[pkg-opensc-commit] [opensc] 189/295: Added (external) card driver for German ID card
Eric Dorland
eric at moszumanska.debian.org
Sat Jun 24 21:11:30 UTC 2017
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository opensc.
commit a4f64d9439cf072e2c5ef0f8dd1cfd508b75242a
Author: Frank Morgner <morgner at informatik.hu-berlin.de>
Date: Fri Nov 6 08:24:16 2015 +0100
Added (external) card driver for German ID card
(Imported libcardnpa from https://github.com/frankmorgner/vsmartcard)
- Added generic SM implementation of ISO/IEC 7816-8
- Added implementation of extended access control as defined by
- BSI TR-03110
- ICAO Doc 9303
- ISO/IEC 7501
- Added tool for German ID card (and other EAC tokens)
- renamed folder libsm to sm
---
.gitignore | 6 +-
.travis.yml | 20 +-
configure.ac | 103 +-
etc/opensc.conf.in | 28 +-
src/Makefile.am | 6 +-
src/Makefile.mak | 3 +-
src/libopensc/Makefile.am | 15 +-
src/libopensc/Makefile.mak | 13 +-
src/libopensc/card-npa.c | 724 +++++++++++
src/libopensc/card-npa.h | 49 +
src/libopensc/cardnpa.exports | 2 +
src/libopensc/iso7816.c | 135 +++
src/libopensc/libopensc.exports | 14 +
src/libopensc/opensc.h | 28 +
src/libopensc/pace.h | 100 +-
src/libsm/Makefile.am | 14 -
src/libsm/Makefile.mak | 18 -
src/sm/Makefile.am | 28 +
src/sm/Makefile.mak | 30 +
src/{libsm => sm}/sm-common.c | 0
src/{libsm => sm}/sm-common.h | 0
src/sm/sm-eac.c | 2502 ++++++++++++++++++++++++++++++++++++++
src/sm/sm-eac.h | 296 +++++
src/sm/sm-iso-internal.h | 91 ++
src/sm/sm-iso.c | 783 ++++++++++++
src/sm/sm-iso.h | 126 ++
src/sm/sslutil.h | 39 +
src/smm/Makefile.am | 2 +-
src/smm/Makefile.mak | 2 +-
src/smm/sm-module.h | 2 +-
src/tools/Makefile.am | 56 +-
src/tools/Makefile.mak | 6 +-
src/tools/apdus | 29 +
src/tools/fread_to_eof.c | 62 +
src/tools/fread_to_eof.h | 25 +
src/tools/npa-tool-cmdline.c | 2540 +++++++++++++++++++++++++++++++++++++++
src/tools/npa-tool-cmdline.h | 354 ++++++
src/tools/npa-tool.1 | 205 ++++
src/tools/npa-tool.c | 897 ++++++++++++++
src/tools/npa-tool.ggo.in | 225 ++++
src/tools/sceac-example.c | 146 +++
win32/Make.rules.mak | 21 +-
win32/OpenSC.wxs.in | 9 +
win32/winconfig.h.in | 4 +
44 files changed, 9641 insertions(+), 117 deletions(-)
diff --git a/.gitignore b/.gitignore
index 800190d..d224b76 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,7 +67,7 @@ doc/tools/netkey-tool
doc/tools/openpgp-tool
doc/tools/opensc-explorer
doc/tools/opensc-tool
-src/tools/gids-tool
+doc/tools/gids-tool
doc/tools/piv-tool
doc/tools/pkcs11-tool
doc/tools/pkcs15-crypt
@@ -76,7 +76,6 @@ doc/tools/pkcs15-tool
doc/tools/sc-hsm-tool
doc/tools/westcos-tool
doc/tools/dnie-tool
-doc/tools/gids-tool
etc/opensc.conf.win
etc/opensc.conf
@@ -101,7 +100,8 @@ src/tools/cryptoflex-tool
src/tools/netkey-tool
src/tools/pkcs11-tool
src/tools/dnie-tool
-src/tools/gids-tool
+src/tools/npa-tool
+src/tools/sceac-example
win32/OpenSC.iss
win32/OpenSC.wxs
diff --git a/.travis.yml b/.travis.yml
index 8f94d68..9942ca5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,6 +13,7 @@ addons:
- mingw-w64
- wine
- xsltproc
+ - gengetopt
coverity_scan:
project:
name: "OpenSC/OpenSC"
@@ -45,6 +46,14 @@ matrix:
- os: linux
env: HOST=i686-w64-mingw32
+before_install:
+ - if [ "$TRAVIS_OS_NAME" == "osx" ]; then
+ brew update;
+ brew uninstall libtool;
+ brew install libtool;
+ brew install gengetopt;
+ fi
+
before_script:
# we run a weekly cron job in travis on the coverity branch
# just synchronize it with master to get a new report
@@ -53,7 +62,7 @@ before_script:
fi
- ./bootstrap
- if [ -z "$HOST" ]; then
- CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
+ CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
else
if [ ! -f "$(winepath 'C:/Program Files (x86)/Inno Setup 5/ISCC.exe')" ]; then
/sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16;
@@ -90,13 +99,4 @@ after_script:
killall services.exe;
fi
-
-before_install:
- - if [ "$TRAVIS_OS_NAME" != "linux" ]; then
- brew update;
- brew uninstall libtool;
- brew install libtool;
- brew install libdvbpsi libhdhomerun;
- fi
-
cache: ccache
diff --git a/configure.ac b/configure.ac
index d8db9de..7cf6614 100644
--- a/configure.ac
+++ b/configure.ac
@@ -169,6 +169,13 @@ AC_ARG_ENABLE(
)
AC_ARG_ENABLE(
+ [openpace],
+ [AS_HELP_STRING([--enable-openpace],[enable OpenPACE linkage @<:@detect@:>@])],
+ ,
+ [enable_openpace="detect"]
+)
+
+AC_ARG_ENABLE(
[openct],
[AS_HELP_STRING([--enable-openct],[enable openct linkage @<:@disabled@:>@])],
,
@@ -354,7 +361,7 @@ AC_FUNC_ERROR_AT_LINE
AC_FUNC_STAT
AC_FUNC_VPRINTF
AC_CHECK_FUNCS([ \
- getpass gettimeofday memset mkdir \
+ getpass gettimeofday getline memset mkdir \
strdup strerror getopt_long getopt_long_only \
strlcpy strlcat strnlen
])
@@ -552,6 +559,88 @@ else
OPENSSL_LIBS=""
fi
+
+
+PKG_CHECK_EXISTS([libeac], [PKG_CHECK_MODULES([OPENPACE], [libeac >= 0.9])],
+ [AC_MSG_WARN([libeac not found by pkg-config])])
+
+saved_CPPFLAGS="$CPPFLAGS"
+saved_LIBS="$LIBS"
+CPPFLAGS="$CPPFLAGS $OPENPACE_CFLAGS"
+LIBS="$LDFLAGS $OPENPACE_LIBS"
+
+have_openpace="yes"
+AC_CHECK_HEADERS(eac/eac.h, [],
+ [ AC_MSG_WARN([OpenPACE headers not found])
+ have_openpace="no" ])
+AC_MSG_CHECKING([for EAC_CTX_init_pace])
+AC_TRY_LINK_FUNC(EAC_CTX_init_pace, [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_WARN([Cannot link against libeac])
+ have_openpace="no" ])
+
+CPPFLAGS="$saved_CPPFLAGS"
+LIBS="$saved_LIBS"
+
+
+AC_ARG_ENABLE(cvcdir,
+ AC_HELP_STRING([--enable-cvcdir=DIR],
+ [directory containing CV certificates (default is determined by libeac)]),
+ [cvcdir="${enableval}"],
+ [cvcdir=false])
+if test "${cvcdir}" = false ; then
+ cvcdir="`$PKG_CONFIG libeac --variable=cvcdir`"
+fi
+if test "${cvcdir}" = "" ; then
+ AC_MSG_WARN([use --enable-cvcdir=DIR])
+fi
+CVCDIR="${cvcdir}"
+AC_SUBST(CVCDIR)
+
+AC_ARG_ENABLE(x509dir,
+ AC_HELP_STRING([--enable-x509dir=DIR],
+ [directory containing X.509 certificates (default is determined by libeac)]),
+ [x509dir="${enableval}"],
+ [x509dir=false])
+if test "${x509dir}" = false ; then
+ x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
+fi
+if test -z "${x509dir}"
+then
+ x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
+fi
+if test -z "${x509dir}"
+then
+ AC_MSG_WARN([use --enable-x509dir=DIR])
+fi
+X509DIR="${x509dir}"
+AC_SUBST(X509DIR)
+
+case "${enable_openpace}" in
+ no)
+ have_openpace="no"
+ ;;
+ detect)
+ if test "${have_openpace}" = "yes"; then
+ enable_openpace="yes"
+ else
+ enable_openpace="no"
+ fi
+ ;;
+esac
+
+if test "${enable_openpace}" = "yes"; then
+ if test "${have_openpace}" = "yes"; then
+ AC_DEFINE([ENABLE_OPENPACE], [1], [Use OpenPACE libraries and header files])
+ else
+ AC_MSG_ERROR([OpenPACE linkage required, but no OpenPACE was found])
+ fi
+else
+ OPENPACE_CFLAGS=""
+ OPENPACE_LIBS=""
+fi
+
+
+
if test "${enable_sm}" = "yes"; then
AC_DEFINE([ENABLE_SM], [1], [Enable secure messaging support])
@@ -672,6 +761,13 @@ if test "${enable_man}" = "yes" -o "${enable_doc}" = "yes"; then
AC_MSG_RESULT([ok])
fi
+AC_ARG_VAR([HELP2MAN],
+ [absolute path to help2man used for man page generation of npa-tool])
+AC_PATH_PROG(HELP2MAN, help2man, not found)
+AC_ARG_VAR([GENGETOPT],
+ [absolute path to gengetopt used for command line parsing of npa-tool])
+AC_PATH_PROG(GENGETOPT, gengetopt, not found)
+
OPENSC_FEATURES=""
if test "${enable_thread_locking}" = "yes"; then
OPENSC_FEATURES="${OPENSC_FEATURES} locking"
@@ -770,6 +866,7 @@ AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"])
AM_CONDITIONAL([ENABLE_SM], [test "${enable_sm}" = "yes"])
AM_CONDITIONAL([ENABLE_DNIE_UI], [test "${enable_dnie_ui}" = "yes"])
+AM_CONDITIONAL([ENABLE_NPATOOL], [test "${ENABLE_NPATOOL}" = "yes"])
AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
if test "${enable_pedantic}" = "yes"; then
@@ -796,7 +893,7 @@ AC_CONFIG_FILES([
src/Makefile
src/common/Makefile
src/libopensc/Makefile
- src/libsm/Makefile
+ src/sm/Makefile
src/pkcs11/Makefile
src/pkcs11/versioninfo-pkcs11.rc
src/pkcs11/versioninfo-pkcs11-spy.rc
@@ -877,6 +974,8 @@ ZLIB_CFLAGS: ${ZLIB_CFLAGS}
ZLIB_LIBS: ${ZLIB_LIBS}
OPENSSL_CFLAGS: ${OPENSSL_CFLAGS}
OPENSSL_LIBS: ${OPENSSL_LIBS}
+OPENPACE_CFLAGS: ${OPENPACE_CFLAGS}
+OPENPACE_LIBS: ${OPENPACE_LIBS}
OPENCT_CFLAGS: ${OPENCT_CFLAGS}
OPENCT_LIBS: ${OPENCT_LIBS}
PCSC_CFLAGS: ${PCSC_CFLAGS}
diff --git a/etc/opensc.conf.in b/etc/opensc.conf.in
index b033840..bf74b63 100644
--- a/etc/opensc.conf.in
+++ b/etc/opensc.conf.in
@@ -133,7 +133,7 @@ app default {
# Default: internal
# NOTE: When "internal" keyword is used, must be last entry
#
- # card_drivers = customcos, internal;
+ card_drivers = npa, internal;
# Card driver configuration blocks.
@@ -145,6 +145,32 @@ app default {
# module = @LIBDIR@@LIB_PRE at card_customcos@DYN_LIB_EXT@;
# }
+ card_driver npa {
+ # The location of the driver library
+ module = @LIBDIR@@LIB_PRE at cardnpa@DYN_LIB_EXT@;
+
+ # German ID card requires the CAN to be verified before QES PIN. This,
+ # however, is not part of the PKCS#15 profile of the card. So for
+ # verifying the QES PIN we actually need both. The CAN may be given
+ # here. If the CAN is not given here, it will be prompted on the
+ # command line or on the reader (depending on the reader's
+ # capabilities).
+ #
+ #can = 222222;
+
+ # QES is only possible with a Comfort Reader (CAT-K), which holds a
+ # cryptographic key to authenticate itself as signature terminal (ST).
+ # We usually will use the reader's capability to sign the data.
+ # However, during developement you may specify soft certificates and
+ # keys for a ST below.
+ # The following example EAC PKI can be found in vicc's example data:
+ # https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data
+ #
+ #st_dv_certificate = ZZSTDVCA00001.cvcert;
+ #st_certificate = ZZSTTERM00001.cvcert;
+ #st_key = ZZSTTERM00001.pkcs8;
+ }
+
# Force using specific card driver
#
# If this option is present, OpenSC will use the supplied
diff --git a/src/Makefile.am b/src/Makefile.am
index 880a456..ab1dd1a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -2,9 +2,9 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
EXTRA_DIST = Makefile.mak
# Order IS important
-SUBDIRS = common scconf pkcs15init libopensc pkcs11 \
- tools tests minidriver
+SUBDIRS = common scconf pkcs15init sm \
+ libopensc pkcs11 tools tests minidriver
if ENABLE_SM
-SUBDIRS += libsm smm
+SUBDIRS += smm
endif
diff --git a/src/Makefile.mak b/src/Makefile.mak
index 5ad1fe1..52be922 100644
--- a/src/Makefile.mak
+++ b/src/Makefile.mak
@@ -1,6 +1,7 @@
TOPDIR = ..
-SUBDIRS = common scconf libsm pkcs15init libopensc pkcs11 tools tests
+SUBDIRS = common scconf sm pkcs15init \
+ libopensc pkcs11 tools tests
default: all
diff --git a/src/libopensc/Makefile.am b/src/libopensc/Makefile.am
index 4f39f65..d836636 100644
--- a/src/libopensc/Makefile.am
+++ b/src/libopensc/Makefile.am
@@ -4,7 +4,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
EXTRA_DIST = Makefile.mak
-lib_LTLIBRARIES = libopensc.la
+lib_LTLIBRARIES = libopensc.la libcardnpa.la
noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem.h \
internal-winscard.h p15card-helper.h pkcs15-syn.h \
opensc.h pkcs15.h \
@@ -12,7 +12,7 @@ noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem.
errors.h types.h compression.h itacns.h iso7816.h \
authentic.h iasecc.h iasecc-sdo.h sm.h card-sc-hsm.h \
pace.h cwa14890.h cwa-dnie.h card-gids.h aux-data.h \
- jpki.h sc-ossl-compat.h
+ jpki.h sc-ossl-compat.h card-npa.h
AM_CPPFLAGS = -DOPENSC_CONF_PATH=\"$(sysconfdir)/opensc.conf\" \
-I$(top_srcdir)/src
@@ -63,6 +63,7 @@ libopensc_la_LIBADD = $(OPTIONAL_OPENSSL_LIBS) $(OPTIONAL_OPENCT_LIBS) \
$(top_builddir)/src/pkcs15init/libpkcs15init.la \
$(top_builddir)/src/scconf/libscconf.la \
$(top_builddir)/src/common/libscdl.la \
+ $(top_builddir)/src/sm/libsmeac.la \
$(top_builddir)/src/common/libcompat.la
if WIN32
libopensc_la_LIBADD += -lws2_32
@@ -72,6 +73,16 @@ libopensc_la_LDFLAGS = $(AM_LDFLAGS) \
-export-symbols "$(srcdir)/libopensc.exports" \
-no-undefined
+libcardnpa_la_SOURCES = card-npa.c cardnpa.exports
+libcardnpa_la_LIBADD = $(OPENPACE_LIBS) \
+ $(top_builddir)/src/common/libcompat.la \
+ libopensc.la
+libcardnpa_la_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS)
+libcardnpa_la_LDFLAGS = $(AM_LDFLAGS) \
+ -version-info @OPENSC_LT_CURRENT@:@OPENSC_LT_REVISION@:@OPENSC_LT_AGE@ \
+ -export-symbols "$(srcdir)/cardnpa.exports" \
+ -no-undefined
+
if WIN32
# def file required for MS users to build library
mylibdir=$(libdir)
diff --git a/src/libopensc/Makefile.mak b/src/libopensc/Makefile.mak
index e369ec6..1a3eb2a 100644
--- a/src/libopensc/Makefile.mak
+++ b/src/libopensc/Makefile.mak
@@ -40,9 +40,13 @@ OBJECTS = \
LIBS = $(TOPDIR)\src\scconf\scconf.lib \
$(TOPDIR)\src\common\common.lib \
$(TOPDIR)\src\common\libscdl.lib \
+ $(TOPDIR)\src\sm\libsmeac.lib \
$(TOPDIR)\src\pkcs15init\pkcs15init.lib
-all: $(TOPDIR)\win32\versioninfo.res $(TARGET)
+TARGET1 = cardnpa.dll
+OBJECTS1 = card-npa.obj
+
+all: $(TOPDIR)\win32\versioninfo.res $(TARGET) $(TARGET1)
!INCLUDE $(TOPDIR)\win32\Make.rules.mak
@@ -55,3 +59,10 @@ opensc.dll: $(OBJECTS) $(LIBS)
opensc_a.lib: $(OBJECTS) $(LIBS)
lib $(LIBFLAGS) /out:opensc_a.lib $(OBJECTS) $(LIBS) $(OPENSSL_LIB) $(ZLIB_LIB) user32.lib advapi32.lib ws2_32.lib
+
+$(TARGET1): $(OBJECTS1) opensc_a.lib
+ echo LIBRARY $* > $*.def
+ echo EXPORTS >> $*.def
+ type $*.exports >> $*.def
+ link /dll $(LINKFLAGS) /def:$*.def /implib:$*.lib /out:$(TARGET1) $(OBJECTS1) opensc_a.lib $(ZLIB_LIB) $(OPENPACE_LIB) $(OPENSSL_LIB) ws2_32.lib gdi32.lib advapi32.lib Crypt32.lib User32.lib
+ if EXIST $(TARGET).manifest mt -manifest $(TARGET1).manifest -outputresource:$(TARGET1);2
diff --git a/src/libopensc/card-npa.c b/src/libopensc/card-npa.c
new file mode 100644
index 0000000..b39a487
--- /dev/null
+++ b/src/libopensc/card-npa.c
@@ -0,0 +1,724 @@
+/*
+ * card-npa.c: Recognize known German identity cards
+ *
+ * Copyright (C) 2011-2015 Frank Morgner <frankmorgner at gmail.com>
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "card-npa.h"
+#include "libopensc/internal.h"
+#include "libopensc/opensc.h"
+#include "libopensc/pace.h"
+#include "libopensc/sm.h"
+#include "sm/sm-eac.h"
+#include <string.h>
+
+#include "../tools/fread_to_eof.c"
+
+struct npa_drv_data {
+ const char *can;
+ unsigned char *st_dv_certificate;
+ size_t st_dv_certificate_len;
+ unsigned char *st_certificate;
+ size_t st_certificate_len;
+ unsigned char *st_key;
+ size_t st_key_len;
+ unsigned char *ef_cardaccess;
+ size_t ef_cardaccess_length;
+ unsigned char *ef_cardsecurity;
+ size_t ef_cardsecurity_length;
+};
+
+static struct npa_drv_data *npa_drv_data_create(void)
+{
+ struct npa_drv_data *drv_data = calloc(1, sizeof *drv_data);
+ return drv_data;
+}
+
+static void npa_drv_data_free(struct npa_drv_data *drv_data)
+{
+ if (drv_data) {
+ free(drv_data->ef_cardaccess);
+ free(drv_data->ef_cardsecurity);
+ free(drv_data->st_certificate);
+ free(drv_data->st_dv_certificate);
+ free(drv_data->st_key);
+ free(drv_data);
+ }
+}
+
+static struct sc_atr_table npa_atrs[] = {
+ {"3B:8A:80:01:80:31:F8:73:F7:41:E0:82:90:00:75",
+ "FF:FF:FF:FF:FF:FF:00:FF:00:00:FF:FF:FF:FF:00",
+ "German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
+ {"3B:88:80:01:00:00:00:00:00:00:00:00:09", NULL,
+ "German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
+ {"3B:87:80:01:80:31:B8:73:84:01:E0:19", NULL,
+ "German ID card (neuer Personalausweis, nPA)", SC_CARD_TYPE_NPA, 0, NULL},
+ {"3B:84:80:01:00:00:90:00:95", NULL,
+ "German ID card (Test neuer Personalausweis)", SC_CARD_TYPE_NPA_TEST, 0, NULL},
+ {"3B:88:80:01:00:E1:F3:5E:13:77:83:00:00",
+ "FF:FF:FF:FF:00:FF:FF:FF:FF:FF:FF:FF:00",
+ "German ID card (Test Online-Ausweisfunktion)", SC_CARD_TYPE_NPA_ONLINE, 0, NULL},
+ {NULL, NULL, NULL, 0, 0, NULL}
+};
+
+static struct sc_card_operations npa_ops;
+static struct sc_card_driver npa_drv = {
+ "German ID card (neuer Personalausweis, nPA)",
+ "npa",
+ &npa_ops,
+ NULL, 0, NULL
+};
+
+static int npa_load_options(sc_context_t *ctx, struct npa_drv_data *drv_data)
+{
+ int r;
+ size_t i, j;
+ scconf_block **found_blocks, *block;
+ const char *file;
+
+ if (!ctx || !drv_data) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ for (i = 0; ctx->conf_blocks[i]; i++) {
+ found_blocks = scconf_find_blocks(ctx->conf, ctx->conf_blocks[i],
+ "card_driver", "npa");
+ if (!found_blocks)
+ continue;
+
+ for (j = 0, block = found_blocks[j]; block; j++, block = found_blocks[j]) {
+ if (!drv_data->can)
+ drv_data->can = scconf_get_str(block, "can", NULL);
+
+ if (!drv_data->st_dv_certificate
+ || !drv_data->st_dv_certificate_len) {
+ file = scconf_get_str(block, "st_dv_certificate", NULL);
+ if (!fread_to_eof(file,
+ (unsigned char **) &drv_data->st_dv_certificate,
+ &drv_data->st_dv_certificate_len))
+ sc_log(ctx, "Waring: Could not read %s.\n", file);
+ }
+
+ if (!drv_data->st_certificate
+ || !drv_data->st_certificate_len) {
+ file = scconf_get_str(block, "st_certificate", NULL);
+ if (!fread_to_eof(file,
+ (unsigned char **) &drv_data->st_certificate,
+ &drv_data->st_certificate_len))
+ sc_log(ctx, "Waring: Could not read %s.\n", file);
+ }
+
+ if (!drv_data->st_key
+ || !drv_data->st_key_len) {
+ file = scconf_get_str(block, "st_key", NULL);
+ if (!fread_to_eof(file,
+ (unsigned char **) &drv_data->st_key,
+ &drv_data->st_key_len))
+ sc_log(ctx, "Waring: Could not read %s.\n", file);
+ }
+ }
+
+ free(found_blocks);
+ }
+ r = SC_SUCCESS;
+
+err:
+ return r;
+}
+
+static int npa_match_card(sc_card_t * card)
+{
+ if (_sc_match_atr(card, npa_atrs, &card->type) < 0)
+ return 0;
+ return 1;
+}
+
+static void npa_get_cached_pace_params(sc_card_t *card,
+ struct establish_pace_channel_input *pace_input,
+ struct establish_pace_channel_output *pace_output)
+{
+ struct npa_drv_data *drv_data;
+
+ if (card->drv_data) {
+ drv_data = card->drv_data;
+
+ if (pace_output) {
+ pace_output->ef_cardaccess = drv_data->ef_cardaccess;
+ pace_output->ef_cardaccess_length = drv_data->ef_cardaccess_length;
+ }
+
+ if (pace_input && pace_input->pin_id == PACE_PIN_ID_CAN) {
+ pace_input->pin = (const unsigned char *) drv_data->can;
+ pace_input->pin_length = drv_data->can ? strlen(drv_data->can) : 0;
+ }
+ }
+}
+
+static void npa_get_cached_ta_params(sc_card_t *card,
+ const unsigned char *certs[2], size_t certs_lens[2],
+ const unsigned char **st_key, size_t *st_key_len)
+{
+ struct npa_drv_data *drv_data;
+ size_t i;
+
+ if (card->drv_data) {
+ drv_data = card->drv_data;
+
+ if (certs && certs_lens) {
+ i = 0;
+ if (drv_data->st_dv_certificate) {
+ certs[i] = drv_data->st_dv_certificate;
+ certs_lens[i] = drv_data->st_dv_certificate_len;
+ i++;
+ }
+ if (drv_data->st_certificate) {
+ certs[i] = drv_data->st_certificate;
+ certs_lens[i] = drv_data->st_certificate_len;
+ }
+ }
+ if (st_key && st_key_len) {
+ *st_key = drv_data->st_key;
+ *st_key_len = drv_data->st_key_len;
+ }
+ }
+}
+
+static void npa_get_cached_ca_params(sc_card_t *card,
+ unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_length)
+{
+ struct npa_drv_data *drv_data;
+
+ if (card->drv_data) {
+ drv_data = card->drv_data;
+
+ if (ef_cardsecurity && ef_cardsecurity_length) {
+ *ef_cardsecurity = drv_data->ef_cardsecurity;
+ *ef_cardsecurity_length = drv_data->ef_cardsecurity_length;
+ }
+ }
+}
+
+static void npa_cache_or_free(sc_card_t *card,
+ unsigned char **ef_cardaccess, size_t *ef_cardaccess_length,
+ unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_length)
+{
+ struct npa_drv_data *drv_data;
+
+ if (card && card->drv_data) {
+ drv_data = card->drv_data;
+
+ if (ef_cardaccess && ef_cardaccess_length
+ && *ef_cardaccess && *ef_cardaccess_length) {
+ drv_data->ef_cardaccess = *ef_cardaccess;
+ drv_data->ef_cardaccess_length = *ef_cardaccess_length;
+ *ef_cardaccess = NULL;
+ *ef_cardaccess_length = 0;
+ }
+ if (ef_cardsecurity && ef_cardsecurity_length
+ && *ef_cardsecurity && *ef_cardsecurity_length) {
+ drv_data->ef_cardsecurity = *ef_cardsecurity;
+ drv_data->ef_cardsecurity_length = *ef_cardsecurity_length;
+ *ef_cardsecurity = NULL;
+ *ef_cardsecurity_length = 0;
+ }
+ } else {
+ if (ef_cardaccess && ef_cardaccess_length) {
+ free(*ef_cardaccess);
+ *ef_cardaccess = NULL;
+ *ef_cardaccess_length = 0;
+ }
+ if (ef_cardsecurity && ef_cardsecurity_length) {
+ free(*ef_cardsecurity);
+ *ef_cardsecurity = NULL;
+ *ef_cardsecurity_length = 0;
+ }
+ }
+}
+
+static int npa_unlock_esign(sc_card_t *card)
+{
+ int r = SC_ERROR_INTERNAL;
+ struct establish_pace_channel_input pace_input;
+ struct establish_pace_channel_output pace_output;
+ const unsigned char *certs[] = { NULL, NULL };
+ size_t certs_lens[] = { 0, 0};
+ const unsigned char *st_key = NULL;
+ size_t st_key_len = 0;
+ unsigned char *ef_cardsecurity = NULL;
+ size_t ef_cardsecurity_len = 0;
+ memset(&pace_input, 0, sizeof pace_input);
+ memset(&pace_output, 0, sizeof pace_output);
+
+ if (!card) {
+ r = SC_ERROR_INVALID_CARD;
+ goto err;
+ }
+
+ sc_log(card->ctx, "Will verify CAN first for unlocking eSign application.\n");
+ pace_input.chat = esign_chat;
+ pace_input.chat_length = sizeof esign_chat;
+ pace_input.pin_id = PACE_PIN_ID_CAN;
+ npa_get_cached_pace_params(card, &pace_input, &pace_output);
+ npa_get_cached_ta_params(card, certs, certs_lens, &st_key, &st_key_len);
+ npa_get_cached_ca_params(card, &ef_cardsecurity, &ef_cardsecurity_len);
+
+ if (!(card->reader && (card->reader->capabilities & SC_READER_CAP_PACE_ESIGN))
+ && (!st_key || !st_key_len)) {
+ sc_log(card->ctx, "QES requires a comfort reader (CAT-K) or a ST certificate.\n");
+ r = SC_ERROR_NOT_SUPPORTED;
+ goto err;
+ }
+
+ /* FIXME set flags with opensc.conf */
+ npa_default_flags |= NPA_FLAG_DISABLE_CHECK_ALL;
+ npa_default_flags |= NPA_FLAG_DISABLE_CHECK_TA;
+ npa_default_flags |= NPA_FLAG_DISABLE_CHECK_CA;
+
+ /* FIXME show an alert to the user if can == NULL */
+ r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
+ if (SC_SUCCESS != r) {
+ sc_log(card->ctx, "Error verifying CAN.\n");
+ goto err;
+ }
+
+ if (card->reader->capabilities & SC_READER_CAP_PACE_ESIGN) {
+ sc_log(card->ctx, "Proved Access rights to eSign application with comfort reader (CAT-K).\n");
+ } else {
+ r = perform_terminal_authentication(card, certs, certs_lens, st_key,
+ st_key_len, NULL, 0);
+ if (r != SC_SUCCESS) {
+ sc_log(card->ctx, "Error authenticating as signature terminal.\n");
+ goto err;
+ }
+ r = perform_chip_authentication(card, &ef_cardsecurity, &ef_cardsecurity_len);
+ if ( SC_SUCCESS != r) {
+ sc_log(card->ctx, "Error verifying the chips authenticy.\n");
+ }
+
+ sc_log(card->ctx, "Proved Access rights to eSign application with configured key as ST.\n");
+ }
+
+err:
+ npa_cache_or_free(card, &pace_output.ef_cardaccess,
+ &pace_output.ef_cardaccess_length,
+ &ef_cardsecurity, &ef_cardsecurity_len);
+ free(pace_output.recent_car);
+ free(pace_output.previous_car);
+ free(pace_output.id_icc);
+ free(pace_output.id_pcd);
+
+ return r;
+}
+
+static int npa_init(sc_card_t * card)
+{
+ int flags = SC_ALGORITHM_ECDSA_RAW;
+ int ext_flags = 0;
+ int r;
+
+ if (!card) {
+ r = SC_ERROR_INVALID_CARD;
+ goto err;
+ }
+
+ card->caps |= SC_CARD_CAP_APDU_EXT | SC_CARD_CAP_RNG;
+ /* 1520 bytes is the minimum lenght of the communication buffer in all
+ * Chip/OS variants */
+ card->max_recv_size = 1520;
+ card->max_send_size = 1520;
+#ifdef ENABLE_SM
+ memset(&card->sm_ctx, 0, sizeof card->sm_ctx);
+#endif
+
+ r = _sc_card_add_ec_alg(card, 192, flags, ext_flags, NULL);
+ if (r != SC_SUCCESS)
+ goto err;
+ r = _sc_card_add_ec_alg(card, 224, flags, ext_flags, NULL);
+ if (r != SC_SUCCESS)
+ goto err;
+ r = _sc_card_add_ec_alg(card, 256, flags, ext_flags, NULL);
+ if (r != SC_SUCCESS)
+ goto err;
+ /* nPA does not encode the proprietary fieldSize in PrivateECKeyAttributes,
+ * which leaves it at 0 for OpenSC, so we need to add 0x00 as supported
+ * field_length */
+ r = _sc_card_add_ec_alg(card, 0, flags, ext_flags, NULL);
+ if (r != SC_SUCCESS)
+ goto err;
+
+#ifdef ENABLE_OPENPACE
+ EAC_init();
+#endif
+ card->drv_data = npa_drv_data_create();
+ r = npa_load_options(card->ctx, card->drv_data);
+ if (r != SC_SUCCESS)
+ goto err;
+
+ /* unlock the eSign application for reading the certificates
+ * by the PKCS#15 layer (i.e. sc_pkcs15_bind_internal) */
+ if (SC_SUCCESS != npa_unlock_esign(card))
+ sc_log(card->ctx, "Propably not all functionality will be available.\n");
+
+err:
+ return r;
+}
+
+static int npa_finish(sc_card_t * card)
+{
+ sc_sm_stop(card);
+ npa_drv_data_free(card->drv_data);
+ card->drv_data = NULL;
+#ifdef ENABLE_OPENPACE
+ EAC_cleanup();
+#endif
+
+ return SC_SUCCESS;
+}
+
+static int npa_set_security_env(struct sc_card *card,
+ const struct sc_security_env *env, int se_num)
+{
+ int r;
+ struct sc_card_driver *iso_drv;
+ struct sc_security_env fixed_env;
+
+ iso_drv = sc_get_iso7816_driver();
+
+ if (!env || !iso_drv || !iso_drv->ops || !iso_drv->ops->set_security_env) {
+ r = SC_ERROR_INTERNAL;
+ } else {
+ memcpy(&fixed_env, env, sizeof fixed_env);
+ if (env->operation == SC_SEC_OPERATION_SIGN) {
+ /* The pkcs#15 layer assumes that the field_size of the private key
+ * object is correctly initialized and wants to include it as
+ * algorithm reference. We disable it here */
+ fixed_env.flags &= ~SC_SEC_ENV_ALG_REF_PRESENT;
+ }
+ r = iso_drv->ops->set_security_env(card, &fixed_env, se_num);
+ }
+
+ return r;
+}
+
+static int npa_pin_cmd_get_info(struct sc_card *card,
+ struct sc_pin_cmd_data *data, int *tries_left)
+{
+ int r;
+ u8 pin_reference;
+
+ if (!data || data->pin_type != SC_AC_CHV || !tries_left) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ pin_reference = data->pin_reference;
+ switch (data->pin_reference) {
+ case PACE_PIN_ID_CAN:
+ case PACE_PIN_ID_MRZ:
+ /* usually unlimited number of retries */
+ *tries_left = -1;
+ data->pin1.max_tries = -1;
+ data->pin1.tries_left = -1;
+ r = SC_SUCCESS;
+ break;
+
+ case PACE_PIN_ID_PUK:
+ /* usually 10 tries */
+ *tries_left = 10;
+ data->pin1.max_tries = 10;
+ r = npa_pace_get_tries_left(card,
+ pin_reference, tries_left);
+ data->pin1.tries_left = *tries_left;
+ break;
+
+ case PACE_PIN_ID_PIN:
+ /* usually 3 tries */
+ *tries_left = 3;
+ data->pin1.max_tries = 3;
+ r = npa_pace_get_tries_left(card,
+ pin_reference, tries_left);
+ data->pin1.tries_left = *tries_left;
+ break;
+
+ default:
+ r = SC_ERROR_OBJECT_NOT_FOUND;
+ goto err;
+ }
+
+err:
+ return r;
+}
+
+static int npa_pace_verify(struct sc_card *card,
+ unsigned char pin_reference, struct sc_pin_cmd_pin *pin,
+ const unsigned char *chat, size_t chat_length, int *tries_left)
+{
+ int r;
+ struct establish_pace_channel_input pace_input;
+ struct establish_pace_channel_output pace_output;
+
+ memset(&pace_input, 0, sizeof pace_input);
+ memset(&pace_output, 0, sizeof pace_output);
+ if (chat) {
+ pace_input.chat = chat;
+ pace_input.chat_length = chat_length;
+ }
+ pace_input.pin_id = pin_reference;
+ if (pin) {
+ pace_input.pin = pin->data;
+ pace_input.pin_length = pin->len;
+ }
+ npa_get_cached_pace_params(card, &pace_input, &pace_output);
+
+ r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
+
+ if (tries_left) {
+ if (pace_output.mse_set_at_sw1 == 0x63
+ && (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0) {
+ *tries_left = pace_output.mse_set_at_sw2 & 0x0f;
+ } else {
+ *tries_left = -1;
+ }
+ }
+
+ /* resume the PIN if needed */
+ if (pin_reference == PACE_PIN_ID_PIN
+ && r != SC_SUCCESS
+ && pace_output.mse_set_at_sw1 == 0x63
+ && (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0
+ && (pace_output.mse_set_at_sw2 & 0x0f) <= UC_PIN_SUSPENDED) {
+ /* TODO ask for user consent when automatically resuming the PIN */
+ sc_log(card->ctx, "%s is suspended. Will try to resume it with %s.\n",
+ npa_secret_name(pin_reference), npa_secret_name(PACE_PIN_ID_CAN));
+
+ pace_input.pin_id = PACE_PIN_ID_CAN;
+ pace_input.pin = NULL;
+ pace_input.pin_length = 0;
+
+ r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
+
+ if (r == SC_SUCCESS) {
+ pace_input.pin_id = pin_reference;
+ if (pin) {
+ pace_input.pin = pin->data;
+ pace_input.pin_length = pin->len;
+ }
+
+ r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
+
+ if (r == SC_SUCCESS) {
+ sc_log(card->ctx, "%s resumed.\n");
+ if (tries_left) {
+ *tries_left = MAX_PIN_TRIES;
+ }
+ } else {
+ if (tries_left) {
+ if (pace_output.mse_set_at_sw1 == 0x63
+ && (pace_output.mse_set_at_sw2 & 0xc0) == 0xc0) {
+ *tries_left = pace_output.mse_set_at_sw2 & 0x0f;
+ } else {
+ *tries_left = -1;
+ }
+ }
+ }
+ }
+ }
+
+ if (pin_reference == PACE_PIN_ID_PIN && tries_left) {
+ if (*tries_left == 0) {
+ sc_log(card->ctx, "%s is suspended and must be resumed.\n",
+ npa_secret_name(pin_reference));
+ } else if (*tries_left == 1) {
+ sc_log(card->ctx, "%s is blocked and must be unblocked.\n",
+ npa_secret_name(pin_reference));
+ }
+ }
+
+ npa_cache_or_free(card, &pace_output.ef_cardaccess,
+ &pace_output.ef_cardaccess_length, NULL, NULL);
+ free(pace_output.recent_car);
+ free(pace_output.previous_car);
+ free(pace_output.id_icc);
+ free(pace_output.id_pcd);
+
+ return r;
+}
+
+static int npa_standard_pin_cmd(struct sc_card *card,
+ struct sc_pin_cmd_data *data, int *tries_left)
+{
+ int r;
+ struct sc_card_driver *iso_drv;
+
+ iso_drv = sc_get_iso7816_driver();
+
+ if (!iso_drv || !iso_drv->ops || !iso_drv->ops->pin_cmd) {
+ r = SC_ERROR_INTERNAL;
+ } else {
+ r = iso_drv->ops->pin_cmd(card, data, tries_left);
+ }
+
+ return r;
+}
+
+static int npa_pin_cmd(struct sc_card *card,
+ struct sc_pin_cmd_data *data, int *tries_left)
+{
+ int r;
+
+ if (!data) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ if (data->pin_type != SC_AC_CHV) {
+ r = SC_ERROR_NOT_SUPPORTED;
+ goto err;
+ }
+
+ switch (data->cmd) {
+ case SC_PIN_CMD_GET_INFO:
+ r = npa_pin_cmd_get_info(card, data, tries_left);
+ if (r != SC_SUCCESS)
+ goto err;
+ break;
+
+ case SC_PIN_CMD_UNBLOCK:
+#ifdef ENABLE_SM
+ /* opensc-explorer unblocks the PIN by only sending
+ * SC_PIN_CMD_UNBLOCK whereas the PKCS#15 framework first verifies
+ * the PUK with SC_PIN_CMD_VERIFY and then calls with
+ * SC_PIN_CMD_UNBLOCK.
+ *
+ * Here we determine whether the PUK has been verified or not by
+ * checking if an SM channel has been established. */
+ if (card->sm_ctx.sm_mode != SM_MODE_TRANSMIT) {
+ /* PUK has not yet been verified */
+ r = npa_pace_verify(card, PACE_PIN_ID_PUK, &(data->pin1), NULL,
+ 0, NULL);
+ if (r != SC_SUCCESS)
+ goto err;
+ }
+#endif
+ r = npa_reset_retry_counter(card, data->pin_reference, 0,
+ NULL, 0);
+ if (r != SC_SUCCESS)
+ goto err;
+ break;
+
+ case SC_PIN_CMD_CHANGE:
+ case SC_PIN_CMD_VERIFY:
+ switch (data->pin_reference) {
+ case PACE_PIN_ID_CAN:
+ case PACE_PIN_ID_PUK:
+ case PACE_PIN_ID_MRZ:
+ case PACE_PIN_ID_PIN:
+ r = npa_pace_verify(card, data->pin_reference,
+ &(data->pin1), NULL, 0, tries_left);
+ if (r != SC_SUCCESS)
+ goto err;
+ break;
+
+ default:
+ /* assuming QES PIN */
+
+ /* We assume that the eSign application has already been
+ * unlocked, see npa_init().
