Merge pull request #2 from my-number/wip

v0.3.0

Author: yuki-js

Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "myna"
-version = "0.2.0"
+version = "0.3.0"
 authors = ["yuki-js <[email protected]>"]
 edition = "2018"
 license = "Apache-2.0"
-description = "Japan ID card(mynumber card) manipulation library"
+description = "Japanese ID card(mynumber card) manipulation library"
 repository = "https://github.com/my-number/myna"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

src/card.rs

@@ -1,15 +1,21 @@
+use crate::error::ApduError as Error;
+use crate::utils::{check_password, check_pin, make_apdu};
 use alloc::vec::Vec;
 use der_parser::der::der_read_element_header;
-use crate::error::ApduError as Error;
-use crate::utils::{make_apdu, check_pin};
+
 type Request = Vec<u8>;
 type Response = Vec<u8>;
 type BinaryData = Vec<u8>;
 type Hash<'a> = &'a [u8];
 type FileId<'a> = &'a [u8];
 
-pub trait Apdu {
+#[derive(Clone, Copy, Debug)]
+pub enum KeyType {
+    UserAuth,
+    DigitalSign,
+}
 
+pub trait Apdu {
     /// (Required) Error type that transmit() returns when failed to read card
     type TransErr;
     /// (Required) Implement card communication here.
@@ -20,7 +26,10 @@ pub trait Apdu {
         match self.transmit(data) {
             Ok(apdu) => {
                 let len = apdu.len();
-                let sw1 = apdu[len - 2];
+                if len < 2 {
+                    return Err(Error::Fatal("No response"));
+                }
+                let sw1 = apdu[len - 2]; // overflow
                 let sw2 = apdu[len - 1];
                 if (sw1 == 0x90 || sw1 == 0x91) && sw2 == 0x00 {
                     return Ok(apdu[0..(len - 2)].to_vec());
@@ -30,51 +39,70 @@ pub trait Apdu {
             Err(e) => Err(Error::Transmission(e)),
         }
     }
-
+    /// SELECT DF
     fn select_df(&self, dfid: FileId) -> Result<(), Error<Self::TransErr>> {
         match self.transmit_checked(make_apdu(0x00, 0xa4, (0x04, 0x0c), dfid, None)) {
             Ok(_) => Ok(()),
-            _ => Err(Error::Execution("Failed to SELECT DF")),
+            Err(e) => Err(e.check_err("Failed to SELECT DF")),
         }
     }
+    /// SELECT EF
+    /// 
+    /// Call it with DF selected
     fn select_ef(&self, efid: FileId) -> Result<(), Error<Self::TransErr>> {
         match self.transmit_checked(make_apdu(0x00, 0xa4, (0x02, 0x0c), efid, None)) {
             Ok(_) => Ok(()),
-            _ => Err(Error::Execution("Failed to SELECT EF")),
+            Err(e) => Err(e.check_err("Failed to SELECT EF")),
         }
     }
-    fn select_jpki_ap(&self) -> Result<(), Error<Self::TransErr>> {
-        self.select_df(b"\xD3\x92\xf0\x00\x26\x01\x00\x00\x00\x01")
-    }
-    fn select_jpki_token(&self) -> Result<(), Error<Self::TransErr>> {
-        self.select_ef(b"\x00\x06")
-    }
-    fn select_jpki_cert_auth(&self) -> Result<(), Error<Self::TransErr>> {
-        self.select_ef(b"\x00\x0a")
-    }
 
