|
Lines 23-28
Link Here
|
| 23 |
#include <string.h> |
23 |
#include <string.h> |
| 24 |
#include <dlfcn.h> |
24 |
#include <dlfcn.h> |
| 25 |
|
25 |
|
|
|
26 |
#include <openssl/x509.h> |
| 27 |
|
| 26 |
#define CRYPTOKI_COMPAT |
28 |
#define CRYPTOKI_COMPAT |
| 27 |
#include "pkcs11.h" |
29 |
#include "pkcs11.h" |
| 28 |
|
30 |
|
|
Lines 373-404
pkcs11_open_session(struct pkcs11_provid
Link Here
|
| 373 |
* add 'wrapped' public keys to the 'keysp' array and increment nkeys. |
375 |
* add 'wrapped' public keys to the 'keysp' array and increment nkeys. |
| 374 |
* keysp points to an (possibly empty) array with *nkeys keys. |
376 |
* keysp points to an (possibly empty) array with *nkeys keys. |
| 375 |
*/ |
377 |
*/ |
|
|
378 |
static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG, |
| 379 |
CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *) |
| 380 |
__attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE)))); |
| 381 |
|
| 376 |
static int |
382 |
static int |
| 377 |
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, |
383 |
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, |
| 378 |
int *nkeys) |
384 |
Key ***keysp, int *nkeys) |
| 379 |
{ |
385 |
{ |
| 380 |
Key *key; |
|
|
| 381 |
RSA *rsa; |
| 382 |
int i; |
| 383 |
CK_RV rv; |
| 384 |
CK_OBJECT_HANDLE obj; |
| 385 |
CK_ULONG nfound; |
| 386 |
CK_SESSION_HANDLE session; |
| 387 |
CK_FUNCTION_LIST *f; |
| 388 |
CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; |
386 |
CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; |
|
|
387 |
CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; |
| 389 |
CK_ATTRIBUTE pubkey_filter[] = { |
388 |
CK_ATTRIBUTE pubkey_filter[] = { |
| 390 |
{ CKA_CLASS, &pubkey_class, sizeof(pubkey_class) } |
389 |
{ CKA_CLASS, &pubkey_class, sizeof(pubkey_class) } |
| 391 |
}; |
390 |
}; |
| 392 |
CK_ATTRIBUTE attribs[] = { |
391 |
CK_ATTRIBUTE cert_filter[] = { |
|
|
392 |
{ CKA_CLASS, &cert_class, sizeof(cert_class) } |
| 393 |
}; |
| 394 |
CK_ATTRIBUTE pubkey_attribs[] = { |
| 393 |
{ CKA_ID, NULL, 0 }, |
395 |
{ CKA_ID, NULL, 0 }, |
| 394 |
{ CKA_MODULUS, NULL, 0 }, |
396 |
{ CKA_MODULUS, NULL, 0 }, |
| 395 |
{ CKA_PUBLIC_EXPONENT, NULL, 0 } |
397 |
{ CKA_PUBLIC_EXPONENT, NULL, 0 } |
| 396 |
}; |
398 |
}; |
|
|
399 |
CK_ATTRIBUTE cert_attribs[] = { |
| 400 |
{ CKA_ID, NULL, 0 }, |
| 401 |
{ CKA_SUBJECT, NULL, 0 }, |
| 402 |
{ CKA_VALUE, NULL, 0 } |
| 403 |
}; |
| 404 |
|
| 405 |
if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs, |
| 406 |
keysp, nkeys) < 0 || |
| 407 |
pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs, |
| 408 |
keysp, nkeys) < 0) |
| 409 |
return (-1); |
| 410 |
return (0); |
| 411 |
} |
| 412 |
|
| 413 |
static int |
| 414 |
pkcs11_key_included(Key ***keysp, int *nkeys, Key *key) |
| 415 |
{ |
| 416 |
int i; |
| 417 |
|
| 418 |
for (i = 0; i < *nkeys; i++) |
| 419 |
if (key_equal(key, *keysp[i])) |
| 420 |
return (1); |
| 421 |
return (0); |
| 422 |
} |
| 423 |
|
| 424 |
static int |
| 425 |
pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, |
| 426 |
CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], |
| 427 |
Key ***keysp, int *nkeys) |
| 428 |
{ |
| 429 |
Key *key; |
| 430 |
RSA *rsa; |
| 431 |
X509 *x509; |
| 432 |
EVP_PKEY *evp; |
| 433 |
int i; |
| 434 |
const u_char *cp; |
| 435 |
CK_RV rv; |
| 436 |
CK_OBJECT_HANDLE obj; |
| 437 |
CK_ULONG nfound; |
| 438 |
CK_SESSION_HANDLE session; |
| 439 |
CK_FUNCTION_LIST *f; |
| 397 |
|
440 |
|
| 398 |
f = p->function_list; |
441 |
f = p->function_list; |
| 399 |
session = p->slotinfo[slotidx].session; |
442 |
session = p->slotinfo[slotidx].session; |
| 400 |
/* setup a filter the looks for public keys */ |
443 |
/* setup a filter the looks for public keys */ |
