/* * This is the actual card emulator. * * These functions can be implemented in different ways on different platforms * using the underlying system primitives. For Linux it uses NSS, though direct * to PKCS #11, openssl+pkcs11, or even gnu crypto libraries+pkcs #11 could be * used. On Windows CAPI could be used. */ #include "vcard.h" #include "card_7816t.h" #include "vcard_emul.h" #include "vreader.h" #include "vevent.h" /* * NSS headers */ #include #include #include #include #include #include #include /* * system headers */ #include #include struct VCardKeyStruct { CERTCertificate *cert; PK11SlotInfo *slot; SECKEYPrivateKey *key; }; typedef struct VirtualReaderOptionsStruct VirtualReaderOptions; struct VReaderEmulStruct { PK11SlotInfo *slot; VCardEmulType default_type; char *type_params; PRBool present; int series; VCard *saved_vcard; }; /* * NSS Specific options */ struct VirtualReaderOptionsStruct { char *name; char *vname; VCardEmulType card_type; char *type_params; char **cert_name; int cert_count; }; struct VCardEmulOptionsStruct { void *nss_db; VirtualReaderOptions *vreader; int vreader_count; VCardEmulType hw_card_type; const char *hw_type_params; PRBool use_hw; }; static int nss_emul_init = 0; /* if we have more that just the slot, define * VCardEmulStruct here */ /* * allocate the set of arrays for certs, cert_len, key */ static PRBool vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp, VCardKey ***keysp, int cert_count) { *certsp = NULL; *cert_lenp = NULL; *keysp = NULL; *certsp = (unsigned char **)malloc(sizeof(unsigned char *)*cert_count); if (*certsp == NULL) { return PR_FALSE; } *cert_lenp = (int *)malloc(sizeof(int)*cert_count); if (*cert_lenp == NULL) { free(*certsp); *certsp = NULL; return PR_FALSE; } *keysp = (VCardKey **)malloc(sizeof(VCardKey *)*cert_count); if (*keysp != NULL) { return PR_TRUE; } free(*cert_lenp); free(*certsp); *cert_lenp = NULL; *certsp = NULL; return PR_FALSE; } /* * Emulator specific card information */ typedef struct CardEmulCardStruct CardEmulPrivate; static VCardEmul * vcard_emul_new_card(PK11SlotInfo *slot) { PK11_ReferenceSlot(slot); /* currently we don't need anything other than the slot */ return (VCardEmul *)slot; } static void vcard_emul_delete_card(VCardEmul *vcard_emul) { PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul; if (slot == NULL) { return; } PK11_FreeSlot(slot); } static PK11SlotInfo * vcard_emul_card_get_slot(VCard *card) { /* note, the card is holding the reference, no need to get another one */ return (PK11SlotInfo *)vcard_get_private(card); } /* * key functions */ /* private constructure */ static VCardKey * vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert) { VCardKey * key; key = (VCardKey *)malloc(sizeof(VCardKey)); if (key == NULL) { return NULL; } key->slot = PK11_ReferenceSlot(slot); key->cert = CERT_DupCertificate(cert); /* NOTE: if we aren't logged into the token, this could return NULL */ /* NOTE: the cert is a temp cert, not necessarily the cert in the token, * use the DER version of this function */ key->key = PK11_FindKeyByDERCert(slot,cert, NULL); return key; } /* destructor */ void vcard_emul_delete_key(VCardKey *key) { if (!nss_emul_init || (key == NULL)) { return; } if (key->key) { SECKEY_DestroyPrivateKey(key->key); key->key = NULL; } if (key->cert) { CERT_DestroyCertificate(key->cert); } if (key->slot) { PK11_FreeSlot(key->slot); } return; } /* * grab the nss key from a VCardKey. If it doesn't exist, try to look it up */ static SECKEYPrivateKey * vcard_emul_get_nss_key(VCardKey *key) { if (key->key) { return key->key; } /* NOTE: if we aren't logged into the token, this could return NULL */ key->key = PK11_FindPrivateKeyFromCert(key->slot,key->cert, NULL); return key->key; } /* * Map NSS