+ *
+ * Now, verify the QES PIN. */
+ r = npa_standard_pin_cmd(card, data, tries_left);
+ if (r != SC_SUCCESS)
+ goto err;
+ break;
+ }
+
+ if (data->cmd == SC_PIN_CMD_CHANGE) {
+ r = npa_reset_retry_counter(card, data->pin_reference, 1,
+ (const char *) data->pin2.data, data->pin2.len);
+ if (r != SC_SUCCESS)
+ goto err;
+ }
+ break;
+
+ default:
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ break;
+
+ }
+
+err:
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+}
+
+static int npa_logout(sc_card_t *card)
+{
+ struct sc_apdu apdu;
+
+ sc_sm_stop(card);
+
+ if (card->reader->capabilities & SC_READER_CAP_PACE_GENERIC) {
+ /* If PACE is done between reader and card, SM is transparent to us as
+ * it ends at the reader. With CLA=0x0C we provoque a SM error to
+ * disable SM on the reader. */
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0xA4, 0x00, 0x00);
+ apdu.cla = 0x0C;
+ sc_transmit_apdu(card, &apdu);
+ /* ignore result */
+ }
+ return sc_select_file(card, sc_get_mf_path(), NULL);
+}
+
+static struct sc_card_driver *npa_get_driver(void)
+{
+ struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
+
+ npa_ops = *iso_drv->ops;
+ npa_ops.match_card = npa_match_card;
+ npa_ops.init = npa_init;
+ npa_ops.finish = npa_finish;
+ npa_ops.set_security_env = npa_set_security_env;
+ npa_ops.pin_cmd = npa_pin_cmd;
+ npa_ops.logout = npa_logout;
+
+ return &npa_drv;
+}
+
+void *sc_module_init(const char *name)
+{
+ const char npa_name[] = "npa";
+ if (name) {
+ if (strcmp(npa_name, name) == 0)
+ return npa_get_driver;
+ }
+ return NULL;
+}
+
+const char *sc_driver_version(void)
+{
+ /* Tested with OpenSC 0.12 and 0.13.0, which can't be captured by checking
+ * our version info against OpenSC's PACKAGE_VERSION. For this reason we
+ * tell OpenSC that everything is fine, here. */
+ return sc_get_version();
+}
diff --git a/src/libopensc/card-npa.h b/src/libopensc/card-npa.h
new file mode 100644
index 0000000..8cb482e
--- /dev/null
+++ b/src/libopensc/card-npa.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014-2015 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _CARD_NPA_H
+#define _CARD_NPA_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "libopensc/opensc.h"
+
+enum {
+ SC_CARD_TYPE_NPA = 42000,
+ SC_CARD_TYPE_NPA_TEST,
+ SC_CARD_TYPE_NPA_ONLINE,
+};
+
+const unsigned char esign_chat[] = {
+ 0x7F, 0x4C, 0x0E,
+ 0x06, 0x09, 0x04, 0x00, 0x7F, 0x00, 0x07, 0x03, 0x01, 0x02, 0x03,
+ 0x53, 0x01, 0x03,
+};
+
+static const unsigned char df_esign_aid[] = { 0xa0, 0x00, 0x00, 0x01, 0x67, 0x45, 0x53, 0x49, 0x47, 0x4e};
+static const unsigned char df_esign_path[] = { 0x3f, 0x00, 0x50, 0x15, 0x1f, 0xff};
+static const unsigned char ef_cardaccess_path[] = { 0x3f, 0x00, 0x01, 0x1c};
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/src/libopensc/cardnpa.exports b/src/libopensc/cardnpa.exports
new file mode 100644
index 0000000..52cec04
--- /dev/null
+++ b/src/libopensc/cardnpa.exports
@@ -0,0 +1,2 @@
+sc_driver_version
+sc_module_init
diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
index 296cf69..7de3c1a 100644
--- a/src/libopensc/iso7816.c
+++ b/src/libopensc/iso7816.c
@@ -28,6 +28,7 @@
#include "internal.h"
#include "asn1.h"
#include "iso7816.h"
+#include "sm/sm-iso.h"
static void fixup_transceive_length(const struct sc_card *card,
@@ -1247,3 +1248,137 @@ struct sc_card_driver * sc_get_iso7816_driver(void)
{
return &iso_driver;
}
+
+#define ISO_READ_BINARY 0xB0
+#define ISO_P1_FLAG_SFID 0x80
+int iso7816_read_binary_sfid(sc_card_t *card, unsigned char sfid,
+ u8 **ef, size_t *ef_len)
+{
+ int r;
+ size_t read = MAX_SM_APDU_RESP_SIZE;
+ sc_apdu_t apdu;
+ u8 *p;
+
+ if (!card || !ef || !ef_len) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ *ef_len = 0;
+
+ if (read > 0xff+1)
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_EXT,
+ ISO_READ_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
+ else
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT,
+ ISO_READ_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
+
+ p = realloc(*ef, read);
+ if (!p) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ *ef = p;
+ apdu.resp = *ef;
+ apdu.resplen = read;
+ apdu.le = read;
+
+ r = sc_transmit_apdu(card, &apdu);
+ /* emulate the behaviour of sc_read_binary */
+ if (r >= 0)
+ r = apdu.resplen;
+
+ while(1) {
+ if (r >= 0 && ((size_t) r) != read) {
+ *ef_len += r;
+ break;
+ }
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not read EF.");
+ goto err;
+ }
+ *ef_len += r;
+
+ p = realloc(*ef, *ef_len + read);
+ if (!p) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ *ef = p;
+
+ r = sc_read_binary(card, *ef_len,
+ *ef + *ef_len, read, 0);
+ }
+
+ r = SC_SUCCESS;
+
+err:
+ return r;
+}
+
+#define ISO_WRITE_BINARY 0xD0
+int iso7816_write_binary_sfid(sc_card_t *card, unsigned char sfid,
+ u8 *ef, size_t ef_len)
+{
+ int r;
+ size_t write = MAX_SM_APDU_DATA_SIZE, wrote = 0;
+ sc_apdu_t apdu;
+#ifdef ENABLE_SM
+ struct iso_sm_ctx *iso_sm_ctx;
+#endif
+
+ if (!card) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+#ifdef ENABLE_SM
+ iso_sm_ctx = card->sm_ctx.info.cmd_data;
+ if (write > SC_MAX_APDU_BUFFER_SIZE-2
+ || (card->sm_ctx.sm_mode == SM_MODE_TRANSMIT
+ && write > (((SC_MAX_APDU_BUFFER_SIZE-2
+ /* for encrypted APDUs we usually get authenticated status
+ * bytes (4B), a MAC (11B) and a cryptogram with padding
+ * indicator (3B without data). The cryptogram is always
+ * padded to the block size. */
+ -18) / iso_sm_ctx->block_length)
+ * iso_sm_ctx->block_length - 1)))
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_EXT,
+ ISO_WRITE_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
+ else
+#endif
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT,
+ ISO_WRITE_BINARY, ISO_P1_FLAG_SFID|sfid, 0);
+
+ if (write > ef_len) {
+ apdu.datalen = ef_len;
+ apdu.lc = ef_len;
+ } else {
+ apdu.datalen = write;
+ apdu.lc = write;
+ }
+ apdu.data = ef;
+
+
+ r = sc_transmit_apdu(card, &apdu);
+ /* emulate the behaviour of sc_write_binary */
+ if (r >= 0)
+ r = apdu.datalen;
+
+ while (1) {
+ if (r < 0 || ((size_t) r) > ef_len) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not write EF.");
+ goto err;
+ }
+ wrote += r;
+ apdu.data += r;
+ if (wrote >= ef_len)
+ break;
+
+ r = sc_write_binary(card, wrote, ef, write, 0);
+ }
+
+ r = SC_SUCCESS;
+
+err:
+ return r;
+}
diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports
index 87895f7..a7027b1 100644
--- a/src/libopensc/libopensc.exports
+++ b/src/libopensc/libopensc.exports
@@ -269,6 +269,8 @@ sc_write_binary
sc_write_record
sc_erase_binary
sc_get_iso7816_driver
+iso7816_write_binary_sfid
+iso7816_read_binary_sfid
sc_pkcs15init_add_app
sc_pkcs15init_authenticate
sc_pkcs15init_bind
@@ -339,3 +341,15 @@ iasecc_sm_rsa_update
iasecc_sm_update_binary
iasecc_sm_sdo_update
iasecc_sdo_encode_update_field
+_sc_card_add_ec_alg
+_sc_card_add_rsa_alg
+_sc_match_atr
+_sc_log
+npa_secret_name
+get_pace_capabilities
+perform_pace
+perform_terminal_authentication
+perform_chip_authentication
+npa_default_flags
+npa_reset_retry_counter
+npa_pace_get_tries_left
diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
index 489b60a..fcd2843 100644
--- a/src/libopensc/opensc.h
+++ b/src/libopensc/opensc.h
@@ -1351,6 +1351,34 @@ extern const char *sc_get_version(void);
extern sc_card_driver_t *sc_get_iso7816_driver(void);
+/**
+ * @brief Read a complete EF by short file identifier.
+ *
+ * @param[in] card
+ * @param[in] sfid Short file identifier
+ * @param[in,out] ef Where to safe the file. the buffer will be allocated
+ * using \c realloc() and should be set to NULL, if
+ * empty.
+ * @param[in,out] ef_len Length of \a *ef
+ *
+ * @note The appropriate directory must be selected before calling this function.
+ * */
+int iso7816_read_binary_sfid(sc_card_t *card, unsigned char sfid,
+ u8 **ef, size_t *ef_len);
+
+/**
+ * @brief Write a complete EF by short file identifier.
+ *
+ * @param[in] card
+ * @param[in] sfid Short file identifier
+ * @param[in] ef Date to write
+ * @param[in] ef_len Length of \a ef
+ *
+ * @note The appropriate directory must be selected before calling this function.
+ * */
+int iso7816_write_binary_sfid(sc_card_t *card, unsigned char sfid,
+ u8 *ef, size_t ef_len);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/libopensc/pace.h b/src/libopensc/pace.h
index c499b95..bec5022 100644
--- a/src/libopensc/pace.h
+++ b/src/libopensc/pace.h
@@ -1,7 +1,7 @@
/*
* opensc.h: PACE library header file
*
- * Copyright (C) ???? Frank Morgner <morgner at informatik.hu-berlin.de>
+ * Copyright (C) 2010-2012 Frank Morgner <frankmorgner at gmail.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -43,61 +43,61 @@ extern "C" {
* Input data for EstablishPACEChannel()
*/
struct establish_pace_channel_input {
- /** Type of secret (CAN, MRZ, PIN or PUK). */
- unsigned char pin_id;
-
- /** Length of \a chat */
- size_t chat_length;
- /** Card holder authorization template */
- const unsigned char *chat;
-
- /** Length of \a pin */
- size_t pin_length;
- /** Secret */
- const unsigned char *pin;
-
- /** Length of \a certificate_description */
- size_t certificate_description_length;
- /** Certificate description */
- const unsigned char *certificate_description;
+ /** Type of secret (CAN, MRZ, PIN or PUK). */
+ unsigned char pin_id;
+
+ /** Length of \a chat */
+ size_t chat_length;
+ /** Card holder authorization template */
+ const unsigned char *chat;
+
+ /** Length of \a pin */
+ size_t pin_length;
+ /** Secret */
+ const unsigned char *pin;
+
+ /** Length of \a certificate_description */
+ size_t certificate_description_length;
+ /** Certificate description */
+ const unsigned char *certificate_description;
};
/**
* Output data for EstablishPACEChannel()
*/
struct establish_pace_channel_output {
- /** PACE result (TR-03119) */
- unsigned int result;
-
- /** MSE: Set AT status byte */
- unsigned char mse_set_at_sw1;
- /** MSE: Set AT status byte */
- unsigned char mse_set_at_sw2;
-
- /** Length of \a ef_cardaccess */
- size_t ef_cardaccess_length;
- /** EF.CardAccess */
- unsigned char *ef_cardaccess;
-
- /** Length of \a recent_car */
- size_t recent_car_length;
- /** Most recent certificate authority reference */
- unsigned char *recent_car;
-
- /** Length of \a previous_car */
- size_t previous_car_length;
- /** Previous certificate authority reference */
- unsigned char *previous_car;
-
- /** Length of \a id_icc */
- size_t id_icc_length;
- /** ICC identifier */
- unsigned char *id_icc;
-
- /** Length of \a id_pcd */
- size_t id_pcd_length;
- /** PCD identifier */
- unsigned char *id_pcd;
+ /** PACE result (TR-03119) */
+ unsigned int result;
+
+ /** MSE: Set AT status byte */
+ unsigned char mse_set_at_sw1;
+ /** MSE: Set AT status byte */
+ unsigned char mse_set_at_sw2;
+
+ /** Length of \a ef_cardaccess */
+ size_t ef_cardaccess_length;
+ /** EF.CardAccess */
+ unsigned char *ef_cardaccess;
+
+ /** Length of \a recent_car */
+ size_t recent_car_length;
+ /** Most recent certificate authority reference */
+ unsigned char *recent_car;
+
+ /** Length of \a previous_car */
+ size_t previous_car_length;
+ /** Previous certificate authority reference */
+ unsigned char *previous_car;
+
+ /** Length of \a id_icc */
+ size_t id_icc_length;
+ /** ICC identifier */
+ unsigned char *id_icc;
+
+ /** Length of \a id_pcd */
+ size_t id_pcd_length;
+ /** PCD identifier */
+ unsigned char *id_pcd;
};
#ifdef __cplusplus
diff --git a/src/libsm/Makefile.am b/src/libsm/Makefile.am
deleted file mode 100644
index 8c1a091..0000000
--- a/src/libsm/Makefile.am
+++ /dev/null
@@ -1,14 +0,0 @@
-# Process this file with automake to create Makefile.in
-
-MAINTAINERCLEANFILES = Makefile.in
-EXTRA_DIST = Makefile.mak
-
-if ENABLE_OPENSSL
-noinst_LTLIBRARIES = libsm.la
-endif
-noinst_HEADERS = sm-common.h
-
-AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
-AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_builddir)/src/include
-
-libsm_la_SOURCES = sm-common.c sm-common.h
diff --git a/src/libsm/Makefile.mak b/src/libsm/Makefile.mak
deleted file mode 100644
index 7fc5039..0000000
--- a/src/libsm/Makefile.mak
+++ /dev/null
@@ -1,18 +0,0 @@
-TOPDIR = ..\..
-
-TARGET = libsm.lib
-OBJECTS = sm-common.obj
-
-all: $(TARGET)
-
-!INCLUDE $(TOPDIR)\win32\Make.rules.mak
-
-!IF "$(OPENSSL_DEF)" == "/DENABLE_OPENSSL"
-
-$(TARGET): $(OBJECTS)
- lib $(LIBFLAGS) /out:$(TARGET) $(OBJECTS)
-
-!ELSE
-$(TARGET):
-
-!ENDIF
diff --git a/src/sm/Makefile.am b/src/sm/Makefile.am
new file mode 100644
index 0000000..215013c
--- /dev/null
+++ b/src/sm/Makefile.am
@@ -0,0 +1,28 @@
+# Process this file with automake to create Makefile.in
+
+MAINTAINERCLEANFILES = Makefile.in
+EXTRA_DIST = Makefile.mak
+
+noinst_LTLIBRARIES = libsmiso.la libsmeac.la
+
+noinst_HEADERS = \
+ sm-iso-internal.h \
+ sm-iso.h \
+ sslutil.h \
+ sm-eac.h
+
+if ENABLE_OPENSSL
+noinst_LTLIBRARIES += libsm.la
+endif
+noinst_HEADERS += sm-common.h
+
+AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
+AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_builddir)/src/include
+
+libsm_la_SOURCES = sm-common.c sm-common.h
+
+libsmiso_la_SOURCES = sm-iso.c
+
+libsmeac_la_SOURCES = sm-eac.c
+libsmeac_la_LIBADD = $(OPENPACE_LIBS) $(OPENSSL_LIBS) libsmiso.la
+libsmeac_la_CFLAGS = $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS) -I$(top_srcdir)/src
diff --git a/src/sm/Makefile.mak b/src/sm/Makefile.mak
new file mode 100644
index 0000000..420d168
--- /dev/null
+++ b/src/sm/Makefile.mak
@@ -0,0 +1,30 @@
+TOPDIR = ..\..
+
+TARGET = libsm.lib
+OBJECTS = sm-common.obj
+
+TARGET1 = libsmiso.lib
+OBJECTS1 = sm-iso.obj
+
+TARGET2 = libsmeac.lib
+OBJECTS2 = sm-eac.obj
+
+all: $(TARGET) $(TARGET1) $(TARGET2)
+
+!INCLUDE $(TOPDIR)\win32\Make.rules.mak
+
+!IF "$(OPENSSL_DEF)" == "/DENABLE_OPENSSL"
+
+$(TARGET): $(OBJECTS)
+ lib $(LIBFLAGS) /out:$(TARGET) $(OBJECTS)
+
+!ELSE
+$(TARGET):
+
+!ENDIF
+
+$(TARGET1): $(OBJECTS1)
+ lib $(LIBFLAGS) /out:$(TARGET1) $(OBJECTS1)
+
+$(TARGET2): $(OBJECTS2)
+ lib $(LIBFLAGS) /out:$(TARGET2) $(OBJECTS2)
diff --git a/src/libsm/sm-common.c b/src/sm/sm-common.c
similarity index 100%
rename from src/libsm/sm-common.c
rename to src/sm/sm-common.c
diff --git a/src/libsm/sm-common.h b/src/sm/sm-common.h
similarity index 100%
rename from src/libsm/sm-common.h
rename to src/sm/sm-common.h
diff --git a/src/sm/sm-eac.c b/src/sm/sm-eac.c
new file mode 100644
index 0000000..157e913
--- /dev/null
+++ b/src/sm/sm-eac.c
@@ -0,0 +1,2502 @@
+/*
+ * Copyright (C) 2011-2015 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sm/sm-iso.h"
+#include "libopensc/asn1.h"
+#include "libopensc/log.h"
+#include "libopensc/opensc.h"
+#include "sm-eac.h"
+#include "sslutil.h"
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef ENABLE_OPENSSL
+#include <openssl/evp.h>
+#endif
+
+char npa_default_flags = 0;
+#define ISO_MSE 0x22
+
+#if defined(ENABLE_OPENPACE)
+#include <openssl/asn1t.h>
+
+#define ASN1_APP_IMP_OPT(stname, field, type, tag) ASN1_EX_TYPE(ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION|ASN1_TFLG_OPTIONAL, tag, stname, field, type)
+#define ASN1_APP_IMP(stname, field, type, tag) ASN1_EX_TYPE(ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION, tag, stname, field, type)
+
+/* 0x67
+ * Auxiliary authenticated data */
+ASN1_ITEM_TEMPLATE(ASN1_AUXILIARY_DATA) =
+ ASN1_EX_TEMPLATE_TYPE(
+ ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION,
+ 7, AuxiliaryAuthenticatedData, CVC_DISCRETIONARY_DATA_TEMPLATE)
+ASN1_ITEM_TEMPLATE_END(ASN1_AUXILIARY_DATA)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_AUXILIARY_DATA)
+#endif
+
+#if defined(ENABLE_OPENPACE) && defined(ENABLE_SM)
+#include <eac/ca.h>
+#include <eac/cv_cert.h>
+#include <eac/eac.h>
+#include <eac/pace.h>
+#include <eac/ta.h>
+#include <openssl/bio.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+
+
+/*
+ * MSE:Set AT
+ */
+
+typedef struct npa_mse_cd_st {
+ ASN1_OBJECT *cryptographic_mechanism_reference;
+ ASN1_OCTET_STRING *key_reference1;
+ ASN1_OCTET_STRING *key_reference2;
+ ASN1_OCTET_STRING *eph_pub_key;
+ ASN1_AUXILIARY_DATA *auxiliary_data;
+ CVC_CHAT *chat;
+} NPA_MSE_C;
+/* Note that we can not use ASN1_AUXILIARY_DATA for the auxiliary_data element
+ * here. Due to limitations of OpenSSL it is not possible to *encode* an
+ * optional item template (such as auxiliary_data) in an other item template
+ * (such as ASN1_AUXILIARY_DATA). However, we can do
+ *
+ * NPA_MSE_C->auxiliary_data = d2i_ASN1_AUXILIARY_DATA(...)
+ *
+ * because they both use the same underlying struct.
+ *
+ * See also openssl/crypto/asn1/tasn_dec.c:183
+ */
+ASN1_SEQUENCE(NPA_MSE_C) = {
+ /* 0x80
+ * Cryptographic mechanism reference */
+ ASN1_IMP_OPT(NPA_MSE_C, cryptographic_mechanism_reference, ASN1_OBJECT, 0),
+ /* 0x83
+ * Reference of a public key / secret key */
+ ASN1_IMP_OPT(NPA_MSE_C, key_reference1, ASN1_OCTET_STRING, 3),
+ /* 0x84
+ * Reference of a private key / Reference for computing a session key */
+ ASN1_IMP_OPT(NPA_MSE_C, key_reference2, ASN1_OCTET_STRING, 4),
+ /* 0x91
+ * Ephemeral Public Key */
+ ASN1_IMP_OPT(NPA_MSE_C, eph_pub_key, ASN1_OCTET_STRING, 0x11),
+ /* 0x67
+ * Auxiliary authenticated data. See note above. */
+ ASN1_APP_IMP_SEQUENCE_OF_OPT(NPA_MSE_C, auxiliary_data, CVC_DISCRETIONARY_DATA_TEMPLATE, 7),
+ /* Certificate Holder Authorization Template */
+ ASN1_OPT(NPA_MSE_C, chat, CVC_CHAT),
+} ASN1_SEQUENCE_END(NPA_MSE_C)
+DECLARE_ASN1_FUNCTIONS(NPA_MSE_C)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_MSE_C)
+
+
+/*
+ * General Authenticate for PACE
+ */
+
+/* Protocol Command Data */
+typedef struct npa_gen_auth_pace_cd_st {
+ ASN1_OCTET_STRING *mapping_data;
+ ASN1_OCTET_STRING *eph_pub_key;
+ ASN1_OCTET_STRING *auth_token;
+} NPA_GEN_AUTH_PACE_C_BODY;
+ASN1_SEQUENCE(NPA_GEN_AUTH_PACE_C_BODY) = {
+ /* 0x81
+ * Mapping Data */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_C_BODY, mapping_data, ASN1_OCTET_STRING, 1),
+ /* 0x83
+ * Ephemeral Public Key */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_C_BODY, eph_pub_key, ASN1_OCTET_STRING, 3),
+ /* 0x85
+ * Authentication Token */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_C_BODY, auth_token, ASN1_OCTET_STRING, 5),
+} ASN1_SEQUENCE_END(NPA_GEN_AUTH_PACE_C_BODY)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_C_BODY)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_C_BODY)
+
+typedef NPA_GEN_AUTH_PACE_C_BODY NPA_GEN_AUTH_PACE_C;
+/* 0x7C
+ * Dynamic Authentication Data */
+ASN1_ITEM_TEMPLATE(NPA_GEN_AUTH_PACE_C) =
+ ASN1_EX_TEMPLATE_TYPE(
+ ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION,
+ 0x1c, NPA_GEN_AUTH_PACE_C, NPA_GEN_AUTH_PACE_C_BODY)
+ASN1_ITEM_TEMPLATE_END(NPA_GEN_AUTH_PACE_C)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_C)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_C)
+
+/* Protocol Response Data */
+typedef struct npa_gen_auth_pace_rapdu_body_st {
+ ASN1_OCTET_STRING *enc_nonce;
+ ASN1_OCTET_STRING *mapping_data;
+ ASN1_OCTET_STRING *eph_pub_key;
+ ASN1_OCTET_STRING *auth_token;
+ ASN1_OCTET_STRING *cur_car;
+ ASN1_OCTET_STRING *prev_car;
+} NPA_GEN_AUTH_PACE_R_BODY;
+ASN1_SEQUENCE(NPA_GEN_AUTH_PACE_R_BODY) = {
+ /* 0x80
+ * Encrypted Nonce */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_R_BODY, enc_nonce, ASN1_OCTET_STRING, 0),
+ /* 0x82
+ * Mapping Data */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_R_BODY, mapping_data, ASN1_OCTET_STRING, 2),
+ /* 0x84
+ * Ephemeral Public Key */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_R_BODY, eph_pub_key, ASN1_OCTET_STRING, 4),
+ /* 0x86
+ * Authentication Token */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_R_BODY, auth_token, ASN1_OCTET_STRING, 6),
+ /* 0x87
+ * Most recent Certification Authority Reference */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_R_BODY, cur_car, ASN1_OCTET_STRING, 7),
+ /* 0x88
+ * Previous Certification Authority Reference */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_PACE_R_BODY, prev_car, ASN1_OCTET_STRING, 8),
+} ASN1_SEQUENCE_END(NPA_GEN_AUTH_PACE_R_BODY)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_R_BODY)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_R_BODY)
+
+typedef NPA_GEN_AUTH_PACE_R_BODY NPA_GEN_AUTH_PACE_R;
+/* 0x7C
+ * Dynamic Authentication Data */
+ASN1_ITEM_TEMPLATE(NPA_GEN_AUTH_PACE_R) =
+ ASN1_EX_TEMPLATE_TYPE(
+ ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION,
+ 0x1c, NPA_GEN_AUTH_PACE_R, NPA_GEN_AUTH_PACE_R_BODY)
+ASN1_ITEM_TEMPLATE_END(NPA_GEN_AUTH_PACE_R)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_R)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_PACE_R)
+
+
+/*
+ * General Authenticate for CA
+ */
+
+/* Protocol Command Data */
+typedef struct npa_gen_auth_ca_cd_st {
+ ASN1_OCTET_STRING *eph_pub_key;
+} NPA_GEN_AUTH_CA_C_BODY;
+ASN1_SEQUENCE(NPA_GEN_AUTH_CA_C_BODY) = {
+ /* 0x80
+ * Ephemeral Public Key */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_CA_C_BODY, eph_pub_key, ASN1_OCTET_STRING, 0),
+} ASN1_SEQUENCE_END(NPA_GEN_AUTH_CA_C_BODY)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_C_BODY)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_C_BODY)
+
+typedef NPA_GEN_AUTH_CA_C_BODY NPA_GEN_AUTH_CA_C;
+/* 0x7C
+ * Dynamic Authentication Data */
+ASN1_ITEM_TEMPLATE(NPA_GEN_AUTH_CA_C) =
+ ASN1_EX_TEMPLATE_TYPE(
+ ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION,
+ 0x1c, NPA_GEN_AUTH_CA_C, NPA_GEN_AUTH_CA_C_BODY)
+ASN1_ITEM_TEMPLATE_END(NPA_GEN_AUTH_CA_C)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_C)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_C)
+
+/* Protocol Response Data */
+typedef struct npa_gen_auth_ca_rapdu_body_st {
+ ASN1_OCTET_STRING *nonce;
+ ASN1_OCTET_STRING *auth_token;
+} NPA_GEN_AUTH_CA_R_BODY;
+ASN1_SEQUENCE(NPA_GEN_AUTH_CA_R_BODY) = {
+ /* 0x81
+ * Nonce */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_CA_R_BODY, nonce, ASN1_OCTET_STRING, 1),
+ /* 0x82
+ * Authentication Token */
+ ASN1_IMP_OPT(NPA_GEN_AUTH_CA_R_BODY, auth_token, ASN1_OCTET_STRING, 2),
+} ASN1_SEQUENCE_END(NPA_GEN_AUTH_CA_R_BODY)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_R_BODY)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_R_BODY)
+
+typedef NPA_GEN_AUTH_CA_R_BODY NPA_GEN_AUTH_CA_R;
+/* 0x7C
+ * Dynamic Authentication Data */
+ASN1_ITEM_TEMPLATE(NPA_GEN_AUTH_CA_R) =
+ ASN1_EX_TEMPLATE_TYPE(
+ ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION,
+ 0x1c, NPA_GEN_AUTH_CA_R, NPA_GEN_AUTH_CA_R_BODY)
+ASN1_ITEM_TEMPLATE_END(NPA_GEN_AUTH_CA_R)
+DECLARE_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_R)
+IMPLEMENT_ASN1_FUNCTIONS(NPA_GEN_AUTH_CA_R)
+
+
+
+#define maxresp SC_MAX_APDU_BUFFER_SIZE - 2
+
+/** @brief NPA secure messaging context */
+struct npa_sm_ctx {
+ /** @brief EAC context */
+ EAC_CTX *ctx;
+ /** @brief Certificate Description given on initialization of PACE */
+ BUF_MEM *certificate_description;
+ /** @brief picc's compressed ephemeral public key of PACE */
+ BUF_MEM *id_icc;
+ /** @brief PCD's compressed ephemeral public key of CA */
+ BUF_MEM *eph_pub_key;
+ /** @brief Auxiliary Data */
+ BUF_MEM *auxiliary_data;
+ char flags;
+};
+
+
+/* included in OpenPACE, but not propagated */
+extern BUF_MEM *BUF_MEM_create(size_t len);
+extern BUF_MEM *BUF_MEM_create_init(const void *buf, size_t len);
+
+
+static int npa_sm_encrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *data, size_t datalen, u8 **enc);
+static int npa_sm_decrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *enc, size_t enclen, u8 **data);
+static int npa_sm_authenticate(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *data, size_t datalen, u8 **outdata);
+static int npa_sm_verify_authentication(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *mac, size_t maclen,
+ const u8 *macdata, size_t macdatalen);
+static int npa_sm_pre_transmit(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *apdu);
+static int npa_sm_post_transmit(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *sm_apdu);
+static int npa_sm_finish(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *apdu);
+static void npa_sm_clear_free(const struct iso_sm_ctx *ctx);
+
+
+
+
+static struct npa_sm_ctx *
+npa_sm_ctx_create(EAC_CTX *ctx, const unsigned char *certificate_description,
+ size_t certificate_description_length,
+ const unsigned char *id_icc, size_t id_icc_length)
+{
+ struct npa_sm_ctx *out = malloc(sizeof *out);
+ if (!out)
+ goto err;
+
+ out->ctx = ctx;
+
+ if (certificate_description && certificate_description_length) {
+ out->certificate_description =
+ BUF_MEM_create_init(certificate_description,
+ certificate_description_length);
+ if (!out->certificate_description)
+ goto err;
+ } else
+ out->certificate_description = NULL;
+
+ if (id_icc && id_icc_length) {
+ out->id_icc = BUF_MEM_create_init(id_icc, id_icc_length);
+ if (!out->id_icc)
+ goto err;
+ } else
+ out->id_icc = NULL;
+
+ out->eph_pub_key = NULL;
+ out->auxiliary_data = NULL;
+
+ out->flags = npa_default_flags;
+ if (out->flags & NPA_FLAG_DISABLE_CHECK_TA)
+ TA_disable_checks(out->ctx);
+ if (out->flags & NPA_FLAG_DISABLE_CHECK_CA)
+ CA_disable_passive_authentication(out->ctx);
+
+ return out;
+
+err:
+ free(out);
+ return NULL;
+}
+
+static int
+npa_sm_start(sc_card_t *card, EAC_CTX *eac_ctx,
+ const unsigned char *certificate_description,
+ size_t certificate_description_length,
+ const unsigned char *id_icc, size_t id_icc_length)
+{
+ int r;
+ struct iso_sm_ctx *sctx = NULL;
+
+ if (!eac_ctx || !eac_ctx->key_ctx) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ sctx = iso_sm_ctx_create();
+ if (!sctx) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+
+ sctx->priv_data = npa_sm_ctx_create(eac_ctx,
+ certificate_description, certificate_description_length,
+ id_icc, id_icc_length);
+ if (!sctx->priv_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+
+ sctx->authenticate = npa_sm_authenticate;
+ sctx->encrypt = npa_sm_encrypt;
+ sctx->decrypt = npa_sm_decrypt;
+ sctx->verify_authentication = npa_sm_verify_authentication;
+ sctx->pre_transmit = npa_sm_pre_transmit;
+ sctx->post_transmit = npa_sm_post_transmit;
+ sctx->finish = npa_sm_finish;
+ sctx->clear_free = npa_sm_clear_free;
+ sctx->padding_indicator = SM_ISO_PADDING;
+ sctx->block_length = EVP_CIPHER_block_size(eac_ctx->key_ctx->cipher);
+
+ r = iso_sm_start(card, sctx);
+
+err:
+ if (r < 0)
+ iso_sm_ctx_clear_free(sctx);
+
+ return r;
+}
+
+static int get_ef_card_access(sc_card_t *card,
+ u8 **ef_cardaccess, size_t *length_ef_cardaccess)
+{
+ return iso7816_read_binary_sfid(card, SFID_EF_CARDACCESS, ef_cardaccess, length_ef_cardaccess);
+}
+
+static int format_mse_cdata(struct sc_context *ctx, int protocol,
+ const unsigned char *key_reference1, size_t key_reference1_len,
+ const unsigned char *key_reference2, size_t key_reference2_len,
+ const unsigned char *eph_pub_key, size_t eph_pub_key_len,
+ const unsigned char *auxiliary_data, size_t auxiliary_data_len,
+ const CVC_CHAT *chat, unsigned char **cdata)
+{
+ NPA_MSE_C *data = NULL;
+ unsigned char *data_sequence = NULL;
+ const unsigned char *data_no_sequence;
+ unsigned char *p;
+ long length;
+ int r, class, tag;
+
+ if (!cdata) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ data = NPA_MSE_C_new();
+ if (!data) {
+ ssl_error(ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (protocol) {
+ data->cryptographic_mechanism_reference = OBJ_nid2obj(protocol);
+ if (!data->cryptographic_mechanism_reference) {
+ sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, "Error setting Cryptographic mechanism reference of MSE:Set AT data");
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ if (key_reference1 && key_reference1_len) {
+ data->key_reference1 = ASN1_OCTET_STRING_new();
+ if (!data->key_reference1
+ || !M_ASN1_OCTET_STRING_set(
+ data->key_reference1, key_reference1, key_reference1_len)) {
+ sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, "Error setting key reference 1 of MSE:Set AT data");
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ if (key_reference2 && key_reference2_len) {
+ data->key_reference2 = ASN1_OCTET_STRING_new();
+ if (!data->key_reference2
+ || !M_ASN1_OCTET_STRING_set(
+ data->key_reference2, key_reference2, key_reference2_len)) {
+ sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, "Error setting key reference 2 of MSE:Set AT data");
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ if (eph_pub_key && eph_pub_key_len) {
+ data->eph_pub_key = ASN1_OCTET_STRING_new();
+ if (!data->eph_pub_key
+ || !M_ASN1_OCTET_STRING_set(
+ data->eph_pub_key, eph_pub_key, eph_pub_key_len)) {
+ sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, "Error setting ephemeral Public Key of MSE:Set AT data");
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ if (auxiliary_data && auxiliary_data_len) {
+ if (!d2i_ASN1_AUXILIARY_DATA(&data->auxiliary_data, &auxiliary_data, auxiliary_data_len)) {
+ sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, "Error setting authenticated auxiliary data of MSE:Set AT data");
+ ssl_error(ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ data->chat = (CVC_CHAT *) chat;
+
+
+ length = i2d_NPA_MSE_C(data, &data_sequence);
+ data_no_sequence = data_sequence;
+ if (length < 0
+ || (0x80 & ASN1_get_object(&data_no_sequence, &length, &tag, &class, length))) {
+ sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, "Error encoding MSE:Set AT APDU data");
+ ssl_error(ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ if (length < 0) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ sc_debug_hex(ctx, SC_LOG_DEBUG_NORMAL, "MSE command data", data_no_sequence, length);
+
+
+ p = realloc(*cdata, length);
+ if (!p) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ memcpy(p, data_no_sequence, length);
+ *cdata = p;
+ r = length;
+
+err:
+ if (data) {
+ /* do not free the functions parameter chat */
+ data->chat = NULL;
+ NPA_MSE_C_free(data);
+ }
+ OPENSSL_free(data_sequence);
+
+ return r;
+}
+
+static int npa_mse(sc_card_t *card,
+ unsigned char p1, unsigned char p2, int protocol,
+ const unsigned char *key_reference1, size_t key_reference1_len,
+ const unsigned char *key_reference2, size_t key_reference2_len,
+ const unsigned char *eph_pub_key, size_t eph_pub_key_len,
+ const unsigned char *auxiliary_data, size_t auxiliary_data_len,
+ const CVC_CHAT *chat, u8 *sw1, u8 *sw2)
+{
+ sc_apdu_t apdu;
+ unsigned char *d = NULL;
+ int r;
+
+ if (!card) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, ISO_MSE, p1, p2);
+
+ r = format_mse_cdata(card->ctx, protocol, key_reference1,
+ key_reference1_len, key_reference2, key_reference2_len,
+ eph_pub_key, eph_pub_key_len, auxiliary_data, auxiliary_data_len,
+ chat, &d);
+ if (r < 0)
+ goto err;
+ apdu.data = d;
+ apdu.datalen = r;
+ apdu.lc = r;
+
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ if (apdu.resplen) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "MSE:Set AT response data should be empty "
+ "(contains %u bytes)", apdu.resplen);
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+
+ if (sw1)
+ *sw1 = apdu.sw1;
+ if (sw2)
+ *sw2 = apdu.sw2;
+
+err:
+ free(d);
+
+ return r;
+}
+
+static int npa_mse_set_at(sc_card_t *card, unsigned char p1, int protocol,
+ const unsigned char *key_reference1, size_t key_reference1_len,
+ const unsigned char *key_reference2, size_t key_reference2_len,
+ const unsigned char *eph_pub_key, size_t eph_pub_key_len,
+ const unsigned char *auxiliary_data, size_t auxiliary_data_len,
+ const CVC_CHAT *chat, u8 *sw1, u8 *sw2)
+{
+ return npa_mse(card, p1, 0xA4, protocol, key_reference1,
+ key_reference1_len, key_reference2, key_reference2_len,
+ eph_pub_key, eph_pub_key_len, auxiliary_data, auxiliary_data_len,
+ chat, sw1, sw2);
+}
+
+static int npa_mse_set_at_pace(sc_card_t *card, int protocol,
+ enum s_type secret_key, const CVC_CHAT *chat, u8 *sw1, u8 *sw2)
+{
+ int r, tries;
+ unsigned char key = secret_key;
+
+ r = npa_mse_set_at(card, 0xC1, protocol, &key, sizeof key, NULL,
+ 0, NULL, 0, NULL, 0, chat, sw1, sw2);
+
+ if (*sw1 == 0x63) {
+ if ((*sw2 & 0xc0) == 0xc0) {
+ tries = *sw2 & 0x0f;
+ if (tries <= 1) {
+ /* this is only a warning... */
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Remaining tries: %d (%s must be %s)\n",
+ tries, npa_secret_name(secret_key),
+ tries ? "resumed" : "unblocked");
+ }
+ r = SC_SUCCESS;
+ } else {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Unknown status bytes: SW1=%02X, SW2=%02X\n",
+ *sw1, *sw2);
+ r = SC_ERROR_CARD_CMD_FAILED;
+ }
+ } else if (*sw1 == 0x62 && *sw2 == 0x83) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Password is deactivated\n");
+ r = SC_ERROR_AUTH_METHOD_BLOCKED;
+ } else {
+ r = sc_check_sw(card, *sw1, *sw2);
+ }
+
+ return r;
+}
+
+
+#define ISO_GENERAL_AUTHENTICATE 0x86
+#define ISO_COMMAND_CHAINING 0x10
+static int npa_gen_auth_1_encrypted_nonce(sc_card_t *card,
+ u8 **enc_nonce, size_t *enc_nonce_len)
+{
+ sc_apdu_t apdu;
+ NPA_GEN_AUTH_PACE_C *c_data = NULL;
+ NPA_GEN_AUTH_PACE_R *r_data = NULL;
+ unsigned char *d = NULL, *p;
+ int r, l;
+ unsigned char resp[maxresp];
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, ISO_GENERAL_AUTHENTICATE,
+ 0x00, 0x00);
+ apdu.cla = ISO_COMMAND_CHAINING;
+
+ c_data = NPA_GEN_AUTH_PACE_C_new();
+ if (!c_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ r = i2d_NPA_GEN_AUTH_PACE_C(c_data, &d);
+ if (r < 0) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ apdu.data = d;
+ apdu.datalen = r;
+ apdu.lc = r;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Encrypted Nonce) command data", apdu.data, apdu.datalen);
+
+ apdu.resplen = sizeof resp;
+ apdu.resp = resp;
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ if (r < 0)
+ goto err;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Encrypted Nonce) response data", apdu.resp, apdu.resplen);
+
+ if (!d2i_NPA_GEN_AUTH_PACE_R(&r_data,
+ (const unsigned char **) &apdu.resp, apdu.resplen)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse general authenticate response data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (!r_data->enc_nonce
+ || r_data->mapping_data
+ || r_data->eph_pub_key
+ || r_data->auth_token
+ || r_data->cur_car
+ || r_data->prev_car) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Response data of general authenticate for "
+ "step 1 should (only) contain the encrypted nonce.");
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+ p = r_data->enc_nonce->data;
+ l = r_data->enc_nonce->length;
+
+ *enc_nonce = malloc(l);
+ if (!*enc_nonce) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ /* Flawfinder: ignore */
+ memcpy(*enc_nonce, p, l);
+ *enc_nonce_len = l;
+
+err:
+ if (c_data)
+ NPA_GEN_AUTH_PACE_C_free(c_data);
+ OPENSSL_free(d);
+ if (r_data)
+ NPA_GEN_AUTH_PACE_R_free(r_data);
+
+ return r;
+}
+static int npa_gen_auth_2_map_nonce(sc_card_t *card,
+ const u8 *in, size_t in_len,
+ u8 **map_data_out, size_t *map_data_out_len)
+{
+ sc_apdu_t apdu;
+ NPA_GEN_AUTH_PACE_C *c_data = NULL;
+ NPA_GEN_AUTH_PACE_R *r_data = NULL;
+ unsigned char *d = NULL, *p;
+ int r, l;
+ unsigned char resp[maxresp];
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, ISO_GENERAL_AUTHENTICATE,
+ 0x00, 0x00);
+ apdu.cla = ISO_COMMAND_CHAINING;
+
+ c_data = NPA_GEN_AUTH_PACE_C_new();
+ if (!c_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ c_data->mapping_data = ASN1_OCTET_STRING_new();
+ if (!c_data->mapping_data
+ || !M_ASN1_OCTET_STRING_set(
+ c_data->mapping_data, in, in_len)) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = i2d_NPA_GEN_AUTH_PACE_C(c_data, &d);
+ if (r < 0) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ apdu.data = d;
+ apdu.datalen = r;
+ apdu.lc = r;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Map Nonce) command data", apdu.data, apdu.datalen);
+
+ apdu.resplen = sizeof resp;
+ apdu.resp = resp;
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ if (r < 0)
+ goto err;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Map Nonce) response data", apdu.resp, apdu.resplen);
+
+ if (!d2i_NPA_GEN_AUTH_PACE_R(&r_data,
+ (const unsigned char **) &apdu.resp, apdu.resplen)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse general authenticate response data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (r_data->enc_nonce
+ || !r_data->mapping_data
+ || r_data->eph_pub_key
+ || r_data->auth_token
+ || r_data->cur_car
+ || r_data->prev_car) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Response data of general authenticate for "
+ "step 2 should (only) contain the mapping data.");
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+ p = r_data->mapping_data->data;
+ l = r_data->mapping_data->length;
+
+ *map_data_out = malloc(l);
+ if (!*map_data_out) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ /* Flawfinder: ignore */
+ memcpy(*map_data_out, p, l);
+ *map_data_out_len = l;
+
+err:
+ if (c_data)
+ NPA_GEN_AUTH_PACE_C_free(c_data);
+ OPENSSL_free(d);
+ if (r_data)
+ NPA_GEN_AUTH_PACE_R_free(r_data);
+
+ return r;
+}
+static int npa_gen_auth_3_perform_key_agreement(sc_card_t *card,
+ const u8 *in, size_t in_len,
+ u8 **eph_pub_key_out, size_t *eph_pub_key_out_len)
+{
+ sc_apdu_t apdu;
+ NPA_GEN_AUTH_PACE_C *c_data = NULL;
+ NPA_GEN_AUTH_PACE_R *r_data = NULL;
+ unsigned char *d = NULL, *p;
+ int r, l;
+ unsigned char resp[maxresp];
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, ISO_GENERAL_AUTHENTICATE,
+ 0x00, 0x00);
+ apdu.cla = ISO_COMMAND_CHAINING;
+
+ c_data = NPA_GEN_AUTH_PACE_C_new();
+ if (!c_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ c_data->eph_pub_key = ASN1_OCTET_STRING_new();
+ if (!c_data->eph_pub_key
+ || !M_ASN1_OCTET_STRING_set(
+ c_data->eph_pub_key, in, in_len)) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = i2d_NPA_GEN_AUTH_PACE_C(c_data, &d);
+ if (r < 0) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ apdu.data = d;
+ apdu.datalen = r;
+ apdu.lc = r;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Perform Key Agreement) command data", apdu.data, apdu.datalen);
+
+ apdu.resplen = sizeof resp;
+ apdu.resp = resp;
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ if (r < 0)
+ goto err;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Perform Key Agreement) response data", apdu.resp, apdu.resplen);
+
+ if (!d2i_NPA_GEN_AUTH_PACE_R(&r_data,
+ (const unsigned char **) &apdu.resp, apdu.resplen)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse general authenticate response data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (r_data->enc_nonce
+ || r_data->mapping_data
+ || !r_data->eph_pub_key
+ || r_data->auth_token
+ || r_data->cur_car
+ || r_data->prev_car) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Response data of general authenticate for "
+ "step 3 should (only) contain the ephemeral public key.");
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+ p = r_data->eph_pub_key->data;
+ l = r_data->eph_pub_key->length;
+
+ *eph_pub_key_out = malloc(l);
+ if (!*eph_pub_key_out) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ /* Flawfinder: ignore */
+ memcpy(*eph_pub_key_out, p, l);
+ *eph_pub_key_out_len = l;
+
+err:
+ if (c_data)
+ NPA_GEN_AUTH_PACE_C_free(c_data);
+ OPENSSL_free(d);
+ if (r_data)
+ NPA_GEN_AUTH_PACE_R_free(r_data);
+
+ return r;
+}
+static int npa_gen_auth_4_mutual_authentication(sc_card_t *card,
+ const u8 *in, size_t in_len,
+ u8 **auth_token_out, size_t *auth_token_out_len,
+ u8 **recent_car, size_t *recent_car_len,
+ u8 **prev_car, size_t *prev_car_len)
+{
+ sc_apdu_t apdu;
+ NPA_GEN_AUTH_PACE_C *c_data = NULL;
+ NPA_GEN_AUTH_PACE_R *r_data = NULL;
+ unsigned char *d = NULL, *p;
+ int r, l;
+ unsigned char resp[maxresp];
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, ISO_GENERAL_AUTHENTICATE,
+ 0x00, 0x00);
+
+ c_data = NPA_GEN_AUTH_PACE_C_new();
+ if (!c_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ c_data->auth_token = ASN1_OCTET_STRING_new();
+ if (!c_data->auth_token
+ || !M_ASN1_OCTET_STRING_set(
+ c_data->auth_token, in, in_len)) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = i2d_NPA_GEN_AUTH_PACE_C(c_data, &d);
+ if (r < 0) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ apdu.data = d;
+ apdu.datalen = r;
+ apdu.lc = r;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Perform Key Agreement) command data", apdu.data, apdu.datalen);
+
+ apdu.resplen = sizeof resp;
+ apdu.resp = resp;
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ if (r < 0)
+ goto err;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Perform Key Agreement) response data", apdu.resp, apdu.resplen);
+
+ if (!d2i_NPA_GEN_AUTH_PACE_R(&r_data,
+ (const unsigned char **) &apdu.resp, apdu.resplen)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse general authenticate response data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (r_data->enc_nonce
+ || r_data->mapping_data
+ || r_data->eph_pub_key
+ || !r_data->auth_token) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Response data of general authenticate for "
+ "step 4 should (only) contain the authentication token.");
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+ p = r_data->auth_token->data;
+ l = r_data->auth_token->length;
+ if (r_data->cur_car) {
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Most recent Certificate Authority Reference",
+ r_data->cur_car->data, r_data->cur_car->length);
+ *recent_car = malloc(r_data->cur_car->length);
+ if (!*recent_car) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ /* Flawfinder: ignore */
+ memcpy(*recent_car, r_data->cur_car->data, r_data->cur_car->length);
+ *recent_car_len = r_data->cur_car->length;
+ } else
+ *recent_car_len = 0;
+ if (r_data->prev_car) {
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Previous Certificate Authority Reference",
+ r_data->prev_car->data, r_data->prev_car->length);
+ *prev_car = malloc(r_data->prev_car->length);
+ if (!*prev_car) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ /* Flawfinder: ignore */
+ memcpy(*prev_car, r_data->prev_car->data, r_data->prev_car->length);
+ *prev_car_len = r_data->prev_car->length;
+ } else
+ *prev_car_len = 0;
+
+ *auth_token_out = malloc(l);
+ if (!*auth_token_out) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ /* Flawfinder: ignore */
+ memcpy(*auth_token_out, p, l);
+ *auth_token_out_len = l;
+
+err:
+ if (c_data)
+ NPA_GEN_AUTH_PACE_C_free(c_data);
+ OPENSSL_free(d);
+ if (r_data)
+ NPA_GEN_AUTH_PACE_R_free(r_data);
+
+ return r;
+}
+
+static PACE_SEC *
+get_psec(sc_card_t *card, const char *pin, size_t length_pin, enum s_type pin_id)
+{
+ char *p = NULL;
+ PACE_SEC *r;
+ /* Flawfinder: ignore */
+ char buf[MAX_MRZ_LEN > 32 ? MAX_MRZ_LEN : 32];
+
+ if (!length_pin || !pin) {
+ if (0 > snprintf(buf, sizeof buf, "Please enter your %s: ",
+ npa_secret_name(pin_id))) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not create password prompt.\n");
+ return NULL;
+ }
+ p = malloc(MAX_MRZ_LEN+1);
+ if (!p) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for %s.\n",
+ npa_secret_name(pin_id));
+ return NULL;
+ }
+ if (0 > EVP_read_pw_string_min(p, 0, MAX_MRZ_LEN, buf, 0)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not read %s.\n",
+ npa_secret_name(pin_id));
+ return NULL;
+ }
+ length_pin = strlen(p);
+ if (length_pin > MAX_MRZ_LEN) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "MRZ too long");
+ return NULL;
+ }
+ pin = p;
+ }
+
+ r = PACE_SEC_new(pin, length_pin, pin_id);
+
+ if (p) {
+ OPENSSL_cleanse(p, length_pin);
+ free(p);
+ }
+
+ return r;
+}
+
+
+int perform_pace(sc_card_t *card,
+ struct establish_pace_channel_input pace_input,
+ struct establish_pace_channel_output *pace_output,
+ enum eac_tr_version tr_version)
+{
+ u8 *p = NULL;
+ EAC_CTX *eac_ctx = NULL;
+ BUF_MEM *enc_nonce = NULL, *mdata = NULL, *mdata_opp = NULL,
+ *token_opp = NULL, *token = NULL, *pub = NULL, *pub_opp = NULL,
+ *comp_pub = NULL, *comp_pub_opp = NULL;
+ PACE_SEC *sec = NULL;
+ CVC_CHAT *chat = NULL;
+ BIO *bio_stdout = NULL;
+ CVC_CERTIFICATE_DESCRIPTION *desc = NULL;
+ int r;
+ const unsigned char *pp;
+
+ if (!card || !pace_output)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ /* show description in advance to give the user more time to read it...
