A simple Qt based browser with no bullshit that supports PKCS#11 tokens (such as the SuisseID).
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

343 lines
12 KiB

#ifndef SMARTCARDAUTH_H
#define SMARTCARDAUTH_H
#include <QtCore/QMutex>
#include <QtCore/QWaitCondition>
#include <QtNetwork/QSslSocket>
#include <QtNetwork/QSslConfiguration>
#include <QtNetwork/QSslCertificate>
#include <QtNetwork/QSslKey>
#include <QtGui/QMessageBox>
#include <pinentry.hxx>
#include <cryptoki.hxx>
#include <pcsc.hxx>
#include <openssl-engine.hxx>
#include <openssl.hxx>
#include <memory>
#ifndef LOG
#define LOG qDebug()<<__PRETTY_FUNCTION__
#endif
class CryptokiEngine: public QObject, public openssl::Engine {
Q_OBJECT;
Q_SIGNALS:
void certRequired();
public:
CryptokiEngine(std::string lib):
_cryptoki(lib) {
LOG;
}
operator bool() {
LOG<<"Status of CryptokiEngine: "
<<(_privateKey.get()
?"privateKey defined, ":"privateKey undefined");
return _privateKey.get();
}
cryptoki::Init& cryptoki() {
return _cryptoki;
}
void cert(cryptoki::Object& privateKey, const std::string& certVal) {
LOG;
_privateKey = std::auto_ptr<cryptoki::Object>
(new cryptoki::Object(privateKey));
try { // new
QSslConfiguration sslConfig(QSslConfiguration::defaultConfiguration());
QSslCertificate localcert(QByteArray(certVal.data(),
certVal.size()),
QSsl::Der);
sslConfig.setLocalCertificate(localcert);
assert(localcert.isValid());
//RSA_set_default_method(ENGINE_get_RSA(_e));
QByteArray pem // empty dummy key for qt object instantiation
("-----BEGIN RSA PRIVATE KEY-----\n"
"MIIBOwIBAAJBAMH2yqAGeVNPdgeZ2GoHo31m9aUxZ7QfK2Go2qLTahLpQ3UL1C8G\n"
"LkuMS8SNK0ZGfRMalIpIhv6bW5l3kjogOncCAwEAAQJABVGECtFCoGMsZFb2lSmy\n"
"dOzOzYHGSy0TnnDn1dEgNnZ8sIljElPtUzm9dyXs2P3ICL1sOd7qjpzfJeyxknDL\n"
"AQIhAO5iKdLmhyuW+EDEH19vDs1Pmqs3/ZnT5UgUiJnTJqz3AiEA0ExIfUOCnxq2\n"
"a3Z46KEivcr8JB2P9VqouBbVryiq/oECIQDj8bPCejMoiEzMSX0iWWTTB9qC/KAg\n"
"FtF4skHIrXKfEwIgPCs86Uo+Ch2aQjKHvJMHSRHAgeI0OmiEwiB+e0lhE4ECIQDd\n"
"IbUmHIXt6oHLJmoGFX46bCcfil5eE5FXfiaw7Q9iPw==\n"
"-----END RSA PRIVATE KEY-----\n");
QSslKey privkey(pem, QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey);
RSA* rsa((RSA*)privkey.handle());
if (!ENGINE_init(_e)) return;
rsa->engine=_e;
rsa->meth=ENGINE_get_RSA(_e);
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, rsa, &rsa->ex_data)) {
ENGINE_finish(_e);
return;
}
set(rsa->n, privateKey, CKA_MODULUS, "CKA_MODULUS");
set(rsa->e, privateKey, CKA_PUBLIC_EXPONENT, "CKA_PUBLIC_EXPONENT");
set(rsa->d, privateKey, CKA_PRIVATE_EXPONENT, "CKA_PRIVATE_EXPONENT");
set(rsa->p, privateKey, CKA_PRIME_1, "CKA_PRIME_1");
set(rsa->q, privateKey, CKA_PRIME_2, "CKA_PRIME_2");
set(rsa->dmp1, privateKey, CKA_EXPONENT_1, "CKA_EXPONENT_1");
set(rsa->dmq1, privateKey, CKA_EXPONENT_2, "CKA_EXPONENT_2");
set(rsa->iqmp, privateKey, CKA_COEFFICIENT, "CKA_COEFFICIENT");
rsa->flags |= RSA_FLAG_SIGN_VER; // don't emulate with encrypt/decrypt
assert(!privkey.isNull());
LOG<<"Setup RSA finished";
sslConfig.setPrivateKey(privkey);
QSslConfiguration::setDefaultConfiguration(sslConfig);
} catch (const std::exception& e) {
LOG<<"SETUP ERROR: "<<e.what();
}
}
protected:
void set(BIGNUM*& num, cryptoki::Object& key, int type, std::string name) {
try {
std::string value(key.attribute(type).value);
num = BN_bin2bn((const unsigned char*)value.data(),
value.size(), num);
} catch (const std::exception& x) {
