diff --git a/ykcs11/obj_types.h b/ykcs11/obj_types.h index 0c58c4a..7e9d83d 100644 --- a/ykcs11/obj_types.h +++ b/ykcs11/obj_types.h @@ -76,13 +76,13 @@ typedef enum { typedef struct { //const CK_OBJECT_CLASS class; - piv_obj_id_t type; - const CK_CHAR_PTR name; // TODO: or utf8 - const CK_CHAR_PTR oid; - CK_BYTE tag_len; // TODO: or ulong? - CK_BYTE tag_value[3]; - CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed? - CK_ULONG flags; /* object has some internal object like a cert */ + piv_obj_id_t type; + const char *name; // TODO: or utf8 + const char *oid; + CK_BYTE tag_len; // TODO: or ulong? + CK_BYTE tag_value[3]; + CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed? + CK_ULONG flags; /* object has some internal object like a cert */ } piv_obj_t; #endif diff --git a/ykcs11/objects.c b/ykcs11/objects.c index e2e9678..6b1e12d 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c @@ -1,277 +1,376 @@ #include "objects.h" #include #include +#include //TODO: this is mostly a snippet from OpenSC how to give credit? /* Must be in order, and one per enumerated PIV_OBJ */ -static const piv_obj_t objects[] = { - { PIV_OBJ_CCC, "Card Capability Container", - "2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00", 0}, - { PIV_OBJ_CHUI, "Card Holder Unique Identifier", - "2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00", 0}, - { PIV_OBJ_X509_PIV_AUTH, "X.509 Certificate for PIV Authentication", - "2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01", PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_CHF, "Card Holder Fingerprints", - "2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10", 0}, - { PIV_OBJ_SEC_OBJ, "Security Object", - "2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00", 0}, - { PIV_OBJ_CHFI, "Cardholder Facial Images", - "2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30", 0}, - { PIV_OBJ_X509_CARD_AUTH, "X.509 Certificate for Card Authentication", - "2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00", PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_X509_DS, "X.509 Certificate for Digital Signature", - "2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00", PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_X509_KM, "X.509 Certificate for Key Management", - "2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02", PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_PI, "Printed Information", - "2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01", 0}, - { PIV_OBJ_DISCOVERY, "Discovery Object", - "2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50", 0}, - { PIV_OBJ_HISTORY, "Key History Object", - "2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60", 0}, +static piv_obj_t objects[] = { + {PIV_OBJ_CCC, "Card Capability Container", + "2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00", 0}, + {PIV_OBJ_CHUI, "Card Holder Unique Identifier", + "2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00", 0}, + {PIV_OBJ_X509_PIV_AUTH, "X.509 Certificate for PIV Authentication", + "2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01", PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_CHF, "Card Holder Fingerprints", + "2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10", 0}, + {PIV_OBJ_SEC_OBJ, "Security Object", + "2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00", 0}, + {PIV_OBJ_CHFI, "Cardholder Facial Images", + "2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30", 0}, + {PIV_OBJ_X509_CARD_AUTH, "X.509 Certificate for Card Authentication", + "2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00", PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_X509_DS, "X.509 Certificate for Digital Signature", + "2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00", PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_X509_KM, "X.509 Certificate for Key Management", + "2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02", PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_PI, "Printed