+ * This behaviour differs from TR-03119 v1.1 p. 44. */
+ if (pace_input.certificate_description_length &&
+ pace_input.certificate_description) {
+
+ pp = pace_input.certificate_description;
+ if (!d2i_CVC_CERTIFICATE_DESCRIPTION(&desc,
+ &pp, pace_input.certificate_description_length)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse certificate description.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (!bio_stdout) {
+ bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
+ if (!bio_stdout) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not create output buffer.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ printf("Certificate Description\n");
+ switch(certificate_description_print(bio_stdout, desc, 8)) {
+ case 0:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not print certificate description.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ break;
+ case 1:
+ /* text format */
+ break;
+ case 2:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Certificate description in "
+ "HTML format can not (yet) be handled.");
+ r = SC_ERROR_NOT_SUPPORTED;
+ goto err;
+ break;
+ case 3:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Certificate description in "
+ "PDF format can not (yet) be handled.");
+ r = SC_ERROR_NOT_SUPPORTED;
+ goto err;
+ break;
+ default:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Certificate description in "
+ "unknown format can not be handled.");
+ r = SC_ERROR_NOT_SUPPORTED;
+ goto err;
+ break;
+ }
+ }
+
+ /* show chat in advance to give the user more time to read it...
+ * This behaviour differs from TR-03119 v1.1 p. 44. */
+ if (pace_input.chat_length && pace_input.chat) {
+
+ if (!bio_stdout) {
+ bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
+ if (!bio_stdout) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not create output buffer.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ pp = pace_input.chat;
+ if (!d2i_CVC_CHAT(&chat, &pp, pace_input.chat_length)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse card holder authorization template (CHAT).");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ printf("Card holder authorization template (CHAT)\n");
+ if (!cvc_chat_print(bio_stdout, chat, 8)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not print card holder authorization template (CHAT).");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ if (card->reader->capabilities & SC_READER_CAP_PACE_GENERIC
+ && card->reader->ops->perform_pace) {
+ r = card->reader->ops->perform_pace(card->reader, &pace_input, pace_output);
+ if (r < 0)
+ goto err;
+ } else {
+ if (!pace_output->ef_cardaccess_length || !pace_output->ef_cardaccess) {
+ r = get_ef_card_access(card, &pace_output->ef_cardaccess,
+ &pace_output->ef_cardaccess_length);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get EF.CardAccess.");
+ goto err;
+ }
+ }
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "EF.CardAccess", pace_output->ef_cardaccess,
+ pace_output->ef_cardaccess_length);
+
+ /* XXX Card capabilities should be determined by the OpenSC card driver. We
+ * set it here to be able to use the nPA without patching OpenSC. By
+ * now we have read the EF.CardAccess so the assumption to have an nPA
+ * seems valid. */
+ card->caps |= SC_CARD_CAP_APDU_EXT;
+
+ eac_ctx = EAC_CTX_new();
+ if (!eac_ctx
+ || !EAC_CTX_init_ef_cardaccess(pace_output->ef_cardaccess,
+ pace_output->ef_cardaccess_length, eac_ctx)
+ || !eac_ctx->pace_ctx) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse EF.CardAccess.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ eac_ctx->tr_version = tr_version;
+
+ r = npa_mse_set_at_pace(card, eac_ctx->pace_ctx->protocol,
+ pace_input.pin_id, chat, &pace_output->mse_set_at_sw1,
+ &pace_output->mse_set_at_sw2);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not select protocol proberties "
+ "(MSE: Set AT failed).");
+ goto err;
+ }
+
+ enc_nonce = BUF_MEM_new();
+ if (!enc_nonce) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ r = npa_gen_auth_1_encrypted_nonce(card, (u8 **) &enc_nonce->data,
+ &enc_nonce->length);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get encrypted nonce from card "
+ "(General Authenticate step 1 failed).");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Encrypted nonce from MRTD", (u8 *)enc_nonce->data, enc_nonce->length);
+ enc_nonce->max = enc_nonce->length;
+
+ sec = get_psec(card, (char *) pace_input.pin, pace_input.pin_length,
+ pace_input.pin_id);
+ if (!sec) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encode PACE secret.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (!PACE_STEP2_dec_nonce(eac_ctx, sec, enc_nonce)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt MRTD's nonce.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ mdata_opp = BUF_MEM_new();
+ mdata = PACE_STEP3A_generate_mapping_data(eac_ctx);
+ if (!mdata || !mdata_opp) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not generate mapping data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = npa_gen_auth_2_map_nonce(card, (u8 *) mdata->data, mdata->length,
+ (u8 **) &mdata_opp->data, &mdata_opp->length);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not exchange mapping data with card "
+ "(General Authenticate step 2 failed).");
+ goto err;
+ }
+ mdata_opp->max = mdata_opp->length;
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Mapping data from MRTD", (u8 *) mdata_opp->data, mdata_opp->length);
+
+ if (!PACE_STEP3A_map_generator(eac_ctx, mdata_opp)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not map generator.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ pub = PACE_STEP3B_generate_ephemeral_key(eac_ctx);
+ pub_opp = BUF_MEM_new();
+ if (!pub || !pub_opp) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not generate ephemeral domain parameter or "
+ "ephemeral key pair.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = npa_gen_auth_3_perform_key_agreement(card, (u8 *) pub->data, pub->length,
+ (u8 **) &pub_opp->data, &pub_opp->length);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not exchange ephemeral public key with card "
+ "(General Authenticate step 3 failed).");
+ goto err;
+ }
+ pub_opp->max = pub_opp->length;
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Ephemeral public key from MRTD", (u8 *) pub_opp->data, pub_opp->length);
+
+
+ if (!PACE_STEP3B_compute_shared_secret(eac_ctx, pub_opp)
+ || !PACE_STEP3C_derive_keys(eac_ctx)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not compute ephemeral shared secret or "
+ "derive keys for encryption and authentication.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ token = PACE_STEP3D_compute_authentication_token(eac_ctx, pub_opp);
+ token_opp = BUF_MEM_new();
+ if (!token || !token_opp) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not compute authentication token.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = npa_gen_auth_4_mutual_authentication(card, (u8 *) token->data, token->length,
+ (u8 **) &token_opp->data, &token_opp->length,
+ &pace_output->recent_car, &pace_output->recent_car_length,
+ &pace_output->previous_car, &pace_output->previous_car_length);
+
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not exchange authentication token with card "
+ "(General Authenticate step 4 failed).");
+ goto err;
+ }
+ token_opp->max = token_opp->length;
+
+ if (!PACE_STEP3D_verify_authentication_token(eac_ctx, token_opp)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not verify authentication token.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ /* Initialize secure channel */
+ if (!EAC_CTX_set_encryption_ctx(eac_ctx, EAC_ID_PACE)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not initialize encryption.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ /* Identifier for ICC and PCD */
+ comp_pub = EAC_Comp(eac_ctx, EAC_ID_PACE, pub);
+ comp_pub_opp = EAC_Comp(eac_ctx, EAC_ID_PACE, pub_opp);
+ if (!comp_pub || !comp_pub_opp) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not compress public keys for identification.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ p = realloc(pace_output->id_icc, comp_pub_opp->length);
+ if (!p) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID ICC.\n");
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ pace_output->id_icc = p;
+ pace_output->id_icc_length = comp_pub_opp->length;
+ /* Flawfinder: ignore */
+ memcpy(pace_output->id_icc, comp_pub_opp->data, comp_pub_opp->length);
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "ID ICC", pace_output->id_icc,
+ pace_output->id_icc_length);
+ p = realloc(pace_output->id_pcd, comp_pub->length);
+ if (!p) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID PCD.\n");
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ pace_output->id_pcd = p;
+ pace_output->id_pcd_length = comp_pub->length;
+ /* Flawfinder: ignore */
+ memcpy(pace_output->id_pcd, comp_pub->data, comp_pub->length);
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "ID PCD", pace_output->id_pcd,
+ pace_output->id_pcd_length);
+
+ r = npa_sm_start(card, eac_ctx, pace_input.certificate_description,
+ pace_input.certificate_description_length, pace_output->id_icc,
+ pace_output->id_icc_length);
+ }
+
+err:
+ if (enc_nonce)
+ BUF_MEM_free(enc_nonce);
+ if (mdata)
+ BUF_MEM_free(mdata);
+ if (mdata_opp)
+ BUF_MEM_free(mdata_opp);
+ if (token_opp)
+ BUF_MEM_free(token_opp);
+ if (token)
+ BUF_MEM_free(token);
+ if (pub)
+ BUF_MEM_free(pub);
+ if (pub_opp)
+ BUF_MEM_free(pub_opp);
+ if (comp_pub_opp)
+ BUF_MEM_free(comp_pub_opp);
+ if (comp_pub)
+ BUF_MEM_free(comp_pub);
+ PACE_SEC_clear_free(sec);
+ if (bio_stdout)
+ BIO_free_all(bio_stdout);
+ if (desc)
+ CVC_CERTIFICATE_DESCRIPTION_free(desc);
+ if (chat)
+ CVC_CHAT_free(chat);
+
+ if (r < 0)
+ EAC_CTX_clear_free(eac_ctx);
+
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+}
+
+static int npa_mse_set_at_ta(sc_card_t *card, int protocol,
+ const unsigned char *chr, size_t chr_len,
+ const unsigned char *eph_pub_key, size_t eph_pub_key_len,
+ const unsigned char *auxiliary_data, size_t auxiliary_data_len)
+{
+ return npa_mse_set_at(card, 0x81, protocol, chr, chr_len, NULL, 0,
+ eph_pub_key, eph_pub_key_len, auxiliary_data, auxiliary_data_len,
+ NULL, NULL, NULL);
+}
+
+static int npa_mse_set_dst(sc_card_t *card,
+ const unsigned char *chr, size_t chr_len)
+{
+ return npa_mse(card, 0x81, 0xb6, 0, chr, chr_len, NULL, 0, NULL, 0, NULL,
+ 0, NULL, NULL, NULL);
+}
+
+static int npa_get_challenge(sc_card_t *card,
+ unsigned char *challenge, size_t len)
+{
+ sc_apdu_t apdu;
+ int r;
+
+ if (!card) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0x84, 0x00, 0x00);
+ apdu.le = len;
+ apdu.resplen = len;
+ apdu.resp = challenge;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+
+err:
+ return r;
+}
+
+static int npa_verify(sc_card_t *card,
+ const unsigned char *cert, size_t cert_len)
+{
+ sc_apdu_t apdu;
+ int r, class, tag;
+ long int length;
+
+ memset(&apdu, 0, sizeof apdu);
+
+ if (!card) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_EXT, 0x2A, 0x00, 0xbe);
+
+ apdu.data = cert;
+ if (0x80 & ASN1_get_object(&apdu.data, &length, &tag, &class, cert_len)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Error decoding Certificate");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ apdu.datalen = length;
+ apdu.lc = length;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+
+err:
+ return r;
+}
+
+static int npa_external_authenticate(sc_card_t *card,
+ unsigned char *signature, size_t signature_len)
+{
+ int r;
+ sc_apdu_t apdu;
+ memset(&apdu, 0, sizeof apdu);
+
+ if (!card) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x82, 0x00, 0x00);
+
+ apdu.data = signature;
+ apdu.datalen = signature_len;
+ apdu.lc = signature_len;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+
+err:
+ return r;
+}
+
+#define TA_NONCE_LENGTH 8
+int perform_terminal_authentication(sc_card_t *card,
+ const unsigned char **certs, const size_t *certs_lens,
+ const unsigned char *privkey, size_t privkey_len,
+ const unsigned char *auxiliary_data, size_t auxiliary_data_len)
+{
+ int r;
+ const unsigned char *cert = NULL;
+ size_t cert_len = 0, ef_cardaccess_length = 0;
+ CVC_CERT *cvc_cert = NULL;
+ BUF_MEM *nonce = NULL, *signature = NULL;
+ struct iso_sm_ctx *isosmctx = NULL;
+ struct npa_sm_ctx *eacsmctx = NULL;
+ unsigned char *ef_cardaccess = NULL;
+ EAC_CTX *eac_ctx = NULL;
+
+ if (!card || !certs_lens || !certs) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ if (!card->sm_ctx.info.cmd_data) {
+ card->sm_ctx.info.cmd_data = iso_sm_ctx_create();
+ }
+ if (!card->sm_ctx.info.cmd_data) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ isosmctx = card->sm_ctx.info.cmd_data;
+ if (!isosmctx->priv_data) {
+ r = get_ef_card_access(card, &ef_cardaccess, &ef_cardaccess_length);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get EF.CardAccess.");
+ goto err;
+ }
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "EF.CardAccess", ef_cardaccess,
+ ef_cardaccess_length);
+
+ /* XXX Card capabilities should be determined by the OpenSC card driver. We
+ * set it here to be able to use the nPA without patching OpenSC. By
+ * now we have read the EF.CardAccess so the assumption to have an nPA
+ * seems valid. */
+ card->caps |= SC_CARD_CAP_APDU_EXT;
+
+ eac_ctx = EAC_CTX_new();
+ if (!eac_ctx
+ || !EAC_CTX_init_ef_cardaccess(ef_cardaccess,
+ ef_cardaccess_length, eac_ctx)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse EF.CardAccess.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ isosmctx->priv_data = npa_sm_ctx_create(eac_ctx, NULL, 0, NULL, 0);
+ if (!isosmctx->priv_data) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ eac_ctx = NULL;
+ }
+ eacsmctx = isosmctx->priv_data;
+
+
+ while (*certs && *certs_lens) {
+ cert = *certs;
+ cert_len = *certs_lens;
+ if (!CVC_d2i_CVC_CERT(&cvc_cert, &cert, cert_len) || !cvc_cert
+ || !cvc_cert->body || !cvc_cert->body->certificate_authority_reference
+ || !cvc_cert->body->certificate_holder_reference) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+ cert = *certs;
+
+ r = npa_mse_set_dst(card,
+ cvc_cert->body->certificate_authority_reference->data,
+ cvc_cert->body->certificate_authority_reference->length);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not select protocol proberties "
+ "(MSE: Set AT failed).");
+ goto err;
+ }
+
+ r = npa_verify(card, cert, cert_len);
+ if (r < 0)
+ goto err;
+
+ certs++;
+ certs_lens++;
+ }
+
+
+ if (!EAC_CTX_init_ta(eacsmctx->ctx, privkey, privkey_len, cert, cert_len)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not initialize TA.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+
+ if (eacsmctx->eph_pub_key)
+ BUF_MEM_free(eacsmctx->eph_pub_key);
+ eacsmctx->eph_pub_key = TA_STEP3_generate_ephemeral_key(eacsmctx->ctx);
+ if (!eacsmctx->eph_pub_key) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not generate CA ephemeral key.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+
+ r = npa_mse_set_at_ta(card, eacsmctx->ctx->ta_ctx->protocol,
+ cvc_cert->body->certificate_holder_reference->data,
+ cvc_cert->body->certificate_holder_reference->length,
+ (unsigned char *) eacsmctx->eph_pub_key->data, eacsmctx->eph_pub_key->length,
+ auxiliary_data, auxiliary_data_len);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not select protocol proberties "
+ "(MSE: Set AT failed).");
+ goto err;
+ }
+
+ nonce = BUF_MEM_create(TA_NONCE_LENGTH);
+ if (!nonce) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = npa_get_challenge(card, (unsigned char *) nonce->data, nonce->length);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get nonce for TA.");
+ goto err;
+ }
+ if (!TA_STEP4_set_nonce(eacsmctx->ctx, nonce)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not set nonce for TA.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (eacsmctx->auxiliary_data)
+ BUF_MEM_free(eacsmctx->auxiliary_data);
+ eacsmctx->auxiliary_data = BUF_MEM_create_init(auxiliary_data,
+ auxiliary_data_len);
+ signature = TA_STEP5_sign(eacsmctx->ctx, eacsmctx->eph_pub_key,
+ eacsmctx->id_icc, eacsmctx->auxiliary_data);
+ if (!signature) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not generate signature.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = npa_external_authenticate(card, (unsigned char *) signature->data,
+ signature->length);
+
+err:
+ if (cvc_cert)
+ CVC_CERT_free(cvc_cert);
+ free(ef_cardaccess);
+ EAC_CTX_clear_free(eac_ctx);
+ BUF_MEM_clear_free(nonce);
+ BUF_MEM_clear_free(signature);
+
+ if (card)
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+ else
+ return r;
+}
+
+static int npa_mse_set_at_ca(sc_card_t *card, int protocol)
+{
+ return npa_mse_set_at(card, 0x41, protocol, NULL, 0, NULL, 0, NULL, 0,
+ NULL, 0, NULL, NULL, NULL);
+}
+
+static int npa_gen_auth_ca(sc_card_t *card, const BUF_MEM *eph_pub_key,
+ BUF_MEM **nonce, BUF_MEM **token)
+{
+ sc_apdu_t apdu;
+ NPA_GEN_AUTH_CA_C *c_data = NULL;
+ NPA_GEN_AUTH_CA_R *r_data = NULL;
+ unsigned char *d = NULL;
+ int r;
+ unsigned char resp[maxresp];
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, ISO_GENERAL_AUTHENTICATE,
+ 0, 0);
+
+ c_data = NPA_GEN_AUTH_CA_C_new();
+ if (!c_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ c_data->eph_pub_key = ASN1_OCTET_STRING_new();
+ if (!c_data->eph_pub_key
+ || !M_ASN1_OCTET_STRING_set( c_data->eph_pub_key,
+ eph_pub_key->data, eph_pub_key->length)) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = i2d_NPA_GEN_AUTH_CA_C(c_data, &d);
+ if (r < 0) {
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ apdu.data = d;
+ apdu.datalen = r;
+ apdu.lc = r;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Perform Key Agreement) command data", apdu.data, apdu.datalen);
+
+ apdu.resplen = sizeof resp;
+ apdu.resp = resp;
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ goto err;
+
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ if (r < 0)
+ goto err;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "General authenticate (Perform Key Agreement) response data", apdu.resp, apdu.resplen);
+
+ if (!d2i_NPA_GEN_AUTH_CA_R(&r_data,
+ (const unsigned char **) &apdu.resp, apdu.resplen)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse general authenticate response data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (!r_data->nonce || !r_data->auth_token) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Response data of general authenticate for CA"
+ "should contain the nonce and the authentication token.");
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+
+ if (*nonce)
+ BUF_MEM_free(*nonce);
+ *nonce = BUF_MEM_create_init(r_data->nonce->data,
+ r_data->nonce->length);
+ if (*token)
+ BUF_MEM_free(*token);
+ *token = BUF_MEM_create_init(r_data->auth_token->data,
+ r_data->auth_token->length);
+ if (!*nonce || !*token) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+
+err:
+ if (c_data)
+ NPA_GEN_AUTH_CA_C_free(c_data);
+ if (r_data)
+ NPA_GEN_AUTH_CA_R_free(r_data);
+ OPENSSL_free(d);
+
+ return r;
+}
+
+static int get_ef_card_security(sc_card_t *card,
+ u8 **ef_security, size_t *length_ef_security)
+{
+ return iso7816_read_binary_sfid(card, SFID_EF_CARDSECURITY, ef_security, length_ef_security);
+}
+
+int perform_chip_authentication(sc_card_t *card,
+ unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_len)
+{
+ int r;
+ BUF_MEM *picc_pubkey = NULL, *nonce = NULL, *token = NULL,
+ *eph_pub_key = NULL;
+ struct iso_sm_ctx *isosmctx;
+ struct npa_sm_ctx *eacsmctx;
+
+ if (!card || !card->sm_ctx.info.cmd_data
+ || !ef_cardsecurity || !ef_cardsecurity_len) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ isosmctx = card->sm_ctx.info.cmd_data;
+ if (!isosmctx->priv_data) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ eacsmctx = isosmctx->priv_data;
+
+
+ /* Passive Authentication */
+ if (!*ef_cardsecurity && !*ef_cardsecurity_len) {
+ r = get_ef_card_security(card, ef_cardsecurity, ef_cardsecurity_len);
+ if (r < 0 || !ef_cardsecurity || !ef_cardsecurity_len) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get EF.CardSecurity.");
+ goto err;
+ }
+ }
+ picc_pubkey = CA_get_pubkey(eacsmctx->ctx, *ef_cardsecurity, *ef_cardsecurity_len);
+ if (!picc_pubkey) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not verify EF.CardSecurity.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+
+ r = npa_mse_set_at_ca(card, eacsmctx->ctx->ca_ctx->protocol);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not select protocol proberties "
+ "(MSE: Set AT failed).");
+ goto err;
+ }
+
+
+ eph_pub_key = CA_STEP2_get_eph_pubkey(eacsmctx->ctx);
+ if (!eph_pub_key) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not derive keys.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ r = npa_gen_auth_ca(card, eph_pub_key, &nonce, &token);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "(General Authenticate failed).");
+ goto err;
+ }
+
+
+ if (!CA_STEP4_compute_shared_secret(eacsmctx->ctx, picc_pubkey)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not compute shared secret.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+
+ if (!CA_STEP6_derive_keys(eacsmctx->ctx, nonce, token)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not derive keys.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+
+ /* Initialize secure channel */
+ if (!EAC_CTX_set_encryption_ctx(eacsmctx->ctx, EAC_ID_CA)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not initialize encryption.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+err:
+ BUF_MEM_clear_free(picc_pubkey);
+ BUF_MEM_clear_free(nonce);
+ BUF_MEM_clear_free(token);
+ BUF_MEM_clear_free(eph_pub_key);
+
+ if (card)
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+ else
+ return r;
+}
+
+static int
+increment_ssc(struct npa_sm_ctx *eacsmctx)
+{
+ if (!eacsmctx)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ if (!EAC_increment_ssc(eacsmctx->ctx))
+ return SC_ERROR_INTERNAL;
+
+ return SC_SUCCESS;
+}
+
+static int
+npa_sm_encrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *data, size_t datalen, u8 **enc)
+{
+ BUF_MEM *encbuf = NULL, *databuf = NULL;
+ u8 *p = NULL;
+ int r;
+ struct npa_sm_ctx *eacsmctx;
+
+ if (!card || !ctx || !enc || !ctx->priv_data) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ eacsmctx = ctx->priv_data;
+
+ databuf = BUF_MEM_create_init(data, datalen);
+ encbuf = EAC_encrypt(eacsmctx->ctx, databuf);
+ if (!databuf || !encbuf) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ p = realloc(*enc, encbuf->length);
+ if (!p) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ *enc = p;
+ /* Flawfinder: ignore */
+ memcpy(*enc, encbuf->data, encbuf->length);
+ r = encbuf->length;
+
+err:
+ BUF_MEM_clear_free(databuf);
+ if (encbuf)
+ BUF_MEM_free(encbuf);
+
+ return r;
+}
+
+static int
+npa_sm_decrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *enc, size_t enclen, u8 **data)
+{
+ BUF_MEM *encbuf = NULL, *databuf = NULL;
+ u8 *p = NULL;
+ int r;
+ struct npa_sm_ctx *eacsmctx;
+
+ if (!card || !ctx || !enc || !ctx->priv_data || !data) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ eacsmctx = ctx->priv_data;
+
+ encbuf = BUF_MEM_create_init(enc, enclen);
+ databuf = EAC_decrypt(eacsmctx->ctx, encbuf);
+ if (!encbuf || !databuf) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ p = realloc(*data, databuf->length);
+ if (!p) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ *data = p;
+ /* Flawfinder: ignore */
+ memcpy(*data, databuf->data, databuf->length);
+ r = databuf->length;
+
+err:
+ BUF_MEM_clear_free(databuf);
+ if (encbuf)
+ BUF_MEM_free(encbuf);
+
+ return r;
+}
+
+static int
+npa_sm_authenticate(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *data, size_t datalen, u8 **macdata)
+{
+ BUF_MEM *inbuf = NULL, *macbuf = NULL;
+ u8 *p = NULL;
+ int r;
+ struct npa_sm_ctx *eacsmctx;
+
+ if (!card || !ctx || !ctx->priv_data || !macdata) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ eacsmctx = ctx->priv_data;
+
+ inbuf = BUF_MEM_create_init(data, datalen);
+ if (!inbuf) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+
+ macbuf = EAC_authenticate(eacsmctx->ctx, inbuf);
+ if (!macbuf) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Could not compute message authentication code (MAC).");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ p = realloc(*macdata, macbuf->length);
+ if (!p) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ *macdata = p;
+ /* Flawfinder: ignore */
+ memcpy(*macdata, macbuf->data, macbuf->length);
+ r = macbuf->length;
+
+err:
+ if (inbuf)
+ BUF_MEM_free(inbuf);
+ if (macbuf)
+ BUF_MEM_free(macbuf);
+
+ return r;
+}
+
+static int
+npa_sm_verify_authentication(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *mac, size_t maclen,
+ const u8 *macdata, size_t macdatalen)
+{
+ int r;
+ BUF_MEM *inbuf = NULL, *my_mac = NULL;
+ struct npa_sm_ctx *eacsmctx;
+
+ if (!card || !ctx || !ctx->priv_data) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ eacsmctx = ctx->priv_data;
+
+ inbuf = BUF_MEM_create_init(macdata, macdatalen);
+ if (!inbuf) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+
+ my_mac = EAC_authenticate(eacsmctx->ctx, inbuf);
+ if (!my_mac) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Could not compute message authentication code (MAC) for verification.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (my_mac->length != maclen ||
+ memcmp(my_mac->data, mac, maclen) != 0) {
+ r = SC_ERROR_OBJECT_NOT_VALID;
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Authentication data not verified");
+ goto err;
+ }
+
+ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Authentication data verified");
+
+ r = SC_SUCCESS;
+
+err:
+ if (inbuf)
+ BUF_MEM_free(inbuf);
+ if (my_mac)
+ BUF_MEM_free(my_mac);
+
+ return r;
+}
+
+static int
+add_tag(unsigned char **asn1new, int constructed, int tag,
+ int xclass, const unsigned char *data, size_t len)
+{
+ unsigned char *p;
+ int newlen;
+
+ if (!asn1new || !data)
+ return -1;
+
+ newlen = ASN1_object_size(constructed, len, tag);
+ if (newlen < 0)
+ return newlen;
+
+ p = OPENSSL_realloc(*asn1new, newlen);
+ if (!p)
+ return -1;
+ *asn1new = p;
+
+ ASN1_put_object(&p, constructed, len, tag, xclass);
+ memcpy(p, data, len);
+
+ return newlen;
+}
+static int
+npa_sm_pre_transmit(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *apdu)
+{
+ int r;
+ CVC_CERT *cvc_cert = NULL;
+ unsigned char *cert = NULL;
+ int len;
+ BUF_MEM *signature = NULL;
+ unsigned char *sequence = NULL;
+ NPA_MSE_C *msesetat = NULL;
+ const unsigned char *p;
+ struct npa_sm_ctx *eacsmctx;
+
+ if (!card)
+ return SC_ERROR_INVALID_ARGUMENTS;
+ if(!ctx || !apdu || !ctx->priv_data) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+ eacsmctx = ctx->priv_data;
+
+ if (!(eacsmctx->flags & NPA_FLAG_DISABLE_CHECK_ALL)) {
+ if (apdu->ins == 0x2a && apdu->p1 == 0x00 && apdu->p2 == 0xbe) {
+ /* PSO:Verify Certificate
+ * check certificate description to match given certificate */
+
+ len = add_tag(&cert, 1, 0x21, V_ASN1_APPLICATION, apdu->data, apdu->datalen);
+ p = cert;
+ if (len < 0 || !CVC_d2i_CVC_CERT(&cvc_cert, &p, len)
+ || !cvc_cert || !cvc_cert->body) {
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+
+ switch (CVC_get_role(cvc_cert->body->chat)) {
+ case CVC_CVCA:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Processing CVCA certificate");
+ break;
+
+ case CVC_DV:
+ case CVC_DocVer:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Processing DV certificate");
+ break;
+
+ case CVC_Terminal:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Processing Terminal certificate");
+
+ if (eacsmctx->certificate_description) {
+ switch (CVC_check_description(cvc_cert,
+ (unsigned char *) eacsmctx->certificate_description->data,
+ eacsmctx->certificate_description->length)) {
+ case 1:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Certificate Description matches Certificate");
+ break;
+ case 0:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Certificate Description doesn't match Certificate");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ break;
+ default:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Error verifying Certificate Description");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ break;
+ }
+ } else {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Warning: Certificate Description missing");
+ }
+ break;
+
+ default:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Unknown type of certificate");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ break;
+ }
+
+ if (!TA_STEP2_import_certificate(eacsmctx->ctx, cert, len)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Error importing certificate");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ } else if (apdu->ins == ISO_MSE && apdu->p2 == 0xa4) {
+ /* MSE:Set AT */
+
+ len = add_tag(&sequence, 1, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, apdu->data, apdu->datalen);
+ p = sequence;
+ if (len < 0 || !d2i_NPA_MSE_C(&msesetat, &p, len)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not parse MSE:Set AT.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (apdu->p1 == 0x81) {
+ /* CA: fetch auxiliary data and terminal's compressed ephemeral
+ * public key */
+
+ if (msesetat->auxiliary_data) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Saving terminal's auxiliary data");
+ if (eacsmctx->auxiliary_data)
+ BUF_MEM_free(eacsmctx->auxiliary_data);
+ eacsmctx->auxiliary_data = BUF_MEM_new();
+ if (!eacsmctx->auxiliary_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ eacsmctx->auxiliary_data->length = i2d_ASN1_AUXILIARY_DATA(
+ msesetat->auxiliary_data,
+ (unsigned char **) &eacsmctx->auxiliary_data->data);
+ if ((int) eacsmctx->auxiliary_data->length < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Error encoding auxiliary data.");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ eacsmctx->auxiliary_data->max = eacsmctx->auxiliary_data->length;
+ }
+ if (msesetat->eph_pub_key) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Saving terminal's compressed ephemeral public key");
+ if (eacsmctx->eph_pub_key)
+ BUF_MEM_free(eacsmctx->eph_pub_key);
+ eacsmctx->eph_pub_key =
+ BUF_MEM_create_init(msesetat->eph_pub_key->data,
+ msesetat->eph_pub_key->length);
+ if (!eacsmctx->eph_pub_key) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ }
+ } else if (apdu->p1 == 0x41) {
+ /* TA: Set CAR */
+
+ if (msesetat->key_reference1 && msesetat->key_reference1->data &&
+ msesetat->key_reference1->length) {
+ /* do nothing. The trust anchor matching this CAR will be
+ * looked up when the certificate chain is imported */
+ }
+ }
+ } else if (apdu->ins == 0x82 && apdu->p1 == 0x00 && apdu->p2 == 0x00) {
+ /* External Authenticate
+ * check terminal's signature */
+
+ signature = BUF_MEM_create_init(apdu->data, apdu->datalen);
+ if (!signature) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ switch (TA_STEP6_verify(eacsmctx->ctx, eacsmctx->eph_pub_key,
+ eacsmctx->id_icc, eacsmctx->auxiliary_data, signature)) {
+ case 1:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Verified Terminal's signature");
+ break;
+ case 0:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Terminal's signature not verified");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ break;
+ default:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Error verifying terminal's signature");
+ ssl_error(card->ctx);
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ break;
+ }
+ }
+ }
+
+ r = increment_ssc(ctx->priv_data);
+
+err:
+ if (cvc_cert)
+ CVC_CERT_free(cvc_cert);
+ if (signature)
+ BUF_MEM_free(signature);
+ if (cert)
+ OPENSSL_free(cert);
+ if (sequence)
+ OPENSSL_free(sequence);
+ if (msesetat)
+ NPA_MSE_C_free(msesetat);
+
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
+}
+
+static int
+npa_sm_post_transmit(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *sm_apdu)
+{
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL,
+ increment_ssc(ctx->priv_data));
+}
+
+static int
+npa_sm_finish(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *apdu)
+{
+ struct npa_sm_ctx *eacsmctx;
+ if (!card)
+ return SC_ERROR_INVALID_ARGUMENTS;
+ if(!ctx || !ctx->priv_data || !apdu)
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL,
+ SC_ERROR_INVALID_ARGUMENTS);
+ eacsmctx = ctx->priv_data;
+
+ if (!(eacsmctx->flags & NPA_FLAG_DISABLE_CHECK_ALL)) {
+ if (apdu->sw1 == 0x90 && apdu->sw2 == 0x00) {
+ if (apdu->ins == 0x84 && apdu->p1 == 0x00 && apdu->p2 == 0x00
+ && apdu->le == 8 && apdu->resplen == 8) {
+ BUF_MEM *nonce;
+ int r;
+ /* Get Challenge
+ * copy challenge to EAC context */
+
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Saving MRTD's nonce to later verify Terminal's signature");
+
+ nonce = BUF_MEM_create_init(apdu->resp, apdu->resplen);
+ r = TA_STEP4_set_nonce(eacsmctx->ctx, nonce);
+ if (nonce)
+ BUF_MEM_free(nonce);
+
+ if (!r) {
+ ssl_error(card->ctx);
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INTERNAL);
+ }
+ }
+ }
+ }
+
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_SUCCESS);
+}
+
+static void
+npa_sm_clear_free(const struct iso_sm_ctx *ctx)
+{
+ if (ctx) {
+ struct npa_sm_ctx *eacsmctx = ctx->priv_data;
+ EAC_CTX_clear_free(eacsmctx->ctx);
+ if (eacsmctx->certificate_description)
+ BUF_MEM_free(eacsmctx->certificate_description);
+ if (eacsmctx->id_icc)
+ BUF_MEM_free(eacsmctx->id_icc);
+ if (eacsmctx->eph_pub_key)
+ BUF_MEM_free(eacsmctx->eph_pub_key);
+ if (eacsmctx->auxiliary_data)
+ BUF_MEM_free(eacsmctx->auxiliary_data);
+ free(eacsmctx);
+ }
+}
+
+#else
+
+int perform_pace(sc_card_t *card,
+ struct establish_pace_channel_input pace_input,
+ struct establish_pace_channel_output *pace_output,
+ enum eac_tr_version tr_version)
+{
+ int r;
+
+ if (card->reader->capabilities & SC_READER_CAP_PACE_GENERIC
+ && card->reader->ops->perform_pace) {
+ r = card->reader->ops->perform_pace(card->reader, &pace_input, pace_output);
+ } else {
+ r = SC_ERROR_NOT_SUPPORTED;
+ }
+
+ return r;
+}
+
+int perform_terminal_authentication(sc_card_t *card,
+ const unsigned char **certs, const size_t *certs_lens,
+ const unsigned char *privkey, size_t privkey_len,
+ const unsigned char *auxiliary_data, size_t auxiliary_data_len)
+{
+ return SC_ERROR_NOT_SUPPORTED;
+}
+
+int perform_chip_authentication(sc_card_t *card,
+ unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_len)
+{
+ return SC_ERROR_NOT_SUPPORTED;
+}
+
+#endif
+
+static const char *MRZ_name = "MRZ";
+static const char *PIN_name = "eID PIN";
+static const char *PUK_name = "PUK";
+static const char *CAN_name = "CAN";
+static const char *UNDEF_name = "UNDEF";
+const char *npa_secret_name(enum s_type pin_id) {
+ switch (pin_id) {
+ case PACE_MRZ:
+ return MRZ_name;
+ case PACE_PUK:
+ return PUK_name;
+ case PACE_PIN:
+ return PIN_name;
+ case PACE_CAN:
+ return CAN_name;
+ default:
+ return UNDEF_name;
+ }
+}
+
+int
+npa_reset_retry_counter(sc_card_t *card, enum s_type pin_id,
+ int ask_for_secret, const char *new, size_t new_len)
+{
+ sc_apdu_t apdu;
+ char *p = NULL;
+ int r;
+
+ if (ask_for_secret && (!new || !new_len)) {
+ if (!(SC_READER_CAP_PIN_PAD & card->reader->capabilities)) {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ p = malloc(MAX_PIN_LEN+1);
+ if (!p) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for new PIN.\n");
+ return SC_ERROR_OUT_OF_MEMORY;
+ }
+ if (0 > EVP_read_pw_string_min(p,
+ MIN_PIN_LEN, MAX_PIN_LEN+1,
+ "Please enter your new PIN: ", 0)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not read new PIN.\n");
+ free(p);
+ return SC_ERROR_INTERNAL;
+ }
+ new_len = strlen(p);
+ if (new_len > MAX_PIN_LEN)
+ return SC_ERROR_INVALID_PIN_LENGTH;
+ new = p;
+#else
+ return SC_ERROR_NOT_SUPPORTED;
+#endif
+ }
+ }
+
+ sc_format_apdu(card, &apdu, 0, 0x2C, 0, pin_id);
+ apdu.data = (u8 *) new;
+ apdu.datalen = new_len;
+ apdu.lc = apdu.datalen;
+
+ if (new_len || ask_for_secret) {
+ apdu.p1 = 0x02;
+ apdu.cse = SC_APDU_CASE_3_SHORT;
+ } else {
+ apdu.p1 = 0x03;
+ apdu.cse = SC_APDU_CASE_1;
+ }
+
+ if (ask_for_secret && !new_len) {
+ struct sc_pin_cmd_data data;
+ data.apdu = &apdu;
+ data.cmd = SC_PIN_CMD_CHANGE;
+ data.flags = SC_PIN_CMD_IMPLICIT_CHANGE;
+ data.pin2.encoding = SC_PIN_ENCODING_ASCII;
+ data.pin2.length_offset = 0;
+ data.pin2.offset = 5;
+ data.pin2.max_length = MAX_PIN_LEN;
+ data.pin2.min_length = MIN_PIN_LEN;
+ data.pin2.pad_length = 0;
+ r = card->reader->ops->perform_verify(card->reader, &data);
+ } else
+ r = sc_transmit_apdu(card, &apdu);
+
+ if (p) {
+ sc_mem_clear(p, new_len);
+ free(p);
+ }
+
+ return r;
+}
+
+int npa_pace_get_tries_left(sc_card_t *card,
+ enum s_type pin_id, int *tries_left)
+{
+ int r;
+ u8 sw1, sw2;
+
+ if (tries_left) {
+#if defined(ENABLE_OPENPACE) && defined(ENABLE_SM)
+ r = npa_mse_set_at_pace(card, 0, pin_id, 0, &sw1, &sw2);
+#else
+ sc_apdu_t apdu;
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, ISO_MSE, 0xC1, 0xA4);
+ r = sc_transmit_apdu(card, &apdu);
+ sw1 = apdu.sw1;
+ sw2 = apdu.sw2;
+#endif
+
+ if (r > 0 && (sw1 == 0x63) && ((sw2 & 0xc0) == 0xc0)) {
+ *tries_left = sw2 & 0x0f;
+ } else {
+ *tries_left = -1;
+ }
+ } else {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ }
+
+ return r;
+}
+
+int get_pace_capabilities(u8 *bitmap)
+{
+ if (!bitmap)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ /* BitMap */
+ *bitmap = NPA_BITMAP_PACE|NPA_BITMAP_EID|NPA_BITMAP_ESIGN;
+
+ return SC_SUCCESS;
+}
diff --git a/src/sm/sm-eac.h b/src/sm/sm-eac.h
new file mode 100644
index 0000000..755dd2a
--- /dev/null
+++ b/src/sm/sm-eac.h
@@ -0,0 +1,296 @@
+/*
+ * Copyright (C) 2011-2015 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+/**
+ * @file
+ * @defgroup npa Interface to German identity card (neuer Personalausweis, nPA)
+ * @{
+ */
+#ifndef _SC_EAC_H
+#define _SC_EAC_H
+
+#include "libopensc/opensc.h"
+#include "libopensc/pace.h"
+#include "sm/sm-iso.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef ENABLE_OPENPACE
+#include <eac/cv_cert.h>
+#include <eac/eac.h>
+#include <eac/pace.h>
+
+/** @brief ASN.1 type for authenticated auxiliary data for terminal authentication */
+typedef STACK_OF(CVC_DISCRETIONARY_DATA_TEMPLATE) ASN1_AUXILIARY_DATA;
+DECLARE_ASN1_FUNCTIONS(ASN1_AUXILIARY_DATA)
+
+#else
+/** @brief Type of the secret */
+enum s_type {
+ /** @brief MRZ is the Machine Readable Zone, printed on the card, encoding
+ * the personal information of the user */
+ PACE_MRZ = 1,
+ /** @brief CAN is the Card access number printed on the card */
+ PACE_CAN,
+ /** @brief PIN is the Personal Identification Number, a secret known only
+ * to the user and not printed on the card */
+ PACE_PIN,
+ /** @brief PUK is the Personal Unblocking key. This type of secret is used
+ * when the card is suspended due to too many incorrect PACE runs */
+ PACE_PUK,
+ /** @brief This type of secret is not defined in BSI TR-03110. We use it as
+ * a generic type, so we can use PACE independent from a ID card */
+ PACE_RAW,
+ /** @brief Undefined type, if nothing else matches */
+ PACE_SEC_UNDEF
+};
+
+/**
+ * @brief Identification of the specifications to use.
