puck/xenid
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit.

Browse source
This commit is contained in:
puck 2025-12-05 11:19:20 +00:00
commit 62d6a66cd0
12 changed files with 4342 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

214
src/digid_api.rs Normal file
View file

@ -0,0 +1,214 @@
use std::collections::HashMap;
use serde::{Deserialize, Serialize, de::DeserializeOwned};
#[derive(serde::Serialize)]
pub struct Version {
pub major: usize,
pub minor: usize,
}
#[derive(serde::Serialize)]
pub struct Header {
#[serde(rename = "sessionId")]
pub session_id: String,
#[serde(rename = "supportedAPIVersion")]
pub supported_api_version: Version,
}
#[derive(serde::Serialize)]
pub struct BaseRequest<T: Serialize> {
pub header: Header,
#[serde(rename = "messageData")]
pub data: T,
}
#[derive(serde::Serialize)]
pub struct Init {
#[serde(rename = "userConsentType")]
pub user_consent_type: String, // "PP" or "PIP", hard-coded as "PIP" rn?
#[serde(rename = "documentType")]
pub document_type: String, // base64-encoded AID. ignored for NIK?
}
#[derive(serde::Deserialize)]
pub struct BaseResponse<T> {
pub status: String,
#[serde(rename = "sessionId")]
pub session_id: Option<String>,
#[serde(rename = "responseData")]
pub data: T,
}
#[derive(serde::Deserialize)]
pub struct APDUsResponse {
pub apdus: Vec<String>,
#[serde(rename = "ephemeralPKey")]
pub ephemeral_key: String,
}
#[derive(serde::Serialize)]
pub struct APDURequest {
pub counter: isize,
pub apdu: String,
}
#[derive(serde::Deserialize)]
pub struct PreparePCAResponse {
pub apdus: Vec<String>,
}
#[derive(serde::Deserialize)]
pub struct PolyDataResponse {
pub result: String,
}
pub async fn wid_init(session_id: &str) -> ClientContext {
let client = reqwest::Client::new();
let init_req = client
.post("https://app.digid.nl/apps/wid/new")
.json(&serde_json::json!({"app_session_id": session_id.to_owned() }))
.header("API-Version", "3")
.header("App-Version", "6.16.3")
.header("OS-Type", "Android")
.header("OS-Version", "28")
.header("Release-Type", "Productie")
.header("User-Agent", "eidkitty")
.send()
.await
.unwrap()
.json::<HashMap<String, String>>()
.await
.unwrap();
println!("{:?}", init_req);
let wid_session_id = init_req.get("session_id").unwrap().to_owned();
client
.post("https://app.digid.nl/apps/wid/confirm")
.json(&serde_json::json!({"app_session_id": session_id.to_owned() }))
.header("API-Version", "3")
.header("App-Version", "6.16.3")
.header("OS-Type", "Android")
.header("OS-Version", "28")
.header("Release-Type", "Productie")
.header("User-Agent", "eidkitty")
.send()
.await
.unwrap()
.json::<HashMap<String, String>>()
.await
.unwrap();
ClientContext {
host: init_req.get("url").unwrap().to_owned(),
session: wid_session_id,
service: init_req.get("webservice").unwrap().to_owned(),
}
}
pub struct ClientContext {
pub host: String,
pub session: String,
pub service: String,
}
impl ClientContext {
async fn send<T: Serialize, R: DeserializeOwned>(
&self,
path: &str,
data: &T,
) -> reqwest::Result<R> {
let client = reqwest::Client::new();
let resp: BaseResponse<R> = client
.post(format!("{}{}", self.host, path))
.json(&BaseRequest {
header: Header {
session_id: self.session.clone(),
supported_api_version: Version { major: 1, minor: 1 },
},
data,
})
.header("User-Agent", "meowmeow")
.send()
.await?
.json()
.await?;
Ok(resp.data)
}
pub async fn start(&self) {
self.send::<_, serde_json::Value>(
"/v1/nik/start",
&Init {
user_consent_type: String::from("PIP"),
document_type: String::from("oAAAAkcQAQ=="),
},
)
.await
.unwrap();
}
pub async fn prepare_eac(
&self,
ef_cvca: &[u8],
dg14: &[u8],
ef_sod: &[u8],
pace_icc: &[u8],
) -> (Vec<Vec<u8>>, Vec<u8>) {
let resp: APDUsResponse = self
.send(
"/v1/nik/prepareeac",
&serde_json::json!({
"efCvca": base64::encode(ef_cvca),
"dg14": base64::encode(dg14),
"efSOd": base64::encode(ef_sod),
"paceIcc": base64::encode(pace_icc),
}),
)
.await
.unwrap();
(
resp.apdus
.into_iter()
.map(|f| base64::decode(f).unwrap())
.collect(),
base64::decode(resp.ephemeral_key).unwrap(),
)
}
pub async fn prepare_pca(&self, counter: isize, last_apdu: &[u8]) -> Vec<Vec<u8>> {
let resp: PreparePCAResponse = self
.send(
"/v1/nik/preparepca",
&APDURequest {
counter,
apdu: base64::encode(last_apdu),
},
)
.await
.unwrap();
resp.apdus
.into_iter()
.map(|f| base64::decode(f).unwrap())
.collect()
}
pub async fn get_polymorphic_data(&self, counter: isize, last_apdu: &[u8]) -> String {
let resp: PolyDataResponse = self
.send(
"/v1/nik/polymorph/data",
&APDURequest {
counter,
apdu: base64::encode(last_apdu),
},
)
.await
.unwrap();
resp.result
}
}

