Smart card credentials handling

Cargo.toml

@@ -30,7 +30,7 @@ dns_resolver = ["dep:trust-dns-resolver", "dep:tokio", "tokio/rt-multi-thread"]
 # TSSSP should be used only on Windows as a native CREDSSP replacement
 tsssp = ["dep:rustls"]
 # Turns on Kerberos smart card login (available only on Windows and users WinSCard API)
-scard = ["dep:pcsc", "dep:winscard", "dep:iso7816-tlv"]
+scard = ["dep:pcsc", "dep:winscard"]
 
 [dependencies]
 byteorder = "1.4"
@@ -70,7 +70,6 @@ tokio = { version = "1.32", features = ["time", "rt"], optional = true }
 pcsc = { version = "2.8", optional = true }
 async-recursion = "1.0.5"
 winscard = { path = "./crates/winscard", optional = true }
-iso7816-tlv = { version = "0.4.3", optional = true }
 
 [target.'cfg(windows)'.dependencies]
 winreg = "0.51"

crates/winscard/src/macros.rs

@@ -1,3 +1,4 @@
+#[cfg(feature = "std")]
 macro_rules! env {
     ($name:expr) => {{
         std::env::var($name).map_err(|_| {

crates/winscard/src/scard.rs

@@ -61,6 +61,7 @@ pub const ATR: [u8; 17] = [
 /// Emulated smart card.
 ///
 /// Currently, we support one key container per smart card.
+#[derive(Debug, Clone)]
 pub struct SmartCard<'a> {
     reader_name: Cow<'a, str>,
     chuid: [u8; CHUID_LENGTH],
@@ -101,7 +102,7 @@ impl SmartCard<'_> {
         })
     }
 
-    fn validate_and_pad_pin(mut pin: Vec<u8>) -> WinScardResult<Vec<u8>> {
+    fn validate_and_pad_pin(pin: Vec<u8>) -> WinScardResult<Vec<u8>> {
         // All PIN requirements can be found here: NIST.SP.800-73-4 part 2, section 2.4.3
         if !(PIN_LENGTH_RANGE_LOW_BOUND..=PIN_LENGTH_RANGE_HIGH_BOUND).contains(&pin.len()) {
             return Err(Error::new(
@@ -116,13 +117,17 @@ impl SmartCard<'_> {
             ));
         };
 
+        Ok(Self::pad_pin(pin))
+    }
+
+    fn pad_pin(mut pin: Vec<u8>) -> Vec<u8> {
         if pin.len() < PIN_LENGTH_RANGE_HIGH_BOUND {
             // NIST.SP.800-73-4 part 2, section 2.4.3
             const PIN_PAD_VALUE: u8 = 0xFF;
             pin.resize(PIN_LENGTH_RANGE_HIGH_BOUND, PIN_PAD_VALUE);
         }
 
-        Ok(pin)
+        pin
     }
 
     /// This functions handles one APDU command.
@@ -342,9 +347,9 @@ impl SmartCard<'_> {
         // NIST.SP.800-73-4, Part 1, Table 5
         const RSA_ALGORITHM: u8 = 0x07;
         // NIST.SP.800-73-4, Part 1, Table 4b
-        const PIV_AUTHENTICATION_KEY: u8 = 0x9A;
+        const PIV_DIGITAL_SIGNATURE_KEY: u8 = 0x9C;
 
-        if cmd.p1 != RSA_ALGORITHM || cmd.p2 != PIV_AUTHENTICATION_KEY {
+        if cmd.p1 != RSA_ALGORITHM || cmd.p2 != PIV_DIGITAL_SIGNATURE_KEY {
             return Err(Error::new(
                 ErrorKind::UnsupportedFeature,
                 format!("Provided algorithm or key reference isn't supported: got algorithm {:x}, expected 0x07; got key reference {:x}, expected 0x9A", cmd.p1, cmd.p2)
@@ -428,6 +433,20 @@ impl SmartCard<'_> {
         Ok(signature)
     }
 
+    /// Verifies the PIN code. This method alters the scard state.
+    pub fn verify_pin(&mut self, pin: &[u8]) -> WinScardResult<()> {
+        if self.pin != Self::pad_pin(pin.into()) {
+            return Err(Error::new(
+                ErrorKind::InvalidValue,
+                "PIN verification error: Invalid PIN",
+            ));
+        }
+
+        self.state = SCardState::PinVerified;
+
+        Ok(())
+    }
+
     fn get_next_response_chunk(&mut self) -> Option<(Vec<u8>, usize)> {
         let vec = self.pending_response.as_mut()?;
         if vec.is_empty() {
@@ -439,7 +458,7 @@ impl SmartCard<'_> {
     }
 }
 
