2 * This is the actual card emulator.
4 * These functions can be implemented in different ways on different platforms
5 * using the underlying system primitives. For Linux it uses NSS, though direct
6 * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be
7 * used. On Windows CAPI could be used.
9 * This work is licensed under the terms of the GNU LGPL, version 2.1 or later.
10 * See the COPYING.LIB file in the top-level directory.
17 /* avoid including prototypes.h that redefines uint32 */
18 #define NO_NSPR_10_SUPPORT
28 #include "qemu-common.h"
31 #include "card_7816t.h"
32 #include "vcard_emul.h"
36 #include "libcacard/vcardt_internal.h"
40 VCardEmulUnknown = -1,
45 struct VCardKeyStruct {
46 CERTCertificate *cert;
48 SECKEYPrivateKey *key;
49 VCardEmulTriState failedX509;
53 typedef struct VirtualReaderOptionsStruct VirtualReaderOptions;
55 struct VReaderEmulStruct {
57 VCardEmulType default_type;
65 * NSS Specific options
67 struct VirtualReaderOptionsStruct {
70 VCardEmulType card_type;
76 struct VCardEmulOptionsStruct {
78 VirtualReaderOptions *vreader;
80 VCardEmulType hw_card_type;
81 const char *hw_type_params;
85 static int nss_emul_init;
87 /* if we have more that just the slot, define
88 * VCardEmulStruct here */
91 * allocate the set of arrays for certs, cert_len, key
94 vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp,
95 VCardKey ***keysp, int cert_count)
97 *certsp = g_new(unsigned char *, cert_count);
98 *cert_lenp = g_new(int, cert_count);
99 *keysp = g_new(VCardKey *, cert_count);
103 * Emulator specific card information
105 typedef struct CardEmulCardStruct CardEmulPrivate;
108 vcard_emul_new_card(PK11SlotInfo *slot)
110 PK11_ReferenceSlot(slot);
111 /* currently we don't need anything other than the slot */
112 return (VCardEmul *)slot;
116 vcard_emul_delete_card(VCardEmul *vcard_emul)
118 PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul;
125 static PK11SlotInfo *
126 vcard_emul_card_get_slot(VCard *card)
128 /* note, the card is holding the reference, no need to get another one */
129 return (PK11SlotInfo *)vcard_get_private(card);
136 /* private constructure */
138 vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
142 key = g_new(VCardKey, 1);
143 key->slot = PK11_ReferenceSlot(slot);
144 key->cert = CERT_DupCertificate(cert);
145 /* NOTE: if we aren't logged into the token, this could return NULL */
146 /* NOTE: the cert is a temp cert, not necessarily the cert in the token,
147 * use the DER version of this function */
148 key->key = PK11_FindKeyByDERCert(slot, cert, NULL);
149 key->failedX509 = VCardEmulUnknown;
155 vcard_emul_delete_key(VCardKey *key)
157 if (!nss_emul_init || (key == NULL)) {
161 SECKEY_DestroyPrivateKey(key->key);
165 CERT_DestroyCertificate(key->cert);
168 PK11_FreeSlot(key->slot);
173 * grab the nss key from a VCardKey. If it doesn't exist, try to look it up
175 static SECKEYPrivateKey *
176 vcard_emul_get_nss_key(VCardKey *key)
181 /* NOTE: if we aren't logged into the token, this could return NULL */
182 key->key = PK11_FindPrivateKeyFromCert(key->slot, key->cert, NULL);
187 * Map NSS errors to 7816 errors
189 static vcard_7816_status_t
190 vcard_emul_map_error(int error)
193 case SEC_ERROR_TOKEN_NOT_LOGGED_IN:
194 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
195 case SEC_ERROR_BAD_DATA:
196 case SEC_ERROR_OUTPUT_LEN:
197 case SEC_ERROR_INPUT_LEN:
198 case SEC_ERROR_INVALID_ARGS:
199 case SEC_ERROR_INVALID_ALGORITHM:
200 case SEC_ERROR_NO_KEY:
201 case SEC_ERROR_INVALID_KEY:
