved vcard from the reader emul structure */ | |
829 | if (vreader_emul->saved_vcard) { | |
830 | vcard = vcard_reference(vreader_emul->saved_vcard); | |
831 | } else { | |
832 | /* it must be a physical card, rebuild it */ | |
833 | if (!PK11_IsPresent(vreader_emul->slot)) { | |
834 | /* physical card has been removed, not way to reinsert it */ | |
835 | return VCARD_EMUL_FAIL; | |
836 | } | |
837 | vcard = vcard_emul_mirror_card(vreader); | |
838 | } | |
839 | vreader_insert_card(vreader, vcard); | |
840 | vcard_free(vcard); | |
841 | ||
842 | return VCARD_EMUL_OK; | |
843 | } | |
844 | ||
845 | ||
846 | static PRBool | |
847 | module_has_removable_hw_slots(SECMODModule *mod) | |
848 | { | |
849 | int i; | |
850 | PRBool ret = PR_FALSE; | |
851 | SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); | |
852 | ||
853 | if (!moduleLock) { | |
854 | PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
855 | return ret; | |
856 | } | |
857 | SECMOD_GetReadLock(moduleLock); | |
858 | for (i = 0; i < mod->slotCount; i++) { | |
859 | PK11SlotInfo *slot = mod->slots[i]; | |
860 | if (PK11_IsRemovable(slot) && PK11_IsHW(slot)) { | |
861 | ret = PR_TRUE; | |
862 | break; | |
863 | } | |
864 | } | |
865 | SECMOD_ReleaseReadLock(moduleLock); | |
866 | return ret; | |
867 | } | |
868 | ||
869 | /* Previously we returned FAIL if no readers found. This makes | |
870 | * no sense when using hardware, since there may be no readers connected | |
871 | * at the time vcard_emul_init is called, but they will be properly | |
872 | * recognized later. So Instead return FAIL only if no_hw==1 and no | |
873 | * vcards can be created (indicates error with certificates provided | |
874 | * or db), or if any other higher level error (NSS error, missing coolkey). */ | |
875 | static int vcard_emul_init_called; | |
876 | ||
877 | VCardEmulError | |
878 | vcard_emul_init(const VCardEmulOptions *options) | |
879 | { | |
880 | SECStatus rv; | |
ad2181f2 | 881 | PRBool ret, has_readers = PR_FALSE; |
111a38b0 RR |
882 | VReader *vreader; |
883 | VReaderEmul *vreader_emul; | |
884 | SECMODListLock *module_lock; | |
885 | SECMODModuleList *module_list; | |
886 | SECMODModuleList *mlp; | |
887 | int i; | |
888 | ||
889 | if (vcard_emul_init_called) { | |
890 | return VCARD_EMUL_INIT_ALREADY_INITED; | |
891 | } | |
892 | vcard_emul_init_called = 1; | |
893 | vreader_init(); | |
894 | vevent_queue_init(); | |
895 | ||
896 | if (options == NULL) { | |
897 | options = &default_options; | |
898 | } | |
899 | ||
900 | /* first initialize NSS */ | |
901 | if (options->nss_db) { | |
902 | rv = NSS_Init(options->nss_db); | |
903 | } else { | |
667e0b4b | 904 | gchar *path; |
e2d9c5e7 MAL |
905 | #ifndef _WIN32 |
906 | path = g_strdup("/etc/pki/nssdb"); | |
907 | #else | |
908 | if (g_get_system_config_dirs() == NULL || | |
909 | g_get_system_config_dirs()[0] == NULL) { | |
910 | return VCARD_EMUL_FAIL; | |
911 | } | |
912 | ||
913 | path = g_build_filename( | |
914 | g_get_system_config_dirs()[0], "pki", "nssdb", NULL); | |
915 | #endif | |
e2d9c5e7 | 916 | |
667e0b4b | 917 | rv = NSS_Init(path); |
e2d9c5e7 | 918 | g_free(path); |
111a38b0 RR |
919 | } |
920 | if (rv != SECSuccess) { | |
921 | return VCARD_EMUL_FAIL; | |
922 | } | |
923 | /* Set password callback function */ | |
924 | PK11_SetPasswordFunc(vcard_emul_get_password); | |
925 | ||
926 | /* set up soft cards emulated by software certs rather than physical cards | |
