Allow allocating Cipher/Signature memory from CLEAR_ON_RESET

This can allow the applet to work well on cards with less transient memory that can be allocated with CLEAR_ON_DESELECT. Also adds a debug feature for SGLists to simulate having limited memory with jcardsim.
arekinath · Mar 31, 2019 · edbc10b · edbc10b · martinpaljak · Apr 1, 2019
1 parent 9d277df
commit edbc10b
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 10 deletions.
diff --git a/build.xml b/build.xml
@@ -35,6 +35,19 @@
     support for this (due to bugs in getOffsetCdata()).
   -->
   <property name="APPLET_EXTLEN" value="true" />
+  <!--
+    APPLET_USE_RESET_MEM: use CLEAR_ON_RESET memory in cipher and signature
+    instances (rather than CLEAR_ON_DESELECT). Only set this if you trust other
+    applets on the card not to leak info left in RAM after deselect (e.g.
+    PivApplet is the only applet installed). Some cards are very short on
+    CLEAR_ON_DESELECT memory and need this to use RSA.
+  -->
+  <property name="APPLET_USE_RESET_MEM" value="false" />
+  <!--
+    APPLET_SIMULATOR: tries to pretend we have memory limits like a real card
+    when running in the simulator. Useful for testing/debugging SGList code.
+  -->
+  <property name="APPLET_SIMULATOR" value="false" />
 
   <target name="preprocess" description="proprocess java source">
     <taskdef resource="jpp.xml" classpath="ext/jpp-1.0.3.jar" />

diff --git a/src/net/cooperi/pivapplet/Buffer.java b/src/net/cooperi/pivapplet/Buffer.java
@@ -21,17 +21,25 @@ public class Buffer {
 #endif
 	public static final short EEPROM_ALLOC_SIZE = 1024;
 
+#if APPLET_SIMULATOR
+	public static final short RAM_ALLOC_MAX_INDEX = 2;
+#else
+	public static final short RAM_ALLOC_MAX_INDEX = 8;
+#endif
+
 	public static final byte OFFSET = 0;
 	public static final byte LEN = 1;
 
 	public byte[] data;
 	public boolean isDynamic;
 	public boolean isTransient;
 	public short[] state;
+	public final short index;
 
 	public
-	Buffer()
+	Buffer(short idx)
 	{
+		index = idx;
 		state = JCSystem.makeTransientShortArray((short)(LEN + 1),
 		    JCSystem.CLEAR_ON_DESELECT);
 		isDynamic = false;
@@ -40,6 +48,12 @@ public class Buffer {
 		state[LEN] = (short)0;
 	}
 
+	public
+	Buffer()
+	{
+		this((short)0);
+	}
+
 	public short
 	offset()
 	{
@@ -65,6 +79,14 @@ public class Buffer {
 
 		isDynamic = true;
 
+		if (index > RAM_ALLOC_MAX_INDEX) {
+			isTransient = false;
+			data = new byte[EEPROM_ALLOC_SIZE];
+			state[OFFSET] = (short)0;
+			state[LEN] = (short)EEPROM_ALLOC_SIZE;
+			return;
+		}
+
 		try {
 			data = JCSystem.makeTransientByteArray(RAM_ALLOC_SIZE,
 			    JCSystem.CLEAR_ON_RESET);

diff --git a/src/net/cooperi/pivapplet/PivApplet.java b/src/net/cooperi/pivapplet/PivApplet.java
@@ -215,35 +215,43 @@ public class PivApplet extends Applet
 		applet.register();
 	}
 
+#if APPLET_USE_RESET_MEM
+	private static final boolean useResetMem = true;
+#else
+	private static final boolean useResetMem = false;
+#endif
+
 	protected
 	PivApplet()
 	{
 		randData = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
 		tripleDes = Cipher.getInstance(Cipher.ALG_DES_CBC_NOPAD, false);
 
