Thales card support (#1332)

IB-8171

Signed-off-by: Raul Metsma <[email protected]>

Author: metsma

client/Diagnostics.cpp

@@ -119,7 +119,7 @@ void Diagnostics::generalInfo(QTextStream &s)
 
 		reader.beginTransaction();
 		constexpr auto APDU = &QByteArray::fromHex;
-		auto printAID = [&](const QString &label, const QByteArray &apdu)
+		auto printAID = [&](const QLatin1String &label, const QByteArray &apdu)
 		{
 			QPCSCReader::Result r = reader.transfer(apdu);
 			s << label << ": " << Qt::hex << r.SW;
@@ -129,9 +129,11 @@ void Diagnostics::generalInfo(QTextStream &s)
 			s << "<br />";
 			return r;
 		};
-		if(printAID(QStringLiteral("AID_IDEMIA"), APDU("00A4040C 10 A000000077010800070000FE00000100")) &&
-			reader.transfer(APDU("00A4010C 02 5000")) &&
-			reader.transfer(APDU("00A4020C 02 5006")))
+		if(printAID(QLatin1String("AID_IDEMIA"), APDU("00A4040C 10 A000000077010800070000FE00000100")) &&
+			reader.transfer(APDU("00A4090C 04 5000 5006")))
+			s << "ID - " << reader.transfer(APDU("00B00000 00")).data << "<br />";
+		if(printAID(QLatin1String("AID_THALES"), APDU("00A4040C 0C A000000063504B43532D3135")) &&
+			reader.transfer(APDU("00A4080C 04 DFDD 5006")))
 			s << "ID - " << reader.transfer(APDU("00B00000 00")).data << "<br />";
 		reader.endTransaction();
 	}

client/Diagnostics_win.cpp

@@ -31,6 +31,8 @@
 
 #include <qt_windows.h>
 
+#include <span>
+
 using namespace Qt::StringLiterals;
 
 static QString getUserRights()
@@ -52,24 +54,19 @@ static QString getUserRights()
 	}
 
 	QByteArray tokenGroupsBuffer(dwLength, 0);
-	PTOKEN_GROUPS pGroup = PTOKEN_GROUPS(tokenGroupsBuffer.data());
+	auto *pGroup = PTOKEN_GROUPS(tokenGroupsBuffer.data());
 	if ( !GetTokenInformation( hToken, TokenGroups, pGroup, dwLength, &dwLength ) )
 		return Diagnostics::tr("Unknown - error %1").arg(GetLastError());
 
 	QString rights = Diagnostics::tr( "User" );
 	SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
-	PSID AdministratorsGroup {};
-	if( AllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
+	if(PSID AdministratorsGroup {};
+		AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
 			DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup ) )
 	{
-		for ( DWORD dwIndex = 0; dwIndex < pGroup->GroupCount; dwIndex++ )
-		{
-			if ( EqualSid( AdministratorsGroup, pGroup->Groups[dwIndex].Sid ) )
-			{
-				rights = Diagnostics::tr( "Administrator" );
-				break;
-			}
-		}
+		if(auto list = std::span<SID_AND_ATTRIBUTES>(pGroup->Groups, pGroup->GroupCount);
+			std::any_of(list.begin(), list.end(), [&](const auto &group) { return EqualSid(AdministratorsGroup, group.Sid); }))
+			rights = Diagnostics::tr("Administrator");
 		FreeSid(AdministratorsGroup);
 	}
 
@@ -88,8 +85,8 @@ QStringList Diagnostics::packages(const QStringList &names, bool withName)
 		}();
 		for(QSettings::Format format: formats)
 		{
-			QSettings s(u"%1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"_s.arg(group), format);
-			for(const QString &key: s.childGroups())
+			QSettings s("%1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"_L1.arg(group), format);
+			for(const auto groups = s.childGroups(); const QString &key: groups)
 			{
 				s.beginGroup(key);
 				QString name = s.value("/DisplayName"_L1).toString();
@@ -149,7 +146,7 @@ void Diagnostics::run()
 	SetDllDirectory(LPCWSTR(QCoreApplication::applicationDirPath().utf16()));
 	static const QStringList dlls{
 		"digidocpp", "qdigidoc4.exe", "EsteidShellExtension", "id-updater.exe", "web-eid.exe",
-		"EstIDMinidriver", "EstIDMinidriver64", "EestiMinidriver", "EestiMinidriver64",
+		"EstIDMinidriver", "EstIDMinidriver64", "EestiMinidriver", "EestiMinidriver64", "estgsv4md", "estgsv4md64",
 		"zlib1", "libxml2", "libxmlsec1", "libxmlsec1-openssl",
 		"msvcp140", "msvcp140_1", "msvcp140_2", "vcruntime140", "vcruntime140_1"};
 	for(const QString &lib: dlls)

