Search in sources :

Example 1 with SecurityInfos

use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.

the class PACEStep method perform.

@Override
public DIDAuthenticateResponse perform(DIDAuthenticate request, Map<String, Object> internalData) {
    // get context to save values in
    DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
    DIDAuthenticate didAuthenticate = request;
    DIDAuthenticateResponse response = new DIDAuthenticateResponse();
    ConnectionHandleType conHandle = (ConnectionHandleType) dynCtx.get(TR03112Keys.CONNECTION_HANDLE);
    try {
        ObjectSchemaValidator valid = (ObjectSchemaValidator) dynCtx.getPromise(EACProtocol.SCHEMA_VALIDATOR).deref();
        boolean messageValid = valid.validateObject(request);
        if (!messageValid) {
            String msg = "Validation of the EAC1InputType message failed.";
            LOG.error(msg);
            dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
            response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
            return response;
        }
    } catch (ObjectValidatorException ex) {
        String msg = "Validation of the EAC1InputType message failed due to invalid input data.";
        LOG.error(msg, ex);
        dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
        response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
        return response;
    } catch (InterruptedException ex) {
        String msg = "Thread interrupted while waiting for schema validator instance.";
        LOG.error(msg, ex);
        dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
        response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg));
        return response;
    }
    if (!ByteUtils.compare(conHandle.getSlotHandle(), didAuthenticate.getConnectionHandle().getSlotHandle())) {
        String msg = "Invalid connection handle given in DIDAuthenticate message.";
        Result r = WSHelper.makeResultError(ECardConstants.Minor.SAL.UNKNOWN_HANDLE, msg);
        response.setResult(r);
        dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
        return response;
    }
    byte[] slotHandle = conHandle.getSlotHandle();
    dynCtx.put(EACProtocol.SLOT_HANDLE, slotHandle);
    dynCtx.put(EACProtocol.DISPATCHER, dispatcher);
    try {
        EAC1InputType eac1Input = new EAC1InputType(didAuthenticate.getAuthenticationProtocolData());
        EAC1OutputType eac1Output = eac1Input.getOutputType();
        AuthenticatedAuxiliaryData aad = new AuthenticatedAuxiliaryData(eac1Input.getAuthenticatedAuxiliaryData());
        byte pinID = PasswordID.valueOf(didAuthenticate.getDIDName()).getByte();
        final String passwordType = PasswordID.parse(pinID).getString();
        // determine PACE capabilities of the terminal
        boolean nativePace = genericPACESupport(conHandle);
        dynCtx.put(EACProtocol.IS_NATIVE_PACE, nativePace);
        // Certificate chain
        CardVerifiableCertificateChain certChain = new CardVerifiableCertificateChain(eac1Input.getCertificates());
        byte[] rawCertificateDescription = eac1Input.getCertificateDescription();
        CertificateDescription certDescription = CertificateDescription.getInstance(rawCertificateDescription);
        // put CertificateDescription into DynamicContext which is needed for later checks
        dynCtx.put(TR03112Keys.ESERVICE_CERTIFICATE_DESC, certDescription);
        // according to BSI-INSTANCE_KEY-7 we MUST perform some checks immediately after receiving the eService cert
        Result activationChecksResult = performChecks(certDescription, dynCtx);
        if (!ECardConstants.Major.OK.equals(activationChecksResult.getResultMajor())) {
            response.setResult(activationChecksResult);
            dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
            return response;
        }
        CHAT requiredCHAT = new CHAT(eac1Input.getRequiredCHAT());
        CHAT optionalCHAT = new CHAT(eac1Input.getOptionalCHAT());