errors to 7816 errors */ static vcard_7816_status_t vcard_emul_map_error(int error) { switch (error) { case SEC_ERROR_TOKEN_NOT_LOGGED_IN: return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; case SEC_ERROR_BAD_DATA: case SEC_ERROR_OUTPUT_LEN: case SEC_ERROR_INPUT_LEN: case SEC_ERROR_INVALID_ARGS: case SEC_ERROR_INVALID_ALGORITHM: case SEC_ERROR_NO_KEY: case SEC_ERROR_INVALID_KEY: case SEC_ERROR_DECRYPTION_DISALLOWED: return VCARD7816_STATUS_ERROR_DATA_INVALID; case SEC_ERROR_NO_MEMORY: return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE; } return VCARD7816_STATUS_EXC_ERROR_CHANGE; } /* RSA sign/decrypt with the key, signature happens 'in place' */ vcard_7816_status_t vcard_emul_rsa_op(VCard *card, VCardKey *key, unsigned char *buffer, int buffer_size) { SECKEYPrivateKey *priv_key; unsigned signature_len; SECStatus rv; if ((!nss_emul_init) || (key == NULL)) { /* couldn't get the key, indicate that we aren't logged in */ return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; } priv_key = vcard_emul_get_nss_key(key); /* * this is only true of the rsa signature */ signature_len = PK11_SignatureLen(priv_key); if (buffer_size != signature_len) { return VCARD7816_STATUS_ERROR_DATA_INVALID; } rv = PK11_PrivDecryptRaw(priv_key, buffer, &signature_len, signature_len, buffer, buffer_size); if (rv != SECSuccess) { return vcard_emul_map_error(PORT_GetError()); } ASSERT(buffer_size == signature_len); return VCARD7816_STATUS_SUCCESS; } /* * Login functions */ /* return the number of login attempts still possible on the card. if unknown, * return -1 */ int vcard_emul_get_login_count(VCard *card) { return -1; } /* login into the card, return the 7816 status word (sw2 || sw1) */ vcard_7816_status_t vcard_emul_login(VCard *card, unsigned char *pin, int pin_len) { PK11SlotInfo *slot; unsigned char *pin_string = NULL; int i; SECStatus rv; if (!nss_emul_init) { return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; } slot = vcard_emul_card_get_slot(card); /* We depend on the PKCS #11 module internal login state here because we * create a separate process to handle each guest instance. If we needed * to handle multiple guests from one process, then we would need to keep * a lot of extra state in our card structure * */ pin_string = malloc(pin_len+1); if (pin_string == NULL) { return VCARD7816_STATUS_EXC_ERROR_MEMORY_FAILURE; } memcpy(pin_string,pin,pin_len); pin_string[pin_len] = 0; /* handle CAC expanded pins correctly */ for (i = pin_len-1; i >= 0 && (pin_string[i] == 0xff); i--) { pin_string[i] = 0; } rv = PK11_Authenticate(slot, PR_FALSE, pin_string); memset(pin_string, 0, pin_len); /* don't let the pin hang around in memory to be snooped */ free(pin_string); if (rv == SECSuccess) { return VCARD7816_STATUS_SUCCESS; } /* map the error from port get error */ return VCARD7816_STATUS_ERROR_CONDITION_NOT_SATISFIED; } void vcard_emul_reset(VCard *card, VCardPower power) { PK11SlotInfo *slot; if (!nss_emul_init) { return; } /* if we reset the card (either power on or power off), we loose our login * state */ /* TODO: we may also need to send insertion/removal events? */ slot = vcard_emul_card_get_slot(card); (void)PK11_Logout(slot); return; } static VReader * vcard_emul_find_vreader_from_slot(PK11SlotInfo *slot) { VReaderList *reader_list = vreader_get_reader_list(); VReaderListEntry *current_entry = NULL; if (reader_list == NULL) { return NULL; } for (current_entry= vreader_list_get_first(reader_list); current_entry; current_entry=vreader_list_get_next(current_entry)) { VReader *reader = vreader_list_get_reader(current_entry); VReaderEmul *reader_emul = vreader_get_private(reader); if (reader_emul->slot == slot) { return reader; } vreader_free(reader); } return NULL; } /* * create a new