202 case SEC_ERROR_DECRYPTION_DISALLOWED:
203 return VCARD7816_STATUS_ERROR_DATA_INVALID;
204 case SEC_ERROR_NO_MEMORY:
205 return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE;
207 return VCARD7816_STATUS_EXC_ERROR_CHANGE;
210 /* RSA sign/decrypt with the key, signature happens 'in place' */
212 vcard_emul_rsa_op(VCard *card, VCardKey *key,
213 unsigned char *buffer, int buffer_size)
215 SECKEYPrivateKey *priv_key;
216 unsigned signature_len;
219 unsigned char buf[2048];
220 unsigned char *bp = NULL;
222 vcard_7816_status_t ret = VCARD7816_STATUS_SUCCESS;
224 if ((!nss_emul_init) || (key == NULL)) {
225 /* couldn't get the key, indicate that we aren't logged in */
226 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
228 priv_key = vcard_emul_get_nss_key(key);
229 if (priv_key == NULL) {
230 /* couldn't get the key, indicate that we aren't logged in */
231 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
233 slot = vcard_emul_card_get_slot(card);
236 * this is only true of the rsa signature
238 signature_len = PK11_SignatureLen(priv_key);
239 if (buffer_size != signature_len) {
240 return VCARD7816_STATUS_ERROR_DATA_INVALID;
242 /* be able to handle larger keys if necessariy */
244 if (sizeof(buf) < signature_len) {
245 bp = g_malloc(signature_len);
249 * do the raw operations. Some tokens claim to do CKM_RSA_X_509, but then
250 * choke when they try to do the actual operations. Try to detect
251 * those cases and treat them as if the token didn't claim support for
254 if (key->failedX509 != VCardEmulTrue
255 && PK11_DoesMechanism(slot, CKM_RSA_X_509)) {
256 rv = PK11_PrivDecryptRaw(priv_key, bp, &signature_len, signature_len,
257 buffer, buffer_size);
258 if (rv == SECSuccess) {
259 assert(buffer_size == signature_len);
260 memcpy(buffer, bp, signature_len);
261 key->failedX509 = VCardEmulFalse;
265 * we've had a successful X509 operation, this failure must be
268 if (key->failedX509 == VCardEmulFalse) {
269 ret = vcard_emul_map_error(PORT_GetError());
273 * key->failedX509 must be Unknown at this point, try the
277 /* token does not support CKM_RSA_X509, emulate that with CKM_RSA_PKCS */
278 /* is this a PKCS #1 formatted signature? */
279 if ((buffer[0] == 0) && (buffer[1] == 1)) {
282 for (i = 2; i < buffer_size; i++) {
283 /* rsa signature pad */
284 if (buffer[i] != 0xff) {
288 if ((i < buffer_size) && (buffer[i] == 0)) {
289 /* yes, we have a properly formated PKCS #1 signature */
291 * NOTE: even if we accidentally got an encrypt buffer, which
292 * through shear luck started with 00, 01, ff, 00, it won't matter
293 * because the resulting Sign operation will effectively decrypt
300 hash.data = &buffer[i];
301 hash.len = buffer_size - i;
303 signature.len = signature_len;
304 rv = PK11_Sign(priv_key, &signature, &hash);
305 if (rv != SECSuccess) {
306 ret = vcard_emul_map_error(PORT_GetError());
309 assert(buffer_size == signature.len);
310 memcpy(buffer, bp, signature.len);
312 * we got here because either the X509 attempt failed, or the
313 * token couldn't do the X509 operation, in either case stay
314 * with the PKCS version for future operations on this key
316 key->failedX509 = VCardEmulTrue;
320 pad_len = buffer_size - signature_len;
323 * OK now we've decrypted the payload, package it up in PKCS #1 for the
327 buffer[1] = 2; /* RSA_encrypt */
328 pad_len -= 3; /* format is 0 || 2 || pad || 0 || data */
330 * padding for PKCS #1 encrypted data is a string of random bytes. The
331 * random butes protect against potential decryption attacks against RSA.