927 | * */ | |
928 | for (i = 0; i < options->vreader_count; i++) { | |
929 | int j; | |
930 | int cert_count; | |
931 | unsigned char **certs; | |
932 | int *cert_len; | |
933 | VCardKey **keys; | |
934 | PK11SlotInfo *slot; | |
935 | ||
936 | slot = PK11_FindSlotByName(options->vreader[i].name); | |
937 | if (slot == NULL) { | |
938 | continue; | |
939 | } | |
940 | vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, | |
941 | options->vreader[i].type_params); | |
942 | vreader = vreader_new(options->vreader[i].vname, vreader_emul, | |
943 | vreader_emul_delete); | |
944 | vreader_add_reader(vreader); | |
945 | cert_count = options->vreader[i].cert_count; | |
946 | ||
947 | ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, | |
948 | options->vreader[i].cert_count); | |
949 | if (ret == PR_FALSE) { | |
950 | continue; | |
951 | } | |
952 | cert_count = 0; | |
953 | for (j = 0; j < options->vreader[i].cert_count; j++) { | |
954 | /* we should have a better way of identifying certs than by | |
955 | * nickname here */ | |
956 | CERTCertificate *cert = PK11_FindCertFromNickname( | |
957 | options->vreader[i].cert_name[j], | |
958 | NULL); | |
959 | if (cert == NULL) { | |
960 | continue; | |
961 | } | |
962 | certs[cert_count] = cert->derCert.data; | |
963 | cert_len[cert_count] = cert->derCert.len; | |
964 | keys[cert_count] = vcard_emul_make_key(slot, cert); | |
965 | /* this is safe because the key is still holding a cert reference */ | |
966 | CERT_DestroyCertificate(cert); | |
967 | cert_count++; | |
968 | } | |
969 | if (cert_count) { | |
970 | VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, | |
971 | keys, cert_count); | |
972 | vreader_insert_card(vreader, vcard); | |
973 | vcard_emul_init_series(vreader, vcard); | |
974 | /* allow insertion and removal of soft cards */ | |
975 | vreader_emul->saved_vcard = vcard_reference(vcard); | |
976 | vcard_free(vcard); | |
977 | vreader_free(vreader); | |
978 | has_readers = PR_TRUE; | |
979 | } | |
7267c094 AL |
980 | g_free(certs); |
981 | g_free(cert_len); | |
982 | g_free(keys); | |
111a38b0 RR |
983 | } |
984 | ||
985 | /* if we aren't suppose to use hw, skip looking up hardware tokens */ | |
986 | if (!options->use_hw) { | |
987 | nss_emul_init = has_readers; | |
988 | return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; | |
989 | } | |
990 | ||
991 | /* make sure we have some PKCS #11 module loaded */ | |
992 | module_lock = SECMOD_GetDefaultModuleListLock(); | |
993 | module_list = SECMOD_GetDefaultModuleList(); | |
111a38b0 RR |
994 | SECMOD_GetReadLock(module_lock); |
995 | for (mlp = module_list; mlp; mlp = mlp->next) { | |
996 | SECMODModule *module = mlp->module; | |
997 | if (module_has_removable_hw_slots(module)) { | |
111a38b0 RR |
998 | break; |
999 | } | |
1000 | } | |
1001 | SECMOD_ReleaseReadLock(module_lock); | |
1002 | ||
111a38b0 RR |
1003 | /* now examine all the slots, finding which should be readers */ |
1004 | /* We should control this with options. For now we mirror out any | |
1005 | * removable hardware slot */ | |
1006 | default_card_type = options->hw_card_type; | |
be168af8 | 1007 | default_type_params = g_strdup(options->hw_type_params); |
111a38b0 RR |
1008 | |
1009 | SECMOD_GetReadLock(module_lock); | |
1010 | for (mlp = module_list; mlp; mlp = mlp->next) { | |
1011 | SECMODModule *module = mlp->module; | |
111a38b0 | 1012 | |
4e339882 AL |
1013 | /* Ignore the internal module */ |
