-
Notifications
You must be signed in to change notification settings - Fork 1
/
scproxy.py
executable file
·252 lines (210 loc) · 8.33 KB
/
scproxy.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
#!/usr/bin/env python3
#
# Unofficial Buypass SCProxy implementation
#
# Only supports smartcard login, not signing or other use-cases.
#
from http.server import HTTPServer, BaseHTTPRequestHandler
import os
import ssl
import json
import random
import socket
import time
from urllib.parse import unquote
import smartcard.System
import smartcard.Session
from smartcard.util import toHexString, toBytes
class ScproxyHandler(BaseHTTPRequestHandler):
PORT = 31505
VERSION = '1.5.2'
CORS_ORIGIN = 'https://secure.buypass.no'
sessions = {}
refs = {}
server_version = 'SCProxy/' + VERSION
def do_GET(self):
if not self.security_check(): return
self.send_404()
def do_POST(self):
if not self.security_check(): return
if self.path == '/scard/version/':
self.handle_version()
elif self.path == '/scard/list/':
self.handle_list()
elif self.path == '/scard/getref/':
self.handle_getref()
elif self.path.startswith('/scard/apdu/'):
self.handle_apdu(unquote(self.path[12:]))
elif self.path == '/scard/disconnect/':
self.handle_disconnect()
else:
self.send_404()
def do_OPTIONS(self):
if not self.security_check(): return
self.send_response(200, 'ok')
self.send_header('Access-Control-Allow-Methods', 'POST')
self.send_header('Access-Control-Allow-Private-Network', 'true')
self.end_headers()
def end_headers(self):
self.send_header('Access-Control-Allow-Origin', self.CORS_ORIGIN)
BaseHTTPRequestHandler.end_headers(self)
#
# Helper methods
#
def security_check(self):
# security checks to avoid e.g. forms accessing this
if self.headers['Sec-Fetch-Mode'] != 'cors':
self.send_403()
return False
if self.headers['Origin'] != self.CORS_ORIGIN:
self.send_403()
return False
else:
return True
def send_404(self):
self.send_response(404)
self.end_headers()
def send_403(self):
self.send_response(403)
self.end_headers()
def send_json(self, data):
self.send_response(200)
self.send_header('Content-Type', 'application/json')
self.end_headers()
self.wfile.write(json.dumps(data).encode('utf-8'))
def get_json_body(self):
content_length = int(self.headers.get('Content-Length', 0))
return json.loads(self.rfile.read(content_length))
def get_session(self, name, sid):
session = self.sessions.get(sid)
if not session:
session = smartcard.Session(name)
self.sessions[sid] = session
return session
def close_sessions(self):
for s in self.sessions.values():
s.close()
self.sessions = {}
def unscramble_apdu(self, bytesIn):
