diff options
| author | Joey Castillo <jose.castillo@gmail.com> | 2015-05-06 13:08:03 -0400 |
|---|---|---|
| committer | Joey Castillo <jose.castillo@gmail.com> | 2015-05-12 14:44:26 -0400 |
| commit | 76241e90ad440bedaf40f148ba0584e06064096a (patch) | |
| tree | feee753bb557be2f4a589126097c8942525b8b2e /OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui | |
| parent | 5c44f8400970de5943fd6c5e804dfa394f3deb01 (diff) | |
| download | open-keychain-76241e90ad440bedaf40f148ba0584e06064096a.tar.gz open-keychain-76241e90ad440bedaf40f148ba0584e06064096a.tar.bz2 open-keychain-76241e90ad440bedaf40f148ba0584e06064096a.zip | |
Adding NFC Key to Card operation, accessible from Edit Key activity.
Diffstat (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui')
8 files changed, 457 insertions, 33 deletions
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java index e0b728bd4..45451bf38 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java @@ -17,6 +17,8 @@ package org.sufficientlysecure.keychain.ui; +import android.app.AlertDialog; +import android.content.DialogInterface; import android.content.Intent; import android.os.Bundle; import android.support.v4.app.Fragment; @@ -41,6 +43,7 @@ public class CreateKeyActivity extends BaseNfcActivity { public static final String EXTRA_FIRST_TIME = "first_time"; public static final String EXTRA_ADDITIONAL_EMAILS = "additional_emails"; public static final String EXTRA_PASSPHRASE = "passphrase"; + public static final String EXTRA_USE_SMART_CARD_SETTINGS = "use_smart_card_settings"; public static final String EXTRA_NFC_USER_ID = "nfc_user_id"; public static final String EXTRA_NFC_AID = "nfc_aid"; @@ -53,6 +56,7 @@ public class CreateKeyActivity extends BaseNfcActivity { ArrayList<String> mAdditionalEmails; Passphrase mPassphrase; boolean mFirstTime; + boolean mUseSmartCardSettings; Fragment mCurrentFragment; @@ -68,6 +72,7 @@ public class CreateKeyActivity extends BaseNfcActivity { mAdditionalEmails = savedInstanceState.getStringArrayList(EXTRA_ADDITIONAL_EMAILS); mPassphrase = savedInstanceState.getParcelable(EXTRA_PASSPHRASE); mFirstTime = savedInstanceState.getBoolean(EXTRA_FIRST_TIME); + mUseSmartCardSettings = savedInstanceState.getBoolean(EXTRA_USE_SMART_CARD_SETTINGS); mCurrentFragment = getSupportFragmentManager().findFragmentByTag(FRAGMENT_TAG); } else { @@ -77,6 +82,7 @@ public class CreateKeyActivity extends BaseNfcActivity { mName = intent.getStringExtra(EXTRA_NAME); mEmail = intent.getStringExtra(EXTRA_EMAIL); mFirstTime = intent.getBooleanExtra(EXTRA_FIRST_TIME, false); + mUseSmartCardSettings = intent.getBooleanExtra(EXTRA_USE_SMART_CARD_SETTINGS, false); if (intent.hasExtra(EXTRA_NFC_FINGERPRINTS)) { byte[] nfcFingerprints = intent.getByteArrayExtra(EXTRA_NFC_FINGERPRINTS); @@ -116,23 +122,45 @@ public class CreateKeyActivity extends BaseNfcActivity { byte[] nfcAid = nfcGetAid(); String userId = nfcGetUserId(); - try { - long masterKeyId = KeyFormattingUtils.getKeyIdFromFingerprint(scannedFingerprints); - CachedPublicKeyRing ring = new ProviderHelper(this).getCachedPublicKeyRing(masterKeyId); - ring.getMasterKeyId(); - - Intent intent = new Intent(this, ViewKeyActivity.class); - intent.setData(KeyRings.buildGenericKeyRingUri(masterKeyId)); - intent.putExtra(ViewKeyActivity.EXTRA_NFC_AID, nfcAid); - intent.putExtra(ViewKeyActivity.EXTRA_NFC_USER_ID, userId); - intent.putExtra(ViewKeyActivity.EXTRA_NFC_FINGERPRINTS, scannedFingerprints); - startActivity(intent); - finish(); - - } catch (PgpKeyNotFoundException e) { - Fragment frag = CreateKeyYubiKeyImportFragment.createInstance( - scannedFingerprints, nfcAid, userId); - loadFragment(frag, FragAction.TO_RIGHT); + // If all fingerprint bytes are 0, the card contains no keys. + boolean cardContainsKeys = false; + for (byte b : scannedFingerprints) { + if (b != 0) { + cardContainsKeys = true; + break; + } + } + + if (cardContainsKeys) { + try { + long masterKeyId = KeyFormattingUtils.getKeyIdFromFingerprint(scannedFingerprints); + CachedPublicKeyRing