1014 | if (module == NULL || module == SECMOD_GetInternalModule()) { | |
1015 | continue; | |
111a38b0 RR |
1016 | } |
1017 | ||
1018 | for (i = 0; i < module->slotCount; i++) { | |
1019 | PK11SlotInfo *slot = module->slots[i]; | |
1020 | ||
1021 | /* only map removable HW slots */ | |
1022 | if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { | |
1023 | continue; | |
1024 | } | |
6f06f178 AL |
1025 | if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) { |
1026 | /* | |
1027 | * coolkey <= 1.1.0-20 emulates this reader if it can't find | |
1028 | * any hardware readers. This causes problems, warn user of | |
1029 | * problems. | |
1030 | */ | |
1031 | fprintf(stderr, "known bad coolkey version - see " | |
1032 | "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n"); | |
1033 | continue; | |
1034 | } | |
111a38b0 RR |
1035 | vreader_emul = vreader_emul_new(slot, options->hw_card_type, |
1036 | options->hw_type_params); | |
1037 | vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, | |
1038 | vreader_emul_delete); | |
1039 | vreader_add_reader(vreader); | |
1040 | ||
111a38b0 RR |
1041 | if (PK11_IsPresent(slot)) { |
1042 | VCard *vcard; | |
1043 | vcard = vcard_emul_mirror_card(vreader); | |
1044 | vreader_insert_card(vreader, vcard); | |
1045 | vcard_emul_init_series(vreader, vcard); | |
1046 | vcard_free(vcard); | |
1047 | } | |
1048 | } | |
4e339882 | 1049 | vcard_emul_new_event_thread(module); |
111a38b0 RR |
1050 | } |
1051 | SECMOD_ReleaseReadLock(module_lock); | |
4e339882 | 1052 | nss_emul_init = PR_TRUE; |
111a38b0 RR |
1053 | |
1054 | return VCARD_EMUL_OK; | |
1055 | } | |
1056 | ||
1057 | /* Recreate card insert events for all readers (user should | |
1058 | * deduce implied reader insert. perhaps do a reader insert as well?) | |
1059 | */ | |
1060 | void | |
1061 | vcard_emul_replay_insertion_events(void) | |
1062 | { | |
1063 | VReaderListEntry *current_entry; | |
1064 | VReaderListEntry *next_entry = NULL; | |
1065 | VReaderList *list = vreader_get_reader_list(); | |
1066 | ||
1067 | for (current_entry = vreader_list_get_first(list); current_entry; | |
1068 | current_entry = next_entry) { | |
1069 | VReader *vreader = vreader_list_get_reader(current_entry); | |
1070 | next_entry = vreader_list_get_next(current_entry); | |
1071 | vreader_queue_card_event(vreader); | |
1072 | } | |
1073 | } | |
1074 | ||
1075 | /* | |
1076 | * Silly little functions to help parsing our argument string | |
1077 | */ | |
111a38b0 RR |
1078 | static int |
1079 | count_tokens(const char *str, char token, char token_end) | |
1080 | { | |
1081 | int count = 0; | |
1082 | ||
1083 | for (; *str; str++) { | |
1084 | if (*str == token) { | |
1085 | count++; | |
1086 | } | |
1087 | if (*str == token_end) { | |
1088 | break; | |
1089 | } | |
1090 | } | |
1091 | return count; | |
1092 | } | |
1093 | ||
1094 | static const char * | |
1095 | strip(const char *str) | |
1096 | { | |
685ff50f | 1097 | for (; *str && isspace(*str); str++) { |
111a38b0 RR |
1098 | } |
1099 | return str; | |
1100 | } | |
1101 | ||
1102 | static const char * | |
1103 | find_blank(const char *str) | |
1104 | { | |
685ff50f | 1105 | for (; *str && !isspace(*str); str++) { |
111a38b0 RR |
1106 | } |
1107 | return str; | |
1108 | } | |
1109 | ||
1110 | ||
1111 | /* | |
1112 | * We really want to use some existing argument parsing library here. That | |
fc27eefe | 1113 | * would give us a consistent look */ |