+ *
+ * @note TR-03110 v2.01 differs from all later versions of the Technical
+ * Guideline in how the authentication token is calculated. Therefore old test
+ * cards are incompatible with the newer specification.
+ */
+enum eac_tr_version {
+ /** @brief Undefined type, if nothing else matches */
+ EAC_TR_VERSION = 0,
+ /** @brief Perform EAC according to TR-03110 v2.01 */
+ EAC_TR_VERSION_2_01,
+ /** @brief Perform EAC according to TR-03110 v2.02 and later */
+ EAC_TR_VERSION_2_02,
+};
+#endif
+
+/** @brief NPA capabilities (TR-03119): PACE */
+#define NPA_BITMAP_PACE 0x40
+/** @brief NPA capabilities (TR-03119): EPA: eID */
+#define NPA_BITMAP_EID 0x20
+/** @brief NPA capabilities (TR-03119): EPA: eSign */
+#define NPA_BITMAP_ESIGN 0x10
+
+/** @brief NPA result (TR-03119): Kein Fehler */
+#define NPA_SUCCESS 0x00000000
+/** @brief NPA result (TR-03119): Längen im Input sind inkonsistent */
+#define NPA_ERROR_LENGTH_INCONSISTENT 0xD0000001
+/** @brief NPA result (TR-03119): Unerwartete Daten im Input */
+#define NPA_ERROR_UNEXPECTED_DATA 0xD0000002
+/** @brief NPA result (TR-03119): Unerwartete Kombination von Daten im Input */
+#define NPA_ERROR_UNEXPECTED_DATA_COMBINATION 0xD0000003
+/** @brief NPA result (TR-03119): Die Karte unterstützt das PACE – Verfahren nicht. (Unerwartete Struktur in Antwortdaten der Karte) */
+#define NPA_ERROR_CARD_NOT_SUPPORTED 0xE0000001
+/** @brief NPA result (TR-03119): Der Kartenleser unterstützt den angeforderten bzw. den ermittelten Algorithmus nicht. */
+#define NPA_ERROR_ALGORITH_NOT_SUPPORTED 0xE0000002
+/** @brief NPA result (TR-03119): Der Kartenleser kennt die PIN – ID nicht. */
+#define NPA_ERROR_PINID_NOT_SUPPORTED 0xE0000003
+/** @brief NPA result (TR-03119): Negative Antwort der Karte auf Select EF_CardAccess (needs to be OR-ed with SW1|SW2) */
+#define NPA_ERROR_SELECT_EF_CARDACCESS 0xF0000000
+/** @brief NPA result (TR-03119): Negative Antwort der Karte auf Read Binary (needs to be OR-ed with SW1|SW2) */
+#define NPA_ERROR_READ_BINARY 0xF0010000
+/** @brief NPA result (TR-03119): Negative Antwort der Karte auf MSE: Set AT (needs to be OR-ed with SW1|SW2) */
+#define NPA_ERROR_MSE_SET_AT 0xF0020000
+/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 1 (needs to be OR-ed with SW1|SW2) */
+#define NPA_ERROR_GENERAL_AUTHENTICATE_1 0xF0030000
+/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 2 (needs to be OR-ed with SW1|SW2) */
+#define NPA_ERROR_GENERAL_AUTHENTICATE_2 0xF0040000
+/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 3 (needs to be OR-ed with SW1|SW2) */
+#define NPA_ERROR_GENERAL_AUTHENTICATE_3 0xF0050000
+/** @brief NPA result (TR-03119): Negative Antwort der Karte auf General Authenticate Step 4 (needs to be OR-ed with SW1|SW2) */
+#define NPA_ERROR_GENERAL_AUTHENTICATE_4 0xF0060000
+/** @brief NPA result (TR-03119): Kommunikationsabbruch mit Karte. */
+#define NPA_ERROR_COMMUNICATION 0xF0100001
+/** @brief NPA result (TR-03119): Keine Karte im Feld. */
+#define NPA_ERROR_NO_CARD 0xF0100002
+/** @brief NPA result (TR-03119): Benutzerabbruch. */
+#define NPA_ERROR_ABORTED 0xF0200001
+/** @brief NPA result (TR-03119): Benutzer – Timeout */
+#define NPA_ERROR_TIMEOUT 0xF0200002
+
+/** @brief File identifier of EF.CardAccess */
+#define FID_EF_CARDACCESS 0x011C
+/** @brief Short file identifier of EF.CardAccess */
+#define SFID_EF_CARDACCESS 0x1C
+/** @brief File identifier of EF.CardSecurity */
+#define FID_EF_CARDSECURITY 0x011D
+/** @brief Short file identifier of EF.CardAccess */
+#define SFID_EF_CARDSECURITY 0x1D
+
+/** @brief Maximum length of PIN */
+#define MAX_PIN_LEN 6
+/** @brief Minimum length of PIN */
+#define MIN_PIN_LEN 6
+/** @brief Length of CAN */
+#define CAN_LEN 6
+/** @brief Minimum length of MRZ */
+#define MAX_MRZ_LEN 128
+/** @brief Number of retries for PIN */
+#define MAX_PIN_TRIES 3
+/** @brief Usage counter of PIN in suspended state */
+#define UC_PIN_SUSPENDED 1
+
+
+/**
+ * @brief Names the type of the PACE secret
+ *
+ * @param pin_id type of the PACE secret
+ *
+ * @return Printable string containing the name
+ */
+const char *npa_secret_name(enum s_type pin_id);
+
+
+/**
+ * @brief Get the PACE capabilities
+ *
+ * @param[in,out] bitmap where to store capabilities bitmap
+ * @note Since this code offers no support for terminal certificate, the bitmap is always \c PACE_BITMAP_PACE|PACE_BITMAP_EID
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int get_pace_capabilities(u8 *bitmap);
+
+/**
+ * @brief Establish secure messaging using PACE
+ *
+ * Modifies \a card to use the ISO SM driver and initializes the data
+ * structures to use the established SM channel.
+ *
+ * Prints certificate description and card holder authorization template if
+ * given in a human readable form to stdout. If no secret is given, the user is
+ * asked for it. Only \a pace_input.pin_id is mandatory, the other members of
+ * \a pace_input can be set to \c 0 or \c NULL respectively.
+ *
+ * The buffers in \a pace_output are allocated using \c realloc() and should be
+ * set to NULL, if empty. If an EF.CardAccess is already present, this file is
+ * reused and not fetched from the card.
+ *
+ * @param[in,out] card
+ * @param[in] pace_input
+ * @param[in,out] pace_output
+ * @param[in] tr_version Version of TR-03110 to use with PACE
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int perform_pace(sc_card_t *card,
+ struct establish_pace_channel_input pace_input,
+ struct establish_pace_channel_output *pace_output,
+ enum eac_tr_version tr_version);
+
+/**
+ * @brief Terminal Authentication version 2
+ *
+ * @param[in] card
+ * @param[in] certs chain of cv certificates, the last certificate
+ * is the terminal's certificate, array should be
+ * terminated with \c NULL
+ * @param[in] certs_lens length of each element in \c certs, should be
+ * terminated with \c 0
+ * @param[in] privkey The terminal's private key
+ * @param[in] privkey_len length of \a privkey
+ * @param[in] auxiliary_data auxiliary data for age/validity/community ID
+ * verification. Should be an ASN1 object tagged
+ * with \c 0x67
+ * @param[in] auxiliary_data_len length of \a auxiliary_data
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int perform_terminal_authentication(sc_card_t *card,
+ const unsigned char **certs, const size_t *certs_lens,
+ const unsigned char *privkey, size_t privkey_len,
+ const unsigned char *auxiliary_data, size_t auxiliary_data_len);
+
+/**
+ * @brief Establish secure messaging using Chip Authentication version 2
+ *
+ * Switches the SM context of \c card to the new established keys.
+ *
+ * @param[in] card
+ * @param[in,out] ef_cardsecurity
+ * @param[in,out] ef_cardsecurity_len
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int perform_chip_authentication(sc_card_t *card,
+ unsigned char **ef_cardsecurity, size_t *ef_cardsecurity_len);
+
+/**
+ * @brief Sends a reset retry counter APDU
+ *
+ * According to TR-03110 the reset retry counter APDU is used to set a new PIN
+ * or to reset the retry counter of the PIN. The standard requires this
+ * operation to be authorized either by an established PACE channel or by the
+ * effective authorization of the terminal's certificate.
+ *
+ * @param[in] card
+ * @param[in] pin_id Type of secret (usually PIN or CAN). You may use <tt>enum s_type</tt> from \c <openssl/pace.h>.
+ * @param[in] ask_for_secret whether to ask the user for the secret (\c 1) or not (\c 0)
+ * @param[in] new (optional) new secret
+ * @param[in] new_len (optional) length of \a new
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int npa_reset_retry_counter(sc_card_t *card,
+ enum s_type pin_id, int ask_for_secret,
+ const char *new, size_t new_len);
+
+/**
+ * @brief Sends an MSE:Set AT to determine the number of remaining tries
+ *
+ * @param[in] card
+ * @param[in] pin_id Type of secret (usually PIN or CAN). You may use <tt>enum s_type</tt> from \c <openssl/pace.h>.
+ * @param[in,out] tries_left Tries left or -1 if no specific number has been returned by the card (e.g. when there is no limit in retries).
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int npa_pace_get_tries_left(sc_card_t *card,
+ enum s_type pin_id, int *tries_left);
+/**
+ * @brief Send APDU to unblock the PIN
+ *
+ * @param[in] card
+ */
+#define npa_unblock_pin(card) \
+ npa_reset_retry_counter(card, PACE_PIN, 0, NULL, 0)
+/**
+ * @brief Send APDU to set a new PIN
+ *
+ * @param[in] card
+ * @param[in] newp (optional) new PIN
+ * @param[in] newplen (optional) length of \a new
+ */
+#define npa_change_pin(card, newp, newplen) \
+ npa_reset_retry_counter(card, PACE_PIN, 1, newp, newplen)
+
+/** @brief Disable all sanity checks done by libnpa */
+#define NPA_FLAG_DISABLE_CHECK_ALL 1
+/** @brief Disable checking validity period of CV certificates */
+#define NPA_FLAG_DISABLE_CHECK_TA 2
+/** @brief Disable checking passive authentication during CA */
+#define NPA_FLAG_DISABLE_CHECK_CA 4
+
+/** @brief Use \c npa_default_flags to disable checks for EAC/SM */
+extern char npa_default_flags;
+
+#ifdef __cplusplus
+}
+#endif
+#endif
+/* @} */
diff --git a/src/sm/sm-iso-internal.h b/src/sm/sm-iso-internal.h
new file mode 100644
index 0000000..9d8e9d0
--- /dev/null
+++ b/src/sm/sm-iso-internal.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2012-2015 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+/**
+ * @file
+ * @defgroup sm Interface to Secure Messaging (SM) defined in ISO 7816
+ * @{
+ */
+#ifndef _ISO_SM_INTERNAL_H
+#define _ISO_SM_INTERNAL_H
+
+#include "libopensc/opensc.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+
+/* @brief Protect an APDU with Secure Messaging
+ *
+ * If secure messaging (SM) is activated in \a sctx and \a apdu is not already
+ * SM protected, \a apdu is processed with the following steps:
+ * \li call to \a sctx->pre_transmit
+ * \li encrypt \a apdu calling \a sctx->encrypt
+ * \li authenticate \a apdu calling \a sctx->authenticate
+ * \li copy the SM protected data to \a sm_apdu
+ *
+ * Data for authentication or encryption is always padded before the callback
+ * functions are called
+ *
+ * @param[in] card
+ * @param[in] apdu
+ * @param[in,out] sm_apdu
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu);
+
+/* @brief Remove Secure Messaging from an APDU
+ *
+ * If secure messaging (SM) is activated in \a sctx and \a apdu is not already
+ * SM protected, \a apdu is processed with the following steps:
+ * \li verify SM protected \a apdu calling \a sctx->verify_authentication
+ * \li decrypt SM protected \a apdu calling \a sctx->decrypt
+ * \li copy decrypted/authenticated data and status bytes to \a apdu
+ *
+ * Callback functions must not remove padding.
+ *
+ * @param[in] card
+ * @param[in,out] apdu
+ * @param[in,out] sm_apdu will be freed when done.
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int iso_free_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu);
+
+/**
+ * @brief Cleans up allocated ressources of the ISO SM driver
+ *
+ * \c iso_sm_close() is designed as SM card operation. However, have in mind
+ * that this card operation is not called automatically for \c
+ * sc_disconnect_card() .
+ *
+ * @param[in] card
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int iso_sm_close(struct sc_card *card);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
+/* @} */
diff --git a/src/sm/sm-iso.c b/src/sm/sm-iso.c
new file mode 100644
index 0000000..5128823
--- /dev/null
+++ b/src/sm/sm-iso.c
@@ -0,0 +1,783 @@
+/*
+ * Copyright (C) 2011-2015 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "sm-iso-internal.h"
+#include "libopensc/asn1.h"
+#include "libopensc/log.h"
+#include "sm/sm-iso.h"
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef ENABLE_SM
+
+static const struct sc_asn1_entry c_sm_capdu[] = {
+ { "Cryptogram",
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x05, SC_ASN1_OPTIONAL, NULL, NULL },
+ { "Padding-content indicator followed by cryptogram",
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x07, SC_ASN1_OPTIONAL, NULL, NULL },
+ { "Protected Le",
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x17, SC_ASN1_OPTIONAL, NULL, NULL },
+ { "Cryptographic Checksum",
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x0E, SC_ASN1_OPTIONAL, NULL, NULL },
+ { NULL , 0 , 0 , 0 , NULL , NULL }
+};
+
+static const struct sc_asn1_entry c_sm_rapdu[] = {
+ { "Cryptogram",
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x05, SC_ASN1_OPTIONAL, NULL, NULL },
+ { "Padding-content indicator followed by cryptogram" ,
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x07, SC_ASN1_OPTIONAL, NULL, NULL },
+ { "Processing Status",
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x19, 0 , NULL, NULL },
+ { "Cryptographic Checksum",
+ SC_ASN1_OCTET_STRING, SC_ASN1_CTX|0x0E, SC_ASN1_OPTIONAL, NULL, NULL },
+ { NULL, 0, 0, 0, NULL, NULL }
+};
+
+static int
+add_iso_pad(const u8 *data, size_t datalen, int block_size, u8 **padded)
+{
+ u8 *p;
+ size_t p_len;
+
+ if (!padded)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ /* calculate length of padded message */
+ p_len = (datalen / block_size) * block_size + block_size;
+
+ p = realloc(*padded, p_len);
+ if (!p)
+ return SC_ERROR_OUT_OF_MEMORY;
+
+ if (*padded != data)
+ /* Flawfinder: ignore */
+ memcpy(p, data, datalen);
+
+ *padded = p;
+
+ /* now add iso padding */
+ memset(p + datalen, 0x80, 1);
+ memset(p + datalen + 1, 0, p_len - datalen - 1);
+
+ return p_len;
+}
+
+static int
+add_padding(const struct iso_sm_ctx *ctx, const u8 *data, size_t datalen,
+ u8 **padded)
+{
+ u8 *p;
+
+ switch (ctx->padding_indicator) {
+ case SM_NO_PADDING:
+ if (*padded != data) {
+ p = realloc(*padded, datalen);
+ if (!p)
+ return SC_ERROR_OUT_OF_MEMORY;
+ *padded = p;
+ /* Flawfinder: ignore */
+ memcpy(*padded, data, datalen);
+ }
+ return datalen;
+ case SM_ISO_PADDING:
+ return add_iso_pad(data, datalen, ctx->block_length, padded);
+ default:
+ return SC_ERROR_INVALID_ARGUMENTS;
+ }
+}
+
+static int
+rm_padding(u8 padding_indicator, const u8 *data, size_t datalen)
+{
+ size_t len;
+
+ if (!datalen || !data)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ switch (padding_indicator) {
+ case SM_NO_PADDING:
+ len = datalen;
+ break;
+
+ case SM_ISO_PADDING:
+ len = datalen;
+
+ while (len) {
+ len--;
+ if (data[len])
+ break;
+ }
+
+ if (data[len] != 0x80)
+ return SC_ERROR_INVALID_DATA;
+
+ break;
+
+ default:
+ return SC_ERROR_NOT_SUPPORTED;
+ }
+
+ return len;
+}
+
+static int format_le(size_t le, struct sc_asn1_entry *le_entry,
+ u8 **lebuf, size_t *le_len)
+{
+ u8 *p;
+
+ if (!lebuf || !le_len)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ p = realloc(*lebuf, *le_len);
+ if (!p)
+ return SC_ERROR_OUT_OF_MEMORY;
+ *lebuf = p;
+
+ switch (*le_len) {
+ case 1:
+ p[0] = le;
+ break;
+ case 2:
+ p[0] = le >> 8;
+ p[1] = le & 0xff;
+ break;
+ case 3:
+ p[0] = 0x00;
+ p[1] = le >> 8;
+ p[2] = le & 0xff;
+ break;
+ default:
+ return SC_ERROR_INVALID_ARGUMENTS;
+ }
+
+ sc_format_asn1_entry(le_entry, *lebuf, le_len, SC_ASN1_PRESENT);
+
+ return SC_SUCCESS;
+}
+
+static int prefix_buf(u8 prefix, u8 *buf, size_t buflen, u8 **cat)
+{
+ u8 *p;
+
+ p = realloc(*cat, buflen + 1);
+ if (!p)
+ return SC_ERROR_OUT_OF_MEMORY;
+
+ if (*cat == buf) {
+ memmove(p + 1, p, buflen);
+ } else {
+ /* Flawfinder: ignore */
+ memcpy(p + 1, buf, buflen);
+ }
+ p[0] = prefix;
+
+ *cat = p;
+
+ return buflen + 1;
+}
+
+static int format_data(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ int prepend_padding_indicator, const u8 *data, size_t datalen,
+ struct sc_asn1_entry *formatted_encrypted_data_entry,
+ u8 **formatted_data, size_t *formatted_data_len)
+{
+ int r;
+ u8 *pad_data = NULL;
+ size_t pad_data_len = 0;
+
+ if (!ctx || !formatted_data || !formatted_data_len) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ r = add_padding(ctx, data, datalen, &pad_data);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not add padding to data: %s",
+ sc_strerror(r));
+ goto err;
+ }
+ pad_data_len = r;
+
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Data to encrypt", pad_data, pad_data_len);
+ r = ctx->encrypt(card, ctx, pad_data, pad_data_len, formatted_data);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt the data");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Cryptogram", *formatted_data, r);
+
+ if (prepend_padding_indicator) {
+ r = prefix_buf(ctx->padding_indicator, *formatted_data, r, formatted_data);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not prepend padding indicator to formatted "
+ "data: %s", sc_strerror(r));
+ goto err;
+ }
+ }
+
+ *formatted_data_len = r;
+ sc_format_asn1_entry(formatted_encrypted_data_entry,
+ *formatted_data, formatted_data_len, SC_ASN1_PRESENT);
+
+ r = SC_SUCCESS;
+
+err:
+ if (pad_data) {
+ sc_mem_clear(pad_data, pad_data_len);
+ free(pad_data);
+ }
+
+ return r;
+}
+
+static int format_head(const struct iso_sm_ctx *ctx, const sc_apdu_t *apdu,
+ u8 **formatted_head)
+{
+ u8 *p;
+
+ if (!apdu || !formatted_head)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ p = realloc(*formatted_head, 4);
+ if (!p)
+ return SC_ERROR_OUT_OF_MEMORY;
+
+ p[0] = apdu->cla;
+ p[1] = apdu->ins;
+ p[2] = apdu->p1;
+ p[3] = apdu->p2;
+ *formatted_head = p;
+
+ return add_padding(ctx, *formatted_head, 4, formatted_head);
+}
+
+static int sm_encrypt(const struct iso_sm_ctx *ctx, sc_card_t *card,
+ const sc_apdu_t *apdu, sc_apdu_t **psm_apdu)
+{
+ struct sc_asn1_entry sm_capdu[5];
+ u8 *p, *le = NULL, *sm_data = NULL, *fdata = NULL, *mac_data = NULL,
+ *asn1 = NULL, *mac = NULL, *resp_data = NULL;
+ size_t sm_data_len, fdata_len, mac_data_len, asn1_len, mac_len, le_len;
+ int r, cse;
+ sc_apdu_t *sm_apdu = NULL;
+
+ if (!apdu || !ctx || !card || !card->reader || !psm_apdu) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ if ((apdu->cla & 0x0C) == 0x0C) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Given APDU is already protected with some secure messaging");
+ goto err;
+ }
+
+ sc_copy_asn1_entry(c_sm_capdu, sm_capdu);
+
+ sm_apdu = malloc(sizeof(sc_apdu_t));
+ if (!sm_apdu) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ sm_apdu->control = apdu->control;
+ sm_apdu->flags = apdu->flags;
+ sm_apdu->cla = apdu->cla|0x0C;
+ sm_apdu->ins = apdu->ins;
+ sm_apdu->p1 = apdu->p1;
+ sm_apdu->p2 = apdu->p2;
+ r = format_head(ctx, sm_apdu, &mac_data);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format header of SM apdu");
+ goto err;
+ }
+ mac_data_len = r;
+
+ /* get le and data depending on the case of the insecure command */
+ cse = apdu->cse;
+ if ((apdu->le/ctx->block_length + 1)*ctx->block_length + 18 > 0xff+1)
+ /* for encrypted APDUs we usually get authenticated status bytes (4B),
+ * a MAC (11B) and a cryptogram with padding indicator (3B without
+ * data). The cryptogram is always padded to the block size. */
+ /*cse |= SC_APDU_EXT;*/
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Response data may be truncated, because it doesn't fit into a short length APDU.");
+
+ switch (cse) {
+ case SC_APDU_CASE_1:
+ break;
+ case SC_APDU_CASE_2_SHORT:
+ le_len = 1;
+ r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
+ break;
+ case SC_APDU_CASE_2_EXT:
+ if (card->reader->active_protocol == SC_PROTO_T0) {
+ /* T0 extended APDUs look just like short APDUs */
+ le_len = 1;
+ r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
+ goto err;
+ }
+ } else {
+ /* in case of T1 always use 2 bytes for length */
+ le_len = 2;
+ r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
+ goto err;
+ }
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
+ break;
+ case SC_APDU_CASE_3_SHORT:
+ case SC_APDU_CASE_3_EXT:
+ if (apdu->ins & 1) {
+ r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
+ sm_capdu + 0, &fdata, &fdata_len);
+ } else {
+ r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
+ sm_capdu + 1, &fdata, &fdata_len);
+ }
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
+ fdata, fdata_len);
+ break;
+ case SC_APDU_CASE_4_SHORT:
+ /* in case of T0 no Le byte is added */
+ if (card->reader->active_protocol != SC_PROTO_T0) {
+ le_len = 1;
+ r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
+ }
+
+ if (apdu->ins & 1) {
+ r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
+ sm_capdu + 0, &fdata, &fdata_len);
+ } else {
+ r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
+ sm_capdu + 1, &fdata, &fdata_len);
+ }
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
+ fdata, fdata_len);
+ break;
+ case SC_APDU_CASE_4_EXT:
+ if (card->reader->active_protocol == SC_PROTO_T0) {
+ /* again a T0 extended case 4 APDU looks just
+ * like a short APDU, the additional data is
+ * transferred using ENVELOPE and GET RESPONSE */
+ } else {
+ /* only 2 bytes are use to specify the length of the
+ * expected data */
+ le_len = 2;
+ r = format_le(apdu->le, sm_capdu + 2, &le, &le_len);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format Le of SM apdu");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Protected Le (plain)", le, le_len);
+ }
+
+ if (apdu->ins & 1) {
+ r = format_data(card, ctx, 0, apdu->data, apdu->datalen,
+ sm_capdu + 0, &fdata, &fdata_len);
+ } else {
+ r = format_data(card, ctx, 1, apdu->data, apdu->datalen,
+ sm_capdu + 1, &fdata, &fdata_len);
+ }
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not format data of SM apdu");
+ goto err;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Padding-content indicator followed by cryptogram (plain)",
+ fdata, fdata_len);
+ break;
+ default:
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Unhandled apdu case");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+
+
+ r = sc_asn1_encode(card->ctx, sm_capdu, (u8 **) &asn1, &asn1_len);
+ if (r < 0) {
+ goto err;
+ }
+ if (asn1_len) {
+ p = realloc(mac_data, mac_data_len + asn1_len);
+ if (!p) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ mac_data = p;
+ /* Flawfinder: ignore */
+ memcpy(mac_data + mac_data_len, asn1, asn1_len);
+ mac_data_len += asn1_len;
+ r = add_padding(ctx, mac_data, mac_data_len, &mac_data);
+ if (r < 0) {
+ goto err;
+ }
+ mac_data_len = r;
+ }
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Data to authenticate", mac_data, mac_data_len);
+
+ r = ctx->authenticate(card, ctx, mac_data, mac_data_len,
+ &mac);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not get authentication code");
+ goto err;
+ }
+ mac_len = r;
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Cryptographic Checksum (plain)", mac, mac_len);
+
+
+ /* format SM apdu */
+ sc_format_asn1_entry(sm_capdu + 3, mac, &mac_len, SC_ASN1_PRESENT);
+ r = sc_asn1_encode(card->ctx, sm_capdu, (u8 **) &sm_data, &sm_data_len);
+ if (r < 0)
+ goto err;
+ sm_apdu->data = sm_data;
+ sm_apdu->datalen = sm_data_len;
+ sm_apdu->lc = sm_data_len;
+ sm_apdu->le = 0;
+ if (cse & SC_APDU_EXT) {
+ sm_apdu->cse = SC_APDU_CASE_4_EXT;
+#if OPENSC_NOT_BOGUS_ANYMORE
+ sm_apdu->resplen = 0xffff+1;
+#else
+ sm_apdu->resplen = SC_MAX_EXT_APDU_BUFFER_SIZE;
+#endif
+ } else {
+ sm_apdu->cse = SC_APDU_CASE_4_SHORT;
+#if OPENSC_NOT_BOGUS_ANYMORE
+ sm_apdu->resplen = 0xff+1;
+#else
+ sm_apdu->resplen = SC_MAX_APDU_BUFFER_SIZE;
+#endif
+ }
+ resp_data = malloc(sm_apdu->resplen);
+ if (!resp_data) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ sm_apdu->resp = resp_data;
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "ASN.1 encoded encrypted APDU data", sm_apdu->data, sm_apdu->datalen);
+
+ *psm_apdu = sm_apdu;
+
+err:
+ free(fdata);
+ free(asn1);
+ free(mac_data);
+ free(mac);
+ free(le);
+ if (r < 0) {
+ free(resp_data);
+ free(sm_apdu);
+ free(sm_data);
+ }
+
+ return r;
+}
+
+static int sm_decrypt(const struct iso_sm_ctx *ctx, sc_card_t *card,
+ const sc_apdu_t *sm_apdu, sc_apdu_t *apdu)
+{
+ int r;
+ struct sc_asn1_entry sm_rapdu[5];
+ struct sc_asn1_entry my_sm_rapdu[5];
+ u8 sw[2], mac[8], fdata[SC_MAX_EXT_APDU_BUFFER_SIZE];
+ size_t sw_len = sizeof sw, mac_len = sizeof mac, fdata_len = sizeof fdata,
+ buf_len, asn1_len, fdata_offset = 0;
+ const u8 *buf;
+ u8 *data = NULL, *mac_data = NULL, *asn1 = NULL;
+
+ sc_copy_asn1_entry(c_sm_rapdu, sm_rapdu);
+ sc_format_asn1_entry(sm_rapdu + 0, fdata, &fdata_len, 0);
+ sc_format_asn1_entry(sm_rapdu + 1, fdata, &fdata_len, 0);
+ sc_format_asn1_entry(sm_rapdu + 2, sw, &sw_len, 0);
+ sc_format_asn1_entry(sm_rapdu + 3, mac, &mac_len, 0);
+
+ r = sc_asn1_decode(card->ctx, sm_rapdu, sm_apdu->resp, sm_apdu->resplen,
+ &buf, &buf_len);
+ if (r < 0)
+ goto err;
+ if (buf_len > 0) {
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+
+
+ if (sm_rapdu[3].flags & SC_ASN1_PRESENT) {
+ /* copy from sm_apdu to my_sm_apdu, but leave mac at default */
+ sc_copy_asn1_entry(sm_rapdu, my_sm_rapdu);
+ sc_copy_asn1_entry(&c_sm_rapdu[3], &my_sm_rapdu[3]);
+
+ r = sc_asn1_encode(card->ctx, my_sm_rapdu, &asn1, &asn1_len);
+ if (r < 0)
+ goto err;
+ r = add_padding(ctx, asn1, asn1_len, &mac_data);
+ if (r < 0) {
+ goto err;
+ }
+
+ r = ctx->verify_authentication(card, ctx, mac, mac_len,
+ mac_data, r);
+ if (r < 0)
+ goto err;
+ } else {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Cryptographic Checksum missing");
+ r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
+ goto err;
+ }
+
+
+ if (sm_rapdu[1].flags & SC_ASN1_PRESENT) {
+ if (ctx->padding_indicator != fdata[0]) {
+ r = SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ goto err;
+ }
+ fdata_offset = 1;
+ }
+ if (sm_rapdu[0].flags & SC_ASN1_PRESENT
+ || sm_rapdu[1].flags & SC_ASN1_PRESENT) {
+ r = ctx->decrypt(card, ctx, fdata + fdata_offset,
+ fdata_len - fdata_offset, &data);
+ if (r < 0)
+ goto err;
+ buf_len = r;
+
+ r = rm_padding(ctx->padding_indicator, data, buf_len);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not remove padding");
+ goto err;
+ }
+
+ if (apdu->resplen < (size_t) r || (r && !apdu->resp)) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
+ "Response of SM APDU %u byte%s too long", r-apdu->resplen,
+ r-apdu->resplen < 2 ? "" : "s");
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ /* Flawfinder: ignore */
+ memcpy(apdu->resp, data, r);
+ apdu->resplen = r;
+ } else {
+ apdu->resplen = 0;
+ }
+
+ if (sm_rapdu[2].flags & SC_ASN1_PRESENT) {
+ if (sw_len != 2) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Length of processing status bytes must be 2");
+ r = SC_ERROR_ASN1_END_OF_CONTENTS;
+ goto err;
+ }
+ apdu->sw1 = sw[0];
+ apdu->sw2 = sw[1];
+ } else {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Authenticated status bytes are missing");
+ r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
+ goto err;
+ }
+
+ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Decrypted APDU sw1=%02x sw2=%02x",
+ apdu->sw1, apdu->sw2);
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Decrypted APDU response data",
+ apdu->resp, apdu->resplen);
+
+ r = SC_SUCCESS;
+
+err:
+ free(asn1);
+ free(mac_data);
+ if (data) {
+ sc_mem_clear(data, buf_len);
+ free(data);
+ }
+
+ return r;
+}
+
+static int iso_add_sm(struct iso_sm_ctx *sctx, sc_card_t *card,
+ sc_apdu_t *apdu, sc_apdu_t **sm_apdu)
+{
+ if (!card || !sctx)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ if ((apdu->cla & 0x0C) == 0x0C) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Given APDU is already protected with some secure messaging. Closing own SM context.");
+ SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sc_sm_stop(card),
+ "Could not close ISO SM session");
+ return SC_ERROR_SM_NOT_APPLIED;
+ }
+
+ if (sctx->pre_transmit)
+ SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->pre_transmit(card, sctx, apdu),
+ "Could not complete SM specific pre transmit routine");
+ SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sm_encrypt(sctx, card, apdu, sm_apdu),
+ "Could not encrypt APDU");
+
+ return SC_SUCCESS;
+}
+
+static int iso_rm_sm(struct iso_sm_ctx *sctx, sc_card_t *card,
+ sc_apdu_t *sm_apdu, sc_apdu_t *apdu)
+{
+ if (sctx->post_transmit)
+ SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->post_transmit(card, sctx, sm_apdu),
+ "Could not complete SM specific post transmit routine");
+ SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sm_decrypt(sctx, card, sm_apdu, apdu),
+ "Could not decrypt APDU");
+ if (sctx->finish)
+ SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sctx->finish(card, sctx, apdu),
+ "Could not complete SM specific post transmit routine");
+
+ return SC_SUCCESS;
+}
+
+int iso_sm_close(struct sc_card *card)
+{
+ if (card) {
+ iso_sm_ctx_clear_free(card->sm_ctx.info.cmd_data);
+ card->sm_ctx.info.cmd_data = NULL;
+ }
+
+ return SC_SUCCESS;
+}
+
+int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
+{
+ return iso_add_sm(card->sm_ctx.info.cmd_data, card, apdu, sm_apdu);
+}
+
+int iso_free_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
+{
+ struct sc_apdu *p = *sm_apdu;
+ int r;
+
+ if (!sm_apdu)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ p = *sm_apdu;
+
+ r = iso_rm_sm(card->sm_ctx.info.cmd_data, card, p, apdu);
+
+ if (p) {
+ free((unsigned char *) p->data);
+ free((unsigned char *) p->resp);
+ }
+ free(*sm_apdu);
+ *sm_apdu = NULL;
+
+ return r;
+}
+
+struct iso_sm_ctx *iso_sm_ctx_create(void)
+{
+ struct iso_sm_ctx *sctx = malloc(sizeof *sctx);
+ if (!sctx)
+ return NULL;
+
+ sctx->priv_data = NULL;
+ sctx->padding_indicator = SM_ISO_PADDING;
+ sctx->block_length = 0;
+ sctx->authenticate = NULL;
+ sctx->verify_authentication = NULL;
+ sctx->encrypt = NULL;
+ sctx->decrypt = NULL;
+ sctx->pre_transmit = NULL;
+ sctx->post_transmit = NULL;
+ sctx->finish = NULL;
+ sctx->clear_free = NULL;
+
+ return sctx;
+}
+
+void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx)
+{
+ if (sctx && sctx->clear_free)
+ sctx->clear_free(sctx);
+ free(sctx);
+}
+
+int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx)
+{
+ if (!card)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ if (card->sm_ctx.ops.close)
+ card->sm_ctx.ops.close(card);
+
+ card->sm_ctx.info.cmd_data = sctx;
+ card->sm_ctx.ops.close = iso_sm_close;
+ card->sm_ctx.ops.free_sm_apdu = iso_free_sm_apdu;
+ card->sm_ctx.ops.get_sm_apdu = iso_get_sm_apdu;
+ card->sm_ctx.sm_mode = SM_MODE_TRANSMIT;
+
+ return SC_SUCCESS;
+}
+
+#else
+
+int iso_sm_close(struct sc_card *card)
+{
+ return SC_ERROR_NOT_SUPPORTED;
+}
+
+int iso_get_sm_apdu(struct sc_card *card, struct sc_apdu *apdu, struct sc_apdu **sm_apdu)
+{
+ return SC_ERROR_NOT_SUPPORTED;
+}
+
+struct iso_sm_ctx *iso_sm_ctx_create(void)
+{
+ return NULL;
+}
+
+void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx)
+{
+}
+
+int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx)
+{
+ return SC_ERROR_NOT_SUPPORTED;
+}
+
+#endif
diff --git a/src/sm/sm-iso.h b/src/sm/sm-iso.h
new file mode 100644
index 0000000..12c6535
--- /dev/null
+++ b/src/sm/sm-iso.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2012-2015 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+/**
+ * @file
+ * @defgroup sm Interface to Secure Messaging (SM) defined in ISO 7816
+ * @{
+ */
+#ifndef _ISO_SM_H
+#define _ISO_SM_H
+
+#include "libopensc/opensc.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** @brief maximum length of response when targeting a SM RAPDU
+ *
+ * Using SM with authenticated data+le and encrypted data this is the biggest
+ * amount of the unencrypted response data we can receive. We assume AES block
+ * length for padding and MAC. */
+#define MAX_SM_APDU_RESP_SIZE 223
+
+/** @brief maximum length of data when targeting a SM APDU
+ *
+ * Using SM with authenticated data+header and encrypted data this is the
+ * biggest amount of the unencrypted data we can send. We assume AES block
+ * length for padding and MAC. */
+#define MAX_SM_APDU_DATA_SIZE 239
+
+/** @brief Padding indicator: use ISO/IEC 9797-1 padding method 2 */
+#define SM_ISO_PADDING 0x01
+/** @brief Padding indicator: use no padding */
+#define SM_NO_PADDING 0x02
+
+/** @brief Secure messaging context */
+struct iso_sm_ctx {
+ /** @brief data of the specific crypto implementation */
+ void *priv_data;
+
+ /** @brief Padding-content indicator byte (ISO 7816-4 Table 30) */
+ u8 padding_indicator;
+ /** @brief Pad to this block length */
+ size_t block_length;
+
+ /** @brief Call back function for authentication of data */
+ int (*authenticate)(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *data, size_t datalen, u8 **outdata);
+ /** @brief Call back function for verifying authentication data */
+ int (*verify_authentication)(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *mac, size_t maclen,
+ const u8 *macdata, size_t macdatalen);
+
+ /** @brief Call back function for encryption of data */
+ int (*encrypt)(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *data, size_t datalen, u8 **enc);
+ /** @brief Call back function for decryption of data */
+ int (*decrypt)(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ const u8 *enc, size_t enclen, u8 **data);
+
+ /** @brief Call back function for actions before encoding and encryption of \a apdu */
+ int (*pre_transmit)(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *apdu);
+ /** @brief Call back function for actions before decryption and decoding of \a sm_apdu */
+ int (*post_transmit)(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *sm_apdu);
+ /** @brief Call back function for actions after decrypting SM protected APDU */
+ int (*finish)(sc_card_t *card, const struct iso_sm_ctx *ctx,
+ sc_apdu_t *apdu);
+
+ /** @brief Clears and frees private data */
+ void (*clear_free)(const struct iso_sm_ctx *ctx);
+};
+
+/**
+ * @brief Clears and frees the SM context including private data
+ *
+ * Calls \a sctx->clear_free() if available
+ *
+ * @param[in] sctx (optional)
+ */
+void iso_sm_ctx_clear_free(struct iso_sm_ctx *sctx);
+
+/**
+ * @brief Creates a SM context
+ *
+ * @return SM context or NULL if an error occurred
+ */
+struct iso_sm_ctx *iso_sm_ctx_create(void);
+
+/**
+ * @brief Initializes a card for usage of the ISO SM driver
+ *
+ * If a SM module has been assigned previously to the card, it will be cleaned
+ * up.
+ *
+ * @param[in] card
+ * @param[in] sctx will NOT be freed automatically. \a sctx should be present
+ * for the time of the SM session.
+ *
+ * @return \c SC_SUCCESS or error code if an error occurred
+ */
+int iso_sm_start(struct sc_card *card, struct iso_sm_ctx *sctx);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
+/* @} */
diff --git a/src/sm/sslutil.h b/src/sm/sslutil.h
new file mode 100644
index 0000000..9f65e36
--- /dev/null
+++ b/src/sm/sslutil.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2011-2015 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifndef _SC_SSLUTIL_H
+#define _SC_SSLUTIL_H
+
+#include <libopensc/opensc.h>
+#include <libopensc/log.h>
+
+#ifdef ENABLE_OPENSSL
+#include <openssl/err.h>
+
+#define ssl_error(ctx) { \
+ unsigned long _r; \
+ ERR_load_crypto_strings(); \
+ for (_r = ERR_get_error(); _r; _r = ERR_get_error()) { \
+ sc_debug(ctx, SC_LOG_DEBUG_VERBOSE, ERR_error_string(_r, NULL)); \
+ } \
+ ERR_free_strings(); \
+}
+#endif
+
+#endif
diff --git a/src/smm/Makefile.am b/src/smm/Makefile.am
index 5b6c819..7c707ca 100644
--- a/src/smm/Makefile.am
+++ b/src/smm/Makefile.am
@@ -6,7 +6,7 @@ EXTRA_DIST = Makefile.mak
AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_READLINE_CFLAGS)
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/common -I$(top_builddir)/src/include
-LIBS = $(top_builddir)/src/libsm/libsm.la \
+LIBS = $(top_builddir)/src/sm/libsm.la \
$(top_builddir)/src/libopensc/libopensc.la \
$(top_builddir)/src/common/libcompat.la
diff --git a/src/smm/Makefile.mak b/src/smm/Makefile.mak
index 2513656..d0eb992 100644
--- a/src/smm/Makefile.mak
+++ b/src/smm/Makefile.mak
@@ -3,7 +3,7 @@ TOPDIR = ..\..
