Added (external) card driver for German ID card

(Imported libcardnpa from https://github.com/frankmorgner/vsmartcard)

- Added generic SM implementation of ISO/IEC 7816-8
- Added implementation of extended access control as defined by
  - BSI TR-03110
  - ICAO Doc 9303
  - ISO/IEC 7501
- Added tool for German ID card (and other EAC tokens)
- renamed folder libsm to sm

.gitignore

@@ -67,7 +67,7 @@ doc/tools/netkey-tool
 doc/tools/openpgp-tool
 doc/tools/opensc-explorer
 doc/tools/opensc-tool
-src/tools/gids-tool
+doc/tools/gids-tool
 doc/tools/piv-tool
 doc/tools/pkcs11-tool
 doc/tools/pkcs15-crypt
@@ -76,7 +76,6 @@ doc/tools/pkcs15-tool
 doc/tools/sc-hsm-tool
 doc/tools/westcos-tool
 doc/tools/dnie-tool
-doc/tools/gids-tool
 
 etc/opensc.conf.win
 etc/opensc.conf
@@ -101,7 +100,8 @@ src/tools/cryptoflex-tool
 src/tools/netkey-tool
 src/tools/pkcs11-tool
 src/tools/dnie-tool
-src/tools/gids-tool
+src/tools/npa-tool
+src/tools/sceac-example
 
 win32/OpenSC.iss
 win32/OpenSC.wxs

.travis.yml

@@ -13,6 +13,7 @@ addons:
     - mingw-w64
     - wine
     - xsltproc
+    - gengetopt
   coverity_scan:
     project:
       name: "OpenSC/OpenSC"
@@ -45,6 +46,14 @@ matrix:
     - os: linux
       env: HOST=i686-w64-mingw32
 
+before_install:
+  - if [ "$TRAVIS_OS_NAME" == "osx" ]; then
+        brew update;
+        brew uninstall libtool;
+        brew install libtool;
+        brew install gengetopt;
+    fi
+
 before_script:
   # we run a weekly cron job in travis on the coverity branch
   # just synchronize it with master to get a new report
@@ -53,7 +62,7 @@ before_script:
     fi
   - ./bootstrap
   - if [ -z "$HOST" ]; then
-    CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
+      CFLAGS="-Werror" ./configure $ENABLE_DOC --enable-dnie-ui;
     else
       if [ ! -f "$(winepath 'C:/Program Files (x86)/Inno Setup 5/ISCC.exe')" ]; then
         /sbin/start-stop-daemon --start --quiet --pidfile /tmp/custom_xvfb_99.pid --make-pidfile --background --exec /usr/bin/Xvfb -- :99 -ac -screen 0 1280x1024x16;
@@ -90,13 +99,4 @@ after_script:
       killall services.exe;
     fi
 
-
-before_install:
-  - if [ "$TRAVIS_OS_NAME" != "linux" ]; then
-        brew update;
-        brew uninstall libtool;
-        brew install libtool;
-        brew install libdvbpsi libhdhomerun;
-    fi
-
 cache: ccache

configure.ac

@@ -168,6 +168,13 @@ AC_ARG_ENABLE(
 	[enable_openssl="detect"]
 )
 
+AC_ARG_ENABLE(
+	[openpace],
+	[AS_HELP_STRING([--enable-openpace],[enable OpenPACE linkage @<:@detect@:>@])],
+	,
+	[enable_openpace="detect"]
+)
+
 AC_ARG_ENABLE(
 	[openct],
 	[AS_HELP_STRING([--enable-openct],[enable openct linkage @<:@disabled@:>@])],
@@ -354,7 +361,7 @@ AC_FUNC_ERROR_AT_LINE
 AC_FUNC_STAT
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS([ \
-	getpass gettimeofday memset mkdir \
+	getpass gettimeofday getline memset mkdir \
 	strdup strerror getopt_long getopt_long_only \
 	strlcpy strlcat strnlen
 ])
@@ -552,6 +559,88 @@ else
 	OPENSSL_LIBS=""
 fi
 
