55#include <openssl/asn1.h>
56#include <openssl/buffer.h>
57#include <openssl/cmac.h>
58#include <openssl/ec.h>
59#include <openssl/evp.h>
121 BUF_MEM * (*generate_key)(EVP_PKEY *
key, BN_CTX *bn_ctx);
131 BUF_MEM * (*compute_key)(EVP_PKEY *
key,
const BUF_MEM *in, BN_CTX *bn_ctx);
180 BUF_MEM * (*map_generate_key)(
const struct pace_ctx *ctx, BN_CTX *bn_ctx);
185 const BUF_MEM * in, BN_CTX *bn_ctx);
228 BUF_MEM * (*generate_key)(EVP_PKEY *key, BN_CTX *bn_ctx);
238 BUF_MEM * (*compute_key)(EVP_PKEY *key,
const BUF_MEM *in, BN_CTX *bn_ctx);
244typedef CVC_CERT * (*CVC_lookup_cvca_cert) (
const unsigned char *chr,
size_t car_len);
301typedef X509_STORE * (*X509_lookup_csca_cert) (
unsigned long issuer_name_hash);
378#define EAC_AES_MAC_LENGTH 8
441 const unsigned char *privkey,
size_t privkey_len,
442 const unsigned char *cvca,
size_t cvca_len);
497 const unsigned char *ef_cardsecurity,
size_t ef_cardsecurity_len,
705 size_t cert_desc_len);
Interface for Card Verifiable Certificates.
eac_tr_version
Identification of the specifications to use.
@ EAC_TR_VERSION_2_01
Perform EAC according to TR-03110 v2.01.
@ EAC_TR_VERSION_2_02
Perform EAC according to TR-03110 v2.02 and later.
@ EAC_TR_VERSION
Undefined type, if nothing else matches.
struct ta_ctx TA_CTX
Context for the Terminal Authentication protocol.
struct pace_ctx PACE_CTX
Context for the Password Authenticated Connection Establishment protocol.
struct eac_ctx EAC_CTX
Context for the Extended Access Control protocol.
struct ca_ctx CA_CTX
Context for the Chip Authentication protocol.
struct ri_ctx RI_CTX
Context for the Restricted Identification protocol.
X509_STORE *(* X509_lookup_csca_cert)(unsigned long issuer_name_hash)
callback for finding the X.509 trust anchor
struct ka_ctx KA_CTX
Context for a key agreement and subsequent derivation of session keys.
CVC_CERT *(* CVC_lookup_cvca_cert)(const unsigned char *chr, size_t car_len)
callback for finding the CVCA trust anchor
int EAC_CTX_set_cvca_lookup(EAC_CTX *ctx, CVC_lookup_cvca_cert lookup_cvca_cert)
Set the CVCA lookup callback.
int EAC_CTX_get_csca_lookup_cert(const EAC_CTX *ctx, X509_lookup_csca_cert *lookup_cvca_cert)
Get the CSCA lookup callback.
int EAC_CTX_init_ri(EAC_CTX *ctx, int protocol, int stnd_dp)
Initialize an EAC context for Restricted Identification.
X509_lookup_csca_cert EAC_get_default_csca_lookup(void)
Return the default lookup of the country signing CA.
int EAC_CTX_init_pace(EAC_CTX *ctx, int protocol, int curve)
Initialize an EAC context for PACE.
int EAC_CTX_set_csca_lookup_cert(EAC_CTX *ctx, X509_lookup_csca_cert lookup_cvca_cert)
Set the CSCA lookup callback.
void EAC_init(void)
Initializes OpenSSL and the EAC identifier.
void EAC_set_x509_default_dir(const char *default_dir)
Set directory for EAC_get_default_csca_lookup()
void EAC_CTX_clear_free(EAC_CTX *ctx)
Free an EAC context.
void EAC_cleanup(void)
Wrapper to EVP_cleanup()
void EAC_set_cvc_default_dir(const char *default_dir)
Set directory for EAC_get_default_cvca_lookup()
int EAC_CTX_init_ca(EAC_CTX *ctx, int protocol, int curve)
Initialize an EAC context for Chip Authentication.
