Thales card support

IB-8171

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

client/Diagnostics.cpp

@@ -121,7 +121,6 @@ void Diagnostics::generalInfo(QTextStream &s)
 		constexpr auto APDU = &QByteArray::fromHex;
 		auto printAID = [&](const QString &label, const QByteArray &apdu)
 		{
-			constexpr auto APDU = &QByteArray::fromHex;
 			QPCSCReader::Result r = reader.transfer(apdu);
 			s << label << ": " << Qt::hex << r.SW;
 			if (r.SW == 0x9000) s << " (OK)";

client/QSmartCard.cpp

@@ -51,6 +51,7 @@ QString QSmartCardData::card() const { return d->card; }
 bool QSmartCardData::isNull() const
 { return d->data.isEmpty() && d->authCert.isNull() && d->signCert.isNull(); }
 bool QSmartCardData::isPinpad() const { return d->pinpad; }
+bool QSmartCardData::isPUKReplacable() const { return d->pukReplacable; }
 bool QSmartCardData::isValid() const
 { return d->data.value(Expiry).toDateTime() >= QDateTime::currentDateTime(); }
 
@@ -285,6 +286,143 @@ bool IDEMIACard::updateCounters(QPCSCReader *reader, QSmartCardDataPrivate *d) c
 
 
 