-    fn select_jpki_auth_pin(&self) -> Result<(), Error<Self::TransErr>> {
-        self.select_ef(b"\x00\x18")
-    }
-    fn select_jpki_auth_key(&self) -> Result<(), Error<Self::TransErr>> {
-        self.select_ef(b"\x00\x17")
-    }
+    /// GET CHALLENGE
     fn get_challenge(&self, size: u8) -> Result<Response, Error<Self::TransErr>> {
         match self.transmit_checked(make_apdu(0x00, 0x84, (0, 0), &[], Some(size))) {
             Ok(s) => Ok(s),
-            _ => Err(Error::Execution("GET CHALLENGE failed")),
+            Err(e) => Err(e.check_err("GET CHALLENGE failed")),
         }
     }
-    fn verify_pin(&self, pin: &str) -> Result<(), Error<Self::TransErr>> {
-        if !check_pin(pin) {
-            return Err(Error::Execution("PIN is invalid"))
-        }
+
+    /// VERIFY PIN
+    /// 
+    /// Call it with PIN EF selected
+    fn verify_pin(&self, pin: &str, key_type: KeyType) -> Result<(), Error<Self::TransErr>> {
+        match key_type {
+            KeyType::UserAuth => {
+                if !check_pin(pin) {
+                    return Err(Error::Execution("PIN is invalid"));
+                }
+            }
+            KeyType::DigitalSign => {
+                if !check_password(pin) {
+                    return Err(Error::Execution("PIN is invalid"));
+                }
+            }
+        };
+
         match self.transmit_checked(make_apdu(0x00, 0x20, (0x00, 0x80), pin.as_bytes(), None)) {
             Ok(_) => Ok(()),
-            _ => Err(Error::Execution("VERIFY PIN failed")),
+            Err(e) => Err(e.pin_err()),
+        }
+    }
+
+    /// VERIFY PIN without PIN
+    ///
+    /// check PIN retry counter
+    fn lookup_pin(&self) -> Result<u8, Error<Self::TransErr>> {
+        if let Err(e) = self.transmit_checked(make_apdu(0x00, 0x20, (0x00, 0x80), &[], None)) {
+            if let Error::PinIncorrect(remaining) = e.pin_err() {
+                return Ok(remaining);
+            }
         }
+        return Err(Error::Fatal("Unexpected Error"));
     }
-    fn compute_sig(&self, hash_pkcs1: Hash) -> Result<Response, Error<Self::TransErr>> {
+
+    /// COMPUTE DIGITAL SIGNATURE
+    ///
+    /// Call it with Private Key EF selected
+    fn compute_digital_signature(&self, hash_pkcs1: Hash) -> Result<Response, Error<Self::TransErr>> {
         match self.transmit_checked(make_apdu(
             0x80,
             0x2a,
@@ -84,19 +112,13 @@ pub trait Apdu {
         )) {
             // zero, the value of Le probably means 256. it overflowed.
             Ok(sig) => Ok(sig),
-            _ => Err(Error::Execution("COMPUTE DIGITAL SIGNATURE failed")),
+            Err(e) => Err(e.check_err("COMPUTE DIGITAL SIGNATURE failed")),
         }
     }
-
-    fn read_binary(&self) -> Result<BinaryData, Error<Self::TransErr>> {
-        let header = match self.transmit_checked(make_apdu(0x00, 0xb0, (0u8, 0u8), &[], Some(7u8))) {
-            Ok(s) => s,
-            _ => return Err(Error::Execution("READ BINARY failed")),
-        };
-
-        let parsed = der_read_element_header(&header[..]).unwrap();
-        let length = parsed.1.len as usize + header.len() - parsed.0.len();
-        
+    /// READ BINARY
+    ///
+    /// Call it with readable object selected
+    fn read_binary(&self, length: usize) -> Result<BinaryData, Error<Self::TransErr>> {
         let mut data: Vec<u8> = Vec::with_capacity(length);
         loop {
             let current_size = data.len();
@@ -115,10 +137,89 @@ pub trait Apdu {
                         return Ok(data);
                     }
                 }
-                _ => return Err(Error::Execution("READ BINARY failed")),
+                Err(e) => return Err(e.check_err("READ BINARY failed")),
             }
         }
     }
-}
+    
+    /// Read binary as X.509 Certificate
+    fn read_cert(&self) -> Result<BinaryData, Error<Self::TransErr>> {
+        let header = self.read_binary(8)?;
+
+        let parsed = der_read_element_header(&header[..])
+            .map_err(|_| Error::Execution("Failed to parse Certificate header"))?;
+        let length = parsed.1.len as usize + header.len() - parsed.0.len();
+
+        return self.read_binary(length);
+    }
+
+    /// Selects JPKI AP DF
+    fn select_jpki_ap(&self) -> Result<(), Error<Self::TransErr>> {
+        self.select_df(b"\xD3\x92\xf0\x00\x26\x01\x00\x00\x00\x01")
+    }
+    
+    /// Selects JPKI Token EF
+    fn select_jpki_token(&self) -> Result<(), Error<Self::TransErr>> {
+        self.select_ef(b"\x00\x06")
+    }
 
+    /// Selects JPKI Certificate EF
+    fn select_jpki_cert(&self, key_type: KeyType) -> Result<(), Error<Self::TransErr>> {
+        match key_type {
+            KeyType::UserAuth => self.select_ef(b"\x00\x0a"),
+            KeyType::DigitalSign => self.select_ef(b"\x00\x01"),
+        }
+    }
 
