]> git.proxmox.com Git - qemu.git/blame - libcacard/vcard_emul_nss.c
projects / qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
libcacard: Fix unchecked strdup() by converting to g_strdup()
[qemu.git] / libcacard / vcard_emul_nss.c
CommitLineData
111a38b0
RR		 1/*
2 * This is the actual card emulator.
3 *
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
8 *
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
11 */
12
13/*
14 * NSS headers
15 */
16
17/* avoid including prototypes.h that redefines uint32 */
18#define NO_NSPR_10_SUPPORT
19
20#include <nss.h>
21#include <pk11pub.h>
22#include <cert.h>
23#include <key.h>
24#include <secmod.h>
25#include <prthread.h>
26#include <secerr.h>
27
28#include "qemu-common.h"
29
30#include "vcard.h"
31#include "card_7816t.h"
32#include "vcard_emul.h"
33#include "vreader.h"
34#include "vevent.h"
35
010debef
RR		 36typedef enum {
37 VCardEmulUnknown = -1,
38 VCardEmulFalse = 0,
39 VCardEmulTrue = 1
40} VCardEmulTriState;
41
111a38b0
RR		 42struct VCardKeyStruct {
43 CERTCertificate *cert;
44 PK11SlotInfo *slot;
45 SECKEYPrivateKey *key;
010debef 46 VCardEmulTriState failedX509;
111a38b0
RR		 47};
48
49
50typedef struct VirtualReaderOptionsStruct VirtualReaderOptions;
51
52struct VReaderEmulStruct {
53 PK11SlotInfo *slot;
54 VCardEmulType default_type;
55 char *type_params;
56 PRBool present;
57 int series;
58 VCard *saved_vcard;
59};
60
61/*
62 * NSS Specific options
63 */
64struct VirtualReaderOptionsStruct {
65 char *name;
66 char *vname;
67 VCardEmulType card_type;
68 char *type_params;
69 char **cert_name;
70 int cert_count;
71};
72
73struct VCardEmulOptionsStruct {
74 void *nss_db;
75 VirtualReaderOptions *vreader;
76 int vreader_count;
77 VCardEmulType hw_card_type;
78 const char *hw_type_params;
79 PRBool use_hw;
80};
81
82static int nss_emul_init;
83
84/* if we have more that just the slot, define
85 * VCardEmulStruct here */
86
87/*
88 * allocate the set of arrays for certs, cert_len, key
89 */
90static PRBool
91vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp,
92 VCardKey ***keysp, int cert_count)
93{
94 *certsp = NULL;
95 *cert_lenp = NULL;
96 *keysp = NULL;
7267c094
AL		 97 *certsp = (unsigned char **)g_malloc(sizeof(unsigned char *)*cert_count);
98 *cert_lenp = (int *)g_malloc(sizeof(int)*cert_count);
99 *keysp = (VCardKey **)g_malloc(sizeof(VCardKey *)*cert_count);
111a38b0
RR		 100 return PR_TRUE;
101}
102
103/*
104 * Emulator specific card information
105 */
106typedef struct CardEmulCardStruct CardEmulPrivate;
107
108static VCardEmul *
109vcard_emul_new_card(PK11SlotInfo *slot)
110{
111 PK11_ReferenceSlot(slot);
112 /* currently we don't need anything other than the slot */
113 return (VCardEmul *)slot;
114}
115
116static void
117vcard_emul_delete_card(VCardEmul *vcard_emul)
118{
119 PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul;
120 if (slot == NULL) {
121 return;
122 }
123 PK11_FreeSlot(slot);
124}
125
126static PK11SlotInfo *
127vcard_emul_card_get_slot(VCard *card)
128{
129 /* note, the card is holding the reference, no need to get another one */
130 return (PK11SlotInfo *)vcard_get_private(card);
131}
132
133
134/*
135 * key functions
136 */
137/* private constructure */
138static VCardKey *
139vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
140{
141 VCardKey *key;
142
7267c094 143 key = (VCardKey *)g_malloc(sizeof(VCardKey));
111a38b0
RR		 144 key->slot = PK11_ReferenceSlot(slot);
145 key->cert = CERT_DupCertificate(cert);
146 /* NOTE: if we aren't logged into the token, this could return NULL */
147 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
148 * use the DER version of this function */
149 key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
010debef 150 key->failedX509 = VCardEmulUnknown;
111a38b0
RR		 151 return key;
152}
153
154/* destructor */
155void
156vcard_emul_delete_key(VCardKey *key)
157{
158 if (!nss_emul_init || (key == NULL)) {
159 return;
160 }
161 if (key->key) {
162 SECKEY_DestroyPrivateKey(key->key);
163 key->key = NULL;
164 }
165 if (key->cert) {
166 CERT_DestroyCertificate(key->cert);
167 }
168 if (key->slot) {
169 PK11_FreeSlot(key->slot);
170 }
111a38b0
RR		 171}
172
173/*
174 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
175 */
176static SECKEYPrivateKey *
177vcard_emul_get_nss_key(VCardKey *key)
178{
179 if (key->key) {
180 return key->key;
181 }
182 /* NOTE: if we aren't logged into the token, this could return NULL */
183 key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
184 return key->key;
185}
186
187/*
188 * Map NSS errors to 7816 errors
189 */
190static vcard_7816_status_t
191vcard_emul_map_error(int error)
192{
193 switch (error) {
194 case SEC_ERROR_TOKEN_NOT_LOGGED_IN:
