surfer/swisssurfer/src/smartcardauth.hxx

#ifndef SMARTCARDAUTH_H
#define SMARTCARDAUTH_H

#include <QtCore/QMutex>
#include <QtNetwork/QSslSocket>
#include <QtNetwork/QSslConfiguration>
#include <QtNetwork/QSslCertificate>
#include <QtGui/QMessageBox>

#include <pinentry.hxx>

#include <cryptoki.hxx>
#include <openssl-engine.hxx>
#include <openssl.hxx>

#include <memory>

class CryptokiEngine: public openssl::Engine {
  public:
    CryptokiEngine(std::string lib):
        _cryptoki(lib) {
      OPENSSL_LOG("log");
      QSslConfiguration sslConfig(QSslConfiguration::defaultConfiguration());
      QList<QSslCertificate> cacerts(sslConfig.caCertificates());
      QList<QSslCertificate> authcerts;
      QList<QSslCertificate> allcerts;
      QSslCertificate cert;
      _slots = _cryptoki.slotList();
      for (cryptoki::SlotList::iterator slot(_slots.begin());
           slot!=_slots.end() && _pin.isEmpty(); ++slot) {
        _session =
          std::auto_ptr<cryptoki::Session>(new cryptoki::Session(*slot));
        cryptoki::ObjectList certs(_session->find
                                   (cryptoki::Attribute(CKA_CLASS)
                                    .from<CK_OBJECT_CLASS>(CKO_CERTIFICATE)));
        for (cryptoki::ObjectList::iterator cert(certs.begin());
             cert!=certs.end() && _pin.isEmpty(); ++cert) {
          cryptoki::Attribute label(cert->attribute(CKA_LABEL));
          cryptoki::Attribute id(cert->attribute(CKA_ID));
          OPENSSL_LOG("**** FOUND CERTIFICATE: "<<label.value);
          cryptoki::ObjectList keys
            (_session->find(cryptoki::Attribute(CKA_CLASS)
                            .from<CK_OBJECT_CLASS>(CKO_PUBLIC_KEY),
                          id));
          OPENSSL_LOG("**** with keys: "<<keys.size());
          if (!keys.size()) { // add CA-certificate
            OPENSSL_LOG("**** add to CA-certificates");
            std::string data(cert->attribute(CKA_VALUE).value);
            cacerts.push_back(QSslCertificate
                              (QByteArray(data.data(), data.size()),
                               QSsl::Der));
          } else {
            OPENSSL_LOG("**** user cert, check for authentictaion");
            if (label.value.find("auth")==0 ||
                label.value.find("Authentication")!=std::string::npos) {
              OPENSSL_LOG("**** it's our authentication cert");
              std::string data(cert->attribute(CKA_VALUE).value);
              QSslCertificate c(QByteArray(data.data(), data.size()),
                                QSsl::Der);
              PinEntry pinEntry(c); /*! @todo set widget */
              while (pinEntry.exec()==PinEntry::Accepted)
                try {
                  cryptoki::Attribute value(cert->attribute(CKA_VALUE));
                  _cert = std::auto_ptr<openssl::X509>
                    (new openssl::X509(value.value));
                  _session->login(pinEntry.pin().toStdString());
                  cryptoki::ObjectList keys
                    (_session->find(cryptoki::Attribute(CKA_CLASS)
                                    .from<CK_OBJECT_CLASS>(CKO_PRIVATE_KEY),
                                    id));
                  if (keys.size()==1) {
                    OPENSSL_LOG("**** found one private key");
                    _privateKeys = keys;
                    _modulus = keys[0].attribute(CKA_MODULUS).value;
                    _exponent = keys[0].attribute(CKA_PUBLIC_EXPONENT).value;
                  }
                  _pin = pinEntry.pin();
                  break;
                } catch (std::exception& x) {
                  _pin.clear();
                  OPENSSL_LOG("**** ERROR"<<x.what());
                  QMessageBox::critical(0, QMessageBox::tr("Wrong PIN"),
                                        QMessageBox::tr("Authentication failed,"
                                                        " please try again."));
                }
            } else {
              OPENSSL_LOG("**** it's not our authentication cert; ignore");
            }
            //! @todo show certificate dialog
            // std::string data(cert->attribute(CKA_VALUE).value);
            // allcerts.push_back(QSslCertificate
            //                    (QByteArray(data.data(), data.size()),
            //                     QSsl::Der));
            // if (label.value.find("auth")==0) {
            //   authcerts.push_back(*allcerts.rbegin());
            // }
          }
        }
      }
      sslConfig.setCaCertificates(cacerts);
    }
    //! Was initialization successful?
    operator bool() {
      return !_pin.isEmpty() && _cert.get() && _session.get();
    }
    const openssl::X509& cert() {
      return *_cert;
    }
    virtual EVP_PKEY* privkey(const char* id, UI_METHOD*, void*) {
      OPENSSL_LOG("log");
      EVP_PKEY* k(EVP_PKEY_new());
      RSA* r(RSA_new_method(_e));
      r->n = BN_bin2bn((const unsigned char*)_modulus.data(),
                       _modulus.size(), r->n);
      r->e = BN_bin2bn((const unsigned char*)_exponent.data(),
                       _exponent.size(), r->e);
      // otherwise OpenSSL emulates sign/verify with encrypt/decrypt
      r->flags |= RSA_FLAG_SIGN_VER;
      EVP_PKEY_set1_RSA(k, r);
      OPENSSL_LOG("RSA_free");
      RSA_free(r);
      return k;
    }

