Skip to content

Commit

Permalink
Allow allocating Cipher/Signature memory from CLEAR_ON_RESET
Browse files Browse the repository at this point in the history
This can allow the applet to work well on cards with less
transient memory that can be allocated with CLEAR_ON_DESELECT.

Also adds a debug feature for SGLists to simulate having
limited memory with jcardsim.
  • Loading branch information
Alex Wilson committed Mar 31, 2019
1 parent 9d277df commit edbc10b
Show file tree
Hide file tree
Showing 4 changed files with 56 additions and 10 deletions.
13 changes: 13 additions & 0 deletions build.xml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,19 @@
support for this (due to bugs in getOffsetCdata()).
-->
<property name="APPLET_EXTLEN" value="true" />
<!--
APPLET_USE_RESET_MEM: use CLEAR_ON_RESET memory in cipher and signature
instances (rather than CLEAR_ON_DESELECT). Only set this if you trust other
applets on the card not to leak info left in RAM after deselect (e.g.
PivApplet is the only applet installed). Some cards are very short on
CLEAR_ON_DESELECT memory and need this to use RSA.
-->
<property name="APPLET_USE_RESET_MEM" value="false" />
<!--
APPLET_SIMULATOR: tries to pretend we have memory limits like a real card
when running in the simulator. Useful for testing/debugging SGList code.
-->
<property name="APPLET_SIMULATOR" value="false" />

<target name="preprocess" description="proprocess java source">
<taskdef resource="jpp.xml" classpath="ext/jpp-1.0.3.jar" />
Expand Down
24 changes: 23 additions & 1 deletion src/net/cooperi/pivapplet/Buffer.java
Original file line number Diff line number Diff line change
Expand Up @@ -21,17 +21,25 @@ public class Buffer {
#endif
public static final short EEPROM_ALLOC_SIZE = 1024;

#if APPLET_SIMULATOR
public static final short RAM_ALLOC_MAX_INDEX = 2;
#else
public static final short RAM_ALLOC_MAX_INDEX = 8;
#endif

public static final byte OFFSET = 0;
public static final byte LEN = 1;

public byte[] data;
public boolean isDynamic;
public boolean isTransient;
public short[] state;
public final short index;

public
Buffer()
Buffer(short idx)
{
index = idx;
state = JCSystem.makeTransientShortArray((short)(LEN + 1),
JCSystem.CLEAR_ON_DESELECT);
isDynamic = false;
Expand All @@ -40,6 +48,12 @@ public class Buffer {
state[LEN] = (short)0;
}

public
Buffer()
{
this((short)0);
}

public short
offset()
{
Expand All @@ -65,6 +79,14 @@ public class Buffer {

isDynamic = true;

if (index > RAM_ALLOC_MAX_INDEX) {
isTransient = false;
data = new byte[EEPROM_ALLOC_SIZE];
state[OFFSET] = (short)0;
state[LEN] = (short)EEPROM_ALLOC_SIZE;
return;
}

try {
data = JCSystem.makeTransientByteArray(RAM_ALLOC_SIZE,
JCSystem.CLEAR_ON_RESET);
Expand Down
24 changes: 16 additions & 8 deletions src/net/cooperi/pivapplet/PivApplet.java
Original file line number Diff line number Diff line change
Expand Up @@ -215,35 +215,43 @@ public class PivApplet extends Applet
applet.register();
}

#if APPLET_USE_RESET_MEM
private static final boolean useResetMem = true;
#else
private static final boolean useResetMem = false;
#endif

protected
PivApplet()
{
randData = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
tripleDes = Cipher.getInstance(Cipher.ALG_DES_CBC_NOPAD, false);

#if PIV_SUPPORT_RSA
rsaPkcs1 = Cipher.getInstance(Cipher.ALG_RSA_NOPAD, false);
rsaPkcs1 = Cipher.getInstance(Cipher.ALG_RSA_NOPAD, useResetMem);

#if YKPIV_ATTESTATION
try {
rsaSha = Signature.getInstance(
Signature.ALG_RSA_SHA_PKCS1, false);
Signature.ALG_RSA_SHA_PKCS1, useResetMem);
} catch (CryptoException ex) {
if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
throw (ex);
}
try {
rsaSha256 = Signature.getInstance(
ALG_RSA_SHA_256_PKCS1, false);
ALG_RSA_SHA_256_PKCS1, useResetMem);
} catch (CryptoException ex) {
if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
throw (ex);
}
#endif
#endif