195 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
196 case SEC_ERROR_BAD_DATA:
197 case SEC_ERROR_OUTPUT_LEN:
198 case SEC_ERROR_INPUT_LEN:
199 case SEC_ERROR_INVALID_ARGS:
200 case SEC_ERROR_INVALID_ALGORITHM:
201 case SEC_ERROR_NO_KEY:
202 case SEC_ERROR_INVALID_KEY:
203 case SEC_ERROR_DECRYPTION_DISALLOWED:
204 return VCARD7816_STATUS_ERROR_DATA_INVALID;
205 case SEC_ERROR_NO_MEMORY:
206 return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE;
207 }
208 return VCARD7816_STATUS_EXC_ERROR_CHANGE;
209}
210
211/* RSA sign/decrypt with the key, signature happens 'in place' */
212vcard_7816_status_t
213vcard_emul_rsa_op(VCard *card, VCardKey *key,
214 unsigned char *buffer, int buffer_size)
215{
216 SECKEYPrivateKey *priv_key;
217 unsigned signature_len;
010debef 218 PK11SlotInfo *slot;
111a38b0 219 SECStatus rv;
010debef
RR		 220 unsigned char buf[2048];
221 unsigned char *bp = NULL;
222 int pad_len;
223 vcard_7816_status_t ret = VCARD7816_STATUS_SUCCESS;
111a38b0
RR		 224
225 if ((!nss_emul_init) || (key == NULL)) {
226 /* couldn't get the key, indicate that we aren't logged in */
227 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
228 }
229 priv_key = vcard_emul_get_nss_key(key);
010debef
RR		 230 if (priv_key == NULL) {
231 /* couldn't get the key, indicate that we aren't logged in */
232 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
233 }
234 slot = vcard_emul_card_get_slot(card);
111a38b0
RR		 235
236 /*
237 * this is only true of the rsa signature
238 */
239 signature_len = PK11_SignatureLen(priv_key);
240 if (buffer_size != signature_len) {
241 return VCARD7816_STATUS_ERROR_DATA_INVALID;
242 }
010debef
RR		 243 /* be able to handle larger keys if necessariy */
244 bp = &buf[0];
245 if (sizeof(buf) < signature_len) {
7267c094 246 bp = g_malloc(signature_len);
010debef
RR		 247 }
248
249 /*
250 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
251 * choke when they try to do the actual operations. Try to detect
252 * those cases and treat them as if the token didn't claim support for
253 * X_509.
254 */
255 if (key->failedX509 != VCardEmulTrue
256 && PK11_DoesMechanism(slot, CKM_RSA_X_509)) {
257 rv = PK11_PrivDecryptRaw(priv_key, bp, &signature_len, signature_len,
258 buffer, buffer_size);
259 if (rv == SECSuccess) {
260 assert(buffer_size == signature_len);
261 memcpy(buffer, bp, signature_len);
262 key->failedX509 = VCardEmulFalse;
263 goto cleanup;
264 }
265 /*
266 * we've had a successful X509 operation, this failure must be
267 * somethine else
268 */
269 if (key->failedX509 == VCardEmulFalse) {
270 ret = vcard_emul_map_error(PORT_GetError());
271 goto cleanup;
272 }
273 /*
274 * key->failedX509 must be Unknown at this point, try the
275 * non-x_509 case
276 */
277 }
278 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
279 /* is this a PKCS #1 formatted signature? */
280 if ((buffer[0] == 0) && (buffer[1] == 1)) {
281 int i;
282
283 for (i = 2; i < buffer_size; i++) {
284 /* rsa signature pad */
285 if (buffer[i] != 0xff) {
286 break;
287 }
288 }
289 if ((i < buffer_size) && (buffer[i] == 0)) {
290 /* yes, we have a properly formated PKCS #1 signature */
291 /*
292 * NOTE: even if we accidentally got an encrypt buffer, which
293 * through shear luck started with 00, 01, ff, 00, it won't matter
294 * because the resulting Sign operation will effectively decrypt
295 * the real buffer.
296 */
297 SECItem signature;
298 SECItem hash;
299
300 i++;
301 hash.data = &buffer[i];
302 hash.len = buffer_size - i;
303 signature.data = bp;
304 signature.len = signature_len;
305 rv = PK11_Sign(priv_key, &signature, &hash);
306 if (rv != SECSuccess) {
307 ret = vcard_emul_map_error(PORT_GetError());
308 goto cleanup;
309 }
310 assert(buffer_size == signature.len);
311 memcpy(buffer, bp, signature.len);
312 /*
313 * we got here because either the X509 attempt failed, or the
314 * token couldn't do the X509 operation, in either case stay
315 * with the PKCS version for future operations on this key
316 */
317 key->failedX509 = VCardEmulTrue;
318 goto cleanup;
319 }
320 }
321 pad_len = buffer_size - signature_len;
322 assert(pad_len < 4);
323 /*
324 * OK now we've decrypted the payload, package it up in PKCS #1 for the
325 * upper layer.
326 */
327 buffer[0] = 0;
328 buffer[1] = 2; /* RSA_encrypt */
329 pad_len -= 3; /* format is 0 || 2 || pad || 0 || data */
330 /*
331 * padding for PKCS #1 encrypted data is a string of random bytes. The
332 * random butes protect against potential decryption attacks against RSA.
333 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
334 * them. This shouldn't matter to the upper level code which should just
335 * strip this code out anyway, so We'll pad with a constant 3.
