SecurityToken: support extended apdu and chaining based on capbilities
This commit is contained in:
parent
c2ca440c88
commit
b247de783c
|
@ -0,0 +1,65 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2016 Nikita Mikhailov <nikita.s.mikhailov@gmail.com>
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.sufficientlysecure.keychain.securitytoken;
|
||||||
|
|
||||||
|
import org.sufficientlysecure.keychain.securitytoken.usb.UsbTransportException;
|
||||||
|
|
||||||
|
import java.nio.ByteBuffer;
|
||||||
|
|
||||||
|
public class CardCapabilities {
|
||||||
|
private static final int MASK_CHAINING = 1 << 7;
|
||||||
|
private static final int MASK_EXTENDED = 1 << 6;
|
||||||
|
|
||||||
|
private byte[] mCapabilityBytes;
|
||||||
|
|
||||||
|
public CardCapabilities(byte[] historicalBytes) throws UsbTransportException {
|
||||||
|
if (historicalBytes[0] != 0x00) {
|
||||||
|
throw new UsbTransportException("Invalid historical bytes category indicator byte");
|
||||||
|
}
|
||||||
|
|
||||||
|
mCapabilityBytes = getCapabilitiesBytes(historicalBytes);
|
||||||
|
}
|
||||||
|
|
||||||
|
public CardCapabilities() {
|
||||||
|
mCapabilityBytes = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static byte[] getCapabilitiesBytes(byte[] historicalBytes) {
|
||||||
|
// Compact TLV
|
||||||
|
ByteBuffer byteBuffer = ByteBuffer.wrap(historicalBytes, 1, historicalBytes.length - 2);
|
||||||
|
while (byteBuffer.hasRemaining()) {
|
||||||
|
byte tl = byteBuffer.get();
|
||||||
|
if (tl == 0x73) { // Capabilities TL
|
||||||
|
byte[] val = new byte[3];
|
||||||
|
byteBuffer.get(val);
|
||||||
|
return val;
|
||||||
|
}
|
||||||
|
byteBuffer.position(byteBuffer.position() + (tl & 0xF));
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean hasChaining() {
|
||||||
|
return mCapabilityBytes != null && (mCapabilityBytes[2] & MASK_CHAINING) != 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean hasExtended() {
|
||||||
|
return mCapabilityBytes != null && (mCapabilityBytes[2] & MASK_EXTENDED) != 0;
|
||||||
|
}
|
||||||
|
}
|
|
@ -32,10 +32,12 @@ import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey;
|
||||||
import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException;
|
import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException;
|
||||||
import org.sufficientlysecure.keychain.securitytoken.smartcardio.CommandAPDU;
|
import org.sufficientlysecure.keychain.securitytoken.smartcardio.CommandAPDU;
|
||||||
import org.sufficientlysecure.keychain.securitytoken.smartcardio.ResponseAPDU;
|
import org.sufficientlysecure.keychain.securitytoken.smartcardio.ResponseAPDU;
|
||||||
|
import org.sufficientlysecure.keychain.securitytoken.usb.UsbTransportException;
|
||||||
import org.sufficientlysecure.keychain.util.Iso7816TLV;
|
import org.sufficientlysecure.keychain.util.Iso7816TLV;
|
||||||
import org.sufficientlysecure.keychain.util.Log;
|
import org.sufficientlysecure.keychain.util.Log;
|
||||||
import org.sufficientlysecure.keychain.util.Passphrase;
|
import org.sufficientlysecure.keychain.util.Passphrase;
|
||||||
|
|
||||||
|
import java.io.ByteArrayOutputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.math.BigInteger;
|
import java.math.BigInteger;
|
||||||
import java.nio.ByteBuffer;
|
import java.nio.ByteBuffer;
|
||||||
|
@ -57,11 +59,14 @@ public class SecurityTokenHelper {
|
||||||
|
|
||||||
private static final int APDU_SW_SUCCESS = 0x9000;
|
private static final int APDU_SW_SUCCESS = 0x9000;
|
||||||
|
|
||||||
|
private static final int MASK_CLA_CHAINING = 1 << 4;
|
||||||
|
|
||||||
// Fidesmo constants
|
// Fidesmo constants
|
||||||
private static final String FIDESMO_APPS_AID_PREFIX = "A000000617";
|
private static final String FIDESMO_APPS_AID_PREFIX = "A000000617";
|
||||||
|
|
||||||
private static final byte[] BLANK_FINGERPRINT = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
|
private static final byte[] BLANK_FINGERPRINT = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
|
||||||
private Transport mTransport;
|
private Transport mTransport;
|
||||||
|
private CardCapabilities mCardCapabilities;
|
||||||
|
|
||||||
private Passphrase mPin;
|
private Passphrase mPin;
|
||||||
private Passphrase mAdminPin;
|
