/* * Copyright (C) 2016 Nikita Mikhailov * Copyright (C) 2013-2017 Dominik Schürmann * Copyright (C) 2015 Vincent Breitmoser * Copyright (C) 2013-2014 Signe Rüsch * Copyright (C) 2013-2014 Philipp Jakubeit * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ package org.sufficientlysecure.keychain.securitytoken; import android.content.Context; import android.support.annotation.NonNull; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1OutputStream; import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.nist.NISTNamedCurves; import org.bouncycastle.asn1.x9.X9ECParameters; import org.bouncycastle.bcpg.HashAlgorithmTags; import org.bouncycastle.jcajce.util.MessageDigestUtils; import org.bouncycastle.math.ec.ECPoint; import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.operator.PGPPad; import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.encoders.Hex; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.pgp.CanonicalizedPublicKey; import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException; import javax.crypto.Cipher; import javax.crypto.NoSuchPaddingException; import javax.crypto.spec.SecretKeySpec; import javax.smartcardio.CommandAPDU; import javax.smartcardio.ResponseAPDU; import org.sufficientlysecure.keychain.securitytoken.usb.UsbTransportException; import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Passphrase; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; import java.nio.ByteBuffer; import java.security.InvalidKeyException; import java.security.Key; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.interfaces.ECPrivateKey; import java.security.interfaces.ECPublicKey; import java.security.interfaces.RSAPrivateCrtKey; /** * This class provides a communication interface to OpenPGP applications on ISO SmartCard compliant * devices. * For the full specs, see http://g10code.com/docs/openpgp-card-2.0.pdf */ public class SecurityTokenHelper { private static final int MAX_APDU_NC = 255; private static final int MAX_APDU_NC_EXT = 65535; private static final int MAX_APDU_NE = 256; static final int MAX_APDU_NE_EXT = 65536; static final int APDU_SW_SUCCESS = 0x9000; private static final int APDU_SW1_RESPONSE_AVAILABLE = 0x61; private static final int MASK_CLA_CHAINING = 1 << 4; // Fidesmo constants private static final String FIDESMO_APPS_AID_PREFIX = "A000000617"; private static final byte[] BLANK_FINGERPRINT = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; private final JcaKeyFingerprintCalculator fingerprintCalculator = new JcaKeyFingerprintCalculator(); private Transport mTransport; private CardCapabilities mCardCapabilities; private OpenPgpCapabilities mOpenPgpCapabilities; private SecureMessaging mSecureMessaging; private Passphrase mPin; private Passphrase mAdminPin; private boolean mPw1ValidatedForSignature; private boolean mPw1ValidatedForDecrypt; // Mode 82 does other things; consider renaming? private boolean mPw3Validated; private SecurityTokenHelper() { } public static double parseOpenPgpVersion(final byte[] aid) { float minv = aid[7]; while (minv > 0) minv /= 10.0; return aid[6] + minv; } public static SecurityTokenHelper getInstance() { return LazyHolder.SECURITY_TOKEN_HELPER; } private String getHolderName(byte[] name) { try { return (new String(name, 4, name[3])).replace('<', ' '); } catch (IndexOutOfBoundsException e) { // try-catch for https://github.com/FluffyKaon/OpenPGP-Card // Note: This should not happen, but happens with // https://github.com/FluffyKaon/OpenPGP-Card, thus return an empty string for now! Log.e(Constants.TAG, "Couldn't get holder name, returning