194
src/gui.rs Normal file
View file

@ -0,0 +1,194 @@
use std::cell::{RefCell, RefMut};
use std::rc::Rc;
use adw::{Clamp, ToolbarView, prelude::*};
use adw::{ActionRow, Application, ApplicationWindow, HeaderBar};
use gtk::{
Box, Button, CssProvider, Grid, GridLayout, Label, ListBox, Orientation, PasswordEntry,
SelectionMode,
};
use crate::pipe;
use glib::clone;
fn build_ui(
app: &Application,
ctg_pipe: async_channel::Receiver<crate::pipe::CardToGUI>,
gtc_pipe: async_channel::Sender<crate::pipe::GUIToCard>,
) {
let main_box = Box::builder().orientation(Orientation::Vertical).build();
let password_grid = Grid::new();
let password_mask: Vec<Button> = (0..5)
.map(|f| {
Button::builder()
.name(format!("button_{}", f))
.icon_name("")
.can_focus(false)
.can_target(false)
.hexpand(true)
.css_classes(&["cell"][..])
.build()
})
.collect();
for i in 0..5 {
password_grid.attach(&password_mask[i], i as i32, 0, 1, 1);
}
let password_field = PasswordEntry::builder()
.margin_bottom(12)
.width_request(5)
.width_chars(0)
.css_classes(&["invisible"][..])
.build();
password_grid.attach(&password_field, 0, 0, 5, 1);
password_field.connect_changed(move |v| {
let count = v.text().len();
for i in 0..5 {
password_mask[i].set_icon_name(if count > i {
"window-close-symbolic"
} else {
""
});
}
if count > 5 {
v.delete_text(5, -1);
}
});
let info_label = Label::builder()
.label("...Processing")
.margin_bottom(12)
.build();
let button = Button::builder().label("Next").sensitive(false).build();
main_box.append(&info_label);
main_box.append(&password_grid);
main_box.append(&button);
let headerbar = HeaderBar::new();
let toolbar_view = ToolbarView::new();
toolbar_view.add_top_bar(&headerbar);
let c = Clamp::builder()
.child(&main_box)
.margin_end(16)
.margin_start(16)
.margin_end(16)
.build();
toolbar_view.set_content(Some(&c));
let window = ApplicationWindow::builder()
.application(app)
.title("Log in with DigiD")
.default_width(350)
// add content to window
.content(&toolbar_view)
.build();
password_field.connect_activate(clone!(
#[weak]
button,
move |_| {
button.emit_clicked();
}
));
button.connect_clicked(clone!(
#[weak]
password_field,
move |btn| {
btn.set_sensitive(false);
let pass = password_field.text().to_string();
gtc_pipe.send_blocking(pipe::GUIToCard::PIN(pass)).unwrap();
}
));
gdk::glib::spawn_future_local(clone!(
#[weak]
info_label,
#[weak]
button,
#[weak]
window,
#[weak]
app,
#[weak]
password_field,
async move {
while let Ok(msg) = ctg_pipe.recv().await {
match msg {
pipe::CardToGUI::AuthenticationTarget { target } => {
info_label.set_text(&format!("Enter your PIN to log in to {}", target));
}
pipe::CardToGUI::WaitForCard => {
button.set_sensitive(false);
button.set_label("Place your card on the reader.");
}
pipe::CardToGUI::ReadyForPIN { message } => {
let no_special = message.is_none();
button.set_label(&message.unwrap_or_else(|| String::from("Next")));
button.set_sensitive(true);
if no_special && password_field.text().len() == 5 {
button.emit_clicked();
}
}
pipe::CardToGUI::ProcessingStep { step: _ } => {}
pipe::CardToGUI::ProcessingMessage { message } => {
button.set_label(&message);
}
pipe::CardToGUI::Done => {
window.close();
app.quit();
}
}
}
}
));
window.connect_has_focus_notify(move |f| {
if f.has_focus() {
password_field.grab_focus();
}
});
window.present();
}
pub fn run_gui(
ctg_pipe_r: async_channel::Receiver<crate::pipe::CardToGUI>,
gtc_pipe_s: async_channel::Sender<crate::pipe::GUIToCard>,
) {
let application = Application::builder()
.application_id("moe.puck.XeniD")
.build();
let ctg_pipe_r = RefCell::new(Some(ctg_pipe_r));
let gtc_pipe_s = RefCell::new(Some(gtc_pipe_s));
application.connect_activate(move |app| {
let provider = CssProvider::new();
provider
.load_from_string(".cell { margin: 6px; padding: 18px; } .invisible { opacity: 0; }");
gtk::style_context_add_provider_for_display(
&gdk::Display::default().expect("Could not connect to a display."),
&provider,
gtk::STYLE_PROVIDER_PRIORITY_APPLICATION,
);
build_ui(app, ctg_pipe_r.take().unwrap(), gtc_pipe_s.take().unwrap());
});
application.run_with_args::<glib::GString>(&[]);
}

