use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.
the class PACEStep method perform.
@Override
public DIDAuthenticateResponse perform(DIDAuthenticate request, Map<String, Object> internalData) {
// get context to save values in
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
DIDAuthenticate didAuthenticate = request;
DIDAuthenticateResponse response = new DIDAuthenticateResponse();
ConnectionHandleType conHandle = (ConnectionHandleType) dynCtx.get(TR03112Keys.CONNECTION_HANDLE);
try {
ObjectSchemaValidator valid = (ObjectSchemaValidator) dynCtx.getPromise(EACProtocol.SCHEMA_VALIDATOR).deref();
boolean messageValid = valid.validateObject(request);
if (!messageValid) {
String msg = "Validation of the EAC1InputType message failed.";
LOG.error(msg);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
return response;
}
} catch (ObjectValidatorException ex) {
String msg = "Validation of the EAC1InputType message failed due to invalid input data.";
LOG.error(msg, ex);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
return response;
} catch (InterruptedException ex) {
String msg = "Thread interrupted while waiting for schema validator instance.";
LOG.error(msg, ex);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
return response;
}
if (!ByteUtils.compare(conHandle.getSlotHandle(), didAuthenticate.getConnectionHandle().getSlotHandle())) {
String msg = "Invalid connection handle given in DIDAuthenticate message.";
Result r = WSHelper.makeResultError(ECardConstants.Minor.SAL.UNKNOWN_HANDLE, msg);
response.setResult(r);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
return response;
}
byte[] slotHandle = conHandle.getSlotHandle();
dynCtx.put(EACProtocol.SLOT_HANDLE, slotHandle);
dynCtx.put(EACProtocol.DISPATCHER, dispatcher);
try {
EAC1InputType eac1Input = new EAC1InputType(didAuthenticate.getAuthenticationProtocolData());
EAC1OutputType eac1Output = eac1Input.getOutputType();
AuthenticatedAuxiliaryData aad = new AuthenticatedAuxiliaryData(eac1Input.getAuthenticatedAuxiliaryData());
byte pinID = PasswordID.valueOf(didAuthenticate.getDIDName()).getByte();
final String passwordType = PasswordID.parse(pinID).getString();
// determine PACE capabilities of the terminal
boolean nativePace = genericPACESupport(conHandle);
dynCtx.put(EACProtocol.IS_NATIVE_PACE, nativePace);
// Certificate chain
CardVerifiableCertificateChain certChain = new CardVerifiableCertificateChain(eac1Input.getCertificates());
byte[] rawCertificateDescription = eac1Input.getCertificateDescription();
CertificateDescription certDescription = CertificateDescription.getInstance(rawCertificateDescription);
// put CertificateDescription into DynamicContext which is needed for later checks
dynCtx.put(TR03112Keys.ESERVICE_CERTIFICATE_DESC, certDescription);
// according to BSI-INSTANCE_KEY-7 we MUST perform some checks immediately after receiving the eService cert
Result activationChecksResult = performChecks(certDescription, dynCtx);
if (!ECardConstants.Major.OK.equals(activationChecksResult.getResultMajor())) {
response.setResult(activationChecksResult);
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
return response;
}
CHAT requiredCHAT = new CHAT(eac1Input.getRequiredCHAT());
CHAT optionalCHAT = new CHAT(eac1Input.getOptionalCHAT());
// get the PACEMarker
CardStateEntry cardState = (CardStateEntry) internalData.get(EACConstants.IDATA_CARD_STATE_ENTRY);
PACEMarkerType paceMarker = getPaceMarker(cardState, passwordType);
dynCtx.put(EACProtocol.PACE_MARKER, paceMarker);
// Verify that the certificate description matches the terminal certificate
CardVerifiableCertificate taCert = certChain.getTerminalCertificate();
CardVerifiableCertificateVerifier.verify(taCert, certDescription);
// Verify that the required CHAT matches the terminal certificate's CHAT
CHAT taCHAT = taCert.getCHAT();
// an other role.
