Merge branch 'devel/p384' into ykcs11
Conflicts: NEWS configure.ac lib/ykpiv.c lib/ykpiv.h tool/util.c tool/util.h
This commit is contained in:
+35
-51
@@ -452,6 +452,10 @@ ykpiv_rc ykpiv_authenticate(ykpiv_state *state, unsigned const char *key) {
|
||||
}
|
||||
|
||||
ykpiv_rc ykpiv_set_mgmkey(ykpiv_state *state, const unsigned char *new_key) {
|
||||
return ykpiv_set_mgmkey2(state, new_key, 0);
|
||||
}
|
||||
|
||||
ykpiv_rc ykpiv_set_mgmkey2(ykpiv_state *state, const unsigned char *new_key, const unsigned char touch) {
|
||||
APDU apdu;
|
||||
unsigned char data[0xff];
|
||||
unsigned long recv_len = sizeof(data);
|
||||
@@ -478,7 +482,13 @@ ykpiv_rc ykpiv_set_mgmkey(ykpiv_state *state, const unsigned char *new_key) {
|
||||
memset(apdu.raw, 0, sizeof(apdu));
|
||||
apdu.st.ins = YKPIV_INS_SET_MGMKEY;
|
||||
apdu.st.p1 = 0xff;
|
||||
apdu.st.p2 = 0xff;
|
||||
if(touch == 0) {
|
||||
apdu.st.p2 = 0xff;
|
||||
} else if(touch == 1) {
|
||||
apdu.st.p2 = 0xfe;
|
||||
} else {
|
||||
return YKPIV_GENERIC_ERROR;
|
||||
}
|
||||
apdu.st.lc = DES_KEY_SZ * 3 + 3;
|
||||
apdu.st.data[0] = YKPIV_ALGO_3DES;
|
||||
apdu.st.data[1] = YKPIV_KEY_CARDMGM;
|
||||
@@ -524,7 +534,7 @@ ykpiv_rc ykpiv_hex_decode(const char *hex_in, size_t in_len,
|
||||
}
|
||||
|
||||
static ykpiv_rc _general_authenticate(ykpiv_state *state,
|
||||
const unsigned char *raw_in, size_t in_len,
|
||||
const unsigned char *sign_in, size_t in_len,
|
||||
unsigned char *out, size_t *out_len,
|
||||
unsigned char algorithm, unsigned char key, bool decipher, bool padding) {
|
||||
unsigned char indata[1024];
|
||||
@@ -532,63 +542,37 @@ static ykpiv_rc _general_authenticate(ykpiv_state *state,
|
||||
unsigned char data[1024];
|
||||
unsigned char templ[] = {0, YKPIV_INS_AUTHENTICATE, algorithm, key};
|
||||
unsigned long recv_len = sizeof(data);
|
||||
unsigned char sign_in[256];
|
||||
size_t pad_len = 0;
|
||||
size_t key_len = 0;
|
||||
int sw;
|
||||
size_t bytes;
|
||||
size_t len = 0;
|
||||
ykpiv_rc res;
|
||||
|
||||
switch(algorithm) {
|
||||
case YKPIV_ALGO_RSA1024:
|
||||
pad_len = 128;
|
||||
|
||||
case YKPIV_ALGO_RSA2048:
|
||||
if(pad_len == 0) {
|
||||
pad_len = 256;
|
||||
}
|
||||
if(!decipher) {
|
||||
// Signature
|
||||
if (padding) {
|
||||
// Padding required
|
||||
if(in_len + RSA_PKCS1_PADDING_SIZE > pad_len) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
}
|
||||
|
||||
// Add padding and copy data
|
||||
RSA_padding_add_PKCS1_type_1(sign_in, pad_len, raw_in, in_len);
|
||||
in_len = pad_len;
|
||||
case YKPIV_ALGO_RSA1024:
|
||||
key_len = 128;
|
||||
case YKPIV_ALGO_RSA2048:
|
||||
if(key_len == 0) {
|
||||
key_len = 256;
|
||||
}
|
||||
else {
|
||||
// No padding required
|
||||
if (in_len != pad_len)
|
||||
return YKPIV_SIZE_ERROR;
|
||||
|
||||
// Just copy data
|
||||
memcpy(sign_in, raw_in, in_len);
|
||||
if(in_len != key_len) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
}
|
||||
}
|
||||
else {
|
||||
// Decryption
|
||||
if(in_len != pad_len) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
break;
|
||||
case YKPIV_ALGO_ECCP256:
|
||||
key_len = 32;
|
||||
case YKPIV_ALGO_ECCP384:
|
||||
if(key_len == 0) {
|
||||
key_len = 48;
|
||||
}
|
||||
|
||||
// Just copy data
|
||||
memcpy(sign_in, raw_in, in_len);
|
||||
}
|
||||
break;
|
||||
|
||||
case YKPIV_ALGO_ECCP256:
|
||||
if(!decipher && in_len > 32) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
} else if(decipher && in_len != 65) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
}
|
||||
memcpy(sign_in, raw_in, in_len);
|
||||
break;
|
||||
default:
|
