costan-tem_ruby 0.10.2

data/lib/tem/tem.rb

@@ -0,0 +1,31 @@
+class Tem::Session
+  include Tem::Abi
+  include Tem::Apdus::Buffers
+  include Tem::Apdus::Keys
+  include Tem::Apdus::Lifecycle
+  include Tem::Apdus::Tag
+  
+  include Tem::CA
+  include Tem::ECert
+  include Tem::SeClosures
+  include Tem::Toolkit
+  
+  CAPPLET_AID = [0x19, 0x83, 0x12, 0x29, 0x10, 0xBA, 0xBE]
+  
+  attr_reader :transport
+  
+  def initialize(transport)
+    @transport = transport
+    @transport.select_applet CAPPLET_AID
+  end
+  
+  def disconnect
+    return unless @transport
+    @transport.disconnect
+    @transport = nil
+  end
+  
+  def tem_secpack_error(response)
+    raise "TEM refused the SECpack"
+  end
+end

data/lib/tem/toolkit.rb

@@ -0,0 +1,101 @@
+module Tem::Toolkit
+  def tk_firmware_ver
+    tag = get_tag
+    return { :major => read_tem_ubyte(tag, 0), :minor => read_tem_ubyte(tag, 1) }
+  end
+  
+  def tk_gen_key(type = :asymmetric, authz = nil)
+    gen_sec = assemble do |s|
+      s.ldbc authz.nil? ? 24 : 4
+      s.outnew
+      if authz.nil?
+        # no authorization given, must generate one
+        s.ldbc 20
+        s.ldwc :key_auth
+        s.dupn :n => 2
+        s.rnd
+        s.outvb
+      end
+      s.genkp :type => (type == :asymmetric) ? 0x00 : 0x80
+      s.authk :auth => :key_auth 
+      s.outw
+      s.authk :auth => :key_auth 
+      s.outw
+      s.halt
+      s.label :key_auth
+      if authz.nil?
+        s.zeros :tem_ubyte, 20
+      else
+        s.data :tem_ubyte, authz
+      end
+      s.stack 4
+    end
+    
+    kp_buffer = execute gen_sec
+    keys_offset = authz.nil? ? 20 : 0
+    k1id = read_tem_ushort kp_buffer, keys_offset
+    k2id = read_tem_ushort kp_buffer, keys_offset + 2
+    if type == :asymmetric 
+      return_val = { :pubk_id => k1id, :privk_id => k2id }
+    else
+      return_val = { :key_id => k1id }
+    end
+    return { :authz => authz.nil? ? kp_buffer[0...20] : authz }.merge!(return_val)
+  end
+  
+  def tk_read_key(key_id, authz)
+    read_sec = assemble do |s|
+      s.ldbc :const => key_id
+      s.authk :auth => :key_auth
+      s.ldkl
+      s.outnew
+      s.ldbc :const => key_id
+      s.ldbc(-1)
+      s.stk
+      s.halt
+      s.label :key_auth
+      s.data :tem_ubyte, authz
+      s.stack 4
+    end
+    
+    key_string = execute read_sec
+    return read_tem_key(key_string, 0)
+  end
+  
+  def tk_delete_key(key_id, authz)
+    del_sec = assemble do |s|
+      s.ldbc :const => key_id
+      s.authk :auth => :key_auth
+      s.relk
+      s.ldbc :const => 1
+      s.outnew
+      s.ldbc :const => key_id
+      s.outb
+      s.halt
+      s.label :key_auth
+      s.data :tem_ubyte, authz
+      s.stack 4
+    end
+    
+    execute del_sec
+  end
+  
+  def tk_post_key(key, authz)
+    post_sec = assemble do |s|
+      s.ldbc :const => 1
+      s.outnew
+      s.ldwc :const => :key_data
+      s.rdk
+      s.authk :auth => :key_auth
+      s.outb
+      s.halt
+      s.label :key_data
+      s.data :tem_ubyte, key.to_tem_key
+      s.label :key_auth
+      s.data :tem_ubyte, authz
+      s.stack 4
+    end
+    id_string = execute post_sec
+    return read_tem_ubyte(id_string, 0)
+  end
+end