ring = new ProviderHelper(this).getCachedPublicKeyRing(masterKeyId); + ring.getMasterKeyId(); + + Intent intent = new Intent(this, ViewKeyActivity.class); + intent.setData(KeyRings.buildGenericKeyRingUri(masterKeyId)); + intent.putExtra(ViewKeyActivity.EXTRA_NFC_AID, nfcAid); + intent.putExtra(ViewKeyActivity.EXTRA_NFC_USER_ID, userId); + intent.putExtra(ViewKeyActivity.EXTRA_NFC_FINGERPRINTS, scannedFingerprints); + startActivity(intent); + finish(); + + } catch (PgpKeyNotFoundException e) { + Fragment frag = CreateKeyYubiKeyImportFragment.createInstance( + scannedFingerprints, nfcAid, userId); + loadFragment(frag, FragAction.TO_RIGHT); + } + } else { + AlertDialog.Builder builder = new AlertDialog.Builder(this); + builder.setTitle("Blank Smart Card / Yubikey Detected") + .setMessage("Would you like to generate a smart card compatible key?") + .setPositiveButton(android.R.string.yes, new DialogInterface.OnClickListener() { + @Override + public void onClick(DialogInterface dialog, int button) { + CreateKeyActivity.this.mUseSmartCardSettings = true; + } + }) + .setNegativeButton(android.R.string.no, null).show(); } } @@ -146,6 +174,7 @@ public class CreateKeyActivity extends BaseNfcActivity { outState.putStringArrayList(EXTRA_ADDITIONAL_EMAILS, mAdditionalEmails); outState.putParcelable(EXTRA_PASSPHRASE, mPassphrase); outState.putBoolean(EXTRA_FIRST_TIME, mFirstTime); + outState.putBoolean(EXTRA_USE_SMART_CARD_SETTINGS, mUseSmartCardSettings); } @Override diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java index b0a13c897..84962915b 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java @@ -163,12 +163,22 @@ public class CreateKeyFinalFragment extends Fragment { if (mSaveKeyringParcel == null) { mSaveKeyringParcel = new SaveKeyringParcel(); - mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( - Algorithm.RSA, 4096, null, KeyFlags.CERTIFY_OTHER, 0L)); - mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( - Algorithm.RSA, 4096, null, KeyFlags.SIGN_DATA, 0L)); - mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( - Algorithm.RSA, 4096, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L)); + if (mCreateKeyActivity.mUseSmartCardSettings) { + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 2048, null, KeyFlags.SIGN_DATA | KeyFlags.CERTIFY_OTHER, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 2048, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 2048, null, KeyFlags.AUTHENTICATION, 0L)); + mEditText.setText(R.string.create_key_custom); + } else { + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 4096, null, KeyFlags.CERTIFY_OTHER, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 4096, null, KeyFlags.SIGN_DATA, 0L)); + mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA, + 4096, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L)); + } String userId = KeyRing.createUserId( new KeyRing.UserId(mCreateKeyActivity.mName, mCreateKeyActivity.mEmail, null) ); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java index 390efddce..aef770174 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java @@ -36,12 +36,14 @@ import android.view.ViewGroup; import android.widget.AdapterView; import android.widget.ListView; +import org.spongycastle.bcpg.PublicKeyAlgorithmTags; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.compatibility.DialogFragmentWorkaround; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.SingletonResult; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; import org.sufficientlysecure.keychain.pgp.KeyRing; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing; @@ -65,6 +67,8 @@ import org.sufficientlysecure.keychain.ui.util.Notify; import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Passphrase; +import java.nio.ByteBuffer; + public class EditKeyFragment extends CryptoOperationFragment implements LoaderManager.LoaderCallbacks<Cursor> { @@ -415,7 +419,7 @@ public class EditKeyFragment extends