Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

key protection

  • Loading branch information...
commit 34314e44670c5d5873ff62e68f99c4274b2ab63c 1 parent 64b78c0
@pacew authored
Showing with 29 additions and 31 deletions.
  1. +5 −5 src/pkcs15init/acos5.profile
  2. +24 −26 src/pkcs15init/pkcs15-acos5.c
View
10 src/pkcs15init/acos5.profile
@@ -170,19 +170,19 @@ filesystem {
EF template-private-key {
type = internal-ef;
file-id = 4B11;
- acl = *=NEVER, CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ acl = *=NEVER, CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN
}
EF template-hw-public-key {
type = internal-ef;
file-id = 5b11;
- acl = *=NEVER, CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ ACL = READ=$PIN, CRYPTO=$PIN, UPDATE=$PIN, DELETE=NONE
}
EF template-public-key {
structure = transparent;
file-id = 5511;
- acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, CRYPTO=$PIN;
}
EF template-certificate {
@@ -197,12 +197,12 @@ filesystem {
EF private-key {
file-id = 4B11;
type = internal-ef;
- acl = *=NEVER, CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ acl = *=NEVER, CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN
}
EF public-key {
file-id = 5511;
structure = transparent;
- acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, CRYPTO=$PIN;
}
# Certificate template
View
50 src/pkcs15init/pkcs15-acos5.c
@@ -526,8 +526,6 @@ acos5_create_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
size_t bytes, mod_len, exp_len, prv_len, pub_len;
int r, algo;
struct sc_file *found = NULL;
- u8 sec_attr[100], *p;
- int sec_attr_len;
SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_VERBOSE);
@@ -549,28 +547,24 @@ acos5_create_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
*/
keyfile->size = 5 + 5 * (key_info->modulus_length / 8 / 2);
- if ((r = sc_pkcs15init_fixup_file(profile, p15card, keyfile)) < 0)
+ r = sc_pkcs15init_fixup_file(profile, p15card, keyfile);
+ if (r < 0)
goto done;
- r = sc_select_file(card, &keyfile->path, &found);
- if (r == SC_ERROR_FILE_NOT_FOUND) {
- p = sec_attr;
- *p++ = 0x8d;
- *p++ = 2;
- *p++ = (ACOS5_MAIN_SE_FILE >> 8) & 0xff;
- *p++ = ACOS5_MAIN_SE_FILE & 0xff;
- sec_attr_len = p - sec_attr;
- sc_file_set_sec_attr(keyfile, sec_attr, sec_attr_len);
-
- r = sc_pkcs15init_create_file(profile, p15card, keyfile);
- if (r >= 0)
+ acos5_sec_attr (keyfile);
+
+ r = sc_pkcs15init_create_file(profile, p15card, keyfile);
+ if (r >= 0)
r = sc_select_file(card, &keyfile->path, &found);
- }
if (r >= 0)
r = sc_pkcs15init_authenticate(profile, p15card, keyfile,
SC_AC_OP_UPDATE);
+ r = acos5_activate_file (card, keyfile);
+ SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r,
+ "error activating key file");
+
done:
if (found)
sc_file_free(found);
@@ -634,8 +628,7 @@ acos5_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
sc_apdu_t apdu;
sc_path_t *prkey_path, *pukey_path;
int len;
- u8 sec_attr[100], *p;
- int sec_attr_len;
+ u8 *p;
int pukey_raw_size;
u8 pukey_raw[5 + 8 + 2048 / 8];
u8 *exponent_raw, exponent[8];
@@ -680,13 +673,9 @@ acos5_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
pukey_raw_size = 5 + 8 + key_info->modulus_length / 8;
pukey_file->size = pukey_raw_size;
- p = sec_attr;
- *p++ = 0x8d;
- *p++ = 2;
- *p++ = (ACOS5_MAIN_SE_FILE >> 8) & 0xff;
- *p++ = ACOS5_MAIN_SE_FILE & 0xff;
- sec_attr_len = p - sec_attr;
- sc_file_set_sec_attr(pukey_file, sec_attr, sec_attr_len);
+ r = sc_pkcs15init_fixup_file (profile, p15card, pukey_file);
+ SC_TEST_RET(ctx, SC_LOG_DEBUG_VERBOSE, r, "fixup_file");
+ acos5_sec_attr (pukey_file);
r = sc_create_file(card, pukey_file);
if (r < 0 && r != SC_ERROR_FILE_ALREADY_EXISTS)
@@ -694,7 +683,7 @@ acos5_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
/* now set up for telling the card to generate the new key pair */
r = sc_pkcs15init_authenticate(profile, p15card, prkey_file,
- SC_AC_OP_GENERATE);
+ SC_AC_OP_CRYPTO);
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r,
"No authorisation to generate private key");
@@ -762,6 +751,10 @@ acos5_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
pubkey->u.rsa.modulus.len = len;
pubkey->u.rsa.modulus.data = p;
+ r = acos5_activate_file (card, pukey_file);
+ SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r,
+ "error activating public key file");
+
/*
* the memory allocated for the exponent and modulus will be
* freed in sc_pkcs15_erase_pubkey()
@@ -852,6 +845,11 @@ acos5_store_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r,
"unable to select rsa private key file");
+ r = sc_pkcs15init_authenticate(profile, p15card, prkey_file,
+ SC_AC_OP_UPDATE);
+ SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r,
+ "can't authenticate for rsa private key file");
+
/* make public key path, copying low byte of file id from private key */
r = sc_profile_get_file(profile, "template-hw-public-key",
&pukey_file);
Please sign in to comment.
Something went wrong with that request. Please try again.