empty string!", e); return ""; } } public Passphrase getPin() { return mPin; } public void setPin(final Passphrase pin) { this.mPin = pin; } public Passphrase getAdminPin() { return mAdminPin; } public void setAdminPin(final Passphrase adminPin) { this.mAdminPin = adminPin; } public void changeKey(CanonicalizedSecretKey secretKey, Passphrase passphrase) throws IOException { long keyGenerationTimestamp = secretKey.getCreationTime().getTime() / 1000; byte[] timestampBytes = ByteBuffer.allocate(4).putInt((int) keyGenerationTimestamp).array(); KeyType keyType = KeyType.from(secretKey); if (keyType == null) { throw new IOException("Inappropriate key flags for smart card key."); } // Slot is empty, or contains this key already. PUT KEY operation is safe boolean canPutKey = isSlotEmpty(keyType) || keyMatchesFingerPrint(keyType, secretKey.getFingerprint()); if (!canPutKey) { throw new IOException(String.format("Key slot occupied; card must be reset to put new %s key.", keyType.toString())); } putKey(keyType, secretKey, passphrase); putData(keyType.getFingerprintObjectId(), secretKey.getFingerprint()); putData(keyType.getTimestampObjectId(), timestampBytes); } private boolean isSlotEmpty(KeyType keyType) throws IOException { // Note: special case: This should not happen, but happens with // https://github.com/FluffyKaon/OpenPGP-Card, thus for now assume true if (getKeyFingerprint(keyType) == null) { return true; } return keyMatchesFingerPrint(keyType, BLANK_FINGERPRINT); } private boolean keyMatchesFingerPrint(KeyType keyType, byte[] fingerprint) throws IOException { return java.util.Arrays.equals(getKeyFingerprint(keyType), fingerprint); } /** * Connect to device and select pgp applet * * @throws IOException */ public void connectToDevice(final Context ctx) throws IOException { // Connect on transport layer mCardCapabilities = new CardCapabilities(); mTransport.connect(); // Connect on smartcard layer // Command APDU (page 51) for SELECT FILE command (page 29) CommandAPDU select = new CommandAPDU(0x00, 0xA4, 0x04, 0x00, Hex.decode("D27600012401")); ResponseAPDU response = communicate(select); // activate connection if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Initialization failed!", response.getSW()); } mOpenPgpCapabilities = new OpenPgpCapabilities(getData(0x00, 0x6E)); mCardCapabilities = new CardCapabilities(mOpenPgpCapabilities.getHistoricalBytes()); mPw1ValidatedForSignature = false; mPw1ValidatedForDecrypt = false; mPw3Validated = false; if (mOpenPgpCapabilities.isHasSCP11bSM()) { try { SCP11bSecureMessaging.establish(this, ctx); } catch (SecureMessagingException e) { mSecureMessaging = null; Log.e(Constants.TAG, "failed to establish secure messaging", e); } } } /** * Modifies the user's PW1 or PW3. Before sending, the new PIN will be validated for * conformance to the token's requirements for key length. * * @param pw For PW1, this is 0x81. For PW3 (Admin PIN), mode is 0x83. * @param newPin The new PW1 or PW3. */ public void modifyPin(int pw, byte[] newPin) throws IOException { final int MAX_PW1_LENGTH_INDEX = 1; final int MAX_PW3_LENGTH_INDEX = 3; byte[] pwStatusBytes = getPwStatusBytes(); if (pw == 0x81) { if (newPin.length < 6 || newPin.length > pwStatusBytes[MAX_PW1_LENGTH_INDEX]) { throw new IOException("Invalid PIN length"); } } else if (pw == 0x83) { if (newPin.length < 8 || newPin.length > pwStatusBytes[MAX_PW3_LENGTH_INDEX]) { throw new IOException("Invalid PIN length"); } } else { throw new IOException("Invalid PW index for modify PIN operation"); } byte[] pin; if (pw == 0x83) { pin = mAdminPin.toStringUnsafe().getBytes(); } else { pin = mPin.toStringUnsafe().getBytes(); } // Command APDU for CHANGE REFERENCE DATA command (page 32) CommandAPDU changePin = new CommandAPDU(0x00, 0x24, 0x00, pw, Arrays.concatenate(pin, newPin)); ResponseAPDU response = communicate(changePin); if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Failed to change PIN", response.getSW()); } } /** * Call DECIPHER command * * @param encryptedSessionKey the encoded session key * @param publicKey * @return the decoded session key */ public byte[] decryptSessionKey(@NonNull byte[] encryptedSessionKey, CanonicalizedPublicKey publicKey) throws IOException { final KeyFormat kf = mOpenPgpCapabilities.getFormatForKeyType(KeyType.ENCRYPT); if (!mPw1ValidatedForDecrypt) { verifyPin(0x82); // (Verify PW1 with mode 82 for decryption) } byte[] data; int pLen = 0; X9ECParameters x9Params; switch (kf.keyFormatType()) { case RSAKeyFormatType: data = Arrays.copyOfRange(encryptedSessionKey, 2, encryptedSessionKey.length); if (data[0] != 0) { data = Arrays.prepend(data, (byte) 0x00); } break; case ECKeyFormatType: pLen = ((((encryptedSessionKey[0] & 0xff) << 8) + (encryptedSessionKey[1] & 0xff)) + 7) / 8; data = new byte[pLen]; System.arraycopy(encryptedSessionKey, 2, data, 0, pLen); final ECKeyFormat eckf = (ECKeyFormat) kf; x9Params = NISTNamedCurves.getByOID(eckf.getCurveOID()); final ECPoint p = x9Params.getCurve().decodePoint(data); if (!p.isValid()) { throw new CardException("Invalid EC point!"); } data = p.getEncoded(false); data = Arrays.concatenate( Hex.decode("86"), new byte[]{(byte) data.length}, data); data = Arrays.concatenate( Hex.decode("7F49"), new byte[]{(byte) data.length}, data); data = Arrays.concatenate( Hex.decode("A6"), new byte[]{(byte) data.length}, data); break; default: throw new CardException("Unknown encryption key type!"); } CommandAPDU command = new CommandAPDU(0x00, 0x2A, 0x80, 0x86, data, MAX_APDU_NE_EXT); ResponseAPDU response = communicate(command); if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Deciphering with Security token failed on receive", response.getSW()); } switch (mOpenPgpCapabilities.getFormatForKeyType(KeyType.ENCRYPT).keyFormatType()) { case RSAKeyFormatType: return response.getData(); /* From 3.x OpenPGP card specification : In case of ECDH the card supports a partial decrypt only. With its own private key and the given public key the card calculates a shared secret in compliance with the Elliptic Curve Key Agreement Scheme from Diffie-Hellman. The shared secret is returned in the response, all other calculation for deciphering are done outside of the card. The shared secret obtained is a KEK (Key Encryption Key) that is used to wrap the session key. From rfc6637#section-13 : This document explicitly discourages the use of algorithms other than AES as a KEK algorithm. */ case ECKeyFormatType: data = response.getData(); final byte[] keyEnc = new byte[encryptedSessionKey[pLen + 2]]; System.arraycopy(encryptedSessionKey, 2 + pLen + 1, keyEnc, 0, keyEnc.length); try { final MessageDigest kdf = MessageDigest.getInstance(MessageDigestUtils.getDigestName(publicKey.getSecurityTokenHashAlgorithm())); kdf.update(new byte[]{(byte) 0, (byte) 0, (byte) 0, (byte) 1}); kdf.update(data); kdf.update(publicKey.createUserKeyingMaterial(fingerprintCalculator)); final byte[] kek = kdf.digest(); final Cipher c = Cipher.getInstance("AESWrap"); c.init(Cipher.UNWRAP_MODE, new SecretKeySpec(kek, 0, publicKey.getSecurityTokenSymmetricKeySize() / 8, "AES")); final Key paddedSessionKey = c.unwrap(keyEnc, "Session", Cipher.SECRET_KEY); Arrays.fill(kek, (byte) 