CryptoOperationFragment implements mSaveKeyringParcel.mRevokeSubKeys.add(keyId); } break; - case EditSubkeyDialogFragment.MESSAGE_STRIP: + case EditSubkeyDialogFragment.MESSAGE_STRIP: { SubkeyChange change = mSaveKeyringParcel.getSubkeyChange(keyId); if (change == null) { mSaveKeyringParcel.mChangeSubKeys.add(new SubkeyChange(keyId, true, null)); @@ -424,6 +428,69 @@ public class EditKeyFragment extends CryptoOperationFragment implements // toggle change.mDummyStrip = !change.mDummyStrip; break; + } + case EditSubkeyDialogFragment.MESSAGE_KEYTOCARD: { + // Three checks to verify that this is a smart card compatible key: + + // 1. Key algorithm must be RSA + int algorithm = mSubkeysAdapter.getAlgorithm(position); + if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT && + algorithm != PublicKeyAlgorithmTags.RSA_SIGN && + algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) { + Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_algo, + Notify.Style.ERROR).show(); + return; + } + + // 2. Key size must be 2048 + if (mSubkeysAdapter.getKeySize(position) != 2048) { + Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_size, + Notify.Style.ERROR).show(); + return; + } + + // 3. Secret key parts must be available + CanonicalizedSecretKey.SecretKeyType type = + mSubkeysAdapter.getSecretKeyType(position); + if (type == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD || + type == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) { + Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_stripped, + Notify.Style.ERROR).show(); + return; + } + + SubkeyChange change; + change = mSaveKeyringParcel.getSubkeyChange(keyId); + if (change == null) { + mSaveKeyringParcel.mChangeSubKeys.add( + new SubkeyChange(keyId, false, new byte[0]) + ); + } + final Bundle data = new Bundle(); + data.putLong(KeychainIntentService.NFC_KEYTOCARD_SUBKEY_ID, keyId); + Intent intent = new Intent(EditKeyFragment.this.getActivity(), + KeychainIntentService.class); + intent.setAction(KeychainIntentService.ACTION_NFC_KEYTOCARD); + intent.putExtra(KeychainIntentService.EXTRA_DATA, data); + + ServiceProgressHandler serviceHandler = new ServiceProgressHandler( + getActivity(), + getString(R.string.progress_exporting), + ProgressDialog.STYLE_HORIZONTAL, + ProgressDialogFragment.ServiceType.KEYCHAIN_INTENT) { + public void handleMessage(Message message) { + super.handleMessage(message); + EditKeyFragment.this.handlePendingMessage(message); + } + }; + // Create a new Messenger for the communication back + Messenger messenger = new Messenger(serviceHandler); + intent.putExtra(KeychainIntentService.EXTRA_MESSENGER, messenger); + serviceHandler.showProgressDialog(getActivity()); + + getActivity().startService(intent); + break; + } } getLoaderManager().getLoader(LOADER_ID_SUBKEYS).forceLoad(); } @@ -593,6 +660,18 @@ public class EditKeyFragment extends CryptoOperationFragment implements Intent intent = new Intent(getActivity(), KeychainIntentService.class); intent.setAction(KeychainIntentService.ACTION_EDIT_KEYRING); + for (SubkeyChange change : mSaveKeyringParcel.mChangeSubKeys) { + if(change.mDummyDivert != null) { + // Convert long key ID to byte buffer + byte[] subKeyId = new byte[8]; + ByteBuffer buf = ByteBuffer.wrap(subKeyId); + buf.putLong(change.mKeyId).rewind(); + + byte[] cardSerial = cryptoInput.getCryptoData().get(buf); + change.mDummyDivert = cardSerial; + } + } + // fill values for this action Bundle data = new Bundle(); data.putParcelable(KeychainIntentService.EXTRA_CRYPTO_INPUT, cryptoInput); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java index aa66053fa..1a618329d 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java @@ -10,8 +10,13 @@ import android.content.Intent; import android.os.Bundle; import android.view.WindowManager; +import org.spongycastle.util.Arrays; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKeyRing; +import org.sufficientlysecure.keychain.provider.KeychainContract; +import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.remote.CryptoInputParcelCacheService; import