TARGET = smm-local.dll
OBJECTS = smm-local.obj sm-global-platform.obj sm-cwa14890.obj sm-card-iasecc.obj sm-card-authentic.obj
-LIBS = $(TOPDIR)\src\libsm\libsm.lib $(TOPDIR)\src\libopensc\opensc_a.lib $(TOPDIR)\src\common\libscdl.lib
+LIBS = $(TOPDIR)\src\sm\libsm.lib $(TOPDIR)\src\libopensc\opensc_a.lib $(TOPDIR)\src\common\libscdl.lib
all: $(TARGET)
diff --git a/src/smm/sm-module.h b/src/smm/sm-module.h
index 14a06bc..0275fc1 100644
--- a/src/smm/sm-module.h
+++ b/src/smm/sm-module.h
@@ -31,7 +31,7 @@ extern "C" {
#include <openssl/sha.h>
#include "libopensc/sm.h"
-#include "libsm/sm-common.h"
+#include "sm/sm-common.h"
/* Global Platform definitions */
int sm_gp_get_mac(unsigned char *key, DES_cblock *icv, unsigned char *in, int in_len,
diff --git a/src/tools/Makefile.am b/src/tools/Makefile.am
index 5fb7f5e..cef8b24 100644
--- a/src/tools/Makefile.am
+++ b/src/tools/Makefile.am
@@ -1,14 +1,32 @@
include $(top_srcdir)/win32/ltrc.inc
+do_subst = $(SED) \
+ -e 's,[@]CVCDIR[@],$(CVCDIR),g' \
+ -e 's,[@]PACKAGE[@],$(PACKAGE),g' \
+ -e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
+ -e 's,[@]PACKAGE_NAME[@],$(PACKAGE_NAME),g' \
+ -e 's,[@]PACKAGE_TARNAME[@],$(PACKAGE_TARNAME),g' \
+ -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
+ -e 's,[@]PACKAGE_SUMMARY[@],$(PACKAGE_SUMMARY),g' \
+ -e 's,[@]PACKAGE_VERSION[@],"$(PACKAGE_VERSION)",g' \
+ -e 's,[@]X509DIR[@],$(X509DIR),g'
+
+NPA_TOOL_BUILT_SOURCES = npa-tool-cmdline.h npa-tool-cmdline.c
+
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/versioninfo-tools.rc
-EXTRA_DIST = Makefile.mak versioninfo-tools.rc.in
+EXTRA_DIST = Makefile.mak versioninfo-tools.rc.in npa-tool.ggo.in
-noinst_HEADERS = util.h
+noinst_HEADERS = util.h fread_to_eof.h
+noinst_PROGRAMS = sceac-example
bin_PROGRAMS = opensc-tool opensc-explorer pkcs15-tool pkcs15-crypt \
pkcs11-tool cardos-tool eidenv openpgp-tool iasecc-tool
if ENABLE_OPENSSL
bin_PROGRAMS += cryptoflex-tool pkcs15-init netkey-tool piv-tool \
- westcos-tool sc-hsm-tool dnie-tool gids-tool
+ westcos-tool sc-hsm-tool dnie-tool gids-tool npa-tool
+endif
+
+if ENABLE_MAN
+dist_man1_MANS = npa-tool.1
endif
# compile with $(PTHREAD_CFLAGS) to allow debugging with gdb
@@ -19,6 +37,10 @@ LIBS = \
$(top_builddir)/src/common/libscdl.la \
$(top_builddir)/src/common/libcompat.la
+sceac_example_SOURCES = sceac-example.c
+sceac_example_LDADD = $(top_builddir)/src/sm/libsmeac.la $(top_builddir)/src/libopensc/libopensc.la $(OPENPACE_LIBS)
+sceac_example_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS)
+
opensc_tool_SOURCES = opensc-tool.c util.c
piv_tool_SOURCES = piv-tool.c util.c
piv_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
@@ -54,6 +76,31 @@ dnie_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
gids_tool_SOURCES = gids-tool.c util.c
gids_tool_LDADD = $(OPTIONAL_OPENSSL_LIBS)
+npa_tool_SOURCES = npa-tool.c fread_to_eof.c $(NPA_TOOL_BUILT_SOURCES)
+npa_tool_LDADD = $(top_builddir)/src/libopensc/libopensc.la \
+ $(top_builddir)/src/sm/libsmeac.la \
+ $(OPENPACE_LIBS)
+npa_tool_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS)
+
+npa-tool.c: $(abs_builddir)/npa-tool.ggo $(NPA_TOOL_BUILT_SOURCES)
+
+# We only want *cmdline* to be generated when they have explicitly been removed.
+$(NPA_TOOL_BUILT_SOURCES):
+ $(MAKE) $(abs_builddir)/npa-tool.ggo
+ $(GENGETOPT) --include-getopt --file-name=npa-tool-cmdline --output-dir=$(builddir) < $(abs_builddir)/npa-tool.ggo
+
+$(abs_builddir)/npa-tool.ggo: npa-tool.ggo.in
+ $(do_subst) < $(abs_srcdir)/npa-tool.ggo.in > $@
+
+# We only want npa-tool.1 to be generated when it has explicitly been removed.
+npa-tool.1:
+ $(MAKE) npa-tool$(EXEEXT)
+ $(HELP2MAN) \
+ --output=$@ \
+ --no-info \
+ --source='$(PACKAGE_STRING)' \
+ $(builddir)/npa-tool$(EXEEXT)
+
if WIN32
opensc_tool_SOURCES += versioninfo-tools.rc
piv_tool_SOURCES += versioninfo-tools.rc
@@ -72,3 +119,6 @@ iasecc_tool_SOURCES += versioninfo-tools.rc
sc_hsm_tool_SOURCES += versioninfo-tools.rc
gids_tool_SOURCES += versioninfo-tools.rc
endif
+
+clean-local:
+ rm -f $(abs_builddir)/npa-tool.ggo
diff --git a/src/tools/Makefile.mak b/src/tools/Makefile.mak
index de68f46..d9bf0cb 100644
--- a/src/tools/Makefile.mak
+++ b/src/tools/Makefile.mak
@@ -8,12 +8,14 @@ TARGETS = opensc-tool.exe opensc-explorer.exe pkcs15-tool.exe pkcs15-crypt.exe \
pkcs11-tool.exe cardos-tool.exe eidenv.exe openpgp-tool.exe iasecc-tool.exe \
$(PROGRAMS_OPENSSL)
-OBJECTS = util.obj versioninfo-tools.res
+OBJECTS = util.obj npa-tool-cmdline.obj fread_to_eof.obj versioninfo-tools.res
LIBS = $(TOPDIR)\src\common\common.lib \
$(TOPDIR)\src\scconf\scconf.lib \
$(TOPDIR)\src\libopensc\opensc.lib \
$(TOPDIR)\src\pkcs15init\pkcs15init.lib \
$(TOPDIR)\src\common\libpkcs11.lib \
+ $(TOPDIR)\src\sm\libsmeac.lib \
+ $(TOPDIR)\src\sm\libsmiso.lib \
$(TOPDIR)\src\common\libscdl.lib
all: $(TARGETS)
@@ -22,5 +24,5 @@ $(TARGETS): $(OBJECTS) $(LIBS)
.c.exe:
cl $(COPTS) /c $<
- link $(LINKFLAGS) /pdb:$*.pdb /out:$@ $*.obj $(OBJECTS) $(LIBS) $(OPENSSL_LIB) gdi32.lib shell32.lib
+ link $(LINKFLAGS) /pdb:$*.pdb /out:$@ $*.obj $(OBJECTS) $(LIBS) $(OPENPACE_LIB) $(OPENSSL_LIB) gdi32.lib shell32.lib ws2_32.lib
if EXIST $@.manifest mt -manifest $@.manifest -outputresource:$@;1
diff --git a/src/tools/apdus b/src/tools/apdus
new file mode 100644
index 0000000..922c3cd
--- /dev/null
+++ b/src/tools/apdus
@@ -0,0 +1,29 @@
+00:22:81:B6:0F:83:0D:5A:5A:43:56:43:41:41:54:41:30:30:30:31
+00:2a:00:be:e4:7f:4e:81:9d:5f:29:01:00:42:0d:5a:5a:43:56:43:41:41:54:41:30:30:30:31:7f:49:4f:06:0a:04:00:7f:00:07:02:02:02:02:03:86:41:04:52:dd:32:ea:fe:1f:bb:b4:00:0c:d9:ce:75:f6:66:36:cf:cf:1e:dd:44:f7:b1:ed:ae:25:b8:41:93:da:04:a9:1c:77:ee:87:f5:c8:f9:59:ed:27:62:00:de:33:ab:57:4c:e9:80:11:35:ff:44:97:a3:71:62:b7:c8:54:8a:0c:5f:20:0e:5a:5a:44:56:43:41:41:54:41:30:30:30:30:35:7f:4c:12:06:09:04:00:7f:00:07:03:01:02:02:53:05:70:03:01:ff:b7:5f:25:06:01:00:00:06:01:01:5f:24:06:01:00:01:00: [...]
+002281B610830E5A5A445643414154413030303035
+002a00be0001417f4e81fa5f290100420e5a5a4456434141544130303030357f494f060a04007f000702020202038641049bfe7415d73c4a78d60b2cc1bca11b6d5e523969acfb5b756a3be1551b22239c79ae362b838b00669983c0caf6ed0c781d401c95d2b32857de8ce1b619dac4a75f200a5a5a5349543030304f347f4c12060904007f000703010202530500000000045f25060100000902015f2406010000090206655e732d060904007f0007030103028020b02baa51a94fac0954df204d61fe22da1d408d45db4aa1d70e600dad4faf6799732d060904007f0007030103018020c72e13582f01ba068dd1aac29a2428c0c5 [...]
+00:22:81:A4:53:80:0A:04:00:7F:00:07:02:02:02:02:03:83:0A:5A:5A:53:49:54:30:30:30:4F:34:91:20:88:E5:F2:C6:11:18:0D:0A:C1:0E:BD:E6:FC:2A:5E:62:41:79:C0:A5:77:C3:E4:88:52:DD:81:A4:CD:F7:90:51:67:17:73:15:06:09:04:00:7F:00:07:03:01:04:02:53:08:32:30:31:30:30:39:32:34
+00:84:00:00:08
+00820000400C9E7DB72CB0FAEA15B00FECAE0257546446A9395862239AF240C3C29E857F8403345817760FE13F6597F04D2F7330B59065F68DF71EF7FDEC86743CDE2869DD
+00a4000c023f00
+00:A4:02:0C:02:01:1D
+00:b0:00:00:80
+00B0008080
+00b0010080
+00:B0:01:80:80
+00:b0:02:00:80
+00B0028080
+00b0030080
+00:B0:03:80:80
+00:b0:04:00:80
+00B0048080
+00b0050080
+00:B0:05:80:80
+00:b0:06:00:80
+00B0068080
+00b0070080
+00:B0:07:80:80
+00:22:41:a4:0c:80:0a:04:00:7f:00:07:02:02:03:02:02
+00860000457C43804104239E3D05EEB059117D30F86AEB5AE7D12E0EBF758889C79115F2A13DC1BB570A5CAD91A384337C09D1B74BED1C0FF195A7C3EA3A2CEDF86DDEF7B95D1FD1B35D00
+0020001006010203040506
+
diff --git a/src/tools/fread_to_eof.c b/src/tools/fread_to_eof.c
new file mode 100644
index 0000000..a563e46
--- /dev/null
+++ b/src/tools/fread_to_eof.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2010 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int fread_to_eof(const char *file, unsigned char **buf, size_t *buflen)
+{
+ FILE *input = NULL;
+ int r = 0;
+ unsigned char *p;
+
+ if (!buflen || !buf || !file)
+ goto err;
+
+#define MAX_READ_LEN 0xfff
+ p = realloc(*buf, MAX_READ_LEN);
+ if (!p)
+ goto err;
+ *buf = p;
+
+ input = fopen(file, "rb");
+ if (!input) {
+ goto err;
+ }
+
+ *buflen = 0;
+ while (feof(input) == 0 && *buflen < MAX_READ_LEN) {
+ *buflen += fread(*buf+*buflen, 1, MAX_READ_LEN-*buflen, input);
+ if (ferror(input)) {
+ goto err;
+ }
+ }
+
+ r = 1;
+err:
+ if (input)
+ fclose(input);
+
+ return r;
+}
diff --git a/src/tools/fread_to_eof.h b/src/tools/fread_to_eof.h
new file mode 100644
index 0000000..14a176c
--- /dev/null
+++ b/src/tools/fread_to_eof.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifndef _FREAD_TO_EOF_H
+#define _FREAD_TO_EOF_H
+
+int fread_to_eof(const char *file, unsigned char **buf, size_t *buflen);
+
+#endif
diff --git a/src/tools/npa-tool-cmdline.c b/src/tools/npa-tool-cmdline.c
new file mode 100644
index 0000000..7a92e14
--- /dev/null
+++ b/src/tools/npa-tool-cmdline.c
@@ -0,0 +1,2540 @@
+/*
+ File autogenerated by gengetopt version 2.22.6
+ generated with the following command:
+ /usr/bin/gengetopt --include-getopt --file-name=npa-tool-cmdline --output-dir=.
+
+ The developers of gengetopt consider the fixed text that goes in all
+ gengetopt output files to be in the public domain:
+ we make no copyright claims on it.
+*/
+
+/* If we use autoconf. */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef FIX_UNUSED
+#define FIX_UNUSED(X) (void) (X) /* avoid warnings for unused params */
+#endif
+
+
+#include "npa-tool-cmdline.h"
+
+const char *gengetopt_args_info_purpose = "";
+
+const char *gengetopt_args_info_usage = "Usage: npa-tool [OPTIONS]...";
+
+const char *gengetopt_args_info_versiontext = "";
+
+const char *gengetopt_args_info_description = "";
+
+const char *gengetopt_args_info_help[] = {
+ " -h, --help Print help and exit",
+ " -V, --version Print version and exit",
+ " -r, --reader=INT Number of the PC/SC reader to use (-1 for\n autodetect) (default=`-1')",
+ " -v, --verbose Use (several times) to be more verbose",
+ "\nPassword Authenticated Connection Establishment (PACE):",
+ " -p, --pin[=STRING] Run PACE with (transport) eID-PIN",
+ " -u, --puk[=STRING] Run PACE with PUK",
+ " -c, --can[=STRING] Run PACE with CAN",
+ " -m, --mrz[=STRING] Run PACE with MRZ (insert MRZ without newlines)",
+ " --env Whether to use environment variables PIN, PUK,\n CAN, MRZ and NEWPIN. You may want to clean\n your environment before enabling this.\n (default=off)",
+ "\nPIN management:",
+ " -N, --new-pin[=STRING] Install a new PIN",
+ " -R, --resume Resume eID-PIN (uses CAN to activate last\n retry) (default=off)",
+ " -U, --unblock Unblock PIN (uses PUK to activate three more\n retries) (default=off)",
+ "\nTerminal Authentication (TA) and Chip Authentication (CA):",
+ " -C, --cv-certificate=FILENAME Card Verifiable Certificate to create a\n certificate chain. Can be used multiple times\n (order is important).",
+ " --cert-desc=HEX_STRING Certificate description to show for Terminal\n Authentication",
+ " --chat=HEX_STRING Card holder authorization template to use\n (default is terminal's CHAT). Use\n 7F4C0E060904007F000703010203530103 to trigger\n EAC on the CAT-C (Komfortleser).",
+ " -A, --auxiliary-data=HEX_STRING\n Terminal's auxiliary data (default is\n determined by verification of validity, age\n and community ID).",
+ " -P, --private-key=FILENAME Terminal's private key",
+ " --cvc-dir=DIRECTORY Where to look for the CVCA's certificate\n (default=`/home/fm/.local/etc/eac/cvc')",
+ " --x509-dir=DIRECTORY Where to look for the CSCA's certificate\n (default=`/home/fm/.local/etc/eac/x509')",
+ " --disable-ta-checks Disable checking the validity period of CV\n certifcates (default=off)",
+ " --disable-ca-checks Disable passive authentication (default=off)",
+ "\nRead and write data groups:",
+ " --read-dg1 Read DG 1 (Document Type) (default=off)",
+ " --read-dg2 Read DG 2 (Issuing State) (default=off)",
+ " --read-dg3 Read DG 3 (Date of Expiry) (default=off)",
+ " --read-dg4 Read DG 4 (Given Names) (default=off)",
+ " --read-dg5 Read DG 5 (Family Names) (default=off)",
+ " --read-dg6 Read DG 6 (Religious/Artistic Name)\n (default=off)",
+ " --read-dg7 Read DG 7 (Academic Title) (default=off)",
+ " --read-dg8 Read DG 8 (Date of Birth) (default=off)",
+ " --read-dg9 Read DG 9 (Place of Birth) (default=off)",
+ " --read-dg10 Read DG 10 (Nationality) (default=off)",
+ " --read-dg11 Read DG 11 (Sex) (default=off)",
+ " --read-dg12 Read DG 12 (Optional Data) (default=off)",
+ " --read-dg13 Read DG 13 (Birth Name) (default=off)",
+ " --read-dg14 Read DG 14 (default=off)",
+ " --read-dg15 Read DG 15 (default=off)",
+ " --read-dg16 Read DG 16 (default=off)",
+ " --read-dg17 Read DG 17 (Normal Place of Residence)\n (default=off)",
+ " --read-dg18 Read DG 18 (Community ID) (default=off)",
+ " --read-dg19 Read DG 19 (Residence Permit I) (default=off)",
+ " --read-dg20 Read DG 20 (Residence Permit II)\n (default=off)",
+ " --read-dg21 Read DG 21 (Optional Data) (default=off)",
+ " --write-dg17=HEX_STRING Write DG 17 (Normal Place of Residence)",
+ " --write-dg18=HEX_STRING Write DG 18 (Community ID)",
+ " --write-dg19=HEX_STRING Write DG 19 (Residence Permit I)",
+ " --write-dg20=HEX_STRING Write DG 20 (Residence Permit II)",
+ " --write-dg21=HEX_STRING Write DG 21 (Optional Data)",
+ "\nVerification of validity, age and community ID:",
+ " --verify-validity=YYYYMMDD\n Verify chip's validity with a reference date",
+ " --older-than=YYYYMMDD Verify age with a reference date",
+ " --verify-community=HEX_STRING\n Verify community ID with a reference ID",
+ "\nSpecial options, not always useful:",
+ " -b, --break Brute force PIN, CAN or PUK. Use together with\n -p, -a or -u (default=off)",
+ " -t, --translate=FILENAME File with APDUs of HEX_STRINGs to send through\n the secure channel (default=`stdin')",
+ " --tr-03110v201 Force compliance to BSI TR-03110 version 2.01\n (default=off)",
+ " --disable-all-checks Disable all checking of fly-by-data\n (default=off)",
+ "\nReport bugs to opensc-devel at lists.sourceforge.net\n\nWritten by Frank Morgner <frankmorgner at gmail.com>",
+ 0
+};
+
+typedef enum {ARG_NO
+ , ARG_FLAG
+ , ARG_STRING
+ , ARG_INT
+} cmdline_parser_arg_type;
+
+static
+void clear_given (struct gengetopt_args_info *args_info);
+static
+void clear_args (struct gengetopt_args_info *args_info);
+
+static int
+cmdline_parser_internal (int argc, char **argv, struct gengetopt_args_info *args_info,
+ struct cmdline_parser_params *params, const char *additional_error);
+
+static int
+cmdline_parser_required2 (struct gengetopt_args_info *args_info, const char *prog_name, const char *additional_error);
+
+static char *
+gengetopt_strdup (const char *s);
+
+static
+void clear_given (struct gengetopt_args_info *args_info)
+{
+ args_info->help_given = 0 ;
+ args_info->version_given = 0 ;
+ args_info->reader_given = 0 ;
+ args_info->verbose_given = 0 ;
+ args_info->pin_given = 0 ;
+ args_info->puk_given = 0 ;
+ args_info->can_given = 0 ;
+ args_info->mrz_given = 0 ;
+ args_info->env_given = 0 ;
+ args_info->new_pin_given = 0 ;
+ args_info->resume_given = 0 ;
+ args_info->unblock_given = 0 ;
+ args_info->cv_certificate_given = 0 ;
+ args_info->cert_desc_given = 0 ;
+ args_info->chat_given = 0 ;
+ args_info->auxiliary_data_given = 0 ;
+ args_info->private_key_given = 0 ;
+ args_info->cvc_dir_given = 0 ;
+ args_info->x509_dir_given = 0 ;
+ args_info->disable_ta_checks_given = 0 ;
+ args_info->disable_ca_checks_given = 0 ;
+ args_info->read_dg1_given = 0 ;
+ args_info->read_dg2_given = 0 ;
+ args_info->read_dg3_given = 0 ;
+ args_info->read_dg4_given = 0 ;
+ args_info->read_dg5_given = 0 ;
+ args_info->read_dg6_given = 0 ;
+ args_info->read_dg7_given = 0 ;
+ args_info->read_dg8_given = 0 ;
+ args_info->read_dg9_given = 0 ;
+ args_info->read_dg10_given = 0 ;
+ args_info->read_dg11_given = 0 ;
+ args_info->read_dg12_given = 0 ;
+ args_info->read_dg13_given = 0 ;
+ args_info->read_dg14_given = 0 ;
+ args_info->read_dg15_given = 0 ;
+ args_info->read_dg16_given = 0 ;
+ args_info->read_dg17_given = 0 ;
+ args_info->read_dg18_given = 0 ;
+ args_info->read_dg19_given = 0 ;
+ args_info->read_dg20_given = 0 ;
+ args_info->read_dg21_given = 0 ;
+ args_info->write_dg17_given = 0 ;
+ args_info->write_dg18_given = 0 ;
+ args_info->write_dg19_given = 0 ;
+ args_info->write_dg20_given = 0 ;
+ args_info->write_dg21_given = 0 ;
+ args_info->verify_validity_given = 0 ;
+ args_info->older_than_given = 0 ;
+ args_info->verify_community_given = 0 ;
+ args_info->break_given = 0 ;
+ args_info->translate_given = 0 ;
+ args_info->tr_03110v201_given = 0 ;
+ args_info->disable_all_checks_given = 0 ;
+}
+
+static
+void clear_args (struct gengetopt_args_info *args_info)
+{
+ FIX_UNUSED (args_info);
+ args_info->reader_arg = -1;
+ args_info->reader_orig = NULL;
+ args_info->pin_arg = NULL;
+ args_info->pin_orig = NULL;
+ args_info->puk_arg = NULL;
+ args_info->puk_orig = NULL;
+ args_info->can_arg = NULL;
+ args_info->can_orig = NULL;
+ args_info->mrz_arg = NULL;
+ args_info->mrz_orig = NULL;
+ args_info->env_flag = 0;
+ args_info->new_pin_arg = NULL;
+ args_info->new_pin_orig = NULL;
+ args_info->resume_flag = 0;
+ args_info->unblock_flag = 0;
+ args_info->cv_certificate_arg = NULL;
+ args_info->cv_certificate_orig = NULL;
+ args_info->cert_desc_arg = NULL;
+ args_info->cert_desc_orig = NULL;
+ args_info->chat_arg = NULL;
+ args_info->chat_orig = NULL;
+ args_info->auxiliary_data_arg = NULL;
+ args_info->auxiliary_data_orig = NULL;
+ args_info->private_key_arg = NULL;
+ args_info->private_key_orig = NULL;
+ args_info->cvc_dir_arg = gengetopt_strdup ("/home/fm/.local/etc/eac/cvc");
+ args_info->cvc_dir_orig = NULL;
+ args_info->x509_dir_arg = gengetopt_strdup ("/home/fm/.local/etc/eac/x509");
+ args_info->x509_dir_orig = NULL;
+ args_info->disable_ta_checks_flag = 0;
+ args_info->disable_ca_checks_flag = 0;
+ args_info->read_dg1_flag = 0;
+ args_info->read_dg2_flag = 0;
+ args_info->read_dg3_flag = 0;
+ args_info->read_dg4_flag = 0;
+ args_info->read_dg5_flag = 0;
+ args_info->read_dg6_flag = 0;
+ args_info->read_dg7_flag = 0;
+ args_info->read_dg8_flag = 0;
+ args_info->read_dg9_flag = 0;
+ args_info->read_dg10_flag = 0;
+ args_info->read_dg11_flag = 0;
+ args_info->read_dg12_flag = 0;
+ args_info->read_dg13_flag = 0;
+ args_info->read_dg14_flag = 0;
+ args_info->read_dg15_flag = 0;
+ args_info->read_dg16_flag = 0;
+ args_info->read_dg17_flag = 0;
+ args_info->read_dg18_flag = 0;
+ args_info->read_dg19_flag = 0;
+ args_info->read_dg20_flag = 0;
+ args_info->read_dg21_flag = 0;
+ args_info->write_dg17_arg = NULL;
+ args_info->write_dg17_orig = NULL;
+ args_info->write_dg18_arg = NULL;
+ args_info->write_dg18_orig = NULL;
+ args_info->write_dg19_arg = NULL;
+ args_info->write_dg19_orig = NULL;
+ args_info->write_dg20_arg = NULL;
+ args_info->write_dg20_orig = NULL;
+ args_info->write_dg21_arg = NULL;
+ args_info->write_dg21_orig = NULL;
+ args_info->verify_validity_arg = NULL;
+ args_info->verify_validity_orig = NULL;
+ args_info->older_than_arg = NULL;
+ args_info->older_than_orig = NULL;
+ args_info->verify_community_arg = NULL;
+ args_info->verify_community_orig = NULL;
+ args_info->break_flag = 0;
+ args_info->translate_arg = gengetopt_strdup ("stdin");
+ args_info->translate_orig = NULL;
+ args_info->tr_03110v201_flag = 0;
+ args_info->disable_all_checks_flag = 0;
+
+}
+
+static
+void init_args_info(struct gengetopt_args_info *args_info)
+{
+
+
+ args_info->help_help = gengetopt_args_info_help[0] ;
+ args_info->version_help = gengetopt_args_info_help[1] ;
+ args_info->reader_help = gengetopt_args_info_help[2] ;
+ args_info->verbose_help = gengetopt_args_info_help[3] ;
+ args_info->verbose_min = 0;
+ args_info->verbose_max = 0;
+ args_info->pin_help = gengetopt_args_info_help[5] ;
+ args_info->puk_help = gengetopt_args_info_help[6] ;
+ args_info->can_help = gengetopt_args_info_help[7] ;
+ args_info->mrz_help = gengetopt_args_info_help[8] ;
+ args_info->env_help = gengetopt_args_info_help[9] ;
+ args_info->new_pin_help = gengetopt_args_info_help[11] ;
+ args_info->resume_help = gengetopt_args_info_help[12] ;
+ args_info->unblock_help = gengetopt_args_info_help[13] ;
+ args_info->cv_certificate_help = gengetopt_args_info_help[15] ;
+ args_info->cv_certificate_min = 0;
+ args_info->cv_certificate_max = 0;
+ args_info->cert_desc_help = gengetopt_args_info_help[16] ;
+ args_info->chat_help = gengetopt_args_info_help[17] ;
+ args_info->auxiliary_data_help = gengetopt_args_info_help[18] ;
+ args_info->private_key_help = gengetopt_args_info_help[19] ;
+ args_info->cvc_dir_help = gengetopt_args_info_help[20] ;
+ args_info->x509_dir_help = gengetopt_args_info_help[21] ;
+ args_info->disable_ta_checks_help = gengetopt_args_info_help[22] ;
+ args_info->disable_ca_checks_help = gengetopt_args_info_help[23] ;
+ args_info->read_dg1_help = gengetopt_args_info_help[25] ;
+ args_info->read_dg2_help = gengetopt_args_info_help[26] ;
+ args_info->read_dg3_help = gengetopt_args_info_help[27] ;
+ args_info->read_dg4_help = gengetopt_args_info_help[28] ;
+ args_info->read_dg5_help = gengetopt_args_info_help[29] ;
+ args_info->read_dg6_help = gengetopt_args_info_help[30] ;
+ args_info->read_dg7_help = gengetopt_args_info_help[31] ;
+ args_info->read_dg8_help = gengetopt_args_info_help[32] ;
+ args_info->read_dg9_help = gengetopt_args_info_help[33] ;
+ args_info->read_dg10_help = gengetopt_args_info_help[34] ;
+ args_info->read_dg11_help = gengetopt_args_info_help[35] ;
+ args_info->read_dg12_help = gengetopt_args_info_help[36] ;
+ args_info->read_dg13_help = gengetopt_args_info_help[37] ;
+ args_info->read_dg14_help = gengetopt_args_info_help[38] ;
+ args_info->read_dg15_help = gengetopt_args_info_help[39] ;
+ args_info->read_dg16_help = gengetopt_args_info_help[40] ;
+ args_info->read_dg17_help = gengetopt_args_info_help[41] ;
+ args_info->read_dg18_help = gengetopt_args_info_help[42] ;
+ args_info->read_dg19_help = gengetopt_args_info_help[43] ;
+ args_info->read_dg20_help = gengetopt_args_info_help[44] ;
+ args_info->read_dg21_help = gengetopt_args_info_help[45] ;
+ args_info->write_dg17_help = gengetopt_args_info_help[46] ;
+ args_info->write_dg18_help = gengetopt_args_info_help[47] ;
+ args_info->write_dg19_help = gengetopt_args_info_help[48] ;
+ args_info->write_dg20_help = gengetopt_args_info_help[49] ;
+ args_info->write_dg21_help = gengetopt_args_info_help[50] ;
+ args_info->verify_validity_help = gengetopt_args_info_help[52] ;
+ args_info->older_than_help = gengetopt_args_info_help[53] ;
+ args_info->verify_community_help = gengetopt_args_info_help[54] ;
+ args_info->break_help = gengetopt_args_info_help[56] ;
+ args_info->translate_help = gengetopt_args_info_help[57] ;
+ args_info->tr_03110v201_help = gengetopt_args_info_help[58] ;
+ args_info->disable_all_checks_help = gengetopt_args_info_help[59] ;
+
+}
+
+void
+cmdline_parser_print_version (void)
+{
+ printf ("%s %s\n",
+ (strlen(CMDLINE_PARSER_PACKAGE_NAME) ? CMDLINE_PARSER_PACKAGE_NAME : CMDLINE_PARSER_PACKAGE),
+ CMDLINE_PARSER_VERSION);
+
+ if (strlen(gengetopt_args_info_versiontext) > 0)
+ printf("\n%s\n", gengetopt_args_info_versiontext);
+}
+
+static void print_help_common(void) {
+ cmdline_parser_print_version ();
+
+ if (strlen(gengetopt_args_info_purpose) > 0)
+ printf("\n%s\n", gengetopt_args_info_purpose);
+
+ if (strlen(gengetopt_args_info_usage) > 0)
+ printf("\n%s\n", gengetopt_args_info_usage);
+
+ printf("\n");
+
+ if (strlen(gengetopt_args_info_description) > 0)
+ printf("%s\n\n", gengetopt_args_info_description);
+}
+
+void
+cmdline_parser_print_help (void)
+{
+ int i = 0;
+ print_help_common();
+ while (gengetopt_args_info_help[i])
+ printf("%s\n", gengetopt_args_info_help[i++]);
+}
+
+void
+cmdline_parser_init (struct gengetopt_args_info *args_info)
+{
+ clear_given (args_info);
+ clear_args (args_info);
+ init_args_info (args_info);
+}
+
+void
+cmdline_parser_params_init(struct cmdline_parser_params *params)
+{
+ if (params)
+ {
+ params->override = 0;
+ params->initialize = 1;
+ params->check_required = 1;
+ params->check_ambiguity = 0;
+ params->print_errors = 1;
+ }
+}
+
+struct cmdline_parser_params *
+cmdline_parser_params_create(void)
+{
+ struct cmdline_parser_params *params =
+ (struct cmdline_parser_params *)malloc(sizeof(struct cmdline_parser_params));
+ cmdline_parser_params_init(params);
+ return params;
+}
+
+static void
+free_string_field (char **s)
+{
+ if (*s)
+ {
+ free (*s);
+ *s = 0;
+ }
+}
+
+/** @brief generic value variable */
+union generic_value {
+ int int_arg;
+ char *string_arg;
+ const char *default_string_arg;
+};
+
+/** @brief holds temporary values for multiple options */
+struct generic_list
+{
+ union generic_value arg;
+ char *orig;
+ struct generic_list *next;
+};
+
+/**
+ * @brief add a node at the head of the list
+ */
+static void add_node(struct generic_list **list) {
+ struct generic_list *new_node = (struct generic_list *) malloc (sizeof (struct generic_list));
+ new_node->next = *list;
+ *list = new_node;
+ new_node->arg.string_arg = 0;
+ new_node->orig = 0;
+}
+
+
+static void
+free_multiple_string_field(unsigned int len, char ***arg, char ***orig)
+{
+ unsigned int i;
+ if (*arg) {
+ for (i = 0; i < len; ++i)
+ {
+ free_string_field(&((*arg)[i]));
+ free_string_field(&((*orig)[i]));
+ }
+ free_string_field(&((*arg)[0])); /* free default string */
+
+ free (*arg);
+ *arg = 0;
+ free (*orig);
+ *orig = 0;
+ }
+}
+
+static void
+cmdline_parser_release (struct gengetopt_args_info *args_info)
+{
+
+ free_string_field (&(args_info->reader_orig));
+ free_string_field (&(args_info->pin_arg));
+ free_string_field (&(args_info->pin_orig));
+ free_string_field (&(args_info->puk_arg));
+ free_string_field (&(args_info->puk_orig));
+ free_string_field (&(args_info->can_arg));
+ free_string_field (&(args_info->can_orig));
+ free_string_field (&(args_info->mrz_arg));
+ free_string_field (&(args_info->mrz_orig));
+ free_string_field (&(args_info->new_pin_arg));
+ free_string_field (&(args_info->new_pin_orig));
+ free_multiple_string_field (args_info->cv_certificate_given, &(args_info->cv_certificate_arg), &(args_info->cv_certificate_orig));
+ free_string_field (&(args_info->cert_desc_arg));
+ free_string_field (&(args_info->cert_desc_orig));
+ free_string_field (&(args_info->chat_arg));
+ free_string_field (&(args_info->chat_orig));
+ free_string_field (&(args_info->auxiliary_data_arg));
+ free_string_field (&(args_info->auxiliary_data_orig));
+ free_string_field (&(args_info->private_key_arg));
+ free_string_field (&(args_info->private_key_orig));
+ free_string_field (&(args_info->cvc_dir_arg));
+ free_string_field (&(args_info->cvc_dir_orig));
+ free_string_field (&(args_info->x509_dir_arg));
+ free_string_field (&(args_info->x509_dir_orig));
+ free_string_field (&(args_info->write_dg17_arg));
+ free_string_field (&(args_info->write_dg17_orig));
+ free_string_field (&(args_info->write_dg18_arg));
+ free_string_field (&(args_info->write_dg18_orig));
+ free_string_field (&(args_info->write_dg19_arg));
+ free_string_field (&(args_info->write_dg19_orig));
+ free_string_field (&(args_info->write_dg20_arg));
+ free_string_field (&(args_info->write_dg20_orig));
+ free_string_field (&(args_info->write_dg21_arg));
+ free_string_field (&(args_info->write_dg21_orig));
+ free_string_field (&(args_info->verify_validity_arg));
+ free_string_field (&(args_info->verify_validity_orig));
+ free_string_field (&(args_info->older_than_arg));
+ free_string_field (&(args_info->older_than_orig));
+ free_string_field (&(args_info->verify_community_arg));
+ free_string_field (&(args_info->verify_community_orig));
+ free_string_field (&(args_info->translate_arg));
+ free_string_field (&(args_info->translate_orig));
+
+
+
+ clear_given (args_info);
+}
+
+
+static void
+write_into_file(FILE *outfile, const char *opt, const char *arg, const char *values[])
+{
+ FIX_UNUSED (values);
+ if (arg) {
+ fprintf(outfile, "%s=\"%s\"\n", opt, arg);
+ } else {
+ fprintf(outfile, "%s\n", opt);
+ }
+}
+
+static void
+write_multiple_into_file(FILE *outfile, int len, const char *opt, char **arg, const char *values[])
+{
+ int i;
+
+ for (i = 0; i < len; ++i)
+ write_into_file(outfile, opt, (arg ? arg[i] : 0), values);
+}
+
+int
+cmdline_parser_dump(FILE *outfile, struct gengetopt_args_info *args_info)
+{
+ int i = 0;
+
+ if (!outfile)
+ {
+ fprintf (stderr, "%s: cannot dump options to stream\n", CMDLINE_PARSER_PACKAGE);
+ return EXIT_FAILURE;
+ }
+
+ if (args_info->help_given)
+ write_into_file(outfile, "help", 0, 0 );
+ if (args_info->version_given)
+ write_into_file(outfile, "version", 0, 0 );
+ if (args_info->reader_given)
+ write_into_file(outfile, "reader", args_info->reader_orig, 0);
+ write_multiple_into_file(outfile, args_info->verbose_given, "verbose", 0, 0);
+ if (args_info->pin_given)
+ write_into_file(outfile, "pin", args_info->pin_orig, 0);
+ if (args_info->puk_given)
+ write_into_file(outfile, "puk", args_info->puk_orig, 0);
+ if (args_info->can_given)
+ write_into_file(outfile, "can", args_info->can_orig, 0);
+ if (args_info->mrz_given)
+ write_into_file(outfile, "mrz", args_info->mrz_orig, 0);
+ if (args_info->env_given)
+ write_into_file(outfile, "env", 0, 0 );
+ if (args_info->new_pin_given)
+ write_into_file(outfile, "new-pin", args_info->new_pin_orig, 0);
+ if (args_info->resume_given)
+ write_into_file(outfile, "resume", 0, 0 );
+ if (args_info->unblock_given)
+ write_into_file(outfile, "unblock", 0, 0 );
+ write_multiple_into_file(outfile, args_info->cv_certificate_given, "cv-certificate", args_info->cv_certificate_orig, 0);
+ if (args_info->cert_desc_given)
+ write_into_file(outfile, "cert-desc", args_info->cert_desc_orig, 0);
+ if (args_info->chat_given)
+ write_into_file(outfile, "chat", args_info->chat_orig, 0);
+ if (args_info->auxiliary_data_given)
+ write_into_file(outfile, "auxiliary-data", args_info->auxiliary_data_orig, 0);
+ if (args_info->private_key_given)
+ write_into_file(outfile, "private-key", args_info->private_key_orig, 0);
+ if (args_info->cvc_dir_given)
+ write_into_file(outfile, "cvc-dir", args_info->cvc_dir_orig, 0);
+ if (args_info->x509_dir_given)
+ write_into_file(outfile, "x509-dir", args_info->x509_dir_orig, 0);
+ if (args_info->disable_ta_checks_given)
+ write_into_file(outfile, "disable-ta-checks", 0, 0 );
+ if (args_info->disable_ca_checks_given)
+ write_into_file(outfile, "disable-ca-checks", 0, 0 );
+ if (args_info->read_dg1_given)
+ write_into_file(outfile, "read-dg1", 0, 0 );
+ if (args_info->read_dg2_given)
+ write_into_file(outfile, "read-dg2", 0, 0 );
+ if (args_info->read_dg3_given)
+ write_into_file(outfile, "read-dg3", 0, 0 );
+ if (args_info->read_dg4_given)
+ write_into_file(outfile, "read-dg4", 0, 0 );
+ if (args_info->read_dg5_given)
+ write_into_file(outfile, "read-dg5", 0, 0 );
+ if (args_info->read_dg6_given)
+ write_into_file(outfile, "read-dg6", 0, 0 );
+ if (args_info->read_dg7_given)
+ write_into_file(outfile, "read-dg7", 0, 0 );
+ if (args_info->read_dg8_given)
+ write_into_file(outfile, "read-dg8", 0, 0 );
+ if (args_info->read_dg9_given)
+ write_into_file(outfile, "read-dg9", 0, 0 );
+ if (args_info->read_dg10_given)
+ write_into_file(outfile, "read-dg10", 0, 0 );
+ if (args_info->read_dg11_given)
+ write_into_file(outfile, "read-dg11", 0, 0 );
+ if (args_info->read_dg12_given)
+ write_into_file(outfile, "read-dg12", 0, 0 );
+ if (args_info->read_dg13_given)
+ write_into_file(outfile, "read-dg13", 0, 0 );
+ if (args_info->read_dg14_given)
+ write_into_file(outfile, "read-dg14", 0, 0 );
+ if (args_info->read_dg15_given)
+ write_into_file(outfile, "read-dg15", 0, 0 );
+ if (args_info->read_dg16_given)
+ write_into_file(outfile, "read-dg16", 0, 0 );
+ if (args_info->read_dg17_given)
+ write_into_file(outfile, "read-dg17", 0, 0 );
+ if (args_info->read_dg18_given)
+ write_into_file(outfile, "read-dg18", 0, 0 );
+ if (args_info->read_dg19_given)
+ write_into_file(outfile, "read-dg19", 0, 0 );
+ if (args_info->read_dg20_given)
+ write_into_file(outfile, "read-dg20", 0, 0 );
+ if (args_info->read_dg21_given)
+ write_into_file(outfile, "read-dg21", 0, 0 );
+ if (args_info->write_dg17_given)
+ write_into_file(outfile, "write-dg17", args_info->write_dg17_orig, 0);
+ if (args_info->write_dg18_given)
+ write_into_file(outfile, "write-dg18", args_info->write_dg18_orig, 0);
+ if (args_info->write_dg19_given)
+ write_into_file(outfile, "write-dg19", args_info->write_dg19_orig, 0);
+ if (args_info->write_dg20_given)
+ write_into_file(outfile, "write-dg20", args_info->write_dg20_orig, 0);
+ if (args_info->write_dg21_given)
+ write_into_file(outfile, "write-dg21", args_info->write_dg21_orig, 0);
+ if (args_info->verify_validity_given)
+ write_into_file(outfile, "verify-validity", args_info->verify_validity_orig, 0);
+ if (args_info->older_than_given)
+ write_into_file(outfile, "older-than", args_info->older_than_orig, 0);
+ if (args_info->verify_community_given)
+ write_into_file(outfile, "verify-community", args_info->verify_community_orig, 0);
+ if (args_info->break_given)
+ write_into_file(outfile, "break", 0, 0 );
+ if (args_info->translate_given)
+ write_into_file(outfile, "translate", args_info->translate_orig, 0);
+ if (args_info->tr_03110v201_given)
+ write_into_file(outfile, "tr-03110v201", 0, 0 );
+ if (args_info->disable_all_checks_given)
+ write_into_file(outfile, "disable-all-checks", 0, 0 );
+
+
+ i = EXIT_SUCCESS;
+ return i;
+}
+
+int
+cmdline_parser_file_save(const char *filename, struct gengetopt_args_info *args_info)
+{
+ FILE *outfile;
+ int i = 0;
+
+ outfile = fopen(filename, "w");
+
+ if (!outfile)
+ {
+ fprintf (stderr, "%s: cannot open file for writing: %s\n", CMDLINE_PARSER_PACKAGE, filename);
+ return EXIT_FAILURE;
+ }
+
+ i = cmdline_parser_dump(outfile, args_info);
+ fclose (outfile);
+
+ return i;
+}
+
+void
+cmdline_parser_free (struct gengetopt_args_info *args_info)
+{
+ cmdline_parser_release (args_info);
+}
+
+/** @brief replacement of strdup, which is not standard */
+char *
+gengetopt_strdup (const char *s)
+{
+ char *result = 0;
+ if (!s)
+ return result;
+
+ result = (char*)malloc(strlen(s) + 1);
+ if (result == (char*)0)
+ return (char*)0;
+ strcpy(result, s);
+ return result;
+}
+
+static char *
+get_multiple_arg_token(const char *arg)
+{
+ const char *tok;
+ char *ret;
+ size_t len, num_of_escape, i, j;
+
+ if (!arg)
+ return 0;
+
+ tok = strchr (arg, ',');
+ num_of_escape = 0;
+
+ /* make sure it is not escaped */
+ while (tok)
+ {
+ if (*(tok-1) == '\\')
+ {
+ /* find the next one */
+ tok = strchr (tok+1, ',');
+ ++num_of_escape;
+ }
+ else
+ break;
+ }
+
+ if (tok)
+ len = (size_t)(tok - arg + 1);
+ else
+ len = strlen (arg) + 1;
+
+ len -= num_of_escape;
+
+ ret = (char *) malloc (len);
+
+ i = 0;
+ j = 0;
+ while (arg[i] && (j < len-1))
+ {
+ if (arg[i] == '\\' &&
+ arg[ i + 1 ] &&
+ arg[ i + 1 ] == ',')
+ ++i;
+
+ ret[j++] = arg[i++];
+ }
+
+ ret[len-1] = '\0';
+
+ return ret;
+}
+
+static const char *
+get_multiple_arg_token_next(const char *arg)
+{
+ const char *tok;
+
+ if (!arg)
+ return 0;
+
+ tok = strchr (arg, ',');
+
+ /* make sure it is not escaped */
+ while (tok)
+ {
+ if (*(tok-1) == '\\')
+ {
+ /* find the next one */
+ tok = strchr (tok+1, ',');
+ }
+ else
+ break;
+ }
+
+ if (! tok || strlen(tok) == 1)
+ return 0;
+
+ return tok+1;
+}
+
+static int
+check_multiple_option_occurrences(const char *prog_name, unsigned int option_given, unsigned int min, unsigned int max, const char *option_desc);
+
+int
+check_multiple_option_occurrences(const char *prog_name, unsigned int option_given, unsigned int min, unsigned int max, const char *option_desc)
+{
+ int error_occurred = 0;
+
+ if (option_given && (min > 0 || max > 0))
+ {
+ if (min > 0 && max > 0)
+ {
+ if (min == max)
+ {
+ /* specific occurrences */
+ if (option_given != (unsigned int) min)
+ {
+ fprintf (stderr, "%s: %s option occurrences must be %d\n",
+ prog_name, option_desc, min);
+ error_occurred = 1;
+ }
+ }
+ else if (option_given < (unsigned int) min
+ || option_given > (unsigned int) max)
+ {
+ /* range occurrences */
+ fprintf (stderr, "%s: %s option occurrences must be between %d and %d\n",
+ prog_name, option_desc, min, max);
+ error_occurred = 1;
+ }
+ }
+ else if (min > 0)
+ {
+ /* at least check */
+ if (option_given < min)
+ {
+ fprintf (stderr, "%s: %s option occurrences must be at least %d\n",
+ prog_name, option_desc, min);
+ error_occurred = 1;
+ }
+ }
+ else if (max > 0)
+ {
+ /* at most check */
+ if (option_given > max)
+ {
+ fprintf (stderr, "%s: %s option occurrences must be at most %d\n",
+ prog_name, option_desc, max);
+ error_occurred = 1;
+ }
+ }
+ }
+
+ return error_occurred;
+}
+int
+cmdline_parser (int argc, char **argv, struct gengetopt_args_info *args_info)
+{
+ return cmdline_parser2 (argc, argv, args_info, 0, 1, 1);
+}
+
+int
+cmdline_parser_ext (int argc, char **argv, struct gengetopt_args_info *args_info,
+ struct cmdline_parser_params *params)
+{
+ int result;
+ result = cmdline_parser_internal (argc, argv, args_info, params, 0);
+
+ if (result == EXIT_FAILURE)
+ {
+ cmdline_parser_free (args_info);
+ exit (EXIT_FAILURE);
+ }
+
+ return result;
+}
+
+int
+cmdline_parser2 (int argc, char **argv, struct gengetopt_args_info *args_info, int override, int initialize, int check_required)
+{
+ int result;
+ struct cmdline_parser_params params;
+
+ params.override = override;
+ params.initialize = initialize;
+ params.check_required = check_required;
+ params.check_ambiguity = 0;
+ params.print_errors = 1;
+
+ result = cmdline_parser_internal (argc, argv, args_info, ¶ms, 0);
+
+ if (result == EXIT_FAILURE)
+ {
+ cmdline_parser_free (args_info);
+ exit (EXIT_FAILURE);
+ }
+
+ return result;
+}
+
+int
+cmdline_parser_required (struct gengetopt_args_info *args_info, const char *prog_name)
+{
+ int result = EXIT_SUCCESS;
+
+ if (cmdline_parser_required2(args_info, prog_name, 0) > 0)
+ result = EXIT_FAILURE;
+
+ if (result == EXIT_FAILURE)
+ {
+ cmdline_parser_free (args_info);
+ exit (EXIT_FAILURE);
+ }
+
+ return result;
+}
+
+int
+cmdline_parser_required2 (struct gengetopt_args_info *args_info, const char *prog_name, const char *additional_error)
+{
+ int error_occurred = 0;
+ FIX_UNUSED (additional_error);
+
+ /* checks for required options */
+ if (check_multiple_option_occurrences(prog_name, args_info->verbose_given, args_info->verbose_min, args_info->verbose_max, "'--verbose' ('-v')"))
+ error_occurred = 1;
+
+ if (check_multiple_option_occurrences(prog_name, args_info->cv_certificate_given, args_info->cv_certificate_min, args_info->cv_certificate_max, "'--cv-certificate' ('-C')"))
+ error_occurred = 1;
+
+
+ /* checks for dependences among options */
+
+ return error_occurred;
+}
+
+/*
+ * Extracted from the glibc source tree, version 2.3.6
+ *
+ * Licensed under the GPL as per the whole glibc source tree.
