[7d3ae3e] | 1 | /* |
---|
| 2 | * Estonian ID card plugin for web browsers |
---|
| 3 | * |
---|
| 4 | * Copyright (C) 2010-2011 Codeborne <info@codeborne.com> |
---|
| 5 | * |
---|
| 6 | * This is free software; you can redistribute it and/or |
---|
| 7 | * modify it under the terms of the GNU Lesser General Public |
---|
| 8 | * License as published by the Free Software Foundation; either |
---|
| 9 | * version 2.1 of the License, or (at your option) any later version. |
---|
| 10 | * |
---|
| 11 | * This software is distributed in the hope that it will be useful, |
---|
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
---|
| 14 | * Lesser General Public License for more details. |
---|
| 15 | * |
---|
| 16 | * You should have received a copy of the GNU Lesser General Public |
---|
| 17 | * License along with this library; if not, write to the Free Software |
---|
| 18 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
---|
| 19 | * |
---|
| 20 | */ |
---|
| 21 | |
---|
| 22 | #include <stdlib.h> |
---|
| 23 | #include <string.h> |
---|
| 24 | |
---|
| 25 | #include <openssl/x509.h> |
---|
| 26 | #include <openssl/pem.h> |
---|
| 27 | |
---|
| 28 | #ifndef _WIN32 |
---|
| 29 | #include <pthread.h> |
---|
| 30 | #include <unistd.h> |
---|
| 31 | #else |
---|
| 32 | #include <windows.h> |
---|
| 33 | #endif |
---|
| 34 | |
---|
| 35 | #define CRYPTOKI_COMPAT |
---|
| 36 | #include "pkcs11.h" |
---|
| 37 | |
---|
| 38 | #include "esteid_sign.h" |
---|
| 39 | #include "esteid_log.h" |
---|
| 40 | #include "pkcs11_errors.h" |
---|
| 41 | #include "l10n.h" |
---|
| 42 | #include "esteid_error.h" |
---|
| 43 | #include "dialogs.h" |
---|
| 44 | #include "esteid_certinfo.h" |
---|
| 45 | |
---|
/* Boolean-style result codes used by every signing entry point in this file.
 * Callers test `result == SUCCESS`, so a raw CK_RV must never be returned
 * through an int result: CKR_CANCEL is 1 and would read as SUCCESS. */
#define FAILURE 0
#define SUCCESS 1

/* Raw digest sizes accepted for signing. The hash algorithm is inferred from
 * the digest length alone (see EstEID_addPadding), nothing else is verified. */
#define BINARY_SHA1_LENGTH 20
#define BINARY_SHA224_LENGTH 28
#define BINARY_SHA256_LENGTH 32
#define BINARY_SHA512_LENGTH 64

/* PKCS#1 v1.5 DigestInfo prefixes (DER: SEQUENCE { AlgorithmIdentifier, OCTET STRING })
 * prepended to the raw digest before CKM_RSA_PKCS signs it, so the token emits a
 * standard RSASSA-PKCS1-v1_5 signature. Do not edit the byte values. */
CK_BYTE RSA_SHA1_DESIGNATOR_PREFIX[] = {48, 33, 48, 9, 6, 5, 43, 14, 3, 2, 26, 5, 0, 4, 20};
CK_BYTE RSA_SHA224_DESIGNATOR_PREFIX[] = {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c};
CK_BYTE RSA_SHA256_DESIGNATOR_PREFIX[] = {48, 49, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 4, 32};
CK_BYTE RSA_SHA512_DESIGNATOR_PREFIX[] = {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};

/* PKCS#11 function list; loaded and owned by another translation unit. */
extern CK_FUNCTION_LIST_PTR fl;

/* Last error message and code reported to the caller; defined elsewhere.
 * The array size (1024) is relied upon by sizeof(EstEID_error) in this file. */
extern char EstEID_error[1024];
extern int EstEID_errorCode;

/* Early-exit helper for functions that hold an open PKCS#11 session.
 * The two variants are NOT equivalent:
 *   - Windows: closes `session` and returns _r verbatim; does not free `name`.
 *   - POSIX:   frees the local `name`, closes `session`, and always returns
 *              FAILURE — the _r argument is ignored.
 * Any function using the macro must have `session` (and, on POSIX, `name`)
 * in scope; EstEID_sighHashWindows has no `name`, which is why the Windows
 * form omits it. */
#ifdef _WIN32
#define CLOSE_SESSION_AND_RETURN(_r) { if (session) { fl->C_CloseSession(session); } return (_r); }
#else
#define CLOSE_SESSION_AND_RETURN(_r) { if (name) free(name); if (session) { fl->C_CloseSession(session); } return FAILURE; }
#endif

/* On Windows the pthread names below are aliased to Win32 HANDLEs. */
#ifdef _WIN32
#define pthread_mutex_t HANDLE
#define pthread_cond_t HANDLE
#endif

/* Shared state between EstEID_signHash and the PIN-pad worker thread
 * (EstEID_pinPadLogin). The mutex/condition are (re)initialised per login
 * attempt in EstEID_signHash. pinpad_thread_result and
 * pinpad_thread_completed are written but never read in this file. */
pthread_mutex_t pinpad_thread_mutex;
pthread_cond_t pinpad_thread_condition;
int pinpad_thread_result;
int pinpad_thread_completed = FALSE;
---|
| 79 | |
---|
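/*
 * Maps the token's user-PIN counter flags to a coarse "tries left" value.
 *
 * Returns -1 if C_GetTokenInfo fails, 0 when the user PIN is locked,
 * 1 on the final try, 2 when the token reports a low count, and 3 otherwise.
 * PKCS#11 only exposes these three thresholds, so the result is a bucket,
 * not an exact counter.
 */
int EstEID_getRemainingTries(CK_SLOT_ID slotID) {
    CK_TOKEN_INFO tokenInfo;
    if (EstEID_CK_failure("C_GetTokenInfo", fl->C_GetTokenInfo(slotID, &tokenInfo))) return -1;
    /* CK_FLAGS is an unsigned long: %lu/%lx match it (the previous %li did not). */
    EstEID_log("flags: %lu (%lx)", (unsigned long)tokenInfo.flags, (unsigned long)tokenInfo.flags);
    if (tokenInfo.flags & CKF_USER_PIN_LOCKED) return 0;
    if (tokenInfo.flags & CKF_USER_PIN_FINAL_TRY) return 1;
    if (tokenInfo.flags & CKF_USER_PIN_COUNT_LOW) return 2;
    return 3;
}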
---|
| 89 | |
---|
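/*
 * Reports whether the token in slotID is reached through a reader with its
 * own keypad (CKF_PROTECTED_AUTHENTICATION_PATH), i.e. the PIN is entered on
 * the device and never passes through this process.
 *
 * Returns 1 for a PIN pad, 0 for a plain reader or if C_GetTokenInfo fails
 * (a failed query is treated as "no PIN pad").
 */
int EstEID_isPinPad(CK_SLOT_ID slotID) {
    CK_TOKEN_INFO tokenInfo;
    if (EstEID_CK_failure("C_GetTokenInfo", fl->C_GetTokenInfo(slotID, &tokenInfo))) return 0;
    /* CK_FLAGS is an unsigned long: %lu/%lx match it (the previous %li did not). */
    EstEID_log("flags: %lu (%lx)", (unsigned long)tokenInfo.flags, (unsigned long)tokenInfo.flags);
    return (tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? 1 : 0;
}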
---|
| 97 | |
---|
| 98 | |
---|
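/*
 * Wraps a raw digest in its PKCS#1 v1.5 DigestInfo prefix so that the token's
 * CKM_RSA_PKCS mechanism yields a standard RSASSA-PKCS1-v1_5 signature.
 *
 * The digest algorithm is inferred purely from hashLength (20/28/32/64 bytes
 * -> SHA-1/224/256/512). Nothing here can check that the bytes really are
 * such a digest: whatever the caller (ultimately the web page) supplies with
 * an accepted length is wrapped and signed as-is.
 *
 * Returns a malloc'd buffer of *paddedHashLength bytes that the caller frees,
 * or NULL with *paddedHashLength = 0 for an unsupported length, a NULL hash,
 * or an allocation failure.
 */
char *EstEID_addPadding(const char *hash, unsigned int hashLength, unsigned int *paddedHashLength) {
    const CK_BYTE *prefix;
    size_t prefixLength;
    char *hashWithPadding;

    EstEID_log("incoming digest length = %u", hashLength);
    *paddedHashLength = 0;

    switch (hashLength) {
        case BINARY_SHA1_LENGTH:
            EstEID_log("SHA1");
            prefix = RSA_SHA1_DESIGNATOR_PREFIX;
            prefixLength = sizeof(RSA_SHA1_DESIGNATOR_PREFIX);
            break;
        case BINARY_SHA224_LENGTH:
            EstEID_log("SHA224");
            prefix = RSA_SHA224_DESIGNATOR_PREFIX;
            prefixLength = sizeof(RSA_SHA224_DESIGNATOR_PREFIX);
            break;
        case BINARY_SHA256_LENGTH:
            EstEID_log("SHA256");
            prefix = RSA_SHA256_DESIGNATOR_PREFIX;
            prefixLength = sizeof(RSA_SHA256_DESIGNATOR_PREFIX);
            break;
        case BINARY_SHA512_LENGTH:
            EstEID_log("SHA512");
            prefix = RSA_SHA512_DESIGNATOR_PREFIX;
            prefixLength = sizeof(RSA_SHA512_DESIGNATOR_PREFIX);
            break;
        default:
            EstEID_log("incorrect digest length, dropping padding");
            return NULL;
    }

    if (!hash) {
        EstEID_log("no digest supplied, dropping padding");
        return NULL;
    }

    hashWithPadding = (char *)malloc(prefixLength + hashLength);
    if (!hashWithPadding) {
        /* The original code dereferenced a NULL malloc result here. */
        EstEID_log("out of memory while padding digest");
        return NULL;
    }
    memcpy(hashWithPadding, prefix, prefixLength);
    memcpy(hashWithPadding + prefixLength, hash, hashLength);
    *paddedHashLength = (unsigned int)(prefixLength + hashLength);
    return hashWithPadding;
}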
---|
| 137 | |
---|
| 138 | |
---|
/*
 * PIN-pad login worker started by EstEID_signHash.
 *
 * POSIX build: runs C_Login with a NULL PIN (the reader collects it on its
 * own keypad) against the session carried in threadData, stores the CK_RV in
 * threadData->result, dismisses the modal sheet, flags completion and
 * broadcasts pinpad_thread_condition -- all while holding pinpad_thread_mutex.
 * threadData points into the caller's stack frame, so the caller must not
 * return before this thread has finished with it. NOTE(review): nothing in
 * this file waits on pinpad_thread_condition; confirm the caller's prompt
 * blocks until closePinPadModalSheet() has run.
 *
 * Windows build: roles are reversed -- the caller runs C_Login on its own
 * thread and this thread only shows the prompt (promptFunction with a NULL
 * window handle and pinpad = TRUE), serialised on pinpad_thread_mutex.
 */
THREAD_RETURN_TYPE EstEID_pinPadLogin(void* threadData) {
#ifndef _WIN32
    LOG_LOCATION;
    pthread_mutex_lock(&pinpad_thread_mutex);
    CK_SESSION_HANDLE session = ((EstEID_PINPadThreadData*)threadData)->session;
    /* NULL/0 PIN: with CKF_PROTECTED_AUTHENTICATION_PATH the reader prompts for it. */
    CK_RV loginResult = fl->C_Login(session, CKU_USER, NULL, 0);
    ((EstEID_PINPadThreadData*)threadData)->result = loginResult;

    /* Tear down the UI that EstEID_signHash put up while we were blocked in C_Login. */
    closePinPadModalSheet();
    EstEID_log("modal sheet/dialog destroyed");

    pinpad_thread_completed = TRUE;
    pthread_cond_broadcast(&pinpad_thread_condition);

    pthread_mutex_unlock(&pinpad_thread_mutex);
    pthread_exit(NULL);
#else
    EstEID_PINPromptDataEx* pinPromptDataEx;
    LOG_LOCATION;
    WaitForSingleObject(pinpad_thread_mutex, INFINITE);
    pinPromptDataEx = (EstEID_PINPromptDataEx*)threadData;
    /* UI only: C_Login runs on the caller's thread (see EstEID_signHash). */
    pinPromptDataEx->pinPromptData.promptFunction(NULL, pinPromptDataEx->name, pinPromptDataEx->message, 0, TRUE);
    ReleaseMutex(pinpad_thread_mutex);
    return TRUE;
#endif
}
---|
| 165 | |
---|
/* Records a user-initiated cancel as the current error message and code. */
void setUserCancelErrorCodeAndMessage() {
    EstEID_log("Got user cancel");
    snprintf(EstEID_error, sizeof(EstEID_error), "%s", "User cancelled");
    EstEID_errorCode = ESTEID_USER_CANCEL;
}
---|
| 171 | |
---|
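/*
 * Builds the "<givenName> <surname>, <serialNumber>" label shown in the PIN
 * prompt from the certificate map. Missing fields are treated as empty; the
 * ", <serialNumber>" part is appended only when serialNumber is non-empty.
 *
 * Note that serialNumber is the card holder's personal code, so the returned
 * string is personal data and should not be logged casually.
 *
 * Returns a malloc'd string the caller frees, or NULL on allocation failure.
 */
char* EstEID_getFullNameWithPersonalCode(EstEID_Map cert) {
    const char *givenName = EstEID_mapGet(cert, "givenName");
    const char *surname = EstEID_mapGet(cert, "surname");
    const char *personalID = EstEID_mapGet(cert, "serialNumber");
    size_t nameSize;
    char *name;

    if (!givenName) givenName = "";
    if (!surname) surname = "";
    if (!personalID) personalID = "";

    /* "<given> <surname>" (+1 space) + optional ", <id>" (+2) + NUL (+1). */
    nameSize = strlen(givenName) + strlen(surname) + strlen(personalID) + 4;
    name = (char *)malloc(nameSize);
    if (!name) return NULL;

    if (*personalID) {
        snprintf(name, nameSize, "%s %s, %s", givenName, surname, personalID);
    } else {
        snprintf(name, nameSize, "%s %s", givenName, surname);
    }
    return name;
}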
---|
| 198 | |
---|
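/*
 * Signs an already-validated digest with the first private key object in an
 * authenticated session, using CKM_RSA_PKCS over the PKCS#1 DigestInfo that
 * EstEID_addPadding builds.
 *
 * Ownership: this function always closes `session` and always frees `name`
 * (on every path, not just success), which is what the callers expect. On
 * SUCCESS *signature is a malloc'd buffer of *signatureLength bytes owned by
 * the caller; on FAILURE both are reset to NULL/0 and EstEID_error holds the
 * reason. Only the first key returned by C_FindObjects is used.
 */
int EstEID_RealSign(CK_SESSION_HANDLE session, char **signature, unsigned int *signatureLength, const char *hash, unsigned int hashLength, char* name) {
    CK_OBJECT_HANDLE privateKeyHandle = 0;
    CK_ULONG objectCount = 0;
    CK_ULONG len = 0;
    unsigned int hashWithPaddingLength = 0;
    char *hashWithPadding = NULL;
    CK_MECHANISM mechanism = {CKM_RSA_PKCS, 0, 0};
    CK_OBJECT_CLASS objectClass = CKO_PRIVATE_KEY;
    CK_ATTRIBUTE searchAttribute = {CKA_CLASS, &objectClass, sizeof(objectClass)};
    int rc = FAILURE;

    *signature = NULL;
    *signatureLength = 0;

    if (EstEID_CK_failure("C_FindObjectsInit", fl->C_FindObjectsInit(session, &searchAttribute, 1))) goto cleanup;
    if (EstEID_CK_failure("C_FindObjects", fl->C_FindObjects(session, &privateKeyHandle, 1, &objectCount))) goto cleanup;
    if (EstEID_CK_failure("C_FindObjectsFinal", fl->C_FindObjectsFinal(session))) goto cleanup;

    if (objectCount == 0) {
        snprintf(EstEID_error, sizeof(EstEID_error), "no private key object found in session");
        EstEID_log("%s", EstEID_error);
        goto cleanup;
    }

    /* Build the DigestInfo before starting the sign operation so a rejected
     * digest never leaves a half-initialised C_Sign pending on the session. */
    hashWithPadding = EstEID_addPadding(hash, hashLength, &hashWithPaddingLength);
    if (!hashWithPadding) {
        EstEID_log("will not sign due to incorrect incoming message digest length");
        goto cleanup;
    }

    if (EstEID_CK_failure("C_SignInit", fl->C_SignInit(session, &mechanism, privateKeyHandle))) goto cleanup;

    /* First call sizes the output, second call produces it (PKCS#11 convention). */
    if (EstEID_CK_failure("C_Sign", fl->C_Sign(session, (CK_BYTE_PTR)hashWithPadding, hashWithPaddingLength, NULL, &len))) goto cleanup;
    *signature = (char *)malloc(len);
    if (!*signature) {
        snprintf(EstEID_error, sizeof(EstEID_error), "out of memory allocating signature buffer");
        EstEID_log("%s", EstEID_error);
        goto cleanup;
    }
    if (EstEID_CK_failure("C_Sign", fl->C_Sign(session, (CK_BYTE_PTR)hashWithPadding, hashWithPaddingLength, (CK_BYTE_PTR)*signature, &len))) goto cleanup;
    *signatureLength = (unsigned int)len;
    rc = SUCCESS;

cleanup:
    free(hashWithPadding);
    if (session && EstEID_CK_failure("C_CloseSession", fl->C_CloseSession(session))) {
        rc = FAILURE;
    }
    if (rc != SUCCESS && *signature) {
        free(*signature);
        *signature = NULL;
        *signatureLength = 0;
    }
    /* Freed here on every path; the Windows CLOSE_SESSION_AND_RETURN macro
     * previously leaked it on failure. */
    free(name);
    if (rc == SUCCESS) EstEID_log("successfully signed");
    return rc;
}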
---|
| 250 | |
---|
| 251 | |
---|
/*
 * Resolves the PKCS#11 slot holding the non-repudiation certificate whose
 * hash equals certId.
 *
 * Returns TRUE and stores the slot in *slotId, or FALSE when the certificate
 * list cannot be loaded or no longer contains certId (logged as "card is
 * changed"). The EstEID_Certs list is not released here; its ownership is
 * not visible in this file.
 */
int EstEID_getSlotId(char* certId, CK_SLOT_ID* slotId) {
    EstEID_Certs *loaded = EstEID_loadCerts();
    int index;

    EstEID_log("certs loaded");
    if (loaded == NULL) {
        EstEID_log("%s", EstEID_error);
        return FALSE;
    }

    index = EstEID_findNonRepuditionCert(loaded, certId);
    if (index == NOT_FOUND) {
        EstEID_log("card is changed");
        return FALSE;
    }

    *slotId = loaded->slotIDs[index];
    return TRUE;
}
---|
| 267 | |
---|
| 268 | |
---|
| 269 | #ifdef _WIN32 |
---|
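/*
 * Windows, plain-reader path: logs in with the PIN2 already collected in
 * pinPromptData.pin2 and signs via EstEID_RealSign.
 *
 * Returns SUCCESS or FAILURE only. The previous code returned the raw
 * CK_RV on login failure; since CKR_CANCEL == 1 == SUCCESS, that could make
 * EstEID_signHashHex treat a failed login as a signature. EstEID_error
 * carries the PKCS#11 reason instead. The PIN2 buffer is owned by the caller
 * and is not wiped here -- NOTE(review): confirm the caller scrubs it.
 * `cert` is unused on this path but kept for signature parity.
 */
int EstEID_sighHashWindows(char **signature, unsigned int *signatureLength, CK_SLOT_ID slotID, EstEID_Map cert, const char *hash, unsigned int hashLength, EstEID_PINPromptData pinPromptData) {
    CK_SESSION_HANDLE session = 0L;
    int remainingTries = 0;
    CK_RV loginResult = CKR_FUNCTION_CANCELED;

    (void)cert;
    LOG_LOCATION;

    if (!pinPromptData.pin2) {
        /* strlen(NULL) below would be undefined behaviour. */
        sprintf_s(EstEID_error, ESTEID_ERROR_SIZE, "C_Login error: no PIN2 supplied");
        return FAILURE;
    }

    if (EstEID_CK_failure("C_OpenSession", fl->C_OpenSession(slotID, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session))) return FAILURE;

    remainingTries = EstEID_getRemainingTries(slotID);
    EstEID_log("EstEID_getRemainingTries(slotID) = %i", remainingTries);
    if (remainingTries == -1)
        CLOSE_SESSION_AND_RETURN(FAILURE);
    if (!remainingTries) {
        sprintf_s(EstEID_error, ESTEID_ERROR_SIZE, "C_Login error: %s (%li)", pkcs11_error_message(CKR_PIN_LOCKED), CKR_PIN_LOCKED);
        CLOSE_SESSION_AND_RETURN(FAILURE);
    }

    loginResult = fl->C_Login(session, CKU_USER, (unsigned char *)pinPromptData.pin2, strlen(pinPromptData.pin2));
    if (loginResult != CKR_OK) {
        EstEID_log("loginResult = %s", pkcs11_error_message(loginResult));
        sprintf_s(EstEID_error, ESTEID_ERROR_SIZE, "C_Login error: %s (%li)", pkcs11_error_message(loginResult), loginResult);
        CLOSE_SESSION_AND_RETURN(FAILURE);
    }

    return EstEID_RealSign(session, signature, signatureLength, hash, hashLength, NULL);
}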
---|
| 304 | #endif |
---|
| 305 | |
---|
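/*
 * Interactive PIN2 login on slotID followed by signing (EstEID_RealSign).
 *
 * Loops until the token accepts a PIN, the user cancels, PIN2 becomes
 * blocked, or a non-PIN PKCS#11 error occurs. Before each attempt the retry
 * counter is re-read so the prompt can show "Tries left:". Two reader types:
 *   - plain reader: promptFunction returns a malloc'd PIN which is sent to
 *     C_Login, scrubbed and freed here;
 *   - PIN pad: C_Login is called with no PIN and the reader collects it; a
 *     second thread handles the UI (on Windows) or the login (on POSIX), see
 *     EstEID_pinPadLogin.
 * On success the session and `name` are handed to EstEID_RealSign, which
 * closes/frees them. On failure CLOSE_SESSION_AND_RETURN closes the session
 * (and on POSIX frees `name`); EstEID_error/EstEID_errorCode describe why.
 * Returns SUCCESS or FAILURE.
 */
int EstEID_signHash(char **signature, unsigned int *signatureLength, CK_SLOT_ID slotID, EstEID_Map cert, const char *hash, unsigned int hashLength, EstEID_PINPromptData pinPromptData) {
    CK_SESSION_HANDLE session = 0L;
    CK_RV loginResult = CKR_FUNCTION_CANCELED;
    char *name;
    char message[1024];
    int remainingTries = -1;
    int attempt = 0, blocked = FALSE;
    int isPinPad;
    const char *minPinLenStr;
    unsigned minPinLen;
#ifdef _WIN32
    EstEID_PINPromptDataEx pinPromptDataEx;
    HANDLE uiThread;
#endif

    LOG_LOCATION;

    if (EstEID_CK_failure("C_OpenSession", fl->C_OpenSession(slotID, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session))) return FAILURE;

    name = EstEID_getFullNameWithPersonalCode(cert);

    /* minPinLen comes from the certificate map; a missing entry must not reach atoi(). */
    minPinLenStr = EstEID_mapGet(cert, "minPinLen");
    minPinLen = minPinLenStr ? (unsigned)atoi(minPinLenStr) : 0;

    for (attempt = 0;; attempt++) {
        remainingTries = EstEID_getRemainingTries(slotID);
        if (remainingTries == -1)
            CLOSE_SESSION_AND_RETURN(FAILURE);
        if (!remainingTries || blocked) {
            snprintf(EstEID_error, sizeof(EstEID_error), "C_Login error: %s (%li)", pkcs11_error_message(CKR_PIN_LOCKED), CKR_PIN_LOCKED);
            pinPromptData.alertFunction(pinPromptData.nativeWindowHandle, l10n("PIN2 blocked, cannot sign!"));
            CLOSE_SESSION_AND_RETURN(FAILURE);
        }
        /* l10n() strings are of unknown length: keep the prompt text bounded. */
        if (remainingTries < 3 || attempt) {
            snprintf(message, sizeof(message), "%s%s %i", (attempt ? l10n("Incorrect PIN2! ") : ""), l10n("Tries left:"), remainingTries);
        }
        else {
            message[0] = 0;
        }

        isPinPad = EstEID_isPinPad(slotID);
        if (!isPinPad) {
            // Simple card reader: the PIN passes through this process.
            char *pin = pinPromptData.promptFunction(pinPromptData.nativeWindowHandle, name, message, minPinLen, isPinPad);
            if (!pin || strlen(pin) == 0) {
                free(pin);
                setUserCancelErrorCodeAndMessage();
                CLOSE_SESSION_AND_RETURN(FAILURE);
            }
            loginResult = fl->C_Login(session, CKU_USER, (unsigned char *)pin, strlen(pin));
            /* Scrub the PIN before releasing the buffer; writing through a
             * volatile pointer keeps the compiler from eliding the stores. */
            {
                volatile char *p = pin;
                while (*p) *p++ = 0;
            }
            free(pin);
        }
        else {
            // PIN pad: the reader collects the PIN, C_Login is called with none.
#ifdef _WIN32
            EstEID_log("creating pinpad dialog UI thread");
            pinpad_thread_result = -1;
            FAIL_IF_THREAD_ERROR("CreateMutex", (pinpad_thread_mutex = CreateMutex(NULL, FALSE, NULL)));
#else
            EstEID_log("creating pinpad worker thread");
            pinpad_thread_result = -1;
            pinpad_thread_completed = FALSE;
            FAIL_IF_PTHREAD_ERROR("pthread_mutex_init", pthread_mutex_init(&pinpad_thread_mutex, NULL));
            FAIL_IF_PTHREAD_ERROR("pthread_cond_init", pthread_cond_init(&pinpad_thread_condition, NULL));
            pthread_t pinpad_thread;
            EstEID_PINPadThreadData threadData;
            threadData.session = session;
            threadData.result = CKR_OK;
#endif
            EstEID_log("thread launched");
#ifdef _WIN32
            /*
            NB! Due to Firefox for Windows specific behaviour C_Login() is launched from main thread
            and UI code is running in separate thread if running on Windows.
            */
            pinPromptDataEx.pinPromptData = pinPromptData;
            pinPromptDataEx.message = message;
            pinPromptDataEx.name = name;
            uiThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&EstEID_pinPadLogin, (LPVOID)&pinPromptDataEx, 0, NULL);
            loginResult = fl->C_Login(session, CKU_USER, NULL, 0);
            /* Closing the handle does not stop the thread; it only avoids leaking it per attempt. */
            if (uiThread) CloseHandle(uiThread);
#else
            FAIL_IF_PTHREAD_ERROR("pthread_create", pthread_create(&pinpad_thread, NULL, EstEID_pinPadLogin, (void*)&threadData));
            pinPromptData.promptFunction(pinPromptData.nativeWindowHandle, name, message, 0, isPinPad);
            /* threadData lives on this stack frame and result is written by the
             * worker: join before reading it and before this frame can go away.
             * If the prompt was dismissed while the reader is still waiting for
             * the PIN, this blocks until the reader gives up. */
            pthread_join(pinpad_thread, NULL);
            loginResult = threadData.result;
            pthread_cond_destroy(&pinpad_thread_condition);
            pthread_mutex_destroy(&pinpad_thread_mutex);
#endif
            EstEID_log("pinpad sheet/dialog closed");
            if (loginResult == CKR_FUNCTION_CANCELED) {
                setUserCancelErrorCodeAndMessage();
                CLOSE_SESSION_AND_RETURN(FAILURE);
            }
        }
        EstEID_log("loginResult = %s", pkcs11_error_message(loginResult));
        switch (loginResult) {
            case CKR_PIN_LOCKED:
                blocked = TRUE;
                /* fallthrough: loop once more so the "blocked" alert is shown */
            case CKR_PIN_INCORRECT:
            case CKR_PIN_INVALID:
            case CKR_PIN_LEN_RANGE:
                EstEID_log("this was attempt %i, loginResult causes to run next round", attempt);
                continue;
            default:
                if (EstEID_CK_failure("C_Login", loginResult)) CLOSE_SESSION_AND_RETURN(FAILURE);
        }
        break; // Login successful - correct PIN supplied
    }

    return EstEID_RealSign(session, signature, signatureLength, hash, hashLength, name);
}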
---|
| 409 | |
---|
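/*
 * Base64-encodes `length` bytes of `input` with OpenSSL's base64 BIO and
 * returns the text as a malloc'd, NUL-terminated string (single line, no
 * embedded or trailing newlines). Used for logging only.
 *
 * Returns NULL if a BIO or the result buffer cannot be allocated. A NULL
 * input or non-positive length yields an empty string.
 *
 * Fixes: the old loop `while (result[--len] == '\n')` read result[-1] for
 * empty output, and the default BIO inserted a newline every 64 characters
 * of which only the trailing one was stripped.
 */
char *EstEID_base64Encode(const char *input, int length) {
    BIO *memBio;
    BIO *b64Bio;
    char *encoded = NULL;
    long len;
    char *result;

    LOG_LOCATION;

    memBio = BIO_new(BIO_s_mem());
    b64Bio = BIO_new(BIO_f_base64());
    if (!memBio || !b64Bio) {
        BIO_free(memBio);
        BIO_free(b64Bio);
        return NULL;
    }
    BIO_set_flags(b64Bio, BIO_FLAGS_BASE64_NO_NL);
    b64Bio = BIO_push(b64Bio, memBio);

    if (input && length > 0) {
        BIO_write(b64Bio, input, length);
    }
    (void)BIO_flush(b64Bio);

    len = BIO_get_mem_data(memBio, &encoded);
    if (len < 0) len = 0;

    result = (char *)malloc((size_t)len + 1);
    if (result) {
        if (len > 0) memcpy(result, encoded, (size_t)len);
        result[len] = 0;
        /* Defensive: strip any trailing newline without running below index 0. */
        while (len > 0 && result[len - 1] == '\n') result[--len] = 0;
    }
    BIO_free_all(b64Bio);
    return result;
}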
---|
| 435 | |
---|
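/*
 * Logs `dataLength` bytes of `data` base64-encoded through `message`.
 *
 * `message` is used as the format string for EstEID_log and must be a
 * trusted literal containing exactly one %s (as both callers in this file
 * pass); never route caller-supplied text through it. Encoding failure is
 * logged as a placeholder instead of passing NULL to %s.
 */
void EstEID_logBase64(char *message, char* data, int dataLength) {
    char *base64;
    LOG_LOCATION;
    base64 = EstEID_base64Encode(data, dataLength);
    EstEID_log(message, base64 ? base64 : "(base64 encoding failed)");
    free(base64);
}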
---|
| 443 | |
---|
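/* Value of one hex digit, or -1 if c is not in [0-9a-fA-F]. */
static int EstEID_hexNibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decodes a hex string into a malloc'd byte buffer of strlen(hex)/2 bytes
 * (no terminator; the caller knows the length). The caller frees it.
 *
 * Returns NULL for a NULL, empty or odd-length string, for any non-hex
 * character, or on allocation failure. The previous implementation walked
 * an odd-length string past its NUL, wrote one byte beyond the buffer, and
 * left bytes uninitialised on non-hex input -- a value that would then have
 * been signed as-is.
 */
char *EstEID_hex2bin(const char *hex) {
    size_t hexLength, binLength, i;
    char *bin;

    LOG_LOCATION;

    if (!hex) return NULL;
    hexLength = strlen(hex);
    if (hexLength == 0 || (hexLength % 2) != 0) return NULL;

    binLength = hexLength / 2;
    bin = (char *)malloc(binLength);
    if (!bin) return NULL;

    for (i = 0; i < binLength; i++) {
        int hi = EstEID_hexNibble(hex[2 * i]);
        int lo = EstEID_hexNibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            free(bin);
            return NULL;
        }
        bin[i] = (char)((hi << 4) | lo);
    }
    return bin;
}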
---|
| 467 | |
---|
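/*
 * Signs a hex-encoded digest with the non-repudiation key in slotID and
 * returns the signature hex-encoded in *signatureHex (malloc'd, caller frees).
 *
 * Only digests of SHA-1/224/256/512 length are accepted; the algorithm is
 * chosen by length (see EstEID_addPadding), so a page can ask for any value
 * of those sizes to be signed. A NULL or non-hex digest is rejected with
 * ESTEID_INVALID_HASH_ERROR. On Windows the plain-reader path goes through
 * EstEID_sighHashWindows, the PIN-pad path through EstEID_signHash.
 *
 * Returns SUCCESS or FAILURE; on FAILURE *signatureHex is untouched and
 * EstEID_error/EstEID_errorCode describe the problem.
 */
int EstEID_signHashHex(char **signatureHex, CK_SLOT_ID slotID, EstEID_Map cert, const char *hashHex, EstEID_PINPromptData pinPromptData) {
    const int expectedLengthSHA1 = BINARY_SHA1_LENGTH * 2;
    const int expectedLengthSHA224 = BINARY_SHA224_LENGTH * 2;
    const int expectedLengthSHA256 = BINARY_SHA256_LENGTH * 2;
    const int expectedLengthSHA512 = BINARY_SHA512_LENGTH * 2;

    int hashHexLength, result = FAILURE;
    char *hash = NULL, *signature = NULL;
    unsigned int signatureLength = 0, hashLength;

    LOG_LOCATION;

    hashHexLength = hashHex ? (int)strlen(hashHex) : 0;

    if (hashHexLength != expectedLengthSHA1 &&
        hashHexLength != expectedLengthSHA224 &&
        hashHexLength != expectedLengthSHA256 &&
        hashHexLength != expectedLengthSHA512) {
        snprintf(EstEID_error, sizeof(EstEID_error), "invalid incoming hash length: %i", hashHexLength);
        EstEID_errorCode = ESTEID_INVALID_HASH_ERROR;
        return FAILURE;
    }
    hashLength = (unsigned int)hashHexLength / 2;
    hash = EstEID_hex2bin(hashHex);
    if (!hash) {
        snprintf(EstEID_error, sizeof(EstEID_error), "invalid incoming hash: not a hex string of %i characters", hashHexLength);
        EstEID_errorCode = ESTEID_INVALID_HASH_ERROR;
        return FAILURE;
    }
    EstEID_logBase64("hash[base64] = %s", hash, hashLength);

#ifdef _WIN32
    /* NB! Only SUCCESS is trusted below; a raw CK_RV leaking through `result`
     * (CKR_CANCEL == 1) would otherwise be mistaken for a signature. */
    if (EstEID_isPinPad(slotID)) {
        EstEID_log("pinpad detected");
        result = EstEID_signHash(&signature, &signatureLength, slotID, cert, hash, hashLength, pinPromptData);
    }
    else {
        EstEID_log("simple card reader detected");
        result = EstEID_sighHashWindows(&signature, &signatureLength, slotID, cert, hash, hashLength, pinPromptData);
    }
#else
    result = EstEID_signHash(&signature, &signatureLength, slotID, cert, hash, hashLength, pinPromptData);
#endif
    EstEID_log("result = %i (where failure = %i, success = %i)", result, FAILURE, SUCCESS);

    if (result == SUCCESS && signature) {
        EstEID_logBase64("signature[base64] = %s", signature, signatureLength);
        *signatureHex = EstEID_bin2hex(signature, signatureLength);
        free(hash);
        free(signature);
        return SUCCESS;
    }

    free(signature);
    free(hash);
    return FAILURE;
}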
---|
| 521 | |
---|
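/*
 * Finds the index of the certificate whose "certHash" equals certId AND
 * which carries the non-repudiation key usage. The usage check is what keeps
 * the authentication key from ever being used for signing, so it must stay.
 *
 * Returns the index into certs->certs / certs->slotIDs, or NOT_FOUND when
 * there is no match, certs or certId is NULL, or a candidate has no certHash
 * (the old code passed that NULL straight to strcmp).
 */
int EstEID_findNonRepuditionCert(EstEID_Certs *certs, const char *certId) {
    unsigned int i;

    if (!certs || !certId) return NOT_FOUND;

    for (i = 0; i < certs->count; i++) {
        EstEID_Map cert = certs->certs[i];
        const char *certHash;

        if (!EstEID_mapGet(cert, "usageNonRepudiation")) continue;
        certHash = EstEID_mapGet(cert, "certHash");
        if (certHash && strcmp(certId, certHash) == 0) {
            return (int)i;
        }
    }
    return NOT_FOUND;
}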
---|
| 532 | |
---|
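/*
 * Top-level signing entry point: finds the non-repudiation certificate with
 * hash certId, signs the hex digest `hash` with its key after a PIN2 prompt,
 * and returns the hex-encoded signature (malloc'd, caller frees) or NULL.
 *
 * Ownership: takes over and frees both certId and hash on every path. On
 * NULL, EstEID_error/EstEID_errorCode describe the failure. The loaded
 * EstEID_Certs list is not released here; its ownership is not visible in
 * this file.
 */
char *EstEID_sign(char *certId, char *hash, EstEID_PINPromptData pinPromptData) {
    char *signature = NULL;
    int i;
    EstEID_Certs *certs;

    EstEID_log("called, hash=%s", hash ? hash : "(null)");

    if (!certId || !hash) {
        /* Neither strlen()/strcmp() downstream nor the log format tolerate NULL. */
        snprintf(EstEID_error, sizeof(EstEID_error), "%s", hash ? "no certificate ID given" : "no hash given");
        EstEID_errorCode = hash ? ESTEID_CERT_NOT_FOUND_ERROR : ESTEID_INVALID_HASH_ERROR;
        EstEID_log("%s", EstEID_error);
        free(certId);
        free(hash);
        return NULL;
    }

    certs = EstEID_loadCerts();
    EstEID_log("certs loaded");
    if (!certs) {
        EstEID_log("%s", EstEID_error);
    }
    else if ((i = EstEID_findNonRepuditionCert(certs, certId)) == NOT_FOUND) {
        snprintf(EstEID_error, sizeof(EstEID_error), "no cert has ID: %s", certId);
        EstEID_errorCode = ESTEID_CERT_NOT_FOUND_ERROR;
        EstEID_log("%s", EstEID_error);
    }
    else if (EstEID_signHashHex(&signature, certs->slotIDs[i], certs->certs[i], hash, pinPromptData)) {
        EstEID_log("signature=%s", signature);
    }
    else {
        EstEID_log("%s", EstEID_error);
    }

    free(certId);
    free(hash);
    return signature;
}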
---|