org.sufficientlysecure.keychain.service.PassphraseCacheService; import org.sufficientlysecure.keychain.service.input.CryptoInputParcel; @@ -21,6 +26,7 @@ import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Preferences; import java.io.IOException; +import java.nio.ByteBuffer; /** * This class provides a communication interface to OpenPGP applications on ISO SmartCard compliant @@ -53,8 +59,11 @@ public class NfcOperationActivity extends BaseNfcActivity { mRequiredInput = data.getParcelable(EXTRA_REQUIRED_INPUT); mServiceIntent = data.getParcelable(EXTRA_SERVICE_INTENT); - // obtain passphrase for this subkey - obtainYubiKeyPin(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); + if (mRequiredInput.mType == RequiredInputParcel.RequiredInputType.NFC_KEYTOCARD) { + obtainKeyExportPassphrase(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); + } else { + obtainYubiKeyPin(RequiredInputParcel.createRequiredPassphrase(mRequiredInput)); + } } @Override @@ -85,6 +94,44 @@ public class NfcOperationActivity extends BaseNfcActivity { } break; } + case NFC_KEYTOCARD: { + ProviderHelper providerHelper = new ProviderHelper(this); + CanonicalizedSecretKeyRing secretKeyRing; + try { + secretKeyRing = providerHelper.getCanonicalizedSecretKeyRing( + KeychainContract.KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(mRequiredInput.getSubKeyId()) + ); + } catch (ProviderHelper.NotFoundException e) { + throw new IOException("Couldn't find subkey for key to card operation."); + } + CanonicalizedSecretKey key = secretKeyRing.getSecretKey(mRequiredInput.getSubKeyId()); + + long keyGenerationTimestampMillis = key.getCreationTime().getTime(); + long keyGenerationTimestamp = keyGenerationTimestampMillis / 1000; + byte[] timestampBytes = ByteBuffer.allocate(4).putInt((int) keyGenerationTimestamp).array(); + byte[] cardSerialNumber = Arrays.copyOf(nfcGetAid(), 16); + + if (key.canSign() || key.canCertify()) { + nfcPutKey(0xB6, key); + nfcPutData(0xCE, timestampBytes); + nfcPutData(0xC7, key.getFingerprint()); + } else if (key.canEncrypt()) { + nfcPutKey(0xB8, key); + nfcPutData(0xCF, timestampBytes); + nfcPutData(0xC8, key.getFingerprint()); + } else if (key.canAuthenticate()) { + nfcPutKey(0xA4, key); + nfcPutData(0xD0, timestampBytes); + nfcPutData(0xC9, key.getFingerprint()); + } else { + throw new IOException("Inappropriate key flags for smart card key."); + } + + byte[] subKeyId = new byte[8]; + ByteBuffer buf = ByteBuffer.wrap(subKeyId); + buf.putLong(mRequiredInput.getSubKeyId()); + inputParcel.addCryptoData(subKeyId, cardSerialNumber); + } } if (mServiceIntent != null) { diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java index 096dea51f..db0a930ed 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java @@ -116,6 +116,21 @@ public class SubkeysAdapter extends CursorAdapter { } } + public int getAlgorithm(int position) { + mCursor.moveToPosition(position); + return mCursor.getInt(INDEX_ALGORITHM); + } + + public int getKeySize(int position) { + mCursor.moveToPosition(position); + return mCursor.getInt(INDEX_KEY_SIZE); + } + + public SecretKeyType getSecretKeyType(int position) { + mCursor.moveToPosition(position); + return SecretKeyType.fromNum(mCursor.getInt(INDEX_HAS_SECRET)); + } + @Override public Cursor swapCursor(Cursor newCursor) { hasAnySecret = false; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java index 1d09b281f..4506fe3c1 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java @@ -19,7 +19,9 @@ package org.sufficientlysecure.keychain.ui.base; import java.io.IOException; +import java.math.BigInteger; import java.nio.ByteBuffer; +import java.security.interfaces.RSAPrivateCrtKey; import android.app.Activity; import android.app.PendingIntent; @@ -32,9 +34,12 @@ import android.os.Bundle; import android.widget.Toast; import org.spongycastle.bcpg.HashAlgorithmTags; +import org.spongycastle.util.Arrays; import