Bugzilla – Attachment 2054 Details for
Bug 1908
Extract the public key from certificate on pkcs#11
[patch]
Patch for extract the pubkey from cert on pkcs#11
openssh-pkcs11-cert.patch (text/plain), 4.74 KB, created by
Laurent
on 2011-06-04 03:50:46 AEST
Description:
Patch to extract the public key from a certificate on PKCS#11
Filename:
MIME Type:
Creator:
Laurent
Created:
2011-06-04 03:50:46 AEST
Size:
4.74 KB
patch
obsolete
diff -u openssh-5.8p1.orig/key.h openssh-5.8p1/key.h
--- openssh-5.8p1.orig/key.h 2010-11-05 00:19:49.000000000 +0100
+++ openssh-5.8p1/key.h 2011-05-18 16:42:07.787884979 +0200
@@ -29,6 +29,7 @@
 #include "buffer.h"
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
+#include <openssl/x509.h>
 #ifdef OPENSSL_HAS_ECC
 #include <openssl/ec.h>
 #endif
@@ -78,6 +79,7 @@
 int flags;
 RSA *rsa;
 DSA *dsa;
+ X509 *x509;
 int ecdsa_nid; /* NID of curve */
 #ifdef OPENSSL_HAS_ECC
 EC_KEY *ecdsa;
diff -u openssh-5.8p1.orig/ssh-pkcs11.c openssh-5.8p1/ssh-pkcs11.c
--- openssh-5.8p1.orig/ssh-pkcs11.c 2010-06-26 01:36:10.000000000 +0200
+++ openssh-5.8p1/ssh-pkcs11.c 2011-05-18 17:48:35.033733032 +0200
@@ -277,7 +277,8 @@
 key_filter[1].ulValueLen = k11->keyid_len;
 /* try to find object w/CKA_SIGN first, retry w/o */
 if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0 &&
- pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0) {
+ pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0 &&
+ pkcs11_find(k11->provider, k11->slotidx, key_filter, 1, &obj) < 0) {
 error("cannot find private key");
 } else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
 error("C_SignInit failed: %lu", rv);
@@ -391,6 +392,7 @@
 {
 Key *key;
 RSA *rsa;
+ X509 *x509;
 int i;
 CK_RV rv;
 CK_OBJECT_HANDLE obj;
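Review bot: The `X509 *x509` member added to the Key struct is never assigned or released anywhere in this patch: the certificate pass in ssh-pkcs11.c keeps only the RSA it pulls out of the certificate, and key.c (where key_new and key_free live) is not part of the diff, so the member is dead at best and, should later code start storing a certificate there, it leaks on key_free. Either drop the member until it is used, or complete the change by setting `key->x509 = x509` where the certificate is parsed and adding `X509_free(k->x509);` (NULL-safe) next to the existing rsa/dsa cleanup in key_free. The struct definition starts and ends outside the hunk.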
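Review bot: The added third `pkcs11_find(..., key_filter, 1, &obj)` fallback drops `key_filter[1]`, whose length is set from `k11->keyid_len` two lines above, so when no private key matches the CKA_ID of the public key in use the search simply returns the first private-key object the token enumerates and signing proceeds with it. On a token holding several keys that yields a signature made with an unrelated key, which the peer will reject, and the `error("cannot find private key")` diagnostic is never reached for the id-mismatch case. If the intent is to support tokens whose private keys carry no CKA_ID, that should be detected explicitly (only widen the search when the id-qualified lookups found nothing and the token exposes a single private key) rather than silently dropping the id constraint, with a `debug()` saying which key was picked. The enclosing function (presumably the PKCS#11 private-encrypt callback) starts and ends outside the hunk.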
@@ -398,18 +400,28 @@
 CK_SESSION_HANDLE session;
 CK_FUNCTION_LIST *f;
 CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
 CK_ATTRIBUTE pubkey_filter[] = {
 { CKA_CLASS, NULL, sizeof(pubkey_class) }
 };
+ CK_ATTRIBUTE cert_filter[] = {
+ { CKA_CLASS, NULL, sizeof(cert_class) }
+ };
 CK_ATTRIBUTE attribs[] = {
 { CKA_ID, NULL, 0 },
 { CKA_MODULUS, NULL, 0 },
 { CKA_PUBLIC_EXPONENT, NULL, 0 }
 };
+ CK_ATTRIBUTE attribs_cert[] = {
+ { CKA_ID, NULL, 0 },
+ { CKA_SUBJECT, NULL, 0 },
+ { CKA_VALUE, NULL, 0 },
+ };
 
 /* some compilers complain about non-constant initializer so we
 use NULL in CK_ATTRIBUTE above and set the value here */
 pubkey_filter[0].pValue = &pubkey_class;
+ cert_filter[0].pValue = &cert_class;
 
 f = p->function_list;
 session = p->slotinfo[slotidx].session;
@@ -474,6 +486,84 @@
 }
 if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
 error("C_FindObjectsFinal failed: %lu", rv);
+
+ debug("Search X509");
+ f = p->function_list;
+ session = p->slotinfo[slotidx].session;
+ /* setup a filter the looks for certificates */
+ if ((rv = f->C_FindObjectsInit(session, cert_filter, 1)) != CKR_OK) {
+ error("C_FindObjectsInit failed: %lu", rv);
+ return (-1);
+ }
+ while (1) {
+ /* XXX 3 attributes in attribs[] */
+ for (i = 0; i < 3; i++) {
+ attribs_cert[i].pValue = NULL;
+ attribs_cert[i].ulValueLen = 0;
+ }
+ if ((rv = f->C_FindObjects(session, &obj, 1, &nfound)) != CKR_OK
+ || nfound == 0)
+ break;
+ /* found a key, so figure out size of the attributes */
+ if ((rv = f->C_GetAttributeValue(session, obj, attribs_cert, 3))
+ != CKR_OK) {
+ error("C_GetAttributeValue failed: %lu", rv);
+ continue;
+ }
+ /* check that none of the attributes are zero length */
+ if (attribs_cert[0].ulValueLen == 0 ||
+ attribs_cert[1].ulValueLen == 0 ||
+ attribs_cert[2].ulValueLen == 0) {
+ continue;
+ }
+ /* allocate buffers for attributes */
+ for (i = 0; i < 3; i++)
+ attribs_cert[i].pValue = xmalloc(attribs_cert[i].ulValueLen);
+ /* retrieve LABEL, SUBJECT and VALUE of X509 cert */
+ if ((rv = f->C_GetAttributeValue(session, obj, attribs_cert, 3))
+ != CKR_OK) {
+ error("C_GetAttributeValue failed: %lu", rv);
+ } else if ((x509 = X509_new()) == NULL) {
+ error("X509_new failed");
+ } else {
+
+ CK_BYTE_PTR der_value;
+ CK_BYTE_PTR ptr;
+ CK_ULONG n_der_value;
+ EVP_PKEY *pubkey = NULL;
+
+ n_der_value = attribs_cert[2].ulValueLen;
+ ptr = attribs_cert[2].pValue;
+ x509 = d2i_X509(NULL, (const unsigned char**)&ptr, n_der_value);
+ if(x509 == NULL) {
+ debug("CKA_VALUE:Error");
+ } else {
+ //PEM_write_X509(stdout, x509);
+ pubkey = X509_get_pubkey(x509);
+ rsa = pubkey->pkey.rsa;
+
+ if (rsa->n && rsa->e &&
+ pkcs11_rsa_wrap(p, slotidx, &attribs_cert[0], rsa) == 0) {
+ key = key_new(KEY_UNSPEC);
+ key->rsa = rsa;
+ key->type = KEY_RSA;
+ key->flags |= KEY_FLAG_EXT;
+ /* expand key array and add key */
+ *keysp = xrealloc(*keysp, *nkeys + 1,
+ sizeof(Key *));
+ (*keysp)[*nkeys] = key;
+ *nkeys = *nkeys + 1;
+ debug("have %d keys", *nkeys);
+ } else {
+ RSA_free(rsa);
+ }
+ }
+ }
+ for (i = 0; i < 3; i++)
+ xfree(attribs_cert[i].pValue);
+ }
+ if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
+ error("C_FindObjectsFinal failed: %lu", rv);
 return (0);
 }
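Review bot: `rsa = pubkey->pkey.rsa` dereferences the result of X509_get_pubkey() with no NULL check and without confirming that the key is RSA, so a certificate carrying a DSA or EC key makes the code read the wrong member of the pkey union and hand it to pkcs11_rsa_wrap as an RSA; in the same block the object from `X509_new()` is overwritten by `d2i_X509()` and leaked, the X509 and EVP_PKEY are never freed on any path, and because `pkey.rsa` is borrowed rather than up-referenced the `RSA_free(rsa)` on the failure path frees memory the still-live EVP_PKEY owns. Take the RSA with `EVP_PKEY_get1_RSA()` after an `EVP_PKEY_type(pubkey->type) == EVP_PKEY_RSA` check, then release pubkey and x509 unconditionally, as sketched below. Also `der_value` is declared but never used, the comment `/* XXX 3 attributes in attribs[] */` should name `attribs_cert[]`, and `/* retrieve LABEL, SUBJECT and VALUE of X509 cert */` should read `/* retrieve ID, SUBJECT and VALUE of X509 cert */`, since attribs_cert[0] is CKA_ID. Whether a key already appended by the CKO_PUBLIC_KEY pass should be appended a second time when its certificate is also on the token is not addressed either; comparing against the entries already in *keysp before the xrealloc would avoid offering the same key twice. The enclosing function starts outside the hunk.
```c
	/* … unchanged: second C_GetAttributeValue() call and its error branch … */
	} else {
		CK_BYTE_PTR ptr = attribs_cert[2].pValue;
		EVP_PKEY *pubkey = NULL;

		/* d2i_X509() allocates the object itself; no X509_new() first */
		x509 = d2i_X509(NULL, (const unsigned char **)&ptr,
		    attribs_cert[2].ulValueLen);
		if (x509 == NULL) {
			debug("CKA_VALUE is not a DER certificate");
		} else if ((pubkey = X509_get_pubkey(x509)) == NULL ||
		    EVP_PKEY_type(pubkey->type) != EVP_PKEY_RSA) {
			debug("certificate public key is not RSA");
		} else if ((rsa = EVP_PKEY_get1_RSA(pubkey)) != NULL &&
		    rsa->n && rsa->e &&
		    pkcs11_rsa_wrap(p, slotidx, &attribs_cert[0], rsa) == 0) {
			/* … unchanged: key_new(), fill in key, append to *keysp … */
		} else {
			RSA_free(rsa);	/* our own reference from get1; NULL-safe */
		}
		EVP_PKEY_free(pubkey);
		X509_free(x509);
	}
	/* … unchanged: xfree() of attribs_cert buffers, C_FindObjectsFinal … */
```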