2 * Copyright (c) 2002 Juha Yrjölä. All rights reserved.
3 * Copyright (c) 2001 Markus Friedl.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 #if defined(SMARTCARD) && defined(USE_OPENSC)
29 #include <openssl/evp.h>
30 #include <openssl/x509.h>
32 #include <opensc/opensc.h>
33 #include <opensc/pkcs15.h>
41 #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
43 #define RSA_get_default_method RSA_get_default_openssl_method
48 #include <openssl/engine.h>
49 #define sc_get_rsa sc_get_engine
51 #define sc_get_rsa sc_get_rsa_method
54 static int sc_reader_id
;
55 static sc_context_t
*ctx
= NULL
;
56 static sc_card_t
*card
= NULL
;
57 static sc_pkcs15_card_t
*p15card
= NULL
;
59 static char *sc_pin
= NULL
;
63 struct sc_pkcs15_id cert_id
;
71 sc_pkcs15_unbind(p15card
);
75 sc_disconnect_card(card
, 0);
79 sc_release_context(ctx
);
89 r
= sc_establish_context(&ctx
, "openssh");
92 if (sc_reader_id
>= ctx
->reader_count
) {
93 r
= SC_ERROR_NO_READERS_FOUND
;
94 error("Illegal reader number %d (max %d)", sc_reader_id
,
95 ctx
->reader_count
-1);
98 r
= sc_connect_card(ctx
->reader
[sc_reader_id
], 0, &card
);
101 r
= sc_pkcs15_bind(card
, &p15card
);
110 /* private key operations */
113 sc_prkey_op_init(RSA
*rsa
, struct sc_pkcs15_object
**key_obj_out
,
117 struct sc_priv_data
*priv
;
118 struct sc_pkcs15_object
*key_obj
;
119 struct sc_pkcs15_prkey_info
*key
;
120 struct sc_pkcs15_object
*pin_obj
;
121 struct sc_pkcs15_pin_info
*pin
;
123 priv
= (struct sc_priv_data
*) RSA_get_app_data(rsa
);
126 if (p15card
== NULL
) {
130 error("SmartCard init failed: %s", sc_strerror(r
));
134 r
= sc_pkcs15_find_prkey_by_id_usage(p15card
, &priv
->cert_id
,
137 error("Unable to find private key from SmartCard: %s",
142 r
= sc_pkcs15_find_pin_by_auth_id(p15card
, &key_obj
->auth_id
,
144 if (r
== SC_ERROR_OBJECT_NOT_FOUND
) {
145 /* no pin required */
148 error("Unable to lock smartcard: %s", sc_strerror(r
));
151 *key_obj_out
= key_obj
;
154 error("Unable to find PIN object from SmartCard: %s",
161 error("Unable to lock smartcard: %s", sc_strerror(r
));
164 if (sc_pin
!= NULL
) {
165 r
= sc_pkcs15_verify_pin(p15card
, pin
, sc_pin
,
169 error("PIN code verification failed: %s",
174 *key_obj_out
= key_obj
;
181 #define SC_USAGE_DECRYPT SC_PKCS15_PRKEY_USAGE_DECRYPT | \
182 SC_PKCS15_PRKEY_USAGE_UNWRAP
185 sc_private_decrypt(int flen
, u_char
*from
, u_char
*to
, RSA
*rsa
,
188 struct sc_pkcs15_object
*key_obj
;
191 if (padding
!= RSA_PKCS1_PADDING
)
193 r
= sc_prkey_op_init(rsa
, &key_obj
, SC_USAGE_DECRYPT
);
196 r
= sc_pkcs15_decipher(p15card
, key_obj
, SC_ALGORITHM_RSA_PAD_PKCS1
,
197 from
, flen
, to
, flen
);
200 error("sc_pkcs15_decipher() failed: %s", sc_strerror(r
));
209 #define SC_USAGE_SIGN SC_PKCS15_PRKEY_USAGE_SIGN | \
210 SC_PKCS15_PRKEY_USAGE_SIGNRECOVER
213 sc_sign(int type
, u_char
*m
, unsigned int m_len
,
214 unsigned char *sigret
, unsigned int *siglen
, RSA
*rsa
)
216 struct sc_pkcs15_object
*key_obj
;
218 unsigned long flags
= 0;
220 /* XXX: sc_prkey_op_init will search for a pkcs15 private
221 * key object with the sign or signrecover usage flag set.