  protected:
    virtual const char* id() {
      OPENSSL_LOG("log");
      return "CryptokiEngine_ID";
    }
    virtual const char* name() {
      OPENSSL_LOG("log");
      return "CryptokiEngine_NAME";
    }
    virtual std::string rsaSign(const std::string& in, unsigned int type) {
      std::string inModded(in);
     
      OPENSSL_LOG("log");
      OPENSSL_LOG("type="<<type);
      // CK_MECHANISM_TYPE mech(0);
      // switch (type) {
      //   case NID_idea_ecb: mech=CKM_IDEA_ECB; break;
      //   default: throw("unknown key mechanism");
      // }

      //------------------------------------------------------------ PKCS11_sign
      int sigsize(openssl::BigNum(_modulus).size());
      {
        int ssl = ((type == NID_md5_sha1) ? 1 : 0);
	unsigned char *encoded = NULL;

	if (ssl) {
          OPENSSL_LOG("It's SSL");
          if((inModded.size() != 36) /* SHA1 + MD5 */ ||
             ((inModded.size() + RSA_PKCS1_PADDING_SIZE) > sigsize)) {
            throw std::runtime_error("the size is wrong");
          }
	} else {
          OPENSSL_LOG("It's not SSL");
          ASN1_TYPE parameter;
          parameter.type = V_ASN1_NULL;
          parameter.value.ptr = 0;
          X509_ALGOR algor;
          algor.algorithm = OBJ_nid2obj(type);
          algor.parameter = &parameter;
          ASN1_STRING digest;
          digest.data = (unsigned char *)inModded.data();
          digest.length = inModded.size();
          X509_SIG sig;
          sig.algor = &algor;
          sig.digest = &digest;
          int size (i2d_X509_SIG(&sig, 0));
          if (!algor.algorithm) throw std::runtime_error("algor wrong nid");
          if (!algor.algorithm->length)
            throw std::runtime_error("algor length");
          if (size) throw std::runtime_error("digest size");
          if (size + RSA_PKCS1_PADDING_SIZE < sigsize)
            throw std::runtime_error("incompatible size");
          unsigned char* buf(new unsigned char[size]);
          i2d_X509_SIG(&sig, &buf);
          inModded.assign((char*)buf, size);
          delete[] buf;
	}
      }
      
      //------------------------------------------------- PKCS11_private_encrypt
      {
        char padding(RSA_PKCS1_PADDING);

	if ((inModded.size() + RSA_PKCS1_PADDING_SIZE) > sigsize)
          throw std::runtime_error("the size is wrong");
      }

      //-----------------------------------------------------------------------
      if (in!=inModded)
        OPENSSL_LOG("changed input"<<std::endl
                    <<"from:"<<std::endl
                    <<crypto::readable(in)<<std::endl
                    <<"to:"<<std::endl
                    <<crypto::readable(inModded));
      return _privateKeys[0].sign(inModded, CKM_RSA_PKCS);
    }
  private:
    cryptoki::Init _cryptoki;
    cryptoki::SlotList _slots;
    std::auto_ptr<cryptoki::Session> _session;
    QString _pin;
    std::auto_ptr<openssl::X509> _cert;
    std::string _modulus;
    std::string _exponent;
    cryptoki::ObjectList _privateKeys;
};

class SmartCardAuth: public QObject {
    Q_OBJECT;
    
  public:

    SmartCardAuth(const QString& lib):
        _reg(e(lib)) {
      qDebug()<<__PRETTY_FUNCTION__;
    }

  private Q_SLOTS:
      
    void extendedContextInitialization(ssl_ctx_st* ctx, QSslSocket* socket) {
      qDebug()<<__PRETTY_FUNCTION__;
      if (!*e()) return; // no certificate found
      SSL_CTX_set_client_cert_cb(ctx, clientCert);
    }

    static int clientCert(SSL* ssl, X509 **x509, EVP_PKEY **pkey) {
      qDebug()<<"*** A "<<__PRETTY_FUNCTION__;
      *x509 = e()->cert().lowLevelCopy();
      qDebug()<<"*** B "<<__PRETTY_FUNCTION__;
      *pkey = e()->privkey(0, 0, 0);
      qDebug()<<"*** C "<<__PRETTY_FUNCTION__;
      return 1;
    }

    static CryptokiEngine* e(const QString& lib = QString()) {
      static CryptokiEngine* _e(new CryptokiEngine(lib.toStdString()));
      return _e;
    }

  private:

    openssl::RegisterEngine _reg;
    //std::map<ssl_ctx_st*, QSslSocket*> sockets;

};

#endif // SMARTCARDAUTH_H
it works; closes #8 14 years ago			`#ifndef SMARTCARDAUTH_H`
			`#define SMARTCARDAUTH_H`

			`#include <QtCore/QMutex>`
some slots are disfunctional; refs #13 closes #15 14 years ago			`#include <QtNetwork/QSslSocket>`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`#include <QtNetwork/QSslConfiguration>`
			`#include <QtNetwork/QSslCertificate>`
			`#include <QtGui/QMessageBox>`
it works; closes #8 14 years ago
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`#include <pinentry.hxx>`

			`#include <cryptoki.hxx>`
			`#include <openssl-engine.hxx>`
			`#include <openssl.hxx>`