Information", + "2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01", 0}, + {PIV_OBJ_DISCOVERY, "Discovery Object", + "2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50", 0}, + {PIV_OBJ_HISTORY, "Key History Object", + "2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60", 0}, /* 800-73-3, 21 new objects, 20 history certificates */ - { PIV_OBJ_RETIRED_X509_1, "Retired X.509 Certificate for Key Management 1", - "2.16.840.1.101.3.7.2.16.1", 3, "\x5F\xC1\x0D", "\x10\x01", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_2, "Retired X.509 Certificate for Key Management 2", - "2.16.840.1.101.3.7.2.16.2", 3, "\x5F\xC1\x0E", "\x10\x02", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_3, "Retired X.509 Certificate for Key Management 3", - "2.16.840.1.101.3.7.2.16.3", 3, "\x5F\xC1\x0F", "\x10\x03", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_4, "Retired X.509 Certificate for Key Management 4", - "2.16.840.1.101.3.7.2.16.4", 3, "\x5F\xC1\x10", "\x10\x04", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_5, "Retired X.509 Certificate for Key Management 5", - "2.16.840.1.101.3.7.2.16.5", 3, "\x5F\xC1\x11", "\x10\x05", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_6, "Retired X.509 Certificate for Key Management 6", - "2.16.840.1.101.3.7.2.16.6", 3, "\x5F\xC1\x12", "\x10\x06", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_7, "Retired X.509 Certificate for Key Management 7", - "2.16.840.1.101.3.7.2.16.7", 3, "\x5F\xC1\x13", "\x10\x07", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_8, "Retired X.509 Certificate for Key Management 8", - "2.16.840.1.101.3.7.2.16.8", 3, "\x5F\xC1\x14", "\x10\x08", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_9, "Retired X.509 Certificate for Key Management 9", - "2.16.840.1.101.3.7.2.16.9", 3, "\x5F\xC1\x15", "\x10\x09", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_10, "Retired X.509 Certificate for Key Management 10", - "2.16.840.1.101.3.7.2.16.10", 3, "\x5F\xC1\x16", "\x10\x0A", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_11, "Retired X.509 Certificate for Key Management 11", - "2.16.840.1.101.3.7.2.16.11", 3, "\x5F\xC1\x17", "\x10\x0B", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_12, "Retired X.509 Certificate for Key Management 12", - "2.16.840.1.101.3.7.2.16.12", 3, "\x5F\xC1\x18", "\x10\x0C", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_13, "Retired X.509 Certificate for Key Management 13", - "2.16.840.1.101.3.7.2.16.13", 3, "\x5F\xC1\x19", "\x10\x0D", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_14, "Retired X.509 Certificate for Key Management 14", - "2.16.840.1.101.3.7.2.16.14", 3, "\x5F\xC1\x1A", "\x10\x0E", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_15, "Retired X.509 Certificate for Key Management 15", - "2.16.840.1.101.3.7.2.16.15", 3, "\x5F\xC1\x1B", "\x10\x0F", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_16, "Retired X.509 Certificate for Key Management 16", - "2.16.840.1.101.3.7.2.16.16", 3, "\x5F\xC1\x1C", "\x10\x10", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_17, "Retired X.509 Certificate for Key Management 17", - "2.16.840.1.101.3.7.2.16.17", 3, "\x5F\xC1\x1D", "\x10\x11", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_18, "Retired X.509 Certificate for Key Management 18", - "2.16.840.1.101.3.7.2.16.18", 3, "\x5F\xC1\x1E", "\x10\x12", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_19, "Retired X.509 Certificate for Key Management 19", - "2.16.840.1.101.3.7.2.16.19", 3, "\x5F\xC1\x1F", "\x10\x13", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_RETIRED_X509_20, "Retired X.509 Certificate for Key Management 20", - "2.16.840.1.101.3.7.2.16.20", 3, "\x5F\xC1\x20", "\x10\x14", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_1, "Retired X.509 Certificate for Key Management 1", + "2.16.840.1.101.3.7.2.16.1", 3, "\x5F\xC1\x0D", "\x10\x01", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_2, "Retired X.509 