222 * If the signing key has only the non-repudiation flag set
223 * the key will be rejected as using a non-repudiation key
224 * for authentication is not recommended. Note: This does not
225 * prevent the use of a non-repudiation key for authentication
226 * if the sign or signrecover flag is set as well.
228 r
= sc_prkey_op_init(rsa
, &key_obj
, SC_USAGE_SIGN
);
231 /* FIXME: length of sigret correct? */
232 /* FIXME: check 'type' and modify flags accordingly */
233 flags
= SC_ALGORITHM_RSA_PAD_PKCS1
| SC_ALGORITHM_RSA_HASH_SHA1
;
234 r
= sc_pkcs15_compute_signature(p15card
, key_obj
, flags
,
235 m
, m_len
, sigret
, RSA_size(rsa
));
238 error("sc_pkcs15_compute_signature() failed: %s",
250 sc_private_encrypt(int flen
, u_char
*from
, u_char
*to
, RSA
*rsa
,
253 error("Private key encryption not supported");
259 static int (*orig_finish
)(RSA
*rsa
) = NULL
;
264 struct sc_priv_data
*priv
;
266 priv
= RSA_get_app_data(rsa
);
268 if (priv
->ref_count
== 0) {
277 /* engine for overloading private key operations */
280 sc_get_rsa_method(void)
282 static RSA_METHOD smart_rsa
;
283 const RSA_METHOD
*def
= RSA_get_default_method();
285 /* use the OpenSSL version */
286 memcpy(&smart_rsa
, def
, sizeof(smart_rsa
));
288 smart_rsa
.name
= "opensc";
291 smart_rsa
.rsa_priv_enc
= sc_private_encrypt
;
292 smart_rsa
.rsa_priv_dec
= sc_private_decrypt
;
293 smart_rsa
.rsa_sign
= sc_sign
;
296 orig_finish
= def
->finish
;
297 smart_rsa
.finish
= sc_finish
;
306 static ENGINE
*smart_engine
= NULL
;
308 if ((smart_engine
= ENGINE_new()) == NULL
)
309 fatal("ENGINE_new failed");
311 ENGINE_set_id(smart_engine
, "opensc");
312 ENGINE_set_name(smart_engine
, "OpenSC");
314 ENGINE_set_RSA(smart_engine
, sc_get_rsa_method());
315 ENGINE_set_DSA(smart_engine
, DSA_get_default_openssl_method());
316 ENGINE_set_DH(smart_engine
, DH_get_default_openssl_method());
317 ENGINE_set_RAND(smart_engine
, RAND_SSLeay());
318 ENGINE_set_BN_mod_exp(smart_engine
, BN_mod_exp
);
325 convert_rsa_to_rsa1(Key
* in
, Key
* out
)
327 struct sc_priv_data
*priv
;
329 out
->rsa
->flags
= in
->rsa
->flags
;
330 out
->flags
= in
->flags
;
331 RSA_set_method(out
->rsa
, RSA_get_method(in
->rsa
));
332 BN_copy(out
->rsa
->n
, in
->rsa
->n
);
333 BN_copy(out
->rsa
->e
, in
->rsa
->e
);
334 priv
= RSA_get_app_data(in
->rsa
);
336 RSA_set_app_data(out
->rsa
, priv
);
341 sc_read_pubkey(Key
* k
, const struct sc_pkcs15_object
*cert_obj
)
344 sc_pkcs15_cert_t
*cert
= NULL
;
345 struct sc_priv_data
*priv
= NULL
;
346 sc_pkcs15_cert_info_t
*cinfo
= cert_obj
->data
;
349 EVP_PKEY
*pubkey
= NULL
;
353 debug("sc_read_pubkey() with cert id %02X", cinfo
->id
.value
[0]);
354 r
= sc_pkcs15_read_certificate(p15card
, cinfo
, &cert
);
356 logit("Certificate read failed: %s", sc_strerror(r
));
365 if (!d2i_X509(&x509
, &p
, cert
->data_len
)) {
366 logit("Unable to parse X.509 certificate");
370 sc_pkcs15_free_certificate(cert
);
372 pubkey