152
src/iso7816.rs Normal file
View file

@ -0,0 +1,152 @@
use crate::{Card, CommandChaining, OwnedCommandAPDU, SecureMessaging};
/**
* A card contains a master file.
* Each master file contains DFs, which can contain child DFs.
* EFs contain data.
*
* There may not be an MF but lke. yeah
*/
/*
PCA: A0000007885043 412D654D525444
EF.DIR is EF identifier 2F00 under dedicated file
EF.CardAccess (PACE) is EF identifier 011C under dedicated file
EID: A0000007885043 412D654D525444 *encrypted*
EF.DG14 is EF identifier 010E under dedicated file
(icao doc 9303-10)
EF.SOD is EF identifier 011D under dedicated file
(icao doc 9303-10)
EF.CVCA is EF identifier 011C under dedicated file
(icao doc 9303-11)
*/
#[derive(Copy, Clone, Debug)]
pub enum SelectFile<'a> {
File(&'a [u8]),
ChildDedicatedFile(&'a [u8]),
ElementaryFileUnderDedicatedFile(&'a [u8]),
ParentDedicatedFile,
// AID
DedicatedFileName(&'a [u8]),
PathFromMasterFile(&'a [u8]),
PathFromCurrentDedicatedFile(&'a [u8]),
}
pub mod files {
use crate::iso7816::SelectFile;
pub const EF_DIR: SelectFile<'static> =
SelectFile::ElementaryFileUnderDedicatedFile(&[0x2F, 0x00]);
pub const EF_CARDACCESS: SelectFile<'static> =
SelectFile::ElementaryFileUnderDedicatedFile(&[0x01, 0x1C]);
pub const EF_DG14: SelectFile<'static> =
SelectFile::ElementaryFileUnderDedicatedFile(&[0x01, 0x0E]);
pub const EF_SOD: SelectFile<'static> =
SelectFile::ElementaryFileUnderDedicatedFile(&[0x01, 0x1D]);
// static 36 bytes?
// same ID as EF.CardAccess???
pub const EF_CVCA: SelectFile<'static> =
SelectFile::ElementaryFileUnderDedicatedFile(&[0x01, 0x1C]);
}
#[derive(Copy, Clone, Debug)]
pub enum SelectOccurrence {
First = 0b00,
Last = 0b01,
Next = 0b10,
Previous = 0b11,
}
fn generate_select_apdu(
channel: u8,
file: SelectFile<'_>,
occurrence: SelectOccurrence,
) -> OwnedCommandAPDU {
let (p1, contents) = match file {
SelectFile::File(identifier) => (0b0000_0000, identifier),
SelectFile::ChildDedicatedFile(identifier) => (0b0000_0001, identifier),
SelectFile::ElementaryFileUnderDedicatedFile(identifier) => (0b0000_0010, identifier),
SelectFile::ParentDedicatedFile => (0b0000_0011, &[][..]),
SelectFile::DedicatedFileName(identifier) => (0b0000_0100, identifier),
SelectFile::PathFromMasterFile(identifier) => (0b0000_1000, identifier),
SelectFile::PathFromCurrentDedicatedFile(identifier) => (0b0000_1001, identifier),
};
let p2 = occurrence as u8 | 0x0C;
OwnedCommandAPDU {
class: crate::Class::Standard {
command_chaining: CommandChaining::LastOrOnly,
secure_messaging: SecureMessaging::None,
channel,
},
instruction: 0xA4,
parameter: [p1, p2],
command: contents.to_vec(),
expected_length: Some(0),
}
}
pub async fn select(
card: &mut impl Card,
channel: u8,
file: SelectFile<'_>,
occurrence: SelectOccurrence,
) -> std::io::Result<bool> {
let apdu = generate_select_apdu(channel, file, occurrence);
let res = card.transmit(apdu).await?;
Ok(res.status == 0x9000)
}
pub fn generate_read_binary(channel: u8, offset: u16, amount: u16) -> OwnedCommandAPDU {
assert!(offset & 0x8000 == 0);
OwnedCommandAPDU {
class: crate::Class::Standard {
command_chaining: CommandChaining::LastOrOnly,
secure_messaging: SecureMessaging::None,
channel,
},
instruction: 0xB0,
parameter: offset.to_be_bytes(),
command: Vec::new(),
expected_length: Some(amount as usize),
}
}
pub async fn read_binary(card: &mut impl Card, channel: u8) -> std::io::Result<Option<Vec<u8>>> {
let mut out = Vec::new();
loop {
let buf = card
.transmit(generate_read_binary(channel, out.len() as u16, 0x70))
.await?;
if buf.status == 0x6b00 {
// End of EF
return Ok(Some(out));
}
if buf.status != 0x9000 {
return Ok(None);
}
out.extend_from_slice(&buf.data);
if buf.data.len() < 0x70 {
return Ok(Some(out));
}
}
}