Certificate for Key Management 2", + "2.16.840.1.101.3.7.2.16.2", 3, "\x5F\xC1\x0E", "\x10\x02", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_3, "Retired X.509 Certificate for Key Management 3", + "2.16.840.1.101.3.7.2.16.3", 3, "\x5F\xC1\x0F", "\x10\x03", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_4, "Retired X.509 Certificate for Key Management 4", + "2.16.840.1.101.3.7.2.16.4", 3, "\x5F\xC1\x10", "\x10\x04", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_5, "Retired X.509 Certificate for Key Management 5", + "2.16.840.1.101.3.7.2.16.5", 3, "\x5F\xC1\x11", "\x10\x05", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_6, "Retired X.509 Certificate for Key Management 6", + "2.16.840.1.101.3.7.2.16.6", 3, "\x5F\xC1\x12", "\x10\x06", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_7, "Retired X.509 Certificate for Key Management 7", + "2.16.840.1.101.3.7.2.16.7", 3, "\x5F\xC1\x13", "\x10\x07", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_8, "Retired X.509 Certificate for Key Management 8", + "2.16.840.1.101.3.7.2.16.8", 3, "\x5F\xC1\x14", "\x10\x08", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_9, "Retired X.509 Certificate for Key Management 9", + "2.16.840.1.101.3.7.2.16.9", 3, "\x5F\xC1\x15", "\x10\x09", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_10, "Retired X.509 Certificate for Key Management 10", + "2.16.840.1.101.3.7.2.16.10", 3, "\x5F\xC1\x16", "\x10\x0A", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_11, "Retired X.509 Certificate for Key Management 11", + "2.16.840.1.101.3.7.2.16.11", 3, "\x5F\xC1\x17", "\x10\x0B", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_12, "Retired X.509 Certificate for Key Management 12", + "2.16.840.1.101.3.7.2.16.12", 3, "\x5F\xC1\x18", "\x10\x0C", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_13, "Retired X.509 Certificate for Key Management 13", + "2.16.840.1.101.3.7.2.16.13", 3, "\x5F\xC1\x19", "\x10\x0D", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_14, "Retired X.509 Certificate for Key Management 14", + "2.16.840.1.101.3.7.2.16.14", 3, "\x5F\xC1\x1A", "\x10\x0E", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_15, "Retired X.509 Certificate for Key Management 15", + "2.16.840.1.101.3.7.2.16.15", 3, "\x5F\xC1\x1B", "\x10\x0F", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_16, "Retired X.509 Certificate for Key Management 16", + "2.16.840.1.101.3.7.2.16.16", 3, "\x5F\xC1\x1C", "\x10\x10", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_17, "Retired X.509 Certificate for Key Management 17", + "2.16.840.1.101.3.7.2.16.17", 3, "\x5F\xC1\x1D", "\x10\x11", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_18, "Retired X.509 Certificate for Key Management 18", + "2.16.840.1.101.3.7.2.16.18", 3, "\x5F\xC1\x1E", "\x10\x12", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_19, "Retired X.509 Certificate for Key Management 19", + "2.16.840.1.101.3.7.2.16.19", 3, "\x5F\xC1\x1F", "\x10\x13", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, + {PIV_OBJ_RETIRED_X509_20, "Retired X.509 Certificate for Key Management 20", + "2.16.840.1.101.3.7.2.16.20", 3, "\x5F\xC1\x20", "\x10\x14", + PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - { PIV_OBJ_IRIS_IMAGE, "Cardholder Iris Images", - "2.16.840.1.101.3.7.2.16.21", 3, "\x5F\xC1\x21", "\x10\x15", 0}, - { PIV_OBJ_BITGT, "Biometric Information Templates Group Template", - "2.16.840.1.101.3.7.2.16.22", 2, "\x7F\x61", "\x10\x16" }, - { PIV_OBJ_SM_SIGNER, "Secure Messaging Certificate Signer", - "2.16.840.1.101.3.7.2.16.23", 3, "\x5F\xC1\x22", "\x10\x17"}, - { PIV_OBJ_PC_REF_DATA, "Pairing Code Reference Data Container", - "2.16.840.1.101.3.7.2.16.24", 3, "\x5F\xC1\x23", "\x10\x18"}, + {PIV_OBJ_IRIS_IMAGE, "Cardholder Iris Images", + "2.16.840.1.101.3.7.2.16.21", 3, "\x5F\xC1\x21", "\x10\x15", 0}, + {PIV_OBJ_BITGT, "Biometric Information Templates Group Template", + "2.16.840.1.101.3.7.2.16.22", 2, "\x7F\x61", "\x10\x16", 