332 * Since PrivDecrypt has already stripped those bytes, we can't reconstruct
333 * them. This shouldn't matter to the upper level code which should just
334 * strip this code out anyway, so We'll pad with a constant 3.
336 memset(&buffer[2], 0x03, pad_len);
337 pad_len += 2; /* index to the end of the pad */
339 pad_len++; /* index to the start of the data */
340 memcpy(&buffer[pad_len], bp, signature_len);
342 * we got here because either the X509 attempt failed, or the
343 * token couldn't do the X509 operation, in either case stay
344 * with the PKCS version for future operations on this key
346 key->failedX509 = VCardEmulTrue;
357 /* return the number of login attempts still possible on the card. if unknown,
360 vcard_emul_get_login_count(VCard *card)
365 /* login into the card, return the 7816 status word (sw2 || sw1) */
367 vcard_emul_login(VCard *card, unsigned char *pin, int pin_len)
370 unsigned char *pin_string;
374 if (!nss_emul_init) {
375 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
377 slot = vcard_emul_card_get_slot(card);
378 /* We depend on the PKCS #11 module internal login state here because we
379 * create a separate process to handle each guest instance. If we needed
380 * to handle multiple guests from one process, then we would need to keep
381 * a lot of extra state in our card structure
383 pin_string = g_malloc(pin_len+1);
384 memcpy(pin_string, pin, pin_len);
385 pin_string[pin_len] = 0;
387 /* handle CAC expanded pins correctly */
388 for (i = pin_len-1; i >= 0 && (pin_string[i] == 0xff); i--) {
392 rv = PK11_Authenticate(slot, PR_FALSE, pin_string);
393 memset(pin_string, 0, pin_len); /* don't let the pin hang around in memory
396 if (rv == SECSuccess) {
397 return VCARD7816_STATUS_SUCCESS;
399 /* map the error from port get error */
400 return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED;
404 vcard_emul_reset(VCard *card, VCardPower power)
408 if (!nss_emul_init) {
413 * if we reset the card (either power on or power off), we lose our login
416 /* TODO: we may also need to send insertion/removal events? */
417 slot = vcard_emul_card_get_slot(card);
418 PK11_Logout(slot); /* NOTE: ignoring SECStatus return value */
423 vcard_emul_find_vreader_from_slot(PK11SlotInfo *slot)
425 VReaderList *reader_list = vreader_get_reader_list();
426 VReaderListEntry *current_entry;
428 if (reader_list == NULL) {
431 for (current_entry = vreader_list_get_first(reader_list); current_entry;
432 current_entry = vreader_list_get_next(current_entry)) {
433 VReader *reader = vreader_list_get_reader(current_entry);
434 VReaderEmul *reader_emul = vreader_get_private(reader);
435 if (reader_emul->slot == slot) {
436 vreader_list_delete(reader_list);
439 vreader_free(reader);
442 vreader_list_delete(reader_list);
447 * create a new reader emul
450 vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params)
452 VReaderEmul *new_reader_emul;
454 new_reader_emul = g_new(VReaderEmul, 1);
456 new_reader_emul->slot = PK11_ReferenceSlot(slot);
457 new_reader_emul->default_type = type;
458 new_reader_emul->type_params = g_strdup(params);
459 new_reader_emul->present = PR_FALSE;
460 new_reader_emul->series = 0;
461 new_reader_emul->saved_vcard = NULL;
462 return new_reader_emul;
466 vreader_emul_delete(VReaderEmul *vreader_emul)
468 if (vreader_emul == NULL) {
471 if (vreader_emul->slot) {
472 PK11_FreeSlot(vreader_emul->slot);
474 if (vreader_emul->type_params) {
475 g_free(vreader_emul->type_params);
477 g_free(vreader_emul);
481 * TODO: move this to emulater non-specific file
484 vcard_emul_get_type(VReader *vreader)