0); return PGPPad.unpadSessionData(paddedSessionKey.getEncoded()); } catch (NoSuchAlgorithmException e) { throw new CardException("Unknown digest/encryption algorithm!"); } catch (NoSuchPaddingException e) { throw new CardException("Unknown padding algorithm!"); } catch (PGPException e) { throw new CardException(e.getMessage()); } catch (InvalidKeyException e) { throw new CardException("Invalid KEK!"); } default: throw new CardException("Unknown encryption key type!"); } } /** * Verifies the user's PW1 or PW3 with the appropriate mode. * * @param mode For PW1, this is 0x81 for signing, 0x82 for everything else. * For PW3 (Admin PIN), mode is 0x83. */ private void verifyPin(int mode) throws IOException { if (mPin != null || mode == 0x83) { byte[] pin; if (mode == 0x83) { pin = mAdminPin.toStringUnsafe().getBytes(); } else { pin = mPin.toStringUnsafe().getBytes(); } ResponseAPDU response = tryPin(mode, pin);// login if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Bad PIN!", response.getSW()); } if (mode == 0x81) { mPw1ValidatedForSignature = true; } else if (mode == 0x82) { mPw1ValidatedForDecrypt = true; } else if (mode == 0x83) { mPw3Validated = true; } } } /** * Stores a data object on the token. Automatically validates the proper PIN for the operation. * Supported for all data objects < 255 bytes in length. Only the cardholder certificate * (0x7F21) can exceed this length. * * @param dataObject The data object to be stored. * @param data The data to store in the object */ private void putData(int dataObject, byte[] data) throws IOException { if (data.length > 254) { throw new IOException("Cannot PUT DATA with length > 254"); } if (dataObject == 0x0101 || dataObject == 0x0103) { if (!mPw1ValidatedForDecrypt) { verifyPin(0x82); // (Verify PW1 for non-signing operations) } } else if (!mPw3Validated) { verifyPin(0x83); // (Verify PW3) } CommandAPDU command = new CommandAPDU(0x00, 0xDA, (dataObject & 0xFF00) >> 8, dataObject & 0xFF, data); ResponseAPDU response = communicate(command); // put data if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Failed to put data.", response.getSW()); } } private void setKeyAttributes(final KeyType slot, final CanonicalizedSecretKey secretKey) throws IOException { if (mOpenPgpCapabilities.isAttributesChangable()) { int tag; if (slot == KeyType.SIGN) { tag = 0xC1; } else if (slot == KeyType.ENCRYPT) { tag = 0xC2; } else if (slot == KeyType.AUTH) { tag = 0xC3; } else { throw new IOException("Unknown key for card."); } try { putData(tag, SecurityTokenUtils.attributesFromSecretKey(slot, secretKey)); mOpenPgpCapabilities.updateWithData(getData(0x00, tag)); } catch (PgpGeneralException e) { throw new IOException("Key algorithm not supported by the security token."); } } } /** * Puts a key on the token in the given slot. * * @param slot The slot on the token where the key should be stored: * 0xB6: Signature Key * 0xB8: Decipherment Key * 0xA4: Authentication Key */ private void putKey(KeyType slot, CanonicalizedSecretKey secretKey, Passphrase passphrase) throws IOException { RSAPrivateCrtKey crtSecretKey; ECPrivateKey ecSecretKey; ECPublicKey ecPublicKey; if (!mPw3Validated) { verifyPin(0x83); // (Verify PW3 with mode 83) } // Now we're ready to communicate with the token. byte[] keyBytes = null; try { secretKey.unlock(passphrase); setKeyAttributes(slot, secretKey); switch (mOpenPgpCapabilities.getFormatForKeyType(slot).keyFormatType()) { case RSAKeyFormatType: if (!secretKey.isRSA()) { throw new IOException("Security Token not configured for RSA key."); } crtSecretKey = secretKey.getSecurityTokenRSASecretKey(); // Should happen only rarely; all GnuPG keys since 2006 use public exponent 65537. if (!crtSecretKey.getPublicExponent().equals(new BigInteger("65537"))) { throw new IOException("Invalid public exponent for smart Security Token."); } keyBytes = SecurityTokenUtils.createRSAPrivKeyTemplate(crtSecretKey, slot, (RSAKeyFormat) (mOpenPgpCapabilities.getFormatForKeyType(slot))); break; case ECKeyFormatType: if (!secretKey.isEC()) { throw new IOException("Security Token not configured for EC key."); } secretKey.unlock(passphrase); ecSecretKey = secretKey.getSecurityTokenECSecretKey(); ecPublicKey = secretKey.getSecurityTokenECPublicKey(); keyBytes = SecurityTokenUtils.createECPrivKeyTemplate(ecSecretKey, ecPublicKey, slot, (ECKeyFormat) (mOpenPgpCapabilities.getFormatForKeyType(slot))); break; default: throw new IOException("Key type unsupported by security token."); } } catch (PgpGeneralException e) { throw new IOException(e.getMessage()); } CommandAPDU apdu = new CommandAPDU(0x00, 0xDB, 0x3F, 0xFF, keyBytes); ResponseAPDU response = communicate(apdu); if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Key export to Security Token failed", response.getSW()); } } /** * Return fingerprints of all keys from application specific data stored * on tag, or null if data not available. * * @return The fingerprints of all subkeys in a contiguous byte array. */ public byte[] getFingerprints() throws IOException { CommandAPDU apdu = new CommandAPDU(0x00, 0xCA, 0x00, 0x6E, MAX_APDU_NE_EXT); ResponseAPDU response = communicate(apdu); if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Failed to get fingerprints", response.getSW()); } Iso7816TLV[] tlvList = Iso7816TLV.readList(response.getData(), true); Iso7816TLV fingerPrintTlv = null; for (Iso7816TLV tlv : tlvList) { Log.d(Constants.TAG, "nfcGetFingerprints() Iso7816TLV tlv data:\n" + tlv.prettyPrint()); Iso7816TLV matchingTlv = Iso7816TLV.findRecursive(tlv, 0xc5); if (matchingTlv != null) { fingerPrintTlv = matchingTlv; } } if (fingerPrintTlv == null) { return null; } return fingerPrintTlv.mV; } /** * Return the PW Status Bytes from the token. This is a simple DO; no TLV decoding needed. * * @return Seven bytes in fixed format, plus 0x9000 status word at the end. */ private byte[] getPwStatusBytes() throws IOException { return getData(0x00, 0xC4); } public byte[] getAid() throws IOException { return getData(0x00, 0x4F); } public String getUrl() throws IOException { byte[] data = getData(0x5F, 0x50); return new String(data); } public String getUserId() throws IOException { return getHolderName(getData(0x00, 0x65)); } private byte[] getData(int p1, int p2) throws IOException { ResponseAPDU response = communicate(new CommandAPDU(0x00, 0xCA, p1, p2, MAX_APDU_NE_EXT)); if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Failed to get pw status bytes", response.getSW()); } return response.getData(); } /** * Call COMPUTE DIGITAL SIGNATURE command and returns the MPI value * * @param hash the hash for signing * @return a big integer representing the MPI for the given hash */ public byte[] calculateSignature(byte[] hash, int hashAlgo) throws IOException { if (!mPw1ValidatedForSignature) { verifyPin(0x81); // (Verify PW1 with mode 81 for signing) } byte[] dsi; Log.i(Constants.TAG, "Hash: " + hashAlgo); switch (hashAlgo) { case HashAlgorithmTags.SHA1: if (hash.length != 20) { throw new IOException("Bad hash length (" + hash.length + ", expected 10!"); } dsi = Arrays.concatenate(Hex.decode( "3021" // Tag/Length of Sequence, the 0x21 includes all following 33 bytes + "3009" // Tag/Length