= X509_get_pubkey(x509
);
375 if (pubkey
->type
!= EVP_PKEY_RSA
) {
376 logit("Public key is of unknown type");
380 k
->rsa
= EVP_PKEY_get1_RSA(pubkey
);
381 EVP_PKEY_free(pubkey
);
383 k
->rsa
->flags
|= RSA_FLAG_SIGN_VER
;
384 RSA_set_method(k
->rsa
, sc_get_rsa_method());
385 priv
= xmalloc(sizeof(struct sc_priv_data
));
386 priv
->cert_id
= cinfo
->id
;
388 RSA_set_app_data(k
->rsa
, priv
);
390 k
->flags
= KEY_FLAG_EXT
;
391 tmp
= key_fingerprint(k
, SSH_FP_MD5
, SSH_FP_HEX
);
392 debug("fingerprint %d %s", key_size(k
), tmp
);
398 sc_pkcs15_free_certificate(cert
);
400 EVP_PKEY_free(pubkey
);
407 sc_get_keys(const char *id
, const char *pin
)
410 int i
, r
, real_count
= 0, key_count
;
411 sc_pkcs15_id_t cert_id
;
412 sc_pkcs15_object_t
*certs
[32];
413 char *buf
= xstrdup(id
), *p
;
415 debug("sc_get_keys called: id = %s", id
);
419 sc_pin
= (pin
== NULL
) ? NULL
: xstrdup(pin
);
422 if ((p
= strchr(buf
, ':')) != NULL
) {
425 sc_pkcs15_hex_string_to_id(p
, &cert_id
);
427 r
= sscanf(buf
, "%d", &sc_reader_id
);
431 if (p15card
== NULL
) {
435 error("Smartcard init failed: %s", sc_strerror(r
));
440 r
= sc_pkcs15_find_cert_by_id(p15card
, &cert_id
, &certs
[0]);
445 r
= sc_pkcs15_get_objects(p15card
, SC_PKCS15_TYPE_CERT_X509
,
448 logit("No certificates found on smartcard");
452 error("Certificate enumeration failed: %s",
458 if (key_count
> 1024)
459 fatal("Too many keys (%u), expected <= 1024", key_count
);
460 keys
= xcalloc(key_count
* 2 + 1, sizeof(Key
*));
461 for (i
= 0; i
< key_count
; i
++) {
462 sc_pkcs15_object_t
*tmp_obj
= NULL
;
463 cert_id
= ((sc_pkcs15_cert_info_t
*)(certs
[i
]->data
))->id
;
464 if (sc_pkcs15_find_prkey_by_id(p15card
, &cert_id
, &tmp_obj
))
465 /* skip the public key (certificate) if no
466 * corresponding private key is present */
468 k
= key_new(KEY_RSA
);
471 r
= sc_read_pubkey(k
, certs
[i
]);
473 error("sc_read_pubkey failed: %s", sc_strerror(r
));
477 keys
[real_count
] = k
;
479 k
= key_new(KEY_RSA1
);
482 convert_rsa_to_rsa1(keys
[real_count
-1], k
);
483 keys
[real_count
] = k
;
486 keys
[real_count
] = NULL
;
495 sc_put_key(Key
*prv
, const char *id
)
497 error("key uploading not yet supported");
502 sc_get_key_label(Key
*key
)
505 const struct sc_priv_data
*priv
;
506 struct sc_pkcs15_object
*key_obj
;
508 priv
= (const struct sc_priv_data
*) RSA_get_app_data(key
->rsa
);
509 if (priv
== NULL
|| p15card
== NULL
) {
510 logit("SmartCard key not loaded");
511 /* internal error => return default label */
512 return xstrdup("smartcard key");
514 r
= sc_pkcs15_find_prkey_by_id(p15card
, &priv
->cert_id
, &key_obj
);
516 logit("Unable to find private key from SmartCard: %s",
518 return xstrdup("smartcard key");
520 if (key_obj
== NULL
|| key_obj
->label
== NULL
)
521 /* the optional PKCS#15 label does not exists
522 * => return the default label */
523 return xstrdup("smartcard key");
524 return xstrdup(key_obj
->label
);
527 #endif /* SMARTCARD */