        // get the PACEMarker
        CardStateEntry cardState = (CardStateEntry) internalData.get(EACConstants.IDATA_CARD_STATE_ENTRY);
        PACEMarkerType paceMarker = getPaceMarker(cardState, passwordType);
        dynCtx.put(EACProtocol.PACE_MARKER, paceMarker);
        // Verify that the certificate description matches the terminal certificate
        CardVerifiableCertificate taCert = certChain.getTerminalCertificate();
        CardVerifiableCertificateVerifier.verify(taCert, certDescription);
        // Verify that the required CHAT matches the terminal certificate's CHAT
        CHAT taCHAT = taCert.getCHAT();
        // an other role.
        if (taCHAT.getRole() != CHAT.Role.AUTHENTICATION_TERMINAL) {
            String msg = "Unsupported terminal type in Terminal Certificate referenced. Refernced terminal type is " + taCHAT.getRole().toString() + ".";
            response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, msg));
            dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
            return response;
        }
        CHATVerifier.verfiy(taCHAT, requiredCHAT);
        // remove overlapping values from optional chat
        optionalCHAT.restrictAccessRights(taCHAT);
        // Prepare data in DIDAuthenticate for GUI
        final EACData eacData = new EACData();
        eacData.didRequest = didAuthenticate;
        eacData.certificate = certChain.getTerminalCertificate();
        eacData.certificateDescription = certDescription;
        eacData.rawCertificateDescription = rawCertificateDescription;
        eacData.transactionInfo = eac1Input.getTransactionInfo();
        eacData.requiredCHAT = requiredCHAT;
        eacData.optionalCHAT = optionalCHAT;
        eacData.selectedCHAT = requiredCHAT;
        eacData.aad = aad;
        eacData.pinID = pinID;
        eacData.passwordType = passwordType;
        dynCtx.put(EACProtocol.EAC_DATA, eacData);
        // get initial pin status
        InputAPDUInfoType input = new InputAPDUInfoType();
        input.setInputAPDU(new byte[] { (byte) 0x00, (byte) 0x22, (byte) 0xC1, (byte) 0xA4, (byte) 0x0F, (byte) 0x80, (byte) 0x0A, (byte) 0x04, (byte) 0x00, (byte) 0x7F, (byte) 0x00, (byte) 0x07, (byte) 0x02, (byte) 0x02, (byte) 0x04, (byte) 0x02, (byte) 0x02, (byte) 0x83, (byte) 0x01, (byte) 0x03 });
        input.getAcceptableStatusCode().addAll(EacPinStatus.getCodes());
        Transmit transmit = new Transmit();
        transmit.setSlotHandle(slotHandle);
        transmit.getInputAPDUInfo().add(input);
        TransmitResponse pinCheckResponse = (TransmitResponse) dispatcher.safeDeliver(transmit);
        WSHelper.checkResult(pinCheckResponse);
        byte[] output = pinCheckResponse.getOutputAPDU().get(0);
        CardResponseAPDU outputApdu = new CardResponseAPDU(output);
        byte[] status = outputApdu.getStatusBytes();
        dynCtx.put(EACProtocol.PIN_STATUS, EacPinStatus.fromCode(status));
        // define GUI depending on the PIN status
        final UserConsentDescription uc = new UserConsentDescription(LANG.translationForKey(TITLE));
        final CardMonitor cardMon;
        uc.setDialogType("EAC");
        // create GUI and init executor
        cardMon = new CardMonitor();
        CardRemovedFilter filter = new CardRemovedFilter(conHandle.getIFDName(), conHandle.getSlotIndex());
        eventDispatcher.add(cardMon, filter);
        CVCStep cvcStep = new CVCStep(eacData);
        cvcStep.setBackgroundTask(cardMon);
        CVCStepAction cvcStepAction = new CVCStepAction(cvcStep);
        cvcStep.setAction(cvcStepAction);
        uc.getSteps().add(cvcStep);
        uc.getSteps().add(CHATStep.createDummy());
        uc.getSteps().add(PINStep.createDummy(passwordType));
        ProcessingStep procStep = new ProcessingStep();
        ProcessingStepAction procStepAction = new ProcessingStepAction(procStep);
        procStep.setAction(procStepAction);
        uc.getSteps().add(procStep);
        Thread guiThread = new Thread(new Runnable() {