486 VReaderEmul *vreader_emul;
488 vreader_emul = vreader_get_private(vreader);
489 if (vreader_emul && vreader_emul->default_type != VCARD_EMUL_NONE) {
490 return vreader_emul->default_type;
493 return vcard_emul_type_select(vreader);
496 * TODO: move this to emulater non-specific file
499 vcard_emul_get_type_params(VReader *vreader)
501 VReaderEmul *vreader_emul;
503 vreader_emul = vreader_get_private(vreader);
504 if (vreader_emul && vreader_emul->type_params) {
505 return vreader_emul->type_params;
511 /* pull the slot out of the reader private data */
512 static PK11SlotInfo *
513 vcard_emul_reader_get_slot(VReader *vreader)
515 VReaderEmul *vreader_emul = vreader_get_private(vreader);
516 if (vreader_emul == NULL) {
519 return vreader_emul->slot;
523 * Card ATR's map to physical cards. vcard_alloc_atr will set appropriate
524 * historical bytes for any software emulated card. The remaining bytes can be
525 * used to indicate the actual emulator
527 static unsigned char *nss_atr;
528 static int nss_atr_len;
531 vcard_emul_get_atr(VCard *card, unsigned char *atr, int *atr_len)
536 if (nss_atr == NULL) {
537 nss_atr = vcard_alloc_atr("NSS", &nss_atr_len);
539 len = MIN(nss_atr_len, *atr_len);
540 memcpy(atr, nss_atr, len);
545 * create a new card from certs and keys
548 vcard_emul_make_card(VReader *reader,
549 unsigned char * const *certs, int *cert_len,
550 VCardKey *keys[], int cert_count)
552 VCardEmul *vcard_emul;
558 type = vcard_emul_get_type(reader);
560 /* ignore the inserted card */
561 if (type == VCARD_EMUL_NONE) {
564 slot = vcard_emul_reader_get_slot(reader);
569 params = vcard_emul_get_type_params(reader);
570 /* params these can be NULL */
572 vcard_emul = vcard_emul_new_card(slot);
573 if (vcard_emul == NULL) {
576 vcard = vcard_new(vcard_emul, vcard_emul_delete_card);
578 vcard_emul_delete_card(vcard_emul);
581 vcard_init(reader, vcard, type, params, certs, cert_len, keys, cert_count);
587 * 'clone' a physical card as a virtual card
590 vcard_emul_mirror_card(VReader *vreader)
593 * lookup certs using the C_FindObjects. The Stan Cert handle won't give
594 * us the real certs until we log in.
596 PK11GenericObject *firstObj, *thisObj;
598 unsigned char **certs;
604 slot = vcard_emul_reader_get_slot(vreader);
609 firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE);
610 if (firstObj == NULL) {
614 /* count the certs */
616 for (thisObj = firstObj; thisObj;
617 thisObj = PK11_GetNextGenericObject(thisObj)) {
621 /* allocate the arrays */
622 vcard_emul_alloc_arrays(&certs, &cert_len, &keys, cert_count);
624 /* fill in the arrays */
626 for (thisObj = firstObj; thisObj;
627 thisObj = PK11_GetNextGenericObject(thisObj)) {
629 CERTCertificate *cert;
632 rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj,
633 CKA_VALUE, &derCert);
634 if (rv != SECSuccess) {
637 /* create floating temp cert. This gives us a cert structure even if
638 * the token isn't logged in */
639 cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert,
640 NULL, PR_FALSE, PR_TRUE);
641 SECITEM_FreeItem(&derCert, PR_FALSE);
646 certs[cert_count] = cert->derCert.data;
647 cert_len[cert_count] = cert->derCert.len;
648 keys[cert_count] = vcard_emul_make_key(slot, cert);
650 CERT_DestroyCertificate(cert); /* key obj still has a reference */
653 /* now create the card */
654 card = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count);
662 static VCardEmulType default_card_type = VCARD_EMUL_NONE;
663 static const char *default_type_params = "";
666 * This thread looks for card and reader insertions and puts events on the