0}, + {PIV_OBJ_SM_SIGNER, "Secure Messaging Certificate Signer", + "2.16.840.1.101.3.7.2.16.23", 3, "\x5F\xC1\x22", "\x10\x17", 0}, + {PIV_OBJ_PC_REF_DATA, "Pairing Code Reference Data Container", + "2.16.840.1.101.3.7.2.16.24", 3, "\x5F\xC1\x23", "\x10\x18", 0}, /* following not standard , to be used by piv-tool only for testing */ - { PIV_OBJ_9B03, "3DES-ECB ADM", - "2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0}, + {PIV_OBJ_9B03, "3DES-ECB ADM", + "2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0}, /* Only used when signing a cert req, usually from engine * after piv-tool generated the key and saved the pub key * to a file. Note RSA key can be 1024, 2048 or 3072 * but still use the "9x06" name. */ - { PIV_OBJ_9A06, "RSA 9A Pub key from last genkey", - "2.16.840.1.101.3.7.2.9999.20", 2, "\x9A\x06", "\x9A\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9C06, "Pub 9C key from last genkey", - "2.16.840.1.101.3.7.2.9999.21", 2, "\x9C\x06", "\x9C\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9D06, "Pub 9D key from last genkey", - "2.16.840.1.101.3.7.2.9999.22", 2, "\x9D\x06", "\x9D\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9E06, "Pub 9E key from last genkey", - "2.16.840.1.101.3.7.2.9999.23", 2, "\x9E\x06", "\x9E\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9A06, "RSA 9A Pub key from last genkey", + "2.16.840.1.101.3.7.2.9999.20", 2, "\x9A\x06", "\x9A\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9C06, "Pub 9C key from last genkey", + "2.16.840.1.101.3.7.2.9999.21", 2, "\x9C\x06", "\x9C\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9D06, "Pub 9D key from last genkey", + "2.16.840.1.101.3.7.2.9999.22", 2, "\x9D\x06", "\x9D\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9E06, "Pub 9E key from last genkey", + "2.16.840.1.101.3.7.2.9999.23", 2, "\x9E\x06", "\x9E\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8206, "Pub 82 key ", - "2.16.840.1.101.3.7.2.9999.101", 2, "\x82\x06", "\x82\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8306, "Pub 83 key ", - "2.16.840.1.101.3.7.2.9999.102", 2, "\x83\x06", "\x83\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8406, "Pub 84 key ", - "2.16.840.1.101.3.7.2.9999.103", 2, "\x84\x06", "\x84\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8506, "Pub 85 key ", - "2.16.840.1.101.3.7.2.9999.104", 2, "\x85\x06", "\x85\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8606, "Pub 86 key ", - "2.16.840.1.101.3.7.2.9999.105", 2, "\x86\x06", "\x86\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8706, "Pub 87 key ", - "2.16.840.1.101.3.7.2.9999.106", 2, "\x87\x06", "\x87\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8806, "Pub 88 key ", - "2.16.840.1.101.3.7.2.9999.107", 2, "\x88\x06", "\x88\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8906, "Pub 89 key ", - "2.16.840.1.101.3.7.2.9999.108", 2, "\x89\x06", "\x89\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8A06, "Pub 8A key ", - "2.16.840.1.101.3.7.2.9999.109", 2, "\x8A\x06", "\x8A\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8B06, "Pub 8B key ", - "2.16.840.1.101.3.7.2.9999.110", 2, "\x8B\x06", "\x8B\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8C06, "Pub 8C key ", - "2.16.840.1.101.3.7.2.9999.111", 2, "\x8C\x06", "\x8C\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8D06, "Pub 8D key ", - "2.16.840.1.101.3.7.2.9999.112", 2, "\x8D\x06", "\x8D\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8E06, "Pub 8E key ", - "2.16.840.1.101.3.7.2.9999.113", 2, "\x8E\x06", "\x8E\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_8F06, "Pub 8F key ", - "2.16.840.1.101.3.7.2.9999.114", 2, "\x8F\x06", "\x8F\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9006, "Pub 90 key ", - "2.16.840.1.101.3.7.2.9999.115", 2, "\x90\x06", "\x90\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9106, "Pub 91 key ", - "2.16.840.1.101.3.7.2.9999.116", 2, "\x91\x06", "\x91\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9206, "Pub 92 