Thales card support

IB-8171

Signed-off-by: Raul Metsma <[email protected]>

Author: metsma

lib/libpcsc-cpp/src/SmartCard.cpp

@@ -57,19 +57,6 @@ constexpr SmartCard::Protocol convertToSmartCardProtocol(const DWORD protocol)
     }
 }
 
-std::pair<SCARDHANDLE, DWORD> connectToCard(const SCARDCONTEXT ctx, const string_t& readerName)
-{
-    const unsigned requestedProtocol =
-        SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1; // Let PCSC auto-select protocol.
-    DWORD protocolOut = SCARD_PROTOCOL_UNDEFINED;
-    SCARDHANDLE cardHandle = 0;
-
-    SCard(Connect, ctx, readerName.c_str(), DWORD(SCARD_SHARE_SHARED), requestedProtocol,
-          &cardHandle, &protocolOut);
-
-    return {cardHandle, protocolOut};
-}
-
 template <class K, class V = uint32_t, class D, size_t dsize, typename Func>
 constexpr std::map<K, V> parseTLV(const std::array<D, dsize>& data, DWORD size, Func transform)
 {
@@ -96,9 +83,13 @@ namespace pcsc_cpp
 class CardImpl
 {
 public:
-    explicit CardImpl(std::pair<SCARDHANDLE, DWORD> cardParams) :
-        cardHandle(cardParams.first), _protocol {cardParams.second, sizeof(SCARD_IO_REQUEST)}
+    explicit CardImpl(const SCARDCONTEXT ctx, const string_t& readerName)
     {
+        const unsigned requestedProtocol =
+            SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1; // Let PCSC auto-select protocol.
+        SCard(Connect, ctx, readerName.c_str(), DWORD(SCARD_SHARE_SHARED), requestedProtocol,
+              &cardHandle, &_protocol.dwProtocol);
+
         // TODO: debug("Protocol: " + to_string(protocol()))
         try {
             DWORD size = 0;
@@ -124,7 +115,7 @@ class CardImpl
         }
     }
 
-    ~CardImpl()
+    ~CardImpl() noexcept
     {
         if (cardHandle) {
             // Cannot throw in destructor, so cannot use the SCard() macro here.
@@ -161,6 +152,9 @@ class CardImpl
 
         auto response = toResponse(std::move(responseBytes), responseLength);
 
+        if (response.sw1 == ResponseApdu::WRONG_LE_LENGTH) {
+            getResponseWithLE(response, commandBytes);
+        }
         if (response.sw1 == ResponseApdu::MORE_DATA_AVAILABLE) {
             getMoreResponseData(response);
         }
@@ -213,8 +207,8 @@ class CardImpl
     DWORD protocol() const { return _protocol.dwProtocol; }
 
 private:
-    SCARDHANDLE cardHandle;
-    const SCARD_IO_REQUEST _protocol;
+    SCARDHANDLE cardHandle {};
+    SCARD_IO_REQUEST _protocol {SCARD_PROTOCOL_UNDEFINED, sizeof(SCARD_IO_REQUEST)};
     std::map<DRIVER_FEATURES, uint32_t> features;
     uint32_t id_vendor {};
     uint32_t id_product {};
@@ -232,25 +226,20 @@ class CardImpl
 
         // Let expected errors through for handling in upper layers or in if blocks below.
         switch (response.sw1) {
-        case ResponseApdu::OK:
-        case ResponseApdu::MORE_DATA_AVAILABLE: // See the if block after next.
-        case ResponseApdu::VERIFICATION_FAILED:
-        case ResponseApdu::VERIFICATION_CANCELLED:
-        case ResponseApdu::WRONG_LENGTH:
-        case ResponseApdu::COMMAND_NOT_ALLOWED:
-        case ResponseApdu::WRONG_PARAMETERS:
-        case ResponseApdu::WRONG_LE_LENGTH: // See next if block.
-            break;
+            using enum ResponseApdu::Status;
+        case OK:
+        case MORE_DATA_AVAILABLE:
+        case WRONG_LE_LENGTH:
+        case VERIFICATION_FAILED:
+        case VERIFICATION_CANCELLED:
+        case WRONG_LENGTH:
+        case COMMAND_NOT_ALLOWED:
+        case WRONG_PARAMETERS:
+            return response;
         default:
             THROW(Error,
                   "Error response: '" + response + "', protocol " + std::to_string(protocol()));
         }
-
-        if (response.sw1 == ResponseApdu::WRONG_LE_LENGTH) {
-            THROW(Error, "Wrong LE length (SW1=0x6C) in response, please set LE");
-        }
-
-        return response;
     }
 