-#[derive(Debug, PartialEq)]
+#[derive(Debug, Clone, PartialEq)]
 enum SCardState {
     Ready,
     PivAppSelected,

crates/winscard/src/scard_context.rs

@@ -24,13 +24,16 @@ pub struct Reader<'a> {
 }
 
 /// Describes smart card info used for the smart card creation.
+#[derive(Debug, Clone)]
 pub struct SmartCardInfo<'a> {
     /// Container name which stores the certificate along with its private key.
     pub container_name: Cow<'a, str>,
     /// Smart card PIN code.
     pub pin: Vec<u8>,
     /// DER-encoded smart card certificate.
     pub auth_cert_der: Vec<u8>,
+    /// Encoded private key (pem).
+    pub auth_pk_pem: Cow<'a, str>,
     /// Private key.
     pub auth_pk: PrivateKey,
     /// Information about smart card reader.
@@ -93,6 +96,7 @@ impl<'a> SmartCardInfo<'a> {
             container_name,
             pin,
             auth_cert_der: raw_certificate,
+            auth_pk_pem: raw_private_key.into(),
             auth_pk: private_key,
             reader,
         })
@@ -104,6 +108,7 @@ impl<'a> SmartCardInfo<'a> {
         reader_name: Cow<'a, str>,
         pin: Vec<u8>,
         auth_cert_der: Vec<u8>,
+        auth_pk_pem: Cow<'a, str>,
         auth_pk: PrivateKey,
     ) -> Self {
         // Standard Windows Reader Icon
@@ -117,6 +122,7 @@ impl<'a> SmartCardInfo<'a> {
             container_name,
             pin,
             auth_cert_der,
+            auth_pk_pem,
             auth_pk,
             reader,
         }
@@ -126,6 +132,7 @@ impl<'a> SmartCardInfo<'a> {
 /// Represents the resource manager context (the scope).
 ///
 /// Currently, we support only one smart card per smart card context.
+#[derive(Debug, Clone)]
 pub struct ScardContext<'a> {
     smart_card_info: SmartCardInfo<'a>,
     cache: BTreeMap<String, Vec<u8>>,

examples/kerberos.rs

@@ -1,3 +1,5 @@
+use std::error::Error;
+
 use base64::Engine;
 use reqwest::header::{
     ACCEPT, ACCEPT_ENCODING, ACCEPT_LANGUAGE, AUTHORIZATION, CONNECTION, CONTENT_LENGTH, HOST, USER_AGENT,
@@ -7,11 +9,9 @@ use reqwest::StatusCode;
 use sspi::builders::EmptyInitializeSecurityContext;
 use sspi::{
     AcquireCredentialsHandleResult, ClientRequestFlags, CredentialsBuffers, DataRepresentation,
-    InitializeSecurityContextResult, KerberosConfig, SecurityBuffer, SecurityBufferType, SecurityStatus, Sspi,
-    Username,
+    InitializeSecurityContextResult, Kerberos, KerberosConfig, SecurityBuffer, SecurityBufferType, SecurityStatus,
+    Sspi, SspiImpl, Username,
 };
-use sspi::{Kerberos, SspiImpl};
-use std::error::Error;
 use tracing_subscriber::prelude::*;
 use tracing_subscriber::{fmt, EnvFilter};
 

ffi/src/sspi/sec_handle.rs

@@ -173,7 +173,7 @@ pub(crate) unsafe fn p_ctxt_handle_to_sspi_context(
             ))?),
             _ => {
                 return Err(Error::new(
-                    ErrorKind::InvalidParameter,
+                    ErrorKind::SecurityPackageNotFound,
                     format!("security package name `{}` is not supported", name),
                 ));
             }
@@ -188,6 +188,18 @@ pub(crate) unsafe fn p_ctxt_handle_to_sspi_context(
     Ok((*(*context)).dw_lower as *mut SspiContext)
 }
 
+fn verify_security_package(package_name: &str) -> Result<()> {
+    match package_name {
+        negotiate::PKG_NAME | pku2u::PKG_NAME | kerberos::PKG_NAME | ntlm::PKG_NAME => Ok(()),
+        #[cfg(feature = "tsssp")]
+        sspi_cred_ssp::PKG_NAME => Ok(()),
+        _ => Err(Error::new(
+            ErrorKind::SecurityPackageNotFound,
+            format!("security package name `{}` is not supported", package_name),
+        )),
+    }
+}
+
 #[instrument(skip_all)]
 #[cfg_attr(windows, rename_symbol(to = "Rust_AcquireCredentialsHandleA"))]
 #[no_mangle]
@@ -209,6 +221,8 @@ pub unsafe extern "system" fn AcquireCredentialsHandleA(
 
         let security_package_name =
             try_execute!(CStr::from_ptr(psz_package).to_str(), ErrorKind::InvalidParameter).to_owned();
+        try_execute!(verify_security_package(&security_package_name));
+
         debug!(?security_package_name);
 