336 */
337 memset(&buffer[2], 0x03, pad_len);
338 pad_len += 2; /* index to the end of the pad */
339 buffer[pad_len] = 0;
340 pad_len++; /* index to the start of the data */
341 memcpy(&buffer[pad_len], bp, signature_len);
342 /*
343 * we got here because either the X509 attempt failed, or the
344 * token couldn't do the X509 operation, in either case stay
345 * with the PKCS version for future operations on this key
346 */
347 key->failedX509 = VCardEmulTrue;
348cleanup:
349 if (bp != buf) {
7267c094 350 g_free(bp);
111a38b0 351 }
010debef 352 return ret;
111a38b0
RR		 353}
354
355/*
356 * Login functions
357 */
358/* return the number of login attempts still possible on the card. if unknown,
359 * return -1 */
360int
361vcard_emul_get_login_count(VCard *card)
362{
363 return -1;
364}
365
366/* login into the card, return the 7816 status word (sw2 || sw1) */
367vcard_7816_status_t
368vcard_emul_login(VCard *card, unsigned char *pin, int pin_len)
369{
370 PK11SlotInfo *slot;
371 unsigned char *pin_string = NULL;
372 int i;
373 SECStatus rv;
374
375 if (!nss_emul_init) {
376 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
377 }
378 slot = vcard_emul_card_get_slot(card);
379 /* We depend on the PKCS #11 module internal login state here because we
380 * create a separate process to handle each guest instance. If we needed
381 * to handle multiple guests from one process, then we would need to keep
382 * a lot of extra state in our card structure
383 * */
7267c094 384 pin_string = g_malloc(pin_len+1);
111a38b0
RR		 385 memcpy(pin_string, pin, pin_len);
386 pin_string[pin_len] = 0;
387
388 /* handle CAC expanded pins correctly */
389 for (i = pin_len-1; i >= 0 && (pin_string[i] == 0xff); i--) {
390 pin_string[i] = 0;
391 }
392
393 rv = PK11_Authenticate(slot, PR_FALSE, pin_string);
394 memset(pin_string, 0, pin_len); /* don't let the pin hang around in memory
395 to be snooped */
7267c094 396 g_free(pin_string);
111a38b0
RR		 397 if (rv == SECSuccess) {
398 return VCARD7816_STATUS_SUCCESS;
399 }
400 /* map the error from port get error */
401 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
402}
403
404void
405vcard_emul_reset(VCard *card, VCardPower power)
406{
407 PK11SlotInfo *slot;
408
409 if (!nss_emul_init) {
410 return;
411 }
412
413 /*
414 * if we reset the card (either power on or power off), we lose our login
415 * state
416 */
417 /* TODO: we may also need to send insertion/removal events? */
418 slot = vcard_emul_card_get_slot(card);
419 PK11_Logout(slot); /* NOTE: ignoring SECStatus return value */
111a38b0
RR		 420}
421
422
423static VReader *
424vcard_emul_find_vreader_from_slot(PK11SlotInfo *slot)
425{
426 VReaderList *reader_list = vreader_get_reader_list();
427 VReaderListEntry *current_entry = NULL;
428
429 if (reader_list == NULL) {
430 return NULL;
431 }
432 for (current_entry = vreader_list_get_first(reader_list); current_entry;
433 current_entry = vreader_list_get_next(current_entry)) {
434 VReader *reader = vreader_list_get_reader(current_entry);
435 VReaderEmul *reader_emul = vreader_get_private(reader);
436 if (reader_emul->slot == slot) {
437 return reader;
438 }
439 vreader_free(reader);
440 }
441
442 return NULL;
443}
444
445/*
446 * create a new reader emul
447 */
448static VReaderEmul *
449vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params)
450{
451 VReaderEmul *new_reader_emul;
452
7267c094 453 new_reader_emul = (VReaderEmul *)g_malloc(sizeof(VReaderEmul));
111a38b0
RR		 454
455 new_reader_emul->slot = PK11_ReferenceSlot(slot);
456 new_reader_emul->default_type = type;
be168af8 457 new_reader_emul->type_params = g_strdup(params);
111a38b0
RR		 458 new_reader_emul->present = PR_FALSE;
459 new_reader_emul->series = 0;
460 new_reader_emul->saved_vcard = NULL;
461 return new_reader_emul;
462}
463
464static void
465vreader_emul_delete(VReaderEmul *vreader_emul)
466{
467 if (vreader_emul == NULL) {
468 return;
469 }
470 if (vreader_emul->slot) {
471 PK11_FreeSlot(vreader_emul->slot);
472 }
473 if (vreader_emul->type_params) {
7267c094 474 g_free(vreader_emul->type_params);
111a38b0 475 }
7267c094 476 g_free(vreader_emul);
111a38b0
RR		 477}
478
479/*
480 * TODO: move this to emulater non-specific file
481 */
482static VCardEmulType
483vcard_emul_get_type(VReader *vreader)
484{
485 VReaderEmul *vreader_emul;
486
487 vreader_emul = vreader_get_private(vreader);
488 if (vreader_emul && vreader_emul->default_type != VCARD_EMUL_NONE) {
489 return vreader_emul->default_type;
490 }
491
492 return vcard_emul_type_select(vreader);
493}
494/*
495 * TODO: move this to emulater non-specific file
496 */
497static const char *
498vcard_emul_get_type_params(VReader *vreader)
499{
500 VReaderEmul *vreader_emul;
501
502 vreader_emul = vreader_get_private(vreader);
503 if (vreader_emul && vreader_emul->type_params) {