+ *
+ * This file was modified so that getopt_long can be called
+ * many times without risking previous memory to be spoiled.
+ *
+ * Modified by Andre Noll and Lorenzo Bettini for use in
+ * GNU gengetopt generated files.
+ *
+ */
+
+/*
+ * we must include anything we need since this file is not thought to be
+ * inserted in a file already using getopt.h
+ *
+ * Lorenzo
+ */
+
+struct option
+{
+ const char *name;
+ /* has_arg can't be an enum because some compilers complain about
+ type mismatches in all the code that assumes it is an int. */
+ int has_arg;
+ int *flag;
+ int val;
+};
+
+/* This version of `getopt' appears to the caller like standard Unix `getopt'
+ but it behaves differently for the user, since it allows the user
+ to intersperse the options with the other arguments.
+
+ As `getopt' works, it permutes the elements of ARGV so that,
+ when it is done, all the options precede everything else. Thus
+ all application programs are extended to handle flexible argument order.
+*/
+/*
+ If the field `flag' is not NULL, it points to a variable that is set
+ to the value given in the field `val' when the option is found, but
+ left unchanged if the option is not found.
+
+ To have a long-named option do something other than set an `int' to
+ a compiled-in constant, such as set a value from `custom_optarg', set the
+ option's `flag' field to zero and its `val' field to a nonzero
+ value (the equivalent single-letter option character, if there is
+ one). For long options that have a zero `flag' field, `getopt'
+ returns the contents of the `val' field. */
+
+/* Names for the values of the `has_arg' field of `struct option'. */
+#ifndef no_argument
+#define no_argument 0
+#endif
+
+#ifndef required_argument
+#define required_argument 1
+#endif
+
+#ifndef optional_argument
+#define optional_argument 2
+#endif
+
+struct custom_getopt_data {
+ /*
+ * These have exactly the same meaning as the corresponding global variables,
+ * except that they are used for the reentrant versions of getopt.
+ */
+ int custom_optind;
+ int custom_opterr;
+ int custom_optopt;
+ char *custom_optarg;
+
+ /* True if the internal members have been initialized. */
+ int initialized;
+
+ /*
+ * The next char to be scanned in the option-element in which the last option
+ * character we returned was found. This allows us to pick up the scan where
+ * we left off. If this is zero, or a null string, it means resume the scan by
+ * advancing to the next ARGV-element.
+ */
+ char *nextchar;
+
+ /*
+ * Describe the part of ARGV that contains non-options that have been skipped.
+ * `first_nonopt' is the index in ARGV of the first of them; `last_nonopt' is
+ * the index after the last of them.
+ */
+ int first_nonopt;
+ int last_nonopt;
+};
+
+/*
+ * the variables optarg, optind, opterr and optopt are renamed with
+ * the custom_ prefix so that they don't interfere with getopt ones.
+ *
+ * Moreover they're static so they are visible only from within the
+ * file where this very file will be included.
+ */
+
+/*
+ * For communication from `custom_getopt' to the caller. When `custom_getopt' finds an
+ * option that takes an argument, the argument value is returned here.
+ */
+static char *custom_optarg;
+
+/*
+ * Index in ARGV of the next element to be scanned. This is used for
+ * communication to and from the caller and for communication between
+ * successive calls to `custom_getopt'.
+ *
+ * On entry to `custom_getopt', 1 means this is the first call; initialize.
+ *
+ * When `custom_getopt' returns -1, this is the index of the first of the non-option
+ * elements that the caller should itself scan.
+ *
+ * Otherwise, `custom_optind' communicates from one call to the next how much of ARGV
+ * has been scanned so far.
+ *
+ * 1003.2 says this must be 1 before any call.
+ */
+static int custom_optind = 1;
+
+/*
+ * Callers store zero here to inhibit the error message for unrecognized
+ * options.
+ */
+static int custom_opterr = 1;
+
+/*
+ * Set to an option character which was unrecognized. This must be initialized
+ * on some systems to avoid linking in the system's own getopt implementation.
+ */
+static int custom_optopt = '?';
+
+/*
+ * Exchange two adjacent subsequences of ARGV. One subsequence is elements
+ * [first_nonopt,last_nonopt) which contains all the non-options that have been
+ * skipped so far. The other is elements [last_nonopt,custom_optind), which contains
+ * all the options processed since those non-options were skipped.
+ * `first_nonopt' and `last_nonopt' are relocated so that they describe the new
+ * indices of the non-options in ARGV after they are moved.
+ */
+static void exchange(char **argv, struct custom_getopt_data *d)
+{
+ int bottom = d->first_nonopt;
+ int middle = d->last_nonopt;
+ int top = d->custom_optind;
+ char *tem;
+
+ /*
+ * Exchange the shorter segment with the far end of the longer segment.
+ * That puts the shorter segment into the right place. It leaves the
+ * longer segment in the right place overall, but it consists of two
+ * parts that need to be swapped next.
+ */
+ while (top > middle && middle > bottom) {
+ if (top - middle > middle - bottom) {
+ /* Bottom segment is the short one. */
+ int len = middle - bottom;
+ int i;
+
+ /* Swap it with the top part of the top segment. */
+ for (i = 0; i < len; i++) {
+ tem = argv[bottom + i];
+ argv[bottom + i] =
+ argv[top - (middle - bottom) + i];
+ argv[top - (middle - bottom) + i] = tem;
+ }
+ /* Exclude the moved bottom segment from further swapping. */
+ top -= len;
+ } else {
+ /* Top segment is the short one. */
+ int len = top - middle;
+ int i;
+
+ /* Swap it with the bottom part of the bottom segment. */
+ for (i = 0; i < len; i++) {
+ tem = argv[bottom + i];
+ argv[bottom + i] = argv[middle + i];
+ argv[middle + i] = tem;
+ }
+ /* Exclude the moved top segment from further swapping. */
+ bottom += len;
+ }
+ }
+ /* Update records for the slots the non-options now occupy. */
+ d->first_nonopt += (d->custom_optind - d->last_nonopt);
+ d->last_nonopt = d->custom_optind;
+}
+
+/* Initialize the internal data when the first call is made. */
+static void custom_getopt_initialize(struct custom_getopt_data *d)
+{
+ /*
+ * Start processing options with ARGV-element 1 (since ARGV-element 0
+ * is the program name); the sequence of previously skipped non-option
+ * ARGV-elements is empty.
+ */
+ d->first_nonopt = d->last_nonopt = d->custom_optind;
+ d->nextchar = NULL;
+ d->initialized = 1;
+}
+
+#define NONOPTION_P (argv[d->custom_optind][0] != '-' || argv[d->custom_optind][1] == '\0')
+
+/* return: zero: continue, nonzero: return given value to user */
+static int shuffle_argv(int argc, char *const *argv,const struct option *longopts,
+ struct custom_getopt_data *d)
+{
+ /*
+ * Give FIRST_NONOPT & LAST_NONOPT rational values if CUSTOM_OPTIND has been
+ * moved back by the user (who may also have changed the arguments).
+ */
+ if (d->last_nonopt > d->custom_optind)
+ d->last_nonopt = d->custom_optind;
+ if (d->first_nonopt > d->custom_optind)
+ d->first_nonopt = d->custom_optind;
+ /*
+ * If we have just processed some options following some
+ * non-options, exchange them so that the options come first.
+ */
+ if (d->first_nonopt != d->last_nonopt &&
+ d->last_nonopt != d->custom_optind)
+ exchange((char **) argv, d);
+ else if (d->last_nonopt != d->custom_optind)
+ d->first_nonopt = d->custom_optind;
+ /*
+ * Skip any additional non-options and extend the range of
+ * non-options previously skipped.
+ */
+ while (d->custom_optind < argc && NONOPTION_P)
+ d->custom_optind++;
+ d->last_nonopt = d->custom_optind;
+ /*
+ * The special ARGV-element `--' means premature end of options. Skip
+ * it like a null option, then exchange with previous non-options as if
+ * it were an option, then skip everything else like a non-option.
+ */
+ if (d->custom_optind != argc && !strcmp(argv[d->custom_optind], "--")) {
+ d->custom_optind++;
+ if (d->first_nonopt != d->last_nonopt
+ && d->last_nonopt != d->custom_optind)
+ exchange((char **) argv, d);
+ else if (d->first_nonopt == d->last_nonopt)
+ d->first_nonopt = d->custom_optind;
+ d->last_nonopt = argc;
+ d->custom_optind = argc;
+ }
+ /*
+ * If we have done all the ARGV-elements, stop the scan and back over
+ * any non-options that we skipped and permuted.
+ */
+ if (d->custom_optind == argc) {
+ /*
+ * Set the next-arg-index to point at the non-options that we
+ * previously skipped, so the caller will digest them.
+ */
+ if (d->first_nonopt != d->last_nonopt)
+ d->custom_optind = d->first_nonopt;
+ return -1;
+ }
+ /*
+ * If we have come to a non-option and did not permute it, either stop
+ * the scan or describe it to the caller and pass it by.
+ */
+ if (NONOPTION_P) {
+ d->custom_optarg = argv[d->custom_optind++];
+ return 1;
+ }
+ /*
+ * We have found another option-ARGV-element. Skip the initial
+ * punctuation.
+ */
+ d->nextchar = (argv[d->custom_optind] + 1 + (longopts != NULL && argv[d->custom_optind][1] == '-'));
+ return 0;
+}
+
+/*
+ * Check whether the ARGV-element is a long option.
+ *
+ * If there's a long option "fubar" and the ARGV-element is "-fu", consider
+ * that an abbreviation of the long option, just like "--fu", and not "-f" with
+ * arg "u".
+ *
+ * This distinction seems to be the most useful approach.
+ *
+ */
+static int check_long_opt(int argc, char *const *argv, const char *optstring,
+ const struct option *longopts, int *longind,
+ int print_errors, struct custom_getopt_data *d)
+{
+ char *nameend;
+ const struct option *p;
+ const struct option *pfound = NULL;
+ int exact = 0;
+ int ambig = 0;
+ int indfound = -1;
+ int option_index;
+
+ for (nameend = d->nextchar; *nameend && *nameend != '='; nameend++)
+ /* Do nothing. */ ;
+
+ /* Test all long options for either exact match or abbreviated matches */
+ for (p = longopts, option_index = 0; p->name; p++, option_index++)
+ if (!strncmp(p->name, d->nextchar, nameend - d->nextchar)) {
+ if ((unsigned int) (nameend - d->nextchar)
+ == (unsigned int) strlen(p->name)) {
+ /* Exact match found. */
+ pfound = p;
+ indfound = option_index;
+ exact = 1;
+ break;
+ } else if (pfound == NULL) {
+ /* First nonexact match found. */
+ pfound = p;
+ indfound = option_index;
+ } else if (pfound->has_arg != p->has_arg
+ || pfound->flag != p->flag
+ || pfound->val != p->val)
+ /* Second or later nonexact match found. */
+ ambig = 1;
+ }
+ if (ambig && !exact) {
+ if (print_errors) {
+ fprintf(stderr,
+ "%s: option `%s' is ambiguous\n",
+ argv[0], argv[d->custom_optind]);
+ }
+ d->nextchar += strlen(d->nextchar);
+ d->custom_optind++;
+ d->custom_optopt = 0;
+ return '?';
+ }
+ if (pfound) {
+ option_index = indfound;
+ d->custom_optind++;
+ if (*nameend) {
+ if (pfound->has_arg != no_argument)
+ d->custom_optarg = nameend + 1;
+ else {
+ if (print_errors) {
+ if (argv[d->custom_optind - 1][1] == '-') {
+ /* --option */
+ fprintf(stderr, "%s: option `--%s' doesn't allow an argument\n",
+ argv[0], pfound->name);
+ } else {
+ /* +option or -option */
+ fprintf(stderr, "%s: option `%c%s' doesn't allow an argument\n",
+ argv[0], argv[d->custom_optind - 1][0], pfound->name);
+ }
+
+ }
+ d->nextchar += strlen(d->nextchar);
+ d->custom_optopt = pfound->val;
+ return '?';
+ }
+ } else if (pfound->has_arg == required_argument) {
+ if (d->custom_optind < argc)
+ d->custom_optarg = argv[d->custom_optind++];
+ else {
+ if (print_errors) {
+ fprintf(stderr,
+ "%s: option `%s' requires an argument\n",
+ argv[0],
+ argv[d->custom_optind - 1]);
+ }
+ d->nextchar += strlen(d->nextchar);
+ d->custom_optopt = pfound->val;
+ return optstring[0] == ':' ? ':' : '?';
+ }
+ }
+ d->nextchar += strlen(d->nextchar);
+ if (longind != NULL)
+ *longind = option_index;
+ if (pfound->flag) {
+ *(pfound->flag) = pfound->val;
+ return 0;
+ }
+ return pfound->val;
+ }
+ /*
+ * Can't find it as a long option. If this is not getopt_long_only, or
+ * the option starts with '--' or is not a valid short option, then
+ * it's an error. Otherwise interpret it as a short option.
+ */
+ if (print_errors) {
+ if (argv[d->custom_optind][1] == '-') {
+ /* --option */
+ fprintf(stderr,
+ "%s: unrecognized option `--%s'\n",
+ argv[0], d->nextchar);
+ } else {
+ /* +option or -option */
+ fprintf(stderr,
+ "%s: unrecognized option `%c%s'\n",
+ argv[0], argv[d->custom_optind][0],
+ d->nextchar);
+ }
+ }
+ d->nextchar = (char *) "";
+ d->custom_optind++;
+ d->custom_optopt = 0;
+ return '?';
+}
+
+static int check_short_opt(int argc, char *const *argv, const char *optstring,
+ int print_errors, struct custom_getopt_data *d)
+{
+ char c = *d->nextchar++;
+ const char *temp = strchr(optstring, c);
+
+ /* Increment `custom_optind' when we start to process its last character. */
+ if (*d->nextchar == '\0')
+ ++d->custom_optind;
+ if (!temp || c == ':') {
+ if (print_errors)
+ fprintf(stderr, "%s: invalid option -- %c\n", argv[0], c);
+
+ d->custom_optopt = c;
+ return '?';
+ }
+ if (temp[1] == ':') {
+ if (temp[2] == ':') {
+ /* This is an option that accepts an argument optionally. */
+ if (*d->nextchar != '\0') {
+ d->custom_optarg = d->nextchar;
+ d->custom_optind++;
+ } else
+ d->custom_optarg = NULL;
+ d->nextchar = NULL;
+ } else {
+ /* This is an option that requires an argument. */
+ if (*d->nextchar != '\0') {
+ d->custom_optarg = d->nextchar;
+ /*
+ * If we end this ARGV-element by taking the
+ * rest as an arg, we must advance to the next
+ * element now.
+ */
+ d->custom_optind++;
+ } else if (d->custom_optind == argc) {
+ if (print_errors) {
+ fprintf(stderr,
+ "%s: option requires an argument -- %c\n",
+ argv[0], c);
+ }
+ d->custom_optopt = c;
+ if (optstring[0] == ':')
+ c = ':';
+ else
+ c = '?';
+ } else
+ /*
+ * We already incremented `custom_optind' once;
+ * increment it again when taking next ARGV-elt
+ * as argument.
+ */
+ d->custom_optarg = argv[d->custom_optind++];
+ d->nextchar = NULL;
+ }
+ }
+ return c;
+}
+
+/*
+ * Scan elements of ARGV for option characters given in OPTSTRING.
+ *
+ * If an element of ARGV starts with '-', and is not exactly "-" or "--",
+ * then it is an option element. The characters of this element
+ * (aside from the initial '-') are option characters. If `getopt'
+ * is called repeatedly, it returns successively each of the option characters
+ * from each of the option elements.
+ *
+ * If `getopt' finds another option character, it returns that character,
+ * updating `custom_optind' and `nextchar' so that the next call to `getopt' can
+ * resume the scan with the following option character or ARGV-element.
+ *
+ * If there are no more option characters, `getopt' returns -1.
+ * Then `custom_optind' is the index in ARGV of the first ARGV-element
+ * that is not an option. (The ARGV-elements have been permuted
+ * so that those that are not options now come last.)
+ *
+ * OPTSTRING is a string containing the legitimate option characters.
+ * If an option character is seen that is not listed in OPTSTRING,
+ * return '?' after printing an error message. If you set `custom_opterr' to
+ * zero, the error message is suppressed but we still return '?'.
+ *
+ * If a char in OPTSTRING is followed by a colon, that means it wants an arg,
+ * so the following text in the same ARGV-element, or the text of the following
+ * ARGV-element, is returned in `custom_optarg'. Two colons mean an option that
+ * wants an optional arg; if there is text in the current ARGV-element,
+ * it is returned in `custom_optarg', otherwise `custom_optarg' is set to zero.
+ *
+ * If OPTSTRING starts with `-' or `+', it requests different methods of
+ * handling the non-option ARGV-elements.
+ * See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above.
+ *
+ * Long-named options begin with `--' instead of `-'.
+ * Their names may be abbreviated as long as the abbreviation is unique
+ * or is an exact match for some defined option. If they have an
+ * argument, it follows the option name in the same ARGV-element, separated
+ * from the option name by a `=', or else the in next ARGV-element.
+ * When `getopt' finds a long-named option, it returns 0 if that option's
+ * `flag' field is nonzero, the value of the option's `val' field
+ * if the `flag' field is zero.
+ *
+ * The elements of ARGV aren't really const, because we permute them.
+ * But we pretend they're const in the prototype to be compatible
+ * with other systems.
+ *
+ * LONGOPTS is a vector of `struct option' terminated by an
+ * element containing a name which is zero.
+ *
+ * LONGIND returns the index in LONGOPT of the long-named option found.
+ * It is only valid when a long-named option has been found by the most
+ * recent call.
+ *
+ * Return the option character from OPTS just read. Return -1 when there are
+ * no more options. For unrecognized options, or options missing arguments,
+ * `custom_optopt' is set to the option letter, and '?' is returned.
+ *
+ * The OPTS string is a list of characters which are recognized option letters,
+ * optionally followed by colons, specifying that that letter takes an
+ * argument, to be placed in `custom_optarg'.
+ *
+ * If a letter in OPTS is followed by two colons, its argument is optional.
+ * This behavior is specific to the GNU `getopt'.
+ *
+ * The argument `--' causes premature termination of argument scanning,
+ * explicitly telling `getopt' that there are no more options. If OPTS begins
+ * with `--', then non-option arguments are treated as arguments to the option
+ * '\0'. This behavior is specific to the GNU `getopt'.
+ */
+
+static int getopt_internal_r(int argc, char *const *argv, const char *optstring,
+ const struct option *longopts, int *longind,
+ struct custom_getopt_data *d)
+{
+ int ret, print_errors = d->custom_opterr;
+
+ if (optstring[0] == ':')
+ print_errors = 0;
+ if (argc < 1)
+ return -1;
+ d->custom_optarg = NULL;
+
+ /*
+ * This is a big difference with GNU getopt, since optind == 0
+ * means initialization while here 1 means first call.
+ */
+ if (d->custom_optind == 0 || !d->initialized) {
+ if (d->custom_optind == 0)
+ d->custom_optind = 1; /* Don't scan ARGV[0], the program name. */
+ custom_getopt_initialize(d);
+ }
+ if (d->nextchar == NULL || *d->nextchar == '\0') {
+ ret = shuffle_argv(argc, argv, longopts, d);
+ if (ret)
+ return ret;
+ }
+ if (longopts && (argv[d->custom_optind][1] == '-' ))
+ return check_long_opt(argc, argv, optstring, longopts,
+ longind, print_errors, d);
+ return check_short_opt(argc, argv, optstring, print_errors, d);
+}
+
+static int custom_getopt_internal(int argc, char *const *argv, const char *optstring,
+ const struct option *longopts, int *longind)
+{
+ int result;
+ /* Keep a global copy of all internal members of d */
+ static struct custom_getopt_data d;
+
+ d.custom_optind = custom_optind;
+ d.custom_opterr = custom_opterr;
+ result = getopt_internal_r(argc, argv, optstring, longopts,
+ longind, &d);
+ custom_optind = d.custom_optind;
+ custom_optarg = d.custom_optarg;
+ custom_optopt = d.custom_optopt;
+ return result;
+}
+
+static int custom_getopt_long (int argc, char *const *argv, const char *options,
+ const struct option *long_options, int *opt_index)
+{
+ return custom_getopt_internal(argc, argv, options, long_options,
+ opt_index);
+}
+
+
+static char *package_name = 0;
+
+/**
+ * @brief updates an option
+ * @param field the generic pointer to the field to update
+ * @param orig_field the pointer to the orig field
+ * @param field_given the pointer to the number of occurrence of this option
+ * @param prev_given the pointer to the number of occurrence already seen
+ * @param value the argument for this option (if null no arg was specified)
+ * @param possible_values the possible values for this option (if specified)
+ * @param default_value the default value (in case the option only accepts fixed values)
+ * @param arg_type the type of this option
+ * @param check_ambiguity @see cmdline_parser_params.check_ambiguity
+ * @param override @see cmdline_parser_params.override
+ * @param no_free whether to free a possible previous value
+ * @param multiple_option whether this is a multiple option
+ * @param long_opt the corresponding long option
+ * @param short_opt the corresponding short option (or '-' if none)
+ * @param additional_error possible further error specification
+ */
+static
+int update_arg(void *field, char **orig_field,
+ unsigned int *field_given, unsigned int *prev_given,
+ char *value, const char *possible_values[],
+ const char *default_value,
+ cmdline_parser_arg_type arg_type,
+ int check_ambiguity, int override,
+ int no_free, int multiple_option,
+ const char *long_opt, char short_opt,
+ const char *additional_error)
+{
+ char *stop_char = 0;
+ const char *val = value;
+ int found;
+ char **string_field;
+ FIX_UNUSED (field);
+
+ stop_char = 0;
+ found = 0;
+
+ if (!multiple_option && prev_given && (*prev_given || (check_ambiguity && *field_given)))
+ {
+ if (short_opt != '-')
+ fprintf (stderr, "%s: `--%s' (`-%c') option given more than once%s\n",
+ package_name, long_opt, short_opt,
+ (additional_error ? additional_error : ""));
+ else
+ fprintf (stderr, "%s: `--%s' option given more than once%s\n",
+ package_name, long_opt,
+ (additional_error ? additional_error : ""));
+ return 1; /* failure */
+ }
+
+ FIX_UNUSED (default_value);
+
+ if (field_given && *field_given && ! override)
+ return 0;
+ if (prev_given)
+ (*prev_given)++;
+ if (field_given)
+ (*field_given)++;
+ if (possible_values)
+ val = possible_values[found];
+
+ switch(arg_type) {
+ case ARG_FLAG:
+ *((int *)field) = !*((int *)field);
+ break;
+ case ARG_INT:
+ if (val) *((int *)field) = strtol (val, &stop_char, 0);
+ break;
+ case ARG_STRING:
+ if (val) {
+ string_field = (char **)field;
+ if (!no_free && *string_field)
+ free (*string_field); /* free previous string */
+ *string_field = gengetopt_strdup (val);
+ }
+ break;
+ default:
+ break;
+ };
+
+ /* check numeric conversion */
+ switch(arg_type) {
+ case ARG_INT:
+ if (val && !(stop_char && *stop_char == '\0')) {
+ fprintf(stderr, "%s: invalid numeric value: %s\n", package_name, val);
+ return 1; /* failure */
+ }
+ break;
+ default:
+ ;
+ };
+
+ /* store the original value */
+ switch(arg_type) {
+ case ARG_NO:
+ case ARG_FLAG:
+ break;
+ default:
+ if (value && orig_field) {
+ if (no_free) {
+ *orig_field = value;
+ } else {
+ if (*orig_field)
+ free (*orig_field); /* free previous string */
+ *orig_field = gengetopt_strdup (value);
+ }
+ }
+ };
+
+ return 0; /* OK */
+}
+
+/**
+ * @brief store information about a multiple option in a temporary list
+ * @param list where to (temporarily) store multiple options
+ */
+static
+int update_multiple_arg_temp(struct generic_list **list,
+ unsigned int *prev_given, const char *val,
+ const char *possible_values[], const char *default_value,
+ cmdline_parser_arg_type arg_type,
+ const char *long_opt, char short_opt,
+ const char *additional_error)
+{
+ /* store single arguments */
+ char *multi_token;
+ const char *multi_next;
+
+ if (arg_type == ARG_NO) {
+ (*prev_given)++;
+ return 0; /* OK */
+ }
+
+ multi_token = get_multiple_arg_token(val);
+ multi_next = get_multiple_arg_token_next (val);
+
+ while (1)
+ {
+ add_node (list);
+ if (update_arg((void *)&((*list)->arg), &((*list)->orig), 0,
+ prev_given, multi_token, possible_values, default_value,
+ arg_type, 0, 1, 1, 1, long_opt, short_opt, additional_error)) {
+ if (multi_token) free(multi_token);
+ return 1; /* failure */
+ }
+
+ if (multi_next)
+ {
+ multi_token = get_multiple_arg_token(multi_next);
+ multi_next = get_multiple_arg_token_next (multi_next);
+ }
+ else
+ break;
+ }
+
+ return 0; /* OK */
+}
+
+/**
+ * @brief free the passed list (including possible string argument)
+ */
+static
+void free_list(struct generic_list *list, short string_arg)
+{
+ if (list) {
+ struct generic_list *tmp;
+ while (list)
+ {
+ tmp = list;
+ if (string_arg && list->arg.string_arg)
+ free (list->arg.string_arg);
+ if (list->orig)
+ free (list->orig);
+ list = list->next;
+ free (tmp);
+ }
+ }
+}
+
+/**
+ * @brief updates a multiple option starting from the passed list
+ */
+static
+void update_multiple_arg(void *field, char ***orig_field,
+ unsigned int field_given, unsigned int prev_given, union generic_value *default_value,
+ cmdline_parser_arg_type arg_type,
+ struct generic_list *list)
+{
+ int i;
+ struct generic_list *tmp;
+
+ if (prev_given && list) {
+ *orig_field = (char **) realloc (*orig_field, (field_given + prev_given) * sizeof (char *));
+
+ switch(arg_type) {
+ case ARG_INT:
+ *((int **)field) = (int *)realloc (*((int **)field), (field_given + prev_given) * sizeof (int)); break;
+ case ARG_STRING:
+ *((char ***)field) = (char **)realloc (*((char ***)field), (field_given + prev_given) * sizeof (char *)); break;
+ default:
+ break;
+ };
+
+ for (i = (prev_given - 1); i >= 0; --i)
+ {
+ tmp = list;
+
+ switch(arg_type) {
+ case ARG_INT:
+ (*((int **)field))[i + field_given] = tmp->arg.int_arg; break;
+ case ARG_STRING:
+ (*((char ***)field))[i + field_given] = tmp->arg.string_arg; break;
+ default:
+ break;
+ }
+ (*orig_field) [i + field_given] = list->orig;
+ list = list->next;
+ free (tmp);
+ }
+ } else { /* set the default value */
+ if (default_value && ! field_given) {
+ switch(arg_type) {
+ case ARG_INT:
+ if (! *((int **)field)) {
+ *((int **)field) = (int *)malloc (sizeof (int));
+ (*((int **)field))[0] = default_value->int_arg;
+ }
+ break;
+ case ARG_STRING:
+ if (! *((char ***)field)) {
+ *((char ***)field) = (char **)malloc (sizeof (char *));
+ (*((char ***)field))[0] = gengetopt_strdup(default_value->string_arg);
+ }
+ break;
+ default: break;
+ }
+ if (!(*orig_field)) {
+ *orig_field = (char **) malloc (sizeof (char *));
+ (*orig_field)[0] = 0;
+ }
+ }
+ }
+}
+
+int
+cmdline_parser_internal (
+ int argc, char **argv, struct gengetopt_args_info *args_info,
+ struct cmdline_parser_params *params, const char *additional_error)
+{
+ int c; /* Character of the parsed option. */
+
+ struct generic_list * cv_certificate_list = NULL;
+ int error_occurred = 0;
+ struct gengetopt_args_info local_args_info;
+
+ int override;
+ int initialize;
+ int check_required;
+ int check_ambiguity;
+
+ char *optarg;
+ int optind;
+ int opterr;
+ int optopt;
+
+ package_name = argv[0];
+
+ override = params->override;
+ initialize = params->initialize;
+ check_required = params->check_required;
+ check_ambiguity = params->check_ambiguity;
+
+ if (initialize)
+ cmdline_parser_init (args_info);
+
+ cmdline_parser_init (&local_args_info);
+
+ optarg = 0;
+ optind = 0;
+ opterr = params->print_errors;
+ optopt = '?';
+
+ while (1)
+ {
+ int option_index = 0;
+
+ static struct option long_options[] = {
+ { "help", 0, NULL, 'h' },
+ { "version", 0, NULL, 'V' },
+ { "reader", 1, NULL, 'r' },
+ { "verbose", 0, NULL, 'v' },
+ { "pin", 2, NULL, 'p' },
+ { "puk", 2, NULL, 'u' },
+ { "can", 2, NULL, 'c' },
+ { "mrz", 2, NULL, 'm' },
+ { "env", 0, NULL, 0 },
+ { "new-pin", 2, NULL, 'N' },
+ { "resume", 0, NULL, 'R' },
+ { "unblock", 0, NULL, 'U' },
+ { "cv-certificate", 1, NULL, 'C' },
+ { "cert-desc", 1, NULL, 0 },
+ { "chat", 1, NULL, 0 },
+ { "auxiliary-data", 1, NULL, 'A' },
+ { "private-key", 1, NULL, 'P' },
+ { "cvc-dir", 1, NULL, 0 },
+ { "x509-dir", 1, NULL, 0 },
+ { "disable-ta-checks", 0, NULL, 0 },
+ { "disable-ca-checks", 0, NULL, 0 },
+ { "read-dg1", 0, NULL, 0 },
+ { "read-dg2", 0, NULL, 0 },
+ { "read-dg3", 0, NULL, 0 },
+ { "read-dg4", 0, NULL, 0 },
+ { "read-dg5", 0, NULL, 0 },
+ { "read-dg6", 0, NULL, 0 },
+ { "read-dg7", 0, NULL, 0 },
+ { "read-dg8", 0, NULL, 0 },
+ { "read-dg9", 0, NULL, 0 },
+ { "read-dg10", 0, NULL, 0 },
+ { "read-dg11", 0, NULL, 0 },
+ { "read-dg12", 0, NULL, 0 },
+ { "read-dg13", 0, NULL, 0 },
+ { "read-dg14", 0, NULL, 0 },
+ { "read-dg15", 0, NULL, 0 },
+ { "read-dg16", 0, NULL, 0 },
+ { "read-dg17", 0, NULL, 0 },
+ { "read-dg18", 0, NULL, 0 },
+ { "read-dg19", 0, NULL, 0 },
+ { "read-dg20", 0, NULL, 0 },
+ { "read-dg21", 0, NULL, 0 },
+ { "write-dg17", 1, NULL, 0 },
+ { "write-dg18", 1, NULL, 0 },
+ { "write-dg19", 1, NULL, 0 },
+ { "write-dg20", 1, NULL, 0 },
+ { "write-dg21", 1, NULL, 0 },
+ { "verify-validity", 1, NULL, 0 },
+ { "older-than", 1, NULL, 0 },
+ { "verify-community", 1, NULL, 0 },
+ { "break", 0, NULL, 'b' },
+ { "translate", 1, NULL, 't' },
+ { "tr-03110v201", 0, NULL, 0 },
+ { "disable-all-checks", 0, NULL, 0 },
+ { 0, 0, 0, 0 }
+ };
+
+ custom_optarg = optarg;
+ custom_optind = optind;
+ custom_opterr = opterr;
+ custom_optopt = optopt;
+
+ c = custom_getopt_long (argc, argv, "hVr:vp::u::c::m::N::RUC:A:P:bt:", long_options, &option_index);
+
+ optarg = custom_optarg;
+ optind = custom_optind;
+ opterr = custom_opterr;
+ optopt = custom_optopt;
+
+ if (c == -1) break; /* Exit from `while (1)' loop. */
+
+ switch (c)
+ {
+ case 'h': /* Print help and exit. */
+ cmdline_parser_print_help ();
+ cmdline_parser_free (&local_args_info);
+ exit (EXIT_SUCCESS);
+
+ case 'V': /* Print version and exit. */
+ cmdline_parser_print_version ();
+ cmdline_parser_free (&local_args_info);
+ exit (EXIT_SUCCESS);
+
+ case 'r': /* Number of the PC/SC reader to use (-1 for autodetect). */
+
+
+ if (update_arg( (void *)&(args_info->reader_arg),
+ &(args_info->reader_orig), &(args_info->reader_given),
+ &(local_args_info.reader_given), optarg, 0, "-1", ARG_INT,
+ check_ambiguity, override, 0, 0,
+ "reader", 'r',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'v': /* Use (several times) to be more verbose. */
+
+ local_args_info.verbose_given++;
+
+ break;
+ case 'p': /* Run PACE with (transport) eID-PIN. */
+
+
+ if (update_arg( (void *)&(args_info->pin_arg),
+ &(args_info->pin_orig), &(args_info->pin_given),
+ &(local_args_info.pin_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "pin", 'p',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'u': /* Run PACE with PUK. */
+
+
+ if (update_arg( (void *)&(args_info->puk_arg),
+ &(args_info->puk_orig), &(args_info->puk_given),
+ &(local_args_info.puk_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "puk", 'u',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'c': /* Run PACE with CAN. */
+
+
+ if (update_arg( (void *)&(args_info->can_arg),
+ &(args_info->can_orig), &(args_info->can_given),
+ &(local_args_info.can_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "can", 'c',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'm': /* Run PACE with MRZ (insert MRZ without newlines). */
+
+
+ if (update_arg( (void *)&(args_info->mrz_arg),
+ &(args_info->mrz_orig), &(args_info->mrz_given),
+ &(local_args_info.mrz_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "mrz", 'm',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'N': /* Install a new PIN. */
+
+
+ if (update_arg( (void *)&(args_info->new_pin_arg),
+ &(args_info->new_pin_orig), &(args_info->new_pin_given),
+ &(local_args_info.new_pin_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "new-pin", 'N',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'R': /* Resume eID-PIN (uses CAN to activate last retry). */
+
+
+ if (update_arg((void *)&(args_info->resume_flag), 0, &(args_info->resume_given),
+ &(local_args_info.resume_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "resume", 'R',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'U': /* Unblock PIN (uses PUK to activate three more retries). */
+
+
+ if (update_arg((void *)&(args_info->unblock_flag), 0, &(args_info->unblock_given),
+ &(local_args_info.unblock_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "unblock", 'U',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'C': /* Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).. */
+
+ if (update_multiple_arg_temp(&cv_certificate_list,
+ &(local_args_info.cv_certificate_given), optarg, 0, 0, ARG_STRING,
+ "cv-certificate", 'C',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'A': /* Terminal's auxiliary data (default is determined by verification of validity, age and community ID).. */
+
+
+ if (update_arg( (void *)&(args_info->auxiliary_data_arg),
+ &(args_info->auxiliary_data_orig), &(args_info->auxiliary_data_given),
+ &(local_args_info.auxiliary_data_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "auxiliary-data", 'A',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'P': /* Terminal's private key. */
+
+
+ if (update_arg( (void *)&(args_info->private_key_arg),
+ &(args_info->private_key_orig), &(args_info->private_key_given),
+ &(local_args_info.private_key_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "private-key", 'P',
+ additional_error))
+ goto failure;
+
+ break;
+ case 'b': /* Brute force PIN, CAN or PUK. Use together with -p, -a or -u. */
+
+
+ if (update_arg((void *)&(args_info->break_flag), 0, &(args_info->break_given),
+ &(local_args_info.break_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "break", 'b',
+ additional_error))
+ goto failure;
+
+ break;
+ case 't': /* File with APDUs of HEX_STRINGs to send through the secure channel. */
+
+
+ if (update_arg( (void *)&(args_info->translate_arg),
+ &(args_info->translate_orig), &(args_info->translate_given),
+ &(local_args_info.translate_given), optarg, 0, "stdin", ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "translate", 't',
+ additional_error))
+ goto failure;
+
+ break;
+
+ case 0: /* Long option with no short option */
+ /* Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this.. */
+ if (strcmp (long_options[option_index].name, "env") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->env_flag), 0, &(args_info->env_given),
+ &(local_args_info.env_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "env", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Certificate description to show for Terminal Authentication. */
+ else if (strcmp (long_options[option_index].name, "cert-desc") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->cert_desc_arg),
+ &(args_info->cert_desc_orig), &(args_info->cert_desc_given),
+ &(local_args_info.cert_desc_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "cert-desc", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser).. */
+ else if (strcmp (long_options[option_index].name, "chat") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->chat_arg),
+ &(args_info->chat_orig), &(args_info->chat_given),
+ &(local_args_info.chat_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "chat", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Where to look for the CVCA's certificate. */
+ else if (strcmp (long_options[option_index].name, "cvc-dir") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->cvc_dir_arg),
+ &(args_info->cvc_dir_orig), &(args_info->cvc_dir_given),
+ &(local_args_info.cvc_dir_given), optarg, 0, "/home/fm/.local/etc/eac/cvc", ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "cvc-dir", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Where to look for the CSCA's certificate. */
+ else if (strcmp (long_options[option_index].name, "x509-dir") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->x509_dir_arg),
+ &(args_info->x509_dir_orig), &(args_info->x509_dir_given),
+ &(local_args_info.x509_dir_given), optarg, 0, "/home/fm/.local/etc/eac/x509", ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "x509-dir", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Disable checking the validity period of CV certifcates. */
+ else if (strcmp (long_options[option_index].name, "disable-ta-checks") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->disable_ta_checks_flag), 0, &(args_info->disable_ta_checks_given),
+ &(local_args_info.disable_ta_checks_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "disable-ta-checks", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Disable passive authentication. */
+ else if (strcmp (long_options[option_index].name, "disable-ca-checks") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->disable_ca_checks_flag), 0, &(args_info->disable_ca_checks_given),
+ &(local_args_info.disable_ca_checks_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "disable-ca-checks", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 1 (Document Type). */
+ else if (strcmp (long_options[option_index].name, "read-dg1") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg1_flag), 0, &(args_info->read_dg1_given),
+ &(local_args_info.read_dg1_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg1", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 2 (Issuing State). */
+ else if (strcmp (long_options[option_index].name, "read-dg2") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg2_flag), 0, &(args_info->read_dg2_given),
+ &(local_args_info.read_dg2_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg2", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 3 (Date of Expiry). */
+ else if (strcmp (long_options[option_index].name, "read-dg3") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg3_flag), 0, &(args_info->read_dg3_given),
+ &(local_args_info.read_dg3_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg3", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 4 (Given Names). */
+ else if (strcmp (long_options[option_index].name, "read-dg4") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg4_flag), 0, &(args_info->read_dg4_given),
+ &(local_args_info.read_dg4_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg4", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 5 (Family Names). */
+ else if (strcmp (long_options[option_index].name, "read-dg5") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg5_flag), 0, &(args_info->read_dg5_given),
+ &(local_args_info.read_dg5_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg5", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 6 (Religious/Artistic Name). */
+ else if (strcmp (long_options[option_index].name, "read-dg6") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg6_flag), 0, &(args_info->read_dg6_given),
+ &(local_args_info.read_dg6_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg6", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 7 (Academic Title). */
+ else if (strcmp (long_options[option_index].name, "read-dg7") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg7_flag), 0, &(args_info->read_dg7_given),
+ &(local_args_info.read_dg7_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg7", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 8 (Date of Birth). */
+ else if (strcmp (long_options[option_index].name, "read-dg8") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg8_flag), 0, &(args_info->read_dg8_given),
+ &(local_args_info.read_dg8_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg8", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 9 (Place of Birth). */
+ else if (strcmp (long_options[option_index].name, "read-dg9") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg9_flag), 0, &(args_info->read_dg9_given),
+ &(local_args_info.read_dg9_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg9", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 10 (Nationality). */
+ else if (strcmp (long_options[option_index].name, "read-dg10") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg10_flag), 0, &(args_info->read_dg10_given),
+ &(local_args_info.read_dg10_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg10", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 11 (Sex). */
+ else if (strcmp (long_options[option_index].name, "read-dg11") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg11_flag), 0, &(args_info->read_dg11_given),
+ &(local_args_info.read_dg11_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg11", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 12 (Optional Data). */
+ else if (strcmp (long_options[option_index].name, "read-dg12") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg12_flag), 0, &(args_info->read_dg12_given),
+ &(local_args_info.read_dg12_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg12", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 13 (Birth Name). */
+ else if (strcmp (long_options[option_index].name, "read-dg13") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg13_flag), 0, &(args_info->read_dg13_given),
+ &(local_args_info.read_dg13_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg13", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 14. */
+ else if (strcmp (long_options[option_index].name, "read-dg14") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg14_flag), 0, &(args_info->read_dg14_given),
+ &(local_args_info.read_dg14_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg14", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 15. */
+ else if (strcmp (long_options[option_index].name, "read-dg15") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg15_flag), 0, &(args_info->read_dg15_given),
+ &(local_args_info.read_dg15_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg15", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 16. */
+ else if (strcmp (long_options[option_index].name, "read-dg16") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg16_flag), 0, &(args_info->read_dg16_given),
+ &(local_args_info.read_dg16_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg16", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 17 (Normal Place of Residence). */
+ else if (strcmp (long_options[option_index].name, "read-dg17") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg17_flag), 0, &(args_info->read_dg17_given),
+ &(local_args_info.read_dg17_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg17", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 18 (Community ID). */
+ else if (strcmp (long_options[option_index].name, "read-dg18") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg18_flag), 0, &(args_info->read_dg18_given),
+ &(local_args_info.read_dg18_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg18", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 19 (Residence Permit I). */
+ else if (strcmp (long_options[option_index].name, "read-dg19") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg19_flag), 0, &(args_info->read_dg19_given),
+ &(local_args_info.read_dg19_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg19", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 20 (Residence Permit II). */
+ else if (strcmp (long_options[option_index].name, "read-dg20") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg20_flag), 0, &(args_info->read_dg20_given),
+ &(local_args_info.read_dg20_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg20", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Read DG 21 (Optional Data). */
+ else if (strcmp (long_options[option_index].name, "read-dg21") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->read_dg21_flag), 0, &(args_info->read_dg21_given),
+ &(local_args_info.read_dg21_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "read-dg21", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Write DG 17 (Normal Place of Residence). */
+ else if (strcmp (long_options[option_index].name, "write-dg17") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->write_dg17_arg),
+ &(args_info->write_dg17_orig), &(args_info->write_dg17_given),
+ &(local_args_info.write_dg17_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "write-dg17", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Write DG 18 (Community ID). */
+ else if (strcmp (long_options[option_index].name, "write-dg18") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->write_dg18_arg),
+ &(args_info->write_dg18_orig), &(args_info->write_dg18_given),
+ &(local_args_info.write_dg18_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "write-dg18", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Write DG 19 (Residence Permit I). */
+ else if (strcmp (long_options[option_index].name, "write-dg19") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->write_dg19_arg),
+ &(args_info->write_dg19_orig), &(args_info->write_dg19_given),
+ &(local_args_info.write_dg19_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "write-dg19", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Write DG 20 (Residence Permit II). */
+ else if (strcmp (long_options[option_index].name, "write-dg20") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->write_dg20_arg),
+ &(args_info->write_dg20_orig), &(args_info->write_dg20_given),
+ &(local_args_info.write_dg20_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "write-dg20", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Write DG 21 (Optional Data). */
+ else if (strcmp (long_options[option_index].name, "write-dg21") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->write_dg21_arg),
+ &(args_info->write_dg21_orig), &(args_info->write_dg21_given),
+ &(local_args_info.write_dg21_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "write-dg21", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Verify chip's validity with a reference date. */
+ else if (strcmp (long_options[option_index].name, "verify-validity") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->verify_validity_arg),
+ &(args_info->verify_validity_orig), &(args_info->verify_validity_given),
+ &(local_args_info.verify_validity_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "verify-validity", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Verify age with a reference date. */
+ else if (strcmp (long_options[option_index].name, "older-than") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->older_than_arg),
+ &(args_info->older_than_orig), &(args_info->older_than_given),
+ &(local_args_info.older_than_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "older-than", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Verify community ID with a reference ID. */
+ else if (strcmp (long_options[option_index].name, "verify-community") == 0)
+ {
+
+
+ if (update_arg( (void *)&(args_info->verify_community_arg),
+ &(args_info->verify_community_orig), &(args_info->verify_community_given),
+ &(local_args_info.verify_community_given), optarg, 0, 0, ARG_STRING,
+ check_ambiguity, override, 0, 0,
+ "verify-community", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Force compliance to BSI TR-03110 version 2.01. */
+ else if (strcmp (long_options[option_index].name, "tr-03110v201") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->tr_03110v201_flag), 0, &(args_info->tr_03110v201_given),
+ &(local_args_info.tr_03110v201_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "tr-03110v201", '-',
+ additional_error))
+ goto failure;
+
+ }
+ /* Disable all checking of fly-by-data. */
+ else if (strcmp (long_options[option_index].name, "disable-all-checks") == 0)
+ {
+
+
+ if (update_arg((void *)&(args_info->disable_all_checks_flag), 0, &(args_info->disable_all_checks_given),
+ &(local_args_info.disable_all_checks_given), optarg, 0, 0, ARG_FLAG,
+ check_ambiguity, override, 1, 0, "disable-all-checks", '-',
+ additional_error))
+ goto failure;
+
+ }
+
+ break;
+ case '?': /* Invalid option. */
+ /* `getopt_long' already printed an error message. */
+ goto failure;
+
+ default: /* bug: option not considered. */
+ fprintf (stderr, "%s: option unknown: %c%s\n", CMDLINE_PARSER_PACKAGE, c, (additional_error ? additional_error : ""));
+ abort ();
+ } /* switch */
+ } /* while */
+
+
+ update_multiple_arg((void *)&(args_info->cv_certificate_arg),
+ &(args_info->cv_certificate_orig), args_info->cv_certificate_given,
+ local_args_info.cv_certificate_given, 0,
+ ARG_STRING, cv_certificate_list);
+
+ args_info->verbose_given += local_args_info.verbose_given;
+ local_args_info.verbose_given = 0;
+ args_info->cv_certificate_given += local_args_info.cv_certificate_given;
+ local_args_info.cv_certificate_given = 0;
+
+ if (check_required)
+ {
+ error_occurred += cmdline_parser_required2 (args_info, argv[0], additional_error);
+ }
+
+ cmdline_parser_release (&local_args_info);
+
+ if ( error_occurred )
+ return (EXIT_FAILURE);
+
+ return 0;
+
+failure:
+ free_list (cv_certificate_list, 1 );
+
+ cmdline_parser_release (&local_args_info);
+ return (EXIT_FAILURE);
+}
diff --git a/src/tools/npa-tool-cmdline.h b/src/tools/npa-tool-cmdline.h
new file mode 100644
index 0000000..4c724ea
--- /dev/null
+++ b/src/tools/npa-tool-cmdline.h
@@ -0,0 +1,354 @@
+/** @file npa-tool-cmdline.h
+ * @brief The header file for the command line option parser
+ * generated by GNU Gengetopt version 2.22.6
+ * http://www.gnu.org/software/gengetopt.