private Passphrase mAdminPin;
|
||||||
|
@ -152,6 +157,8 @@ public class SecurityTokenHelper {
|
||||||
*/
|
*/
|
||||||
public void connectToDevice() throws IOException {
|
public void connectToDevice() throws IOException {
|
||||||
// Connect on transport layer
|
// Connect on transport layer
|
||||||
|
mCardCapabilities = null;
|
||||||
|
|
||||||
mTransport.connect();
|
mTransport.connect();
|
||||||
|
|
||||||
// Connect on smartcard layer
|
// Connect on smartcard layer
|
||||||
|
@ -163,6 +170,8 @@ public class SecurityTokenHelper {
|
||||||
throw new CardException("Initialization failed!", response.getSW());
|
throw new CardException("Initialization failed!", response.getSW());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mCardCapabilities = new CardCapabilities(getHistoricalBytes());
|
||||||
|
|
||||||
byte[] pwStatusBytes = getPwStatusBytes();
|
byte[] pwStatusBytes = getPwStatusBytes();
|
||||||
mPw1ValidForMultipleSignatures = (pwStatusBytes[0] == 1);
|
mPw1ValidForMultipleSignatures = (pwStatusBytes[0] == 1);
|
||||||
mPw1ValidatedForSignature = false;
|
mPw1ValidatedForSignature = false;
|
||||||
|
@ -442,6 +451,10 @@ public class SecurityTokenHelper {
|
||||||
return getHolderName(getData(0x00, 0x65));
|
return getHolderName(getData(0x00, 0x65));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private byte[] getHistoricalBytes() throws IOException {
|
||||||
|
return getData(0x5F, 0x52);
|
||||||
|
}
|
||||||
|
|
||||||
private byte[] getData(int p1, int p2) throws IOException {
|
private byte[] getData(int p1, int p2) throws IOException {
|
||||||
ResponseAPDU response = communicate(new CommandAPDU(0x00, 0xCA, p1, p2));
|
ResponseAPDU response = communicate(new CommandAPDU(0x00, 0xCA, p1, p2));
|
||||||
if (response.getSW() != APDU_SW_SUCCESS) {
|
if (response.getSW() != APDU_SW_SUCCESS) {
|
||||||
|
@ -538,7 +551,48 @@ public class SecurityTokenHelper {
|
||||||
* Transceive data via NFC encoded as Hex
|
* Transceive data via NFC encoded as Hex
|
||||||
*/
|
*/
|
||||||
private ResponseAPDU communicate(CommandAPDU apdu) throws IOException {
|
private ResponseAPDU communicate(CommandAPDU apdu) throws IOException {
|
||||||
return mTransport.transceive(apdu);
|
ByteArrayOutputStream result = new ByteArrayOutputStream();
|
||||||
|
|
||||||
|
ResponseAPDU lastResponse = null;
|
||||||
|
// Transmit
|
||||||
|
if (mCardCapabilities.hasExtended()) {
|
||||||
|
lastResponse = mTransport.transceive(apdu);
|
||||||
|
} else if (apdu.getData().length <= MAX_APDU_NC) {
|
||||||
|
lastResponse = mTransport.transceive(new CommandAPDU(apdu.getCLA(), apdu.getINS(),
|
||||||
|
apdu.getP1(), apdu.getP2(), apdu.getData(), MAX_APDU_NE));
|
||||||
|
} else if (apdu.getData().length > MAX_APDU_NC && mCardCapabilities.hasChaining()) {
|
||||||
|
int offset = 0;
|
||||||
|
byte[] data = apdu.getData();
|
||||||
|
while (offset < data.length) {
|
||||||
|
int curLen = Math.min(MAX_APDU_NC, data.length - offset);
|
||||||
|
boolean last = offset + curLen >= data.length;
|
||||||
|
int cla = apdu.getCLA() + (last ? 0 : MASK_CLA_CHAINING);
|
||||||
|
|
||||||
|
lastResponse = mTransport.transceive(new CommandAPDU(cla, apdu.getINS(), apdu.getP1(),
|
||||||
|
apdu.getP2(), apdu.getData(), MAX_APDU_NE));
|
||||||
|
|
||||||
|
if (!last && lastResponse.getSW() != APDU_SW_SUCCESS) {
|
||||||
|
throw new UsbTransportException("Failed to chain apdu");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (lastResponse == null) {
|
||||||
|
throw new UsbTransportException("Can't transmit command");
|
||||||
|
}
|
||||||
|
|
||||||
|
result.write(lastResponse.getData());
|
||||||
|
|
||||||
|
// Receive
|
||||||
|
while (lastResponse.getSW1() == 0x61) {
|
||||||
|
CommandAPDU getResponse = new CommandAPDU(0x00, 0xC0, 0x00, 0x00, lastResponse.getSW2());
|
||||||
|
lastResponse = mTransport.transceive(getResponse);
|
||||||
|
result.write(lastResponse.getData());
|
||||||
|
}
|
||||||
|
|
||||||
|
result.write(lastResponse.getSW1());
|
||||||
|
result.write(lastResponse.getSW2());
|
||||||
|
|
||||||
|
return new ResponseAPDU(result.toByteArray());
|
||||||
}
|
}
|
||||||
|
|
||||||
public Transport getTransport() {
|
public Transport getTransport() {
|
||||||
|
|
Loading…
Reference in a new issue