504 return vreader_emul->type_params;
505 }
506
507 return "";
508}
509
510/* pull the slot out of the reader private data */
511static PK11SlotInfo *
512vcard_emul_reader_get_slot(VReader *vreader)
513{
514 VReaderEmul *vreader_emul = vreader_get_private(vreader);
515 if (vreader_emul == NULL) {
516 return NULL;
517 }
518 return vreader_emul->slot;
519}
520
521/*
522 * Card ATR's map to physical cards. VCARD_ATR_PREFIX will set appropriate
523 * historical bytes for any software emulated card. The remaining bytes can be
524 * used to indicate the actual emulator
525 */
526static const unsigned char nss_atr[] = { VCARD_ATR_PREFIX(3), 'N', 'S', 'S' };
527
528void
529vcard_emul_get_atr(VCard *card, unsigned char *atr, int *atr_len)
530{
531 int len = MIN(sizeof(nss_atr), *atr_len);
532 assert(atr != NULL);
533
534 memcpy(atr, nss_atr, len);
535 *atr_len = len;
111a38b0
RR		 536}
537
538/*
539 * create a new card from certs and keys
540 */
541static VCard *
542vcard_emul_make_card(VReader *reader,
543 unsigned char * const *certs, int *cert_len,
544 VCardKey *keys[], int cert_count)
545{
546 VCardEmul *vcard_emul;
547 VCard *vcard;
548 PK11SlotInfo *slot;
549 VCardEmulType type;
550 const char *params;
551
552 type = vcard_emul_get_type(reader);
553
554 /* ignore the inserted card */
555 if (type == VCARD_EMUL_NONE) {
556 return NULL;
557 }
558 slot = vcard_emul_reader_get_slot(reader);
559 if (slot == NULL) {
560 return NULL;
561 }
562
563 params = vcard_emul_get_type_params(reader);
564 /* params these can be NULL */
565
566 vcard_emul = vcard_emul_new_card(slot);
567 if (vcard_emul == NULL) {
568 return NULL;
569 }
570 vcard = vcard_new(vcard_emul, vcard_emul_delete_card);
571 if (vcard == NULL) {
572 vcard_emul_delete_card(vcard_emul);
573 return NULL;
574 }
575 vcard_init(reader, vcard, type, params, certs, cert_len, keys, cert_count);
576 return vcard;
577}
578
579
580/*
581 * 'clone' a physical card as a virtual card
582 */
583static VCard *
584vcard_emul_mirror_card(VReader *vreader)
585{
586 /*
587 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
588 * us the real certs until we log in.
589 */
590 PK11GenericObject *firstObj, *thisObj;
591 int cert_count;
592 unsigned char **certs;
593 int *cert_len;
594 VCardKey **keys;
595 PK11SlotInfo *slot;
596 PRBool ret;
ee83d414 597 VCard *card;
111a38b0
RR		 598
599 slot = vcard_emul_reader_get_slot(vreader);
600 if (slot == NULL) {
601 return NULL;
602 }
603
604 firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE);
605 if (firstObj == NULL) {
606 return NULL;
607 }
608
609 /* count the certs */
610 cert_count = 0;
611 for (thisObj = firstObj; thisObj;
612 thisObj = PK11_GetNextGenericObject(thisObj)) {
613 cert_count++;
614 }
615
616 if (cert_count == 0) {
617 PK11_DestroyGenericObjects(firstObj);
618 return NULL;
619 }
620
621 /* allocate the arrays */
622 ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, cert_count);
623 if (ret == PR_FALSE) {
624 return NULL;
625 }
626
627 /* fill in the arrays */
628 cert_count = 0;
629 for (thisObj = firstObj; thisObj;
630 thisObj = PK11_GetNextGenericObject(thisObj)) {
631 SECItem derCert;
632 CERTCertificate *cert;
633 SECStatus rv;
634
635 rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj,
636 CKA_VALUE, &derCert);
637 if (rv != SECSuccess) {
638 continue;
639 }
640 /* create floating temp cert. This gives us a cert structure even if
641 * the token isn't logged in */
642 cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert,
643 NULL, PR_FALSE, PR_TRUE);
644 SECITEM_FreeItem(&derCert, PR_FALSE);
645 if (cert == NULL) {
646 continue;
647 }
648
649 certs[cert_count] = cert->derCert.data;
650 cert_len[cert_count] = cert->derCert.len;
651 keys[cert_count] = vcard_emul_make_key(slot, cert);
652 cert_count++;
653 CERT_DestroyCertificate(cert); /* key obj still has a reference */
654 }
655
656 /* now create the card */
ee83d414 657 card = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count);
7267c094
AL		 658 g_free(certs);
659 g_free(cert_len);
660 g_free(keys);
ee83d414
CF		 661
662 return card;
111a38b0
RR		 663}
664
665static VCardEmulType default_card_type = VCARD_EMUL_NONE;
666static const char *default_type_params = "";
667
668/*
669 * This thread looks for card and reader insertions and puts events on the
670 * event queue
671 */
672static void
673vcard_emul_event_thread(void *arg)
674{
675 PK11SlotInfo *slot;
676 VReader *vreader;
677 VReaderEmul *vreader_emul;
678 VCard *vcard;
679 SECMODModule *module = (SECMODModule *)arg;
680
681 do {
1b902f7d
AL		 682 /*
683 * XXX - the latency value doesn't matter one bit. you only get no
684 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
685 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
686 * value we pass get's dropped on the floor before C_WaitForSlotEvent
687 * is called.
