Bugzilla – Attachment 2354 Details for
Bug 1908
Extract the public key from certificate on pkcs#11
[patch]
updated patch for extracting the pubkey from x509 via pkcs#11
pkcs11-cert.diff (text/plain), 4.97 KB, created by
Markus Friedl
on 2013-10-17 02:17:03 AEDT
Description:
updated patch for extracting the pubkey from x509 via pkcs#11
Creator:
Markus Friedl
Created:
2013-10-17 02:17:03 AEDT
Size:
4.97 KB
patch
obsolete
>diff --git ssh-pkcs11.c ssh-pkcs11.c
>index e91895c..cf0038d 100644
>--- ssh-pkcs11.c
>+++ ssh-pkcs11.c
>@@ -23,6 +23,8 @@
> #include <string.h>
> #include <dlfcn.h>
> 
>+#include <openssl/x509.h>
>+
> #define CRYPTOKI_COMPAT
> #include "pkcs11.h"
> 
>@@ -373,32 +375,62 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
> * add 'wrapped' public keys to the 'keysp' array and increment nkeys.
> * keysp points to an (possibly empty) array with *nkeys keys.
> */
>+static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
>+ CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *)
>+ __attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));
>+
> static int
>-pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
>- int *nkeys)
>+pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
>+ Key ***keysp, int *nkeys)
> {
>- Key *key;
>- RSA *rsa;
>- int i;
>- CK_RV rv;
>- CK_OBJECT_HANDLE obj;
>- CK_ULONG nfound;
>- CK_SESSION_HANDLE session;
>- CK_FUNCTION_LIST *f;
> CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
>+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
> CK_ATTRIBUTE pubkey_filter[] = {
> { CKA_CLASS, &pubkey_class, sizeof(pubkey_class) }
> };
>- CK_ATTRIBUTE attribs[] = {
>+ CK_ATTRIBUTE cert_filter[] = {
>+ { CKA_CLASS, &cert_class, sizeof(cert_class) }
>+ };
>+ CK_ATTRIBUTE pubkey_attribs[] = {
> { CKA_ID, NULL, 0 },
> { CKA_MODULUS, NULL, 0 },
> { CKA_PUBLIC_EXPONENT, NULL, 0 }
> };
>+ CK_ATTRIBUTE cert_attribs[] = {
>+ { CKA_ID, NULL, 0 },
>+ { CKA_SUBJECT, NULL, 0 },
>+ { CKA_VALUE, NULL, 0 }
>+ };
>+
>+ if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,
>+ keysp, nkeys) < 0 ||
>+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,
>+ keysp, nkeys) < 0)
>+ return (-1);
>+ return (0);
>+}
>+
>+static int
>+pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
>+ CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3],
>+ Key ***keysp, int *nkeys)
>+{
>+ Key *key;
>+ RSA *rsa;
>+ X509 *x509;
>+ EVP_PKEY *evp;
>+ int i;
>+ const u_char *cp;
>+ CK_RV rv;
>+ CK_OBJECT_HANDLE obj;
>+ CK_ULONG nfound;
>+ CK_SESSION_HANDLE session;
>+ CK_FUNCTION_LIST *f;
> 
> f = p->function_list;
> session = p->slotinfo[slotidx].session;
> /* setup a filter the looks for public keys */
>- if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) {
>+ if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) {
> error("C_FindObjectsInit failed: %lu", rv);
> return (-1);
> }
>@@ -426,32 +458,55 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
> /* allocate buffers for attributes */
> for (i = 0; i < 3; i++)
> attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
>- /* retrieve ID, modulus and public exponent of RSA key */
>+ /*
>+ * retrieve ID, modulus and public exponent of RSA key,
>+ * or ID, subject and value for certificates.
>+ */
>+ rsa = NULL;
> if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))
> != CKR_OK) {
> error("C_GetAttributeValue failed: %lu", rv);
>- } else if ((rsa = RSA_new()) == NULL) {
>- error("RSA_new failed");
>- } else {
>- rsa->n = BN_bin2bn(attribs[1].pValue,
>- attribs[1].ulValueLen, NULL);
>- rsa->e = BN_bin2bn(attribs[2].pValue,
>- attribs[2].ulValueLen, NULL);
>- if (rsa->n && rsa->e &&
>- pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
>- key = key_new(KEY_UNSPEC);
>- key->rsa = rsa;
>- key->type = KEY_RSA;
>- key->flags |= KEY_FLAG_EXT;
>- /* expand key array and add key */
>- *keysp = xrealloc(*keysp, *nkeys + 1,
>- sizeof(Key *));
>- (*keysp)[*nkeys] = key;
>- *nkeys = *nkeys + 1;
>- debug("have %d keys", *nkeys);
>+ } else if (attribs[1].type == CKA_MODULUS ) {
>+ if ((rsa = RSA_new()) == NULL) {
>+ error("RSA_new failed");
> } else {
>- RSA_free(rsa);
>+ rsa->n = BN_bin2bn(attribs[1].pValue,
>+ attribs[1].ulValueLen, NULL);
>+ rsa->e = BN_bin2bn(attribs[2].pValue,
>+ attribs[2].ulValueLen, NULL);
>+ }
>+ } else {
>+ cp = attribs[2].pValue;
>+ if ((x509 = X509_new()) == NULL) {
>+ error("X509_new failed");
>+ } else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen)
>+ == NULL) {
>+ error("d2i_X509 failed");
>+ } else if ((evp = X509_get_pubkey(x509)) == NULL ||
>+ evp->type != EVP_PKEY_RSA ||
>+ evp->pkey.rsa == NULL) {
>+ debug("X509_get_pubkey failed or no rsa");
>+ } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
>+ == NULL) {
>+ error("RSAPublicKey_dup");
> }
>+ if (x509)
>+ X509_free(x509);
>+ }
>+ if (rsa && rsa->n && rsa->e &&
>+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
>+ key = key_new(KEY_UNSPEC);
>+ key->rsa = rsa;
>+ key->type = KEY_RSA;
>+ key->flags |= KEY_FLAG_EXT;
>+ /* expand key array and add key */
>+ *keysp = xrealloc(*keysp, *nkeys + 1,
>+ sizeof(Key *));
>+ (*keysp)[*nkeys] = key;
>+ *nkeys = *nkeys + 1;
>+ debug("have %d keys", *nkeys);
>+ } else if (rsa) {
>+ RSA_free(rsa);
> }
> for (i = 0; i < 3; i++)
> free(attribs[i].pValue);
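Review bot: pkcs11_fetch_keys now runs pkcs11_fetch_keys_filter() twice over the same slot with nothing de-duplicating the results, so a token that exposes both a CKO_PUBLIC_KEY object and a CKO_CERTIFICATE object for the same key pair (the usual layout, same CKA_ID) will have that RSA key appended to `*keysp` twice, and whoever consumes the array (ssh-agent listing, ssh-add -s) sees it twice. The append itself happens in the next hunk's `*keysp = xrealloc(...)` block, so the fix belongs in pkcs11_fetch_keys_filter: before wrapping, skip a candidate whose modulus and exponent already match an entry in `*keysp`, e.g. a small helper called as `!pkcs11_key_included(keysp, nkeys, rsa) &&` in the `if (rsa && rsa->n && rsa->e && ...)` condition. The helper below presumes every entry in `*keysp` was produced by this function and so has `key->rsa` set (true for the current callers as far as this hunk shows; confirm before relying on it). Note that pkcs11_fetch_keys_filter's body continues past the end of this hunk, and that `__bounded__` needs the usual portable-side no-op define to compile outside OpenBSD.
```c
/* Return 1 if an RSA key with the same n/e is already in *keysp. */
static int
pkcs11_key_included(Key ***keysp, int *nkeys, RSA *rsa)
{
	int i;

	for (i = 0; i < *nkeys; i++) {
		if ((*keysp)[i]->rsa != NULL &&
		    BN_cmp((*keysp)[i]->rsa->n, rsa->n) == 0 &&
		    BN_cmp((*keysp)[i]->rsa->e, rsa->e) == 0)
			return (1);
	}
	return (0);
}
/* … unchanged: pkcs11_fetch_keys_filter, with the call added to the wrap condition … */
```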
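Review bot: The `evp` obtained from X509_get_pubkey() in the certificate branch is never released, so every certificate object the token reports leaks one EVP_PKEY reference (X509_get_pubkey() returns an owned reference, and the `rsa` kept afterwards is an independent copy from RSAPublicKey_dup(), so releasing it is safe). Initialise it with the other per-object state and free it alongside the certificate: `evp = NULL;` next to `rsa = NULL;`, and `EVP_PKEY_free(evp);` immediately before `if (x509)` — EVP_PKEY_free() tolerates NULL, and without the initialisation `evp` is indeterminate on the X509_new()/d2i_X509() failure paths. The `if (x509)` guard looks intended for d2i_X509() freeing and nulling `*x509` when the DER fails to parse (the 1.0.x behaviour); a comment such as `/* d2i_X509 frees x509 on failure */` would keep the next reader from "simplifying" it to an unconditional free. Minor: `CKA_MODULUS )` has a stray space, and `attribs[2].ulValueLen` is a CK_ULONG passed where d2i_X509() takes a `long`, so an explicit `(long)` cast would document the narrowing.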