reader emul */ static VReaderEmul * vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params) { VReaderEmul *new_reader_emul; new_reader_emul = (VReaderEmul *)malloc(sizeof(VReaderEmul)); if (new_reader_emul == NULL) { return NULL; } new_reader_emul->slot = PK11_ReferenceSlot(slot); new_reader_emul->default_type = type; new_reader_emul->type_params = strdup(params); new_reader_emul->present = PR_FALSE; new_reader_emul->series = 0; new_reader_emul->saved_vcard = NULL; return new_reader_emul; } static void vreader_emul_delete(VReaderEmul *vreader_emul) { if (vreader_emul == NULL) { return; } if (vreader_emul->slot) { PK11_FreeSlot(vreader_emul->slot); } if (vreader_emul->type_params) { free(vreader_emul->type_params); } free(vreader_emul); } /* * TODO: move this to emulater non-specific file */ static VCardEmulType vcard_emul_get_type(VReader *vreader) { VReaderEmul *vreader_emul; vreader_emul = vreader_get_private(vreader); if (vreader_emul && vreader_emul->default_type != VCARD_EMUL_NONE) { return vreader_emul->default_type; } return vcard_emul_type_select(vreader); } /* * TODO: move this to emulater non-specific file */ static const char * vcard_emul_get_type_params(VReader *vreader) { VReaderEmul *vreader_emul; vreader_emul = vreader_get_private(vreader); if (vreader_emul && vreader_emul->type_params) { return vreader_emul->type_params; } return ""; } /* pull the slot out of the reader private data */ static PK11SlotInfo * vcard_emul_reader_get_slot(VReader *vreader) { VReaderEmul *vreader_emul = vreader_get_private(vreader); if (vreader_emul == NULL) { return NULL; } return vreader_emul->slot; } /* * Card ATR's map to physical cards. VCARD_ATR_PREFIX will set appropriate * historical bytes for any software emulated card. The remaining bytes can be * used to indicate the actual emulator */ static const unsigned char nss_atr[] = { VCARD_ATR_PREFIX(3), 'N', 'S', 'S' }; void vcard_emul_get_atr(VCard *card, unsigned char *atr, int *atr_len) { int len = MIN(sizeof(nss_atr), *atr_len); ASSERT(atr != NULL); memcpy(atr, nss_atr, len); *atr_len = len; return; } /* * create a new card from certs and keys */ static VCard * vcard_emul_make_card(VReader *reader, unsigned char * const *certs, int *cert_len, VCardKey *keys[], int cert_count) { VCardEmul *vcard_emul; VCard *vcard; PK11SlotInfo *slot; VCardEmulType type; const char *params; type = vcard_emul_get_type(reader); /* ignore the inserted card */ if (type == VCARD_EMUL_NONE) { return NULL; } slot = vcard_emul_reader_get_slot(reader); if (slot == NULL) { return NULL; } params = vcard_emul_get_type_params(reader); /* params these can be NULL */ vcard_emul = vcard_emul_new_card(slot); if (vcard_emul == NULL) { return NULL; } vcard = vcard_new(vcard_emul, vcard_emul_delete_card); if (vcard == NULL) { vcard_emul_delete_card(vcard_emul); return NULL; } vcard_init(reader, vcard, type, params, certs, cert_len, keys, cert_count); return vcard; } /* * 'clone' a physical card as a virtual card */ static VCard * vcard_emul_mirror_card(VReader *vreader) { /* * lookup certs using the C_FindObjects. The Stan Cert handle won't give * us the real certs until we log in. */ PK11GenericObject *firstObj, *thisObj; int cert_count; unsigned char **certs; int *cert_len; VCardKey **keys; PK11SlotInfo *slot; PRBool ret; slot = vcard_emul_reader_get_slot(vreader); if (slot == NULL) { return NULL; } firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE); if (firstObj == NULL) { return NULL; } /* count the certs */ cert_count=0; for (thisObj = firstObj; thisObj; thisObj = PK11_GetNextGenericObject(thisObj)) { cert_count++; } if (cert_count == 0) { PK11_DestroyGenericObjects(firstObj); return NULL; } /* allocate the arrays */ ret = vcard_emul_alloc_arrays(&certs,&cert_len, &keys, cert_count); if (ret == PR_FALSE) { return NULL; } /* fill in the arrays */ cert_count = 0; for (thisObj = firstObj; thisObj; thisObj = PK11_GetNextGenericObject(thisObj)) { SECItem derCert; CERTCertificate *cert; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisObj, CKA_VALUE, &derCert); if (rv != SECSuccess) { continue; } /* create floating temp cert. This gives us a cert structure even if * the token isn't logged in */ cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert, NULL, PR_FALSE, PR_TRUE); SECITEM_FreeItem(&derCert, PR_FALSE); if (cert == NULL) { continue; } certs[cert_count] = cert->derCert.data; cert_len[cert_count] = cert->derCert.len; keys[cert_count] = vcard_emul_make_key(slot, cert); cert_count++; CERT_DestroyCertificate(cert); /* key obj still has a reference */ } /* now create the card */ return vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); } static VCardEmulType default_card_type = VCARD_EMUL_NONE; static const char *default_type_params = ""; /* * This thread looks for card and reader insertions and puts events on the * event queue */ static void vcard_emul_event_thread(void *arg) { PK11SlotInfo *slot; VReader *vreader; VReaderEmul *vreader_emul; VCard *vcard; SECMODModule *module = (SECMODModule *)arg; do { slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500); if (slot == NULL) { break; } vreader = vcard_emul_find_vreader_from_slot(slot); if (vreader == NULL) { /* new vreader */ vreader_emul = vreader_emul_new(slot, default_card_type, default_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); PK11_FreeSlot(slot); slot = NULL; vreader_add_reader(vreader); vreader_free(vreader); continue; } /* card remove/insert */ vreader_emul = vreader_get_private(vreader); if (PK11_IsPresent(slot)) { int series = PK11_GetSlotSeries(slot); if (series != vreader_emul->series) { if (vreader_emul->present) { vreader_insert_card(vreader, NULL); } vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_free(vcard); } vreader_emul->series = series; vreader_emul->present = 1; vreader_free(vreader); PK11_FreeSlot(slot); continue; } if (vreader_emul->present) { vreader_insert_card(vreader, NULL); } vreader_emul->series = 0; vreader_emul->present = 0; PK11_FreeSlot(slot); vreader_free(vreader); } while(1); } /* if the card is inserted when we start up, make sure our state is correct */ static void vcard_emul_init_series(VReader *vreader, VCard *vcard) { VReaderEmul *vreader_emul = vreader_get_private(vreader); PK11SlotInfo *slot = vreader_emul->slot; vreader_emul->present = PK11_IsPresent(slot); vreader_emul->series = PK11_GetSlotSeries(slot); if (vreader_emul->present == 0) { vreader_insert_card(vreader, NULL); } } /* * each module has a separate wait call, create a thread for each module that * we are using. */ static void vcard_emul_new_event_thread(SECMODModule *module) { PR_CreateThread(PR_SYSTEM_THREAD, vcard_emul_event_thread, module, PR_PRIORITY_HIGH, PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0); } static const VCardEmulOptions default_options = { .nss_db = NULL, .vreader = NULL, .vreader_count = 0, .hw_card_type = VCARD_EMUL_CAC, .hw_type_params = "", .use_hw = PR_TRUE }; /* * NSS needs the app to supply a password prompt. In our case the only time * the password is supplied is as part of the Login APDU. The actual password * is passed in the pw_arg in that case. In all other cases pw_arg should be * NULL. */ static char * vcard_emul_get_password(PK11SlotInfo *slot, PRBool retries, void *pw_arg) { /* if it didn't work the first time, don't keep trying */ if (retries) { return NULL; } /* we are looking up a password when we don't have one in hand */ if (pw_arg == NULL) { return NULL; } /* TODO: we really should verify that were are