of Sequence, the 0x09 are the following header bytes + "0605" + "2B0E03021A" // OID of SHA1 + "0500" // TLV coding of ZERO + "0414"), hash); // 0x14 are 20 hash bytes break; case HashAlgorithmTags.RIPEMD160: if (hash.length != 20) { throw new IOException("Bad hash length (" + hash.length + ", expected 20!"); } dsi = Arrays.concatenate(Hex.decode("3021300906052B2403020105000414"), hash); break; case HashAlgorithmTags.SHA224: if (hash.length != 28) { throw new IOException("Bad hash length (" + hash.length + ", expected 28!"); } dsi = Arrays.concatenate(Hex.decode("302D300D06096086480165030402040500041C"), hash); break; case HashAlgorithmTags.SHA256: if (hash.length != 32) { throw new IOException("Bad hash length (" + hash.length + ", expected 32!"); } dsi = Arrays.concatenate(Hex.decode("3031300D060960864801650304020105000420"), hash); break; case HashAlgorithmTags.SHA384: if (hash.length != 48) { throw new IOException("Bad hash length (" + hash.length + ", expected 48!"); } dsi = Arrays.concatenate(Hex.decode("3041300D060960864801650304020205000430"), hash); break; case HashAlgorithmTags.SHA512: if (hash.length != 64) { throw new IOException("Bad hash length (" + hash.length + ", expected 64!"); } dsi = Arrays.concatenate(Hex.decode("3051300D060960864801650304020305000440"), hash); break; default: throw new IOException("Not supported hash algo!"); } byte[] data; KeyFormat signKeyFormat = mOpenPgpCapabilities.getFormatForKeyType(KeyType.SIGN); switch (signKeyFormat.keyFormatType()) { case RSAKeyFormatType: data = dsi; break; case ECKeyFormatType: data = hash; break; default: throw new IOException("Not supported key type!"); } // Command APDU for PERFORM SECURITY OPERATION: COMPUTE DIGITAL SIGNATURE (page 37) CommandAPDU command = new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, data, MAX_APDU_NE_EXT); ResponseAPDU response = communicate(command); if (response.getSW() != APDU_SW_SUCCESS) { throw new CardException("Failed to sign", response.getSW()); } if (!mOpenPgpCapabilities.isPw1ValidForMultipleSignatures()) { mPw1ValidatedForSignature = false; } byte[] signature = response.getData(); // Make sure the signature we received is actually the expected number of bytes long! switch (signKeyFormat.keyFormatType()) { case RSAKeyFormatType: int modulusLength = ((RSAKeyFormat) signKeyFormat).getModulusLength(); if (signature.length != (modulusLength / 8)) { throw new IOException("Bad signature length! Expected " + (modulusLength / 8) + " bytes, got " + signature.length); } break; case ECKeyFormatType: // "plain" encoding, see https://github.com/open-keychain/open-keychain/issues/2108 if (signature.length % 2 != 0) { throw new IOException("Bad signature length!"); } final byte[] br = new byte[signature.length / 2]; final byte[] bs = new byte[signature.length / 2]; for (int i = 0; i < br.length; ++i) { br[i] = signature[i]; bs[i] = signature[br.length + i]; } final ByteArrayOutputStream baos = new ByteArrayOutputStream(); ASN1OutputStream out = new ASN1OutputStream(baos); out.writeObject(new DERSequence(new ASN1Encodable[]{new ASN1Integer(br), new ASN1Integer(bs)})); out.flush(); signature = baos.toByteArray(); break; } return signature; } /** * Transceives APDU * Splits extended APDU into short APDUs and chains them if necessary * Performs GET RESPONSE command(ISO/IEC 7816-4 par.7.6.1) on retrieving if necessary * * @param apdu short or extended APDU to transceive * @return response from the card * @throws IOException */ ResponseAPDU communicate(CommandAPDU apdu) throws IOException { if ((mSecureMessaging != null) && mSecureMessaging.isEstablished()) { try { apdu = mSecureMessaging.encryptAndSign(apdu); } catch (SecureMessagingException e) { clearSecureMessaging(); throw new IOException("secure messaging encrypt/sign failure : " + e.getMessage()); } } ByteArrayOutputStream result = new ByteArrayOutputStream(); ResponseAPDU lastResponse = null; // Transmit if (mCardCapabilities.hasExtended()) { lastResponse = mTransport.transceive(apdu); } else if (apdu.getData().length <= MAX_APDU_NC) { int ne = Math.min(apdu.getNe(), MAX_APDU_NE); lastResponse = mTransport.transceive(new CommandAPDU(apdu.getCLA(), apdu.getINS(), apdu.getP1(), apdu.getP2(), apdu.getData(), ne)); } else if (apdu.getData().length > MAX_APDU_NC && mCardCapabilities.hasChaining()) { int offset = 0; byte[] data = apdu.getData(); int ne = Math.min(apdu.getNe(), MAX_APDU_NE); while (offset < data.length) { int curLen = Math.min(MAX_APDU_NC, data.length - offset); boolean last = offset + curLen >= data.length; int cla = apdu.getCLA() + (last ? 0 : MASK_CLA_CHAINING); lastResponse = mTransport.transceive(new CommandAPDU(cla, apdu.getINS(), apdu.getP1(), apdu.getP2(), Arrays.copyOfRange(data, offset, offset + curLen), ne)); if (!last && lastResponse.getSW() != APDU_SW_SUCCESS) { throw new UsbTransportException("Failed to chain apdu"); } offset += curLen; } } if (lastResponse == null) { throw new UsbTransportException("Can't transmit command"); } result.write(lastResponse.getData()); // Receive while (lastResponse.getSW1() == APDU_SW1_RESPONSE_AVAILABLE) { // GET RESPONSE ISO/IEC 7816-4 par.7.6.1 CommandAPDU getResponse = new CommandAPDU(0x00, 0xC0, 0x00, 0x00, lastResponse.getSW2()); lastResponse = mTransport.transceive(getResponse); result.write(lastResponse.getData()); } result.write(lastResponse.getSW1()); result.write(lastResponse.getSW2()); lastResponse = new ResponseAPDU(result.toByteArray()); if ((mSecureMessaging != null) && mSecureMessaging.isEstablished()) { try { lastResponse = mSecureMessaging.verifyAndDecrypt(lastResponse); } catch (SecureMessagingException e) { clearSecureMessaging(); throw new IOException("secure messaging verify/decrypt failure : " + e.getMessage()); } } return lastResponse; } public Transport getTransport() { return mTransport; } public void setTransport(Transport mTransport) { clearSecureMessaging(); this.mTransport = mTransport; } public boolean isFidesmoToken() { if (isConnected()) { // Check if we can still talk to the card try { // By trying to select any apps that have the Fidesmo AID prefix we can // see if it is a Fidesmo device or not CommandAPDU apdu = new CommandAPDU(0x00, 0xA4, 0x04, 0x00, Hex.decode(FIDESMO_APPS_AID_PREFIX)); return communicate(apdu).getSW() == APDU_SW_SUCCESS; } catch (IOException e) { Log.e(Constants.TAG, "Card communication failed!", e); } } return false; } /** * Generates a key on the card in the given slot. If the slot is 0xB6 (the signature key), * this command also has the effect of resetting the digital signature counter. * NOTE: This does not set the key fingerprint data object! After calling this command, you * must construct a public key packet using the returned public key data objects, compute the * key fingerprint, and store it on the card using: putData(0xC8, key.getFingerprint()) * * @param slot The slot on the card where the key should be generated: * 0xB6: Signature Key * 0xB8: Decipherment Key * 0xA4: Authentication Key * @return the public key data objects, in TLV format. For RSA this will be the public modulus * (0x81) and exponent (0x82). These may come out of order; proper TLV parsing is required. */ public byte[] generateKey(int