|
Lines 73-78
struct pkcs11_key {
|
| 73 |
int keyid_len; |
73 |
int keyid_len; |
| 74 |
}; |
74 |
}; |
| 75 |
|
75 |
|
|
|
76 |
static int pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin); |
| 77 |
static int pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, struct sshkey ***keysp, int *nkeys); |
| 78 |
static int pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key); |
| 79 |
|
| 76 |
int pkcs11_interactive = 0; |
80 |
int pkcs11_interactive = 0; |
| 77 |
|
81 |
|
| 78 |
int |
82 |
int |
|
Lines 272-277
pkcs11_always_authenticate(struct pkcs11_provider *p,
|
| 272 |
return pkcs11_login(p, si, CKU_CONTEXT_SPECIFIC); |
276 |
return pkcs11_login(p, si, CKU_CONTEXT_SPECIFIC); |
| 273 |
} |
277 |
} |
| 274 |
|
278 |
|
|
|
279 |
int pkcs11_key_is_present(struct pkcs11_key *k11) |
| 280 |
{ |
| 281 |
CK_RV rv; |
| 282 |
CK_FUNCTION_LIST *f; |
| 283 |
CK_SLOT_INFO info; |
| 284 |
CK_TOKEN_INFO tokeninfo; |
| 285 |
CK_SESSION_HANDLE session; |
| 286 |
CK_SESSION_INFO sessioninfo; |
| 287 |
|
| 288 |
f = k11->provider->function_list; |
| 289 |
rv = f->C_GetSlotInfo(k11->slotidx, &info); |
| 290 |
if (rv != CKR_OK) { |
| 291 |
/* The cryptoki is not ready to work with this slot */ |
| 292 |
return -1; |
| 293 |
} |
| 294 |
if (!(info.flags & CKF_TOKEN_PRESENT)) { |
| 295 |
return -1; |
| 296 |
} |
| 297 |
|
| 298 |
rv = f->C_GetTokenInfo(k11->slotidx, &tokeninfo); |
| 299 |
if (rv != CKR_OK) { |
| 300 |
/* The cryptoki is not ready to work with this token */ |
| 301 |
return -1; |
| 302 |
} |
| 303 |
/* TODO check if the fields of the tokeninfo match the stored values */ |
| 304 |
|
| 305 |
session = k11->provider->slotinfo[k11->slotidx].session; |
| 306 |
rv = f->C_GetSessionInfo(session, &sessioninfo); |
| 307 |
if (rv != CKR_OK) { |
| 308 |
/* The cryptoki is not ready to work with this session */ |
| 309 |
return -1; |
| 310 |
} |
| 311 |
if (sessioninfo.slotID != k11->slotidx) { |
| 312 |
return -1; |
| 313 |
} |
| 314 |
return 0; |
| 315 |
} |
| 316 |
|
| 317 |
static int pkcs11_reload_key(struct sshkey *key, struct pkcs11_key *k11) |
| 318 |
{ |
| 319 |
unsigned char *pin = NULL; |
| 320 |
int r, i; |
| 321 |
struct sshkey **keysp = NULL; |
| 322 |
int nkeys = 0; |
| 323 |
|
| 324 |
/* No need to C_CloseSession(): It is already invalidated */ |
| 325 |
|
| 326 |
pin = read_passphrase("Enter PIN for smart card", RP_USE_ASKPASS); |
| 327 |
if (!pin) |
| 328 |
return -1; |
| 329 |
|
| 330 |
r = pkcs11_open_session(k11->provider, k11->slotidx, pin); |
| 331 |
|
| 332 |
explicit_bzero(pin, strlen(pin)); |
| 333 |
free(pin); |
| 334 |
|
| 335 |
if (r == -1) |
| 336 |
return -1; |
| 337 |
|
| 338 |
/* Check that the key we are using is present in the current card */ |
| 339 |
r = pkcs11_fetch_keys(k11->provider, k11->slotidx, &keysp, &nkeys); |
| 340 |
if (r < 0) |
| 341 |
return -1; |
| 342 |
|
| 343 |
r = -1; |
| 344 |
if (pkcs11_key_included(&keysp, &nkeys, key) == 1) |
| 345 |
r = 0; |
| 346 |
|
| 347 |
/* clean up the keys */ |
| 348 |
for (i = 0; i < nkeys; i++) |
| 349 |
sshkey_free(keysp[i]); |
| 350 |
free(keysp); |
| 351 |
return r; |
| 352 |
} |
| 353 |
|
| 354 |
int pkcs11_refresh_key(struct sshkey *key) |
| 355 |
{ |
| 356 |
struct pkcs11_key *k11; |
| 357 |
|
| 358 |
if ((k11 = RSA_get_app_data(key->rsa)) == NULL) { |
| 359 |
error("RSA_get_app_data failed for rsa %p", key->rsa); |
| 360 |
return (-1); |
| 361 |
} |
| 362 |
if (!k11->provider || !k11->provider->valid) { |
| 363 |
error("no pkcs11 (valid) provider for rsa %p", key->rsa); |
| 364 |
return (-1); |
| 365 |
} |
| 366 |
|
| 367 |
if (pkcs11_key_is_present(k11) == -1) |
| 368 |
if (pkcs11_reload_key(key, k11) == -1) |
| 369 |
return -1; |
| 370 |
|
| 371 |
return 0; |
| 372 |
} |
| 373 |
|
| 275 |
/* openssl callback doing the actual signing operation */ |
374 |
/* openssl callback doing the actual signing operation */ |
| 276 |
static int |
375 |
static int |
| 277 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
376 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
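Review bot: In the added pkcs11_reload_key, `pin` is declared `unsigned char *pin = NULL;` but is passed to `pkcs11_open_session(..., char *pin)` and to `strlen()`, both of which take `char *`, so the compiler will warn about incompatible pointer types on every build; declare it as `char *pin = NULL;` to match read_passphrase and the callee. In pkcs11_refresh_key, `key->rsa` is handed to RSA_get_app_data and to the error() calls without first checking that the sshkey is an RSA key, so a non-RSA key (where rsa is presumably NULL) would hit the library with a NULL pointer before the `k11 == NULL` check can help; a guard such as `if (key->rsa == NULL) return -1;` ahead of that lookup would be cheap insurance. The reload path also prompts for the PIN via read_passphrase unconditionally, while the first hunk shows this file carries a `pkcs11_interactive` flag; if the existing login code gates PIN prompts on that flag, the new path should honour it too, e.g. `if (!pkcs11_interactive) return -1;` before the prompt, so a silently re-inserted token cannot trigger an askpass dialog in a non-interactive context. Finally, the `/* TODO check if the fields of the tokeninfo match the stored values */` in pkcs11_key_is_present means the token's identity is never compared, so detection of a swapped token currently rests entirely on pkcs11_key_included() finding the same key; that is worth saying in the function comment until the TODO is done, and the two brace-less nested `if`s in pkcs11_refresh_key would read more safely as a single `if (a == -1 && b == -1)` or with braces. pkcs11_rsa_private_encrypt's definition continues outside the hunk.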