if (taCHAT.getRole() != CHAT.Role.AUTHENTICATION_TERMINAL) {
String msg = "Unsupported terminal type in Terminal Certificate referenced. Refernced terminal type is " + taCHAT.getRole().toString() + ".";
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
return response;
}
CHATVerifier.verfiy(taCHAT, requiredCHAT);
// remove overlapping values from optional chat
optionalCHAT.restrictAccessRights(taCHAT);
// Prepare data in DIDAuthenticate for GUI
final EACData eacData = new EACData();
eacData.didRequest = didAuthenticate;
eacData.certificate = certChain.getTerminalCertificate();
eacData.certificateDescription = certDescription;
eacData.rawCertificateDescription = rawCertificateDescription;
eacData.transactionInfo = eac1Input.getTransactionInfo();
eacData.requiredCHAT = requiredCHAT;
eacData.optionalCHAT = optionalCHAT;
eacData.selectedCHAT = requiredCHAT;
eacData.aad = aad;
eacData.pinID = pinID;
eacData.passwordType = passwordType;
dynCtx.put(EACProtocol.EAC_DATA, eacData);
// get initial pin status
InputAPDUInfoType input = new InputAPDUInfoType();
input.setInputAPDU(new byte[] { (byte) 0x00, (byte) 0x22, (byte) 0xC1, (byte) 0xA4, (byte) 0x0F, (byte) 0x80, (byte) 0x0A, (byte) 0x04, (byte) 0x00, (byte) 0x7F, (byte) 0x00, (byte) 0x07, (byte) 0x02, (byte) 0x02, (byte) 0x04, (byte) 0x02, (byte) 0x02, (byte) 0x83, (byte) 0x01, (byte) 0x03 });
input.getAcceptableStatusCode().addAll(EacPinStatus.getCodes());
Transmit transmit = new Transmit();
transmit.setSlotHandle(slotHandle);
transmit.getInputAPDUInfo().add(input);
TransmitResponse pinCheckResponse = (TransmitResponse) dispatcher.safeDeliver(transmit);
WSHelper.checkResult(pinCheckResponse);
byte[] output = pinCheckResponse.getOutputAPDU().get(0);
CardResponseAPDU outputApdu = new CardResponseAPDU(output);
byte[] status = outputApdu.getStatusBytes();
dynCtx.put(EACProtocol.PIN_STATUS, EacPinStatus.fromCode(status));
// define GUI depending on the PIN status
final UserConsentDescription uc = new UserConsentDescription(LANG.translationForKey(TITLE));
final CardMonitor cardMon;
uc.setDialogType("EAC");
// create GUI and init executor
cardMon = new CardMonitor();
CardRemovedFilter filter = new CardRemovedFilter(conHandle.getIFDName(), conHandle.getSlotIndex());
eventDispatcher.add(cardMon, filter);
CVCStep cvcStep = new CVCStep(eacData);
cvcStep.setBackgroundTask(cardMon);
CVCStepAction cvcStepAction = new CVCStepAction(cvcStep);
cvcStep.setAction(cvcStepAction);
uc.getSteps().add(cvcStep);
uc.getSteps().add(CHATStep.createDummy());
uc.getSteps().add(PINStep.createDummy(passwordType));
ProcessingStep procStep = new ProcessingStep();
ProcessingStepAction procStepAction = new ProcessingStepAction(procStep);
procStep.setAction(procStepAction);
uc.getSteps().add(procStep);
Thread guiThread = new Thread(new Runnable() {
@Override
public void run() {
try {
// get context here because it is thread local
DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
if (!uc.getSteps().isEmpty()) {
UserConsentNavigator navigator = gui.obtainNavigator(uc);
dynCtx.put(TR03112Keys.OPEN_USER_CONSENT_NAVIGATOR, navigator);
ExecutionEngine exec = new ExecutionEngine(navigator);
ResultStatus guiResult = exec.process();
dynCtx.put(EACProtocol.GUI_RESULT, guiResult);
if (guiResult == ResultStatus.CANCEL) {
Promise<Object> pPaceSuccessful = dynCtx.getPromise(EACProtocol.PACE_EXCEPTION);
if (!pPaceSuccessful.isDelivered()) {
pPaceSuccessful.deliver(WSHelper.createException(WSHelper.makeResultError(ECardConstants.Minor.SAL.CANCELLATION_BY_USER, "User canceled the PACE dialog.")));
