Add support for private DO.

Closes #50. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-02-17 16:46:03 +01:00
parent e563bb3379
commit 615737807a
6 changed files with 177 additions and 9 deletions
--- a/src/openpgp/cmd_get_data.c
+++ b/src/openpgp/cmd_get_data.c
@@ -29,10 +29,20 @@ int cmd_get_data() {
    if (!(ef = search_by_fid(fid, NULL, SPECIFY_EF))) {
        return SW_REFERENCE_NOT_FOUND();
    }
-    if (!authenticate_action(ef, ACL_OP_READ_SEARCH)) {
+    if (fid == EF_PRIV_DO_3) {
+        if (!has_pw2 && !has_pw3) {
+            return SW_SECURITY_STATUS_NOT_SATISFIED();
+        }
+    }
+    else if (fid == EF_PRIV_DO_4) {
+        if (!has_pw3) {
+            return SW_SECURITY_STATUS_NOT_SATISFIED();
+        }
+    }
+    else if (!authenticate_action(ef, ACL_OP_READ_SEARCH)) {
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    }
-    if (currentEF && (currentEF->fid & 0x1FF0) == (fid & 0x1FF0)) { //previously selected
+    if (currentEF && currentEF->fid == fid) { // previously selected same EF
        ef = currentEF;
    }
    else {
--- a/src/openpgp/cmd_put_data.c
+++ b/src/openpgp/cmd_put_data.c
@@ -32,11 +32,17 @@ int cmd_put_data() {
    if (!authenticate_action(ef, ACL_OP_UPDATE_ERASE)) {
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    }
+    if ((fid == EF_PRIV_DO_1 || fid == EF_PRIV_DO_3) && (!has_pw2 && !has_pw3)) {
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    }
+    if ((fid == EF_PRIV_DO_2 || fid == EF_PRIV_DO_4) && !has_pw3) {
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    }
    if (fid == EF_PW_STATUS) {
        fid = EF_PW_PRIV;
        apdu.nc = 4; //we silently ommit the reset parameters
    }
-    if (currentEF && (currentEF->fid & 0x1FF0) == (fid & 0x1FF0)) { //previously selected
+    if (currentEF && currentEF->fid == fid) { // previously selected same EF
        ef = currentEF;
    }
    if (apdu.nc > 0 && (ef->type & FILE_DATA_FLASH)) {
--- a/src/openpgp/files.c
+++ b/src/openpgp/files.c
@@ -55,12 +55,12 @@ uint8_t historical_bytes[] = {

 uint8_t extended_capabilities[] = {
    10, 0,
-    0x77,           /*
+    0x7f,           /*
                     * No Secure Messaging supported
                     * GET CHALLENGE supported
                     * Key import supported
                     * PW status byte can be put
-                     * No private_use_DO
+                     * private_use_DO
                     * Algorithm attrs are changable
                     * ENC/DEC with AES
                     * KDF-DO available
@@ -68,7 +68,7 @@ uint8_t extended_capabilities[] = {
    0,        /* Secure Messaging Algorithm: N/A (TDES=0, AES=1) */
    0x00, 128,      /* Max size of GET CHALLENGE */
    0x08, 0x00,   /* max. length of cardholder certificate (2KiB) */
-    0x00, 0xff,
+    0x08, 0x00,   /* max. length of private DO (2KiB) */
    0x00, 0x1
 };

@@ -476,10 +476,28 @@ file_t file_entries[] = {
    /* 131 */ { .fid = EF_PW_RETRIES, .parent = 0, .name = NULL,
               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 131 */ { .fid = EF_PRIV_DO_1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 132 */ { .fid = EF_PRIV_DO_2, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 133 */ { .fid = EF_PRIV_DO_3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 134 */ { .fid = EF_PRIV_DO_4, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 135 */ { .fid = EF_PW_RETRIES, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 136 */ { .fid = EF_PW_STATUS, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },

-    /* 132 */ { .fid = 0x0000, .parent = 0, .name = openpgp_aid, .type = FILE_TYPE_WORKING_EF,
+    /* 137 */ { .fid = 0x0000, .parent = 0, .name = openpgp_aid, .type = FILE_TYPE_WORKING_EF,
               .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 133 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_NOT_KNOWN, .data = NULL,
+    /* 138 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_NOT_KNOWN, .data = NULL,
               .ef_structure = 0, .acl = ACL_NONE }                                                                                       //end
 };

--- a/src/openpgp/files.h
+++ b/src/openpgp/files.h
@@ -163,4 +163,9 @@

 #define EF_DEV_CONF     0x1122

+#define EF_PRIV_DO_1        0x0101
+#define EF_PRIV_DO_2        0x0102
+#define EF_PRIV_DO_3        0x0103
+#define EF_PRIV_DO_4        0x0104
+
 #endif