+const QByteArray THALESCard::AID = APDU("00A4040C 0C A000000063504B43532D3135");
+
+QPCSCReader::Result THALESCard::change(QPCSCReader *reader, QSmartCardData::PinType type, const QString &pin_, const QString &newpin_) const
+{
+	QByteArray cmd = CHANGE;
+	QByteArray newpin = pinTemplate(newpin_);
+	QByteArray pin = pinTemplate(pin_);
+	cmd[3] = char(0x80 | type);
+	cmd[4] = char(pin.size() + newpin.size());
+	return transfer(reader, false, cmd + pin + newpin, type, quint8(pin.size()), true);
+}
+
+bool THALESCard::isSupported(const QByteArray &atr)
+{
+	return atr == "3BFF9600008031FE438031B85365494464B085051012233F1D";
+}
+
+bool THALESCard::loadPerso(QPCSCReader *reader, QSmartCardDataPrivate *d) const
+{
+	d->pukReplacable = false;
+	if(d->data.isEmpty() && reader->transfer(APDU("00A4080C 02 DFDD")))
+	{
+		QByteArray cmd = APDU("00A4020C 02 5001");
+		for(char data = 1; data <= 8; ++data)
+		{
+			cmd[6] = data;
+			if(!reader->transfer(cmd))
+				return false;
+			QPCSCReader::Result result = reader->transfer(READBINARY);
+			if(!result)
+				return false;
+			QString record = QString::fromUtf8(result.data.trimmed());
+			if(record == QChar(0))
+				record.clear();
+			switch(data)
+			{
+			case QSmartCardData::SurName:
+			case QSmartCardData::FirstName:
+			case QSmartCardData::Citizen:
+			case QSmartCardData::Id:
+			case QSmartCardData::DocumentId:
+				d->data[QSmartCardData::PersonalDataType(data)] = record;
+				break;
+			case QSmartCardData::BirthDate:
+				if(!record.isEmpty())
+					d->data[QSmartCardData::BirthDate] = QDate::fromString(record.left(10), QStringLiteral("dd MM yyyy"));
+				break;
+			case QSmartCardData::Expiry:
+				d->data[QSmartCardData::Expiry] = QDateTime::fromString(record, QStringLiteral("dd MM yyyy")).addDays(1).addSecs(-1);
+				break;
+			default: break;
+			}
+		}
+	}
+
+	bool readFailed = false;
+	auto readCert = [&](const QByteArray &path) {
+		QPCSCReader::Result data = reader->transfer(path);
+		if(!data)
+		{
+			readFailed = true;
+			return QSslCertificate();
+		}
+		QHash<quint8,QByteArray> fci = parseFCI(data.data);
+
+		QByteArray cert;
+		QByteArray cmd = READBINARY;
+		for(int size = quint8(fci[0x81][0]) << 8 | quint8(fci[0x81][1]); cert.size() < size;)
+		{
+			cmd[2] = char(cert.size() >> 8);
+			cmd[3] = char(cert.size());
+			data = reader->transfer(cmd);
+			if(!data)
+			{
+				readFailed = true;
+				return QSslCertificate();
+			}
+			cert += data.data;
+		}
+		return QSslCertificate(cert, QSsl::Der);
+	};
+	if(d->authCert.isNull())
+		d->authCert = readCert(APDU("00A40804 04 ADF1 3411 00"));
+	if(d->signCert.isNull())
+		d->signCert = readCert(APDU("00A40804 04 ADF2 3421 00"));
+
+	if(readFailed)
+		return false;
+	return updateCounters(reader, d);
+}
+
+QByteArray THALESCard::pinTemplate(const QString &pin)
+{
+	QByteArray result = pin.toUtf8();
+	result += QByteArray(12 - result.size(), char(0x00));
+	return result;
+}
+
+QPCSCReader::Result THALESCard::replace(QPCSCReader *reader, QSmartCardData::PinType type, const QString &puk_, const QString &pin_) const
+{
+	QByteArray puk = pinTemplate(puk_);
+	QByteArray pin = pinTemplate(pin_);
+	QByteArray cmd = REPLACE;
+	cmd[3] = char(0x80 | type);
+	cmd[4] = char(puk.size() + pin.size());
+	return transfer(reader, false, cmd + puk + pin, type, quint8(puk.size()), true);
+}
+
+QByteArray THALESCard::sign(QPCSCReader *reader, const QByteArray &dgst) const
+{
+	if(!reader->transfer(APDU("002241B6 09 800154840101")))
+		return {};
+
+	QByteArray send {0x90, char(dgst.size())};
+	send.append(dgst);
+	send.insert(0, char(send.size()));
+	send.insert(0, APDU("002A90A0"));
+
+	if(!reader->transfer(send))
+		return {};
+
+	return reader->transfer(APDU("002A9E9A 00")).data;
+}
+
+bool THALESCard::updateCounters(QPCSCReader *reader, QSmartCardDataPrivate *d) const
+{
+	if(auto data = reader->transfer(APDU("00CB00FF 05 A003830181 00")))
+		d->retry[QSmartCardData::Pin1Type] = quint8(data.data[14]);
+	if(auto data = reader->transfer(APDU("00CB00FF 05 A003830183 00")))
+		d->retry[QSmartCardData::PukType] = quint8(data.data[14]);
+	if(auto data = reader->transfer(APDU("00CB00FF 05 A003830182 00")))
+		d->retry[QSmartCardData::Pin2Type] = quint8(data.data[14]);
+	return true;
+}
+
+
+
 QSharedPointer<QPCSCReader> QSmartCard::Private::connect(const QString &reader)
 {
 	qCDebug(CLog) << "Connecting to reader" << reader;
@@ -309,7 +447,8 @@ QSmartCard::ErrorType QSmartCard::Private::handlePinResult(QPCSCReader *reader,
 	case 0x6401: return QSmartCard::CancelError; // Cancel (OK, SCM)
 	case 0x6402: return QSmartCard::DifferentError;
 	case 0x6403: return QSmartCard::LenghtError;
-	case 0x6983: return QSmartCard::BlockedError;
+	case 0x6983:
+	case 0x6984: return QSmartCard::BlockedError;
 	case 0x6985:
 	case 0x6A80: return QSmartCard::OldNewPinSameError;
 	default: return QSmartCard::UnknownError;
@@ -444,7 +583,12 @@ void QSmartCard::reloadCard(const TokenData &token, bool reloadCounters)
 	if(!selectedReader->connect() || !selectedReader->beginTransaction())
 		return;
 
-	if(!IDEMIACard::isSupported(selectedReader->atr())) {
+	std::unique_ptr<Card> card;
+	if(IDEMIACard::isSupported(selectedReader->atr()))
+		card = std::make_unique<IDEMIACard>();
+	else if(THALESCard::isSupported(selectedReader->atr()))
+		card = std::make_unique<THALESCard>();
+	else {
 		qDebug() << "Unsupported card";
 		return;
 	}
@@ -454,7 +598,7 @@ void QSmartCard::reloadCard(const TokenData &token, bool reloadCounters)
 	t = d->t.d;
 	t->reader = selectedReader->name();
 	t->pinpad = selectedReader->isPinPad();
-	d->card = std::make_unique<IDEMIACard>();
+	d->card = std::move(card);
 	if(d->card->loadPerso(selectedReader.data(), t))
 	{
 		d->t.d = std::move(t);

client/QSmartCard.h

@@ -62,6 +62,7 @@ class QSmartCardData
 
 	bool isNull() const;
 	bool isPinpad() const;
+	bool isPUKReplacable() const;
 	bool isValid() const;
 