data/lib/tem/transport/auto_configurator.rb

@@ -0,0 +1,87 @@
+# :nodoc: namespace
+module Tem::Transport
+
+# Automatic configuration code. 
+module AutoConfigurator  
+  # The name of the environment variable that might supply the transport
+  # configuration.
+  ENVIRONMENT_VARIABLE_NAME = 'TEM_PORT'
+  
+  # The default configurations to be tried if no configuration is specified.
+  DEFAULT_CONFIGURATIONS = [
+    { :class => JcopRemoteTransport,
+      :opts => { :host => '127.0.0.1', :port => 8050} },
+    { :class => PcscTransport, :opts => { :reader_index => 0 }}
+  ]
+
+  # Creates a transport based on available configuration information.
+  def self.auto_transport
+    configuration = env_configuration
+    return try_transport(configuration) if configuration
+    
+    DEFAULT_CONFIGURATIONS.each do |config|
+      transport = try_transport(config)
+      return transport if transport
+    end
+    return nil
+  end
+
+  # Retrieves transport configuration information from an environment variable.
+  #
+  # :call-seq:
+  #   AutoConfigurator.env_configuration -> hash
+  #
+  # The returned configuration has the keys required by
+  # AutoConfigurator#try_transport
+  def self.env_configuration
+    return nil unless conf = ENV[ENVIRONMENT_VARIABLE_NAME]
+    
+    case conf[0]
+    when ?:
+      # :8050 -- JCOP emulator at port 8050
+      transport_class = JcopRemoteTransport
+      transport_opts = { :host => '127.0.0.1' }
+      transport_opts[:port] = conf[1..-1].to_i
+    when ?@
+      # @127.0.0.1:8050 -- JCOP emulator at host 127.0.0.1 port 8050
+      transport_class = JcopRemoteTransport
+      port_index = conf.rindex(?:) || conf.length
+      transport_opts = { :host => conf[1...port_index] }
+      transport_opts[:port] = conf[(port_index + 1)..-1].to_i
+    when ?#
+      # #2 -- 2nd PC/SC reader in the system
+      transport_class = PcscTransport
+      transport_opts = { :reader_index => conf[1..-1].to_i - 1 }
+    else
+      # Reader Name -- the PC/SC reader with the given name
+      transport_class = PcscTransport
+      transport_opts = { :reader_name => conf }
+    end
+    
+    transport_opts[:port] = 8050 if transport_opts[:port] == 0
+    if transport_opts[:reader_index] and transport_opts[:reader_index] < 0
+      transport_opts[:reader_index] = 0
+    end
+    { :class => transport_class, :opts => transport_opts }
+  end
+  
+  # Attempts to create a new TEM transport with the given configuration.
+  # :call-seq:
+  #   AutoConfigurator.try_transport(configuration) -> Transport or nil
+  #
+  # The configuration should have the following keys:
+  #   class:: the Ruby class implementing the transport
+  #   opts:: the options to be passed to the implementation's constructor
+  def self.try_transport(configuration)
+    raise 'No transport class specified' unless configuration[:class]
+    begin
+      transport = configuration[:class].new(configuration[:opts] || {})
+      transport.connect
+      return transport
+    rescue Exception
+      return nil
+    end
+  end
+end  # module AutoConfigurator
+
+end  # module Tem::Transport