456
src/main.rs Normal file
View file

@ -0,0 +1,456 @@
use std::{env::args, thread, time::Duration};
use der::{Any, Decode, asn1::SetOfVec, oid::ObjectIdentifier};
use openssl::{bn::BigNumContext, ec::PointConversionForm, pkey::PKey};
use tokio::runtime::Runtime;
use url::Url;
use crate::{
pace::{append_do, prepend_do},
pcsc_card::PCSCCard,
pipe::GUIToCard,
};
mod digid_api;
mod gui;
mod iso7816;
mod pace;
mod pcsc_card;
mod pipe;
#[derive(Clone, Debug)]
pub struct ResultAPDU {
pub data: Vec<u8>,
pub status: u16,
}
#[derive(Clone, Debug)]
pub struct OwnedCommandAPDU {
pub class: Class,
pub instruction: u8,
pub parameter: [u8; 2],
pub command: Vec<u8>,
pub expected_length: Option<usize>,
}
#[derive(Copy, Clone, Debug)]
pub enum CommandChaining {
LastOrOnly = 0,
NotLast = 1,
}
#[derive(Copy, Clone, Debug)]
pub enum SecureMessaging {
None = 0b00,
Proprietary = 0b01,
StandardNoHeader = 0b10,
StandardHeaderAuthenticated = 0b11,
}
#[derive(Copy, Clone, Debug)]
pub enum Class {
Proprietary(u8),
Standard {
command_chaining: CommandChaining,
secure_messaging: SecureMessaging,
channel: u8,
},
}
impl Class {
pub fn encode(&self) -> Option<u8> {
match *self {
Class::Proprietary(n) if n < 0x80 => Some(0x80 | n),
Class::Standard {
command_chaining,
secure_messaging,
channel,
} if channel < 4 => {
Some(((command_chaining as u8) << 4) | ((secure_messaging as u8) << 2) | channel)
}
Class::Standard {
command_chaining,
secure_messaging:
secure_messaging @ (SecureMessaging::None | SecureMessaging::StandardNoHeader),
channel,
} if channel < 20 => Some(
0x40 | ((command_chaining as u8) << 4) | ((secure_messaging as u8) << 4) | channel,
),
_ => None,
}
}
}
pub trait Card {
fn transmit(
&mut self,
apdu: OwnedCommandAPDU,
) -> impl Future<Output = std::io::Result<ResultAPDU>> + Send;
fn transmit_raw(
&mut self,
apdu_buf: &[u8],
) -> impl Future<Output = std::io::Result<ResultAPDU>> + Send;
}
async fn run_auth(
session_id: String,
ctg_pipe: async_channel::Sender<crate::pipe::CardToGUI>,
gtc_pipe: async_channel::Receiver<crate::pipe::GUIToCard>,
) -> std::io::Result<()> {
let ctx = if session_id == "test" {
digid_api::ClientContext {
host: String::from("http://localhost"),
session: String::from("test"),
service: String::from("UI Test"),
}
} else {
let ctx = digid_api::wid_init(&session_id).await;
ctx.start().await;
ctx
};
ctg_pipe
.send(pipe::CardToGUI::AuthenticationTarget {
target: ctx.service.clone(),
})
.await;
ctg_pipe.send(pipe::CardToGUI::WaitForCard).await;
let mut crad = loop {
let mut crad = PCSCCard::new();
// Select MF
iso7816::select(
&mut crad,
0,
iso7816::SelectFile::File(&[]),
iso7816::SelectOccurrence::First,
)
.await?;
iso7816::select(
&mut crad,
0,
iso7816::files::EF_DIR,
iso7816::SelectOccurrence::First,
)
.await?;
let ef_dir = iso7816::read_binary(&mut crad, 0).await?;
if ef_dir.is_none()
|| !ef_dir.unwrap().windows(14).any(|w| {
w == [
0xA0, 0x00, 0x00, 0x07, 0x88, 0x50, 0x43, 0x41, 0x2D, 0x65, 0x4D, 0x52, 0x54,
0x44,
]
})
{
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Card is not eID"),
})
.await;
crad.wait_for_remove();
ctg_pipe.send(pipe::CardToGUI::WaitForCard).await;
continue;
}
break crad;
};
// Select the PCA application
iso7816::select(
&mut crad,
0,
iso7816::SelectFile::DedicatedFileName(&[
0xA0, 0x00, 0x00, 0x07, 0x88, 0x50, 0x43, 0x41, 0x2D, 0x65, 0x4D, 0x52, 0x54, 0x44,
]),
iso7816::SelectOccurrence::First,
)
.await?;
// Select _its_ MF (what?)
iso7816::select(
&mut crad,
0,
iso7816::SelectFile::File(&[]),
iso7816::SelectOccurrence::First,
)
.await?;
iso7816::select(
&mut crad,
0,
iso7816::files::EF_CARDACCESS,
iso7816::SelectOccurrence::First,
)
.await?;
let ef_cardaccess_bytes = iso7816::read_binary(&mut crad, 0).await?.unwrap();
let ef_cardaccess = pace::SecurityInfos::from_der(&ef_cardaccess_bytes).unwrap();
let status = pace::set_authentication_template(
&mut crad,
ef_cardaccess.get(0).unwrap().protocol,
pace::PasswordType::PIN,
)
.await?;
let (msg, can_continue) = match status {
pace::PACEStatus::Okay => (None, true),
pace::PACEStatus::TriesLeft(n) => (Some(format!("{} tries left", n)), true),
pace::PACEStatus::Error(unk) => (Some(format!("Unknown error {:04x}", unk)), false),
pace::PACEStatus::PasswordSuspended => (Some("PIN suspended. Use app.".to_string()), false),
pace::PACEStatus::PasswordBlocked => (Some("PIN blocked. Use app.".to_string()), false),
};
if can_continue {
ctg_pipe
.send(pipe::CardToGUI::ReadyForPIN { message: msg })
.await;
} else {
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: msg.unwrap(),
})
.await;
}
let GUIToCard::PIN(pin) = gtc_pipe.recv().await.unwrap();
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Negotiating with the card..."),
})
.await;
let creds = pace::authenticate_pin(
&mut crad,
pin.as_bytes(),
ef_cardaccess.get(0).unwrap().protocol,
)
.await?;
let apdus;
{
let mut enc_crad = pace::EncryptedCardWrapper::new(&mut crad, creds.clone());
// Select the PCA again
iso7816::select(
&mut enc_crad,
0,
iso7816::SelectFile::DedicatedFileName(&[
0xA0, 0x00, 0x00, 0x07, 0x88, 0x50, 0x43, 0x41, 0x2D, 0x65, 0x4D, 0x52, 0x54, 0x44,
]),
iso7816::SelectOccurrence::First,
)
.await?;