||||
return YKPIV_ALGORITHM_ERROR;
|
||||
if(!decipher && in_len > key_len) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
} else if(decipher && in_len != (key_len * 2) + 1) {
|
||||
return YKPIV_SIZE_ERROR;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
return YKPIV_ALGORITHM_ERROR;
|
||||
}
|
||||
|
||||
if(in_len < 0x80) {
|
||||
@@ -603,7 +587,7 @@ static ykpiv_rc _general_authenticate(ykpiv_state *state,
|
||||
dataptr += set_length(dataptr, in_len + bytes + 3);
|
||||
*dataptr++ = 0x82;
|
||||
*dataptr++ = 0x00;
|
||||
*dataptr++ = algorithm == YKPIV_ALGO_ECCP256 && decipher ? 0x85 : 0x81;
|
||||
*dataptr++ = YKPIV_IS_EC(algorithm) && decipher ? 0x85 : 0x81;
|
||||
dataptr += set_length(dataptr, in_len);
|
||||
memcpy(dataptr, sign_in, (size_t)in_len);
|
||||
dataptr += in_len;
|
||||
|
||||
+36
@@ -88,6 +88,8 @@ extern "C"
|
||||
ykpiv_rc ykpiv_verify(ykpiv_state *state, const char *pin, int *tries);
|
||||
ykpiv_rc ykpiv_fetch_object(ykpiv_state *state, int object_id,
|
||||
unsigned char *data, unsigned long *len);
|
||||
ykpiv_rc ykpiv_set_mgmkey2(ykpiv_state *state, const unsigned char *new_key,
|
||||
const unsigned char touch);
|
||||
ykpiv_rc ykpiv_save_object(ykpiv_state *state, int object_id,
|
||||
unsigned char *indata, size_t len);
|
||||
|
||||
@@ -95,6 +97,7 @@ extern "C"
|
||||
#define YKPIV_ALGO_RSA1024 0x06
|
||||
#define YKPIV_ALGO_RSA2048 0x07
|
||||
#define YKPIV_ALGO_ECCP256 0x11
|
||||
#define YKPIV_ALGO_ECCP384 0x14
|
||||
|
||||
#define YKPIV_KEY_AUTHENTICATION 0x9a
|
||||
#define YKPIV_KEY_CARDMGM 0x9b
|
||||
@@ -116,6 +119,27 @@ extern "C"
|
||||
#define YKPIV_OBJ_KEY_HISTORY 0x5fc10c
|
||||
#define YKPIV_OBJ_IRIS 0x5fc121
|
||||
|
||||
#define YKPIV_OBJ_RETIRED1 0x5fc10d
|
||||
#define YKPIV_OBJ_RETIRED2 0x5fc10e
|
||||
#define YKPIV_OBJ_RETIRED3 0x5fc10f
|
||||
#define YKPIV_OBJ_RETIRED4 0x5fc110
|
||||
#define YKPIV_OBJ_RETIRED5 0x5fc111
|
||||
#define YKPIV_OBJ_RETIRED6 0x5fc112
|
||||
#define YKPIV_OBJ_RETIRED7 0x5fc113
|
||||
#define YKPIV_OBJ_RETIRED8 0x5fc114
|
||||
#define YKPIV_OBJ_RETIRED9 0x5fc115
|
||||
#define YKPIV_OBJ_RETIRED10 0x5fc116
|
||||
#define YKPIV_OBJ_RETIRED11 0x5fc117
|
||||
#define YKPIV_OBJ_RETIRED12 0x5fc118
|
||||
#define YKPIV_OBJ_RETIRED13 0x5fc119
|
||||
#define YKPIV_OBJ_RETIRED14 0x5fc11a
|
||||
#define YKPIV_OBJ_RETIRED15 0x5fc11b
|
||||
#define YKPIV_OBJ_RETIRED16 0x5fc11c
|
||||
#define YKPIV_OBJ_RETIRED17 0x5fc11d
|
||||
#define YKPIV_OBJ_RETIRED18 0x5fc11e
|
||||
#define YKPIV_OBJ_RETIRED19 0x5fc11f
|
||||
#define YKPIV_OBJ_RETIRED20 0x5fc120
|
||||
|
||||
#define YKPIV_INS_VERIFY 0x20
|
||||
#define YKPIV_INS_CHANGE_REFERENCE 0x24
|
||||
#define YKPIV_INS_RESET_RETRY 0x2c
|
||||
@@ -131,6 +155,18 @@ extern "C"
|
||||
#define YKPIV_INS_RESET 0xfb
|
||||
#define YKPIV_INS_SET_PIN_RETRIES 0xfa
|
||||
|
||||
#define YKPIV_PINPOLICY_TAG 0xaa
|
||||
#define YKPIV_PINPOLICY_NEVER 1
|
||||
#define YKPIV_PINPOLICY_ONCE 2
|
||||
#define YKPIV_PINPOLICY_ALWAYS 3
|
||||
|
||||
#define YKPIV_TOUCHPOLICY_TAG 0xab
|
||||
#define YKPIV_TOUCHPOLICY_NEVER 1
|
||||
#define YKPIV_TOUCHPOLICY_ALWAYS 2
|
||||
|
||||
#define YKPIV_IS_EC(a) ((a == YKPIV_ALGO_ECCP256 || a == YKPIV_ALGO_ECCP384))
|
||||
#define YKPIV_IS_RSA(a) ((a == YKPIV_ALGO_RSA1024 || a == YKPIV_ALGO_RSA2048))
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -56,3 +56,9 @@ global:
|
||||
ykpiv_connect2;
|
||||
ykpiv_sign_data2;
|
||||
} YKPIV_0.1.0;
|
||||
|
||||
YKPIV_1.1.0
|
||||
{
|
||||
global:
|
||||
ykpiv_set_mgmkey2;
|
||||
} YKPIV_0.1.0;
|
||||
|
||||
Reference in New Issue
Block a user