CVC_lookup_cvca_cert EAC_get_default_cvca_lookup(void)
Return the default lookup of the country verifying CA.
int EAC_CTX_init_ef_cardaccess(unsigned const char *in, size_t in_len, EAC_CTX *ctx)
Initialize an EAC context for PACE, TA and CA from the data given in an EF.CardAccess.
int EAC_CTX_init_ta(const EAC_CTX *ctx, const unsigned char *privkey, size_t privkey_len, const unsigned char *cvca, size_t cvca_len)
Initialize an EAC context for TA with the terminal's PKI data. Use either a CV certificate or a known...
int EAC_CTX_init_ef_cardsecurity(const unsigned char *ef_cardsecurity, size_t ef_cardsecurity_len, EAC_CTX *ctx)
Initialize an EAC context for PACE, TA and CA from the data given in an EF.CardSecurity.
EAC_CTX * EAC_CTX_new(void)
Create a new EAC context.
int EAC_CTX_get_cvca_lookup(const EAC_CTX *ctx, CVC_lookup_cvca_cert *lookup_cvca_cert)
Return the EAC context's CVCA lookup callback.
void BUF_MEM_clear_free(BUF_MEM *b)
Frees and wipes a buffer.
int EAC_CTX_print_private(BIO *out, const EAC_CTX *ctx, int indent)
Print EAC context including private data.
int BUF_MEM_print(BIO *out, const BUF_MEM *buf, int indent)
Prints buffer.
BUF_MEM * EAC_hash_certificate_description(const unsigned char *cert_desc, size_t cert_desc_len)
Compute the hash of a CV certificate description.
int EAC_verify_authentication(const EAC_CTX *ctx, const BUF_MEM *data, const BUF_MEM *mac)
Verify authenticated data according to TR-03110 F.2.
int EAC_CTX_set_encryption_ctx(EAC_CTX *ctx, int id)
Set the SM context for encryption, decryption and authentication.
BUF_MEM * EAC_encrypt(const EAC_CTX *ctx, const BUF_MEM *data)
Encrypts data according to TR-03110 F.2.
BUF_MEM * EAC_add_iso_pad(const EAC_CTX *ctx, const BUF_MEM *unpadded)
Pad a buffer using ISO/IEC 9797-1 padding method 2.
int EAC_reset_ssc(const EAC_CTX *ctx)
Reset the Send Sequence Counter.
BUF_MEM * EAC_decrypt(const EAC_CTX *ctx, const BUF_MEM *data)
Decrypt data according to TR-03110 F.2.
BUF_MEM * EAC_authenticate(const EAC_CTX *ctx, const BUF_MEM *data)
Authenticate data according to TR-03110 F.2.
int EAC_set_ssc(const EAC_CTX *ctx, unsigned long ssc)
Set the Send Sequence Counter.
BUF_MEM * EAC_Comp(const EAC_CTX *ctx, int id, const BUF_MEM *pub)
Compresse a public key according to TR-03110 Table A.2.
int EAC_increment_ssc(const EAC_CTX *ctx)
Increment the Send Sequence Counter.
BUF_MEM * EAC_remove_iso_pad(const BUF_MEM *padded)
Remove ISO/IEC 9797-1 padding method 2 from a message.
Definitions of object identifiers.
Context for the Chip Authentication protocol.
unsigned char version
(currently unused) Version of the CA protocol, MUST be 1 or 2
int id
identifier of this CA context
int flags
Flags to control some of the behaviour of the CA.
int protocol
Identifier of the protocol's OID specifying the exact CA parameters to use.
X509_lookup_csca_cert lookup_csca_cert
callback for finding the X.509 trust anchor
KA_CTX * ka_ctx
Key agreement object used with the PICC's private key.
The actual certifcate, consisting of the body and a signature.
Context for the Extended Access Control protocol.