            @Override
            public void run() {
                try {
                    // get context here because it is thread local
                    DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
                    if (!uc.getSteps().isEmpty()) {
                        UserConsentNavigator navigator = gui.obtainNavigator(uc);
                        dynCtx.put(TR03112Keys.OPEN_USER_CONSENT_NAVIGATOR, navigator);
                        ExecutionEngine exec = new ExecutionEngine(navigator);
                        ResultStatus guiResult = exec.process();
                        dynCtx.put(EACProtocol.GUI_RESULT, guiResult);
                        if (guiResult == ResultStatus.CANCEL) {
                            Promise<Object> pPaceSuccessful = dynCtx.getPromise(EACProtocol.PACE_EXCEPTION);
                            if (!pPaceSuccessful.isDelivered()) {
                                pPaceSuccessful.deliver(WSHelper.createException(WSHelper.makeResultError(ECardConstants.Minor.SAL.CANCELLATION_BY_USER, "User canceled the PACE dialog.")));
                            }
                        }
                    }
                } finally {
                    if (cardMon != null) {
                        eventDispatcher.del(cardMon);
                    }
                }
            }
        }, "EAC-GUI");
        guiThread.start();
        // wait for PACE to finish
        Promise<Object> pPaceException = dynCtx.getPromise(EACProtocol.PACE_EXCEPTION);
        Object pPaceError = pPaceException.deref();
        if (pPaceError != null) {
            if (pPaceError instanceof WSHelper.WSException) {
                response.setResult(((WSHelper.WSException) pPaceError).getResult());
                return response;
            } else if (pPaceError instanceof DispatcherException | pPaceError instanceof InvocationTargetException) {
                String msg = "Internal error while PACE authentication.";
                Result r = WSHelper.makeResultError(ECardConstants.Minor.App.INT_ERROR, msg);
                response.setResult(r);
                return response;
            } else {
                String msg = "Unknown error while PACE authentication.";
                Result r = WSHelper.makeResultError(ECardConstants.Minor.App.UNKNOWN_ERROR, msg);
                response.setResult(r);
                return response;
            }
        }
        // get challenge from card
        TerminalAuthentication ta = new TerminalAuthentication(dispatcher, slotHandle);
        byte[] challenge = ta.getChallenge();
        // prepare DIDAuthenticationResponse
        DIDAuthenticationDataType data = eacData.paceResponse.getAuthenticationProtocolData();
        AuthDataMap paceOutputMap = new AuthDataMap(data);
        // int retryCounter = Integer.valueOf(paceOutputMap.getContentAsString(PACEOutputType.RETRY_COUNTER));
        byte[] efCardAccess = paceOutputMap.getContentAsBytes(PACEOutputType.EF_CARD_ACCESS);
        byte[] currentCAR = paceOutputMap.getContentAsBytes(PACEOutputType.CURRENT_CAR);
        byte[] previousCAR = paceOutputMap.getContentAsBytes(PACEOutputType.PREVIOUS_CAR);
        byte[] idpicc = paceOutputMap.getContentAsBytes(PACEOutputType.ID_PICC);
        // Store SecurityInfos
        SecurityInfos securityInfos = SecurityInfos.getInstance(efCardAccess);
        internalData.put(EACConstants.IDATA_SECURITY_INFOS, securityInfos);
        // Store additional data
        internalData.put(EACConstants.IDATA_AUTHENTICATED_AUXILIARY_DATA, aad);
        internalData.put(EACConstants.IDATA_CERTIFICATES, certChain);
        internalData.put(EACConstants.IDATA_CURRENT_CAR, currentCAR);
        internalData.put(EACConstants.IDATA_PREVIOUS_CAR, previousCAR);
        internalData.put(EACConstants.IDATA_CHALLENGE, challenge);
        // Create response
        // eac1Output.setRetryCounter(retryCounter);
        eac1Output.setCHAT(eacData.selectedCHAT.toByteArray());
        eac1Output.setCurrentCAR(currentCAR);
        eac1Output.setPreviousCAR(previousCAR);
        eac1Output.setEFCardAccess(efCardAccess);
        eac1Output.setIDPICC(idpicc);
