CIE-Middleware-RPM-Package/cie-middleware-FirmaConCIE-fix-error-path.patch at main · Leuca/CIE-Middleware-RPM-Package · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
From 6a6063b122eea07acedd2af05b2213ec670170a6 Mon Sep 17 00:00:00 2001
From: Luca Magrone <luca@magrone.cc>
Date: Fri, 1 Nov 2024 15:48:20 +0100
Subject: [PATCH] CSP: firmaConCIE: fix error path

Currently the code tries to make a signature with every token in every
card reader. This way if there are multiple tokens (either CIEs or not)
the signature can be completed but an error pops up to the user wich is bad
UX. Furthermore if an unrecognised token or a wrong CIE is evaluated
before the correct CIE the function fails, which should not.

Keep looking up for the correct CIE until all card readers are evaluated.
Do not immediately fail if an unrecognised token is found.
Fail on PAN mismatch only if the mismatch happens on every CIE.
Stop looking if the correct CIE is found.

Also free allocated resources before returning.

Signed-off-by: Luca Magrone <luca@magrone.cc>
---
 cie-pkcs11/CSP/FirmaConCIE.cpp | 45 +++++++++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 4 deletions(-)

diff --git a/cie-pkcs11/CSP/FirmaConCIE.cpp b/cie-pkcs11/CSP/FirmaConCIE.cpp
index 050d282..9e3b961 100644
--- a/cie-pkcs11/CSP/FirmaConCIE.cpp
+++ b/cie-pkcs11/CSP/FirmaConCIE.cpp
@@ -10,6 +10,7 @@
 #include "../PKCS11/PKCS11Functions.h"
 #include "../PKCS11/Slot.h"
 #include "../Util/ModuleInfo.h"
+#include "../Util/UtilException.h"
 #include "../PCSC/PCSC.h"
 #include "../Crypto/ASNParser.h"
 #include "../Sign/CIESign.h"
@@ -34,6 +35,7 @@ CK_RV CK_ENTRY firmaConCIE(const char* inFilePath, const char* type, const char*

     char* readers = NULL;
     char* ATR = NULL;
+    bool panMismatch = false;
     try
     {
         std::map<uint8_t, ByteDynArray> hashSet;
@@ -96,12 +98,23 @@ CK_RV CK_ENTRY firmaConCIE(const char* inFilePath, const char* type, const char*
             IAS* ias = new IAS((CToken::TokenTransmitCallback)TokenTransmitCallback, atrBa);
             ias->SetCardContext(&conn);

-            foundCIE = false;
             ias->token.Reset();
-            ias->SelectAID_IAS();
+            // Continue looking for a CIE if the token is unrecognised
+            try
+            {
+                ias->SelectAID_IAS();
+            }
+            catch(logged_error &err)
+            {
+                free(ATR);
+                ATR = NULL;
+                delete ias;
+                continue;
+            }
             ias->ReadPAN();

-            foundCIE = true;
+            if (!foundCIE)
+                foundCIE = true;
             ByteDynArray IntAuth;
             ias->SelectAID_CIE();
             ias->ReadDappPubKey(IntAuth);
@@ -112,9 +125,14 @@ CK_RV CK_ENTRY firmaConCIE(const char* inFilePath, const char* type, const char*
             ias->ReadIdServizi(IdServizi);
             ByteArray baPan = ByteArray((uint8_t*)pan, strlen(pan));

+            // Check for pan mismatch and continue search in such case
             if (memcmp(baPan.data(), IdServizi.data(), IdServizi.size()) != 0)
             {
-                return CARD_PAN_MISMATCH;
+                panMismatch = true;
+                free(ATR);
+                ATR = NULL;
+                delete ias;
+                continue;
             }

             ByteDynArray FullPIN;
@@ -134,9 +152,17 @@ CK_RV CK_ENTRY firmaConCIE(const char* inFilePath, const char* type, const char*
             uint16_t ret = cieSign->sign(inFilePath, type, fullPinCStr, page, x, y, w, h, imagePathFile, outFilePath);
             if((ret & (0x63C0)) == 0x63C0)
             {
+                free(readers);
+                free(ATR);
+                delete ias;
+                delete cieSign;
                 return CKR_PIN_INCORRECT;
             }else if (ret == 0x6983)
             {
+                free(readers);
+                free(ATR);
+                delete ias;
+                delete cieSign;
                 return CKR_PIN_LOCKED;
             }

@@ -148,7 +174,14 @@ CK_RV CK_ENTRY firmaConCIE(const char* inFilePath, const char* type, const char*
             delete ias;
             delete cieSign;

+            // At this point if there has been a pan mismatch doesn't matter
+            if (panMismatch)
+                panMismatch = false;
+
             completedCallBack(ret);
+
+            // A this point a CIE has been found, stop looking for it
+            break;
         }

         if (!foundCIE) {
@@ -174,5 +207,9 @@ CK_RV CK_ENTRY firmaConCIE(const char* inFilePath, const char* type, const char*
         free(ATR);

     free(readers);
+
+    if (panMismatch)
+        return CARD_PAN_MISMATCH;
+
     return SCARD_S_SUCCESS;
 }
--
2.43.5