     void getMoreResponseData(ResponseApdu& response) const
@@ -269,6 +258,13 @@ class CardImpl
         response.sw1 = ResponseApdu::OK;
         response.sw2 = 0;
     }
+
+    void getResponseWithLE(ResponseApdu& response, byte_vector command) const
+    {
+        size_t pos = command.size() <= 5 ? 4 : 5 + command[4];
+        command[pos] = response.sw2;
+        response = transmitBytes(command);
+    }
 };
 
 SmartCard::TransactionGuard::TransactionGuard(const CardImpl& card, bool& inProgress) :
@@ -290,7 +286,7 @@ SmartCard::TransactionGuard::~TransactionGuard() noexcept
 
 SmartCard::SmartCard(ContextPtr context, string_t readerName, byte_vector atr) :
     ctx(std::move(context)),
-    card(std::make_unique<CardImpl>(connectToCard(ctx->handle(), readerName))),
+    card(std::make_unique<CardImpl>(context->handle(), readerName)),
     _readerName(std::move(readerName)), _atr(std::move(atr)),
     _protocol(convertToSmartCardProtocol(card->protocol()))
 {

src/electronic-id.cpp

@@ -60,6 +60,10 @@ const std::map<byte_vector, ElectronicIDConstructor, VectorComparator> SUPPORTED
     {{0x3b, 0xdc, 0x96, 0x00, 0x80, 0xb1, 0xfe, 0x45, 0x1f, 0x83, 0x00, 0x12,
       0x23, 0x3f, 0x54, 0x65, 0x49, 0x44, 0x32, 0x0f, 0x90, 0x00, 0xc3},
      constructor<EstEIDIDEMIAV1>},
+    // EstEID Thales v1.0
+    {{0x3b, 0xff, 0x96, 0x00, 0x00, 0x80, 0x31, 0xfe, 0x43, 0x80, 0x31, 0xb8, 0x53,
+      0x65, 0x49, 0x44, 0x64, 0xb0, 0x85, 0x05, 0x10, 0x12, 0x23, 0x3f, 0x1d},
+     constructor<EstEIDTHALES>},
     // FinEID v3.0
     {{0x3B, 0x7F, 0x96, 0x00, 0x00, 0x80, 0x31, 0xB8, 0x65, 0xB0,
       0x85, 0x03, 0x00, 0xEF, 0x12, 0x00, 0xF6, 0x82, 0x90, 0x00},

src/electronic-ids/pcsc/EIDIDEMIA.cpp

@@ -83,8 +83,7 @@ byte_vector EIDIDEMIA::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector&
     auto [keyId, isECC] = authKeyRef();
     selectSecurityEnv(*card, 0xA4, isECC ? 0x04 : 0x02, keyId, name());
 
-    verifyPin(*card, AUTH_PIN_REFERENCE, std::move(pin), authPinMinMaxLength().first,
-              authPinMinMaxLength().second, PIN_PADDING_CHAR);
+    verifyPin(*card, AUTH_PIN_REFERENCE, std::move(pin), authPinMinMaxLength(), PIN_PADDING_CHAR);
 
     return internalAuthenticate(*card,
                                 authSignatureAlgorithm().isRSAWithPKCS1Padding()
@@ -111,8 +110,8 @@ ElectronicID::Signature EIDIDEMIA::signWithSigningKeyImpl(byte_vector&& pin,
     selectADF2();
     auto [keyRef, isECC] = signKeyRef();
     selectSecurityEnv(*card, 0xB6, isECC ? 0x54 : 0x42, keyRef, name());
-    verifyPin(*card, SIGN_PIN_REFERENCE, std::move(pin), signingPinMinMaxLength().first,
-              signingPinMinMaxLength().second, PIN_PADDING_CHAR);
+    verifyPin(*card, SIGN_PIN_REFERENCE, std::move(pin), signingPinMinMaxLength(),
+              PIN_PADDING_CHAR);
     auto tmp = hash;
     if (isECC) {
         constexpr size_t ECDSA384_INPUT_LENGTH = 384 / 8;