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Reading EF.DG14..."),
})
.await;
iso7816::select(
&mut enc_crad,
0,
iso7816::files::EF_DG14,
iso7816::SelectOccurrence::First,
)
.await?;
let dg14 = iso7816::read_binary(&mut enc_crad, 0).await?.unwrap();
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Reading EF.SOD..."),
})
.await;
iso7816::select(
&mut enc_crad,
0,
iso7816::files::EF_SOD,
iso7816::SelectOccurrence::First,
)
.await?;
let ef_sod = iso7816::read_binary(&mut enc_crad, 0).await?.unwrap();
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Reading EF.CVCA..."),
})
.await;
iso7816::select(
&mut enc_crad,
0,
iso7816::files::EF_CVCA,
iso7816::SelectOccurrence::First,
)
.await?;
let ef_cvca = iso7816::read_binary(&mut enc_crad, 0).await?.unwrap();
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Provided files for EAC..."),
})
.await;
if ctx.session == "test" {
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Test done."),
})
.await;
tokio::time::sleep(Duration::from_secs(2)).await;
ctg_pipe.send(pipe::CardToGUI::Done).await;
return Ok(());
}
let (apdus_, remote_ephemeral_pkey_bytes) = ctx
.prepare_eac(&ef_cvca, &dg14, &ef_sod, &creds.card_ephemeral_key)
.await;
apdus = apdus_;
let barely_parsed_dg14_one = Any::from_der(&dg14).unwrap();
let barely_parsed_dg14_contents =
SetOfVec::<Vec<Any>>::from_der(barely_parsed_dg14_one.value()).unwrap();
let ca_info_oid = ObjectIdentifier::new_unwrap("0.4.0.127.0.7.2.2.3");
let mut ca_info = None;
for item in barely_parsed_dg14_contents.into_vec() {
let oid = item
.first()
.unwrap()
.decode_as::<ObjectIdentifier>()
.unwrap();
if oid.as_bytes().starts_with(ca_info_oid.as_bytes()) {
ca_info = Some((oid, item.get(2).map(|f| f.value().to_vec())));
break;
}
}
let ca_info = ca_info.unwrap();
let remote_ephemeral_key_pkey =
PKey::public_key_from_der(&remote_ephemeral_pkey_bytes).unwrap();
let remote_ephemeral_key = remote_ephemeral_key_pkey.ec_key().unwrap();
let remote_ephemeral_key_group = remote_ephemeral_key.group();
let remote_ephemeral_key_point = remote_ephemeral_key.public_key();
let mut bn_ctx = BigNumContext::new().unwrap();
let mut remote_ephemeral_key_bytes = remote_ephemeral_key_point
.to_bytes(
remote_ephemeral_key_group,
PointConversionForm::UNCOMPRESSED,
&mut bn_ctx,
)
.unwrap();
// We send a new SET AT along with a GENERAL AUTHENTICATE for internal/restricted identification.
// This has to be encrypted, for Reasons.
let mut set_at_params = ca_info.0.as_bytes().to_vec();
prepend_do(&mut set_at_params, 0x80);
if let Some(v) = ca_info.1 {
append_do(&mut set_at_params, 0x84, &v);
}
let new_apdu = OwnedCommandAPDU {
class: Class::Standard {
command_chaining: CommandChaining::LastOrOnly,
secure_messaging: SecureMessaging::None,
channel: 0,
},
instruction: 0x22,
parameter: [0x41, 0xA4],
command: set_at_params,
expected_length: Some(0),
};
let resp = enc_crad.transmit(new_apdu).await?;
assert_eq!(resp.status, 0x9000);
prepend_do(&mut remote_ephemeral_key_bytes, 0x80);
prepend_do(&mut remote_ephemeral_key_bytes, 0x7c);
let new_apdu = OwnedCommandAPDU {
class: Class::Standard {
command_chaining: CommandChaining::LastOrOnly,
secure_messaging: SecureMessaging::None,
channel: 0,
},
instruction: 0x86,
parameter: [0x00, 0x00],
command: remote_ephemeral_key_bytes,
expected_length: Some(0x16),
};
let resp = enc_crad.transmit(new_apdu).await?;
assert_eq!(resp.status, 0x9000);
}
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: String::from("Running server-sent APDUs... (0/?)"),
})
.await;
let mut counter = -1isize;
let mut last_response = ResultAPDU {
data: Vec::new(),
status: 0,
};
let apdu_count = apdus.len();
for apdu in apdus {
counter += 1;
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: format!("Running server-sent APDUs... ({}/{})", counter, apdu_count),
})
.await;
last_response = crad.transmit_raw(&apdu).await?;
if last_response.status != 0x9000 {
break;
}
}
last_response
.data
.extend_from_slice(&last_response.status.to_be_bytes());
let apdus = ctx.prepare_pca(counter, &last_response.data).await;
let apdu_count = apdus.len() as isize + counter;
for apdu in apdus {
counter += 1;
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: format!("Running server-sent APDUs... ({}/{})", counter, apdu_count),
})
.await;
last_response = crad.transmit_raw(&apdu).await?;
if last_response.status != 0x9000 {
break;
}
}
last_response
.data
.extend_from_slice(&last_response.status.to_be_bytes());
let result = ctx.get_polymorphic_data(counter, &last_response.data).await;
ctg_pipe
.send(pipe::CardToGUI::ProcessingMessage {
message: format!("Server said: {}", result),
})
.await;
tokio::time::sleep(Duration::from_secs(3)).await;
ctg_pipe.send(pipe::CardToGUI::Done).await;
Ok(())
}
fn main() {
let (ctg_pipe_s, ctg_pipe_r) = async_channel::unbounded();
let (gtc_pipe_s, gtc_pipe_r) = async_channel::unbounded();
let s = args().nth(1).unwrap();
let session_id = s
.split('&')
.next()
.unwrap()
.split('=')
.last()
.unwrap()
.to_owned();
let rt = Runtime::new().unwrap();
rt.spawn(async { run_auth(session_id, ctg_pipe_s, gtc_pipe_r).await.unwrap() });
gui::run_gui(ctg_pipe_r, gtc_pipe_s);
}