			`#include <memory>`

			`class CryptokiEngine: public openssl::Engine {`
			`public:`
			`CryptokiEngine(std::string lib):`
			`_cryptoki(lib) {`
			`OPENSSL_LOG("log");`
			`QSslConfiguration sslConfig(QSslConfiguration::defaultConfiguration());`
			`QList<QSslCertificate> cacerts(sslConfig.caCertificates());`
			`QList<QSslCertificate> authcerts;`
			`QList<QSslCertificate> allcerts;`
			`QSslCertificate cert;`
			`_slots = _cryptoki.slotList();`
			`for (cryptoki::SlotList::iterator slot(_slots.begin());`
			`slot!=_slots.end() && _pin.isEmpty(); ++slot) {`
			`_session =`
			`std::auto_ptr<cryptoki::Session>(new cryptoki::Session(*slot));`
			`cryptoki::ObjectList certs(_session->find`
			`(cryptoki::Attribute(CKA_CLASS)`
			`.from<CK_OBJECT_CLASS>(CKO_CERTIFICATE)));`
			`for (cryptoki::ObjectList::iterator cert(certs.begin());`
			`cert!=certs.end() && _pin.isEmpty(); ++cert) {`
			`cryptoki::Attribute label(cert->attribute(CKA_LABEL));`
			`cryptoki::Attribute id(cert->attribute(CKA_ID));`
			`OPENSSL_LOG("**** FOUND CERTIFICATE: "<<label.value);`
			`cryptoki::ObjectList keys`
			`(_session->find(cryptoki::Attribute(CKA_CLASS)`
			`.from<CK_OBJECT_CLASS>(CKO_PUBLIC_KEY),`
			`id));`
			`OPENSSL_LOG("**** with keys: "<<keys.size());`
			`if (!keys.size()) { // add CA-certificate`
find SuisseID certs; refs #32 14 years ago			`OPENSSL_LOG("**** add to CA-certificates");`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`std::string data(cert->attribute(CKA_VALUE).value);`
			`cacerts.push_back(QSslCertificate`
			`(QByteArray(data.data(), data.size()),`
			`QSsl::Der));`
			`} else {`
find SuisseID certs; refs #32 14 years ago			`OPENSSL_LOG("**** user cert, check for authentictaion");`
find SuisseID certs; refs #32 14 years ago			`if (label.value.find("auth")==0 \|\|`
find SuisseID certs; refs #32 14 years ago			`label.value.find("Authentication")!=std::string::npos) {`
			`OPENSSL_LOG("**** it's our authentication cert");`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`std::string data(cert->attribute(CKA_VALUE).value);`
			`QSslCertificate c(QByteArray(data.data(), data.size()),`
			`QSsl::Der);`
			`PinEntry pinEntry(c); /! @todo set widget /`
			`while (pinEntry.exec()==PinEntry::Accepted)`
			`try {`
			`cryptoki::Attribute value(cert->attribute(CKA_VALUE));`
			`_cert = std::auto_ptr<openssl::X509>`
			`(new openssl::X509(value.value));`
			`_session->login(pinEntry.pin().toStdString());`
			`cryptoki::ObjectList keys`
			`(_session->find(cryptoki::Attribute(CKA_CLASS)`
			`.from<CK_OBJECT_CLASS>(CKO_PRIVATE_KEY),`
			`id));`
			`if (keys.size()==1) {`
			`OPENSSL_LOG("**** found one private key");`
			`_privateKeys = keys;`
			`_modulus = keys[0].attribute(CKA_MODULUS).value;`
			`_exponent = keys[0].attribute(CKA_PUBLIC_EXPONENT).value;`
			`}`
			`_pin = pinEntry.pin();`
			`break;`
			`} catch (std::exception& x) {`
			`_pin.clear();`
			`OPENSSL_LOG("**** ERROR"<<x.what());`
			`QMessageBox::critical(0, QMessageBox::tr("Wrong PIN"),`
			`QMessageBox::tr("Authentication failed,"`
			`" please try again."));`
			`}`
find SuisseID certs; refs #32 14 years ago			`} else {`
			`OPENSSL_LOG("**** it's not our authentication cert; ignore");`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`}`
			`//! @todo show certificate dialog`
			`// std::string data(cert->attribute(CKA_VALUE).value);`
			`// allcerts.push_back(QSslCertificate`
			`// (QByteArray(data.data(), data.size()),`
			`// QSsl::Der));`
			`// if (label.value.find("auth")==0) {`
			`// authcerts.push_back(*allcerts.rbegin());`
			`// }`
			`}`
			`}`
			`}`
			`sslConfig.setCaCertificates(cacerts);`
			`}`
			`//! Was initialization successful?`
			`operator bool() {`
			`return !_pin.isEmpty() && _cert.get() && _session.get();`
			`}`
			`const openssl::X509& cert() {`
			`return *_cert;`
			`}`
			`virtual EVP_PKEY* privkey(const char* id, UI_METHOD, void) {`
log rsa free, new -g option; refs #32 14 years ago			`OPENSSL_LOG("log");`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`EVP_PKEY* k(EVP_PKEY_new());`
			`RSA* r(RSA_new_method(_e));`
			`r->n = BN_bin2bn((const unsigned char*)_modulus.data(),`
			`_modulus.size(), r->n);`
			`r->e = BN_bin2bn((const unsigned char*)_exponent.data(),`
			`_exponent.size(), r->e);`
			`// otherwise OpenSSL emulates sign/verify with encrypt/decrypt`
			`r->flags \|= RSA_FLAG_SIGN_VER;`
			`EVP_PKEY_set1_RSA(k, r);`
log rsa free, new -g option; refs #32 14 years ago			`OPENSSL_LOG("RSA_free");`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`RSA_free(r);`
			`return k;`
			`}`

			`protected:`
			`virtual const char* id() {`
			`OPENSSL_LOG("log");`
			`return "CryptokiEngine_ID";`
			`}`
			`virtual const char* name() {`
			`OPENSSL_LOG("log");`
			`return "CryptokiEngine_NAME";`
			`}`
			`virtual std::string rsaSign(const std::string& in, unsigned int type) {`
			`std::string inModded(in);`

			`OPENSSL_LOG("log");`
			`OPENSSL_LOG("type="<<type);`
			`// CK_MECHANISM_TYPE mech(0);`
			`// switch (type) {`
			`// case NID_idea_ecb: mech=CKM_IDEA_ECB; break;`
			`// default: throw("unknown key mechanism");`
			`// }`

			`//------------------------------------------------------------ PKCS11_sign`
			`int sigsize(openssl::BigNum(_modulus).size());`
			`{`
			`int ssl = ((type == NID_md5_sha1) ? 1 : 0);`
			`unsigned char *encoded = NULL;`