key ", - "2.16.840.1.101.3.7.2.9999.117", 2, "\x92\x06", "\x92\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9306, "Pub 93 key ", - "2.16.840.1.101.3.7.2.9999.118", 2, "\x93\x06", "\x93\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9406, "Pub 94 key ", - "2.16.840.1.101.3.7.2.9999.119", 2, "\x94\x06", "\x94\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_9506, "Pub 95 key ", - "2.16.840.1.101.3.7.2.9999.120", 2, "\x95\x06", "\x95\x06", PIV_OBJECT_TYPE_PUBKEY}, - { PIV_OBJ_LAST_ENUM, "", "", 0, "", "", 0} + {PIV_OBJ_8206, "Pub 82 key ", + "2.16.840.1.101.3.7.2.9999.101", 2, "\x82\x06", "\x82\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8306, "Pub 83 key ", + "2.16.840.1.101.3.7.2.9999.102", 2, "\x83\x06", "\x83\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8406, "Pub 84 key ", + "2.16.840.1.101.3.7.2.9999.103", 2, "\x84\x06", "\x84\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8506, "Pub 85 key ", + "2.16.840.1.101.3.7.2.9999.104", 2, "\x85\x06", "\x85\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8606, "Pub 86 key ", + "2.16.840.1.101.3.7.2.9999.105", 2, "\x86\x06", "\x86\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8706, "Pub 87 key ", + "2.16.840.1.101.3.7.2.9999.106", 2, "\x87\x06", "\x87\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8806, "Pub 88 key ", + "2.16.840.1.101.3.7.2.9999.107", 2, "\x88\x06", "\x88\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8906, "Pub 89 key ", + "2.16.840.1.101.3.7.2.9999.108", 2, "\x89\x06", "\x89\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8A06, "Pub 8A key ", + "2.16.840.1.101.3.7.2.9999.109", 2, "\x8A\x06", "\x8A\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8B06, "Pub 8B key ", + "2.16.840.1.101.3.7.2.9999.110", 2, "\x8B\x06", "\x8B\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8C06, "Pub 8C key ", + "2.16.840.1.101.3.7.2.9999.111", 2, "\x8C\x06", "\x8C\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8D06, "Pub 8D key ", + "2.16.840.1.101.3.7.2.9999.112", 2, "\x8D\x06", "\x8D\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8E06, "Pub 8E key ", + "2.16.840.1.101.3.7.2.9999.113", 2, "\x8E\x06", "\x8E\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_8F06, "Pub 8F key ", + "2.16.840.1.101.3.7.2.9999.114", 2, "\x8F\x06", "\x8F\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9006, "Pub 90 key ", + "2.16.840.1.101.3.7.2.9999.115", 2, "\x90\x06", "\x90\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9106, "Pub 91 key ", + "2.16.840.1.101.3.7.2.9999.116", 2, "\x91\x06", "\x91\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9206, "Pub 92 key ", + "2.16.840.1.101.3.7.2.9999.117", 2, "\x92\x06", "\x92\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9306, "Pub 93 key ", + "2.16.840.1.101.3.7.2.9999.118", 2, "\x93\x06", "\x93\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9406, "Pub 94 key ", + "2.16.840.1.101.3.7.2.9999.119", 2, "\x94\x06", "\x94\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_9506, "Pub 95 key ", + "2.16.840.1.101.3.7.2.9999.120", 2, "\x95\x06", "\x95\x06", PIV_OBJECT_TYPE_PUBKEY}, + {PIV_OBJ_LAST_ENUM, "", "", 0, "", "", 0} }; static const CK_ULONG n_objects = sizeof(objects) / sizeof(piv_obj_t); -static CK_RV get_object_class(CK_OBJECT_HANDLE obj, CK_OBJECT_CLASS_PTR class) { +static void get_object_class(CK_OBJECT_HANDLE obj, CK_OBJECT_CLASS_PTR class) { if ((objects[obj].flags & PIV_OBJECT_TYPE_PUBKEY)) *class = CKO_PUBLIC_KEY; else if ((objects[obj].flags & PIV_OBJECT_TYPE_CERT)) *class = CKO_CERTIFICATE; else - *class - CKO_DATA; // TODO: other possibilities? - return CKR_OK; + *class = CKO_DATA; // TODO: other possibilities? } -static CK_RV get_object_label(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR label) { - strcpy(label, objects[obj].name); +static void get_object_label(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR label) { + strcpy((char *)label, objects[obj].name); } -static CK_RV