client/MainWindow.cpp

@@ -1015,7 +1015,7 @@ void MainWindow::updateSelectorData(TokenData data)
 	ui->noCardInfo->setVisible(ui->cardInfo->token().isNull());
 	ui->selector->setHidden(list.isEmpty());
 	ui->selector->setChecked(false);
-	ui->cardInfo->setHidden(ui->noCardInfo->isVisible());
+	ui->cardInfo->setVisible(ui->noCardInfo->isHidden());
 	ui->cardInfo->setCursor(ui->selector->isVisible() ? Qt::PointingHandCursor : Qt::ArrowCursor);
 	ui->cardInfo->update(data, list.size() > 1);
 	if (!QPCSC::instance().serviceRunning())

client/QPCSC.cpp

@@ -53,9 +53,9 @@ static QStringList stateToString(DWORD state)
 }
 
 template<auto Func, typename... Args>
-static auto SCCall(const char *file, int line, const char *function, Args... args)
+static auto SCCall(const char *file, int line, const char *function, Args&& ...args)
 {
-	auto err = Func(args...);
+	auto err = Func(std::forward<Args>(args)...);
 	if(SCard().isDebugEnabled())
 		QMessageLogger(file, line, function, SCard().categoryName()).debug()
 			<< function << Qt::hex << (unsigned long)err;

client/QSmartCard.cpp

@@ -51,6 +51,7 @@ QString QSmartCardData::card() const { return d->card; }
 bool QSmartCardData::isNull() const
 { return d->data.isEmpty() && d->authCert.isNull() && d->signCert.isNull(); }
 bool QSmartCardData::isPinpad() const { return d->pinpad; }
+bool QSmartCardData::isPUKReplacable() const { return d->pukReplacable; }
 bool QSmartCardData::isValid() const
 { return d->data.value(Expiry).toDateTime() >= QDateTime::currentDateTime(); }
 
@@ -103,23 +104,17 @@ QPCSCReader::Result Card::transfer(QPCSCReader *reader, bool verify, const QByte
 }
 
 
-QByteArrayView Card::parseFCI(const QByteArray &data, quint8 expectedTag)
+QByteArrayView Card::parseFCI(QByteArrayView data, quint8 expectedTag)
 {
-	for(auto i = data.constBegin(); i != data.constEnd(); ++i)
+	for(auto i = data.begin(); i != data.end();)
 	{
-		quint8 tag(*i), size(*++i);
+		quint8 tag(*i++), size(*i++);
 		if(tag == expectedTag)
-			return QByteArrayView(i + 1, size);
-		switch(tag)
-		{
-		case 0x6F:
-		case 0x62:
-		case 0x64:
-		case 0xA1: continue;
-		default: i += size; break;
-		}
+			return {i, size};
+		if((tag & 0x20) == 0)
+			i += size;
 	}
-	return QByteArrayView();
+	return {};
 }
 
 
@@ -291,6 +286,144 @@ bool IDEMIACard::updateCounters(QPCSCReader *reader, QSmartCardDataPrivate *d) c
 
 
 