688 */
111a38b0
RR		 689 slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500);
690 if (slot == NULL) {
1b902f7d
AL		 691 /* this could be just a no event indication */
692 if (PORT_GetError() == SEC_ERROR_NO_EVENT) {
693 continue;
694 }
111a38b0
RR		 695 break;
696 }
697 vreader = vcard_emul_find_vreader_from_slot(slot);
698 if (vreader == NULL) {
699 /* new vreader */
700 vreader_emul = vreader_emul_new(slot, default_card_type,
701 default_type_params);
702 vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
703 vreader_emul_delete);
704 PK11_FreeSlot(slot);
705 slot = NULL;
706 vreader_add_reader(vreader);
707 vreader_free(vreader);
708 continue;
709 }
710 /* card remove/insert */
711 vreader_emul = vreader_get_private(vreader);
712 if (PK11_IsPresent(slot)) {
713 int series = PK11_GetSlotSeries(slot);
714 if (series != vreader_emul->series) {
715 if (vreader_emul->present) {
716 vreader_insert_card(vreader, NULL);
717 }
718 vcard = vcard_emul_mirror_card(vreader);
719 vreader_insert_card(vreader, vcard);
720 vcard_free(vcard);
721 }
722 vreader_emul->series = series;
723 vreader_emul->present = 1;
724 vreader_free(vreader);
725 PK11_FreeSlot(slot);
726 continue;
727 }
728 if (vreader_emul->present) {
729 vreader_insert_card(vreader, NULL);
730 }
731 vreader_emul->series = 0;
732 vreader_emul->present = 0;
733 PK11_FreeSlot(slot);
734 vreader_free(vreader);
735 } while (1);
736}
737
738/* if the card is inserted when we start up, make sure our state is correct */
739static void
740vcard_emul_init_series(VReader *vreader, VCard *vcard)
741{
742 VReaderEmul *vreader_emul = vreader_get_private(vreader);
743 PK11SlotInfo *slot = vreader_emul->slot;
744
745 vreader_emul->present = PK11_IsPresent(slot);
746 vreader_emul->series = PK11_GetSlotSeries(slot);
747 if (vreader_emul->present == 0) {
748 vreader_insert_card(vreader, NULL);
749 }
750}
751
752/*
753 * each module has a separate wait call, create a thread for each module that
754 * we are using.
755 */
756static void
757vcard_emul_new_event_thread(SECMODModule *module)
758{
759 PR_CreateThread(PR_SYSTEM_THREAD, vcard_emul_event_thread,
760 module, PR_PRIORITY_HIGH, PR_GLOBAL_THREAD,
761 PR_UNJOINABLE_THREAD, 0);
762}
763
764static const VCardEmulOptions default_options = {
765 .nss_db = NULL,
766 .vreader = NULL,
767 .vreader_count = 0,
768 .hw_card_type = VCARD_EMUL_CAC,
769 .hw_type_params = "",
770 .use_hw = PR_TRUE
771};
772
773
774/*
775 * NSS needs the app to supply a password prompt. In our case the only time
776 * the password is supplied is as part of the Login APDU. The actual password
777 * is passed in the pw_arg in that case. In all other cases pw_arg should be
778 * NULL.
779 */
780static char *
781vcard_emul_get_password(PK11SlotInfo *slot, PRBool retries, void *pw_arg)
782{
783 /* if it didn't work the first time, don't keep trying */
784 if (retries) {
785 return NULL;
786 }
787 /* we are looking up a password when we don't have one in hand */
788 if (pw_arg == NULL) {
789 return NULL;
790 }
791 /* TODO: we really should verify that were are using the right slot */
792 return PORT_Strdup(pw_arg);
793}
794
795/* Force a card removal even if the card is not physically removed */
796VCardEmulError
797vcard_emul_force_card_remove(VReader *vreader)
798{
799 if (!nss_emul_init || (vreader_card_is_present(vreader) != VREADER_OK)) {
800 return VCARD_EMUL_FAIL; /* card is already removed */
801 }
802
803 /* OK, remove it */
804 vreader_insert_card(vreader, NULL);
805 return VCARD_EMUL_OK;
806}
807
808/* Re-insert of a card that has been removed by force removal */
809VCardEmulError
810vcard_emul_force_card_insert(VReader *vreader)
811{
812 VReaderEmul *vreader_emul;
813 VCard *vcard;
814
815 if (!nss_emul_init || (vreader_card_is_present(vreader) == VREADER_OK)) {
816 return VCARD_EMUL_FAIL; /* card is already removed */
817 }
818 vreader_emul = vreader_get_private(vreader);
819
820 /* if it's a softcard, get the saved vcard from the reader emul structure */
821 if (vreader_emul->saved_vcard) {
822 vcard = vcard_reference(vreader_emul->saved_vcard);
823 } else {
824 /* it must be a physical card, rebuild it */
825 if (!PK11_IsPresent(vreader_emul->slot)) {
826 /* physical card has been removed, not way to reinsert it */
827 return VCARD_EMUL_FAIL;
828 }
829 vcard = vcard_emul_mirror_card(vreader);
830 }
831 vreader_insert_card(vreader, vcard);
832 vcard_free(vcard);
833
834 return VCARD_EMUL_OK;
835}
836
837
838static PRBool
839module_has_removable_hw_slots(SECMODModule *mod)
840{
841 int i;
842 PRBool ret = PR_FALSE;
843 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