+
+
+PKG_CHECK_EXISTS([libeac], [PKG_CHECK_MODULES([OPENPACE], [libeac >= 0.9])],
+                 [AC_MSG_WARN([libeac not found by pkg-config])])
+
+saved_CPPFLAGS="$CPPFLAGS"
+saved_LIBS="$LIBS"
+CPPFLAGS="$CPPFLAGS $OPENPACE_CFLAGS"
+LIBS="$LDFLAGS $OPENPACE_LIBS"
+
+have_openpace="yes"
+AC_CHECK_HEADERS(eac/eac.h, [],
+                 [ AC_MSG_WARN([OpenPACE headers not found])
+                 have_openpace="no" ])
+AC_MSG_CHECKING([for EAC_CTX_init_pace])
+AC_TRY_LINK_FUNC(EAC_CTX_init_pace, [ AC_MSG_RESULT([yes]) ],
+                 [ AC_MSG_WARN([Cannot link against libeac])
+                 have_openpace="no" ])
+
+CPPFLAGS="$saved_CPPFLAGS"
+LIBS="$saved_LIBS"
+
+
+AC_ARG_ENABLE(cvcdir,
+              AC_HELP_STRING([--enable-cvcdir=DIR],
+                             [directory containing CV certificates (default is determined by libeac)]),
+                             [cvcdir="${enableval}"],
+                             [cvcdir=false])
+if test "${cvcdir}" = false ; then
+    cvcdir="`$PKG_CONFIG libeac --variable=cvcdir`"
+fi
+if test "${cvcdir}" = "" ; then
+    AC_MSG_WARN([use --enable-cvcdir=DIR])
+fi
+CVCDIR="${cvcdir}"
+AC_SUBST(CVCDIR)
+
+AC_ARG_ENABLE(x509dir,
+              AC_HELP_STRING([--enable-x509dir=DIR],
+                             [directory containing X.509 certificates (default is determined by libeac)]),
+                             [x509dir="${enableval}"],
+                             [x509dir=false])
+if test "${x509dir}" = false ; then
+    x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
+fi
+if test -z "${x509dir}"
+then
+    x509dir="`$PKG_CONFIG libeac --variable=x509dir`"
+fi
+if test -z "${x509dir}"
+then
+    AC_MSG_WARN([use --enable-x509dir=DIR])
+fi
+X509DIR="${x509dir}"
+AC_SUBST(X509DIR)
+
+case "${enable_openpace}" in
+	no)
+		have_openpace="no"
+	;;
+	detect)
+		if test "${have_openpace}" = "yes"; then
+			enable_openpace="yes"
+		else
+			enable_openpace="no"
+		fi
+	;;
+esac
+
+if test "${enable_openpace}" = "yes"; then
+	if test "${have_openpace}" = "yes"; then
+		AC_DEFINE([ENABLE_OPENPACE], [1], [Use OpenPACE libraries and header files])
+	else
+		AC_MSG_ERROR([OpenPACE linkage required, but no OpenPACE was found])
+	fi
+else
+	OPENPACE_CFLAGS=""
+	OPENPACE_LIBS=""
+fi
+
+
+
 if test "${enable_sm}" = "yes"; then
 	AC_DEFINE([ENABLE_SM], [1], [Enable secure messaging support])
 
@@ -672,6 +761,13 @@ if test "${enable_man}" = "yes" -o "${enable_doc}" = "yes"; then
 	AC_MSG_RESULT([ok])
 fi
 
+AC_ARG_VAR([HELP2MAN],
+           [absolute path to help2man used for man page generation of npa-tool])
+AC_PATH_PROG(HELP2MAN, help2man, not found)
+AC_ARG_VAR([GENGETOPT],
+           [absolute path to gengetopt used for command line parsing of npa-tool])
+AC_PATH_PROG(GENGETOPT, gengetopt, not found)
+
 OPENSC_FEATURES=""
 if test "${enable_thread_locking}" = "yes"; then
 	OPENSC_FEATURES="${OPENSC_FEATURES} locking"
@@ -770,6 +866,7 @@ AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
 AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"])
 AM_CONDITIONAL([ENABLE_SM], [test "${enable_sm}" = "yes"])
 AM_CONDITIONAL([ENABLE_DNIE_UI], [test "${enable_dnie_ui}" = "yes"])
+AM_CONDITIONAL([ENABLE_NPATOOL], [test "${ENABLE_NPATOOL}" = "yes"])
 AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
 