+ * DO NOT modify this file, since it can be overwritten
+ * @author GNU Gengetopt by Lorenzo Bettini */
+
+#ifndef NPA_TOOL_CMDLINE_H
+#define NPA_TOOL_CMDLINE_H
+
+/* If we use autoconf. */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h> /* for FILE */
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+#ifndef CMDLINE_PARSER_PACKAGE
+/** @brief the program name (used for printing errors) */
+#define CMDLINE_PARSER_PACKAGE "npa-tool"
+#endif
+
+#ifndef CMDLINE_PARSER_PACKAGE_NAME
+/** @brief the complete program name (used for help and version) */
+#define CMDLINE_PARSER_PACKAGE_NAME "npa-tool"
+#endif
+
+#ifndef CMDLINE_PARSER_VERSION
+/** @brief the program version */
+#define CMDLINE_PARSER_VERSION VERSION
+#endif
+
+/** @brief Where the command line options are stored */
+struct gengetopt_args_info
+{
+ const char *help_help; /**< @brief Print help and exit help description. */
+ const char *version_help; /**< @brief Print version and exit help description. */
+ int reader_arg; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) (default='-1'). */
+ char * reader_orig; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) original value given at command line. */
+ const char *reader_help; /**< @brief Number of the PC/SC reader to use (-1 for autodetect) help description. */
+ unsigned int verbose_min; /**< @brief Use (several times) to be more verbose's minimum occurreces */
+ unsigned int verbose_max; /**< @brief Use (several times) to be more verbose's maximum occurreces */
+ const char *verbose_help; /**< @brief Use (several times) to be more verbose help description. */
+ char * pin_arg; /**< @brief Run PACE with (transport) eID-PIN. */
+ char * pin_orig; /**< @brief Run PACE with (transport) eID-PIN original value given at command line. */
+ const char *pin_help; /**< @brief Run PACE with (transport) eID-PIN help description. */
+ char * puk_arg; /**< @brief Run PACE with PUK. */
+ char * puk_orig; /**< @brief Run PACE with PUK original value given at command line. */
+ const char *puk_help; /**< @brief Run PACE with PUK help description. */
+ char * can_arg; /**< @brief Run PACE with CAN. */
+ char * can_orig; /**< @brief Run PACE with CAN original value given at command line. */
+ const char *can_help; /**< @brief Run PACE with CAN help description. */
+ char * mrz_arg; /**< @brief Run PACE with MRZ (insert MRZ without newlines). */
+ char * mrz_orig; /**< @brief Run PACE with MRZ (insert MRZ without newlines) original value given at command line. */
+ const char *mrz_help; /**< @brief Run PACE with MRZ (insert MRZ without newlines) help description. */
+ int env_flag; /**< @brief Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this. (default=off). */
+ const char *env_help; /**< @brief Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this. help description. */
+ char * new_pin_arg; /**< @brief Install a new PIN. */
+ char * new_pin_orig; /**< @brief Install a new PIN original value given at command line. */
+ const char *new_pin_help; /**< @brief Install a new PIN help description. */
+ int resume_flag; /**< @brief Resume eID-PIN (uses CAN to activate last retry) (default=off). */
+ const char *resume_help; /**< @brief Resume eID-PIN (uses CAN to activate last retry) help description. */
+ int unblock_flag; /**< @brief Unblock PIN (uses PUK to activate three more retries) (default=off). */
+ const char *unblock_help; /**< @brief Unblock PIN (uses PUK to activate three more retries) help description. */
+ char ** cv_certificate_arg; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).. */
+ char ** cv_certificate_orig; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important). original value given at command line. */
+ unsigned int cv_certificate_min; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).'s minimum occurreces */
+ unsigned int cv_certificate_max; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important).'s maximum occurreces */
+ const char *cv_certificate_help; /**< @brief Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important). help description. */
+ char * cert_desc_arg; /**< @brief Certificate description to show for Terminal Authentication. */
+ char * cert_desc_orig; /**< @brief Certificate description to show for Terminal Authentication original value given at command line. */
+ const char *cert_desc_help; /**< @brief Certificate description to show for Terminal Authentication help description. */
+ char * chat_arg; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser).. */
+ char * chat_orig; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser). original value given at command line. */
+ const char *chat_help; /**< @brief Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser). help description. */
+ char * auxiliary_data_arg; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID).. */
+ char * auxiliary_data_orig; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID). original value given at command line. */
+ const char *auxiliary_data_help; /**< @brief Terminal's auxiliary data (default is determined by verification of validity, age and community ID). help description. */
+ char * private_key_arg; /**< @brief Terminal's private key. */
+ char * private_key_orig; /**< @brief Terminal's private key original value given at command line. */
+ const char *private_key_help; /**< @brief Terminal's private key help description. */
+ char * cvc_dir_arg; /**< @brief Where to look for the CVCA's certificate (default='/home/fm/.local/etc/eac/cvc'). */
+ char * cvc_dir_orig; /**< @brief Where to look for the CVCA's certificate original value given at command line. */
+ const char *cvc_dir_help; /**< @brief Where to look for the CVCA's certificate help description. */
+ char * x509_dir_arg; /**< @brief Where to look for the CSCA's certificate (default='/home/fm/.local/etc/eac/x509'). */
+ char * x509_dir_orig; /**< @brief Where to look for the CSCA's certificate original value given at command line. */
+ const char *x509_dir_help; /**< @brief Where to look for the CSCA's certificate help description. */
+ int disable_ta_checks_flag; /**< @brief Disable checking the validity period of CV certifcates (default=off). */
+ const char *disable_ta_checks_help; /**< @brief Disable checking the validity period of CV certifcates help description. */
+ int disable_ca_checks_flag; /**< @brief Disable passive authentication (default=off). */
+ const char *disable_ca_checks_help; /**< @brief Disable passive authentication help description. */
+ int read_dg1_flag; /**< @brief Read DG 1 (Document Type) (default=off). */
+ const char *read_dg1_help; /**< @brief Read DG 1 (Document Type) help description. */
+ int read_dg2_flag; /**< @brief Read DG 2 (Issuing State) (default=off). */
+ const char *read_dg2_help; /**< @brief Read DG 2 (Issuing State) help description. */
+ int read_dg3_flag; /**< @brief Read DG 3 (Date of Expiry) (default=off). */
+ const char *read_dg3_help; /**< @brief Read DG 3 (Date of Expiry) help description. */
+ int read_dg4_flag; /**< @brief Read DG 4 (Given Names) (default=off). */
+ const char *read_dg4_help; /**< @brief Read DG 4 (Given Names) help description. */
+ int read_dg5_flag; /**< @brief Read DG 5 (Family Names) (default=off). */
+ const char *read_dg5_help; /**< @brief Read DG 5 (Family Names) help description. */
+ int read_dg6_flag; /**< @brief Read DG 6 (Religious/Artistic Name) (default=off). */
+ const char *read_dg6_help; /**< @brief Read DG 6 (Religious/Artistic Name) help description. */
+ int read_dg7_flag; /**< @brief Read DG 7 (Academic Title) (default=off). */
+ const char *read_dg7_help; /**< @brief Read DG 7 (Academic Title) help description. */
+ int read_dg8_flag; /**< @brief Read DG 8 (Date of Birth) (default=off). */
+ const char *read_dg8_help; /**< @brief Read DG 8 (Date of Birth) help description. */
+ int read_dg9_flag; /**< @brief Read DG 9 (Place of Birth) (default=off). */
+ const char *read_dg9_help; /**< @brief Read DG 9 (Place of Birth) help description. */
+ int read_dg10_flag; /**< @brief Read DG 10 (Nationality) (default=off). */
+ const char *read_dg10_help; /**< @brief Read DG 10 (Nationality) help description. */
+ int read_dg11_flag; /**< @brief Read DG 11 (Sex) (default=off). */
+ const char *read_dg11_help; /**< @brief Read DG 11 (Sex) help description. */
+ int read_dg12_flag; /**< @brief Read DG 12 (Optional Data) (default=off). */
+ const char *read_dg12_help; /**< @brief Read DG 12 (Optional Data) help description. */
+ int read_dg13_flag; /**< @brief Read DG 13 (Birth Name) (default=off). */
+ const char *read_dg13_help; /**< @brief Read DG 13 (Birth Name) help description. */
+ int read_dg14_flag; /**< @brief Read DG 14 (default=off). */
+ const char *read_dg14_help; /**< @brief Read DG 14 help description. */
+ int read_dg15_flag; /**< @brief Read DG 15 (default=off). */
+ const char *read_dg15_help; /**< @brief Read DG 15 help description. */
+ int read_dg16_flag; /**< @brief Read DG 16 (default=off). */
+ const char *read_dg16_help; /**< @brief Read DG 16 help description. */
+ int read_dg17_flag; /**< @brief Read DG 17 (Normal Place of Residence) (default=off). */
+ const char *read_dg17_help; /**< @brief Read DG 17 (Normal Place of Residence) help description. */
+ int read_dg18_flag; /**< @brief Read DG 18 (Community ID) (default=off). */
+ const char *read_dg18_help; /**< @brief Read DG 18 (Community ID) help description. */
+ int read_dg19_flag; /**< @brief Read DG 19 (Residence Permit I) (default=off). */
+ const char *read_dg19_help; /**< @brief Read DG 19 (Residence Permit I) help description. */
+ int read_dg20_flag; /**< @brief Read DG 20 (Residence Permit II) (default=off). */
+ const char *read_dg20_help; /**< @brief Read DG 20 (Residence Permit II) help description. */
+ int read_dg21_flag; /**< @brief Read DG 21 (Optional Data) (default=off). */
+ const char *read_dg21_help; /**< @brief Read DG 21 (Optional Data) help description. */
+ char * write_dg17_arg; /**< @brief Write DG 17 (Normal Place of Residence). */
+ char * write_dg17_orig; /**< @brief Write DG 17 (Normal Place of Residence) original value given at command line. */
+ const char *write_dg17_help; /**< @brief Write DG 17 (Normal Place of Residence) help description. */
+ char * write_dg18_arg; /**< @brief Write DG 18 (Community ID). */
+ char * write_dg18_orig; /**< @brief Write DG 18 (Community ID) original value given at command line. */
+ const char *write_dg18_help; /**< @brief Write DG 18 (Community ID) help description. */
+ char * write_dg19_arg; /**< @brief Write DG 19 (Residence Permit I). */
+ char * write_dg19_orig; /**< @brief Write DG 19 (Residence Permit I) original value given at command line. */
+ const char *write_dg19_help; /**< @brief Write DG 19 (Residence Permit I) help description. */
+ char * write_dg20_arg; /**< @brief Write DG 20 (Residence Permit II). */
+ char * write_dg20_orig; /**< @brief Write DG 20 (Residence Permit II) original value given at command line. */
+ const char *write_dg20_help; /**< @brief Write DG 20 (Residence Permit II) help description. */
+ char * write_dg21_arg; /**< @brief Write DG 21 (Optional Data). */
+ char * write_dg21_orig; /**< @brief Write DG 21 (Optional Data) original value given at command line. */
+ const char *write_dg21_help; /**< @brief Write DG 21 (Optional Data) help description. */
+ char * verify_validity_arg; /**< @brief Verify chip's validity with a reference date. */
+ char * verify_validity_orig; /**< @brief Verify chip's validity with a reference date original value given at command line. */
+ const char *verify_validity_help; /**< @brief Verify chip's validity with a reference date help description. */
+ char * older_than_arg; /**< @brief Verify age with a reference date. */
+ char * older_than_orig; /**< @brief Verify age with a reference date original value given at command line. */
+ const char *older_than_help; /**< @brief Verify age with a reference date help description. */
+ char * verify_community_arg; /**< @brief Verify community ID with a reference ID. */
+ char * verify_community_orig; /**< @brief Verify community ID with a reference ID original value given at command line. */
+ const char *verify_community_help; /**< @brief Verify community ID with a reference ID help description. */
+ int break_flag; /**< @brief Brute force PIN, CAN or PUK. Use together with -p, -a or -u (default=off). */
+ const char *break_help; /**< @brief Brute force PIN, CAN or PUK. Use together with -p, -a or -u help description. */
+ char * translate_arg; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel (default='stdin'). */
+ char * translate_orig; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel original value given at command line. */
+ const char *translate_help; /**< @brief File with APDUs of HEX_STRINGs to send through the secure channel help description. */
+ int tr_03110v201_flag; /**< @brief Force compliance to BSI TR-03110 version 2.01 (default=off). */
+ const char *tr_03110v201_help; /**< @brief Force compliance to BSI TR-03110 version 2.01 help description. */
+ int disable_all_checks_flag; /**< @brief Disable all checking of fly-by-data (default=off). */
+ const char *disable_all_checks_help; /**< @brief Disable all checking of fly-by-data help description. */
+
+ unsigned int help_given ; /**< @brief Whether help was given. */
+ unsigned int version_given ; /**< @brief Whether version was given. */
+ unsigned int reader_given ; /**< @brief Whether reader was given. */
+ unsigned int verbose_given ; /**< @brief Whether verbose was given. */
+ unsigned int pin_given ; /**< @brief Whether pin was given. */
+ unsigned int puk_given ; /**< @brief Whether puk was given. */
+ unsigned int can_given ; /**< @brief Whether can was given. */
+ unsigned int mrz_given ; /**< @brief Whether mrz was given. */
+ unsigned int env_given ; /**< @brief Whether env was given. */
+ unsigned int new_pin_given ; /**< @brief Whether new-pin was given. */
+ unsigned int resume_given ; /**< @brief Whether resume was given. */
+ unsigned int unblock_given ; /**< @brief Whether unblock was given. */
+ unsigned int cv_certificate_given ; /**< @brief Whether cv-certificate was given. */
+ unsigned int cert_desc_given ; /**< @brief Whether cert-desc was given. */
+ unsigned int chat_given ; /**< @brief Whether chat was given. */
+ unsigned int auxiliary_data_given ; /**< @brief Whether auxiliary-data was given. */
+ unsigned int private_key_given ; /**< @brief Whether private-key was given. */
+ unsigned int cvc_dir_given ; /**< @brief Whether cvc-dir was given. */
+ unsigned int x509_dir_given ; /**< @brief Whether x509-dir was given. */
+ unsigned int disable_ta_checks_given ; /**< @brief Whether disable-ta-checks was given. */
+ unsigned int disable_ca_checks_given ; /**< @brief Whether disable-ca-checks was given. */
+ unsigned int read_dg1_given ; /**< @brief Whether read-dg1 was given. */
+ unsigned int read_dg2_given ; /**< @brief Whether read-dg2 was given. */
+ unsigned int read_dg3_given ; /**< @brief Whether read-dg3 was given. */
+ unsigned int read_dg4_given ; /**< @brief Whether read-dg4 was given. */
+ unsigned int read_dg5_given ; /**< @brief Whether read-dg5 was given. */
+ unsigned int read_dg6_given ; /**< @brief Whether read-dg6 was given. */
+ unsigned int read_dg7_given ; /**< @brief Whether read-dg7 was given. */
+ unsigned int read_dg8_given ; /**< @brief Whether read-dg8 was given. */
+ unsigned int read_dg9_given ; /**< @brief Whether read-dg9 was given. */
+ unsigned int read_dg10_given ; /**< @brief Whether read-dg10 was given. */
+ unsigned int read_dg11_given ; /**< @brief Whether read-dg11 was given. */
+ unsigned int read_dg12_given ; /**< @brief Whether read-dg12 was given. */
+ unsigned int read_dg13_given ; /**< @brief Whether read-dg13 was given. */
+ unsigned int read_dg14_given ; /**< @brief Whether read-dg14 was given. */
+ unsigned int read_dg15_given ; /**< @brief Whether read-dg15 was given. */
+ unsigned int read_dg16_given ; /**< @brief Whether read-dg16 was given. */
+ unsigned int read_dg17_given ; /**< @brief Whether read-dg17 was given. */
+ unsigned int read_dg18_given ; /**< @brief Whether read-dg18 was given. */
+ unsigned int read_dg19_given ; /**< @brief Whether read-dg19 was given. */
+ unsigned int read_dg20_given ; /**< @brief Whether read-dg20 was given. */
+ unsigned int read_dg21_given ; /**< @brief Whether read-dg21 was given. */
+ unsigned int write_dg17_given ; /**< @brief Whether write-dg17 was given. */
+ unsigned int write_dg18_given ; /**< @brief Whether write-dg18 was given. */
+ unsigned int write_dg19_given ; /**< @brief Whether write-dg19 was given. */
+ unsigned int write_dg20_given ; /**< @brief Whether write-dg20 was given. */
+ unsigned int write_dg21_given ; /**< @brief Whether write-dg21 was given. */
+ unsigned int verify_validity_given ; /**< @brief Whether verify-validity was given. */
+ unsigned int older_than_given ; /**< @brief Whether older-than was given. */
+ unsigned int verify_community_given ; /**< @brief Whether verify-community was given. */
+ unsigned int break_given ; /**< @brief Whether break was given. */
+ unsigned int translate_given ; /**< @brief Whether translate was given. */
+ unsigned int tr_03110v201_given ; /**< @brief Whether tr-03110v201 was given. */
+ unsigned int disable_all_checks_given ; /**< @brief Whether disable-all-checks was given. */
+
+} ;
+
+/** @brief The additional parameters to pass to parser functions */
+struct cmdline_parser_params
+{
+ int override; /**< @brief whether to override possibly already present options (default 0) */
+ int initialize; /**< @brief whether to initialize the option structure gengetopt_args_info (default 1) */
+ int check_required; /**< @brief whether to check that all required options were provided (default 1) */
+ int check_ambiguity; /**< @brief whether to check for options already specified in the option structure gengetopt_args_info (default 0) */
+ int print_errors; /**< @brief whether getopt_long should print an error message for a bad option (default 1) */
+} ;
+
+/** @brief the purpose string of the program */
+extern const char *gengetopt_args_info_purpose;
+/** @brief the usage string of the program */
+extern const char *gengetopt_args_info_usage;
+/** @brief the description string of the program */
+extern const char *gengetopt_args_info_description;
+/** @brief all the lines making the help output */
+extern const char *gengetopt_args_info_help[];
+
+/**
+ * The command line parser
+ * @param argc the number of command line options
+ * @param argv the command line options
+ * @param args_info the structure where option information will be stored
+ * @return 0 if everything went fine, NON 0 if an error took place
+ */
+int cmdline_parser (int argc, char **argv,
+ struct gengetopt_args_info *args_info);
+
+/**
+ * The command line parser (version with additional parameters - deprecated)
+ * @param argc the number of command line options
+ * @param argv the command line options
+ * @param args_info the structure where option information will be stored
+ * @param override whether to override possibly already present options
+ * @param initialize whether to initialize the option structure my_args_info
+ * @param check_required whether to check that all required options were provided
+ * @return 0 if everything went fine, NON 0 if an error took place
+ * @deprecated use cmdline_parser_ext() instead
+ */
+int cmdline_parser2 (int argc, char **argv,
+ struct gengetopt_args_info *args_info,
+ int override, int initialize, int check_required);
+
+/**
+ * The command line parser (version with additional parameters)
+ * @param argc the number of command line options
+ * @param argv the command line options
+ * @param args_info the structure where option information will be stored
+ * @param params additional parameters for the parser
+ * @return 0 if everything went fine, NON 0 if an error took place
+ */
+int cmdline_parser_ext (int argc, char **argv,
+ struct gengetopt_args_info *args_info,
+ struct cmdline_parser_params *params);
+
+/**
+ * Save the contents of the option struct into an already open FILE stream.
+ * @param outfile the stream where to dump options
+ * @param args_info the option struct to dump
+ * @return 0 if everything went fine, NON 0 if an error took place
+ */
+int cmdline_parser_dump(FILE *outfile,
+ struct gengetopt_args_info *args_info);
+
+/**
+ * Save the contents of the option struct into a (text) file.
+ * This file can be read by the config file parser (if generated by gengetopt)
+ * @param filename the file where to save
+ * @param args_info the option struct to save
+ * @return 0 if everything went fine, NON 0 if an error took place
+ */
+int cmdline_parser_file_save(const char *filename,
+ struct gengetopt_args_info *args_info);
+
+/**
+ * Print the help
+ */
+void cmdline_parser_print_help(void);
+/**
+ * Print the version
+ */
+void cmdline_parser_print_version(void);
+
+/**
+ * Initializes all the fields a cmdline_parser_params structure
+ * to their default values
+ * @param params the structure to initialize
+ */
+void cmdline_parser_params_init(struct cmdline_parser_params *params);
+
+/**
+ * Allocates dynamically a cmdline_parser_params structure and initializes
+ * all its fields to their default values
+ * @return the created and initialized cmdline_parser_params structure
+ */
+struct cmdline_parser_params *cmdline_parser_params_create(void);
+
+/**
+ * Initializes the passed gengetopt_args_info structure's fields
+ * (also set default values for options that have a default)
+ * @param args_info the structure to initialize
+ */
+void cmdline_parser_init (struct gengetopt_args_info *args_info);
+/**
+ * Deallocates the string fields of the gengetopt_args_info structure
+ * (but does not deallocate the structure itself)
+ * @param args_info the structure to deallocate
+ */
+void cmdline_parser_free (struct gengetopt_args_info *args_info);
+
+/**
+ * Checks that all the required options were specified
+ * @param args_info the structure to check
+ * @param prog_name the name of the program that will be used to print
+ * possible errors
+ * @return
+ */
+int cmdline_parser_required (struct gengetopt_args_info *args_info,
+ const char *prog_name);
+
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+#endif /* NPA_TOOL_CMDLINE_H */
diff --git a/src/tools/npa-tool.1 b/src/tools/npa-tool.1
new file mode 100644
index 0000000..c1a655e
--- /dev/null
+++ b/src/tools/npa-tool.1
@@ -0,0 +1,205 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
+.TH NPA-TOOL "1" "July 2016" "OpenSC 0.16.0" "User Commands"
+.SH NAME
+npa-tool \- manual page for npa-tool 0.16.0
+.SH SYNOPSIS
+.B npa-tool
+[\fI\,OPTIONS\/\fR]...
+.SH DESCRIPTION
+npa\-tool 0.16.0
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help and exit
+.TP
+\fB\-V\fR, \fB\-\-version\fR
+Print version and exit
+.TP
+\fB\-r\fR, \fB\-\-reader\fR=\fI\,INT\/\fR
+Number of the PC/SC reader to use (\fB\-1\fR for
+autodetect) (default=`\-1')
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Use (several times) to be more verbose
+.SS "Password Authenticated Connection Establishment (PACE):"
+.TP
+\fB\-p\fR, \fB\-\-pin\fR[=\fI\,STRING\/\fR]
+Run PACE with (transport) eID\-PIN
+.TP
+\fB\-u\fR, \fB\-\-puk\fR[=\fI\,STRING\/\fR]
+Run PACE with PUK
+.TP
+\fB\-c\fR, \fB\-\-can\fR[=\fI\,STRING\/\fR]
+Run PACE with CAN
+.TP
+\fB\-m\fR, \fB\-\-mrz\fR[=\fI\,STRING\/\fR]
+Run PACE with MRZ (insert MRZ without newlines)
+.TP
+\fB\-\-env\fR
+Whether to use environment variables PIN, PUK,
+CAN, MRZ and NEWPIN. You may want to clean
+your environment before enabling this.
+(default=off)
+.SS "PIN management:"
+.TP
+\fB\-N\fR, \fB\-\-new\-pin\fR[=\fI\,STRING\/\fR]
+Install a new PIN
+.TP
+\fB\-R\fR, \fB\-\-resume\fR
+Resume eID\-PIN (uses CAN to activate last
+retry) (default=off)
+.TP
+\fB\-U\fR, \fB\-\-unblock\fR
+Unblock PIN (uses PUK to activate three more
+retries) (default=off)
+.SS "Terminal Authentication (TA) and Chip Authentication (CA):"
+.TP
+\fB\-C\fR, \fB\-\-cv\-certificate\fR=\fI\,FILENAME\/\fR Card Verifiable Certificate to create a
+certificate chain. Can be used multiple times
+(order is important).
+.TP
+\fB\-\-cert\-desc\fR=\fI\,HEX_STRING\/\fR
+Certificate description to show for Terminal
+Authentication
+.TP
+\fB\-\-chat\fR=\fI\,HEX_STRING\/\fR
+Card holder authorization template to use
+(default is terminal's CHAT). Use
+7F4C0E060904007F000703010203530103 to trigger
+EAC on the CAT\-C (Komfortleser).
+.TP
+\fB\-A\fR, \fB\-\-auxiliary\-data\fR=\fI\,HEX_STRING\/\fR
+Terminal's auxiliary data (default is
+.TP
+determined by verification of validity, age
+and community ID).