}
}
}
} finally {
if (cardMon != null) {
eventDispatcher.del(cardMon);
}
}
}
}, "EAC-GUI");
guiThread.start();
// wait for PACE to finish
Promise<Object> pPaceException = dynCtx.getPromise(EACProtocol.PACE_EXCEPTION);
Object pPaceError = pPaceException.deref();
if (pPaceError != null) {
if (pPaceError instanceof WSHelper.WSException) {
response.setResult(((WSHelper.WSException) pPaceError).getResult());
return response;
} else if (pPaceError instanceof DispatcherException | pPaceError instanceof InvocationTargetException) {
String msg = "Internal error while PACE authentication.";
Result r = WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg);
response.setResult(r);
return response;
} else {
String msg = "Unknown error while PACE authentication.";
Result r = WSHelper.makeResultError(ECardConstants.Minor.App.UNKNOWN_ERROR, msg);
response.setResult(r);
return response;
}
}
// get challenge from card
TerminalAuthentication ta = new TerminalAuthentication(dispatcher, slotHandle);
byte[] challenge = ta.getChallenge();
// prepare DIDAuthenticationResponse
DIDAuthenticationDataType data = eacData.paceResponse.getAuthenticationProtocolData();
AuthDataMap paceOutputMap = new AuthDataMap(data);
// int retryCounter = Integer.valueOf(paceOutputMap.getContentAsString(PACEOutputType.RETRY_COUNTER));
byte[] efCardAccess = paceOutputMap.getContentAsBytes(PACEOutputType.EF_CARD_ACCESS);
byte[] currentCAR = paceOutputMap.getContentAsBytes(PACEOutputType.CURRENT_CAR);
byte[] previousCAR = paceOutputMap.getContentAsBytes(PACEOutputType.PREVIOUS_CAR);
byte[] idpicc = paceOutputMap.getContentAsBytes(PACEOutputType.ID_PICC);
// Store SecurityInfos
SecurityInfos securityInfos = SecurityInfos.getInstance(efCardAccess);
internalData.put(EACConstants.IDATA_SECURITY_INFOS, securityInfos);
// Store additional data
internalData.put(EACConstants.IDATA_AUTHENTICATED_AUXILIARY_DATA, aad);
internalData.put(EACConstants.IDATA_CERTIFICATES, certChain);
internalData.put(EACConstants.IDATA_CURRENT_CAR, currentCAR);
internalData.put(EACConstants.IDATA_PREVIOUS_CAR, previousCAR);
internalData.put(EACConstants.IDATA_CHALLENGE, challenge);
// Create response
// eac1Output.setRetryCounter(retryCounter);
eac1Output.setCHAT(eacData.selectedCHAT.toByteArray());
eac1Output.setCurrentCAR(currentCAR);
eac1Output.setPreviousCAR(previousCAR);
eac1Output.setEFCardAccess(efCardAccess);
eac1Output.setIDPICC(idpicc);
eac1Output.setChallenge(challenge);
response.setResult(WSHelper.makeResultOK());
response.setAuthenticationProtocolData(eac1Output.getAuthDataType());
} catch (CertificateException ex) {
LOG.error(ex.getMessage(), ex);
String msg = ex.getMessage();
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.SAL.EAC.DOC_VALID_FAILED, msg));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
} catch (WSHelper.WSException e) {
LOG.error(e.getMessage(), e);
response.setResult(e.getResult());
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
} catch (ElementParsingException ex) {
LOG.error(ex.getMessage(), ex);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, ex.getMessage()));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
} catch (Exception e) {
LOG.error(e.getMessage(), e);
response.setResult(WSHelper.makeResultUnknownError(e.getMessage()));
dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
}
return response;
}
use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.
the class PACEProtocol method establish.