STACK_OF(CA_CTX *) ca_ctxs
stack of available Chip Authentication configurations
TA_CTX * ta_ctx
Context for the currently selected Terminal Authentication protocol.
CA_CTX * ca_ctx
Context for the currently selected Chip Authentication protocol.
EVP_MD_CTX * md_ctx
Context for various hashing operations.
KA_CTX * key_ctx
Context for currently selected secure messaging established with PACE or CA.
PACE_CTX * pace_ctx
Context for the currently selected Password Authenticated Connection Establishment protocol.
STACK_OF(RI_CTX *) ri_ctxs
stack of available Restricted Identification configurations
BN_CTX * bn_ctx
Context for various operations with BIGNUM objects.
STACK_OF(PACE_CTX *) pace_ctxs
stack of available Password Authenticated Connection Establishment configurations
BIGNUM * ssc
Send sequence counter.
EVP_CIPHER_CTX * cipher_ctx
Context for various cipher operations.
RI_CTX * ri_ctx
Context for the currently selected Restricted Identification protocol.
enum eac_tr_version tr_version
Perform EAC conforming to this version of TR-03110.
Context for a key agreement and subsequent derivation of session keys.
ENGINE * cipher_engine
Cipher's engine.
BUF_MEM * k_mac
Symmetric key used for integrity protection. Derived from KA_CTX.shared_secret.
ENGINE * md_engine
Digest's engine.
int enc_keylen
Length of the computed key for the encryption/decryption.
BUF_MEM * k_enc
Symmetric key used for encryption/decryption. Derived from KA_CTX.shared_secret.
const EVP_CIPHER * cipher
Cipher to use for encryption/decryption.
EVP_PKEY * key
Container for the key pair used for key agreement.
const EVP_MD * md
Digest to use for key derivation.
BUF_MEM * shared_secret
Shared secret computed during the key agreement protocol.
CMAC_CTX * cmac_ctx
Context for CMAC.
int mac_keylen
Length of the computed key for the message authentication code.
unsigned char * iv
Initialisation vector for encryption/decryption.
Context for the Password Authenticated Connection Establishment protocol.
BUF_MEM * nonce
PICC's decrypted challenge generated in PACE step 1.
KA_CTX * ka_ctx
Key agreement object used with the ephemeral domain parameters.
unsigned char version
(currently unused) Version of the PACE protocol, MUST be 1 or 2
BUF_MEM * my_eph_pubkey
The own ephemeral public key generated in PACe step 3b.
int(* map_compute_key)(struct pace_ctx *ctx, const BUF_MEM *s, const BUF_MEM *in, BN_CTX *bn_ctx)
Points to the implementation of a specific mapping.
EVP_PKEY * static_key
PICC's static domain parameters.
int id
identifier of this PACE context
int protocol
Identifier of the protocol's OID specifying the exact PACE parameters to use.
Context for the Restricted Identification protocol.
int protocol
Identifier of the hash function to use.
EVP_PKEY * static_key
PICC's static domain parameters.
int id
identifier of this RI context
const EVP_MD * md
Digest to use for derivation of I^{sector}_{ID}.
Context for the Terminal Authentication protocol.
EVP_PKEY * pub_key
TA public key used for signing the challenge.
CVC_CERT * new_trust_anchor
When a complete CV certificate chain has been verified, this will be the new trust anchor.
BUF_MEM * nonce
PICC's challenge.
ENGINE * key_engine
(currently unused) engine for signing and signature verification
EVP_PKEY * priv_key
TA private key used for signing the challenge.
CVC_lookup_cvca_cert lookup_cvca_cert
Lookup the CVCA trust anchor.
BUF_MEM * pk_pcd
PCD's public key extracted from it's CV certificate.
CVC_CERT * trust_anchor
Trust anchor for CV certificate validation.
CVC_CERT * current_cert
Most recent verified CV certificate in a certificate chain.
unsigned char version
(currently unused) Version of the TA protocol, MUST be 1 or 2
int flags
Flags to control some of the behaviour of the CA.
int protocol
Identifier of the protocol's OID specifying the exact TA parameters to use.