			`if (ssl) {`
			`OPENSSL_LOG("It's SSL");`
			`if((inModded.size() != 36) /* SHA1 + MD5 */ \|\|`
			`((inModded.size() + RSA_PKCS1_PADDING_SIZE) > sigsize)) {`
			`throw std::runtime_error("the size is wrong");`
			`}`
			`} else {`
			`OPENSSL_LOG("It's not SSL");`
			`ASN1_TYPE parameter;`
			`parameter.type = V_ASN1_NULL;`
			`parameter.value.ptr = 0;`
			`X509_ALGOR algor;`
			`algor.algorithm = OBJ_nid2obj(type);`
			`algor.parameter = &parameter;`
			`ASN1_STRING digest;`
			`digest.data = (unsigned char *)inModded.data();`
			`digest.length = inModded.size();`
			`X509_SIG sig;`
			`sig.algor = &algor;`
			`sig.digest = &digest;`
			`int size (i2d_X509_SIG(&sig, 0));`
			`if (!algor.algorithm) throw std::runtime_error("algor wrong nid");`
			`if (!algor.algorithm->length)`
			`throw std::runtime_error("algor length");`
			`if (size) throw std::runtime_error("digest size");`
			`if (size + RSA_PKCS1_PADDING_SIZE < sigsize)`
			`throw std::runtime_error("incompatible size");`
			`unsigned char* buf(new unsigned char[size]);`
			`i2d_X509_SIG(&sig, &buf);`
			`inModded.assign((char*)buf, size);`
			`delete[] buf;`
			`}`
			`}`

			`//------------------------------------------------- PKCS11_private_encrypt`
			`{`
			`char padding(RSA_PKCS1_PADDING);`

			`if ((inModded.size() + RSA_PKCS1_PADDING_SIZE) > sigsize)`
			`throw std::runtime_error("the size is wrong");`
			`}`

			`//-----------------------------------------------------------------------`
			`if (in!=inModded)`
			`OPENSSL_LOG("changed input"<<std::endl`
			`<<"from:"<<std::endl`
			`<<crypto::readable(in)<<std::endl`
			`<<"to:"<<std::endl`
			`<<crypto::readable(inModded));`
			`return _privateKeys[0].sign(inModded, CKM_RSA_PKCS);`
			`}`
			`private:`
			`cryptoki::Init _cryptoki;`
			`cryptoki::SlotList _slots;`
			`std::auto_ptr<cryptoki::Session> _session;`
			`QString _pin;`
			`std::auto_ptr<openssl::X509> _cert;`
			`std::string _modulus;`
			`std::string _exponent;`
			`cryptoki::ObjectList _privateKeys;`
			`};`
it works; closes #8 14 years ago
closes #12 14 years ago			`class SmartCardAuth: public QObject {`
			`Q_OBJECT;`

			`public:`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago
			`SmartCardAuth(const QString& lib):`
			`_reg(e(lib)) {`
			`qDebug()<<__PRETTY_FUNCTION__;`
			`}`
it works; closes #8 14 years ago
closes #12 14 years ago			`private Q_SLOTS:`

first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`void extendedContextInitialization(ssl_ctx_st* ctx, QSslSocket* socket) {`
			`qDebug()<<__PRETTY_FUNCTION__;`
			`if (!*e()) return; // no certificate found`
			`SSL_CTX_set_client_cert_cb(ctx, clientCert);`
			`}`

			`static int clientCert(SSL* ssl, X509 x509, EVP_PKEY pkey) {`
find SuisseID certs; refs #32 14 years ago			`qDebug()<<"*** A "<<__PRETTY_FUNCTION__;`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`*x509 = e()->cert().lowLevelCopy();`
find SuisseID certs; refs #32 14 years ago			`qDebug()<<"*** B "<<__PRETTY_FUNCTION__;`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`*pkey = e()->privkey(0, 0, 0);`
find SuisseID certs; refs #32 14 years ago			`qDebug()<<"*** C "<<__PRETTY_FUNCTION__;`
first working implementaiion; to be improved; refs #32, closes #28, closes #29 14 years ago			`return 1;`
			`}`

			`static CryptokiEngine* e(const QString& lib = QString()) {`
			`static CryptokiEngine* _e(new CryptokiEngine(lib.toStdString()));`
			`return _e;`
			`}`

			`private:`

			`openssl::RegisterEngine _reg;`
			`//std::map<ssl_ctx_st, QSslSocket> sockets;`
it works; closes #8 14 years ago
			`};`

			`#endif // SMARTCARDAUTH_H`