599
src/pace.rs Normal file
View file

@ -0,0 +1,599 @@
use std::collections::HashMap;
use der::{Any, DerOrd, Encode, Reader, asn1::SetOfVec, oid::ObjectIdentifier};
use openssl::{
bn::{BigNum, BigNumContext},
ec::{EcGroup, EcKey, EcPoint, PointConversionForm},
nid::Nid,
symm::{Cipher, Crypter, Mode},
};
use crate::{Card, Class, CommandChaining, OwnedCommandAPDU, SecureMessaging};
pub type SecurityInfos = SetOfVec<SecurityInfo>;
fn decrypt_unpadded(
c: Cipher,
key: &[u8],
iv: Option<&[u8]>,
data: &[u8],
) -> Result<Vec<u8>, openssl::error::ErrorStack> {
let mut crypter = Crypter::new(c, Mode::Decrypt, key, iv)?;
crypter.pad(false);
let mut out = vec![0; data.len() + 64];
let count = crypter.update(data, &mut out)?;
let rest = crypter.finalize(&mut out[count..])?;
out.truncate(count + rest);
Ok(out)
}
fn encrypt_unpadded(
c: Cipher,
key: &[u8],
iv: Option<&[u8]>,
data: &[u8],
) -> Result<Vec<u8>, openssl::error::ErrorStack> {
let mut crypter = Crypter::new(c, Mode::Encrypt, key, iv)?;
crypter.pad(false);
let mut out = vec![0; data.len() + 64];
let count = crypter.update(data, &mut out)?;
let rest = crypter.finalize(&mut out[count..])?;
out.truncate(count + rest);
Ok(out)
}
const BSI_DE: ObjectIdentifier = ObjectIdentifier::new_unwrap("0.4.0.127.0.7");
const ID_PACE: ObjectIdentifier = ObjectIdentifier::new_unwrap("0.4.0.127.0.7.2.2.4");
const ID_PACE_ECDH_GM: ObjectIdentifier = ObjectIdentifier::new_unwrap("0.4.0.127.0.7.2.2.4.2");
const ID_PACE_ECDH_GM_AES_CBC_CMAC_256: ObjectIdentifier =
ObjectIdentifier::new_unwrap("0.4.0.127.0.7.2.2.4.2.4");
#[derive(PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
pub enum SecurityInfoData {
PACE {
version: u64,
parameter_id: Option<u64>,
},
Other {
required_data: Any,
optional_data: Option<Any>,
},
}
impl DerOrd for SecurityInfoData {
fn der_cmp(&self, other: &Self) -> der::Result<std::cmp::Ordering> {
Ok(self.cmp(other))
}
}
#[derive(PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
pub struct SecurityInfo {
pub protocol: ObjectIdentifier,
pub data: SecurityInfoData,
}
impl DerOrd for SecurityInfo {
fn der_cmp(&self, other: &Self) -> der::Result<std::cmp::Ordering> {
Ok(self.cmp(other))
}
}
pub struct EncryptedCardWrapper<'a, C: Card + 'a> {
pub card: &'a mut C,
pub counter: [u8; 16],
pub creds: PACECredentials,
}
impl<'a, C: Card + Send + 'a> EncryptedCardWrapper<'a, C> {
pub fn new(card: &'a mut C, creds: PACECredentials) -> Self {
Self {
card,
creds,
counter: [0; 16],
}
}
fn tick_counter(&mut self) {
for i in 0..16 {
let j = 15 - i;
if let Some(ok) = self.counter[j].checked_add(1) {
self.counter[j] = ok;
break;
} else {
self.counter[j] = 0;
}
}
}
}
fn pad_vec(v: &mut Vec<u8>, to: usize) {
v.push(0x80);
while v.len() % to != 0 {
v.push(0x00);
}
}
impl<'a, C: Card + Send + 'a> Card for EncryptedCardWrapper<'a, C> {
async fn transmit(&mut self, mut apdu: OwnedCommandAPDU) -> std::io::Result<crate::ResultAPDU> {
if let Class::Standard {
secure_messaging, ..
} = &mut apdu.class
{
*secure_messaging = SecureMessaging::StandardHeaderAuthenticated;
}
self.tick_counter();
let mut header = vec![
apdu.class.encode().unwrap(),
apdu.instruction,
apdu.parameter[0],
apdu.parameter[1],
];
pad_vec(&mut header, 16);
let mut to_encrypt_data = apdu.command.clone();
pad_vec(&mut to_encrypt_data, 16);
let iv = encrypt_unpadded(
openssl::symm::Cipher::aes_256_cbc(),
&self.creds.k_enc,
Some(&[0; 16]),
&self.counter,
)
.unwrap();
let mut encrypted_data_do = encrypt_unpadded(
Cipher::aes_256_cbc(),
&self.creds.k_enc,
Some(&iv),
&to_encrypt_data,
)
.unwrap();
encrypted_data_do.insert(0, 0x01);
prepend_do(&mut encrypted_data_do, 0x87);
let expected_length_do = if apdu.expected_length != Some(0) {
let mut v = vec![apdu.expected_length.unwrap_or_default() as u8];
prepend_do(&mut v, 0x97);
v
} else {
Vec::new()
};
let mut mac_data = self.counter.to_vec();
mac_data.extend_from_slice(&header);
mac_data.extend_from_slice(&encrypted_data_do);
mac_data.extend_from_slice(&expected_length_do);
pad_vec(&mut mac_data, 16);
let cmac_key =
openssl::pkey::PKey::cmac(&openssl::symm::Cipher::aes_256_cbc(), &self.creds.k_mac[..])
.unwrap();
let mut cmac_signer = openssl::sign::Signer::new_without_digest(&cmac_key).unwrap();
cmac_signer.update(&mac_data).unwrap();
let mut signature = cmac_signer.sign_to_vec().unwrap();
signature.truncate(8);
let mut encoded_data = Vec::new();
encoded_data.extend_from_slice(&encrypted_data_do);
encoded_data.extend_from_slice(&expected_length_do);
append_do(&mut encoded_data, 0x8e, &signature);
apdu.command = encoded_data;
apdu.expected_length = None;
let resp = self.card.transmit(apdu).await?;
if resp.status == 0x6987 || resp.status == 0x6988 {
return Err(std::io::Error::new(
std::io::ErrorKind::InvalidData,
"Secure messaging error.",
));
}
self.tick_counter();
if resp.data.len() < 8 {
return Err(std::io::Error::new(
std::io::ErrorKind::InvalidData,
"Secure messaging error.",
));
}
let mac = &resp.data[resp.data.len() - 8..];
let mut data_to_mac = self.counter.to_vec();
data_to_mac.extend_from_slice(&resp.data[..resp.data.len() - 10]);
pad_vec(&mut data_to_mac, 16);
let cmac_key =
openssl::pkey::PKey::cmac(&openssl::symm::Cipher::aes_256_cbc(), &self.creds.k_mac[..])
.unwrap();
let mut cmac_signer = openssl::sign::Signer::new_without_digest(&cmac_key).unwrap();
cmac_signer.update(&data_to_mac).unwrap();
let mut signature = cmac_signer.sign_to_vec().unwrap();
signature.truncate(8);
if mac != signature {
return Err(std::io::Error::new(
std::io::ErrorKind::InvalidData,
"invalid APDU",
));
}
let mut rest = &resp.data[..];
let mut decrypted_data = Vec::new();
if rest[0] == 0x87 {
let (length, skip) = if rest[1] < 0x80 {
(rest[1] as usize, 2)
} else {
let count = rest[1] as usize - 0x80;
let mut out = 0;
for i in 0..count {
out = (out << 8) | rest[2 + i] as usize;
}
(out, 2 + count)
};
let encrypted_data = rest[skip + 1..skip + length].to_vec();
let iv = encrypt_unpadded(
openssl::symm::Cipher::aes_256_cbc(),
&self.creds.k_enc,
Some(&[0; 16]),
&self.counter,
)
.unwrap();
decrypted_data = decrypt_unpadded(
Cipher::aes_256_cbc(),
&self.creds.k_enc,
Some(&iv),
&encrypted_data,
)
.unwrap();
while decrypted_data.pop() != Some(0x80) {}
rest = &rest[skip + length..];
}
assert_eq!(rest[0], 0x99);
assert_eq!(rest[1], 0x02);
let new_sw1 = rest[2];
let new_sw2 = rest[3];
Ok(crate::ResultAPDU {
data: decrypted_data,
status: (new_sw1 as u16) << 8 | (new_sw2 as u16),
})
}
async fn transmit_raw(&mut self, apdu_buf: &[u8]) -> std::io::Result<crate::ResultAPDU> {
self.card.transmit_raw(apdu_buf).await
}
}
impl SecurityInfo {
fn for_datas(oid: ObjectIdentifier, reqd: Any, opt: Option<Any>) -> der::Result<Self> {
let data = if oid.parent().and_then(|f| f.parent()) == Some(ID_PACE) {
SecurityInfoData::PACE {
version: reqd.decode_as()?,
parameter_id: if let Some(opt) = opt {
Some(opt.decode_as()?)
} else {
None
},
}
} else {
SecurityInfoData::Other {
required_data: reqd,
optional_data: opt,
}
};
Ok(Self {
protocol: oid,
data,
})
}
}
impl<'a> der::Decode<'a> for SecurityInfo {
fn decode<R: der::Reader<'a>>(decoder: &mut R) -> der::Result<Self> {
decoder.sequence(|r| {