        eac1Output.setChallenge(challenge);
        response.setResult(WSHelper.makeResultOK());
        response.setAuthenticationProtocolData(eac1Output.getAuthDataType());
    } catch (CertificateException ex) {
        LOG.error(ex.getMessage(), ex);
        String msg = ex.getMessage();
        response.setResult(WSHelper.makeResultError(ECardConstants.Minor.SAL.EAC.DOC_VALID_FAILED, msg));
        dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
    } catch (WSHelper.WSException e) {
        LOG.error(e.getMessage(), e);
        response.setResult(e.getResult());
        dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
    } catch (ElementParsingException ex) {
        LOG.error(ex.getMessage(), ex);
        response.setResult(WSHelper.makeResultError(ECardConstants.Minor.App.INCORRECT_PARM, ex.getMessage()));
        dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
        response.setResult(WSHelper.makeResultUnknownError(e.getMessage()));
        dynCtx.put(EACProtocol.AUTHENTICATION_FAILED, true);
    }
    return response;
}
Also used : ConnectionHandleType(iso.std.iso_iec._24727.tech.schema.ConnectionHandleType) PACEMarkerType(org.openecard.sal.protocol.eac.anytype.PACEMarkerType) ProcessingStepAction(org.openecard.sal.protocol.eac.gui.ProcessingStepAction) CertificateException(java.security.cert.CertificateException) CardMonitor(org.openecard.sal.protocol.eac.gui.CardMonitor) UserConsentNavigator(org.openecard.gui.UserConsentNavigator) Result(oasis.names.tc.dss._1_0.core.schema.Result) ObjectValidatorException(org.openecard.common.interfaces.ObjectValidatorException) ObjectSchemaValidator(org.openecard.common.interfaces.ObjectSchemaValidator) UserConsentDescription(org.openecard.gui.definition.UserConsentDescription) DispatcherException(org.openecard.common.interfaces.DispatcherException) DIDAuthenticationDataType(iso.std.iso_iec._24727.tech.schema.DIDAuthenticationDataType) InvocationTargetException(java.lang.reflect.InvocationTargetException) Promise(org.openecard.common.util.Promise) ExecutionEngine(org.openecard.gui.executor.ExecutionEngine) AuthenticatedAuxiliaryData(org.openecard.crypto.common.asn1.eac.AuthenticatedAuxiliaryData) CardVerifiableCertificate(org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificate) AuthDataMap(org.openecard.common.anytype.AuthDataMap) CVCStepAction(org.openecard.sal.protocol.eac.gui.CVCStepAction) DynamicContext(org.openecard.common.DynamicContext) CardRemovedFilter(org.openecard.sal.protocol.eac.gui.CardRemovedFilter) CardStateEntry(org.openecard.common.sal.state.CardStateEntry) CVCStep(org.openecard.sal.protocol.eac.gui.CVCStep) CHAT(org.openecard.crypto.common.asn1.cvc.CHAT) InputAPDUInfoType(iso.std.iso_iec._24727.tech.schema.InputAPDUInfoType) ElementParsingException(org.openecard.sal.protocol.eac.anytype.ElementParsingException) EAC1OutputType(org.openecard.sal.protocol.eac.anytype.EAC1OutputType) CardResponseAPDU(org.openecard.common.apdu.common.CardResponseAPDU) CardVerifiableCertificateChain(org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificateChain) EAC1InputType(org.openecard.sal.protocol.eac.anytype.EAC1InputType) WSHelper(org.openecard.common.WSHelper) DIDAuthenticate(iso.std.iso_iec._24727.tech.schema.DIDAuthenticate) Transmit(iso.std.iso_iec._24727.tech.schema.Transmit) ResultStatus(org.openecard.gui.ResultStatus) SecurityInfos(org.openecard.crypto.common.asn1.eac.SecurityInfos) CertificateDescription(org.openecard.crypto.common.asn1.cvc.CertificateDescription) ProcessingStep(org.openecard.sal.protocol.eac.gui.ProcessingStep) DispatcherException(org.openecard.common.interfaces.DispatcherException) ObjectValidatorException(org.openecard.common.interfaces.ObjectValidatorException) InvocationTargetException(java.lang.reflect.InvocationTargetException) ElementParsingException(org.openecard.sal.protocol.eac.anytype.ElementParsingException) MalformedURLException(java.net.MalformedURLException) CertificateException(java.security.cert.CertificateException) DIDAuthenticateResponse(iso.std.iso_iec._24727.tech.schema.DIDAuthenticateResponse) TransmitResponse(iso.std.iso_iec._24727.tech.schema.TransmitResponse)