 if test "${enable_pedantic}" = "yes"; then
@@ -796,7 +893,7 @@ AC_CONFIG_FILES([
 	src/Makefile
 	src/common/Makefile
 	src/libopensc/Makefile
-	src/libsm/Makefile
+	src/sm/Makefile
 	src/pkcs11/Makefile
 	src/pkcs11/versioninfo-pkcs11.rc
 	src/pkcs11/versioninfo-pkcs11-spy.rc
@@ -877,6 +974,8 @@ ZLIB_CFLAGS:             ${ZLIB_CFLAGS}
 ZLIB_LIBS:               ${ZLIB_LIBS}
 OPENSSL_CFLAGS:          ${OPENSSL_CFLAGS}
 OPENSSL_LIBS:            ${OPENSSL_LIBS}
+OPENPACE_CFLAGS:         ${OPENPACE_CFLAGS}
+OPENPACE_LIBS:           ${OPENPACE_LIBS}
 OPENCT_CFLAGS:           ${OPENCT_CFLAGS}
 OPENCT_LIBS:             ${OPENCT_LIBS}
 PCSC_CFLAGS:             ${PCSC_CFLAGS}

etc/opensc.conf.in

@@ -133,7 +133,7 @@ app default {
 	# Default: internal
 	# NOTE: When "internal" keyword is used, must be last entry
 	#
-	# card_drivers = customcos, internal;
+	card_drivers = npa, internal;
 
 	# Card driver configuration blocks.
 
@@ -145,6 +145,32 @@ app default {
 		# module = @LIBDIR@@LIB_PRE@card_customcos@DYN_LIB_EXT@;
 	# }
 
+	card_driver npa {
+		# The location of the driver library
+		module = @LIBDIR@@LIB_PRE@cardnpa@DYN_LIB_EXT@;
+
+		# German ID card requires the CAN to be verified before QES PIN. This,
+		# however, is not part of the PKCS#15 profile of the card. So for
+		# verifying the QES PIN we actually need both. The CAN may be given
+		# here. If the CAN is not given here, it will be prompted on the
+		# command line or on the reader (depending on the reader's
+		# capabilities).
+		#
+		#can = 222222;
+
+		# QES is only possible with a Comfort Reader (CAT-K), which holds a
+		# cryptographic key to authenticate itself as signature terminal (ST).
+		# We usually will use the reader's capability to sign the data.
+		# However, during developement you may specify soft certificates and
+		# keys for a ST below.
+		# The following example EAC PKI can be found in vicc's example data:
+		# https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data
+		#
+		#st_dv_certificate = ZZSTDVCA00001.cvcert;
+		#st_certificate = ZZSTTERM00001.cvcert;
+		#st_key = ZZSTTERM00001.pkcs8;
+	}
+
 	# Force using specific card driver
 	#
 	# If this option is present, OpenSC will use the supplied

src/Makefile.am

@@ -2,9 +2,9 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 EXTRA_DIST = Makefile.mak
 
 # Order IS important
-SUBDIRS = common scconf pkcs15init libopensc pkcs11 \
-	tools tests minidriver
+SUBDIRS = common scconf pkcs15init sm \
+		  libopensc pkcs11 tools tests minidriver
 
 if ENABLE_SM
-SUBDIRS += libsm smm
+SUBDIRS += smm
 endif

src/Makefile.mak

@@ -1,6 +1,7 @@
 TOPDIR = ..
 