670 vcard_emul_event_thread(void *arg)
674 VReaderEmul *vreader_emul;
676 SECMODModule *module = (SECMODModule *)arg;
680 * XXX - the latency value doesn't matter one bit. you only get no
681 * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
682 * hard coded in coolkey. And it isn't coolkey's fault - the timeout
683 * value we pass get's dropped on the floor before C_WaitForSlotEvent
686 slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500);
688 /* this could be just a no event indication */
689 if (PORT_GetError() == SEC_ERROR_NO_EVENT) {
694 vreader = vcard_emul_find_vreader_from_slot(slot);
695 if (vreader == NULL) {
697 vreader_emul = vreader_emul_new(slot, default_card_type,
698 default_type_params);
699 vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
700 vreader_emul_delete);
703 vreader_add_reader(vreader);
704 vreader_free(vreader);
707 /* card remove/insert */
708 vreader_emul = vreader_get_private(vreader);
709 if (PK11_IsPresent(slot)) {
710 int series = PK11_GetSlotSeries(slot);
711 if (series != vreader_emul->series) {
712 if (vreader_emul->present) {
713 vreader_insert_card(vreader, NULL);
715 vcard = vcard_emul_mirror_card(vreader);
716 vreader_insert_card(vreader, vcard);
719 vreader_emul->series = series;
720 vreader_emul->present = 1;
721 vreader_free(vreader);
725 if (vreader_emul->present) {
726 vreader_insert_card(vreader, NULL);
728 vreader_emul->series = 0;
729 vreader_emul->present = 0;
731 vreader_free(vreader);
735 /* if the card is inserted when we start up, make sure our state is correct */
737 vcard_emul_init_series(VReader *vreader, VCard *vcard)
739 VReaderEmul *vreader_emul = vreader_get_private(vreader);
740 PK11SlotInfo *slot = vreader_emul->slot;
742 vreader_emul->present = PK11_IsPresent(slot);
743 vreader_emul->series = PK11_GetSlotSeries(slot);
744 if (vreader_emul->present == 0) {
745 vreader_insert_card(vreader, NULL);
750 * each module has a separate wait call, create a thread for each module that
754 vcard_emul_new_event_thread(SECMODModule *module)
756 PR_CreateThread(PR_SYSTEM_THREAD, vcard_emul_event_thread,
757 module, PR_PRIORITY_HIGH, PR_GLOBAL_THREAD,
758 PR_UNJOINABLE_THREAD, 0);
761 static const VCardEmulOptions default_options = {
765 .hw_card_type = VCARD_EMUL_CAC,
766 .hw_type_params = "",
772 * NSS needs the app to supply a password prompt. In our case the only time
773 * the password is supplied is as part of the Login APDU. The actual password
774 * is passed in the pw_arg in that case. In all other cases pw_arg should be
778 vcard_emul_get_password(PK11SlotInfo *slot, PRBool retries, void *pw_arg)
780 /* if it didn't work the first time, don't keep trying */
784 /* we are looking up a password when we don't have one in hand */
785 if (pw_arg == NULL) {
788 /* TODO: we really should verify that were are using the right slot */
789 return PORT_Strdup(pw_arg);
792 /* Force a card removal even if the card is not physically removed */
794 vcard_emul_force_card_remove(VReader *vreader)
796 if (!nss_emul_init || (vreader_card_is_present(vreader) != VREADER_OK)) {
797 return VCARD_EMUL_FAIL; /* card is already removed */
801 vreader_insert_card(vreader, NULL);
802 return VCARD_EMUL_OK;
805 /* Re-insert of a card that has been removed by force removal */
807 vcard_emul_force_card_insert(VReader *vreader)
809 VReaderEmul *vreader_emul;
812 if (!nss_emul_init || (vreader_card_is_present(vreader) == VREADER_OK)) {
813 return VCARD_EMUL_FAIL; /* card is already removed */
815 vreader_emul = vreader_get_private(vreader);