Example 2 with SecurityInfos

use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.

the class PACEProtocol method establish.

@Override
public EstablishChannelResponse establish(EstablishChannel req, Dispatcher dispatcher, UserConsent gui) {
    EstablishChannelResponse response = new EstablishChannelResponse();
    try {
        // Get parameters for the PACE protocol
        PACEInputType paceInput = new PACEInputType(req.getAuthenticationProtocolData());
        byte[] pin;
        byte pinID = paceInput.getPINID();
        byte[] chat = paceInput.getCHAT();
        if (paceInput.getPIN() == null || paceInput.getPIN().isEmpty()) {
            // GUI request
            GUIContentMap content = new GUIContentMap();
            content.add(GUIContentMap.ELEMENT.PIN_ID, pinID);
            PACEUserConsent paceUserConsent = new PACEUserConsent(gui);
            paceUserConsent.show(content);
            pin = ((String) content.get(GUIContentMap.ELEMENT.PIN)).getBytes(PACEConstants.PIN_CHARSET);
        } else {
            pin = paceInput.getPIN().getBytes(PACEConstants.PIN_CHARSET);
        }
        if (pin == null || pin.length == 0) {
            response.setResult(WSHelper.makeResultError(ECardConstants.Minor.IFD.CANCELLATION_BY_USER, "No PIN was entered."));
            return response;
        }
        // Read EF.CardAccess from card
        byte[] slotHandle = req.getSlotHandle();
        CardResponseAPDU resp = CardUtils.selectFileWithOptions(dispatcher, slotHandle, ShortUtils.toByteArray(PACEConstants.EF_CARDACCESS_FID), null, CardUtils.FCP_RESPONSE_DATA);
        FCP efCardAccessFCP = new FCP(TLV.fromBER(resp.getData()));
        byte[] efcadata = CardUtils.readFile(efCardAccessFCP, dispatcher, slotHandle);
        // Parse SecurityInfos and get PACESecurityInfos
        SecurityInfos sis = SecurityInfos.getInstance(efcadata);
        EFCardAccess efca = new EFCardAccess(sis);
        PACESecurityInfos psi = efca.getPACESecurityInfos();
        // Start PACE
        PACEImplementation pace = new PACEImplementation(dispatcher, slotHandle, psi);
        pace.execute(pin, pinID, chat);
        // Establish Secure Messaging channel
        sm = new SecureMessaging(pace.getKeyMAC(), pace.getKeyENC());
        // Create AuthenticationProtocolData (PACEOutputType)
        PACEOutputType paceOutput = paceInput.getOutputType();
        paceOutput.setEFCardAccess(efcadata);
        paceOutput.setCurrentCAR(pace.getCurrentCAR());
        paceOutput.setPreviousCAR(pace.getPreviousCAR());
        paceOutput.setIDPICC(pace.getIDPICC());
        paceOutput.setRetryCounter(pace.getRetryCounter());
        // Create EstablishChannelResponse
        response.setResult(WSHelper.makeResultOK());
        response.setAuthenticationProtocolData(paceOutput.getAuthDataType());
    } catch (UnsupportedEncodingException ex) {
        logger.error(ex.getMessage(), ex);
        response.setResult(WSHelper.makeResultError(ECardConstants.Minor.IFD.IO.UNKNOWN_PIN_FORMAT, "Cannot encode the PIN in " + PACEConstants.PIN_CHARSET + " charset."));
    } catch (ProtocolException ex) {
        logger.error(ex.getMessage(), ex);
        response.setResult(WSHelper.makeResult(ex));
    } catch (Throwable ex) {
        logger.error(ex.getMessage(), ex);
        response.setResult(WSHelper.makeResult(ex));
    }
    return response;
}
Also used : ProtocolException(org.openecard.common.ifd.protocol.exception.ProtocolException) EstablishChannelResponse(iso.std.iso_iec._24727.tech.schema.EstablishChannelResponse) EFCardAccess(org.openecard.crypto.common.asn1.eac.ef.EFCardAccess) PACESecurityInfos(org.openecard.crypto.common.asn1.eac.PACESecurityInfos) SecurityInfos(org.openecard.crypto.common.asn1.eac.SecurityInfos) UnsupportedEncodingException(java.io.UnsupportedEncodingException) PACEInputType(org.openecard.common.ifd.anytype.PACEInputType) FCP(org.openecard.common.tlv.iso7816.FCP) PACESecurityInfos(org.openecard.crypto.common.asn1.eac.PACESecurityInfos) PACEOutputType(org.openecard.common.ifd.anytype.PACEOutputType) CardResponseAPDU(org.openecard.common.apdu.common.CardResponseAPDU) GUIContentMap(org.openecard.ifd.protocol.pace.gui.GUIContentMap)

