

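--- a/openssh-5.8p1.orig/key.h
+++ b/openssh-5.8p1.orig/key.h
@@ -29,6 +29,7 @@
 #include "buffer.h"
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
+#include <openssl/x509.h>
 #ifdef OPENSSL_HAS_ECC
 #include <openssl/ec.h>
 #endif
@@ -78,6 +79,7 @@
 	int	 flags;
 	RSA	*rsa;
 	DSA	*dsa;
+	X509    *x509;
 	int	 ecdsa_nid;	/* NID of curve */
 #ifdef OPENSSL_HAS_ECC
 	EC_KEY	*ecdsa;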
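Review bot: The new `X509 *x509` member added to the Key struct in the second hunk is not accompanied by any change to the Key lifecycle routines in this patch; key_new()/key_free()/key_demote() are outside these hunks, so unless they are updated elsewhere the certificate pointer is never initialised, copied or released. In the companion ssh-pkcs11.c change the member is never assigned either, so its ownership is currently undefined. Once the owner is settled, record it on the field, e.g. `X509	*x509;	/* certificate the key was loaded from; owned by the Key, released in key_free() */`.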
(-)openssh-5.8p1.orig/ssh-pkcs11.c (-1 / +91 lines)
Lines 277-283 Link Here
277
	key_filter[1].ulValueLen = k11->keyid_len;
277
	key_filter[1].ulValueLen = k11->keyid_len;
278
	/* try to find object w/CKA_SIGN first, retry w/o */
278
	/* try to find object w/CKA_SIGN first, retry w/o */
279
	if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0 &&
279
	if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0 &&
280
	    pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0) {
280
	    pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0 &&
281
            pkcs11_find(k11->provider, k11->slotidx, key_filter, 1, &obj) < 0) {
281
		error("cannot find private key");
282
		error("cannot find private key");
282
	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
283
	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
283
		error("C_SignInit failed: %lu", rv);
284
		error("C_SignInit failed: %lu", rv);
Lines 391-396 Link Here
391
{
392
{
392
	Key			*key;
393
	Key			*key;
393
	RSA			*rsa;
394
	RSA			*rsa;
395
	X509 			*x509;
394
	int			i;
396
	int			i;
395
	CK_RV			rv;
397
	CK_RV			rv;
396
	CK_OBJECT_HANDLE	obj;
398
	CK_OBJECT_HANDLE	obj;
Lines 398-415 Link Here
398
	CK_SESSION_HANDLE	session;
400
	CK_SESSION_HANDLE	session;
399
	CK_FUNCTION_LIST	*f;
401
	CK_FUNCTION_LIST	*f;
400
	CK_OBJECT_CLASS		pubkey_class = CKO_PUBLIC_KEY;
402
	CK_OBJECT_CLASS		pubkey_class = CKO_PUBLIC_KEY;
403
	CK_OBJECT_CLASS		cert_class = CKO_CERTIFICATE;
401
	CK_ATTRIBUTE		pubkey_filter[] = {
404
	CK_ATTRIBUTE		pubkey_filter[] = {
402
		{ CKA_CLASS, NULL, sizeof(pubkey_class) }
405
		{ CKA_CLASS, NULL, sizeof(pubkey_class) }
403
	};
406
	};
407
	CK_ATTRIBUTE		cert_filter[] = {
408
		{ CKA_CLASS, NULL, sizeof(cert_class) }
409
	};
404
	CK_ATTRIBUTE		attribs[] = {
410
	CK_ATTRIBUTE		attribs[] = {
405
		{ CKA_ID, NULL, 0 },
411
		{ CKA_ID, NULL, 0 },
406
		{ CKA_MODULUS, NULL, 0 },
412
		{ CKA_MODULUS, NULL, 0 },
407
		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
413
		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
408
	};
414
	};
415
	CK_ATTRIBUTE attribs_cert[] = {
416
		{ CKA_ID, NULL, 0 },
417
		{ CKA_SUBJECT, NULL, 0 },
418
		{ CKA_VALUE, NULL, 0 },
419
	};
409
420
410
	/* some compilers complain about non-constant initializer so we
421
	/* some compilers complain about non-constant initializer so we
411
	   use NULL in CK_ATTRIBUTE above and set the value here */
422
	   use NULL in CK_ATTRIBUTE above and set the value here */
412
	pubkey_filter[0].pValue = &pubkey_class;
423
	pubkey_filter[0].pValue = &pubkey_class;
424
	cert_filter[0].pValue = &cert_class;
413
425
414
	f = p->function_list;
426
	f = p->function_list;
415
	session = p->slotinfo[slotidx].session;
427
	session = p->slotinfo[slotidx].session;
Lines 474-479 Link Here
474
	}
486
	}
475
	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
487
	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
476
		error("C_FindObjectsFinal failed: %lu", rv);
488
		error("C_FindObjectsFinal failed: %lu", rv);
489
490
	debug("Search X509");
491
	f = p->function_list;
492
	session = p->slotinfo[slotidx].session;
493
	/* setup a filter the looks for certificates */
494
	if ((rv = f->C_FindObjectsInit(session, cert_filter, 1)) != CKR_OK) {
495
		error("C_FindObjectsInit failed: %lu", rv);
496
		return (-1);
497
	}
498
	while (1) {
499
		/* XXX 3 attributes in attribs[] */
500
		for (i = 0; i < 3; i++) {
501
			attribs_cert[i].pValue = NULL;
502
			attribs_cert[i].ulValueLen = 0;
503
		}
504
		if ((rv = f->C_FindObjects(session, &obj, 1, &nfound)) != CKR_OK
505
		    || nfound == 0)
506
			break;
507
		/* found a key, so figure out size of the attributes */
508
		if ((rv = f->C_GetAttributeValue(session, obj, attribs_cert, 3))
509
		    != CKR_OK) {
510
			error("C_GetAttributeValue failed: %lu", rv);
511
			continue;
512
		}
513
		/* check that none of the attributes are zero length */
514
		if (attribs_cert[0].ulValueLen == 0 ||
515
		    attribs_cert[1].ulValueLen == 0 ||
516
		    attribs_cert[2].ulValueLen == 0) {
517
			continue;
518
		}
519
		/* allocate buffers for attributes */
520
		for (i = 0; i < 3; i++)
521
			attribs_cert[i].pValue = xmalloc(attribs_cert[i].ulValueLen);
522
		/* retrieve LABEL, SUBJECT and VALUE of X509 cert */
523
		if ((rv = f->C_GetAttributeValue(session, obj, attribs_cert, 3))
524
		    != CKR_OK) {
525
			error("C_GetAttributeValue failed: %lu", rv);
526
		} else if ((x509 = X509_new()) == NULL) {
527
			error("X509_new failed");
528
		} else {
529
530
			CK_BYTE_PTR der_value;
531
			CK_BYTE_PTR ptr;
532
			CK_ULONG n_der_value;
533
			EVP_PKEY *pubkey = NULL;
534
535
			n_der_value = attribs_cert[2].ulValueLen;
536
			ptr = attribs_cert[2].pValue;
537
			x509 = d2i_X509(NULL, (const unsigned char**)&ptr, n_der_value);
538
			if(x509 == NULL) {
539
				debug("CKA_VALUE:Error");
540
			} else {
541
				//PEM_write_X509(stdout, x509);
542
				pubkey = X509_get_pubkey(x509);
543
				rsa = pubkey->pkey.rsa;
544
545
				if (rsa->n && rsa->e &&
546
				    pkcs11_rsa_wrap(p, slotidx, &attribs_cert[0], rsa) == 0) {
547
					key = key_new(KEY_UNSPEC);
548
					key->rsa = rsa;
549
					key->type = KEY_RSA;
550
					key->flags |= KEY_FLAG_EXT;
551
					/* expand key array and add key */
552
					*keysp = xrealloc(*keysp, *nkeys + 1,
553
					    sizeof(Key *));
554
					(*keysp)[*nkeys] = key;
555
					*nkeys = *nkeys + 1;
556
					debug("have %d keys", *nkeys);
557
				} else {
558
					RSA_free(rsa);
559
				}
560
			}
561
		}
562
		for (i = 0; i < 3; i++)
563
			xfree(attribs_cert[i].pValue);
564
	}
565
	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
566
		error("C_FindObjectsFinal failed: %lu", rv);
477
	return (0);
567
	return (0);
478
}
568
}
479
569
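Review bot: In the certificate loop of the "Lines 474-479" hunk, `rsa = pubkey->pkey.rsa` copies a pointer still owned by the EVP_PKEY into `key->rsa` (or passes it to `RSA_free` on the failure path) without taking a reference, and `pubkey` is dereferenced with neither a NULL check nor a check that the certificate's key is RSA, so a non-RSA certificate on the token reads the wrong union member. The `X509_new()` result is immediately overwritten by `d2i_X509(NULL, ...)` and neither it, the parsed `x509`, nor `pubkey` is ever freed, so every certificate found leaks; the `x509` member this patch adds to Key is never assigned here, so the certificate should either be handed to the key or released. The rewrite below takes its own RSA reference with `EVP_PKEY_get1_RSA`, checks the key type with `EVP_PKEY_base_id`, and releases the temporaries. Separately, the first hunk's new fallback `pkcs11_find(k11->provider, k11->slotidx, key_filter, 1, &obj)` presumably searches by object class alone (key_filter is declared outside the hunk), which would let signing proceed with a private key whose CKA_ID does not match the requested key — worth confirming that is intended. The enclosing function starts before the hunk.
```c
		if ((rv = f->C_GetAttributeValue(session, obj, attribs_cert, 3))
		    != CKR_OK) {
			error("C_GetAttributeValue failed: %lu", rv);
		} else {
			CK_BYTE_PTR ptr = attribs_cert[2].pValue;
			CK_ULONG n_der_value = attribs_cert[2].ulValueLen;
			EVP_PKEY *pubkey = NULL;

			/* d2i_X509(NULL, ...) allocates, so the X509_new() call is dropped */
			x509 = d2i_X509(NULL, (const unsigned char **)&ptr, n_der_value);
			rsa = NULL;
			if (x509 == NULL) {
				debug("CKA_VALUE:Error");
			} else if ((pubkey = X509_get_pubkey(x509)) == NULL ||
			    EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) {
				debug("certificate public key is not RSA");
			} else if ((rsa = EVP_PKEY_get1_RSA(pubkey)) != NULL &&
			    rsa->n && rsa->e &&
			    pkcs11_rsa_wrap(p, slotidx, &attribs_cert[0], rsa) == 0) {
				/* … unchanged: key_new(), key->rsa = rsa, append to *keysp … */
			} else {
				RSA_free(rsa);	/* only our get1 reference; NULL is a no-op */
			}
			EVP_PKEY_free(pubkey);
			X509_free(x509);	/* or transfer to key->x509 if the Key is meant to own it */
		}
```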