817 /* if it's a softcard, get the saved vcard from the reader emul structure */
818 if (vreader_emul->saved_vcard) {
819 vcard = vcard_reference(vreader_emul->saved_vcard);
821 /* it must be a physical card, rebuild it */
822 if (!PK11_IsPresent(vreader_emul->slot)) {
823 /* physical card has been removed, not way to reinsert it */
824 return VCARD_EMUL_FAIL;
826 vcard = vcard_emul_mirror_card(vreader);
828 vreader_insert_card(vreader, vcard);
831 return VCARD_EMUL_OK;
836 module_has_removable_hw_slots(SECMODModule *mod)
839 PRBool ret = PR_FALSE;
840 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
843 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
846 SECMOD_GetReadLock(moduleLock);
847 for (i = 0; i < mod->slotCount; i++) {
848 PK11SlotInfo *slot = mod->slots[i];
849 if (PK11_IsRemovable(slot) && PK11_IsHW(slot)) {
854 SECMOD_ReleaseReadLock(moduleLock);
858 /* Previously we returned FAIL if no readers found. This makes
859 * no sense when using hardware, since there may be no readers connected
860 * at the time vcard_emul_init is called, but they will be properly
861 * recognized later. So Instead return FAIL only if no_hw==1 and no
862 * vcards can be created (indicates error with certificates provided
863 * or db), or if any other higher level error (NSS error, missing coolkey). */
864 static int vcard_emul_init_called;
867 vcard_emul_init(const VCardEmulOptions *options)
870 PRBool has_readers = PR_FALSE;
872 VReaderEmul *vreader_emul;
873 SECMODListLock *module_lock;
874 SECMODModuleList *module_list;
875 SECMODModuleList *mlp;
878 if (vcard_emul_init_called) {
879 return VCARD_EMUL_INIT_ALREADY_INITED;
881 vcard_emul_init_called = 1;
885 if (options == NULL) {
886 options = &default_options;
889 /* first initialize NSS */
890 if (options->nss_db) {
891 rv = NSS_Init(options->nss_db);
895 path = g_strdup("/etc/pki/nssdb");
897 if (g_get_system_config_dirs() == NULL ||
898 g_get_system_config_dirs()[0] == NULL) {
899 return VCARD_EMUL_FAIL;
902 path = g_build_filename(
903 g_get_system_config_dirs()[0], "pki", "nssdb", NULL);
909 if (rv != SECSuccess) {
910 return VCARD_EMUL_FAIL;
912 /* Set password callback function */
913 PK11_SetPasswordFunc(vcard_emul_get_password);
915 /* set up soft cards emulated by software certs rather than physical cards
917 for (i = 0; i < options->vreader_count; i++) {
920 unsigned char **certs;
925 slot = PK11_FindSlotByName(options->vreader[i].name);
929 vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type,
930 options->vreader[i].type_params);
931 vreader = vreader_new(options->vreader[i].vname, vreader_emul,
932 vreader_emul_delete);
933 vreader_add_reader(vreader);
935 vcard_emul_alloc_arrays(&certs, &cert_len, &keys,
936 options->vreader[i].cert_count);
939 for (j = 0; j < options->vreader[i].cert_count; j++) {
940 /* we should have a better way of identifying certs than by
942 CERTCertificate *cert = PK11_FindCertFromNickname(
943 options->vreader[i].cert_name[j],
948 certs[cert_count] = cert->derCert.data;
949 cert_len[cert_count] = cert->derCert.len;
950 keys[cert_count] = vcard_emul_make_key(slot, cert);
951 /* this is safe because the key is still holding a cert reference */
952 CERT_DestroyCertificate(cert);
956 VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len,
958 vreader_insert_card(vreader, vcard);
959 vcard_emul_init_series(vreader, vcard);
960 /* allow insertion and removal of soft cards */
961 vreader_emul->saved_vcard = vcard_reference(vcard);
963 vreader_free(vreader);
964 has_readers = PR_TRUE;
971 /* if we aren't suppose to use hw, skip looking up hardware tokens */