let oid = r.decode::<ObjectIdentifier>()?;
let reqd = r.decode::<Any>()?;
let opt = r.decode::<Option<Any>>()?;
SecurityInfo::for_datas(oid, reqd, opt)
})
}
}
pub enum PasswordType {
MRZ = 0x01,
CAN = 0x02,
PIN = 0x03,
PUK = 0x04,
}
#[derive(Debug)]
pub enum PACEStatus {
Okay,
Error(u16),
TriesLeft(u8),
PasswordSuspended,
PasswordBlocked,
}
fn make_set_authentication_template_apdu(
cryptographic_mechanism: ObjectIdentifier,
password: PasswordType,
) -> OwnedCommandAPDU {
let mut buf = Vec::new();
append_do(&mut buf, 0x80, cryptographic_mechanism.as_bytes());
append_do(&mut buf, 0x83, &[password as u8]);
OwnedCommandAPDU {
class: Class::Standard {
command_chaining: crate::CommandChaining::LastOrOnly,
secure_messaging: SecureMessaging::None,
channel: 0,
},
instruction: 0x22,
parameter: [0xC1, 0xA4],
command: buf,
expected_length: Some(0),
}
}
pub async fn set_authentication_template(
card: &mut impl Card,
cryptographic_mechanism: ObjectIdentifier,
password: PasswordType,
) -> std::io::Result<PACEStatus> {
let d = card
.transmit(make_set_authentication_template_apdu(
cryptographic_mechanism,
password,
))
.await?;
Ok(match d.status {
0x9000 => PACEStatus::Okay,
v if v & 0xFFF0 == 0x63C0 => PACEStatus::TriesLeft((v as u8) & 0xF),
0x63C1 => PACEStatus::PasswordSuspended,
0x63C0 => PACEStatus::PasswordBlocked,
v => PACEStatus::Error(v),
})
}
pub async fn step_general_authenticate(
card: &mut impl Card,
chained: bool,
make_data: impl FnOnce(&mut Vec<u8>),
) -> std::io::Result<HashMap<u8, Vec<u8>>> {
let mut buf = Vec::new();
make_data(&mut buf);
prepend_do(&mut buf, 0x7c);
let bbuf = buf.clone();
let res = card
.transmit(OwnedCommandAPDU {
class: Class::Standard {
command_chaining: if chained {
CommandChaining::NotLast
} else {
CommandChaining::LastOrOnly
},
secure_messaging: SecureMessaging::None,
channel: 0,
},
instruction: 0x86,
parameter: [0x00, 0x00],
command: buf,
expected_length: None,
})
.await?;
if !res.data.starts_with(&[0x7c]) || res.status != 0x9000 {
return Ok(HashMap::new());
}
let mut b = &res.data[2..];
let mut out = HashMap::new();
while !b.is_empty() {
let id = b[0];
let len = b[1] as usize;
out.insert(id, b[2..2 + len].to_vec());
b = &b[2 + len..];
}
Ok(out)
}
#[derive(Clone, Debug)]
pub struct PACECredentials {
pub k_mac: [u8; 32],
pub k_enc: [u8; 32],
pub card_ephemeral_key: Vec<u8>,
}
pub async fn authenticate_pin(
card: &mut impl Card,
pin: &[u8],
cryptographic_mechanism: ObjectIdentifier,
) -> std::io::Result<PACECredentials> {
// Step one: Get the encrypted nonce
let mut data = step_general_authenticate(card, true, |_| {}).await?;
let encrypted_nonce = data.remove(&0x80).unwrap();
let mut pin_padded = pin.to_vec();
pin_padded.extend_from_slice(&[0x00, 0x00, 0x00, 0x03]);
let hashed_pin = openssl::sha::sha256(&pin_padded);
let cipher = openssl::symm::Cipher::aes_256_cbc();
let decrypted_nonce =
decrypt_unpadded(cipher, &hashed_pin, Some(&[0; 16]), &encrypted_nonce).unwrap();
let mut bn_ctx = BigNumContext::new().unwrap();
let main_group = EcGroup::from_curve_name(Nid::BRAINPOOL_P320R1).unwrap();
let host_ephemeral_key = EcKey::generate(&main_group).unwrap();
// Step two: provide mapping data to the card.
// In generic mapping, this is an EC point.
let host_ephemeral_key_bytes = host_ephemeral_key
.public_key()
.to_bytes(&main_group, PointConversionForm::UNCOMPRESSED, &mut bn_ctx)
.unwrap();
let data = step_general_authenticate(card, true, |f| {
append_do(f, 0x81, &host_ephemeral_key_bytes)
})
.await?;
let icc_public_key_point =
EcPoint::from_bytes(&main_group, data.get(&0x82).unwrap(), &mut bn_ctx).unwrap();
let mut shared_secret = EcPoint::new(&main_group).unwrap();
shared_secret
.mul(
&main_group,
&icc_public_key_point,
host_ephemeral_key.private_key(),
&bn_ctx,
)
.unwrap();
let mut tmp = EcPoint::new(&main_group).unwrap();
let mut mapped_generator = EcPoint::new(&main_group).unwrap();
tmp.mul_generator(
&main_group,
&BigNum::from_slice(&decrypted_nonce[..]).unwrap(),
&bn_ctx,
)
.unwrap();
mapped_generator
.add(&main_group, &tmp, &shared_secret, &mut bn_ctx)
.unwrap();
let mut mapped_group = EcGroup::from_curve_name(Nid::BRAINPOOL_P320R1).unwrap();
let mut order = BigNum::new().unwrap();
mapped_group.order(&mut order, &mut bn_ctx).unwrap();
let mut cofactor = BigNum::new().unwrap();
mapped_group.cofactor(&mut cofactor, &mut bn_ctx).unwrap();
mapped_group
.set_generator(mapped_generator, order, cofactor)
.unwrap();
let host_ephemeral_mapped_key = EcKey::generate(&mapped_group).unwrap();
let host_ephemeral_mapped_key_bytes = host_ephemeral_mapped_key
.public_key()
.to_bytes(
&mapped_group,
PointConversionForm::UNCOMPRESSED,
&mut bn_ctx,
)
.unwrap();
let data = step_general_authenticate(card, true, |f| {
append_do(f, 0x83, &host_ephemeral_mapped_key_bytes)
})
.await?;
let icc_ephemeral_mapped_key =
EcPoint::from_bytes(&mapped_group, data.get(&0x84).unwrap(), &mut bn_ctx).unwrap();
let mut mapped_shared_secret = EcPoint::new(&mapped_group).unwrap();
mapped_shared_secret
.mul(
&mapped_group,
&icc_ephemeral_mapped_key,
host_ephemeral_mapped_key.private_key(),
&mut bn_ctx,
)
.unwrap();
let mut mapped_shared_secret_x = BigNum::new().unwrap();
let mut mapped_shared_secret_y = BigNum::new().unwrap();
mapped_shared_secret
.affine_coordinates(
&mapped_group,
&mut mapped_shared_secret_x,
&mut mapped_shared_secret_y,
&mut bn_ctx,
)
.unwrap();
let mut shared_secret_bytes = mapped_shared_secret_x.to_vec();
shared_secret_bytes.extend_from_slice(&[0x00, 0x00, 0x00, 0x01]);
let k_enc = openssl::sha::sha256(&shared_secret_bytes);
shared_secret_bytes.pop();
shared_secret_bytes.push(0x02);
let k_mac = openssl::sha::sha256(&shared_secret_bytes);
let mut to_mac = Vec::new();
cryptographic_mechanism.encode_to_vec(&mut to_mac).unwrap();
append_do(
&mut to_mac,
0x86,
&icc_ephemeral_mapped_key
.to_bytes(
&mapped_group,
PointConversionForm::UNCOMPRESSED,
&mut bn_ctx,
)
.unwrap(),
);
prepend_do(&mut to_mac, 0x7F49);
let cmac_key =
openssl::pkey::PKey::cmac(&openssl::symm::Cipher::aes_256_cbc(), &k_mac[..]).unwrap();
let mut cmac_signer = openssl::sign::Signer::new_without_digest(&cmac_key).unwrap();
cmac_signer.update(&to_mac).unwrap();
let mut signature = cmac_signer.sign_to_vec().unwrap();
signature.truncate(8);
let _ = step_general_authenticate(card, false, |f| append_do(f, 0x85, &signature)).await?;
// TODO: verify card
let mut icc_ephemeral_mapped_key_x = BigNum::new().unwrap();
let mut icc_ephemeral_mapped_key_y = BigNum::new().unwrap();
icc_ephemeral_mapped_key
.affine_coordinates(
&mapped_group,
&mut icc_ephemeral_mapped_key_x,
&mut icc_ephemeral_mapped_key_y,
&mut bn_ctx,
)
.unwrap();
Ok(PACECredentials {
k_mac,
k_enc,
card_ephemeral_key: icc_ephemeral_mapped_key_x.to_vec(),
})
}
pub fn prepend_do(v: &mut Vec<u8>, val: u16) {
let l = v.len() as u8;
v.insert(0, l);
if val < 0x100 {
v.insert(0, val as u8);
} else {
v.insert(0, (val >> 8) as u8);
v.insert(1, val as u8);
}
}
pub fn append_do(v: &mut Vec<u8>, val: u16, d: &[u8]) {
let l = d.len() as u8;
if val < 0x100 {
v.push(val as u8);
} else {
v.push((val >> 8) as u8);
v.push(val as u8);
}
v.push(l);
v.extend_from_slice(d);
}