data/lib/tem/transport/java_card_mixin.rb

@@ -0,0 +1,99 @@
+# :nodoc: namespace
+module Tem::Transport
+  
+# Module intended to be mixed into transport implementations to mediate between
+# a high level format for Javacard-specific APDUs and the wire-level APDU 
+# request and response formats.
+#
+# The mix-in calls exchange_apdu in the transport implementation. It supplies
+# the APDU data as an array of integers between 0 and 255, and expects a
+# response in the same format.
+module JavaCardMixin
+  # Selects a Javacard applet.
+  def select_applet(applet_id)
+    applet_apdu! :ins => 0xA4, :p1 => 0x04, :p2 => 0x00, :data => applet_id
+  end
+  
+  # APDU exchange with the JavaCard applet, raising an exception if the return
+  # code is not success (0x9000).
+  #
+  # :call_seq:
+  #   transport.applet_apdu!(apdu_data) -> array
+  #
+  # The apdu_data should be in the format expected by
+  # JavaCardMixin#serialize_apdu. Returns the response data, if the response
+  # status indicates success (0x9000). Otherwise, raises an exeception.
+  def applet_apdu!(apdu_data)
+    response = self.applet_apdu apdu_data
+    return response[:data] if response[:status] == 0x9000
+    raise "JavaCard response has error status 0x#{'%04x' % response[:status]}"
+  end
+
+  # Performs an APDU exchange with the JavaCard applet.
+  #
+  # :call-seq:
+  #   transport.applet_apdu(apdu_data) -> hash
+  #
+  # The apdu_data should be in the format expected by
+  # JavaCardMixin#serialize_apdu. The response will be as specified in
+  # JavaCardMixin#deserialize_response.
+  def applet_apdu(apdu_data)
+    apdu = Tem::Transport::JavaCardMixin.serialize_apdu apdu_data
+    response = self.exchange_apdu apdu
+    JavaCardMixin.deserialize_response response
+  end
+  
+  # Serializes an APDU for wire transmission.
+  #
+  # :call-seq:
+  #   transport.wire_apdu(apdu_data) -> array
+  #
+  # The following keys are recognized in the APDU hash:
+  #   cla:: the CLA byte in the APDU (optional, defaults to 0) 
+  #   ins:: the INS byte in the APDU -- the first byte seen by a JavaCard applet
+  #   p:: 
+  #   p1, p2:: the P1 and P2 bytes in the APDU (optional, both default to 0)
+  #   data:: the extra data in the APDU (optional, defaults to nothing)
+  def self.serialize_apdu(apdu_data)
+    raise 'Unspecified INS in apdu_data' unless apdu_data[:ins]
+    apdu = [ apdu_data[:cla] || 0, apdu_data[:ins] ]
+    if apdu_data[:p12]
+      unless apdu_data[:p12].length == 2
+        raise "Malformed P1,P2 - #{apdu_data[:p12]}"
+      end
+      apdu += apdu_data[:p12]
+    else
+      apdu << (apdu_data[:p1] || 0)
+      apdu << (apdu_data[:p2] || 0)
+    end
+    if apdu_data[:data]
+      apdu << apdu_data[:data].length
+      apdu += apdu_data[:data]
+    else
+      apdu << 0
+    end
+    apdu
+  end
+  
+  # De-serializes a JavaCard response APDU.
+  # 
+  # :call-seq:
+  #   transport.deserialize_response(response) -> hash
+  #
+  # The response contains the following keys:
+  #   status:: the 2-byte status code (e.g. 0x9000 is OK)
+  #   data:: the additional data in the response
+  def self.deserialize_response(response)
+    { :status => response[-2] * 256 + response[-1], :data => response[0...-2] }
+  end
+  
+  # Installs a JavaCard applet on the JavaCard.
+  #
+  # This would be really, really nice to have. Sadly, it's a far away TBD right
+  # now.
+  def install_applet(cap_contents)
+    raise "Not implemeted; it'd be nice though, right?"
+  end
+end  # module Tem
+
+end  # module Tem::Transport