Example 3 with SecurityInfos

use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.

the class EFCardAccessTest method init.

@BeforeTest
public void init() throws Exception {
    // Standardized Domain Parameters
    byte[] data = loadTestFile("EF_CardAccess.bin");
    SecurityInfos sis = SecurityInfos.getInstance(data);
    efcaA = new EFCardAccess(sis);
    // Proprietary Domain Parameters
    data = loadTestFile("EF_CardAccess_pdp.bin");
    sis = SecurityInfos.getInstance(data);
    efcaB = new EFCardAccess(sis);
}
Also used : EFCardAccess(org.openecard.crypto.common.asn1.eac.ef.EFCardAccess) BeforeTest(org.testng.annotations.BeforeTest)

Example 4 with SecurityInfos

use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.

the class EFCardAccess method decodeSecurityInfos.

/**
 * Decode the SecurityInfos.
 */
private void decodeSecurityInfos() {
    final ASN1Set securityinfos = sis.getSecurityInfos();
    final int length = securityinfos.size();
    psi = new PACESecurityInfos();
    tsi = new TASecurityInfos();
    csi = new CASecurityInfos();
    for (int i = 0; i < length; i++) {
        ASN1Sequence securityInfo = (ASN1Sequence) securityinfos.getObjectAt(i);
        String oid = securityInfo.getObjectAt(0).toString();
        // PACEInfo (REQUIRED)
        if (PACEInfo.isPACEObjectIdentifer(oid)) {
            _logger.debug("Found PACEInfo object identifier");
            PACEInfo pi = new PACEInfo(securityInfo);
            psi.addPACEInfo(pi);
        } else // PACEDoaminParameterInfo (CONDITIONAL)
        if (PACEDomainParameterInfo.isPACEObjectIdentifer(oid)) {
            _logger.debug("Found PACEDomainParameterInfo object identifier");
            PACEDomainParameterInfo pdp = new PACEDomainParameterInfo(securityInfo);
            psi.addPACEDomainParameterInfo(pdp);
        } else // ChipAuthenticationInfo (CONDITIONAL)
        if (CAInfo.isObjectIdentifier(oid)) {
            _logger.debug("Found ChipAuthenticationInfo object identifier");
            CAInfo ci = new CAInfo(securityInfo);
            csi.addCAInfo(ci);
        } else // ChipAuthenticationDomainParameterInfo (CONDITIONAL)
        if (CADomainParameterInfo.isObjectIdentifier(oid)) {
            _logger.debug("Found ChipAuthenticationDomainParameterInfo object identifier");
            CADomainParameterInfo cdp = new CADomainParameterInfo(securityInfo);
            csi.addCADomainParameterInfo(cdp);
        } else // TerminalAuthenticationInfo (CONDITIONAL)
        if (EACObjectIdentifier.id_TA.equals(oid)) {
            _logger.debug("Found TerminalAuthenticationInfo object identifier");
            TAInfo ta = new TAInfo(securityInfo);
            tsi.addTAInfo(ta);
        } else // CardInfoLocator (RECOMMENDED)
        if (EACObjectIdentifier.id_CI.equals(oid)) {
            _logger.debug("Found CardInfoLocator object identifier");
            cil = CardInfoLocator.getInstance(securityInfo);
        } else // PrivilegedTerminalInfo (CONDITIONAL)
        if (EACObjectIdentifier.id_PT.equals(oid)) {
            _logger.debug("Found PrivilegedTerminalInfo object identifier");
            pti = PrivilegedTerminalInfo.getInstance(securityInfo);
        } else {
            _logger.debug("Found unknown object identifier: {}", oid.toString());
        }
    }
}
Also used : PACESecurityInfos(org.openecard.crypto.common.asn1.eac.PACESecurityInfos) ASN1Sequence(org.openecard.bouncycastle.asn1.ASN1Sequence) ASN1Set(org.openecard.bouncycastle.asn1.ASN1Set) TASecurityInfos(org.openecard.crypto.common.asn1.eac.TASecurityInfos) CADomainParameterInfo(org.openecard.crypto.common.asn1.eac.CADomainParameterInfo) TAInfo(org.openecard.crypto.common.asn1.eac.TAInfo) PACEInfo(org.openecard.crypto.common.asn1.eac.PACEInfo) CAInfo(org.openecard.crypto.common.asn1.eac.CAInfo) CASecurityInfos(org.openecard.crypto.common.asn1.eac.CASecurityInfos) PACEDomainParameterInfo(org.openecard.crypto.common.asn1.eac.PACEDomainParameterInfo)

Example 5 with SecurityInfos

use of org.openecard.crypto.common.asn1.eac.SecurityInfos in project open-ecard by ecsec.

the class AuthenticationHelper method performAuth.