@Override
public EstablishChannelResponse establish(EstablishChannel req, Dispatcher dispatcher, UserConsent gui) {
EstablishChannelResponse response = new EstablishChannelResponse();
try {
// Get parameters for the PACE protocol
PACEInputType paceInput = new PACEInputType(req.getAuthenticationProtocolData());
byte[] pin;
byte pinID = paceInput.getPINID();
byte[] chat = paceInput.getCHAT();
if (paceInput.getPIN() == null || paceInput.getPIN().isEmpty()) {
// GUI request
GUIContentMap content = new GUIContentMap();
content.add(GUIContentMap.ELEMENT.PIN_ID, pinID);
PACEUserConsent paceUserConsent = new PACEUserConsent(gui);
paceUserConsent.show(content);
pin = ((String) content.get(GUIContentMap.ELEMENT.PIN)).getBytes(PACEConstants.PIN_CHARSET);
} else {
pin = paceInput.getPIN().getBytes(PACEConstants.PIN_CHARSET);
}
if (pin == null || pin.length == 0) {
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.IFD.CANCELLATION_BY_USER, "No PIN was entered."));
return response;
}
// Read EF.CardAccess from card
byte[] slotHandle = req.getSlotHandle();
CardResponseAPDU resp = CardUtils.selectFileWithOptions(dispatcher, slotHandle, ShortUtils.toByteArray(PACEConstants.EF_CARDACCESS_FID), null, CardUtils.FCP_RESPONSE_DATA);
FCP efCardAccessFCP = new FCP(TLV.fromBER(resp.getData()));
byte[] efcadata = CardUtils.readFile(efCardAccessFCP, dispatcher, slotHandle);
// Parse SecurityInfos and get PACESecurityInfos
SecurityInfos sis = SecurityInfos.getInstance(efcadata);
EFCardAccess efca = new EFCardAccess(sis);
PACESecurityInfos psi = efca.getPACESecurityInfos();
// Start PACE
PACEImplementation pace = new PACEImplementation(dispatcher, slotHandle, psi);
pace.execute(pin, pinID, chat);
// Establish Secure Messaging channel
sm = new SecureMessaging(pace.getKeyMAC(), pace.getKeyENC());
// Create AuthenticationProtocolData (PACEOutputType)
PACEOutputType paceOutput = paceInput.getOutputType();
paceOutput.setEFCardAccess(efcadata);
paceOutput.setCurrentCAR(pace.getCurrentCAR());
paceOutput.setPreviousCAR(pace.getPreviousCAR());
paceOutput.setIDPICC(pace.getIDPICC());
paceOutput.setRetryCounter(pace.getRetryCounter());
// Create EstablishChannelResponse
response.setResult(WSHelper.makeResultOK());
response.setAuthenticationProtocolData(paceOutput.getAuthDataType());
} catch (UnsupportedEncodingException ex) {
logger.error(ex.getMessage(), ex);
response.setResult(WSHelper.makeResultError(ECardConstants.Minor.IFD.IO.UNKNOWN_PIN_FORMAT, "Cannot encode the PIN in " + PACEConstants.PIN_CHARSET + " charset."));
} catch (ProtocolException ex) {
logger.error(ex.getMessage(), ex);
response.setResult(WSHelper.makeResult(ex));
} catch (Throwable ex) {
logger.error(ex.getMessage(), ex);
response.setResult(WSHelper.makeResult(ex));
}
return response;
}
use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.
the class EFCardAccessTest method init.
@BeforeTest
public void init() throws Exception {
// Standardized Domain Parameters
byte[] data = loadTestFile("EF_CardAccess.bin");
SecurityInfos sis = SecurityInfos.getInstance(data);
efcaA = new EFCardAccess(sis);
// Proprietary Domain Parameters
data = loadTestFile("EF_CardAccess_pdp.bin");
sis = SecurityInfos.getInstance(data);
efcaB = new EFCardAccess(sis);
}
use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.
the class EFCardAccess method decodeSecurityInfos.
/**
* Decode the SecurityInfos.
*/
private void decodeSecurityInfos() {
final ASN1Set securityinfos = sis.getSecurityInfos();
final int length = securityinfos.size();
psi = new PACESecurityInfos();
tsi = new TASecurityInfos();
csi = new CASecurityInfos();
for (int i = 0; i < length; i++) {
ASN1Sequence securityInfo = (ASN1Sequence) securityinfos.getObjectAt(i);
String oid = securityInfo.getObjectAt(0).toString();
// PACEInfo (REQUIRED)
if (PACEInfo.isPACEObjectIdentifer(oid)) {
_logger.debug("Found PACEInfo object identifier");
PACEInfo pi = new PACEInfo(securityInfo);
psi.addPACEInfo(pi);
} else // PACEDoaminParameterInfo (CONDITIONAL)
if (PACEDomainParameterInfo.isPACEObjectIdentifer(oid)) {
_logger.debug("Found PACEDomainParameterInfo object identifier");
PACEDomainParameterInfo pdp = new PACEDomainParameterInfo(securityInfo);
psi.addPACEDomainParameterInfo(pdp);
} else // ChipAuthenticationInfo (CONDITIONAL)
if (CAInfo.isObjectIdentifier(oid)) {
_logger.debug("Found ChipAuthenticationInfo object identifier");
CAInfo ci = new CAInfo(securityInfo);
csi.addCAInfo(ci);
} else // ChipAuthenticationDomainParameterInfo (CONDITIONAL)
if (CADomainParameterInfo.isObjectIdentifier(oid)) {
_logger.debug("Found ChipAuthenticationDomainParameterInfo object identifier");
CADomainParameterInfo cdp = new CADomainParameterInfo(securityInfo);
csi.addCADomainParameterInfo(cdp);
} else // TerminalAuthenticationInfo (CONDITIONAL)
if (EACObjectIdentifier.id_TA.equals(oid)) {
_logger.debug("Found TerminalAuthenticationInfo object identifier");
TAInfo ta = new TAInfo(securityInfo);
tsi.addTAInfo(ta);
} else // CardInfoLocator (RECOMMENDED)
if (EACObjectIdentifier.id_CI.equals(oid)) {
_logger.debug("Found CardInfoLocator object identifier");
cil = CardInfoLocator.getInstance(securityInfo);
} else // PrivilegedTerminalInfo (CONDITIONAL)
if (EACObjectIdentifier.id_PT.equals(oid)) {
_logger.debug("Found PrivilegedTerminalInfo object identifier");
pti = PrivilegedTerminalInfo.getInstance(securityInfo);
} else {
_logger.debug("Found unknown object identifier: {}", oid.toString());
}
}
}
use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.