org.spongycastle.util.encoders.Hex; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey; +import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing; import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings; @@ -54,12 +59,16 @@ import org.sufficientlysecure.keychain.util.Preferences; public abstract class BaseNfcActivity extends BaseActivity { - public static final int REQUEST_CODE_PASSPHRASE = 1; + public static final int REQUEST_CODE_PIN = 1; + public static final int REQUEST_CODE_PASSPHRASE = 2; protected Passphrase mPin; + protected Passphrase mAdminPin; + protected Passphrase mPassphrase; // For key export protected boolean mPw1ValidForMultipleSignatures; protected boolean mPw1ValidatedForSignature; protected boolean mPw1ValidatedForDecrypt; // Mode 82 does other things; consider renaming? + protected boolean mPw3Validated; private NfcAdapter mNfcAdapter; private IsoDep mIsoDep; @@ -127,6 +136,15 @@ public abstract class BaseNfcActivity extends BaseActivity { enableNfcForegroundDispatch(); } + protected void obtainKeyExportPassphrase(RequiredInputParcel requiredInput) { + + Intent intent = new Intent(this, PassphraseDialogActivity.class); + intent.putExtra(PassphraseDialogActivity.EXTRA_REQUIRED_INPUT, + RequiredInputParcel.createRequiredPassphrase(requiredInput)); + startActivityForResult(intent, REQUEST_CODE_PASSPHRASE); + + } + protected void obtainYubiKeyPin(RequiredInputParcel requiredInput) { Preferences prefs = Preferences.getPreferences(this); @@ -138,7 +156,7 @@ public abstract class BaseNfcActivity extends BaseActivity { Intent intent = new Intent(this, PassphraseDialogActivity.class); intent.putExtra(PassphraseDialogActivity.EXTRA_REQUIRED_INPUT, RequiredInputParcel.createRequiredPassphrase(requiredInput)); - startActivityForResult(intent, REQUEST_CODE_PASSPHRASE); + startActivityForResult(intent, REQUEST_CODE_PIN); } @@ -149,7 +167,7 @@ public abstract class BaseNfcActivity extends BaseActivity { @Override protected void onActivityResult(int requestCode, int resultCode, Intent data) { switch (requestCode) { - case REQUEST_CODE_PASSPHRASE: + case REQUEST_CODE_PIN: { if (resultCode != Activity.RESULT_OK) { setResult(resultCode); finish(); @@ -158,6 +176,18 @@ public abstract class BaseNfcActivity extends BaseActivity { CryptoInputParcel input = data.getParcelableExtra(PassphraseDialogActivity.RESULT_CRYPTO_INPUT); mPin = input.getPassphrase(); break; + } + + case REQUEST_CODE_PASSPHRASE: { + if (resultCode != Activity.RESULT_OK) { + setResult(resultCode); + finish(); + return; + } + CryptoInputParcel input = data.getParcelableExtra(PassphraseDialogActivity.RESULT_CRYPTO_INPUT); + mPassphrase = input.getPassphrase(); + break; + } default: super.onActivityResult(requestCode, resultCode, data); @@ -208,6 +238,10 @@ public abstract class BaseNfcActivity extends BaseActivity { mPw1ValidForMultipleSignatures = (pwStatusBytes[0] == 1); mPw1ValidatedForSignature = false; mPw1ValidatedForDecrypt = false; + mPw3Validated = false; + + // TODO: Handle non-default Admin PIN + mAdminPin = new Passphrase("12345678"); onNfcPerform(); @@ -460,13 +494,21 @@ public abstract class BaseNfcActivity extends BaseActivity { return Hex.decode(decryptedSessionKey); } - /** Verifies the user's PW1 with the appropriate mode. + /** Verifies the user's PW1 or PW3 with the appropriate mode. * - * @param mode This is 0x81 for signing, 0x82 for everything else + * @param mode For PW1, this is 0x81 for signing, 0x82 for everything else. + * For PW3 (Admin PIN), mode is 0x83. */ public void nfcVerifyPIN(int mode) throws IOException { - if (mPin != null) { - byte[] pin = new String(mPin.getCharArray()).getBytes(); + if (mPin != null || mode == 0x83) { + byte[] pin; + + if (mode == 0x83) { + pin = new String(mAdminPin.getCharArray()).getBytes(); + } else { + pin = new String(mPin.getCharArray()).getBytes(); + } + // SW1/2 0x9000 is the generic "ok" response, which we expect most of the time. // See specification, page 51 