get_object_oid(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR oid) { -// strcpy(oid, objects[obj].oid); - oid[0] = 0x2b; - oid[1] = 0x06; - oid[2] = 0x01; - oid[3] = 0x04; - oid[4] = 0x01; - oid[5] = 0x82; - oid[6] = 0x37; - oid[7] = 0x15; - oid[8] = 0x14; +// Next two functions based off the code at +// https://github.com/m9aertner/oidConverter/blob/master/oid.c +// TODO: how to give credit? +static void make_base128(unsigned long l, int first, CK_BYTE_PTR buf, CK_ULONG_PTR n) { + if (l > 127) + make_base128(l / 128, 0, buf, n); + + l %= 128; + + if (first) + buf[(*n)++] = (CK_BYTE)l; + else + buf[(*n)++] = 0x80 | (CK_BYTE)l; } +static void asn1_encode_oid(CK_CHAR_PTR oid, CK_BYTE_PTR asn1_oid, CK_ULONG_PTR len) { + CK_CHAR_PTR tmp = strdup((char *)oid); + CK_CHAR_PTR p = tmp; + CK_BYTE_PTR q = NULL; + CK_ULONG n = 0; + CK_BYTE b = 0; + CK_ULONG l = 0; + CK_ULONG nodes; + + q = p; + *len = 0; + nodes = 1; + while (*p != 0) { + if (*p == '.') + nodes++; + p++; + } + + n = 0; + b = 0; + p = q; + while (n < nodes) { + q = p; + while (*p != 0) { + if (*p == '.') + break; + p++; + } + + l = 0; + if (*p == '.') { + *p = 0; + l = (CK_ULONG) atoi((char *)q); + q = p + 1; + p = q; + } + else { + l = (CK_ULONG) atoi((char *)q); + q = p; + } + + /* Digit is in l. */ + if (n == 0) + b = 40 * ((CK_BYTE)l); + else if (n == 1) { + b += (CK_BYTE) l; + asn1_oid[(*len)++] = b; + } + else { + make_base128(l, 1, asn1_oid, len); + } + n++; + } + + free(tmp); +} + +static void get_object_oid(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR oid) { + strcpy((char *)oid, objects[obj].oid); +} + +static void get_object_certificate_type(CK_OBJECT_HANDLE obj, CK_CERTIFICATE_TYPE_PTR type) { + if ((objects[obj].flags & PIV_OBJECT_TYPE_CERT)) + *type = CKC_X_509; +} + +static void get_object_key_id(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR key_id) { + memcpy((char *)key_id, objects[obj].containerid, 2); +} CK_RV get_attribute(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { fprintf(stderr, "FOR OBJECT %lu, I WANT ", obj); - CK_ULONG i; switch (template->type) { case CKA_CLASS: fprintf(stderr, "CLASS\n"); - get_object_class(obj, template->pValue); + if (template->pValue == NULL_PTR) // TODO: just don't use functions, break and check return later? + template->ulValueLen = 1; + else + get_object_class(obj, template->pValue); + return CKR_OK; - case CKA_TOKEN: - //get_object +// case CKA_TOKEN: case CKA_PRIVATE: + fprintf(stderr, "PRIVATE\n"); // TODO: check more template->ulValueLen = CK_UNAVAILABLE_INFORMATION; return CKR_OK; case CKA_LABEL: fprintf(stderr, "LABEL\n"); - get_object_label(obj, template->pValue); + if (template->pValue == NULL_PTR) + template->ulValueLen = strlen(objects[obj].name); + else + strcpy((char *)template->pValue, objects[obj].name); return CKR_OK; case CKA_APPLICATION: fprintf(stderr, "APPLICATION\n"); - get_object_label(obj, template->pValue); + if (template->pValue == NULL_PTR) + template->ulValueLen = strlen(objects[obj].name); + else + strcpy((char *)template->pValue, objects[obj].name); return CKR_OK; - case CKA_VALUE: - case CKA_OBJECT_ID: - fprintf(stderr, "OID\n!!!"); // TODO: this is a DER encoded byte array - - get_object_oid(obj, template->pValue); - template->ulValueLen = 9; +// case CKA_VALUE: + case CKA_OBJECT_ID: // TODO: how about just storing the OID in DER ? + fprintf(stderr, "OID\n"); + if (template->pValue == NULL_PTR) + template->ulValueLen = strlen(objects[obj].oid) * 2; // Slightly oversized + else { + strcpy((char *)template->pValue, objects[obj].oid); + asn1_encode_oid(template->pValue, template->pValue, &template->ulValueLen); + } return CKR_OK; case CKA_CERTIFICATE_TYPE: - case CKA_ISSUER: - case CKA_SERIAL_NUMBER: + fprintf(stderr, "CERTIFICATE TYPE\n"); + if (template->pValue == NULL_PTR) + template->ulValueLen = 1; + else + *((CK_ULONG_PTR)template->pValue) = CKC_X_509; // Support only X.509 certs + return CKR_OK; +// case CKA_ISSUER: +// case CKA_SERIAL_NUMBER: case CKA_KEY_TYPE: - fprintf(stderr, "Return the key type\n"); + fprintf(stderr, "Return the key type TODO!!!