LOG<<"**** ERROR: key attribute missing:"<<name.c_str()<<x.what();
}
}
virtual const char* id() {
LOG;
return "CryptokiEngine_ID";
}
virtual const char* name() {
LOG;
return "CryptokiEngine_NAME";
}
virtual std::string rsaSign(const std::string& in, unsigned int type) {
LOG<<"log; type="<<type<<"; size="<<in.size();
LOG<<crypto::readable(in).c_str();
if (type != NID_md5_sha1) throw std::runtime_error("wrong sign type");
if (in.size() != 36) throw std::runtime_error("wrong msg size to sign");
LOG<<"ready to sign";
try {
return _privateKey->sign(in, CKM_RSA_PKCS);
} catch (const std::exception& x) {
certRequired(); // get new certificate
return _privateKey->sign(in, CKM_RSA_PKCS); // try again
}
}
private:
cryptoki::Init _cryptoki;
std::auto_ptr<cryptoki::Object> _privateKey;
};
class SmartCardAuth: public QObject {
Q_OBJECT;
public:
SmartCardAuth(const QString& lib, QWidget* p=0, bool loginAtStart=true):
_parent(p), _e(new CryptokiEngine(lib.toStdString())), _reg(_e) {
LOG;
if (loginAtStart) login();
assert(connect(_e, SIGNAL(certRequired()), SLOT(login())));
}
public Q_SLOTS:
void login(bool force=true) {
try {
LOG;
Lock lock;
LOG<<"got lock";
if (!_e || (!force && *_e)) return; // no smartcard or already logged in
LOG<<"start login to smartcard";
QList<CertInfo> authcerts;
QList<CertInfo> allcerts;
QSslConfiguration sslConfig(QSslConfiguration::defaultConfiguration());
_slots = _e->cryptoki().slotList();
LOG<<"number of slots"<<_slots.size();
// look for login certificates ----------------------------------------
for (cryptoki::SlotList::iterator slot(_slots.begin());
slot!=_slots.end(); ++slot) {
cryptoki::Session session(*slot);
cryptoki::ObjectList certs(session.find
(cryptoki::Attribute(CKA_CLASS)
.from<CK_OBJECT_CLASS>(CKO_CERTIFICATE)));
for (cryptoki::ObjectList::iterator cert(certs.begin());
cert!=certs.end(); ++cert) {
cryptoki::Attribute label(cert->attribute(CKA_LABEL));
cryptoki::Attribute id(cert->attribute(CKA_ID));
LOG<<"**** FOUND CERTIFICATE: "<<label.value.c_str();
cryptoki::ObjectList keys
(session.find(cryptoki::Attribute(CKA_CLASS)
.from<CK_OBJECT_CLASS>(CKO_PUBLIC_KEY),
id));
LOG<<"**** with keys: "<<keys.size();
std::string data(cert->attribute(CKA_VALUE).value);
if (!keys.size()) { // add CA-certificate
LOG<<"**** add to CA-certificates";
} else {
LOG<<"**** user cert, check for authentictaion";
if (label.value.find("auth")==0 ||
label.value.find("Authentication")!=std::string::npos) {
LOG<<"**** it's our authentication cert";
authcerts.push_back(CertInfo(data, slot, id));
} else {
LOG<<"**** it's an unknown cert";
allcerts.push_back(CertInfo(data, slot, id));
}
}
}
}
// get pin and install client certificate ------------------------------
LOG<<"00000000000000000000000000000000000000000000000000";
if (!authcerts.isEmpty() || !allcerts.isEmpty()) {
LOG<<"11111111111111111111111111111111111111111111111111";
CertInfo c(authcerts.size()?authcerts[0]:allcerts[0]);
PinEntry pinEntry(QSslCertificate(QByteArray(c.data.data(),
c.data.size()),
QSsl::Der), _parent);
while (true) try {
LOG<<"******************************************1*******";
pinEntry.retries(retries(c.slot->slotinfo().slotDescription));
LOG<<"******************************************2*******";
int res(pinEntry.myexec());
LOG<<"******************************************3*******";
if (res!=PinEntry::Accepted) return;