using the right slot */ return PORT_Strdup(pw_arg); } /* Force a card removal even if the card is not physically removed */ VCardEmulError vcard_emul_force_card_remove(VReader *vreader) { if (!nss_emul_init || (vreader_card_is_present(vreader) != VREADER_OK)) { return VCARD_EMUL_FAIL; /* card is already removed */ } /* OK, remove it */ vreader_insert_card(vreader, NULL); return VCARD_EMUL_OK; } /* Re-insert of a card that has been removed by force removal */ VCardEmulError vcard_emul_force_card_insert(VReader *vreader) { VReaderEmul *vreader_emul; VCard *vcard; if (!nss_emul_init || (vreader_card_is_present(vreader) == VREADER_OK)) { return VCARD_EMUL_FAIL; /* card is already removed */ } vreader_emul = vreader_get_private(vreader); /* if it's a softcard, get the saved vcard from the reader emul structure */ if (vreader_emul->saved_vcard) { vcard = vcard_reference(vreader_emul->saved_vcard); } else { /* it must be a physical card, rebuild it */ if (!PK11_IsPresent(vreader_emul->slot)) { /* physical card has been removed, not way to reinsert it */ return VCARD_EMUL_FAIL; } vcard = vcard_emul_mirror_card(vreader); } vreader_insert_card(vreader, vcard); vcard_free(vcard); return VCARD_EMUL_OK; } /* Previously we returned FAIL if no readers found. This makes * no sense when using hardware, since there may be no readers connected * at the time vcard_emul_init is called, but they will be properly * recognized later. So Instead return FAIL only if no_hw==1 and no * vcards can be created (indicates error with certificates provided * or db), or if any other higher level error (NSS error, missing coolkey). */ VCardEmulError vcard_emul_init(const VCardEmulOptions *options) { SECStatus rv; PRBool ret, has_readers=PR_FALSE, need_module; VReader *vreader; VReaderEmul *vreader_emul; SECMODListLock *module_lock; SECMODModuleList *module_list; SECMODModuleList *mlp; int i; vreader_init(); vevent_queue_init(); if (options == NULL) { options = &default_options; } /* first initialize NSS */ if (options->nss_db) { rv = NSS_Init(options->nss_db); } else { rv = NSS_Init("sql:/etc/pki/nssdb"); } if (rv != SECSuccess) { return VCARD_EMUL_FAIL; } /* Set password callback function */ PK11_SetPasswordFunc(vcard_emul_get_password); /* set up soft cards emulated by software certs rather than physical cards * */ for (i = 0; i < options->vreader_count; i++) { int j; int cert_count; unsigned char **certs; int *cert_len; VCardKey **keys; PK11SlotInfo *slot; slot = PK11_FindSlotByName(options->vreader[i].name); if (slot == NULL) { continue; } vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, options->vreader[i].type_params); vreader = vreader_new(options->vreader[i].vname, vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); cert_count = options->vreader[i].cert_count; ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, options->vreader[i].cert_count); if (ret == PR_FALSE) { continue; } cert_count = 0; for (j=0; j < options->vreader[i].cert_count; j++) { /* we should have a better way of identifying certs than by * nickname here */ CERTCertificate *cert = PK11_FindCertFromNickname( options->vreader[i].cert_name[j], NULL); if (cert == NULL) { continue; } certs[cert_count] = cert->derCert.data; cert_len[cert_count] = cert->derCert.len; keys[cert_count] = vcard_emul_make_key(slot, cert); /* this is safe because the key is still holding a cert reference */ CERT_DestroyCertificate(cert); cert_count++; } if (cert_count) { VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); /* allow insertion and removal of soft cards */ vreader_emul->saved_vcard = vcard_reference(vcard); vcard_free(vcard); vreader_free(vreader); has_readers = PR_TRUE; } } /* if we aren't suppose to use hw, skip looking up hardware tokens */ if (!options->use_hw) { nss_emul_init = has_readers; return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; } /* make sure we have some PKCS #11 module loaded */ module_lock = SECMOD_GetDefaultModuleListLock(); module_list = SECMOD_GetDefaultModuleList(); need_module = !has_readers; SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule * module = mlp->module; if (SECMOD_HasRemovableSlots(module)) { need_module = PR_FALSE; break; } } SECMOD_ReleaseReadLock(module_lock); if (need_module) { SECMODModule *module; module = SECMOD_LoadUserModule( (char*)"library=libcoolkeypk11.so name=Coolkey", NULL, PR_FALSE); if (module == NULL) { return VCARD_EMUL_FAIL; } SECMOD_DestroyModule(module); /* free our reference, Module will still * be on the list. * until we destroy it */ } /* now examine all the slots, finding which should be readers */ /* We should control this with options. For now we mirror out any * removable hardware slot */ default_card_type = options->hw_card_type; default_type_params = strdup(options->hw_type_params); SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule * module = mlp->module; PRBool has_emul_slots = PR_FALSE; if (module == NULL) { continue; } for (i=0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; /* only map removable HW slots */ if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { continue; } vreader_emul = vreader_emul_new(slot, options->hw_card_type, options->hw_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); has_readers = PR_TRUE; has_emul_slots = PR_TRUE; if (PK11_IsPresent(slot)) { VCardEmulType type; VCard *vcard; type = vcard_emul_get_type(vreader); vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); vcard_free(vcard); } } if (has_emul_slots) { vcard_emul_new_event_thread(module); } } SECMOD_ReleaseReadLock(module_lock); nss_emul_init = has_readers; return VCARD_EMUL_OK; } /* * Silly little functions to help parsing our argument string */ static char * copy_string(const char *str, int str_len) { char *new_str; new_str = malloc(str_len+1); memcpy(new_str, str, str_len); new_str[str_len] = 0; return new_str; } static int count_tokens(const char *str, char token, char token_end) { int count = 0; for (;*str;str++) { if (*str == token) { count++; } if (*str == token_end) { break; } } return count; } static const char * find_token(const char *str, char token, char token_end) { /* just do the blind simple thing */ for (;*str;str++) { if ((*str == token) || (*str == token_end)) { break; } } return str; } static const char * strip(const char *str) { for(;*str; str++) { if ((*str != ' ') && (*str != '\n') && (*str != '\t') && (*str != '\r')) { break; } } return str; } static const char * find_blank(const char *str) { for(;*str; str++) { if ((*str == ' ') || (*str == '\n') || (*str == '\t') || (*str == '\r')) { break; } } return str; } /* * We really want to use some existing argument parsing library here. That * would give us a consistant look */ static VCardEmulOptions options; #define READER_STEP 4 VCardEmulOptions * vcard_emul_options(const char *args) { int reader_count = 0; VCardEmulOptions *opts; char type_str[100]; int type_len; /* Allow the future use of allocating the options structure on the fly */ memcpy(&options, &default_options, sizeof(options)); opts = &options; do { args = strip(args); /* strip off the leading spaces */ if (*args == ',') { continue; } /* soft=(slot_name,virt_name,emul_type,emul_flags,cert_1, (no eol) * cert_2,cert_3...) */ if (strncmp(args,"soft=",5) == 0) { const char *name; const char *vname; const char *type_params; VCardEmulType type; int name_length, vname_length, type_params_length, count, i; VirtualReaderOptions *vreaderOpt = NULL; args = strip(args+5); if (*args != '(') { continue; } name = args; args = find_token(args+1,',',')'); if (*args == 0) { break; } if (*args == ')') { args++; continue; } args = strip(args+1); name_length = args - name - 2; vname = args; args = find_token(args+1,',',')'); if (*args == 0) { break; } if (*args == ')') { args++; continue; } vname_length = args - name - 2; args = strip(args+1); type_len = find_token(args,',',')') - args; assert(sizeof(type_str) > type_len); strncpy(type_str, args, type_len); type_str[type_len] = 0; type = vcard_emul_type_from_string(type_str); args = find_token(args,',',')'); if (*args == 0) { break; } if (*args == ')') { args++; continue; } args = strip(args++); type_params=args; args = find_token(args+1,',',')'); if (*args == 0) { break; } if (*args == ')') { args++; continue; } type_params_length = args - name; args = strip(args++); if (*args == 0) { break; } if (opts->vreader_count >= reader_count) { reader_count += READER_STEP; vreaderOpt = realloc(opts->vreader, reader_count*sizeof(*vreaderOpt)); if (vreaderOpt == NULL) { return opts; /* we're done */ } } opts->vreader = vreaderOpt; vreaderOpt = &vreaderOpt[opts->vreader_count]; vreaderOpt->name = copy_string(name, name_length); vreaderOpt->vname = copy_string(vname, vname_length); vreaderOpt->card_type = type; vreaderOpt->type_params = copy_string(name, name_length); count = count_tokens(args,',',')'); vreaderOpt->cert_count = count; vreaderOpt->cert_name = (char **)malloc(count*sizeof(char *)); for (i=0; i < count; i++) { const char *cert = args + 1; args = find_token(args + 1, ',', ')'); vreaderOpt->cert_name[i] = copy_string(cert, args - cert); } if (*args == ')') { args++; } opts->vreader_count++; /* use_hw= */ } else if (strncmp(args,"use_hw=",7) == 0) { args = strip(args+7); if (*args == '0' || *args == 'N' || *args == 'n' || *args == 'F') { opts->use_hw = PR_FALSE; } else { opts->use_hw = PR_TRUE; } args = find_blank(args); /* hw_type= */ } else if (strncmp(args,"hw_type=",8) == 0) { args = strip(args+8); opts->hw_card_type = vcard_emul_type_from_string(args); args = find_blank(args); /* hw_params= */ } else if (strncmp(args,"hw_params=",10) == 0) { const char *params; args = strip(args+10); params= args; args = find_blank(args); opts->hw_type_params = copy_string(params, args-params); /* db="/data/base/path" */ } else if (strncmp(args,"db=",3) == 0) { const char *db; args = strip(args+3); if (*args != '"') { continue; } args++; db = args; args = find_token(args, '"', '\n'); opts->nss_db = copy_string(db,args-db); if (*args != 0) { args++; } } else args = find_blank(args); } while (*args != 0); return opts; } void vcard_emul_usage(void) { fprintf(stderr, "emul args: comma separated list of the following arguments\n" " db={nss_database} (default sql:/etc/pki/nssdb)\n" " use_hw=[yes|no] (default yes)\n" " hw_type={card_type_to_emulate} (default CAC)\n" " hw_param={param_for_card} (default \"\")\n" " soft=({slot_name},{vreader_name},{card_type_to_emulate},{params_for_card},\n" " {cert1},{cert2},{cert3} (default none)\n" "\n" " {nss_database} The location of the NSS cert & key database\n" " {card_type_to_emulate} What card interface to present to the guest\n" " {param_for_card} Card interface specific parameters\n" " {slot_name} NSS slot that contains the certs\n" " {vreader_name} Virutal reader name to present to the guest\n" " {certN} Nickname of the certificate n on the virtual card\n" "\n" "These parameters come as a single string separated by blanks or newlines." "\n" "Unless use_hw is set to no, all tokens that look like removable hardware\n" "tokens will be presented to the guest using the emulator specified by \n" "hw_type, and parameters of hw_param.\n" "\n" "If more one or more soft= parameters are specified, these readers will be\n" "presented to the guest\n"); }