\n"); return CKR_OK; - case CKA_SUBJECT: + /* case CKA_SUBJECT: */ case CKA_ID: - case CKA_SENSITIVE: - case CKA_ENCRYPT: - case CKA_DECRYPT: - case CKA_WRAP: - case CKA_UNWRAP: - case CKA_SIGN: - case CKA_SIGN_RECOVER: - case CKA_VERIFY: - case CKA_VERIFY_RECOVER: - case CKA_DERIVE: - case CKA_START_DATE: - case CKA_END_DATE: - case CKA_MODULUS: - case CKA_MODULUS_BITS: - case CKA_PUBLIC_EXPONENT: - case CKA_PRIVATE_EXPONENT: - case CKA_PRIME_1: - case CKA_PRIME_2: - case CKA_EXPONENT_1: - case CKA_EXPONENT_2: - case CKA_COEFFICIENT: - case CKA_PRIME: - case CKA_SUBPRIME: - case CKA_BASE: - case CKA_VALUE_BITS: - case CKA_VALUE_LEN: - case CKA_EXTRACTABLE: - case CKA_LOCAL: - case CKA_NEVER_EXTRACTABLE: - case CKA_ALWAYS_SENSITIVE: + fprintf(stderr, "KEY ID\n"); + if (template->pValue == NULL_PTR) + template->ulValueLen = 2; + else + memcpy((char *)template->pValue, objects[obj].containerid, 2); + return CKR_OK; + /* case CKA_SENSITIVE: */ + /* case CKA_ENCRYPT: */ + /* case CKA_DECRYPT: */ + /* case CKA_WRAP: */ + /* case CKA_UNWRAP: */ + /* case CKA_SIGN: */ + /* case CKA_SIGN_RECOVER: */ + /* case CKA_VERIFY: */ + /* case CKA_VERIFY_RECOVER: */ + /* case CKA_DERIVE: */ + /* case CKA_START_DATE: */ + /* case CKA_END_DATE: */ + /* case CKA_MODULUS: */ + /* case CKA_MODULUS_BITS: */ + /* case CKA_PUBLIC_EXPONENT: */ + /* case CKA_PRIVATE_EXPONENT: */ + /* case CKA_PRIME_1: */ + /* case CKA_PRIME_2: */ + /* case CKA_EXPONENT_1: */ + /* case CKA_EXPONENT_2: */ + /* case CKA_COEFFICIENT: */ + /* case CKA_PRIME: */ + /* case CKA_SUBPRIME: */ + /* case CKA_BASE: */ + /* case CKA_VALUE_BITS: */ + /* case CKA_VALUE_LEN: */ + /* case CKA_EXTRACTABLE: */ + /* case CKA_LOCAL: */ + /* case CKA_NEVER_EXTRACTABLE: */ + /* case CKA_ALWAYS_SENSITIVE: */ case CKA_MODIFIABLE: fprintf(stderr, "MODIFIABLE\n"); + if (template->pValue == NULL_PTR) + template->ulValueLen = 1; + else *((CK_ULONG_PTR)template->pValue) = CK_FALSE; return CKR_OK; + case CKA_VENDOR_DEFINED: default: - fprintf(stderr, "UNKNOWN ATTRIBUTE!!!!! %lu\n", template[0].type); - + fprintf(stderr, "UNKNOWN ATTRIBUTE!!!!! %lx\n", template[0].type); + template->ulValueLen = CK_UNAVAILABLE_INFORMATION; return CKR_FUNCTION_FAILED; } diff --git a/ykcs11/pkcs11t.h b/ykcs11/pkcs11t.h index 3d10176..6808b3f 100644 --- a/ykcs11/pkcs11t.h +++ b/ykcs11/pkcs11t.h @@ -356,6 +356,7 @@ typedef CK_ULONG CK_KEY_TYPE; /* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG * for v2.0 */ typedef CK_ULONG CK_CERTIFICATE_TYPE; +typedef CK_CERTIFICATE_TYPE CK_PTR CK_CERTIFICATE_TYPE_PTR; /* The following certificate types are defined: */ #define CKC_X_509 0x00000000 diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c index 9a977d4..4e83a0f 100644 --- a/ykcs11/ykcs11.c +++ b/ykcs11/ykcs11.c @@ -11,7 +11,7 @@ printf ("\n"); \ } while (0) -#define YKCS11_DBG 1 // General debug, must be either 1 or 0 +#define YKCS11_DBG 0 // General debug, must be either 1 or 0 #define YKCS11_DINOUT 0 // Function in/out debug, must be either 1 or 0 #define YKCS11_MANUFACTURER "Yubico (www.yubico.com)" @@ -49,6 +49,7 @@ static CK_SESSION_INFO session_info; static struct { CK_BBOOL active; + CK_ULONG num; CK_ULONG idx; CK_BBOOL all; CK_OBJECT_CLASS class; @@ -750,7 +751,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)( if (pTemplate[0].pValue == NULL_PTR) { DBG(("Just get size")); - pTemplate[0].ulValueLen = 1024; // TODO: get attribute size + get_attribute(hObject, pTemplate); // TODO: get attribute size DOUT; return CKR_OK; } @@ -784,6 +785,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( { DIN; CK_ULONG i; + vendor_t vendor; if (piv_state == NULL) return CKR_CRYPTOKI_NOT_INITIALIZED; @@ -792,16 +794,23 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( return CKR_SESSION_CLOSED; if (hSession != session) - return CKR_SESSION_HANDLE_INVALID; + return CKR_SESSION_HANDLE_INVALID; // TODO: or session