+const QByteArray THALESCard::AID = APDU("00A4040C 0C A000000063504B43532D3135");
+
+QPCSCReader::Result THALESCard::change(QPCSCReader *reader, QSmartCardData::PinType type, const QString &pin_, const QString &newpin_) const
+{
+	QByteArray cmd = CHANGE;
+	QByteArray newpin = pinTemplate(newpin_);
+	QByteArray pin = pinTemplate(pin_);
+	cmd[3] = char(0x80 | type);
+	cmd[4] = char(pin.size() + newpin.size());
+	return transfer(reader, false, cmd + pin + newpin, type, quint8(pin.size()), true);
+}
+
+bool THALESCard::isSupported(const QByteArray &atr)
+{
+	return atr == "3BFF9600008031FE438031B85365494464B085051012233F1D";
+}
+
+bool THALESCard::loadPerso(QPCSCReader *reader, QSmartCardDataPrivate *d) const
+{
+	d->pukReplacable = false;
+	if(d->data.isEmpty() && reader->transfer(APDU("00A4080C 02 DFDD")))
+	{
+		QByteArray cmd = APDU("00A4020C 02 5001");
+		for(char data = 1; data <= 8; ++data)
+		{
+			cmd[6] = data;
+			if(!reader->transfer(cmd))
+				return false;
+			QPCSCReader::Result result = reader->transfer(READBINARY);
+			if(!result)
+				return false;
+			QString record = QString::fromUtf8(result.data.trimmed());
+			if(record == QChar(0))
+				record.clear();
+			switch(data)
+			{
+			case QSmartCardData::SurName:
+			case QSmartCardData::FirstName:
+			case QSmartCardData::Citizen:
+			case QSmartCardData::Id:
+			case QSmartCardData::DocumentId:
+				d->data[QSmartCardData::PersonalDataType(data)] = record;
+				break;
+			case QSmartCardData::BirthDate:
+				if(!record.isEmpty())
+					d->data[QSmartCardData::BirthDate] = QDate::fromString(record.left(10), QStringLiteral("dd MM yyyy"));
+				break;
+			case QSmartCardData::Expiry:
+				d->data[QSmartCardData::Expiry] = QDateTime::fromString(record, QStringLiteral("dd MM yyyy")).addDays(1).addSecs(-1);
+				break;
+			default: break;
+			}
+		}
+	}
+
+	bool readFailed = false;
+	auto readCert = [&](const QByteArray &path) {
+		QPCSCReader::Result data = reader->transfer(path);
+		if(!data)
+		{
+			readFailed = true;
+			return QSslCertificate();
+		}
+		auto sizeTag = parseFCI(data.data, 0x81);
+		if(sizeTag.isEmpty())
+			return QSslCertificate();
+		QByteArray cert;
+		QByteArray cmd = READBINARY;
+		for(int size = quint8(sizeTag[0]) << 8 | quint8(sizeTag[1]); cert.size() < size;)
+		{
+			cmd[2] = char(cert.size() >> 8);
+			cmd[3] = char(cert.size());
+			data = reader->transfer(cmd);
+			if(!data)
+			{
+				readFailed = true;
+				return QSslCertificate();
+			}
+			cert += data.data;
+		}
+		return QSslCertificate(cert, QSsl::Der);
+	};
+	if(d->authCert.isNull())
+		d->authCert = readCert(APDU("00A40804 04 ADF1 3411 00"));
+	if(d->signCert.isNull())
+		d->signCert = readCert(APDU("00A40804 04 ADF2 3421 00"));
+
+	if(readFailed)
+		return false;
+	return updateCounters(reader, d);
+}
+
+QByteArray THALESCard::pinTemplate(const QString &pin)
+{
+	QByteArray result = pin.toUtf8();
+	result += QByteArray(12 - result.size(), char(0x00));
+	return result;
+}
+
+QPCSCReader::Result THALESCard::replace(QPCSCReader *reader, QSmartCardData::PinType type, const QString &puk_, const QString &pin_) const
+{
+	QByteArray puk = pinTemplate(puk_);
+	QByteArray pin = pinTemplate(pin_);
+	QByteArray cmd = REPLACE;
+	cmd[3] = char(0x80 | type);
+	cmd[4] = char(puk.size() + pin.size());
+	return transfer(reader, false, cmd + puk + pin, type, quint8(puk.size()), true);
+}
+
+QByteArray THALESCard::sign(QPCSCReader *reader, const QByteArray &dgst) const
+{
+	if(!reader->transfer(APDU("002241B6 09 800154840101")))
+		return {};
+
+	QByteArray send {0x90, char(dgst.size())};
+	send.append(dgst);
+	send.insert(0, char(send.size()));
+	send.insert(0, APDU("002A90A0"));
+
+	if(!reader->transfer(send))
+		return {};
+
+	return reader->transfer(APDU("002A9E9A 00")).data;
+}
+
+bool THALESCard::updateCounters(QPCSCReader *reader, QSmartCardDataPrivate *d) const
+{
+	if(auto data = reader->transfer(APDU("00CB00FF 05 A003830181 00")))
+		d->retry[QSmartCardData::Pin1Type] = quint8(data.data[14]);
+	if(auto data = reader->transfer(APDU("00CB00FF 05 A003830183 00")))
+		d->retry[QSmartCardData::PukType] = quint8(data.data[14]);
+	if(auto data = reader->transfer(APDU("00CB00FF 05 A003830182 00")))
+		d->retry[QSmartCardData::Pin2Type] = quint8(data.data[14]);
+	return true;
+}
+
+
+
 QSharedPointer<QPCSCReader> QSmartCard::Private::connect(const QString &reader)
 {
 	qCDebug(CLog) << "Connecting to reader" << reader;
@@ -315,7 +448,8 @@ QSmartCard::ErrorType QSmartCard::Private::handlePinResult(QPCSCReader *reader,
 	case 0x6401: return QSmartCard::CancelError; // Cancel (OK, SCM)
 	case 0x6402: return QSmartCard::DifferentError;
 	case 0x6403: return QSmartCard::LenghtError;
-	case 0x6983: return QSmartCard::BlockedError;
+	case 0x6983:
+	case 0x6984: return QSmartCard::BlockedError;
 	case 0x6985:
 	case 0x6A80: return QSmartCard::OldNewPinSameError;
 	default: return QSmartCard::UnknownError;
@@ -450,7 +584,12 @@ void QSmartCard::reloadCard(const TokenData &token, bool reloadCounters)
 	if(!selectedReader->connect() || !selectedReader->beginTransaction())
 		return;
 