 #if PIV_SUPPORT_RSA
-		rsaPkcs1 = Cipher.getInstance(Cipher.ALG_RSA_NOPAD, false);
+		rsaPkcs1 = Cipher.getInstance(Cipher.ALG_RSA_NOPAD, useResetMem);
 
+#if YKPIV_ATTESTATION
 		try {
 			rsaSha = Signature.getInstance(
-			    Signature.ALG_RSA_SHA_PKCS1, false);
+			    Signature.ALG_RSA_SHA_PKCS1, useResetMem);
 		} catch (CryptoException ex) {
 			if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
 				throw (ex);
 		}
 		try {
 			rsaSha256 = Signature.getInstance(
-			    ALG_RSA_SHA_256_PKCS1, false);
+			    ALG_RSA_SHA_256_PKCS1, useResetMem);
 		} catch (CryptoException ex) {
 			if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
 				throw (ex);
 		}
 #endif
+#endif
 
 #if PIV_SUPPORT_EC
 		try {
 			ecdh = KeyAgreement.getInstance(ALG_EC_SVDP_DH_PLAIN,
-			    false);
+			    useResetMem);
 		} catch (CryptoException ex) {
 			if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
 				throw (ex);
@@ -252,7 +260,7 @@ public class PivApplet extends Applet
 		if (ecdh == null) {
 			try {
 				ecdh = KeyAgreement.getInstance(
-				    ALG_EC_SVDP_DHC_PLAIN, false);
+				    ALG_EC_SVDP_DHC_PLAIN, useResetMem);
 			} catch (CryptoException ex) {
 				if (ex.getReason() !=
 				    CryptoException.NO_SUCH_ALGORITHM)
@@ -263,7 +271,7 @@ public class PivApplet extends Applet
 		if (ecdh == null) {
 			try {
 				ecdhSha = KeyAgreement.getInstance(
-				    KeyAgreement.ALG_EC_SVDP_DH, false);
+				    KeyAgreement.ALG_EC_SVDP_DH, useResetMem);
 			} catch (CryptoException ex) {
 				if (ex.getReason() !=
 				    CryptoException.NO_SUCH_ALGORITHM)
@@ -273,14 +281,14 @@ public class PivApplet extends Applet
 
 		try {
 			ecdsaP256Sha = Signature.getInstance(
-			    Signature.ALG_ECDSA_SHA, false);
+			    Signature.ALG_ECDSA_SHA, useResetMem);
 		} catch (CryptoException ex) {
 			if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
 				throw (ex);
 		}
 		try {
 			ecdsaP256Sha256 = Signature.getInstance(
-			    ECParams.ALG_ECDSA_SHA_256, false);
+			    ECParams.ALG_ECDSA_SHA_256, useResetMem);
 		} catch (CryptoException ex) {
 			if (ex.getReason() != CryptoException.NO_SUCH_ALGORITHM)
 				throw (ex);

diff --git a/src/net/cooperi/pivapplet/SGList.java b/src/net/cooperi/pivapplet/SGList.java
@@ -36,7 +36,7 @@ public class SGList implements Readable {
 	{
 		buffers = new Buffer[MAX_BUFS];
 		for (short i = 0; i < MAX_BUFS; ++i)
-			buffers[i] = new Buffer();
+			buffers[i] = new Buffer(i);
 		state = JCSystem.makeTransientShortArray((short)(STATE_MAX + 1),
 		    JCSystem.CLEAR_ON_DESELECT);
 		this.reset();
@@ -241,6 +241,9 @@ public class SGList implements Readable {
 			if (buf.data == null || buf.state[Buffer.LEN] == 0)
 				buf.allocTransient();
 			if (buf.state[Buffer.LEN] < len) {
+				buf.state[Buffer.LEN] = 0;
+				if (buf.state[Buffer.OFFSET] == 0)
+					buf.state[Buffer.OFFSET] = 1;
 				continue;
 			}
 			into.data = buf.data;