public EAC2OutputType performAuth(EAC2OutputType eac2Output, Map<String, Object> internalData) throws ProtocolException, TLVException {
    // get needed values from context
    CardVerifiableCertificate terminalCertificate;
    terminalCertificate = (CardVerifiableCertificate) internalData.get(EACConstants.IDATA_TERMINAL_CERTIFICATE);
    byte[] key = (byte[]) internalData.get(EACConstants.IDATA_PK_PCD);
    byte[] signature = (byte[]) internalData.get(EACConstants.IDATA_SIGNATURE);
    SecurityInfos securityInfos = (SecurityInfos) internalData.get(EACConstants.IDATA_SECURITY_INFOS);
    AuthenticatedAuxiliaryData aadObj;
    aadObj = (AuthenticatedAuxiliaryData) internalData.get(EACConstants.IDATA_AUTHENTICATED_AUXILIARY_DATA);
    // ///////////////////////////////////////////////////////////////////
    // BEGIN TA PART
    // ///////////////////////////////////////////////////////////////////
    // TA: Step 2 - MSE:SET AT
    byte[] oid = ObjectIdentifierUtils.getValue(terminalCertificate.getPublicKey().getObjectIdentifier());
    byte[] chr = terminalCertificate.getCHR().toByteArray();
    byte[] aad = aadObj.getData();
    // Calculate comp(key)
    EFCardAccess efca = new EFCardAccess(securityInfos);
    CASecurityInfos cas = efca.getCASecurityInfos();
    CADomainParameter cdp = new CADomainParameter(cas);
    CAKey caKey = new CAKey(cdp);
    caKey.decodePublicKey(key);
    byte[] compKey = caKey.getEncodedCompressedPublicKey();
    // TA: Step 4 - MSE SET AT
    ta.mseSetAT(oid, chr, compKey, aad);
    // TA: Step 4 - External Authentication
    ta.externalAuthentication(signature);
    // ///////////////////////////////////////////////////////////////////
    // END TA PART
    // ///////////////////////////////////////////////////////////////////
    // ///////////////////////////////////////////////////////////////////
    // BEGIN CA PART
    // ///////////////////////////////////////////////////////////////////
    // Read EF.CardSecurity
    byte[] efCardSecurity = ca.readEFCardSecurity();
    // CA: Step 1 - MSE:SET AT
    byte[] oID = ObjectIdentifierUtils.getValue(cas.getCAInfo().getProtocol());
    byte[] keyID = IntegerUtils.toByteArray(cas.getCAInfo().getKeyID());
    ca.mseSetAT(oID, keyID);
    // CA: Step 2 - General Authenticate
    byte[] responseData = ca.generalAuthenticate(key);
    TLV tlv = TLV.fromBER(responseData);
    byte[] nonce = tlv.findChildTags(0x81).get(0).getValue();
    byte[] token = tlv.findChildTags(0x82).get(0).getValue();