LOG<<"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
_session = // session login with pin
std::auto_ptr<cryptoki::Session>
(new cryptoki::Session(*c.slot));
LOG<<"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
_session->login(pinEntry.pin().toStdString());
LOG<<"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC";
cryptoki::ObjectList keys
(_session->find(cryptoki::Attribute(CKA_CLASS)
.from<CK_OBJECT_CLASS>(CKO_PRIVATE_KEY),
c.id));
LOG<<"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD";
if (keys.size()==1) {
LOG<<"**** found one private key";
_e->cert(keys[0], c.data); // install client cert
LOG<<"==================================================";
break;
}
LOG<<"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
} catch (std::exception& x) {
pinEntry.pin().clear();
LOG<<"**** ERROR"<<x.what();
QMessageBox::critical(0, QMessageBox::tr("Wrong PIN"),
QMessageBox::tr("Authentication failed,"
" please try again."));
}
}
LOG<<"YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY";
} catch (std::exception& x) {
LOG<<"**** ERROR"<<x.what();
throw;
}
LOG<<"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ";
}
private:
int retries(const std::string& name) try {
LOG<<name.c_str();
pcsc::Connection pcsc;
pcsc::Connection::Reader& reader(pcsc.reader(name));
#ifndef Q_OS_MAC
pcsc::Connection::Reader::Transaction lock(reader);
#endif
// first try to read version info
if (reader.transmit(0x00, 0xA4, 0x08, 0x0C, "\x3f\x00\x56\x49", 4)
!= std::string("\x90\x00", 2) || !reader) {
LOG<<"Select File failed";
return -2;
}
std::string res(reader.transmit(0x00, 0xB0, 0x00, 0x00));
if (res.substr(res.size()-2)!=std::string("\x90\x00", 2)) {
LOG<<"read error";
return -2;
}
LOG<<"version text is: "<<res.substr(4, res[3]).c_str();
// if (res.substr(4, res[3]) != "RAPost 2009" &&
// res.substr(4, res[3]) != "RAPost 2010") {
// LOG<<"unsupported card";
// return -2;
// }
if (retCode(reader.transmit(0x00, 0xA4, 0x00, 0x0C)) == 0x9000) {
int value(retCode(reader.transmit(0x00, 0x20, 0x00, 0x81)));
if ((value&0x63C0)==0x63C0) return value&0x0F;
} else {
LOG<<"**** ERROR in select MF while reading pin status";
}
return -1; // locked
} catch (const std::exception& x) {
LOG<<"**** ERROR while reading pin status: "<<x.what();
return -2;
}
int retCode(const std::string& res) {
if (res.size()>=2)
return ((((unsigned int)(unsigned char)res[res.size()-2])*256)
+((unsigned int)(unsigned char)res[res.size()-1]));
else
return -1;
}
private:
struct CertInfo {
CertInfo(std::string d, cryptoki::SlotList::iterator s,
cryptoki::Attribute i):
data(d), slot(s), id(i) {
}
std::string data;
cryptoki::SlotList::iterator slot;
cryptoki::Attribute id;
};
class Lock {
public:
Lock() {
LOG<<loops().size();
loops().append(new QEventLoop); // add to queue
if (loops().size()>1) loops().back()->exec(); // wait
}
~Lock() {
LOG<<loops().size();
delete loops().front(); // mine is the first;
loops().erase(loops().begin()); // mine is the first;
if (loops().begin()!=loops().end())
loops().front()->exit(0); // wake up next
}
private:
QList<QEventLoop*>& loops() { // same as a static member variable
static QList<QEventLoop*> _loops;
return _loops;
}
};
private:
QWidget* _parent;
CryptokiEngine* _e;
openssl::RegisterEngine<CryptokiEngine> _reg;
cryptoki::SlotList _slots;
std::auto_ptr<cryptoki::Session> _session;
};
#endif // SMARTCARDAUTH_H