+.TP
+\fB\-P\fR, \fB\-\-private\-key\fR=\fI\,FILENAME\/\fR
+Terminal's private key
+.TP
+\fB\-\-cvc\-dir\fR=\fI\,DIRECTORY\/\fR
+Where to look for the CVCA's certificate
+(default=`/home/fm/.local/etc/eac/cvc')
+.TP
+\fB\-\-x509\-dir\fR=\fI\,DIRECTORY\/\fR
+Where to look for the CSCA's certificate
+(default=`/home/fm/.local/etc/eac/x509')
+.TP
+\fB\-\-disable\-ta\-checks\fR
+Disable checking the validity period of CV
+certifcates (default=off)
+.TP
+\fB\-\-disable\-ca\-checks\fR
+Disable passive authentication (default=off)
+.SS "Read and write data groups:"
+.TP
+\fB\-\-read\-dg1\fR
+Read DG 1 (Document Type) (default=off)
+.TP
+\fB\-\-read\-dg2\fR
+Read DG 2 (Issuing State) (default=off)
+.TP
+\fB\-\-read\-dg3\fR
+Read DG 3 (Date of Expiry) (default=off)
+.TP
+\fB\-\-read\-dg4\fR
+Read DG 4 (Given Names) (default=off)
+.TP
+\fB\-\-read\-dg5\fR
+Read DG 5 (Family Names) (default=off)
+.TP
+\fB\-\-read\-dg6\fR
+Read DG 6 (Religious/Artistic Name)
+(default=off)
+.TP
+\fB\-\-read\-dg7\fR
+Read DG 7 (Academic Title) (default=off)
+.TP
+\fB\-\-read\-dg8\fR
+Read DG 8 (Date of Birth) (default=off)
+.TP
+\fB\-\-read\-dg9\fR
+Read DG 9 (Place of Birth) (default=off)
+.TP
+\fB\-\-read\-dg10\fR
+Read DG 10 (Nationality) (default=off)
+.TP
+\fB\-\-read\-dg11\fR
+Read DG 11 (Sex) (default=off)
+.TP
+\fB\-\-read\-dg12\fR
+Read DG 12 (Optional Data) (default=off)
+.TP
+\fB\-\-read\-dg13\fR
+Read DG 13 (Birth Name) (default=off)
+.TP
+\fB\-\-read\-dg14\fR
+Read DG 14 (default=off)
+.TP
+\fB\-\-read\-dg15\fR
+Read DG 15 (default=off)
+.TP
+\fB\-\-read\-dg16\fR
+Read DG 16 (default=off)
+.TP
+\fB\-\-read\-dg17\fR
+Read DG 17 (Normal Place of Residence)
+(default=off)
+.TP
+\fB\-\-read\-dg18\fR
+Read DG 18 (Community ID) (default=off)
+.TP
+\fB\-\-read\-dg19\fR
+Read DG 19 (Residence Permit I) (default=off)
+.TP
+\fB\-\-read\-dg20\fR
+Read DG 20 (Residence Permit II)
+(default=off)
+.TP
+\fB\-\-read\-dg21\fR
+Read DG 21 (Optional Data) (default=off)
+.TP
+\fB\-\-write\-dg17\fR=\fI\,HEX_STRING\/\fR
+Write DG 17 (Normal Place of Residence)
+.TP
+\fB\-\-write\-dg18\fR=\fI\,HEX_STRING\/\fR
+Write DG 18 (Community ID)
+.TP
+\fB\-\-write\-dg19\fR=\fI\,HEX_STRING\/\fR
+Write DG 19 (Residence Permit I)
+.TP
+\fB\-\-write\-dg20\fR=\fI\,HEX_STRING\/\fR
+Write DG 20 (Residence Permit II)
+.TP
+\fB\-\-write\-dg21\fR=\fI\,HEX_STRING\/\fR
+Write DG 21 (Optional Data)
+.SS "Verification of validity, age and community ID:"
+.TP
+\fB\-\-verify\-validity\fR=\fI\,YYYYMMDD\/\fR
+Verify chip's validity with a reference date
+.TP
+\fB\-\-older\-than\fR=\fI\,YYYYMMDD\/\fR
+Verify age with a reference date
+.TP
+\fB\-\-verify\-community\fR=\fI\,HEX_STRING\/\fR
+Verify community ID with a reference ID
+.SS "Special options, not always useful:"
+.TP
+\fB\-b\fR, \fB\-\-break\fR
+Brute force PIN, CAN or PUK. Use together with
+\fB\-p\fR, \fB\-a\fR or \fB\-u\fR (default=off)
+.TP
+\fB\-t\fR, \fB\-\-translate\fR=\fI\,FILENAME\/\fR
+File with APDUs of HEX_STRINGs to send through
+the secure channel (default=`stdin')
+.TP
+\fB\-\-tr\-03110v201\fR
+Force compliance to BSI TR\-03110 version 2.01
+(default=off)
+.TP
+\fB\-\-disable\-all\-checks\fR
+Disable all checking of fly\-by\-data
+(default=off)
+.SH AUTHOR
+Written by Frank Morgner <frankmorgner at gmail.com>
+.SH "REPORTING BUGS"
+Report bugs to opensc\-devel at lists.sourceforge.net
diff --git a/src/tools/npa-tool.c b/src/tools/npa-tool.c
new file mode 100644
index 0000000..b44f001
--- /dev/null
+++ b/src/tools/npa-tool.c
@@ -0,0 +1,897 @@
+/*
+ * Copyright (C) 2010-2012 Frank Morgner <frankmorgner at gmail.com>
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef ENABLE_OPENPACE
+#include "npa-tool-cmdline.h"
+#include "fread_to_eof.h"
+#include "sm/sslutil.h"
+#include "sm/sm-eac.h"
+#include <eac/pace.h>
+#include <libopensc/log.h>
+#include <libopensc/opensc.h>
+#include <libopensc/sm.h>
+#include <sm/sm-eac.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+/* only implement what we are using in this file */
+struct timeval {
+ unsigned int tv_sec;
+ unsigned int tv_usec;
+};
+int gettimeofday(struct timeval *tv, struct timezone *tz)
+{
+#ifdef _WIN32
+ SYSTEMTIME st;
+ GetLocalTime(&st);
+ if (!tv)
+ return -1;
+ tv->tv_sec = st.wSecond;
+ tv->tv_usec = st.wMilliseconds*1000;
+#else
+ tv->tv_sec = 0;
+ tv->tv_usec = 0;
+#endif
+ return 0;
+}
+#endif
+
+#ifndef HAVE_GETLINE
+static int getline(char **lineptr, size_t *n, FILE *stream)
+{
+ char *p;
+
+ if (!lineptr)
+ return -1;
+
+ p = realloc(*lineptr, SC_MAX_EXT_APDU_BUFFER_SIZE*3);
+ if (!p)
+ return -1;
+ *lineptr = p;
+
+ if (fgets(p, SC_MAX_EXT_APDU_BUFFER_SIZE*3, stream) == NULL)
+ return -1;
+
+ return strlen(p);
+}
+#endif
+
+/**
+ * @brief Print binary data to a file stream
+ *
+ * @param[in] file File for printing
+ * @param[in] label Label to prepend to the buffer
+ * @param[in] data Binary data
+ * @param[in] len Length of \a data
+ */
+#define bin_print(file, label, data, len) { \
+ fprintf(file, "%s (%u byte%s)%s%s\n", \
+ label, (unsigned int) len, len==1?"":"s", len==0?"":":\n", sc_dump_hex(data, len)); \
+ }
+
+static int initialize(int reader_id, int verbose,
+ sc_context_t **ctx, sc_reader_t **reader)
+{
+ unsigned int i, reader_count;
+ int r;
+
+ if (!ctx || !reader)
+ return SC_ERROR_INVALID_ARGUMENTS;
+
+ r = sc_establish_context(ctx, "");
+ if (r < 0 || !*ctx) {
+ fprintf(stderr, "Failed to create initial context: %s", sc_strerror(r));
+ return r;
+ }
+
+ (*ctx)->debug = verbose;
+ (*ctx)->flags |= SC_CTX_FLAG_ENABLE_DEFAULT_DRIVER;
+
+ reader_count = sc_ctx_get_reader_count(*ctx);
+
+ if (reader_count == 0) {
+ sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "No reader not found.\n");
+ return SC_ERROR_NO_READERS_FOUND;
+ }
+
+ if (reader_id < 0) {
+ /* Automatically try to skip to a reader with a card if reader not specified */
+ for (i = 0; i < reader_count; i++) {
+ *reader = sc_ctx_get_reader(*ctx, i);
+ if (sc_detect_card_presence(*reader) & SC_READER_CARD_PRESENT) {
+ reader_id = i;
+ sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "Using the first reader"
+ " with a card: %s", (*reader)->name);
+ break;
+ }
+ }
+ if ((unsigned int) reader_id >= reader_count) {
+ sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "No card found, using the first reader.");
+ reader_id = 0;
+ }
+ }
+
+ if ((unsigned int) reader_id >= reader_count) {
+ sc_debug(*ctx, SC_LOG_DEBUG_NORMAL, "Invalid reader number "
+ "(%d), only %d available.\n", reader_id, reader_count);
+ return SC_ERROR_NO_READERS_FOUND;
+ }
+
+ *reader = sc_ctx_get_reader(*ctx, reader_id);
+
+ return SC_SUCCESS;
+}
+
+
+static void read_dg(sc_card_t *card, unsigned char sfid, const char *dg_str,
+ unsigned char **dg, size_t *dg_len)
+{
+ int r = iso7816_read_binary_sfid(card, sfid, dg, dg_len);
+ if (r < 0)
+ fprintf(stderr, "Coult not read DG %02u %s (%s)\n",
+ sfid, dg_str, sc_strerror(r));
+ else {
+ char buf[0x200];
+ sc_hex_dump(NULL, 0, *dg, *dg_len, buf, sizeof buf);
+ fprintf(stdout, "Read %s", buf);
+ }
+}
+
+static void write_dg(sc_card_t *card, unsigned char sfid, const char *dg_str,
+ const char *dg_hex)
+{
+ unsigned char dg[0xff];
+ size_t dg_len = sizeof dg;
+ int r;
+
+ r = sc_hex_to_bin(dg_hex, dg, &dg_len);
+ if (r < 0) {
+ fprintf(stderr, "Could not parse DG %02u %s (%s)\n",
+ sfid, dg_str, sc_strerror(r));
+ } else {
+ r = iso7816_write_binary_sfid(card, sfid, dg, dg_len);
+ if (r < 0)
+ fprintf(stderr, "Could not write DG %02u %s (%s)\n",
+ sfid, dg_str, sc_strerror(r));
+ else
+ printf("Wrote DG %02u %s\n", sfid, dg_str);
+ }
+}
+
+#define ISO_VERIFY 0x20
+static void verify(sc_card_t *card, const char *verify_str,
+ unsigned char *data, size_t data_len)
+{
+ sc_apdu_t apdu;
+ int r;
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, ISO_VERIFY, 0x80, 0);
+ apdu.cla = 0x80;
+ apdu.data = data;
+ apdu.datalen = data_len;
+ apdu.lc = data_len;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0)
+ fprintf(stderr, "Coult not verify %s (%s)\n",
+ verify_str, sc_strerror(r));
+ else
+ printf("Verified %s\n", verify_str);
+}
+
+int npa_translate_apdus(sc_card_t *card, FILE *input)
+{
+ u8 buf[4 + 3 + 0xffff + 3];
+ char *read = NULL;
+ size_t readlen = 0, apdulen;
+ sc_apdu_t apdu;
+ int linelen;
+ int r;
+
+ memset(&apdu, 0, sizeof apdu);
+
+ while (1) {
+ if (input == stdin)
+ printf("Enter unencrypted C-APDU (empty line to exit)\n");
+
+ linelen = getline(&read, &readlen, input);
+ if (linelen <= 1) {
+ if (linelen < 0) {
+ r = SC_ERROR_INTERNAL;
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
+ "Could not read line");
+ } else {
+ r = SC_SUCCESS;
+ printf("Thanks for flying with ccid\n");
+ }
+ break;
+ }
+ read[linelen - 1] = 0;
+
+ apdulen = sizeof buf;
+ if (sc_hex_to_bin(read, buf, &apdulen) < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
+ "Could not format binary string");
+ continue;
+ }
+ if (input != stdin)
+ bin_print(stdout, "Unencrypted C-APDU", buf, apdulen);
+
+ r = sc_bytes2apdu(card->ctx, buf, apdulen, &apdu);
+ if (r < 0) {
+ sc_debug_hex(card->ctx, SC_LOG_DEBUG_NORMAL, "Invalid C-APDU", buf, apdulen);
+ continue;
+ }
+
+ apdu.resp = buf;
+ apdu.resplen = sizeof buf;
+
+ r = sc_transmit_apdu(card, &apdu);
+ if (r < 0) {
+ sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE_TOOL,
+ "Could not send C-APDU: %s", sc_strerror(r));
+ continue;
+ }
+
+ printf("Decrypted R-APDU sw1=%02x sw2=%02x\n", apdu.sw1, apdu.sw2);
+ bin_print(stdout, "Decrypted R-APDU response data", apdu.resp, apdu.resplen);
+ printf("======================================================================\n");
+ }
+
+ if (read)
+ free(read);
+
+ return r;
+}
+
+static int add_to_ASN1_AUXILIARY_DATA(
+ ASN1_AUXILIARY_DATA **auxiliary_data,
+ int nid, const unsigned char *data, size_t data_len)
+{
+ int r;
+ CVC_DISCRETIONARY_DATA_TEMPLATE *template = NULL;
+
+ if (!auxiliary_data) {
+ r = SC_ERROR_INVALID_ARGUMENTS;
+ goto err;
+ }
+
+ if (!*auxiliary_data) {
+ *auxiliary_data = ASN1_AUXILIARY_DATA_new();
+ if (!*auxiliary_data) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ template = CVC_DISCRETIONARY_DATA_TEMPLATE_new();
+ if (!template) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ template->type = OBJ_nid2obj(nid);
+ if (!template->type) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ if (data && data_len) {
+ template->discretionary_data3 = ASN1_OCTET_STRING_new();
+ if (!template->discretionary_data3
+ || !M_ASN1_OCTET_STRING_set(
+ template->discretionary_data3, data, data_len)) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+ }
+
+ if (!sk_push((_STACK*) (*auxiliary_data), template)) {
+ r = SC_ERROR_INTERNAL;
+ goto err;
+ }
+
+ r = SC_SUCCESS;
+
+err:
+ return r;
+}
+
+int
+main (int argc, char **argv)
+{
+ const char *newpin = NULL;
+ const char *pin = NULL;
+ const char *puk = NULL;
+ const char *can = NULL;
+ const char *mrz = NULL;
+
+ unsigned char chat[0xff];
+ unsigned char desc[0xffff];
+ unsigned char **certs = NULL;
+ size_t *certs_lens = NULL;
+ unsigned char *privkey = NULL;
+ size_t privkey_len = 0;
+ unsigned char auxiliary_data[0xff];
+ size_t auxiliary_data_len = 0;
+ unsigned char community_id[0xf];
+ size_t community_id_len = 0;
+
+ sc_context_t *ctx = NULL;
+ sc_card_t *card = NULL;
+ sc_reader_t *reader;
+
+ int r, tr_version = EAC_TR_VERSION_2_02;
+ struct establish_pace_channel_input pace_input;
+ struct establish_pace_channel_output pace_output;
+ struct timeval tv;
+ size_t i;
+ FILE *input = NULL;
+ CVC_CERT *cvc_cert = NULL;
+ unsigned char *certs_chat = NULL;
+ unsigned char *dg = NULL;
+ size_t dg_len = 0;
+ ASN1_AUXILIARY_DATA *templates = NULL;
+ unsigned char *ef_cardsecurity = NULL;
+ size_t ef_cardsecurity_len = 0;
+
+ struct gengetopt_args_info cmdline;
+
+ memset(&pace_input, 0, sizeof pace_input);
+ memset(&pace_output, 0, sizeof pace_output);
+
+
+ /* Parse command line */
+ if (cmdline_parser (argc, argv, &cmdline) != 0)
+ exit(1);
+ if (cmdline.env_flag) {
+ can = getenv("CAN");
+ mrz = getenv("MRZ");
+ pin = getenv("PIN");
+ puk = getenv("PUK");
+ newpin = getenv("NEWPIN");
+ }
+ can = cmdline.can_arg;
+ mrz = cmdline.mrz_arg;
+ pin = cmdline.pin_arg;
+ puk = cmdline.puk_arg;
+ newpin = cmdline.new_pin_arg;
+ if (cmdline.chat_given) {
+ pace_input.chat = chat;
+ pace_input.chat_length = sizeof chat;
+ if (sc_hex_to_bin(cmdline.chat_arg, (u8 *) pace_input.chat,
+ &pace_input.chat_length) < 0) {
+ fprintf(stderr, "Could not parse CHAT.\n");
+ exit(2);
+ }
+ }
+ if (cmdline.cert_desc_given) {
+ pace_input.certificate_description = desc;
+ pace_input.certificate_description_length = sizeof desc;
+ if (sc_hex_to_bin(cmdline.cert_desc_arg,
+ (u8 *) pace_input.certificate_description,
+ &pace_input.certificate_description_length) < 0) {
+ fprintf(stderr, "Could not parse certificate description.\n");
+ exit(2);
+ }
+ }
+ if (cmdline.tr_03110v201_flag)
+ tr_version = EAC_TR_VERSION_2_01;
+ if (cmdline.disable_all_checks_flag)
+ npa_default_flags |= NPA_FLAG_DISABLE_CHECK_ALL;
+ if (cmdline.disable_ta_checks_flag)
+ npa_default_flags |= NPA_FLAG_DISABLE_CHECK_TA;
+ if (cmdline.disable_ca_checks_flag)
+ npa_default_flags |= NPA_FLAG_DISABLE_CHECK_CA;
+
+
+ r = initialize(cmdline.reader_arg, cmdline.verbose_given, &ctx, &reader);
+ if (r < 0) {
+ fprintf(stderr, "Can't initialize reader\n");
+ exit(1);
+ }
+
+ if (sc_connect_card(reader, &card) < 0) {
+ fprintf(stderr, "Could not connect to card\n");
+ sc_release_context(ctx);
+ exit(1);
+ }
+
+ EAC_init();
+ if (cmdline.cvc_dir_given)
+ EAC_set_cvc_default_dir(cmdline.cvc_dir_arg);
+ if (cmdline.x509_dir_given)
+ EAC_set_x509_default_dir(cmdline.cvc_dir_arg);
+
+ if (cmdline.break_flag) {
+ /* The biggest number sprintf could write with "%llu is 18446744073709551615 */
+ char secretbuf[21];
+ unsigned long long secret = 0;
+ unsigned long long maxsecret = 0;
+
+ if (cmdline.pin_given) {
+ pace_input.pin_id = PACE_PIN;
+ pace_input.pin_length = 6;
+ maxsecret = 999999;
+ if (pin) {
+ if (sscanf(pin, "%llu", &secret) != 1) {
+ fprintf(stderr, "%s is not an unsigned long long.\n",
+ npa_secret_name(pace_input.pin_id));
+ exit(2);
+ }
+ if (strlen(pin) > pace_input.pin_length) {
+ fprintf(stderr, "%s too big, only %u digits allowed.\n",
+ npa_secret_name(pace_input.pin_id),
+ (unsigned int) pace_input.pin_length);
+ exit(2);
+ }
+ }
+ } else if (cmdline.can_given) {
+ pace_input.pin_id = PACE_CAN;
+ pace_input.pin_length = 6;
+ maxsecret = 999999;
+ if (can) {
+ if (sscanf(can, "%llu", &secret) != 1) {
+ fprintf(stderr, "%s is not an unsigned long long.\n",
+ npa_secret_name(pace_input.pin_id));
+ exit(2);
+ }
+ if (strlen(can) > pace_input.pin_length) {
+ fprintf(stderr, "%s too big, only %u digits allowed.\n",
+ npa_secret_name(pace_input.pin_id),
+ (unsigned int) pace_input.pin_length);
+ exit(2);
+ }
+ }
+ } else if (cmdline.puk_given) {
+ pace_input.pin_id = PACE_PUK;
+ pace_input.pin_length = 10;
+ maxsecret = 9999999999LLU;
+ if (puk) {
+ if (sscanf(puk, "%llu", &secret) != 1) {
+ fprintf(stderr, "%s is not an unsigned long long.\n",
+ npa_secret_name(pace_input.pin_id));
+ exit(2);
+ }
+ if (strlen(puk) > pace_input.pin_length) {
+ fprintf(stderr, "%s too big, only %u digits allowed.\n",
+ npa_secret_name(pace_input.pin_id),
+ (unsigned int) pace_input.pin_length);
+ exit(2);
+ }
+ }
+ } else {
+ fprintf(stderr, "Please specify whether to do PACE with "
+ "PIN, CAN or PUK.\n");
+ exit(1);
+ }
+
+ pace_input.pin = (unsigned char *) secretbuf;
+
+ do {
+ sprintf(secretbuf, "%0*llu", (unsigned int) pace_input.pin_length, secret);
+
+ gettimeofday(&tv, NULL);
+ printf("%u,%06u: Trying %s=%s\n",
+ (unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
+ npa_secret_name(pace_input.pin_id), pace_input.pin);
+
+ r = perform_pace(card, pace_input, &pace_output, tr_version);
+
+ secret++;
+ } while (0 > r && secret <= maxsecret);
+
+ gettimeofday(&tv, NULL);
+ if (0 > r) {
+ printf("%u,%06u: Tried breaking %s without success.\n",
+ (unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
+ npa_secret_name(pace_input.pin_id));
+ goto err;
+ } else {
+ printf("%u,%06u: Tried breaking %s with success (=%s).\n",
+ (unsigned int) tv.tv_sec, (unsigned int) tv.tv_usec,
+ npa_secret_name(pace_input.pin_id),
+ pace_input.pin);
+ }
+ }
+
+ if (cmdline.resume_flag) {
+ pace_input.pin_id = PACE_CAN;
+ if (can) {
+ pace_input.pin = (unsigned char *) can;
+ pace_input.pin_length = strlen(can);
+ } else {
+ pace_input.pin = NULL;
+ pace_input.pin_length = 0;
+ }
+ r = perform_pace(card, pace_input, &pace_output, tr_version);
+ if (r < 0)
+ goto err;
+ printf("Established PACE channel with CAN.\n");
+
+ pace_input.pin_id = PACE_PIN;
+ if (pin) {
+ pace_input.pin = (unsigned char *) pin;
+ pace_input.pin_length = strlen(pin);
+ } else {
+ pace_input.pin = NULL;
+ pace_input.pin_length = 0;
+ }
+ r = perform_pace(card, pace_input, &pace_output, tr_version);
+ if (r < 0)
+ goto err;
+ printf("Established PACE channel with PIN. PIN resumed.\n");
+ }
+
+ if (cmdline.unblock_flag) {
+ pace_input.pin_id = PACE_PUK;
+ if (puk) {
+ pace_input.pin = (unsigned char *) puk;
+ pace_input.pin_length = strlen(puk);
+ } else {
+ pace_input.pin = NULL;
+ pace_input.pin_length = 0;
+ }
+ r = perform_pace(card, pace_input, &pace_output, tr_version);
+ if (r < 0)
+ goto err;
+ printf("Established PACE channel with PUK.\n");
+
+ r = npa_unblock_pin(card);
+ if (r < 0)
+ goto err;
+ printf("Unblocked PIN.\n");
+ }
+
+ if (cmdline.new_pin_given) {
+ pace_input.pin_id = PACE_PIN;
+ if (pin) {
+ pace_input.pin = (unsigned char *) pin;
+ pace_input.pin_length = strlen(pin);
+ } else {
+ pace_input.pin = NULL;
+ pace_input.pin_length = 0;
+ }
+ r = perform_pace(card, pace_input, &pace_output, tr_version);
+ if (r < 0)
+ goto err;
+ printf("Established PACE channel with PIN.\n");
+
+ r = npa_change_pin(card, newpin, newpin ? strlen(newpin) : 0);
+ if (r < 0)
+ goto err;
+ printf("Changed PIN.\n");
+ }
+
+ if (cmdline.translate_given
+ || (!cmdline.resume_flag && !cmdline.new_pin_given
+ && !cmdline.unblock_flag && !cmdline.break_given)) {
+
+ if (cmdline.cv_certificate_given || cmdline.private_key_given
+ || cmdline.auxiliary_data_given) {
+ if (!cmdline.cv_certificate_given || !cmdline.private_key_given) {
+ fprintf(stderr, "Need at least the terminal's certificate "
+ "and its private key to perform terminal authentication.\n");
+ exit(1);
+ }
+
+ certs = calloc(sizeof *certs, cmdline.cv_certificate_given + 1);
+ certs_lens = calloc(sizeof *certs_lens,
+ cmdline.cv_certificate_given + 1);
+ if (!certs || !certs_lens) {
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ for (i = 0; i < cmdline.cv_certificate_given; i++) {
+ if (!fread_to_eof(cmdline.cv_certificate_arg[i],
+ (unsigned char **) &certs[i], &certs_lens[i])) {
+ fprintf(stderr, "Could not read certificate.\n");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+ }
+
+ if (!pace_input.chat_length) {
+ const unsigned char *p = certs[cmdline.cv_certificate_given-1];
+ if (!CVC_d2i_CVC_CERT(&cvc_cert, &p, certs_lens[cmdline.cv_certificate_given-1])
+ || !cvc_cert || !cvc_cert->body
+ || !cvc_cert->body->certificate_authority_reference
+ || !cvc_cert->body->chat) {
+ fprintf(stderr, "Could not parse certificate.\n");
+ ssl_error(ctx);
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+ pace_input.chat_length = i2d_CVC_CHAT(cvc_cert->body->chat, &certs_chat);
+ if (0 >= (int) pace_input.chat_length) {
+ fprintf(stderr, "Could not parse CHAT.\n");
+ r = SC_ERROR_INVALID_DATA;
+ ssl_error(ctx);
+ goto err;
+ }
+ pace_input.chat = certs_chat;
+ }
+
+ if (!fread_to_eof(cmdline.private_key_arg,
+ &privkey, &privkey_len)) {
+ fprintf(stderr, "Could not parse private key.\n");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+
+ if (cmdline.auxiliary_data_given) {
+ auxiliary_data_len = sizeof auxiliary_data;
+ if (sc_hex_to_bin(cmdline.auxiliary_data_arg, auxiliary_data,
+ &auxiliary_data_len) < 0) {
+ fprintf(stderr, "Could not parse auxiliary data.\n");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+ } else {
+ if (cmdline.older_than_given) {
+ r = add_to_ASN1_AUXILIARY_DATA(&templates,
+ NID_id_DateOfBirth,
+ (unsigned char *) cmdline.older_than_arg,
+ strlen(cmdline.older_than_arg));
+ if (r < 0)
+ goto err;
+ }
+ if (cmdline.verify_validity_given) {
+ r = add_to_ASN1_AUXILIARY_DATA(&templates,
+ NID_id_DateOfExpiry,
+ (unsigned char *) cmdline.verify_validity_arg,
+ strlen(cmdline.verify_validity_arg));
+ if (r < 0)
+ goto err;
+ }
+ if (cmdline.verify_community_given) {
+ community_id_len = sizeof community_id;
+ if (sc_hex_to_bin(cmdline.verify_community_arg, community_id,
+ &community_id_len) < 0) {
+ fprintf(stderr, "Could not parse community ID.\n");
+ exit(2);
+ }
+ r = add_to_ASN1_AUXILIARY_DATA(&templates,
+ NID_id_CommunityID,
+ community_id, community_id_len);
+ if (r < 0)
+ goto err;
+ }
+ if (templates) {
+ unsigned char *p = NULL;
+ auxiliary_data_len = i2d_ASN1_AUXILIARY_DATA(
+ templates, &p);
+ if (0 > (int) auxiliary_data_len
+ || auxiliary_data_len > sizeof auxiliary_data) {
+ free(p);
+ fprintf(stderr, "Auxiliary data too big.\n");
+ r = SC_ERROR_OUT_OF_MEMORY;
+ goto err;
+ }
+ memcpy(auxiliary_data, p, auxiliary_data_len);
+ free(p);
+ }
+ }
+ }
+
+ pace_input.pin = NULL;
+ pace_input.pin_length = 0;
+ if (cmdline.pin_given) {
+ pace_input.pin_id = PACE_PIN;
+ if (pin) {
+ pace_input.pin = (unsigned char *) pin;
+ pace_input.pin_length = strlen(pin);
+ }
+ } else if (cmdline.can_given) {
+ pace_input.pin_id = PACE_CAN;
+ if (can) {
+ pace_input.pin = (unsigned char *) can;
+ pace_input.pin_length = strlen(can);
+ }
+ } else if (cmdline.mrz_given) {
+ pace_input.pin_id = PACE_MRZ;
+ if (mrz) {
+ pace_input.pin = (unsigned char *) mrz;
+ pace_input.pin_length = strlen(mrz);
+ }
+ } else if (cmdline.puk_given) {
+ pace_input.pin_id = PACE_PUK;
+ if (puk) {
+ pace_input.pin = (unsigned char *) puk;
+ pace_input.pin_length = strlen(puk);
+ }
+ } else {
+ fprintf(stderr, "Skipping PIN verification\n");
+ goto nopace;
+ }
+
+ r = perform_pace(card, pace_input, &pace_output, tr_version);
+ if (r < 0)
+ goto err;
+ printf("Established PACE channel with %s.\n",
+ npa_secret_name(pace_input.pin_id));
+
+nopace:
+ if (cmdline.cv_certificate_given || cmdline.private_key_given) {
+ unsigned char eid_aid[] = { 0xE8, 0x07, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x02};
+ sc_path_t path;
+
+ r = perform_terminal_authentication(card,
+ (const unsigned char **) certs, certs_lens,
+ privkey, privkey_len, auxiliary_data, auxiliary_data_len);
+ if (r < 0)
+ goto err;
+ printf("Performed Terminal Authentication.\n");
+
+ r = perform_chip_authentication(card, &ef_cardsecurity, &ef_cardsecurity_len);
+ if (r < 0)
+ goto err;
+ printf("Performed Chip Authentication.\n");
+
+ sc_path_set(&path, SC_PATH_TYPE_DF_NAME, eid_aid, sizeof eid_aid, 0, 0);
+ r = sc_select_file(card, &path, NULL);
+ if (r < 0)
+ goto err;
+ printf("Selected eID application.\n");
+ }
+
+ if (cmdline.read_dg1_flag)
+ read_dg(card, 1, "Document Type", &dg, &dg_len);
+ if (cmdline.read_dg2_flag)
+ read_dg(card, 2, "Issuing State", &dg, &dg_len);
+ if (cmdline.read_dg3_flag)
+ read_dg(card, 3, "Date of Expiry", &dg, &dg_len);
+ if (cmdline.read_dg4_flag)
+ read_dg(card, 4, "Given Names", &dg, &dg_len);
+ if (cmdline.read_dg5_flag)
+ read_dg(card, 5, "Family Names", &dg, &dg_len);
+ if (cmdline.read_dg6_flag)
+ read_dg(card, 6, "Religious/Artistic Name", &dg, &dg_len);
+ if (cmdline.read_dg7_flag)
+ read_dg(card, 7, "Academic Title", &dg, &dg_len);
+ if (cmdline.read_dg8_flag)
+ read_dg(card, 8, "Date of Birth", &dg, &dg_len);
+ if (cmdline.read_dg9_flag)
+ read_dg(card, 9, "Place of Birth", &dg, &dg_len);
+ if (cmdline.read_dg10_flag)
+ read_dg(card, 10, "Nationality", &dg, &dg_len);
+ if (cmdline.read_dg11_flag)
+ read_dg(card, 11, "Sex", &dg, &dg_len);
+ if (cmdline.read_dg12_flag)
+ read_dg(card, 12, "Optional Data", &dg, &dg_len);
+ if (cmdline.read_dg13_flag)
+ read_dg(card, 13, "Birth Name", &dg, &dg_len);
+ if (cmdline.read_dg14_flag)
+ read_dg(card, 14, "DG 14", &dg, &dg_len);
+ if (cmdline.read_dg15_flag)
+ read_dg(card, 15, "DG 15", &dg, &dg_len);
+ if (cmdline.read_dg16_flag)
+ read_dg(card, 16, "DG 16", &dg, &dg_len);
+ if (cmdline.read_dg17_flag)
+ read_dg(card, 17, "Normal Place of Residence", &dg, &dg_len);
+ if (cmdline.read_dg18_flag)
+ read_dg(card, 18, "Community ID", &dg, &dg_len);
+ if (cmdline.read_dg19_flag)
+ read_dg(card, 19, "Residence Permit I", &dg, &dg_len);
+ if (cmdline.read_dg20_flag)
+ read_dg(card, 20, "Residence Permit II", &dg, &dg_len);
+ if (cmdline.read_dg21_flag)
+ read_dg(card, 21, "Optional Data", &dg, &dg_len);
+
+ if (cmdline.write_dg17_given)
+ write_dg(card, 17, "Normal Place of Residence", cmdline.write_dg17_arg);
+ if (cmdline.write_dg18_given)
+ write_dg(card, 18, "Community ID", cmdline.write_dg18_arg);
+ if (cmdline.write_dg19_given)
+ write_dg(card, 19, "Residence Permit I", cmdline.write_dg19_arg);
+ if (cmdline.write_dg20_given)
+ write_dg(card, 20, "Residence Permit II", cmdline.write_dg20_arg);
+ if (cmdline.write_dg21_given)
+ write_dg(card, 21, "Optional Data", cmdline.write_dg21_arg);
+
+ if (cmdline.older_than_given) {
+ unsigned char id_DateOfBirth[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 1};
+ verify(card, "age", id_DateOfBirth, sizeof id_DateOfBirth);
+ }
+ if (cmdline.verify_validity_given) {
+ unsigned char id_DateOfExpiry[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 2};
+ verify(card, "validity", id_DateOfExpiry, sizeof id_DateOfExpiry);
+ }
+ if (cmdline.verify_community_given) {
+ unsigned char id_CommunityID[] = {6, 9, 4, 0, 127, 0, 7, 3, 1, 4, 3};
+ verify(card, "community ID", id_CommunityID, sizeof id_CommunityID);
+ }
+
+ if (cmdline.translate_given) {
+ if (strncmp(cmdline.translate_arg, "stdin", strlen("stdin")) == 0)
+ input = stdin;
+ else {
+ input = fopen(cmdline.translate_arg, "r");
+ if (!input) {
+ perror("Opening file with APDUs");
+ r = SC_ERROR_INVALID_DATA;
+ goto err;
+ }
+ }
+
+ r = npa_translate_apdus(card, input);
+ if (r < 0)
+ goto err;
+ fclose(input);
+ input = NULL;
+ }
+ }
+
+err:
+ cmdline_parser_free(&cmdline);
+ free(pace_output.ef_cardaccess);
+ free(pace_output.recent_car);
+ free(pace_output.previous_car);
+ free(pace_output.id_icc);
+ free(pace_output.id_pcd);
+ if (ef_cardsecurity) {
+ OPENSSL_cleanse(ef_cardsecurity, ef_cardsecurity_len);
+ free(ef_cardsecurity);
+ }
+ if (input)
+ fclose(input);
+ if (certs) {
+ i = 0;
+ while (certs[i]) {
+ free((unsigned char *) certs[i]);
+ i++;
+ }
+ free(certs);
+ }
+ free(certs_lens);
+ free(certs_chat);
+ if (cvc_cert)
+ CVC_CERT_free(cvc_cert);
+ free(privkey);
+ free(dg);
+ if (templates)
+ ASN1_AUXILIARY_DATA_free(templates);
+
+ sc_sm_stop(card);
+ sc_reset(card, 1);
+ sc_disconnect_card(card);
+ sc_release_context(ctx);
+ EAC_cleanup();
+
+ if (r < 0)
+ fprintf(stderr, "Error: %s\n", sc_strerror(r));
+
+ return -r;
+}
+#else
+int
+main (int argc, char **argv)
+{
+ return 1;
+}
+#endif
diff --git a/src/tools/npa-tool.ggo.in b/src/tools/npa-tool.ggo.in
new file mode 100644
index 0000000..9652c89
--- /dev/null
+++ b/src/tools/npa-tool.ggo.in
@@ -0,0 +1,225 @@
+package "npa-tool"
+purpose "@PACKAGE_SUMMARY@"
+
+option "reader" r
+ "Number of the PC/SC reader to use (-1 for autodetect)"
+ int
+ default="-1"
+ optional
+option "verbose" v
+ "Use (several times) to be more verbose"
+ multiple
+ optional
+
+section "Password Authenticated Connection Establishment (PACE)"
+option "pin" p
+ "Run PACE with (transport) eID-PIN"
+ string
+ argoptional
+ optional
+option "puk" u
+ "Run PACE with PUK"
+ string
+ argoptional
+ optional
+option "can" c
+ "Run PACE with CAN"
+ string
+ argoptional
+ optional
+option "mrz" m
+ "Run PACE with MRZ (insert MRZ without newlines)"
+ string
+ argoptional
+ optional
+option "env" -
+ "Whether to use environment variables PIN, PUK, CAN, MRZ and NEWPIN. You may want to clean your environment before enabling this."
+ flag off
+
+section "PIN management"
+option "new-pin" N
+ "Install a new PIN"
+ string
+ argoptional
+ optional
+option "resume" R
+ "Resume eID-PIN (uses CAN to activate last retry)"
+ flag off
+option "unblock" U
+ "Unblock PIN (uses PUK to activate three more retries)"
+ flag off
+
+section "Terminal Authentication (TA) and Chip Authentication (CA)"
+option "cv-certificate" C
+ "Card Verifiable Certificate to create a certificate chain. Can be used multiple times (order is important)."
+ string
+ typestr="FILENAME"
+ optional
+ multiple
+option "cert-desc" -
+ "Certificate description to show for Terminal Authentication"
+ string
+ typestr="HEX_STRING"
+ optional
+option "chat" -
+ "Card holder authorization template to use (default is terminal's CHAT). Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser)."
+ string
+ typestr="HEX_STRING"
+ optional
+option "auxiliary-data" A
+ "Terminal's auxiliary data (default is determined by verification of validity, age and community ID)."
+ string
+ typestr="HEX_STRING"
+ optional
+option "private-key" P
+ "Terminal's private key"
+ string
+ typestr="FILENAME"
+ optional
+option "cvc-dir" -
+ "Where to look for the CVCA's certificate"
+ string
+ typestr="DIRECTORY"
+ default="@CVCDIR@"
+ optional
+option "x509-dir" -
+ "Where to look for the CSCA's certificate"
+ string
+ typestr="DIRECTORY"
+ default="@X509DIR@"
+ optional
+option "disable-ta-checks" -
+ "Disable checking the validity period of CV certifcates"
+ flag off
+option "disable-ca-checks" -
+ "Disable passive authentication"
+ flag off
+
+section "Read and write data groups"
+option "read-dg1" -
+ "Read DG 1 (Document Type)"
+ flag off
+option "read-dg2" -
+ "Read DG 2 (Issuing State)"
+ flag off
+option "read-dg3" -
+ "Read DG 3 (Date of Expiry)"
+ flag off
+option "read-dg4" -
+ "Read DG 4 (Given Names)"
+ flag off
+option "read-dg5" -
+ "Read DG 5 (Family Names)"
+ flag off
+option "read-dg6" -
+ "Read DG 6 (Religious/Artistic Name)"
+ flag off
+option "read-dg7" -
+ "Read DG 7 (Academic Title)"
+ flag off
+option "read-dg8" -
+ "Read DG 8 (Date of Birth)"
+ flag off
+option "read-dg9" -
+ "Read DG 9 (Place of Birth)"
+ flag off
+option "read-dg10" -
+ "Read DG 10 (Nationality)"
+ flag off
+option "read-dg11" -
+ "Read DG 11 (Sex)"
+ flag off
+option "read-dg12" -
+ "Read DG 12 (Optional Data)"
+ flag off
+option "read-dg13" -
+ "Read DG 13 (Birth Name)"
+ flag off
+option "read-dg14" -
+ "Read DG 14"
+ flag off
+option "read-dg15" -
+ "Read DG 15"
+ flag off
+option "read-dg16" -
+ "Read DG 16"
+ flag off
+option "read-dg17" -
+ "Read DG 17 (Normal Place of Residence)"
+ flag off
+option "read-dg18" -
+ "Read DG 18 (Community ID)"
+ flag off
+option "read-dg19" -
+ "Read DG 19 (Residence Permit I)"
+ flag off
+option "read-dg20" -
+ "Read DG 20 (Residence Permit II)"
+ flag off
+option "read-dg21" -
+ "Read DG 21 (Optional Data)"
+ flag off
+option "write-dg17" -
+ "Write DG 17 (Normal Place of Residence)"
+ string
+ typestr="HEX_STRING"
+ optional
+option "write-dg18" -
+ "Write DG 18 (Community ID)"
+ string
+ typestr="HEX_STRING"
+ optional
+option "write-dg19" -
+ "Write DG 19 (Residence Permit I)"
+ string
+ typestr="HEX_STRING"
+ optional
+option "write-dg20" -
+ "Write DG 20 (Residence Permit II)"
+ string
+ typestr="HEX_STRING"
+ optional
+option "write-dg21" -
+ "Write DG 21 (Optional Data)"
+ string
+ typestr="HEX_STRING"
+ optional
+
+section "Verification of validity, age and community ID"
+option "verify-validity" -
+ "Verify chip's validity with a reference date"
+ string
+ typestr="YYYYMMDD"
+ optional
+option "older-than" -
+ "Verify age with a reference date"
+ string
+ typestr="YYYYMMDD"
+ optional
+option "verify-community" -
+ "Verify community ID with a reference ID"
+ string
+ typestr="HEX_STRING"
+ optional
+
+section "Special options, not always useful"
+option "break" b
+ "Brute force PIN, CAN or PUK. Use together with -p, -a or -u"
+ flag off
+option "translate" t
+ "File with APDUs of HEX_STRINGs to send through the secure channel"
+ string
+ typestr="FILENAME"
+ default="stdin"
+ optional
+option "tr-03110v201" -
+ "Force compliance to BSI TR-03110 version 2.01"
+ flag off
+option "disable-all-checks" -
+ "Disable all checking of fly-by-data"
+ flag off
+
+text "
+Report bugs to @PACKAGE_BUGREPORT@
+
+Written by Frank Morgner <frankmorgner at gmail.com>"
diff --git a/src/tools/sceac-example.c b/src/tools/sceac-example.c
new file mode 100644
index 0000000..49d8bbe
--- /dev/null
+++ b/src/tools/sceac-example.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2011 Frank Morgner
+ *
+ * This file is part of OpenSC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* This example shows how to use the library functions perform_pace to
+ * get a secure channel to the nPA. We use the builtin function npa_change_pin
+ * to modify the PIN using the secure channel. Then we transmit an arbitrary
+ * APDU encrypted and authenticated to the card using sm_transmit_apdu. */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef ENABLE_OPENPACE
+#include "libopensc/sm.h"
+#include "sm/sm-iso.h"
+#include "sm/sm-eac.h"
+#include <string.h>
+
+static const char *newpin = NULL;
+static const char *pin = NULL;
+
+/* SELECT the Master File (MF) */
+const unsigned char apdubuf[] = {0x00, 0xA4, 0x00, 0x0C, 0x02, 0x3F, 0x00};
+
+int
+main (int argc, char **argv)
+{
+ /* Set up the environment */
+ int r;
+
+ sc_context_t *ctx = NULL;
+ sc_card_t *card = NULL;
+ sc_reader_t *reader = NULL;
+
+ sc_apdu_t apdu;
+ u8 buf[0xffff];
+
+ struct establish_pace_channel_input pace_input;
+ struct establish_pace_channel_output pace_output;
+
+ memset(&pace_input, 0, sizeof pace_input);
+ memset(&pace_output, 0, sizeof pace_output);
+
+
+ /* Connect to a reader */
+ r = sc_establish_context(&ctx, "example");
+ if (r < 0 || !ctx) {
+ fprintf(stderr, "Failed to create initial context: %s", sc_strerror(r));
+ exit(1);
+ }
+ reader = sc_ctx_get_reader(ctx, 0);
+ if (!reader) {
+ fprintf(stderr, "Failed to access reader 0");
+ exit(1);
+ }
+
+ /* Connect to a nPA */
+ ctx->flags |= SC_CTX_FLAG_ENABLE_DEFAULT_DRIVER;
+ if (sc_connect_card(reader, &card) < 0) {
+ fprintf(stderr, "Could not connect to card\n");
+ sc_release_context(ctx);
+ exit(1);
+ }
+
+ /* initialize OpenPACE */
+ EAC_init();
+
+
+ /* Now we try to change the PIN. Therefor we need to establish a SM channel
+ * with PACE.
+ *
+ * You could set your PIN with pin=“123456”; or just leave it at NULL to be
+ * asked for it. The same applies to the new PIN newpin. */
+ pace_input.pin_id = PACE_PIN;
+ pace_input.pin = (unsigned char *) pin;
+ pace_input.pin_length = pin ? strlen(pin) : 0;
+
+ r = perform_pace(card, pace_input, &pace_output, EAC_TR_VERSION_2_02);
+ if (r < 0)
+ goto err;
+ printf("Established PACE channel with PIN.\n");
+
+ r = npa_change_pin(card, newpin, newpin ? strlen(newpin) : 0);
+ if (r < 0)
+ goto err;
+ printf("Changed PIN.\n");
+
+
+ /* Now we want to transmit additional APDUs in the established SM channel.
+ *
+ * Here we are parsing the raw apdu buffer apdubuf to be transformed into
+ * an sc_apdu_t. Alternatively you could also set CLA, INS, P1, P2, ... by
+ * hand in the sc_apdu_t object. */
+ r = sc_bytes2apdu(ctx, apdubuf, sizeof apdubuf, &apdu);
+ if (r < 0)
+ goto err;
+
+ /* write the response data to buf */
+ apdu.resp = buf;
+ apdu.resplen = sizeof buf;
+
+ /* Transmit the APDU with SM */
+ r = sc_transmit_apdu(card, &apdu);
+
+
+err:
+ fprintf(r < 0 ? stderr : stdout, "%s\n", sc_strerror(r));
+
+ /* Free up memory and wipe it if necessary (e.g. for keys stored in sm_ctx) */
+ free(pace_output.ef_cardaccess);
+ free(pace_output.recent_car);
+ free(pace_output.previous_car);
+ free(pace_output.id_icc);
+ free(pace_output.id_pcd);
+
+ sc_sm_stop(card);
+ sc_reset(card, 1);
+ sc_disconnect_card(card);
+ sc_release_context(ctx);
+ EAC_cleanup();
+
+ return -r;
+}
+#else
+int
+main (int argc, char **argv)
+{
+ return 1;
+}
+#endif
diff --git a/win32/Make.rules.mak b/win32/Make.rules.mak
index eced692..621beb4 100644
--- a/win32/Make.rules.mak
+++ b/win32/Make.rules.mak
@@ -48,7 +48,7 @@ OPENSSL_LIB = $(OPENSSL_DIR)\lib\VC\$(OPENSSL_STATIC_DIR)\libeay32MT.lib user32.
!ENDIF
PROGRAMS_OPENSSL = cryptoflex-tool.exe pkcs15-init.exe netkey-tool.exe piv-tool.exe \
- westcos-tool.exe sc-hsm-tool.exe dnie-tool.exe gids-tool.exe
+ westcos-tool.exe sc-hsm-tool.exe dnie-tool.exe gids-tool.exe npa-tool.exe
OPENSC_FEATURES = $(OPENSC_FEATURES) openssl
CANDLEFLAGS = -dOpenSSL="$(OPENSSL_DIR)" $(CANDLEFLAGS)
!ENDIF
@@ -73,6 +73,19 @@ CANDLEFLAGS = -dzlib="C:\zlib-dll" $(CANDLEFLAGS)
!ENDIF
+# If you want support for EAC:
+# - Download OpenPACE and
+# - uncomment the line starting with OPENPACE_DEF
+# - set the OPENPACE_INCL_DIR below to the OpenPACE include directory preceeded by "/I"
+# - set the OPENPACE_LIB below to your OpenPACE lib file
+#OPENPACE_DEF= /DENABLE_OPENPACE
+!IF "$(OPENPACE_DEF)" == "/DENABLE_OPENPACE"
+OPENPACE_DIR = C:\OpenPACE
+OPENPACE_INCL_DIR = /I$(OPENPACE_DIR)\include
+OPENPACE_LIB = $(OPENPACE_DIR)\lib\libeac.lib
+!ENDIF
+
+
# Used for MiniDriver
CNGSDK_INCL_DIR = "/I$(PROGRAMFILES_PATH)\Microsoft CNG Development Kit\Include"
# Mandatory path to 'ISO C9x compliant stdint.h and inttypes.h for Microsoft Visual Studio'
@@ -83,15 +96,15 @@ CNGSDK_INCL_DIR = "/I$(PROGRAMFILES_PATH)\Microsoft CNG Development Kit\Include"
# O1 - minimal code size
CODE_OPTIMIZATION = /O1
-ALL_INCLUDES = /I$(TOPDIR)\win32 /I$(TOPDIR)\src $(OPENSSL_INCL_DIR) $(OPENSSL_EXTRA_CFLAGS) $(ZLIB_INCL_DIR) $(LIBLTDL_INCL) $(INTTYPES_INCL_DIR) $(CNGSDK_INCL_DIR) $(WIX_INCL_DIR)
+ALL_INCLUDES = /I$(TOPDIR)\win32 /I$(TOPDIR)\src $(OPENPACE_INCL_DIR) $(OPENSSL_INCL_DIR) $(OPENSSL_EXTRA_CFLAGS) $(ZLIB_INCL_DIR) $(LIBLTDL_INCL) $(INTTYPES_INCL_DIR) $(CNGSDK_INCL_DIR) $(WIX_INCL_DIR)
!IF "$(DEBUG_DEF)" == "/DDEBUG"
LINKDEBUGFLAGS = /NODEFAULTLIB:LIBCMT /DEBUG
CODE_OPTIMIZATION =
-COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MTd /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\"" /DDEBUG /Zi /Od
+COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MTd /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENPACE_DEF) $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\"" /DDEBUG /Zi /Od
!ELSE
LINKDEBUGFLAGS = /NODEFAULTLIB:LIBCMTD
-COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MT /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\""
+COPTS = /GS /W3 /D_CRT_SECURE_NO_DEPRECATE /MT /nologo /DHAVE_CONFIG_H $(ALL_INCLUDES) /D_WIN32_WINNT=0x0502 /DWIN32_LEAN_AND_MEAN $(OPENPACE_DEF) $(OPENSSL_DEF) $(ZLIB_DEF) $(MINIDRIVER_DEF) $(SM_DEF) /DOPENSC_FEATURES="\"$(OPENSC_FEATURES)\""
!ENDIF
diff --git a/win32/OpenSC.wxs.in b/win32/OpenSC.wxs.in
index 0092ede..bdab84a 100644
--- a/win32/OpenSC.wxs.in
+++ b/win32/OpenSC.wxs.in
@@ -62,6 +62,9 @@
<Directory Id="TARGETDIR" Name="SourceDir">
<!-- Install critical DLL-s to system folder. NB! Id-s can not contain "-" characters! -->
<Directory Id="$(var.PlatformSystemFolder)" Name=".">
+ <Component Id="cardnpa.dll" Guid="*" Win64="$(var.Win64YesNo)">
+ <File Source="$(var.SOURCE_DIR)\src\libopensc\cardnpa.dll" Vital="yes"/>
+ </Component>
<Component Id="opensc_pkcs11.dll" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\pkcs11\opensc-pkcs11.dll" Vital="yes"/>
</Component>
@@ -180,6 +183,9 @@
<Component Id="gids_tool.exe" Guid="*" Win64="$(var.Win64YesNo)">
<File Source="$(var.SOURCE_DIR)\src\tools\gids-tool.exe" Vital="yes"/>
</Component>
+ <Component Id="npa_tool.exe" Guid="*" Win64="$(var.Win64YesNo)">
+ <File Source="$(var.SOURCE_DIR)\src\tools\npa-tool.exe" Vital="yes"/>
+ </Component>
<?endif ?>
</Directory>
<?ifdef OpenSSL ?>
@@ -296,6 +302,7 @@
<Feature Id="Complete" Level="1" Title="OpenSC software suite" Display="expand">
<Feature Id="OpenSC_core" Level="1" Title="OpenSC core library" Description="Core DLL and configuration file used by all other components." Absent="disallow">
<ComponentRef Id="opensc.dll"/>
+ <ComponentRef Id="cardnpa.dll"/>
<?ifdef zlib ?>
<ComponentRef Id="zlib1.dll"/>
<?endif ?>
@@ -305,6 +312,7 @@
<?endif ?>
</Feature>
<Feature Id="OpenSC_pkcs11" Level="1" Title="OpenSC PKCS#11 module" Description="PKCS#11 module usd by most open source and cross-platform software (like Firefox, Putty, TrueCrypt, OpenVPN etc)" TypicalDefault="install">
+ <ComponentRef Id="cardnpa.dll"/>
<ComponentRef Id="opensc_pkcs11.dll"/>
<ComponentRef Id="onepin_opensc_pkcs11.dll"/>
</Feature>
@@ -335,6 +343,7 @@
<ComponentRef Id="sc_hsm_tool.exe"/>
<ComponentRef Id="dnie_tool.exe"/>
<ComponentRef Id="gids_tool.exe"/>
+ <ComponentRef Id="npa_tool.exe"/>
<ComponentRef Id="cyberflex.profile"/>
<ComponentRef Id="flex.profile"/>
<ComponentRef Id="gpk.profile"/>
diff --git a/win32/winconfig.h.in b/win32/winconfig.h.in
index 95056c0..55f74fd 100644
--- a/win32/winconfig.h.in
+++ b/win32/winconfig.h.in
@@ -90,6 +90,10 @@
#define PACKAGE_VERSION "@PACKAGE_VERSION@"
#endif
+#ifndef VERSION
+#define VERSION PACKAGE_VERSION
+#endif
+
#ifndef PACKAGE_NAME
#define PACKAGE_NAME "@PACKAGE_NAME@"
#endif
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/opensc.git
More information about the pkg-opensc-commit
mailing list