| 401 |
if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) { |
444 |
if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) { |
| 402 |
error("C_FindObjectsInit failed: %lu", rv); |
445 |
error("C_FindObjectsInit failed: %lu", rv); |
| 403 |
return (-1); |
446 |
return (-1); |
| 404 |
} |
447 |
} |
|
Lines 426-457
pkcs11_fetch_keys(struct pkcs11_provider
Link Here
|
| 426 |
/* allocate buffers for attributes */ |
469 |
/* allocate buffers for attributes */ |
| 427 |
for (i = 0; i < 3; i++) |
470 |
for (i = 0; i < 3; i++) |
| 428 |
attribs[i].pValue = xmalloc(attribs[i].ulValueLen); |
471 |
attribs[i].pValue = xmalloc(attribs[i].ulValueLen); |
| 429 |
/* retrieve ID, modulus and public exponent of RSA key */ |
472 |
/* |
|
|
473 |
* retrieve ID, modulus and public exponent of RSA key, |
| 474 |
* or ID, subject and value for certificates. |
| 475 |
*/ |
| 476 |
rsa = NULL; |
| 430 |
if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3)) |
477 |
if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3)) |
| 431 |
!= CKR_OK) { |
478 |
!= CKR_OK) { |
| 432 |
error("C_GetAttributeValue failed: %lu", rv); |
479 |
error("C_GetAttributeValue failed: %lu", rv); |
| 433 |
} else if ((rsa = RSA_new()) == NULL) { |
480 |
} else if (attribs[1].type == CKA_MODULUS ) { |
| 434 |
error("RSA_new failed"); |
481 |
if ((rsa = RSA_new()) == NULL) { |
|
|
482 |
error("RSA_new failed"); |
| 483 |
} else { |
| 484 |
rsa->n = BN_bin2bn(attribs[1].pValue, |
| 485 |
attribs[1].ulValueLen, NULL); |
| 486 |
rsa->e = BN_bin2bn(attribs[2].pValue, |
| 487 |
attribs[2].ulValueLen, NULL); |
| 488 |
} |
| 435 |
} else { |
489 |
} else { |
| 436 |
rsa->n = BN_bin2bn(attribs[1].pValue, |
490 |
cp = attribs[2].pValue; |
| 437 |
attribs[1].ulValueLen, NULL); |
491 |
if ((x509 = X509_new()) == NULL) { |
| 438 |
rsa->e = BN_bin2bn(attribs[2].pValue, |
492 |
error("X509_new failed"); |
| 439 |
attribs[2].ulValueLen, NULL); |
493 |
} else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen) |
| 440 |
if (rsa->n && rsa->e && |
494 |
== NULL) { |
| 441 |
pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { |
495 |
error("d2i_X509 failed"); |
| 442 |
key = key_new(KEY_UNSPEC); |
496 |
} else if ((evp = X509_get_pubkey(x509)) == NULL || |
| 443 |
key->rsa = rsa; |
497 |
evp->type != EVP_PKEY_RSA || |
| 444 |
key->type = KEY_RSA; |
498 |
evp->pkey.rsa == NULL) { |
| 445 |
key->flags |= KEY_FLAG_EXT; |
499 |
debug("X509_get_pubkey failed or no rsa"); |
|
|
500 |
} else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) |
| 501 |
== NULL) { |
| 502 |
error("RSAPublicKey_dup"); |
| 503 |
} |
| 504 |
if (x509) |
| 505 |
X509_free(x509); |
| 506 |
} |
| 507 |
if (rsa && rsa->n && rsa->e && |
| 508 |
pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { |
| 509 |
key = key_new(KEY_UNSPEC); |
| 510 |
key->rsa = rsa; |
| 511 |
key->type = KEY_RSA; |
| 512 |
key->flags |= KEY_FLAG_EXT; |
| 513 |
if (pkcs11_key_included(keysp, nkeys, key)) { |
| 514 |
key_free(key); |
| 515 |
} else { |
| 446 |
/* expand key array and add key */ |
516 |
/* expand key array and add key */ |
| 447 |
*keysp = xrealloc(*keysp, *nkeys + 1, |
517 |
*keysp = xrealloc(*keysp, *nkeys + 1, |
| 448 |
sizeof(Key *)); |
518 |
sizeof(Key *)); |
| 449 |
(*keysp)[*nkeys] = key; |
519 |
(*keysp)[*nkeys] = key; |
| 450 |
*nkeys = *nkeys + 1; |
520 |
*nkeys = *nkeys + 1; |
| 451 |
debug("have %d keys", *nkeys); |
521 |
debug("have %d keys", *nkeys); |
| 452 |
} else { |
|
|
| 453 |
RSA_free(rsa); |
| 454 |
} |
522 |
} |
|
|
523 |
} else if (rsa) { |
| 524 |
RSA_free(rsa); |
| 455 |
} |
525 |
} |
| 456 |
for (i = 0; i < 3; i++) |
526 |
for (i = 0; i < 3; i++) |
| 457 |
free(attribs[i].pValue); |
527 |
free(attribs[i].pValue); |