-SUBDIRS = common scconf libsm pkcs15init libopensc pkcs11 tools tests
+SUBDIRS = common scconf sm pkcs15init \
+		  libopensc pkcs11 tools tests
 
 default: all
 

src/libopensc/Makefile.am

@@ -4,15 +4,15 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
 EXTRA_DIST = Makefile.mak
 
-lib_LTLIBRARIES = libopensc.la
+lib_LTLIBRARIES = libopensc.la libcardnpa.la
 noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem.h \
 	internal-winscard.h p15card-helper.h pkcs15-syn.h \
 	opensc.h pkcs15.h \
 	cardctl.h asn1.h log.h simpletlv.h \
 	errors.h types.h compression.h itacns.h iso7816.h \
 	authentic.h iasecc.h iasecc-sdo.h sm.h card-sc-hsm.h \
 	pace.h cwa14890.h cwa-dnie.h card-gids.h aux-data.h \
-	jpki.h sc-ossl-compat.h
+	jpki.h sc-ossl-compat.h card-npa.h
 
 AM_CPPFLAGS = -DOPENSC_CONF_PATH=\"$(sysconfdir)/opensc.conf\" \
 	-I$(top_srcdir)/src
@@ -63,6 +63,7 @@ libopensc_la_LIBADD = $(OPTIONAL_OPENSSL_LIBS) $(OPTIONAL_OPENCT_LIBS) \
 	$(top_builddir)/src/pkcs15init/libpkcs15init.la \
 	$(top_builddir)/src/scconf/libscconf.la \
 	$(top_builddir)/src/common/libscdl.la \
+	$(top_builddir)/src/sm/libsmeac.la \
 	$(top_builddir)/src/common/libcompat.la
 if WIN32
 libopensc_la_LIBADD += -lws2_32
@@ -72,6 +73,16 @@ libopensc_la_LDFLAGS = $(AM_LDFLAGS) \
 	-export-symbols "$(srcdir)/libopensc.exports" \
 	-no-undefined
 
+libcardnpa_la_SOURCES = card-npa.c  cardnpa.exports
+libcardnpa_la_LIBADD = $(OPENPACE_LIBS) \
+					   $(top_builddir)/src/common/libcompat.la \
+					   libopensc.la
+libcardnpa_la_CFLAGS = -I$(top_srcdir)/src $(OPENPACE_CFLAGS) $(OPENSSL_CFLAGS)
+libcardnpa_la_LDFLAGS = $(AM_LDFLAGS) \
+						-version-info @OPENSC_LT_CURRENT@:@OPENSC_LT_REVISION@:@OPENSC_LT_AGE@ \
+						-export-symbols "$(srcdir)/cardnpa.exports" \
+						-no-undefined
+
 if WIN32
 # def file required for MS users to build library
 mylibdir=$(libdir)

src/libopensc/Makefile.mak

@@ -40,9 +40,13 @@ OBJECTS			= \
 LIBS = $(TOPDIR)\src\scconf\scconf.lib \
 	   $(TOPDIR)\src\common\common.lib \
 	   $(TOPDIR)\src\common\libscdl.lib \
+	   $(TOPDIR)\src\sm\libsmeac.lib \
 	   $(TOPDIR)\src\pkcs15init\pkcs15init.lib
 
-all: $(TOPDIR)\win32\versioninfo.res $(TARGET)
+TARGET1 = cardnpa.dll
+OBJECTS1 = card-npa.obj
+
+all: $(TOPDIR)\win32\versioninfo.res $(TARGET) $(TARGET1)
 
 !INCLUDE $(TOPDIR)\win32\Make.rules.mak
 
@@ -55,3 +59,10 @@ opensc.dll: $(OBJECTS) $(LIBS)
 
 opensc_a.lib: $(OBJECTS) $(LIBS)
 	lib $(LIBFLAGS) /out:opensc_a.lib $(OBJECTS) $(LIBS) $(OPENSSL_LIB) $(ZLIB_LIB) user32.lib advapi32.lib ws2_32.lib
+
+$(TARGET1): $(OBJECTS1) opensc_a.lib
+	echo LIBRARY $* > $*.def
+	echo EXPORTS >> $*.def
+	type $*.exports >> $*.def
+	link /dll $(LINKFLAGS) /def:$*.def /implib:$*.lib /out:$(TARGET1) $(OBJECTS1) opensc_a.lib $(ZLIB_LIB) $(OPENPACE_LIB) $(OPENSSL_LIB) ws2_32.lib gdi32.lib advapi32.lib Crypt32.lib User32.lib
+	if EXIST $(TARGET).manifest mt -manifest $(TARGET1).manifest -outputresource:$(TARGET1);2