972 if (!options->use_hw) {
973 nss_emul_init = has_readers;
974 return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL;
977 /* make sure we have some PKCS #11 module loaded */
978 module_lock = SECMOD_GetDefaultModuleListLock();
979 module_list = SECMOD_GetDefaultModuleList();
980 SECMOD_GetReadLock(module_lock);
981 for (mlp = module_list; mlp; mlp = mlp->next) {
982 SECMODModule *module = mlp->module;
983 if (module_has_removable_hw_slots(module)) {
987 SECMOD_ReleaseReadLock(module_lock);
989 /* now examine all the slots, finding which should be readers */
990 /* We should control this with options. For now we mirror out any
991 * removable hardware slot */
992 default_card_type = options->hw_card_type;
993 default_type_params = g_strdup(options->hw_type_params);
995 SECMOD_GetReadLock(module_lock);
996 for (mlp = module_list; mlp; mlp = mlp->next) {
997 SECMODModule *module = mlp->module;
999 /* Ignore the internal module */
1000 if (module == NULL || module == SECMOD_GetInternalModule()) {
1004 for (i = 0; i < module->slotCount; i++) {
1005 PK11SlotInfo *slot = module->slots[i];
1007 /* only map removable HW slots */
1008 if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) {
1011 if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) {
1013 * coolkey <= 1.1.0-20 emulates this reader if it can't find
1014 * any hardware readers. This causes problems, warn user of
1017 fprintf(stderr, "known bad coolkey version - see "
1018 "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n");
1021 vreader_emul = vreader_emul_new(slot, options->hw_card_type,
1022 options->hw_type_params);
1023 vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
1024 vreader_emul_delete);
1025 vreader_add_reader(vreader);
1027 if (PK11_IsPresent(slot)) {
1029 vcard = vcard_emul_mirror_card(vreader);
1030 vreader_insert_card(vreader, vcard);
1031 vcard_emul_init_series(vreader, vcard);
1035 vcard_emul_new_event_thread(module);
1037 SECMOD_ReleaseReadLock(module_lock);
1038 nss_emul_init = PR_TRUE;
1040 return VCARD_EMUL_OK;
1043 /* Recreate card insert events for all readers (user should
1044 * deduce implied reader insert. perhaps do a reader insert as well?)
1047 vcard_emul_replay_insertion_events(void)
1049 VReaderListEntry *current_entry;
1050 VReaderListEntry *next_entry;
1051 VReaderList *list = vreader_get_reader_list();
1053 for (current_entry = vreader_list_get_first(list); current_entry;
1054 current_entry = next_entry) {
1055 VReader *vreader = vreader_list_get_reader(current_entry);
1056 next_entry = vreader_list_get_next(current_entry);
1057 vreader_queue_card_event(vreader);
1060 vreader_list_delete(list);
1064 * Silly little functions to help parsing our argument string
1067 count_tokens(const char *str, char token, char token_end)
1071 for (; *str; str++) {
1072 if (*str == token) {
1075 if (*str == token_end) {
1083 strip(const char *str)
1085 for (; *str && isspace(*str); str++) {
1091 find_blank(const char *str)
1093 for (; *str && !isspace(*str); str++) {
1100 * We really want to use some existing argument parsing library here. That
1101 * would give us a consistent look */
1102 static VCardEmulOptions options;
1103 #define READER_STEP 4
1105 /* Expects "args" to be at the beginning of a token (ie right after the ','
1106 * ending the previous token), and puts the next token start in "token",
1107 * and its length in "token_length". "token" will not be nul-terminated.
1108 * After calling the macro, "args" will be advanced to the beginning of
1110 * This macro may call continue or break.