# Example incoming APDU:
# FF FF 01 04 - indicator about special packet
# xx xx xx xx - ref to unscramble pin with
# 05 - length of apdu prefix (guess)
# 04 - length of pin (guess)
# A0 20 00 82 08 - apdu prefix
# xx xx xx xx - scrambled pin
# FF FF FF FF - placeholder (for longer pins)
# FF FF FF FF - padding?
bytesOut = []
# lookup ref for data to unscramble
ref = (((bytesIn[4] << 8) + bytesIn[5] << 8) + bytesIn[6] << 8) + bytesIn[7]
refdata = self.refs[ref] # TODO handle missing ref
# data lengths
prefixLen = bytesIn[8]
pinLen = bytesIn[9]
# prefix
bytesOut += bytesIn[10:(10+prefixLen)]
# unscramble pin
pin = bytesIn[(10+prefixLen):(10+prefixLen+pinLen)]
pin = [d ^ refdata[i] ^ refdata[i+len(pin)] for i, d in enumerate(pin)]
bytesOut += pin
# suffix
bytesOut += bytesIn[(10+prefixLen+pinLen):]
return bytesOut
#
# Request handlers (see do_POST)
#
def handle_version(self):
self.send_json({ 'version': self.VERSION, 'port': self.PORT })
def handle_list(self):
# status must be 301 (no card) or 302 (card present) to be recognized by Buypass
# status must be >= 302 for Buypass pin-change app
# TODO proper status based on card reader
readers = [{ 'cardstatus': 302, 'name': r.name } for r in smartcard.System.readers()]
self.send_json({ 'readers': readers, 'errorcode': 0, 'errordetail': 0 })
def handle_getref(self):
ref = random.randrange(0,0x80000000) # 4 bytes, except highest bit to avoid signed/unsigned issues
data = [random.randrange(0x100) for r in range(16)]
# TODO drop old entries
self.refs[ref] = data
self.send_json({ 'ref': ref, 'data': toHexString(data).replace(' ', '') })
def handle_disconnect(self):
# only called when client version >= 1.3
body = self.get_json_body()
sid = body['session']
s = self.sessions.get(sid)
if s:
s.close()
self.sessions.pop(sid)
self.send_response(200)
self.end_headers()
else:
self.send_404()
def handle_apdu(self, reader):
body = self.get_json_body()
session = self.get_session(reader, body['session'])
responses = []
for apdu in body['apducommands']:
apduBytes = toBytes(apdu['apdu'])
# special command to handle PIN entry, we decrypt PIN and send a different command
if apduBytes[0:4] == [0xff, 0xff, 0x01, 0x04]:
apduBytes = self.unscramble_apdu(apduBytes)
response, sw1, sw2 = session.sendCommandAPDU(apduBytes)
# status indicates we need another request to fech data
if sw1 == 0x61:
response, sx1, sx2 = session.sendCommandAPDU([0x00, 0xc0, 0x00, 0x00, sw2])
data = response
# special case: response of two bytes, add status to bytes
# not sure why this is needed, but it makes the responses match the official proxy
elif response and apduBytes[-1] == 2:
data = [*response, sw1, sw2]
# response
elif response:
data = response
# no response, just status
else:
data = [sw1, sw2]
responses.append({ 'apdu': toHexString(data).replace(' ', '') })
self.send_json({ 'apduresponses': responses, 'errorcode': 0, 'errordetail': 0 })
if __name__ == '__main__':
def get_systemd_socket():
"""Get socket from systemd with socket activation"""
SYSTEMD_FIRST_SOCKET_FD = 3
return socket.fromfd(SYSTEMD_FIRST_SOCKET_FD, HTTPServer.address_family, HTTPServer.socket_type)
def setup_ssl(httpd, datadir):
"""Setup SSL for HTTP server"""
sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
sslctx.check_hostname = False
sslctx.load_cert_chain(certfile=datadir+'/certs/scproxy.chain', keyfile=datadir+'/certs/scproxy.key')
httpd.socket = sslctx.wrap_socket(httpd.socket, server_side=True)
# figure out where the certificates are located
datadir = None
for prefix in ['/var/lib/scproxy', '.']:
if os.path.isfile(prefix + '/certs/scproxy.crt'):
datadir = prefix
break
if not datadir:
raise Exception('Could not find certificate, did you generate it?')
if os.environ.get('LISTEN_PID', None) == str(os.getpid()):
# systemd socket activation
httpd = HTTPServer(('localhost', ScproxyHandler.PORT), ScproxyHandler, bind_and_activate=False)
httpd.timeout = 1
httpd.socket = get_systemd_socket()
httpd.server_activate()
setup_ssl(httpd, datadir)
SHUTDOWN_DELAY = 60
start = time.monotonic()
while time.monotonic() < start + SHUTDOWN_DELAY:
httpd.handle_request()
# connections are closed by smartcard's finalizers
httpd.server_close()
else:
# regular http server
httpd = HTTPServer(('localhost', ScproxyHandler.PORT), ScproxyHandler)
setup_ssl(httpd, datadir)
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
# connections are closed by smartcard's finalizers
httpd.server_close()