src/electronic-ids/pcsc/FinEID.cpp

@@ -22,8 +22,12 @@
 
 #include "FinEID.hpp"
 
+#include "../TLV.hpp"
+
 #include "pcsc-common.hpp"
 
+#include <array>
+
 // FINEID specification:
 // App 3.0:
 // https://dvv.fi/documents/16079645/17324923/S1v30.pdf/0bad6ff1-1617-1b1f-ab49-56a2f36ecd38/S1v30.pdf
@@ -44,15 +48,19 @@ namespace
 const auto SELECT_MAIN_AID = CommandApdu::select(
     0x04, {0xa0, 0x00, 0x00, 0x00, 0x63, 0x50, 0x4b, 0x43, 0x53, 0x2d, 0x31, 0x35});
 const auto SELECT_AUTH_CERT_FILE = CommandApdu::selectEF(0x08, {0x43, 0x31});
+const auto SELECT_AUTH_CERT_FILE_EST = CommandApdu::selectEF(0x08, {0xAD, 0xF1, 0x34, 0x11});
 const auto SELECT_SIGN_CERT_FILE_V3 = CommandApdu::selectEF(0x08, {0x50, 0x16, 0x43, 0x35});
 const auto SELECT_SIGN_CERT_FILE_V4 = CommandApdu::selectEF(0x08, {0x50, 0x16, 0x43, 0x32});
+const auto SELECT_SIGN_CERT_FILE_EST = CommandApdu::selectEF(0x08, {0xAD, 0xF2, 0x34, 0x21});
 
 constexpr byte_type PIN_PADDING_CHAR = 0x00;
 constexpr byte_type AUTH_PIN_REFERENCE = 0x11;
+constexpr byte_type AUTH_PIN_REFERENCE_EST = 0x81;
 constexpr byte_type SIGNING_PIN_REFERENCE = 0x82;
 constexpr byte_type AUTH_KEY_REFERENCE = 0x01;
 constexpr byte_type SIGNING_KEY_REFERENCE_V3 = 0x03;
 constexpr byte_type SIGNING_KEY_REFERENCE_V4 = 0x02;
+constexpr byte_type SIGNING_KEY_REFERENCE_EST = 0x05;
 constexpr byte_type ECDSA_ALGO = 0x04;
 constexpr byte_type RSA_PSS_ALGO = 0x05;
 
@@ -71,7 +79,7 @@ byte_vector FinEIDv3::getCertificateImpl(const CertificateType type) const
 byte_vector FinEIDv3::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const
 {
     return sign(authSignatureAlgorithm().hashAlgorithm(), hash, std::move(pin), AUTH_PIN_REFERENCE,
-                authPinMinMaxLength(), AUTH_KEY_REFERENCE, RSA_PSS_ALGO, 0x00);
+                authPinMinMaxLength(), AUTH_KEY_REFERENCE, RSA_PSS_ALGO);
 }
 
 ElectronicID::PinRetriesRemainingAndMax FinEIDv3::authPinRetriesLeftImpl() const
@@ -88,7 +96,7 @@ ElectronicID::Signature FinEIDv3::signWithSigningKeyImpl(byte_vector&& pin, cons
                                                          const HashAlgorithm hashAlgo) const
 {
     return {sign(hashAlgo, hash, std::move(pin), SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),
-                 SIGNING_KEY_REFERENCE_V3, ECDSA_ALGO, 0x40),
+                 SIGNING_KEY_REFERENCE_V3, ECDSA_ALGO),
             {SignatureAlgorithm::ES, hashAlgo}};
 }
 