         let mut package_list: Option<String> = None;
@@ -257,6 +271,8 @@ pub unsafe extern "system" fn AcquireCredentialsHandleW(
         check_null!(ph_credential);
 
         let security_package_name = c_w_str_to_string(psz_package);
+        try_execute!(verify_security_package(&security_package_name));
+
         debug!(?security_package_name);
 
         let mut package_list: Option<String> = None;

ffi/src/sspi/sec_winnt_auth_identity.rs

@@ -234,8 +234,8 @@ pub unsafe fn auth_data_to_identity_buffers(
     p_auth_data: *const c_void,
     package_list: &mut Option<String>,
 ) -> Result<CredentialsBuffers> {
-    let rawcreds = std::slice::from_raw_parts(p_auth_data as *const u8, 128);
-    debug!(?rawcreds);
+    let raw_creds = from_raw_parts(p_auth_data as *const u8, 128);
+    debug!(?raw_creds);
 
     #[cfg(feature = "tsssp")]
     if _security_package_name == sspi::credssp::sspi_cred_ssp::PKG_NAME {
@@ -505,6 +505,7 @@ unsafe fn handle_smart_card_creds(mut username: Vec<u8>, password: Secret<Vec<u8
         container_name: string_to_utf16(key_container_name),
         csp_name: string_to_utf16(csp_name),
         private_key_file_index: Some(private_key_file_index),
+        private_key_pem: None,
     });
 
     Ok(creds)
@@ -582,6 +583,38 @@ pub unsafe fn unpack_sec_winnt_auth_identity_ex2_w_sized(
         ));
     }
 
+    // try to collect credentials for the emulated smart card
+    #[cfg(feature = "scard")]
+    if username.contains(&b'@') {
+        use winscard::SmartCardInfo;
+
+        use crate::utils::str_encode_utf16;
+        use crate::winscard::scard_context::{DEFAULT_CARD_NAME, MICROSOFT_DEFAULT_CSP};
+
+        match SmartCardInfo::try_from_env() {
+            Ok(smart_card_info) => {
+                // remove null
+                let new_len = password.as_ref().len() - 2;
+                password.as_mut().truncate(new_len);
+
+                return Ok(CredentialsBuffers::SmartCard(SmartCardIdentityBuffers {
+                    username,
+                    certificate: smart_card_info.auth_cert_der.clone(),
+                    card_name: Some(str_encode_utf16(DEFAULT_CARD_NAME)),
+                    reader_name: str_encode_utf16(smart_card_info.reader.name.as_ref()),
+                    container_name: str_encode_utf16(smart_card_info.container_name.as_ref()),
+                    csp_name: str_encode_utf16(MICROSOFT_DEFAULT_CSP),
+                    pin: password,
+                    private_key_file_index: None,
+                    private_key_pem: Some(smart_card_info.auth_pk_pem.as_bytes().to_vec()),
+                }));
+            }
+            Err(err) => {
+                debug!(?err);
+            }
+        };
+    }
+
     // only marshaled smart card creds starts with '@' char
     #[cfg(feature = "scard")]
     if CredIsMarshaledCredentialW(username.as_ptr() as *const _) != 0 {

ffi/src/utils.rs

@@ -26,3 +26,8 @@ pub unsafe fn raw_str_into_bytes(raw_buffer: *const c_char, len: usize) -> Vec<u
 pub fn str_to_w_buff(data: &str) -> Vec<u16> {
     data.encode_utf16().chain(std::iter::once(0)).collect()
 }
+
+#[cfg(feature = "scard")]
+pub fn str_encode_utf16(data: &str) -> Vec<u8> {
+    data.encode_utf16().flat_map(|c| c.to_le_bytes()).collect()
+}

ffi/src/winscard/scard_context.rs

@@ -33,11 +33,11 @@ const SCARD_PROVIDER_KSP: u32 = 3;
 // The function retrieves the name of the card module.
 const SCARD_PROVIDER_CARD_MODULE: u32 = 0x80000001;
 
-const MICROSOFT_DEFAULT_CSP: &str = "Microsoft Base Smart Card Crypto Provider";
+pub const MICROSOFT_DEFAULT_CSP: &str = "Microsoft Base Smart Card Crypto Provider";
 const MICROSOFT_DEFAULT_KSP: &str = "Microsoft Smart Card Key Storage Provider";
 const MICROSOFT_SCARD_DRIVER_LOCATION: &str = "C:\\Windows\\System32\\msclmd.dll";
 
-const DEFAULT_CARD_NAME: &str = "Cool card";
+pub const DEFAULT_CARD_NAME: &str = "Cool card";
 
 // https://learn.microsoft.com/en-us/windows/win32/api/winscard/nf-winscard-scardgetstatuschangew
 // To be notified of the arrival of a new smart card reader,