844
845 if (!moduleLock) {
846 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
847 return ret;
848 }
849 SECMOD_GetReadLock(moduleLock);
850 for (i = 0; i < mod->slotCount; i++) {
851 PK11SlotInfo *slot = mod->slots[i];
852 if (PK11_IsRemovable(slot) && PK11_IsHW(slot)) {
853 ret = PR_TRUE;
854 break;
855 }
856 }
857 SECMOD_ReleaseReadLock(moduleLock);
858 return ret;
859}
860
861/* Previously we returned FAIL if no readers found. This makes
862 * no sense when using hardware, since there may be no readers connected
863 * at the time vcard_emul_init is called, but they will be properly
864 * recognized later. So Instead return FAIL only if no_hw==1 and no
865 * vcards can be created (indicates error with certificates provided
866 * or db), or if any other higher level error (NSS error, missing coolkey). */
867static int vcard_emul_init_called;
868
869VCardEmulError
870vcard_emul_init(const VCardEmulOptions *options)
871{
872 SECStatus rv;
873 PRBool ret, has_readers = PR_FALSE, need_coolkey_module;
874 VReader *vreader;
875 VReaderEmul *vreader_emul;
876 SECMODListLock *module_lock;
877 SECMODModuleList *module_list;
878 SECMODModuleList *mlp;
879 int i;
880
881 if (vcard_emul_init_called) {
882 return VCARD_EMUL_INIT_ALREADY_INITED;
883 }
884 vcard_emul_init_called = 1;
885 vreader_init();
886 vevent_queue_init();
887
888 if (options == NULL) {
889 options = &default_options;
890 }
891
892 /* first initialize NSS */
893 if (options->nss_db) {
894 rv = NSS_Init(options->nss_db);
895 } else {
896 rv = NSS_Init("sql:/etc/pki/nssdb");
897 }
898 if (rv != SECSuccess) {
899 return VCARD_EMUL_FAIL;
900 }
901 /* Set password callback function */
902 PK11_SetPasswordFunc(vcard_emul_get_password);
903
904 /* set up soft cards emulated by software certs rather than physical cards
905 * */
906 for (i = 0; i < options->vreader_count; i++) {
907 int j;
908 int cert_count;
909 unsigned char **certs;
910 int *cert_len;
911 VCardKey **keys;
912 PK11SlotInfo *slot;
913
914 slot = PK11_FindSlotByName(options->vreader[i].name);
915 if (slot == NULL) {
916 continue;
917 }
918 vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type,
919 options->vreader[i].type_params);
920 vreader = vreader_new(options->vreader[i].vname, vreader_emul,
921 vreader_emul_delete);
922 vreader_add_reader(vreader);
923 cert_count = options->vreader[i].cert_count;
924
925 ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys,
926 options->vreader[i].cert_count);
927 if (ret == PR_FALSE) {
928 continue;
929 }
930 cert_count = 0;
931 for (j = 0; j < options->vreader[i].cert_count; j++) {
932 /* we should have a better way of identifying certs than by
933 * nickname here */
934 CERTCertificate *cert = PK11_FindCertFromNickname(
935 options->vreader[i].cert_name[j],
936 NULL);
937 if (cert == NULL) {
938 continue;
939 }
940 certs[cert_count] = cert->derCert.data;
941 cert_len[cert_count] = cert->derCert.len;
942 keys[cert_count] = vcard_emul_make_key(slot, cert);
943 /* this is safe because the key is still holding a cert reference */
944 CERT_DestroyCertificate(cert);
945 cert_count++;
946 }
947 if (cert_count) {
948 VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len,
949 keys, cert_count);
950 vreader_insert_card(vreader, vcard);
951 vcard_emul_init_series(vreader, vcard);
952 /* allow insertion and removal of soft cards */
953 vreader_emul->saved_vcard = vcard_reference(vcard);
954 vcard_free(vcard);
955 vreader_free(vreader);
956 has_readers = PR_TRUE;
957 }
7267c094
AL		 958 g_free(certs);
959 g_free(cert_len);
960 g_free(keys);
111a38b0
RR		 961 }
962
963 /* if we aren't suppose to use hw, skip looking up hardware tokens */
964 if (!options->use_hw) {
965 nss_emul_init = has_readers;
966 return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL;
967 }
968
969 /* make sure we have some PKCS #11 module loaded */
970 module_lock = SECMOD_GetDefaultModuleListLock();
971 module_list = SECMOD_GetDefaultModuleList();
972 need_coolkey_module = !has_readers;
973 SECMOD_GetReadLock(module_lock);
974 for (mlp = module_list; mlp; mlp = mlp->next) {
975 SECMODModule *module = mlp->module;
976 if (module_has_removable_hw_slots(module)) {
977 need_coolkey_module = PR_FALSE;
978 break;
979 }
980 }
981 SECMOD_ReleaseReadLock(module_lock);
982
983 if (need_coolkey_module) {
984 SECMODModule *module;
985 module = SECMOD_LoadUserModule(
986 (char *)"library=libcoolkeypk11.so name=Coolkey",
987 NULL, PR_FALSE);
988 if (module == NULL) {
989 return VCARD_EMUL_FAIL;
990 }
991 SECMOD_DestroyModule(module); /* free our reference, Module will still
992 * be on the list.