@@ -99,7 +107,7 @@ ElectronicID::PinRetriesRemainingAndMax FinEIDv3::signingPinRetriesLeftImpl() co
 
 byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash, byte_vector&& pin,
                            byte_type pinReference, PinMinMaxLength pinMinMaxLength,
-                           byte_type keyReference, byte_type signatureAlgo, byte_type LE) const
+                           byte_type keyReference, byte_type signatureAlgo) const
 {
     if (signatureAlgo != ECDSA_ALGO && hashAlgo.isSHA3()) {
         THROW(ArgumentFatalError, "No OID for algorithm " + std::string(hashAlgo));
@@ -127,8 +135,7 @@ byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash
         THROW(ArgumentFatalError, "No OID for algorithm " + std::string(hashAlgo));
     }
 
-    verifyPin(*card, pinReference, std::move(pin), pinMinMaxLength.first, pinMinMaxLength.second,
-              PIN_PADDING_CHAR);
+    verifyPin(*card, pinReference, std::move(pin), pinMinMaxLength, PIN_PADDING_CHAR);
     // Select security environment for COMPUTE SIGNATURE.
     selectSecurityEnv(*card, 0xB6, signatureAlgo, keyReference, name());
 
@@ -146,8 +153,8 @@ byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash
         THROW(SmartCardError, "Command COMPUTE SIGNATURE failed with error " + response);
     }
 
-    const CommandApdu getSignature {0x00, 0x2A, 0x9E, 0x9A, LE};
-    const auto signature = card->transmit(getSignature);
+    const CommandApdu getSignature {0x00, 0x2A, 0x9E, 0x9A, 0x00};
+    auto signature = card->transmit(getSignature);
 
     if (signature.sw1 == ResponseApdu::WRONG_LENGTH) {
         THROW(SmartCardError, "Wrong data length in command GET SIGNATURE argument: " + response);
@@ -156,7 +163,7 @@ byte_vector FinEIDv3::sign(const HashAlgorithm hashAlgo, const byte_vector& hash
         THROW(SmartCardError, "Command GET SIGNATURE failed with error " + signature);
     }
 
-    return signature.data;
+    return std::move(signature.data);
 }
 
 ElectronicID::PinRetriesRemainingAndMax FinEIDv3::pinRetriesLeft(byte_type pinReference) const
@@ -168,12 +175,13 @@ ElectronicID::PinRetriesRemainingAndMax FinEIDv3::pinRetriesLeft(byte_type pinRe
     if (!response.isOK()) {
         THROW(SmartCardError, "Command GET DATA failed with error " + response);
     }
-    if (response.data.size() < 21) {
-        THROW(SmartCardError,
-              "Command GET DATA failed: received data size " + std::to_string(response.data.size())
-                  + " is less than the expected size of the PIN remaining retries offset 21");
+    if (TLV tlv(response.data); tlv.tag == 0xA0) {
+        if (TLV info = tlv[0xdf21]) {
+            return {*info.begin, maximumPinRetries()};
+        }
     }
-    return {uint8_t(response.data[20]), int8_t(5)};
+    THROW(SmartCardError,
+          "Command GET DATA failed: received data does not contain the PIN remaining retries info");
 }
 
 byte_vector FinEIDv4::getCertificateImpl(const CertificateType type) const
@@ -186,14 +194,41 @@ byte_vector FinEIDv4::getCertificateImpl(const CertificateType type) const
 byte_vector FinEIDv4::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const
 {
     return sign(authSignatureAlgorithm().hashAlgorithm(), hash, std::move(pin), AUTH_PIN_REFERENCE,
-                authPinMinMaxLength(), AUTH_KEY_REFERENCE, ECDSA_ALGO, 0x60);
+                authPinMinMaxLength(), AUTH_KEY_REFERENCE, ECDSA_ALGO);
 }
 