String accepted = "9000"; @@ -488,10 +530,207 @@ public abstract class BaseNfcActivity extends BaseActivity { mPw1ValidatedForSignature = true; } else if (mode == 0x82) { mPw1ValidatedForDecrypt = true; + } else if (mode == 0x83) { + mPw3Validated = true; } } } + /** Modifies the user's PW1 or PW3. Before sending, the new PIN will be validated for + * conformance to the card's requirements for key length. + * + * @param pw For PW1, this is 0x81. For PW3 (Admin PIN), mode is 0x83. + * @param newPinString The new PW1 or PW3. + */ + public void nfcModifyPIN(int pw, String newPinString) throws IOException { + final int MAX_PW1_LENGTH_INDEX = 1; + final int MAX_PW3_LENGTH_INDEX = 3; + + byte[] pwStatusBytes = nfcGetPwStatusBytes(); + byte[] newPin = newPinString.getBytes(); + + if (pw == 0x81) { + if (newPin.length < 6 || newPin.length > pwStatusBytes[MAX_PW1_LENGTH_INDEX]) { + throw new IOException("Invalid PIN length"); + } + } else if (pw == 0x83) { + if (newPin.length < 8 || newPin.length > pwStatusBytes[MAX_PW3_LENGTH_INDEX]) { + throw new IOException("Invalid PIN length"); + } + } else { + throw new IOException("Invalid PW index for modify PIN operation"); + } + + byte[] pin; + + if (pw == 0x83) { + pin = new String(mAdminPin.getCharArray()).getBytes(); + } else { + pin = new String(mPin.getCharArray()).getBytes(); + } + + // Command APDU for CHANGE REFERENCE DATA command (page 32) + String changeReferenceDataApdu = "00" // CLA + + "24" // INS + + "00" // P1 + + String.format("%02x", pw) // P2 + + String.format("%02x", pin.length + newPin.length) // Lc + + getHex(pin) + + getHex(newPin); + if (!nfcCommunicate(changeReferenceDataApdu).equals("9000")) { // Change reference data + handlePinError(); + throw new IOException("Failed to change PIN"); + } + } + + /** + * Stores a data object on the card. Automatically validates the proper PIN for the operation. + * Supported for all data objects < 255 bytes in length. Only the cardholder certificate + * (0x7F21) can exceed this length. + * + * @param dataObject The data object to be stored. + * @param data The data to store in the object + */ + public void nfcPutData(int dataObject, byte[] data) throws IOException { + if (data.length > 254) { + throw new IOException("Cannot PUT DATA with length > 254"); + } + if (dataObject == 0x0101 || dataObject == 0x0103) { + if (!mPw1ValidatedForDecrypt) { + nfcVerifyPIN(0x82); // (Verify PW1 for non-signing operations) + } + } else if (!mPw3Validated) { + nfcVerifyPIN(0x83); // (Verify PW3) + } + + String putDataApdu = "00" // CLA + + "DA" // INS + + String.format("%02x", (dataObject & 0xFF00) >> 8) // P1 + + String.format("%02x", dataObject & 0xFF) // P2 + + String.format("%02x", data.length) // Lc + + getHex(data); + + String response = nfcCommunicate(putDataApdu); + if (!response.equals("9000")) { + throw new IOException("Failed to put data for tag " + + String.format("%02x", (dataObject & 0xFF00) >> 8) + + String.format("%02x", dataObject & 0xFF) + + ": " + response); + } + } + + /** + * Puts a key on the card in the given slot. + * + * @param slot The slot on the card where the key should be stored: + * 0xB6: Signature Key + * 0xB8: Decipherment Key + * 0xA4: Authentication Key + */ + public void nfcPutKey(int slot, CanonicalizedSecretKey secretKey) + throws IOException { + if (slot != 0xB6 && slot != 0xB8 && slot != 0xA4) { + throw new IOException("Invalid key slot"); + } + + RSAPrivateCrtKey crtSecretKey = null; + try { + secretKey.unlock(mPassphrase); + crtSecretKey = secretKey.getCrtSecretKey(); + } catch (PgpGeneralException e) { + throw new IOException(e.getMessage()); + } + + // Shouldn't happen; the UI should block the user from getting an incompatible key this far. + if (crtSecretKey.getModulus().bitLength() > 2048) { + throw new IOException("Key too large to export to smart card."); + } + + // Should happen only rarely; all GnuPG keys since 2006 use public exponent 65537. + if (!crtSecretKey.getPublicExponent().equals(new