1112 #define NEXT_TOKEN(token) \
1114 args = strpbrk(args, ",)"); \
1118 if (*args == ')') { \
1122 (token##_length) = args - (token); \
1123 args = strip(args+1);
1126 vcard_emul_options(const char *args)
1128 int reader_count = 0;
1129 VCardEmulOptions *opts;
1131 /* Allow the future use of allocating the options structure on the fly */
1132 memcpy(&options, &default_options, sizeof(options));
1136 args = strip(args); /* strip off the leading spaces */
1140 /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol)
1141 * cert_2,cert_3...) */
1142 if (strncmp(args, "soft=", 5) == 0) {
1146 size_t vname_length;
1147 const char *type_params;
1148 size_t type_params_length;
1152 VirtualReaderOptions *vreaderOpt;
1154 args = strip(args + 5);
1158 args = strip(args+1);
1162 NEXT_TOKEN(type_params)
1163 type_params_length = MIN(type_params_length, sizeof(type_str)-1);
1164 memcpy(type_str, type_params, type_params_length);
1165 type_str[type_params_length] = '\0';
1166 type = vcard_emul_type_from_string(type_str);
1168 NEXT_TOKEN(type_params)
1174 if (opts->vreader_count >= reader_count) {
1175 reader_count += READER_STEP;
1176 opts->vreader = g_renew(VirtualReaderOptions, opts->vreader,
1179 vreaderOpt = &opts->vreader[opts->vreader_count];
1180 vreaderOpt->name = g_strndup(name, name_length);
1181 vreaderOpt->vname = g_strndup(vname, vname_length);
1182 vreaderOpt->card_type = type;
1183 vreaderOpt->type_params =
1184 g_strndup(type_params, type_params_length);
1185 count = count_tokens(args, ',', ')') + 1;
1186 vreaderOpt->cert_count = count;
1187 vreaderOpt->cert_name = g_new(char *, count);
1188 for (i = 0; i < count; i++) {
1189 const char *cert = args;
1190 args = strpbrk(args, ",)");
1191 vreaderOpt->cert_name[i] = g_strndup(cert, args - cert);
1192 args = strip(args+1);
1197 opts->vreader_count++;
1199 } else if (strncmp(args, "use_hw=", 7) == 0) {
1200 args = strip(args+7);
1201 if (*args == '0' || *args == 'N' || *args == 'n' || *args == 'F') {
1202 opts->use_hw = PR_FALSE;
1204 opts->use_hw = PR_TRUE;
1206 args = find_blank(args);
1208 } else if (strncmp(args, "hw_type=", 8) == 0) {
1209 args = strip(args+8);
1210 opts->hw_card_type = vcard_emul_type_from_string(args);
1211 args = find_blank(args);
1213 } else if (strncmp(args, "hw_params=", 10) == 0) {
1215 args = strip(args+10);
1217 args = find_blank(args);
1218 opts->hw_type_params = g_strndup(params, args-params);
1219 /* db="/data/base/path" */
1220 } else if (strncmp(args, "db=", 3) == 0) {
1222 args = strip(args+3);
1228 args = strpbrk(args, "\"\n");
1229 opts->nss_db = g_strndup(db, args-db);
1234 args = find_blank(args);
1236 } while (*args != 0);
1242 vcard_emul_usage(void)
1245 "emul args: comma separated list of the following arguments\n"
1246 " db={nss_database} (default sql:/etc/pki/nssdb)\n"
1247 " use_hw=[yes|no] (default yes)\n"
1248 " hw_type={card_type_to_emulate} (default CAC)\n"
1249 " hw_param={param_for_card} (default \"\")\n"
1250 " soft=({slot_name},{vreader_name},{card_type_to_emulate},{params_for_card},\n"
1251 " {cert1},{cert2},{cert3} (default none)\n"
1253 " {nss_database} The location of the NSS cert & key database\n"
1254 " {card_type_to_emulate} What card interface to present to the guest\n"
1255 " {param_for_card} Card interface specific parameters\n"
1256 " {slot_name} NSS slot that contains the certs\n"
1257 " {vreader_name} Virtual reader name to present to the guest\n"
1258 " {certN} Nickname of the certificate n on the virtual card\n"
1260 "These parameters come as a single string separated by blanks or newlines."
1262 "Unless use_hw is set to no, all tokens that look like removable hardware\n"
1263 "tokens will be presented to the guest using the emulator specified by\n"
1264 "hw_type, and parameters of hw_param.\n"
1266 "If more one or more soft= parameters are specified, these readers will be\n"
1267 "presented to the guest\n");
projects / qemu.git / blob