+    /// Selects JPKI PIN EF
+    fn select_jpki_pin(&self, key_type: KeyType) -> Result<(), Error<Self::TransErr>> {
+        match key_type {
+            KeyType::UserAuth => self.select_ef(b"\x00\x18"),
+            KeyType::DigitalSign => self.select_ef(b"\x00\x1B"),
+        }
+    }
+
+    /// Selects JPKI Private Key EF
+    fn select_jpki_key(&self, key_type: KeyType) -> Result<(), Error<Self::TransErr>> {
+        match key_type {
+            KeyType::UserAuth => self.select_ef(b"\x00\x17"),
+            _ => unimplemented!(),
+        }
+    }
+
+    /// Checks if it is mynumber card
+    fn is_mynumber_card(&self) -> Result<bool, Error<Self::TransErr>> {
+        self.select_jpki_ap()?;
+        self.select_jpki_token()?;
+        let jpki_token = self.read_binary(32)?;
+        Ok(&jpki_token[..] == b"JPKIAPICCTOKEN2                 ")
+    }
+
+    /// Gets Certificate
+    fn get_cert(&self, key_type: KeyType) -> Result<BinaryData, Error<Self::TransErr>> {
+        self.select_jpki_ap()?;
+        self.select_jpki_key(key_type)?;
+        self.select_jpki_cert(key_type)?;
+
+        let cert = self.read_cert()?;
+        Ok(cert)
+    }
+
+    /// Computes signature
+    fn compute_sig(&self, pin: &str, hash: Hash, key_type: KeyType) -> Result<Response, Error<Self::TransErr>> {
+        self.select_jpki_ap()?;
+        self.select_jpki_pin(key_type)?;
+        self.verify_pin(pin, key_type)?;
+        self.select_jpki_key(key_type)?;
+        let sig = self.compute_digital_signature(hash)?;
+        Ok(sig)
+    }
+
+    /// Gets PIN retry counter
+    fn get_retry_counter(&self, key_type: KeyType) -> Result<u8, Error<Self::TransErr>> {
+        self.select_jpki_ap()?;
+        self.select_jpki_pin(key_type)?;
+        let count = self.lookup_pin()?;
+        Ok(count)
+    }
+}

src/crypto.rs

@@ -5,8 +5,9 @@ extern crate alloc;
 extern crate sha2;
 use der_parser::{ber::BerObjectContent, error::BerError, oid::Oid, parse_der};
 use rsa::{
-    errors::Error as RSAError, hash::Hashes, BigUint, PaddingScheme, PublicKey, RSAPublicKey,
+    errors::Error as RSAError, hash::Hashes, BigUint, PaddingScheme, PublicKey,
 };
+pub use rsa::RSAPublicKey;
 use sha2::{
     digest::{FixedOutput, Input},
     Sha256,

src/error.rs

@@ -1,4 +1,3 @@
-
 /// APDU Error
 #[derive(Debug)]
 pub enum ApduError<T> {
@@ -8,8 +7,27 @@ pub enum ApduError<T> {
     Command(u8, u8),
     /// Error when execution failure detected
     Execution(&'static str),
+    /// Fatal error that seems not to be able to recover
+    Fatal(&'static str),
+    /// PIN Incorrect Error with remaining retries
+    PinIncorrect(u8)
+}
+impl<T> ApduError<T> {
+    pub fn check_err(self, err_msg: &'static str) -> Self {
+        match self {
+            Self::Command(_, _) => Self::Execution(err_msg),
+            _ => self,
+        }
+    }
+    pub fn pin_err(self) -> Self {
+        if let Self::Command(sw1, sw2) = self {
+            if sw1 == 0x63 && (sw2 & 0xF0 ==  0xC0) {
+                return Self::PinIncorrect(sw2 & 0x0F);
+            }
+        }
+        return self;
+    }
 }
-
 #[derive(Debug)]
 pub enum CryptoError {
     ParseError,

src/utils.rs

@@ -41,13 +41,11 @@ const fn is_digit(ch: u8) -> bool {
 /// PIN ^[0-9]{4}$ validation
 pub fn check_pin(pin_str: &str) -> bool {
     let pin = pin_str.as_bytes();
-    pin.len() == 4
-        && is_digit(pin[0])
-        && is_digit(pin[1])
-        && is_digit(pin[2])
-        && is_digit(pin[3])
+    pin.len() == 4 && is_digit(pin[0]) && is_digit(pin[1]) && is_digit(pin[2]) && is_digit(pin[3])
+}
+pub fn check_password(password: &str) -> bool {
+    unimplemented!()
 }
-
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -69,30 +67,18 @@ mod tests {
     }
     #[test]
     fn it_checks_valid_pin() {
-        assert_eq!(
-            check_pin("1919"),
-            true
-        );
+        assert_eq!(check_pin("1919"), true);
     }
     #[test]
     fn it_checks_non_digit_pin() {
-        assert_eq!(
-            check_pin("pien"),
-            false
-        );
+        assert_eq!(check_pin("pien"), false);
     }
     #[test]
     fn it_checks_digit_non_digit_pin() {
-        assert_eq!(
-            check_pin("pa0n"),
-            false
-        );
+        assert_eq!(check_pin("pa0n"), false);
     }
     #[test]
     fn it_checks_too_long_pin() {
-        assert_eq!(
-            check_pin("114514"),
-            false
-        );
+        assert_eq!(check_pin("114514"), false);
     }
 }