data/lib/tem/transport/jcop_remote_protocol.rb

@@ -0,0 +1,59 @@
+# :nodoc: namespace
+module Tem::Transport
+  
+# Mixin implementing the JCOP simulator protocol.
+#
+# The (pretty informal) protocol specification is contained in the JavaDocs for
+# the class com.ibm.jc.terminal.RemoteJCTerminal and should be easy to find by
+# http://www.google.com/search?q=%22com.ibm.jc.terminal.RemoteJCTerminal%22  
+module JcopRemoteProtocol
+  # Encodes and sends a JCOP simulator message to a TCP socket.
+  #
+  # The message must contain the following keys:
+  #   type:: Integer expressing the message type (e.g. 1 = APDU exchange)
+  #   node:: Integer expressing the node address (e.g. 0 for most purposes)
+  #   data:: message payload, as an array of Integers ranging from 0 to 255
+  def send_message(socket, message)
+    raw_message = [message[:type], message[:node], message[:data].length].
+                  pack('CCn') + message[:data].pack('C*')
+    socket.send raw_message, 0
+  end
+  
+  # Reads and decodes a JCOP simulator message from a TCP socket.
+  # 
+  # :call_seq:
+  #   client.read_message(socket) -> Hash or nil
+  #
+  # If the other side of the TCP socket closes the connection, this method
+  # returns nil. Otherwise, a Hash is returned, with the format required by the
+  # JcopRemoteProtocol#send_message.
+  def recv_message(socket)
+    header = ''
+    while header.length < 4
+      begin
+        partial = socket.recv 4 - header.length
+      rescue  # Abrupt hangups result in exceptions that we catch here.        
+        return nil
+      end
+      return false if partial.length == 0
+      header += partial
+    end
+    message_type, node_address, data_length = *header.unpack('CCn')
+    raw_data = ''
+    while raw_data.length < data_length
+      begin
+        partial = socket.recv data_length - raw_data.length
+      rescue  # Abrupt hangups result in exceptions that we catch here.
+        return nil
+      end
+      return false if partial.length == 0
+      raw_data += partial
+    end
+    
+    return false unless raw_data.length == data_length
+    data = raw_data.unpack('C*')
+    return { :type => message_type, :node => node_address, :data => data }
+  end
+end  # module JcopRemoteProtocol
+
+end  # namespace Tem::Transport