111a38b0 RR |
1114 | static VCardEmulOptions options; |
1115 | #define READER_STEP 4 | |
1116 | ||
d246b3cf CF |
1117 | /* Expects "args" to be at the beginning of a token (ie right after the ',' |
1118 | * ending the previous token), and puts the next token start in "token", | |
1119 | * and its length in "token_length". "token" will not be nul-terminated. | |
1120 | * After calling the macro, "args" will be advanced to the beginning of | |
1121 | * the next token. | |
1122 | * This macro may call continue or break. | |
1123 | */ | |
1124 | #define NEXT_TOKEN(token) \ | |
1125 | (token) = args; \ | |
1126 | args = strpbrk(args, ",)"); \ | |
1127 | if (*args == 0) { \ | |
1128 | break; \ | |
1129 | } \ | |
1130 | if (*args == ')') { \ | |
1131 | args++; \ | |
1132 | continue; \ | |
1133 | } \ | |
1134 | (token##_length) = args - (token); \ | |
1135 | args = strip(args+1); | |
1136 | ||
111a38b0 RR |
1137 | VCardEmulOptions * |
1138 | vcard_emul_options(const char *args) | |
1139 | { | |
1140 | int reader_count = 0; | |
1141 | VCardEmulOptions *opts; | |
111a38b0 RR |
1142 | |
1143 | /* Allow the future use of allocating the options structure on the fly */ | |
1144 | memcpy(&options, &default_options, sizeof(options)); | |
1145 | opts = &options; | |
1146 | ||
1147 | do { | |
1148 | args = strip(args); /* strip off the leading spaces */ | |
1149 | if (*args == ',') { | |
1150 | continue; | |
1151 | } | |
1152 | /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol) | |
1153 | * cert_2,cert_3...) */ | |
1154 | if (strncmp(args, "soft=", 5) == 0) { | |
1155 | const char *name; | |
a5aa842a | 1156 | size_t name_length; |
111a38b0 | 1157 | const char *vname; |
a5aa842a | 1158 | size_t vname_length; |
111a38b0 | 1159 | const char *type_params; |
a5aa842a CF |
1160 | size_t type_params_length; |
1161 | char type_str[100]; | |
111a38b0 | 1162 | VCardEmulType type; |
a5aa842a | 1163 | int count, i; |
111a38b0 RR |
1164 | VirtualReaderOptions *vreaderOpt = NULL; |
1165 | ||
1166 | args = strip(args + 5); | |
1167 | if (*args != '(') { | |
1168 | continue; | |
1169 | } | |
a5aa842a CF |
1170 | args = strip(args+1); |
1171 | ||
d246b3cf CF |
1172 | NEXT_TOKEN(name) |
1173 | NEXT_TOKEN(vname) | |
1174 | NEXT_TOKEN(type_params) | |
a5aa842a | 1175 | type_params_length = MIN(type_params_length, sizeof(type_str)-1); |
2e679780 | 1176 | pstrcpy(type_str, type_params_length, type_params); |
a5aa842a CF |
1177 | type = vcard_emul_type_from_string(type_str); |
1178 | ||
d246b3cf | 1179 | NEXT_TOKEN(type_params) |
a5aa842a | 1180 | |
111a38b0 RR |
1181 | if (*args == 0) { |
1182 | break; | |
1183 | } | |
1184 | ||
1185 | if (opts->vreader_count >= reader_count) { | |
1186 | reader_count += READER_STEP; | |
1187 | vreaderOpt = realloc(opts->vreader, | |
1188 | reader_count * sizeof(*vreaderOpt)); | |
1189 | if (vreaderOpt == NULL) { | |
1190 | return opts; /* we're done */ | |
1191 | } | |
1192 | } | |
1193 | opts->vreader = vreaderOpt; | |
1194 | vreaderOpt = &vreaderOpt[opts->vreader_count]; | |
7267c094 AL |
1195 | vreaderOpt->name = g_strndup(name, name_length); |
1196 | vreaderOpt->vname = g_strndup(vname, vname_length); | |
111a38b0 RR |
1197 | vreaderOpt->card_type = type; |
1198 | vreaderOpt->type_params = | |
7267c094 | 1199 | g_strndup(type_params, type_params_length); |
a5aa842a | 1200 | count = count_tokens(args, ',', ')') + 1; |
111a38b0 | 1201 | vreaderOpt->cert_count = count; |