993 * until we destroy it */
994 }
995
996 /* now examine all the slots, finding which should be readers */
997 /* We should control this with options. For now we mirror out any
998 * removable hardware slot */
999 default_card_type = options->hw_card_type;
be168af8 1000 default_type_params = g_strdup(options->hw_type_params);
111a38b0
RR		 1001
1002 SECMOD_GetReadLock(module_lock);
1003 for (mlp = module_list; mlp; mlp = mlp->next) {
1004 SECMODModule *module = mlp->module;
111a38b0 1005
4e339882
AL		 1006 /* Ignore the internal module */
1007 if (module == NULL || module == SECMOD_GetInternalModule()) {
1008 continue;
111a38b0
RR		 1009 }
1010
1011 for (i = 0; i < module->slotCount; i++) {
1012 PK11SlotInfo *slot = module->slots[i];
1013
1014 /* only map removable HW slots */
1015 if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) {
1016 continue;
1017 }
6f06f178
AL		 1018 if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) {
1019 /*
1020 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1021 * any hardware readers. This causes problems, warn user of
1022 * problems.
1023 */
1024 fprintf(stderr, "known bad coolkey version - see "
1025 "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n");
1026 continue;
1027 }
111a38b0
RR		 1028 vreader_emul = vreader_emul_new(slot, options->hw_card_type,
1029 options->hw_type_params);
1030 vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
1031 vreader_emul_delete);
1032 vreader_add_reader(vreader);
1033
111a38b0
RR		 1034 if (PK11_IsPresent(slot)) {
1035 VCard *vcard;
1036 vcard = vcard_emul_mirror_card(vreader);
1037 vreader_insert_card(vreader, vcard);
1038 vcard_emul_init_series(vreader, vcard);
1039 vcard_free(vcard);
1040 }
1041 }
4e339882 1042 vcard_emul_new_event_thread(module);
111a38b0
RR		 1043 }
1044 SECMOD_ReleaseReadLock(module_lock);
4e339882 1045 nss_emul_init = PR_TRUE;
111a38b0
RR		 1046
1047 return VCARD_EMUL_OK;
1048}
1049
1050/* Recreate card insert events for all readers (user should
1051 * deduce implied reader insert. perhaps do a reader insert as well?)
1052 */
1053void
1054vcard_emul_replay_insertion_events(void)
1055{
1056 VReaderListEntry *current_entry;
1057 VReaderListEntry *next_entry = NULL;
1058 VReaderList *list = vreader_get_reader_list();
1059
1060 for (current_entry = vreader_list_get_first(list); current_entry;
1061 current_entry = next_entry) {
1062 VReader *vreader = vreader_list_get_reader(current_entry);
1063 next_entry = vreader_list_get_next(current_entry);
1064 vreader_queue_card_event(vreader);
1065 }
1066}
1067
1068/*
1069 * Silly little functions to help parsing our argument string
1070 */
111a38b0
RR		 1071static int
1072count_tokens(const char *str, char token, char token_end)
1073{
1074 int count = 0;
1075
1076 for (; *str; str++) {
1077 if (*str == token) {
1078 count++;
1079 }
1080 if (*str == token_end) {
1081 break;
1082 }
1083 }
1084 return count;
1085}
1086
1087static const char *
1088strip(const char *str)
1089{
685ff50f 1090 for (; *str && isspace(*str); str++) {
111a38b0
RR		 1091 }
1092 return str;
1093}
1094
1095static const char *
1096find_blank(const char *str)
1097{
685ff50f 1098 for (; *str && !isspace(*str); str++) {
111a38b0
RR		 1099 }
1100 return str;
1101}
1102
1103
1104/*
1105 * We really want to use some existing argument parsing library here. That
fc27eefe 1106 * would give us a consistent look */
111a38b0
RR		 1107static VCardEmulOptions options;
1108#define READER_STEP 4
1109
d246b3cf
CF		 1110/* Expects "args" to be at the beginning of a token (ie right after the ','
1111 * ending the previous token), and puts the next token start in "token",
1112 * and its length in "token_length". "token" will not be nul-terminated.
1113 * After calling the macro, "args" will be advanced to the beginning of
1114 * the next token.
1115 * This macro may call continue or break.