    // Disable Secure Messaging
    ca.destroySecureChannel();
    // ///////////////////////////////////////////////////////////////////
    // END CA PART
    // ///////////////////////////////////////////////////////////////////
    // Create response
    eac2Output.setEFCardSecurity(efCardSecurity);
    eac2Output.setNonce(nonce);
    eac2Output.setToken(token);
    return eac2Output;
}
Also used : CADomainParameter(org.openecard.crypto.common.asn1.eac.CADomainParameter) AuthenticatedAuxiliaryData(org.openecard.crypto.common.asn1.eac.AuthenticatedAuxiliaryData) CardVerifiableCertificate(org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificate) EFCardAccess(org.openecard.crypto.common.asn1.eac.ef.EFCardAccess) CASecurityInfos(org.openecard.crypto.common.asn1.eac.CASecurityInfos) SecurityInfos(org.openecard.crypto.common.asn1.eac.SecurityInfos) CASecurityInfos(org.openecard.crypto.common.asn1.eac.CASecurityInfos) CAKey(org.openecard.sal.protocol.eac.crypto.CAKey) TLV(org.openecard.common.tlv.TLV)

Aggregations

SecurityInfos (org.openecard.crypto.common.asn1.eac.SecurityInfos)3 EFCardAccess (org.openecard.crypto.common.asn1.eac.ef.EFCardAccess)3 CardResponseAPDU (org.openecard.common.apdu.common.CardResponseAPDU)2 CardVerifiableCertificate (org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificate)2 AuthenticatedAuxiliaryData (org.openecard.crypto.common.asn1.eac.AuthenticatedAuxiliaryData)2 CASecurityInfos (org.openecard.crypto.common.asn1.eac.CASecurityInfos)2 PACESecurityInfos (org.openecard.crypto.common.asn1.eac.PACESecurityInfos)2 ConnectionHandleType (iso.std.iso_iec._24727.tech.schema.ConnectionHandleType)1 DIDAuthenticate (iso.std.iso_iec._24727.tech.schema.DIDAuthenticate)1 DIDAuthenticateResponse (iso.std.iso_iec._24727.tech.schema.DIDAuthenticateResponse)1 DIDAuthenticationDataType (iso.std.iso_iec._24727.tech.schema.DIDAuthenticationDataType)1 EstablishChannelResponse (iso.std.iso_iec._24727.tech.schema.EstablishChannelResponse)1 InputAPDUInfoType (iso.std.iso_iec._24727.tech.schema.InputAPDUInfoType)1 Transmit (iso.std.iso_iec._24727.tech.schema.Transmit)1 TransmitResponse (iso.std.iso_iec._24727.tech.schema.TransmitResponse)1 UnsupportedEncodingException (java.io.UnsupportedEncodingException)1 InvocationTargetException (java.lang.reflect.InvocationTargetException)1 MalformedURLException (java.net.MalformedURLException)1 CertificateException (java.security.cert.CertificateException)1 Result (oasis.names.tc.dss._1_0.core.schema.Result)1