Attachment 2370 Details for Bug 1908 – extract pub key from x509 via pkcs11, skip duplicates

[patch] extract pub key from x509 via pkcs11, skip duplicates

pkcs11-cert2.diff (text/plain), 5.16 KB, created by Markus Friedl on 2013-11-01 18:59:30 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Markus Friedl

Created: 2013-11-01 18:59:30 AEDT

Size: 5.16 KB

patch

obsolete

>Index: ssh-pkcs11.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/ssh-pkcs11.c,v
>retrieving revision 1.8
>diff -u -p -u -r1.8 ssh-pkcs11.c
>--- ssh-pkcs11.c	12 Jul 2013 00:20:00 -0000	1.8
>+++ ssh-pkcs11.c	17 Oct 2013 07:24:24 -0000
>@@ -23,6 +23,8 @@
> #include <string.h>
> #include <dlfcn.h>
> 
>+#include <openssl/x509.h>
>+
> #define CRYPTOKI_COMPAT
> #include "pkcs11.h"
> 
>@@ -373,32 +375,73 @@ pkcs11_open_session(struct pkcs11_provid
>  * add 'wrapped' public keys to the 'keysp' array and increment nkeys.
>  * keysp points to an (possibly empty) array with *nkeys keys.
>  */
>+static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
>+    CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *)
>+	__attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));
>+
> static int
>-pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
>-    int *nkeys)
>+pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
>+    Key ***keysp, int *nkeys)
> {
>-	Key			*key;
>-	RSA			*rsa;
>-	int			i;
>-	CK_RV			rv;
>-	CK_OBJECT_HANDLE	obj;
>-	CK_ULONG		nfound;
>-	CK_SESSION_HANDLE	session;
>-	CK_FUNCTION_LIST	*f;
> 	CK_OBJECT_CLASS		pubkey_class = CKO_PUBLIC_KEY;
>+	CK_OBJECT_CLASS		cert_class = CKO_CERTIFICATE;
> 	CK_ATTRIBUTE		pubkey_filter[] = {
> 		{ CKA_CLASS, &pubkey_class, sizeof(pubkey_class) }
> 	};
>-	CK_ATTRIBUTE		attribs[] = {
>+	CK_ATTRIBUTE		cert_filter[] = {
>+		{ CKA_CLASS, &cert_class, sizeof(cert_class) }
>+	};
>+	CK_ATTRIBUTE		pubkey_attribs[] = {
> 		{ CKA_ID, NULL, 0 },
> 		{ CKA_MODULUS, NULL, 0 },
> 		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
> 	};
>+	CK_ATTRIBUTE		cert_attribs[] = {
>+		{ CKA_ID, NULL, 0 },
>+		{ CKA_SUBJECT, NULL, 0 },
>+		{ CKA_VALUE, NULL, 0 }
>+	};
>+
>+	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,
>+	    keysp, nkeys) < 0 ||
>+	    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,
>+	    keysp, nkeys) < 0)
>+		return (-1);
>+	return (0);
>+}
>+
>+static int
>+pkcs11_key_included(Key ***keysp, int *nkeys, Key *key)
>+{
>+	int i;
>+
>+	for (i = 0; i < *nkeys; i++)
>+		if (key_equal(key, *keysp[i]))
>+			return (1);
>+	return (0);
>+}
>+
>+static int
>+pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
>+    CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3],
>+    Key ***keysp, int *nkeys)
>+{
>+	Key			*key;
>+	RSA			*rsa;
>+	X509 			*x509;
>+	EVP_PKEY		*evp;
>+	int			i;
>+	const u_char		*cp;
>+	CK_RV			rv;
>+	CK_OBJECT_HANDLE	obj;
>+	CK_ULONG		nfound;
>+	CK_SESSION_HANDLE	session;
>+	CK_FUNCTION_LIST	*f;
> 
> 	f = p->function_list;
> 	session = p->slotinfo[slotidx].session;
> 	/* setup a filter the looks for public keys */
>-	if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) {
>+	if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) {
> 		error("C_FindObjectsInit failed: %lu", rv);
> 		return (-1);
> 	}
>@@ -426,32 +469,59 @@ pkcs11_fetch_keys(struct pkcs11_provider
> 		/* allocate buffers for attributes */
> 		for (i = 0; i < 3; i++)
> 			attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
>-		/* retrieve ID, modulus and public exponent of RSA key */
>+		/*
>+		 * retrieve ID, modulus and public exponent of RSA key,
>+		 * or ID, subject and value for certificates.
>+		 */
>+		rsa = NULL;
> 		if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))
> 		    != CKR_OK) {
> 			error("C_GetAttributeValue failed: %lu", rv);
>-		} else if ((rsa = RSA_new()) == NULL) {
>-			error("RSA_new failed");
>+		} else if (attribs[1].type == CKA_MODULUS ) {
>+			if ((rsa = RSA_new()) == NULL) {
>+				error("RSA_new failed");
>+			} else {
>+				rsa->n = BN_bin2bn(attribs[1].pValue,
>+				    attribs[1].ulValueLen, NULL);
>+				rsa->e = BN_bin2bn(attribs[2].pValue,
>+				    attribs[2].ulValueLen, NULL);
>+			}
> 		} else {
>-			rsa->n = BN_bin2bn(attribs[1].pValue,
>-			    attribs[1].ulValueLen, NULL);
>-			rsa->e = BN_bin2bn(attribs[2].pValue,
>-			    attribs[2].ulValueLen, NULL);
>-			if (rsa->n && rsa->e &&
>-			    pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
>-				key = key_new(KEY_UNSPEC);
>-				key->rsa = rsa;
>-				key->type = KEY_RSA;
>-				key->flags |= KEY_FLAG_EXT;
>+			cp = attribs[2].pValue;
>+			if ((x509 = X509_new()) == NULL) {
>+				error("X509_new failed");
>+			} else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen)
>+			    == NULL) {
>+				error("d2i_X509 failed");
>+			} else if ((evp = X509_get_pubkey(x509)) == NULL ||
>+			    evp->type != EVP_PKEY_RSA ||
>+			    evp->pkey.rsa == NULL) {
>+				debug("X509_get_pubkey failed or no rsa");
>+			} else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
>+			    == NULL) {
>+				error("RSAPublicKey_dup");
>+			}
>+			if (x509)
>+				X509_free(x509);
>+		}
>+		if (rsa && rsa->n && rsa->e &&
>+		    pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
>+			key = key_new(KEY_UNSPEC);
>+			key->rsa = rsa;
>+			key->type = KEY_RSA;
>+			key->flags |= KEY_FLAG_EXT;
>+			if (pkcs11_key_included(keysp, nkeys, key)) {
>+				key_free(key);
>+			} else {
> 				/* expand key array and add key */
> 				*keysp = xrealloc(*keysp, *nkeys + 1,
> 				    sizeof(Key *));
> 				(*keysp)[*nkeys] = key;
> 				*nkeys = *nkeys + 1;
> 				debug("have %d keys", *nkeys);
>-			} else {
>-				RSA_free(rsa);
> 			}
>+		} else if (rsa) {
>+			RSA_free(rsa);
> 		}
> 		for (i = 0; i < 3; i++)
> 			free(attribs[i].pValue);

Flags:

djm: ok+

Actions: View | Diff

Attachments on bug 1908: 2054 | 2354 | 2370