 	QVariant data( PersonalDataType type ) const;

client/QSmartCard_p.h

@@ -64,6 +64,21 @@ class IDEMIACard: public Card
 	static const QByteArray AID, AID_OT, AID_QSCD;
 };
 
+class THALESCard: public Card
+{
+  public:
+	QPCSCReader::Result change(QPCSCReader *reader, QSmartCardData::PinType type, const QString &pin, const QString &newpin) const final;
+	bool loadPerso(QPCSCReader *reader, QSmartCardDataPrivate *d) const final;
+	QPCSCReader::Result replace(QPCSCReader *reader, QSmartCardData::PinType type, const QString &puk, const QString &pin) const final;
+	QByteArray sign(QPCSCReader *reader, const QByteArray &dgst) const final;
+	bool updateCounters(QPCSCReader *reader, QSmartCardDataPrivate *d) const final;
+
+	static bool isSupported(const QByteArray &atr);
+	static QByteArray pinTemplate(const QString &pin);
+
+	static const QByteArray AID;
+};
+
 class QSmartCard::Private
 {
 public:
@@ -84,4 +99,5 @@ class QSmartCardDataPrivate: public QSharedData
 	SslCertificate authCert, signCert;
 	QHash<QSmartCardData::PinType,quint8> retry;
 	bool pinpad = false;
+	bool pukReplacable = true;
 };

client/SslCertificate.cpp

@@ -262,8 +262,10 @@ QString SslCertificate::toString( const QString &format ) const
 
 SslCertificate::CertType SslCertificate::type() const
 {
-	for(const QString &p: policies())
+	// https://www.id.ee/wp-content/uploads/2022/02/cp_esteid_01.10.2018_version1.0.pdf
+	for(QString p: policies())
 	{
+		p.remove(QLatin1String("2.999.")); // test certificates
 		if(p.startsWith(QLatin1String("1.3.6.1.4.1.10015.1.1")) ||
 			p.startsWith(QLatin1String("1.3.6.1.4.1.10015.3.1")) ||
 			p.startsWith(QLatin1String("1.3.6.1.4.1.10015.1.2")) ||
@@ -283,12 +285,15 @@ SslCertificate::CertType SslCertificate::type() const
 			p.startsWith(QLatin1String("1.3.6.1.4.1.51361.1.2.3")))
 			return DigiIDType;
 		if(p.startsWith(QLatin1String("1.3.6.1.4.1.51361.1.1.4")) ||
-			p.startsWith(QLatin1String("1.3.6.1.4.1.51361.1.2.4")))
+			p.startsWith(QLatin1String("1.3.6.1.4.1.51361.1.2.4")) ||
+			p.startsWith(QLatin1String("1.3.6.1.4.1.51361.2.1.6")))
 			return EResidentType;
 		if(p.startsWith(QLatin1String("1.3.6.1.4.1.51361.1.1")) ||
-			p.startsWith(QLatin1String("1.3.6.1.4.1.51455.1.1")) ||
 			p.startsWith(QLatin1String("1.3.6.1.4.1.51361.1.2")) ||
-			p.startsWith(QLatin1String("1.3.6.1.4.1.51455.1.2")))
+			p.startsWith(QLatin1String("1.3.6.1.4.1.51361.2.1")) ||
+			p.startsWith(QLatin1String("1.3.6.1.4.1.51455.1.1")) ||
+			p.startsWith(QLatin1String("1.3.6.1.4.1.51455.1.2")) ||
+			p.startsWith(QLatin1String("1.3.6.1.4.1.51455.2.1")))
 			return EstEidType;
 	}
 