#if PIV_SUPPORT_EC
try {
ecdh = KeyAgreement.getInstance(ALG_EC_SVDP_DH_PLAIN,
false);
useResetMem);
} catch (CryptoException ex) {
if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
throw (ex);
Expand All @@ -252,7 +260,7 @@ public class PivApplet extends Applet
if (ecdh == null) {
try {
ecdh = KeyAgreement.getInstance(
ALG_EC_SVDP_DHC_PLAIN, false);
ALG_EC_SVDP_DHC_PLAIN, useResetMem);
} catch (CryptoException ex) {
if (ex.getReason() !=
CryptoException.NO_SUCH_ALGORITHM)
Expand All @@ -263,7 +271,7 @@ public class PivApplet extends Applet
if (ecdh == null) {
try {
ecdhSha = KeyAgreement.getInstance(
KeyAgreement.ALG_EC_SVDP_DH, false);
KeyAgreement.ALG_EC_SVDP_DH, useResetMem);
} catch (CryptoException ex) {
if (ex.getReason() !=
CryptoException.NO_SUCH_ALGORITHM)
Expand All @@ -273,14 +281,14 @@ public class PivApplet extends Applet

try {
ecdsaP256Sha = Signature.getInstance(
Signature.ALG_ECDSA_SHA, false);
Signature.ALG_ECDSA_SHA, useResetMem);
} catch (CryptoException ex) {
if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
throw (ex);
}
try {
ecdsaP256Sha256 = Signature.getInstance(
ECParams.ALG_ECDSA_SHA_256, false);
ECParams.ALG_ECDSA_SHA_256, useResetMem);
} catch (CryptoException ex) {
if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
throw (ex);
Expand Down
5 changes: 4 additions & 1 deletion src/net/cooperi/pivapplet/SGList.java
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ public class SGList implements Readable {
{
buffers = new Buffer[MAX_BUFS];
for (short i = 0; i < MAX_BUFS; ++i)
buffers[i] = new Buffer();
buffers[i] = new Buffer(i);
state = JCSystem.makeTransientShortArray((short)(STATE_MAX + 1),
JCSystem.CLEAR_ON_DESELECT);
this.reset();
Expand Down Expand Up @@ -241,6 +241,9 @@ public class SGList implements Readable {
if (buf.data == null || buf.state[Buffer.LEN] == 0)
buf.allocTransient();
if (buf.state[Buffer.LEN] < len) {
buf.state[Buffer.LEN] = 0;
if (buf.state[Buffer.OFFSET] == 0)
buf.state[Buffer.OFFSET] = 1;
continue;
}
into.data = buf.data;
Expand Down

4 comments on commit edbc10b

@martinpaljak
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a strange change. Are you saying that J3H145 has less memory available as CLEAR_ON_DESELECT than CLEAR_ON_RESET ?

@Valodim
Copy link

@Valodim Valodim commented on edbc10b Apr 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just gave it a shot and the same trick didn't work for me for a different applet on JC30M48CR. Odd.

@arekinath
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@martinpaljak It seems that way? At least for the JC30M48CR card I'm trying it on, this applet instantiates fine with this change, but without it runs out of transient memory during instantiation (and the thing that runs out is in the constructor). On the J3H145 it seems we normally run out of memory doing the attestation feature setup instead, but with this change it works fine. I haven't gotten attestation to fit in the JC30M48CR yet.

@martinpaljak
Copy link

@martinpaljak martinpaljak commented on edbc10b Apr 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For Signature and cipher, you should not need to allocate "shareable" instances (second option set to true).

Think of this hypothetical case: there is 2KB total of transient memory available, no matter when it gets cleared (j3h has a bit more, but not that much more). Applet A allocates 1KB of clear on deselect. Applet B can allocate 2KB of clear on deselect. If applet A allocates 1 KB of clear on reset, applet B has maximum of 1KB eihter reset or deselect memory available. Unless you access eeprom from non-applet contexts or have weird multi-select scenarios, deselect should be preferred.

Please sign in to comment.