-	if(!IDEMIACard::isSupported(selectedReader->atr())) {
+	std::unique_ptr<Card> card;
+	if(IDEMIACard::isSupported(selectedReader->atr()))
+		card = std::make_unique<IDEMIACard>();
+	else if(THALESCard::isSupported(selectedReader->atr()))
+		card = std::make_unique<THALESCard>();
+	else {
 		qDebug() << "Unsupported card";
 		return;
 	}
@@ -460,7 +599,7 @@ void QSmartCard::reloadCard(const TokenData &token, bool reloadCounters)
 	t = d->t.d;
 	t->reader = selectedReader->name();
 	t->pinpad = selectedReader->isPinPad();
-	d->card = std::make_unique<IDEMIACard>();
+	d->card = std::move(card);
 	if(d->card->loadPerso(selectedReader.data(), t))
 	{
 		d->t.d = std::move(t);

client/QSmartCard.h

@@ -62,6 +62,7 @@ class QSmartCardData
 
 	bool isNull() const;
 	bool isPinpad() const;
+	bool isPUKReplacable() const;
 	bool isValid() const;
 
 	QVariant data( PersonalDataType type ) const;

client/QSmartCard_p.h

@@ -41,7 +41,7 @@ class Card
 		QSmartCardData::PinType type, quint8 newPINOffset, bool requestCurrentPIN);
 	virtual bool updateCounters(QPCSCReader *reader, QSmartCardDataPrivate *d) const = 0;
 
-	static QByteArrayView parseFCI(const QByteArray &data, quint8 expectedTag);
+	static QByteArrayView parseFCI(QByteArrayView data, quint8 expectedTag);
 
 	static const QByteArray CHANGE;
 	static const QByteArray READBINARY;
@@ -64,6 +64,21 @@ class IDEMIACard: public Card
 	static const QByteArray AID, AID_OT, AID_QSCD, ATR_COSMO8, ATR_COSMOX;
 };
 
+class THALESCard: public Card
+{
+public:
+	QPCSCReader::Result change(QPCSCReader *reader, QSmartCardData::PinType type, const QString &pin, const QString &newpin) const final;
+	bool loadPerso(QPCSCReader *reader, QSmartCardDataPrivate *d) const final;
+	QPCSCReader::Result replace(QPCSCReader *reader, QSmartCardData::PinType type, const QString &puk, const QString &pin) const final;
+	QByteArray sign(QPCSCReader *reader, const QByteArray &dgst) const final;
+	bool updateCounters(QPCSCReader *reader, QSmartCardDataPrivate *d) const final;
+
+	static bool isSupported(const QByteArray &atr);
+	static QByteArray pinTemplate(const QString &pin);
+
+	static const QByteArray AID;
+};
+
 class QSmartCard::Private
 {
 public:
@@ -84,4 +99,5 @@ class QSmartCardDataPrivate: public QSharedData
 	SslCertificate authCert, signCert;
 	QHash<QSmartCardData::PinType,quint8> retry;
 	bool pinpad = false;
+	bool pukReplacable = true;
 };