7267c094 | 1202 | vreaderOpt->cert_name = (char **)g_malloc(count*sizeof(char *)); |
111a38b0 | 1203 | for (i = 0; i < count; i++) { |
a5aa842a CF |
1204 | const char *cert = args; |
1205 | args = strpbrk(args, ",)"); | |
7267c094 | 1206 | vreaderOpt->cert_name[i] = g_strndup(cert, args - cert); |
a5aa842a | 1207 | args = strip(args+1); |
111a38b0 RR |
1208 | } |
1209 | if (*args == ')') { | |
1210 | args++; | |
1211 | } | |
1212 | opts->vreader_count++; | |
1213 | /* use_hw= */ | |
1214 | } else if (strncmp(args, "use_hw=", 7) == 0) { | |
1215 | args = strip(args+7); | |
1216 | if (*args == '0' || *args == 'N' || *args == 'n' || *args == 'F') { | |
1217 | opts->use_hw = PR_FALSE; | |
1218 | } else { | |
1219 | opts->use_hw = PR_TRUE; | |
1220 | } | |
1221 | args = find_blank(args); | |
1222 | /* hw_type= */ | |
1223 | } else if (strncmp(args, "hw_type=", 8) == 0) { | |
1224 | args = strip(args+8); | |
1225 | opts->hw_card_type = vcard_emul_type_from_string(args); | |
1226 | args = find_blank(args); | |
1227 | /* hw_params= */ | |
1228 | } else if (strncmp(args, "hw_params=", 10) == 0) { | |
1229 | const char *params; | |
1230 | args = strip(args+10); | |
1231 | params = args; | |
1232 | args = find_blank(args); | |
7267c094 | 1233 | opts->hw_type_params = g_strndup(params, args-params); |
111a38b0 RR |
1234 | /* db="/data/base/path" */ |
1235 | } else if (strncmp(args, "db=", 3) == 0) { | |
1236 | const char *db; | |
1237 | args = strip(args+3); | |
1238 | if (*args != '"') { | |
1239 | continue; | |
1240 | } | |
1241 | args++; | |
1242 | db = args; | |
1243 | args = strpbrk(args, "\"\n"); | |
7267c094 | 1244 | opts->nss_db = g_strndup(db, args-db); |
111a38b0 RR |
1245 | if (*args != 0) { |
1246 | args++; | |
1247 | } | |
1248 | } else { | |
1249 | args = find_blank(args); | |
1250 | } | |
1251 | } while (*args != 0); | |
1252 | ||
1253 | return opts; | |
1254 | } | |
1255 | ||
1256 | void | |
1257 | vcard_emul_usage(void) | |
1258 | { | |
1259 | fprintf(stderr, | |
1260 | "emul args: comma separated list of the following arguments\n" | |
1261 | " db={nss_database} (default sql:/etc/pki/nssdb)\n" | |
1262 | " use_hw=[yes|no] (default yes)\n" | |
1263 | " hw_type={card_type_to_emulate} (default CAC)\n" | |
1264 | " hw_param={param_for_card} (default \"\")\n" | |
1265 | " soft=({slot_name},{vreader_name},{card_type_to_emulate},{params_for_card},\n" | |
1266 | " {cert1},{cert2},{cert3} (default none)\n" | |
1267 | "\n" | |
1268 | " {nss_database} The location of the NSS cert & key database\n" | |
1269 | " {card_type_to_emulate} What card interface to present to the guest\n" | |
1270 | " {param_for_card} Card interface specific parameters\n" | |
1271 | " {slot_name} NSS slot that contains the certs\n" | |
cba919da | 1272 | " {vreader_name} Virtual reader name to present to the guest\n" |
111a38b0 RR |
1273 | " {certN} Nickname of the certificate n on the virtual card\n" |
1274 | "\n" | |
1275 | "These parameters come as a single string separated by blanks or newlines." | |
1276 | "\n" | |
1277 | "Unless use_hw is set to no, all tokens that look like removable hardware\n" | |
1278 | "tokens will be presented to the guest using the emulator specified by\n" | |
1279 | "hw_type, and parameters of hw_param.\n" | |
1280 | "\n" | |
1281 | "If more one or more soft= parameters are specified, these readers will be\n" | |
1282 | "presented to the guest\n"); | |
1283 | } |