slot) throws IOException { if (slot != 0xB6 && slot != 0xB8 && slot != 0xA4) { throw new IOException("Invalid key slot"); } if (!mPw3Validated) { verifyPin(0x83); // (Verify PW3 with mode 83) } CommandAPDU apdu = new CommandAPDU(0x00, 0x47, 0x80, 0x00, new byte[]{(byte) slot, 0x00}, MAX_APDU_NE_EXT); ResponseAPDU response = communicate(apdu); if (response.getSW() != APDU_SW_SUCCESS) { throw new IOException("On-card key generation failed"); } return response.getData(); } private ResponseAPDU tryPin(int mode, byte[] pin) throws IOException { // Command APDU for VERIFY command (page 32) return communicate(new CommandAPDU(0x00, 0x20, 0x00, mode, pin)); } /** * Resets security token, which deletes all keys and data objects. * This works by entering a wrong PIN and then Admin PIN 4 times respectively. * Afterwards, the token is reactivated. */ public void resetAndWipeToken() throws IOException { // try wrong PIN 4 times until counter goes to C0 byte[] pin = "XXXXXX".getBytes(); for (int i = 0; i <= 4; i++) { ResponseAPDU response = tryPin(0x81, pin); if (response.getSW() == APDU_SW_SUCCESS) { // Should NOT accept! throw new CardException("Should never happen, XXXXXX has been accepted!", response.getSW()); } } // try wrong Admin PIN 4 times until counter goes to C0 byte[] adminPin = "XXXXXXXX".getBytes(); for (int i = 0; i <= 4; i++) { ResponseAPDU response = tryPin(0x83, adminPin); if (response.getSW() == APDU_SW_SUCCESS) { // Should NOT accept! throw new CardException("Should never happen, XXXXXXXX has been accepted", response.getSW()); } } // secure messaging must be disabled before reactivation clearSecureMessaging(); // reactivate token! // NOTE: keep the order here! First execute _both_ reactivate commands. Before checking _both_ responses // If a token is in a bad state and reactivate1 fails, it could still be reactivated with reactivate2 CommandAPDU reactivate1 = new CommandAPDU(0x00, 0xE6, 0x00, 0x00); CommandAPDU reactivate2 = new CommandAPDU(0x00, 0x44, 0x00, 0x00); ResponseAPDU response1 = communicate(reactivate1); ResponseAPDU response2 = communicate(reactivate2); if (response1.getSW() != APDU_SW_SUCCESS) { throw new CardException("Reactivating failed!", response1.getSW()); } if (response2.getSW() != APDU_SW_SUCCESS) { throw new CardException("Reactivating failed!", response2.getSW()); } } /** * Return the fingerprint from application specific data stored on tag, or * null if it doesn't exist. * * @param keyType key type * @return The fingerprint of the requested key, or null if not found. */ public byte[] getKeyFingerprint(@NonNull KeyType keyType) throws IOException { byte[] data = getFingerprints(); if (data == null) { return null; } // return the master key fingerprint ByteBuffer fpbuf = ByteBuffer.wrap(data); byte[] fp = new byte[20]; fpbuf.position(keyType.getIdx() * 20); fpbuf.get(fp, 0, 20); return fp; } public boolean isPersistentConnectionAllowed() { return mTransport != null && mTransport.isPersistentConnectionAllowed() && (mSecureMessaging == null || !mSecureMessaging.isEstablished()); } public boolean isConnected() { return mTransport != null && mTransport.isConnected(); } public void clearSecureMessaging() { if (mSecureMessaging != null) { mSecureMessaging.clearSession(); } mSecureMessaging = null; } void setSecureMessaging(final SecureMessaging sm) { clearSecureMessaging(); mSecureMessaging = sm; } OpenPgpCapabilities getOpenPgpCapabilities() { return mOpenPgpCapabilities; } private static class LazyHolder { private static final SecurityTokenHelper SECURITY_TOKEN_HELPER = new SecurityTokenHelper(); } }