the class AuthenticationHelper method performAuth.
public EAC2OutputType performAuth(EAC2OutputType eac2Output, Map<String, Object> internalData) throws ProtocolException, TLVException {
// get needed values from context
CardVerifiableCertificate terminalCertificate;
terminalCertificate = (CardVerifiableCertificate) internalData.get(EACConstants.IDATA_TERMINAL_CERTIFICATE);
byte[] key = (byte[]) internalData.get(EACConstants.IDATA_PK_PCD);
byte[] signature = (byte[]) internalData.get(EACConstants.IDATA_SIGNATURE);
SecurityInfos securityInfos = (SecurityInfos) internalData.get(EACConstants.IDATA_SECURITY_INFOS);
AuthenticatedAuxiliaryData aadObj;
aadObj = (AuthenticatedAuxiliaryData) internalData.get(EACConstants.IDATA_AUTHENTICATED_AUXILIARY_DATA);
// ///////////////////////////////////////////////////////////////////
// BEGIN TA PART
// ///////////////////////////////////////////////////////////////////
// TA: Step 2 - MSE:SET AT
byte[] oid = ObjectIdentifierUtils.getValue(terminalCertificate.getPublicKey().getObjectIdentifier());
byte[] chr = terminalCertificate.getCHR().toByteArray();
byte[] aad = aadObj.getData();
// Calculate comp(key)
EFCardAccess efca = new EFCardAccess(securityInfos);
CASecurityInfos cas = efca.getCASecurityInfos();
CADomainParameter cdp = new CADomainParameter(cas);
CAKey caKey = new CAKey(cdp);
caKey.decodePublicKey(key);
byte[] compKey = caKey.getEncodedCompressedPublicKey();
// TA: Step 4 - MSE SET AT
ta.mseSetAT(oid, chr, compKey, aad);
// TA: Step 4 - External Authentication
ta.externalAuthentication(signature);
// ///////////////////////////////////////////////////////////////////
// END TA PART
// ///////////////////////////////////////////////////////////////////
// ///////////////////////////////////////////////////////////////////
// BEGIN CA PART
// ///////////////////////////////////////////////////////////////////
// Read EF.CardSecurity
byte[] efCardSecurity = ca.readEFCardSecurity();
// CA: Step 1 - MSE:SET AT
byte[] oID = ObjectIdentifierUtils.getValue(cas.getCAInfo().getProtocol());
byte[] keyID = IntegerUtils.toByteArray(cas.getCAInfo().getKeyID());
ca.mseSetAT(oID, keyID);
// CA: Step 2 - General Authenticate
byte[] responseData = ca.generalAuthenticate(key);
TLV tlv = TLV.fromBER(responseData);
byte[] nonce = tlv.findChildTags(0x81).get(0).getValue();
byte[] token = tlv.findChildTags(0x82).get(0).getValue();
// Disable Secure Messaging
ca.destroySecureChannel();
// ///////////////////////////////////////////////////////////////////
// END CA PART
// ///////////////////////////////////////////////////////////////////
// Create response
eac2Output.setEFCardSecurity(efCardSecurity);
eac2Output.setNonce(nonce);
eac2Output.setToken(token);
return eac2Output;
}
Aggregations