BigInteger("65537"))) { + throw new IOException("Invalid public exponent for smart card key."); + } + + if (!mPw3Validated) { + nfcVerifyPIN(0x83); // (Verify PW1 with mode 83) + } + + byte[] header= Hex.decode( + "4D82" + "03A2" // Extended header list 4D82, length of 930 bytes. (page 23) + + String.format("%02x", slot) + "00" // CRT to indicate targeted key, no length + + "7F48" + "15" // Private key template 0x7F48, length 21 (decimal, 0x15 hex) + + "9103" // Public modulus, length 3 + + "928180" // Prime P, length 128 + + "938180" // Prime Q, length 128 + + "948180" // Coefficient (1/q mod p), length 128 + + "958180" // Prime exponent P (d mod (p - 1)), length 128 + + "968180" // Prime exponent Q (d mod (1 - 1)), length 128 + + "97820100" // Modulus, length 256, last item in private key template + + "5F48" + "820383");// DO 5F48; 899 bytes of concatenated key data will follow + byte[] dataToSend = new byte[934]; + byte[] currentKeyObject; + int offset = 0; + + System.arraycopy(header, 0, dataToSend, offset, header.length); + offset += header.length; + currentKeyObject = crtSecretKey.getPublicExponent().toByteArray(); + System.arraycopy(currentKeyObject, 0, dataToSend, offset, 3); + offset += 3; + // NOTE: For a 2048-bit key, these lengths are fixed. However, bigint includes a leading 0 + // in the array to represent sign, so we take care to set the offset to 1 if necessary. + currentKeyObject = crtSecretKey.getPrimeP().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getPrimeQ().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getCrtCoefficient().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getPrimeExponentP().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getPrimeExponentQ().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128); + Arrays.fill(currentKeyObject, (byte)0); + offset += 128; + currentKeyObject = crtSecretKey.getModulus().toByteArray(); + System.arraycopy(currentKeyObject, currentKeyObject.length - 256, dataToSend, offset, 256); + + String putKeyCommand = "10DB3FFF"; + String lastPutKeyCommand = "00DB3FFF"; + + // Now we're ready to communicate with the card. + offset = 0; + String response; + while(offset < dataToSend.length) { + int dataRemaining = dataToSend.length - offset; + if (dataRemaining > 254) { + response = nfcCommunicate( + putKeyCommand + "FE" + Hex.toHexString(dataToSend, offset, 254) + ); + offset += 254; + } else { + int length = dataToSend.length - offset; + response = nfcCommunicate( + lastPutKeyCommand + String.format("%02x", length) + + Hex.toHexString(dataToSend, offset, length)); + offset += length; + } + + if (!response.endsWith("9000")) { + throw new IOException("Key export to card failed"); + } + } + + // Clear array with secret data before we return. + Arrays.fill(dataToSend, (byte) 0); + } + /** * Prints a message to the screen * diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java index 232a39f86..3b92f7208 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java @@ -43,6 +43,7 @@ public abstract class CryptoOperationFragment extends Fragment { private void initiateInputActivity(RequiredInputParcel requiredInput) { switch (requiredInput.mType) { + case NFC_KEYTOCARD: case NFC_DECRYPT: case NFC_SIGN: { Intent intent = new Intent(getActivity(), NfcOperationActivity.class); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java index 9568312f5..eafa129f0 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java @@ -35,6 +35,7 @@ public class EditSubkeyDialogFragment extends DialogFragment { public static final int MESSAGE_CHANGE_EXPIRY = 1; public static final int MESSAGE_REVOKE = 2; public static final int MESSAGE_STRIP = 3; + public static final int MESSAGE_KEYTOCARD = 4; private Messenger mMessenger; @@ -76,6 +77,9 @@ public class EditSubkeyDialogFragment extends DialogFragment { case 2: sendMessageToHandler(MESSAGE_STRIP, null); break; + case 3: + sendMessageToHandler(MESSAGE_KEYTOCARD, null); + break; default: break; } |