client/translations/en.ts

@@ -2960,6 +2960,10 @@ Additional licenses and components</translation>
         <source>Certificate status check failed. Please check your internet connection.</source>
         <translation>Certificate status check failed. Please check your internet connection.</translation>
     </message>
+    <message>
+        <source>The PUK-code cannot be changed on the ID-card in the reader</source>
+        <translation>The PUK-code cannot be changed on the ID-card in the reader</translation>
+    </message>
 </context>
 <context>
     <name>WarningDialog</name>

client/translations/et.ts

@@ -2960,6 +2960,10 @@ Täiendavad litsentsid ja komponendid</translation>
         <source>Certificate status check failed. Please check your internet connection.</source>
         <translation>Sertifikaadi staatuse kontrollimine ebaõnnestus. Palun kontrolli internetiühendust.</translation>
     </message>
+    <message>
+        <source>The PUK-code cannot be changed on the ID-card in the reader</source>
+        <translation>Lugejas oleval ID-kaardil ei saa PUK-koodi muuta</translation>
+    </message>
 </context>
 <context>
     <name>WarningDialog</name>

client/translations/ru.ts

@@ -2961,6 +2961,10 @@ Additional licenses and components</source>
         <source>Change PUK</source>
         <translation>Изменить PUK</translation>
     </message>
+    <message>
+        <source>The PUK-code cannot be changed on the ID-card in the reader</source>
+        <translation>Невозможно изменить PUK-код ID-карты, находящейся в считывателе</translation>
+    </message>
 </context>
 <context>
     <name>WarningDialog</name>

client/widgets/VerifyCert.cpp

@@ -70,8 +70,8 @@ VerifyCert::VerifyCert(QWidget *parent)
 	ui->details->setFont( regular12 );
 	ui->checkCert->setFont(regular12);
 	ui->changePIN->setFont( Styles::font( Styles::Condensed, 14 ) );
-	ui->tempelText->setFont( Styles::font( Styles::Regular, 14 ) );
-	ui->tempelText->hide();
+	ui->infoText->setFont( Styles::font( Styles::Regular, 14 ) );
+	ui->infoText->hide();
 }
 
 VerifyCert::~VerifyCert()
@@ -109,6 +109,7 @@ void VerifyCert::update()
 	bool isBlockedPuk = !cardData.isNull() && cardData.retryCount( QSmartCardData::PukType ) == 0;
 	bool isTempelType = c.type() & SslCertificate::TempelType;
 	isValidCert = c.isNull() || c.isValid();
+	ui->infoText->setVisible(isTempelType);
 
 	QString txt;
 	QTextStream cert( &txt );
@@ -155,7 +156,9 @@ void VerifyCert::update()
 		ui->validUntil->setText(tr("The PUK code is located in your envelope"));
 		ui->validUntil->setHidden(isBlockedPuk);
 		ui->changePIN->setText(tr("Change PUK"));
-		ui->changePIN->setHidden(isBlockedPuk);
+		ui->changePIN->setHidden(isBlockedPuk || !cardData.isPUKReplacable());
+		ui->infoText->setVisible(!cardData.isPUKReplacable());
+		ui->infoText->setText(tr("The PUK-code cannot be changed on the ID-card in the reader"));
 		ui->forgotPinLink->hide();
 		ui->details->hide();
 		ui->checkCert->hide();
@@ -213,7 +216,6 @@ void VerifyCert::update()
 		ui->nameIcon->setHidden(pinType == QSmartCardData::PukType);
 	}
 	ui->error->setHidden(ui->error->text().isEmpty());
-	ui->tempelText->setVisible(isTempelType);
 	ui->changePIN->setAccessibleName(ui->changePIN->text().toLower());
 
 	if(pinType == QSmartCardData::Pin1Type)

client/widgets/VerifyCert.ui

@@ -213,19 +213,13 @@ background-color: #F8DDA7;</string>
     </widget>
    </item>
    <item>
-    <widget class="QLabel" name="tempelText">
+    <widget class="QLabel" name="infoText">
      <property name="minimumSize">
       <size>
        <width>0</width>
        <height>30</height>
       </size>
      </property>
-     <property name="maximumSize">
-      <size>
-       <width>16777215</width>
-       <height>30</height>
-      </size>
-     </property>
      <property name="font">
       <font>
        <family>Roboto</family>