data/lib/tem/transport/jcop_remote_server.rb

@@ -0,0 +1,171 @@
+require 'socket'
+
+# :nodoc: namespace
+module Tem::Transport
+  
+# Stubs out the methods that can be implemented by the serving logic in a
+# JCOP remote server. Serving logic classes should mix in this module, to
+# avoid having unimplemented methods.
+module JcopRemoteServingStubs
+  # Called when a client connection accepted.
+  #
+  # This method serves as a notification to the serving logic implementation.
+  # Its return value is discarded.
+  def connection_start
+    nil
+  end
+  
+  # Called when a client connection is closed.
+  #
+  # This method serves as a notification to the serving logic implementation.
+  # Its return value is discarded.
+  def connection_end
+    nil
+  end
+  
+  # Serving logic handling an APDU exchange.
+  #
+  # :call-seq:
+  #   logic.exchange_apdu(apdu) -> array
+  #
+  # The |apdu| parameter is the request APDU, formatted as an array of
+  # integers between 0 and 255. The method should return the response APDU,
+  # formatted in a similar manner.  
+  def exchange_apdu(apdu)
+    # Dumb implementation that always returns OK.
+    [0x90, 0x00]
+  end
+end  # module JcopRemoteServingStubs
+    
+
+# A server for the JCOP simulator protocol.
+#
+# The JCOP simulator protocol is generally useful when talking to a real JCOP
+# simulator. This server is only handy for testing, and for forwarding
+# connections (JCOP's Eclipse plug-in makes the simulator listen to 127.0.0.1,
+# and sometimes you want to use it from another box).
+class JcopRemoteServer
+  include JcopRemoteProtocol  
+  
+  # Creates a new JCOP server.
+  #
+  # The options hash supports the following keys:
+  #   port:: the port to serve on
+  #   ip:: the IP of the interface to serve on (defaults to all interfaces)
+  #   reusable:: if set, the serving port can be shared with another
+  #              application (REUSEADDR flag will be set on the socket)
+  #
+  # If the |serving_logic| parameter is nil, a serving logic implementation
+  # must be provided when calling JcopRemoteServer#run. The server will crash
+  # otherwise.
+  def initialize(options, serving_logic = nil)
+    @logic = serving_logic
+    @running = false
+    @options = options
+    @mutex = Mutex.new
+  end
+  
+  # Runs the serving loop indefinitely.
+  #
+  # This method serves incoming conenctions until #stop is called.
+  #
+  # If |serving_logic| contains a non-nil value, it overrides any previously
+  # specified serving logic implementation. If no implementation is specified
+  # when the server is instantiated via JcopRemoteServer#new, one must be
+  # passed into |serving_logic|.
+  def run(serving_logic = nil)
+    @mutex.synchronize do
+      @logic ||= serving_logic
+      @serving_socket = serving_socket @options
+      @running = true
+    end
+    loop do
+      break unless @mutex.synchronize { @running }
+      begin
+        client_socket, client_address = @serving_socket.accept
+      rescue
+        # An exception will occur if the socket is closed
+        break
+      end
+      @logic.connection_start
+      loop do        
+        break unless @mutex.synchronize { @running }
+        break unless process_request client_socket
+      end
+      client_socket.close rescue nil
+      @logic.connection_end  # implemented by subclass
+    end
+    @mutex.synchronize do
+      @serving_socket.close if @serving_socket
+      @serving_socket = nil
+    end
+  end
+
+  # Stops the serving loop.
+  def stop
+    @mutex.synchronize do
+      if @running
+        @serving_socket.close rescue nil
+        @serving_socket = nil
+        @running = false
+      end
+    end
+    
+    # TODO(costan): figure out a way to let serving logic reach this directly.
+  end
+  
+  
+  # Creates a socket listening to incoming connections to this server.
+  # 
+  # :call-seq:
+  #   server.establish_socket(options) -> Socket
+  #
+  # The |options| parameter supports the same keys as the options parameter
+  # of JcopRemoteServer#new.
+  #
+  # Returns a Socket configured to accept incoming connections. 
+  def serving_socket(options)
+    port = options[:port] || 0
+    interface_ip = options[:ip] || '0.0.0.0'
+    serving_address = Socket.pack_sockaddr_in port, interface_ip
+    
+    socket = Socket.new Socket::AF_INET, Socket::SOCK_STREAM,
+                        Socket::PF_UNSPEC
+    
+    if options[:reusable]
+      socket.setsockopt Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true
+    end
+    socket.setsockopt Socket::IPPROTO_TCP, Socket::TCP_NODELAY, true      
+    socket.bind serving_address
+    socket.listen 5
+    socket
+  end
+  private :serving_socket
+
+  # Performs a request/response cycle.
+  #
+  # :call-seq:
+  #   server.process_request(socket) -> Boolean
+  #
+  # Returns true if the server should do another request/response cycle, or
+  # false if this client indicated it's done talking to the server.
+  def process_request(socket)
+    return false unless request = recv_message(socket)
+    
+    case request[:type]
+    when 0
+      # Wait for card; no-op, because that should have happen when the client
+      # connected.
+      send_message socket, :type => 0, :node => 0, :data => [3, 1, 4, 1, 5, 9]
+    when 1
+      # ATR exchange; the class' bread and butter
+      response = @logic.exchange_apdu request[:data]
+      send_message socket, :type => 1, :node => 0, :data => response
+    else
+      send_message socket, :type => request[:type], :node => 0, :data => []
+    end
+  end
+  private :process_request    
+end  # module JcopRemoteServer
+
+end  # namespace Tem::Transport