1116 */
1117#define NEXT_TOKEN(token) \
1118 (token) = args; \
1119 args = strpbrk(args, ",)"); \
1120 if (*args == 0) { \
1121 break; \
1122 } \
1123 if (*args == ')') { \
1124 args++; \
1125 continue; \
1126 } \
1127 (token##_length) = args - (token); \
1128 args = strip(args+1);
1129
111a38b0
RR		 1130VCardEmulOptions *
1131vcard_emul_options(const char *args)
1132{
1133 int reader_count = 0;
1134 VCardEmulOptions *opts;
111a38b0
RR		 1135
1136 /* Allow the future use of allocating the options structure on the fly */
1137 memcpy(&options, &default_options, sizeof(options));
1138 opts = &options;
1139
1140 do {
1141 args = strip(args); /* strip off the leading spaces */
1142 if (*args == ',') {
1143 continue;
1144 }
1145 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1146 * cert_2,cert_3...) */
1147 if (strncmp(args, "soft=", 5) == 0) {
1148 const char *name;
a5aa842a 1149 size_t name_length;
111a38b0 1150 const char *vname;
a5aa842a 1151 size_t vname_length;
111a38b0 1152 const char *type_params;
a5aa842a
CF		 1153 size_t type_params_length;
1154 char type_str[100];
111a38b0 1155 VCardEmulType type;
a5aa842a 1156 int count, i;
111a38b0
RR		 1157 VirtualReaderOptions *vreaderOpt = NULL;
1158
1159 args = strip(args + 5);
1160 if (*args != '(') {
1161 continue;
1162 }
a5aa842a
CF		 1163 args = strip(args+1);
1164
d246b3cf
CF		 1165 NEXT_TOKEN(name)
1166 NEXT_TOKEN(vname)
1167 NEXT_TOKEN(type_params)
a5aa842a 1168 type_params_length = MIN(type_params_length, sizeof(type_str)-1);
2e679780 1169 pstrcpy(type_str, type_params_length, type_params);
a5aa842a
CF		 1170 type = vcard_emul_type_from_string(type_str);
1171
d246b3cf 1172 NEXT_TOKEN(type_params)
a5aa842a 1173
111a38b0
RR		 1174 if (*args == 0) {
1175 break;
1176 }
1177
1178 if (opts->vreader_count >= reader_count) {
1179 reader_count += READER_STEP;
1180 vreaderOpt = realloc(opts->vreader,
1181 reader_count * sizeof(*vreaderOpt));
1182 if (vreaderOpt == NULL) {
1183 return opts; /* we're done */
1184 }
1185 }
1186 opts->vreader = vreaderOpt;
1187 vreaderOpt = &vreaderOpt[opts->vreader_count];
7267c094
AL		 1188 vreaderOpt->name = g_strndup(name, name_length);
1189 vreaderOpt->vname = g_strndup(vname, vname_length);
111a38b0
RR		 1190 vreaderOpt->card_type = type;
1191 vreaderOpt->type_params =
7267c094 1192 g_strndup(type_params, type_params_length);
a5aa842a 1193 count = count_tokens(args, ',', ')') + 1;
111a38b0 1194 vreaderOpt->cert_count = count;
7267c094 1195 vreaderOpt->cert_name = (char **)g_malloc(count*sizeof(char *));
111a38b0 1196 for (i = 0; i < count; i++) {
a5aa842a
CF		 1197 const char *cert = args;
1198 args = strpbrk(args, ",)");
7267c094 1199 vreaderOpt->cert_name[i] = g_strndup(cert, args - cert);
a5aa842a 1200 args = strip(args+1);
111a38b0
RR		 1201 }
1202 if (*args == ')') {
1203 args++;
1204 }
1205 opts->vreader_count++;
1206 /* use_hw= */
1207 } else if (strncmp(args, "use_hw=", 7) == 0) {
1208 args = strip(args+7);
1209 if (*args == '0' || *args == 'N' || *args == 'n' || *args == 'F') {
1210 opts->use_hw = PR_FALSE;
1211 } else {
1212 opts->use_hw = PR_TRUE;
1213 }
1214 args = find_blank(args);
1215 /* hw_type= */
1216 } else if (strncmp(args, "hw_type=", 8) == 0) {
1217 args = strip(args+8);
1218 opts->hw_card_type = vcard_emul_type_from_string(args);
1219 args = find_blank(args);
1220 /* hw_params= */
1221 } else if (strncmp(args, "hw_params=", 10) == 0) {
1222 const char *params;
1223 args = strip(args+10);
1224 params = args;
1225 args = find_blank(args);
7267c094 1226 opts->hw_type_params = g_strndup(params, args-params);
111a38b0
RR		 1227 /* db="/data/base/path" */
1228 } else if (strncmp(args, "db=", 3) == 0) {
1229 const char *db;
1230 args = strip(args+3);
1231 if (*args != '"') {
1232 continue;
1233 }
1234 args++;
1235 db = args;
1236 args = strpbrk(args, "\"\n");
7267c094 1237 opts->nss_db = g_strndup(db, args-db);
111a38b0
RR		 1238 if (*args != 0) {
1239 args++;
1240 }
1241 } else {
1242 args = find_blank(args);
1243 }
1244 } while (*args != 0);
1245
1246 return opts;
1247}
1248
1249void
1250vcard_emul_usage(void)
1251{
1252 fprintf(stderr,
1253"emul args: comma separated list of the following arguments\n"
1254" db={nss_database} (default sql:/etc/pki/nssdb)\n"
1255" use_hw=[yes|no] (default yes)\n"
1256" hw_type={card_type_to_emulate} (default CAC)\n"
1257" hw_param={param_for_card} (default \"\")\n"
1258" soft=({slot_name},{vreader_name},{card_type_to_emulate},{params_for_card},\n"
1259" {cert1},{cert2},{cert3} (default none)\n"
1260"\n"
1261" {nss_database} The location of the NSS cert & key database\n"
1262" {card_type_to_emulate} What card interface to present to the guest\n"
1263" {param_for_card} Card interface specific parameters\n"
1264" {slot_name} NSS slot that contains the certs\n"
cba919da 1265" {vreader_name} Virtual reader name to present to the guest\n"
111a38b0
RR		 1266" {certN} Nickname of the certificate n on the virtual card\n"
1267"\n"
1268"These parameters come as a single string separated by blanks or newlines."
1269"\n"
1270"Unless use_hw is set to no, all tokens that look like removable hardware\n"
1271"tokens will be presented to the guest using the emulator specified by\n"
1272"hw_type, and parameters of hw_param.\n"
1273"\n"
1274"If more one or more soft= parameters are specified, these readers will be\n"
1275"presented to the guest\n");
1276}
Qemu copy for testing