 ElectronicID::Signature FinEIDv4::signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
                                                          const HashAlgorithm hashAlgo) const
 {
     return {sign(hashAlgo, hash, std::move(pin), SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),
-                 SIGNING_KEY_REFERENCE_V4, ECDSA_ALGO, 0x60),
+                 SIGNING_KEY_REFERENCE_V4, ECDSA_ALGO),
+            {SignatureAlgorithm::ES, hashAlgo}};
+}
+
+byte_vector EstEIDTHALES::getCertificateImpl(const CertificateType type) const
+{
+    transmitApduWithExpectedResponse(*card, SELECT_MAIN_AID);
+    return readFile(
+        *card, type.isAuthentication() ? SELECT_AUTH_CERT_FILE_EST : SELECT_SIGN_CERT_FILE_EST);
+}
+
+byte_vector EstEIDTHALES::signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const
+{
+    return sign(authSignatureAlgorithm().hashAlgorithm(), hash, std::move(pin),
+                AUTH_PIN_REFERENCE_EST, authPinMinMaxLength(), AUTH_KEY_REFERENCE, ECDSA_ALGO);
+}
+
+ElectronicID::PinRetriesRemainingAndMax EstEIDTHALES::authPinRetriesLeftImpl() const
+{
+    return pinRetriesLeft(AUTH_PIN_REFERENCE_EST);
+}
+
+ElectronicID::Signature EstEIDTHALES::signWithSigningKeyImpl(byte_vector&& pin,
+                                                             const byte_vector& hash,
+                                                             const HashAlgorithm hashAlgo) const
+{
+    return {sign(hashAlgo, hash, std::move(pin), SIGNING_PIN_REFERENCE, signingPinMinMaxLength(),
+                 SIGNING_KEY_REFERENCE_EST, ECDSA_ALGO),
             {SignatureAlgorithm::ES, hashAlgo}};
 }
 

src/electronic-ids/pcsc/FinEID.hpp

@@ -30,7 +30,7 @@ namespace electronic_id
 class FinEIDv3 : public PcscElectronicID
 {
 public:
-    FinEIDv3(pcsc_cpp::SmartCard::ptr _card) : PcscElectronicID(std::move(_card)) {}
+    using PcscElectronicID::PcscElectronicID;
 
 protected:
     byte_vector getCertificateImpl(const CertificateType type) const override;
@@ -56,17 +56,18 @@ class FinEIDv3 : public PcscElectronicID
 
     byte_vector sign(const HashAlgorithm hashAlgo, const byte_vector& hash, byte_vector&& pin,
                      byte_type pinReference, PinMinMaxLength pinMinMaxLength,
-                     byte_type keyReference, byte_type signatureAlgo, byte_type LE) const;
+                     byte_type keyReference, byte_type signatureAlgo) const;
 
+    virtual int8_t maximumPinRetries() const { return 5; }
     PinRetriesRemainingAndMax pinRetriesLeft(byte_type pinReference) const;
 };
 
 class FinEIDv4 : public FinEIDv3
 {
 public:
-    FinEIDv4(pcsc_cpp::SmartCard::ptr _card) : FinEIDv3(std::move(_card)) {}
+    using FinEIDv3::FinEIDv3;
 
-private:
+protected:
     JsonWebSignatureAlgorithm authSignatureAlgorithm() const override
     {
         return JsonWebSignatureAlgorithm::ES384;
@@ -82,4 +83,27 @@ class FinEIDv4 : public FinEIDv3
                                      const HashAlgorithm hashAlgo) const override;
 };
 
+class EstEIDTHALES : public FinEIDv4
+{
+public:
+    using FinEIDv4::FinEIDv4;
+
+protected:
+    byte_vector getCertificateImpl(const CertificateType type) const override;
+
+    PinRetriesRemainingAndMax authPinRetriesLeftImpl() const override;
+
+    PinMinMaxLength signingPinMinMaxLength() const override { return {5, 12}; }
+
+    std::string name() const override { return "EstEIDTHALES"; }
+    Type type() const override { return EstEID; }
+
+    byte_vector signWithAuthKeyImpl(byte_vector&& pin, const byte_vector& hash) const override;
+
+    Signature signWithSigningKeyImpl(byte_vector&& pin, const byte_vector& hash,
+                                     const HashAlgorithm hashAlgo) const override;
+
+    int8_t maximumPinRetries() const override { return 3; }
+};
+
 } // namespace electronic_id