107
src/pcsc_card.rs Normal file
View file

@ -0,0 +1,107 @@
use std::ffi::CString;
use pcsc::{Protocols, ReaderState, State};
use crate::{Card, ResultAPDU};
pub struct PCSCCard {
pub ctx: pcsc::Context,
pub reader: CString,
pub card: pcsc::Card,
pub buf: [u8; 0x10002],
}
impl Card for PCSCCard {
async fn transmit(
&mut self,
apdu: crate::OwnedCommandAPDU,
) -> std::io::Result<crate::ResultAPDU> {
let mut apdu_buf = vec![
apdu.class.encode().unwrap(),
apdu.instruction,
apdu.parameter[0],
apdu.parameter[1],
];
let extended =
apdu.command.len() > 0xFF || apdu.expected_length.map(|f| f > 0xFF) == Some(true);
if extended {
apdu_buf.push(0);
apdu_buf.extend_from_slice(&(apdu.command.len() as u16).to_be_bytes());
} else if !apdu.command.is_empty() {
apdu_buf.push(apdu.command.len() as u8);
}
apdu_buf.extend_from_slice(&apdu.command);
if extended {
apdu_buf.extend_from_slice(
&(apdu.expected_length.unwrap_or_default() as u16).to_be_bytes(),
);
} else if apdu.expected_length != Some(0) {
apdu_buf.push(apdu.expected_length.unwrap_or_default() as u8);
}
let ret_len = self
.card
.transmit(&apdu_buf, &mut self.buf)
.map_err(|f| std::io::Error::new(std::io::ErrorKind::BrokenPipe, f))?
.len();
let data = self.buf[..ret_len - 2].to_vec();
let sw = (self.buf[ret_len - 2] as u16) << 8 | (self.buf[ret_len - 1] as u16);
Ok(ResultAPDU { data, status: sw })
}
async fn transmit_raw(&mut self, apdu_buf: &[u8]) -> std::io::Result<crate::ResultAPDU> {
let ret_len = self
.card
.transmit(apdu_buf, &mut self.buf)
.map_err(|f| std::io::Error::new(std::io::ErrorKind::BrokenPipe, f))?
.len();
let data = self.buf[..ret_len - 2].to_vec();
let sw = (self.buf[ret_len - 2] as u16) << 8 | (self.buf[ret_len - 1] as u16);
Ok(ResultAPDU { data, status: sw })
}
}
impl PCSCCard {
pub fn new() -> Self {
let ctx = pcsc::Context::establish(pcsc::Scope::User).unwrap();
let readers = ctx.list_readers_owned().unwrap();
let reader = readers.first().unwrap();
let mut rs = [ReaderState::new(reader.to_owned(), State::empty())];
loop {
ctx.get_status_change(None, &mut rs[..]).unwrap();
rs[0].sync_current_state();
if rs[0].event_state().contains(State::PRESENT) {
let card = ctx
.connect(reader, pcsc::ShareMode::Shared, Protocols::ANY)
.unwrap();
return Self {
ctx,
reader: reader.to_owned(),
card,
buf: [0; 0x10002],
};
}
}
}
pub fn wait_for_remove(self) {
let mut rs = [ReaderState::new(self.reader, State::empty())];
loop {
self.ctx.get_status_change(None, &mut rs[..]).unwrap();
if rs[0].event_state().contains(State::PRESENT) {
rs[0].sync_current_state();
continue;
}
break;
}
}
}

14
src/pipe.rs Normal file
View file

@ -0,0 +1,14 @@
#[derive(Debug)]
pub enum GUIToCard {
PIN(String),
}
#[derive(Debug)]
pub enum CardToGUI {
AuthenticationTarget { target: String },
WaitForCard,
ReadyForPIN { message: Option<String> },
ProcessingStep { step: usize },
ProcessingMessage { message: String },
Done,
}