/****************************************************************************
* Copyright (C) 2012 ecsec GmbH.
* All rights reserved.
* Contact: ecsec GmbH (info@ecsec.de)
*
* This file is part of the Open eCard App.
*
* GNU General Public License Usage
* This file may be used under the terms of the GNU General Public
* License version 3.0 as published by the Free Software Foundation
* and appearing in the file LICENSE.GPL included in the packaging of
* this file. Please review the following information to ensure the
* GNU General Public License version 3.0 requirements will be met:
* http://www.gnu.org/copyleft/gpl.html.
*
* Other Usage
* Alternatively, this file may be used in accordance with the terms
* and conditions contained in a signed written agreement between
* you and ecsec GmbH.
*
***************************************************************************/
package org.openecard.sal.protocol.eac;
import org.openecard.common.apdu.ExternalAuthentication;
import org.openecard.common.apdu.GetChallenge;
import org.openecard.common.apdu.common.CardCommandAPDU;
import org.openecard.common.apdu.common.CardResponseAPDU;
import org.openecard.common.apdu.exception.APDUException;
import org.openecard.common.interfaces.Dispatcher;
import org.openecard.common.sal.protocol.exception.ProtocolException;
import org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificate;
import org.openecard.crypto.common.asn1.cvc.CardVerifiableCertificateChain;
import org.openecard.sal.protocol.eac.apdu.MSESetATTA;
import org.openecard.sal.protocol.eac.apdu.MSESetDST;
import org.openecard.sal.protocol.eac.apdu.PSOVerifyCertificate;
/**
* Implements the Terminal Authentication protocol.
* See BSI-TR-03110, version 2.10, part 2, Section B.3.4.
* See BSI-TR-03110, version 2.10, part 3, Section B.3.
*
* @author Moritz Horsch <horsch@cdc.informatik.tu-darmstadt.de>
*/
public class TerminalAuthentication {
private final Dispatcher dispatcher;
private final byte[] slotHandle;
/**
* Creates a new Terminal Authentication.
*
* @param dispatcher Dispatcher
* @param slotHandle Slot handle
*/
public TerminalAuthentication(Dispatcher dispatcher, byte[] slotHandle) {
this.dispatcher = dispatcher;
this.slotHandle = slotHandle;
}
/**
* Verify certificates.
* Sends an MSE:Set DST APDU and PSO:Verify Certificate APDU per certificate. (Protocol step 1)
* See BSI-TR-03110, version 2.10, part 3, B.11.4.
* See BSI-TR-03110, version 2.10, part 3, B.11.5.
*
* @param certificateChain Certificate chain
* @throws ProtocolException
*/
public void verifyCertificates(CardVerifiableCertificateChain certificateChain) throws ProtocolException {
try {
for (CardVerifiableCertificate cvc : certificateChain.getCertificates()) {
// MSE:SetDST APDU
CardCommandAPDU mseSetDST = new MSESetDST(cvc.getCAR().toByteArray());
mseSetDST.transmit(dispatcher, slotHandle);
// PSO:Verify Certificate APDU
CardCommandAPDU psovc = new PSOVerifyCertificate(cvc.getCertificate().getValue());
psovc.transmit(dispatcher, slotHandle);
}
} catch (APDUException e) {
throw new ProtocolException(e.getResult());
}
}
/**
* Initializes the Terminal Authentication protocol.
* Sends an MSE:Set AT APDU. (Protocol step 2)
* See BSI-TR-03110, version 2.10, part 3, B.11.1.
*
* @param oID Terminal Authentication object identifier
* @param chr Certificate Holder Reference (CHR)
* @param key Ephemeral public key
* @param aad Authenticated Auxiliary Data (AAD)
* @throws ProtocolException
*/
public void mseSetAT(byte[] oID, byte[] chr, byte[] key, byte[] aad) throws ProtocolException {
try {
CardCommandAPDU mseSetAT = new MSESetATTA(oID, chr, key, aad);
mseSetAT.transmit(dispatcher, slotHandle);
} catch (APDUException e) {
throw new ProtocolException(e.getResult());
}
}
/**
* Gets a challenge from the PICC.
* Sends a Get Challenge APDU. (Protocol step 3)
* See BSI-TR-03110, version 2.10, part 3, B.11.6.
*
* @return Challenge
* @throws ProtocolException
*/
public byte[] getChallenge() throws ProtocolException {
try {
CardCommandAPDU getChallenge = new GetChallenge();
CardResponseAPDU response = getChallenge.transmit(dispatcher, slotHandle);
return response.getData();
} catch (APDUException e) {
throw new ProtocolException(e.getResult());
}
}
/**
* Performs an External Authentication.
* Sends an External Authentication APDU. (Protocol step 4)
* See BSI-TR-03110, version 2.10, part 3, B.11.7.
*
* @param terminalSignature Terminal signature
* @throws ProtocolException
*/
public void externalAuthentication(byte[] terminalSignature) throws ProtocolException {
try {
CardCommandAPDU externalAuthentication = new ExternalAuthentication(terminalSignature);
externalAuthentication.transmit(dispatcher, slotHandle);
} catch (APDUException e) {
throw new ProtocolException(e.getResult());
}
}
}