closed? if (find_obj.active == CK_TRUE) return CKR_OPERATION_ACTIVE; + if (slots[session_info.slotID].vid == UNKNOWN) { + DBG(("Slot %lu is tokenless/unsupported", slotID)); + return CKR_SLOT_ID_INVALID; + } + vendor = get_vendor(slots[session_info.slotID].vid); // TODO: make a token field in slot_t ?; + if (ulCount == 0) { DBG(("Find ALL the objects!")); find_obj.active = CK_TRUE; - find_obj.all = CK_TRUE; + vendor.get_token_objects_num(&find_obj.num); find_obj.idx = 0; + find_obj.all = CK_TRUE; DOUT; return CKR_OK; } @@ -824,7 +833,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( DOUT; return CKR_OK; } -CK_ULONG bla = 1; // TODO: delete + CK_DEFINE_FUNCTION(CK_RV, C_FindObjects)( CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, @@ -853,11 +862,15 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjects)( DBG(("Can return %lu object(s)", ulMaxObjectCount)); if (find_obj.all == CK_TRUE) { - // Trying to get all the objects, just return the next - //*phObject = piv_objects[find_obj.idx++]; - //*pulObjectCount = 1; - *phObject = piv_objects[bla]; - *pulObjectCount = bla--; + // Trying to get all the objects, just return the next one + if (find_obj.idx == find_obj.num) { + *pulObjectCount = 0; + DOUT; + return CKR_OK; + } + + *phObject = piv_objects[find_obj.idx++]; + *pulObjectCount = 1; } diff --git a/ykcs11/yubico.c b/ykcs11/yubico.c index dd968a4..f3c25f5 100644 --- a/ykcs11/yubico.c +++ b/ykcs11/yubico.c @@ -67,8 +67,43 @@ static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH {0, 0, CKF_DIGEST} // CKM_SHA512 }; -static const piv_obj_id_t token_objects[] = { - +static const piv_obj_id_t token_objects[] = { // TODO: is there a way to get this from the token? + PIV_OBJ_CCC, // Card capability container + PIV_OBJ_CHUI, // Cardholder unique id + PIV_OBJ_X509_PIV_AUTH, // PIV authentication + PIV_OBJ_CHF, // Cardholder fingerprints + PIV_OBJ_SEC_OBJ, // Security object + PIV_OBJ_CHFI, // Cardholder facial images + PIV_OBJ_X509_CARD_AUTH, // Certificate for card authentication + PIV_OBJ_X509_DS, // Certificate for digital signature + PIV_OBJ_X509_KM, // Certificate for key management + //PIV_OBJ_PI, // Cardholder printed information + //PIV_OBJ_DISCOVERY, // Discovery object + //PIV_OBJ_HISTORY, // History object +/* PIV_OBJ_RETIRED_X509_1, // Retired certificate for KM 1 + PIV_OBJ_RETIRED_X509_2, // Retired certificate for KM 2 + PIV_OBJ_RETIRED_X509_3, // Retired certificate for KM 3 + PIV_OBJ_RETIRED_X509_4, // Retired certificate for KM 4 + PIV_OBJ_RETIRED_X509_5, // Retired certificate for KM 5 + PIV_OBJ_RETIRED_X509_6, // Retired certificate for KM 6 + PIV_OBJ_RETIRED_X509_7, // Retired certificate for KM 7 + PIV_OBJ_RETIRED_X509_8, // Retired certificate for KM 8 + PIV_OBJ_RETIRED_X509_9, // Retired certificate for KM 9 + PIV_OBJ_RETIRED_X509_10, // Retired certificate for KM 10 + PIV_OBJ_RETIRED_X509_11, // Retired certificate for KM 11 + PIV_OBJ_RETIRED_X509_12, // Retired certificate for KM 12 + PIV_OBJ_RETIRED_X509_13, // Retired certificate for KM 13 + PIV_OBJ_RETIRED_X509_14, // Retired certificate for KM 14 + PIV_OBJ_RETIRED_X509_15, // Retired certificate for KM 15 + PIV_OBJ_RETIRED_X509_16, // Retired certificate for KM 16 + PIV_OBJ_RETIRED_X509_17, // Retired certificate for KM 17 + PIV_OBJ_RETIRED_X509_18, // Retired certificate for KM 18 + PIV_OBJ_RETIRED_X509_19, // Retired certificate for KM 19 + PIV_OBJ_RETIRED_X509_20, // Retired certificate for KM 20*/ + //PIV_OBJ_IRIS_IMAGE, // Cardholder iris images + //PIV_OBJ_BITGT, // Biometric information templates group template + //PIV_OBJ_SM_SIGNER, // Secure messaging signer + //PIV_OBJ_PC_REF_DATA, // Pairing code reference data }; static const CK_ULONG token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t); @@ -220,6 +255,7 @@ CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_P CK_RV YUBICO_get_token_objects_num(CK_ULONG_PTR num) { *num = token_objects_num; + //fprintf("TIENI %lu\n", token_objects_num); return CKR_OK; }