Bugzilla – Attachment 2370 Details for
Bug 1908
Extract the public key from certificate on pkcs#11
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
extract pub key from x509 via pkcs11, skip duplicates
pkcs11-cert2.diff (text/plain), 5.16 KB, created by
Markus Friedl
on 2013-11-01 18:59:30 AEDT
(
hide
)
Description:
extract pub key from x509 via pkcs11, skip duplicates
Filename:
MIME Type:
Creator:
Markus Friedl
Created:
2013-11-01 18:59:30 AEDT
Size:
5.16 KB
patch
obsolete
>Index: ssh-pkcs11.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/ssh-pkcs11.c,v >retrieving revision 1.8 >diff -u -p -u -r1.8 ssh-pkcs11.c >--- ssh-pkcs11.c 12 Jul 2013 00:20:00 -0000 1.8 >+++ ssh-pkcs11.c 17 Oct 2013 07:24:24 -0000 >@@ -23,6 +23,8 @@ > #include <string.h> > #include <dlfcn.h> > >+#include <openssl/x509.h> >+ > #define CRYPTOKI_COMPAT > #include "pkcs11.h" > >@@ -373,32 +375,73 @@ pkcs11_open_session(struct pkcs11_provid > * add 'wrapped' public keys to the 'keysp' array and increment nkeys. > * keysp points to an (possibly empty) array with *nkeys keys. > */ >+static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG, >+ CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *) >+ __attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE)))); >+ > static int >-pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, >- int *nkeys) >+pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, >+ Key ***keysp, int *nkeys) > { >- Key *key; >- RSA *rsa; >- int i; >- CK_RV rv; >- CK_OBJECT_HANDLE obj; >- CK_ULONG nfound; >- CK_SESSION_HANDLE session; >- CK_FUNCTION_LIST *f; > CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; >+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; > CK_ATTRIBUTE pubkey_filter[] = { > { CKA_CLASS, &pubkey_class, sizeof(pubkey_class) } > }; >- CK_ATTRIBUTE attribs[] = { >+ CK_ATTRIBUTE cert_filter[] = { >+ { CKA_CLASS, &cert_class, sizeof(cert_class) } >+ }; >+ CK_ATTRIBUTE pubkey_attribs[] = { > { CKA_ID, NULL, 0 }, > { CKA_MODULUS, NULL, 0 }, > { CKA_PUBLIC_EXPONENT, NULL, 0 } > }; >+ CK_ATTRIBUTE cert_attribs[] = { >+ { CKA_ID, NULL, 0 }, >+ { CKA_SUBJECT, NULL, 0 }, >+ { CKA_VALUE, NULL, 0 } >+ }; >+ >+ if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs, >+ keysp, nkeys) < 0 || >+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs, >+ keysp, nkeys) < 0) >+ return (-1); >+ return (0); >+} >+ >+static int >+pkcs11_key_included(Key ***keysp, int *nkeys, Key *key) >+{ >+ int i; >+ >+ for (i = 0; i < *nkeys; i++) >+ if (key_equal(key, *keysp[i])) >+ return (1); >+ return (0); >+} >+ >+static int >+pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, >+ CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], >+ Key ***keysp, int *nkeys) >+{ >+ Key *key; >+ RSA *rsa; >+ X509 *x509; >+ EVP_PKEY *evp; >+ int i; >+ const u_char *cp; >+ CK_RV rv; >+ CK_OBJECT_HANDLE obj; >+ CK_ULONG nfound; >+ CK_SESSION_HANDLE session; >+ CK_FUNCTION_LIST *f; > > f = p->function_list; > session = p->slotinfo[slotidx].session; > /* setup a filter the looks for public keys */ >- if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) { >+ if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) { > error("C_FindObjectsInit failed: %lu", rv); > return (-1); > } >@@ -426,32 +469,59 @@ pkcs11_fetch_keys(struct pkcs11_provider > /* allocate buffers for attributes */ > for (i = 0; i < 3; i++) > attribs[i].pValue = xmalloc(attribs[i].ulValueLen); >- /* retrieve ID, modulus and public exponent of RSA key */ >+ /* >+ * retrieve ID, modulus and public exponent of RSA key, >+ * or ID, subject and value for certificates. >+ */ >+ rsa = NULL; > if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3)) > != CKR_OK) { > error("C_GetAttributeValue failed: %lu", rv); >- } else if ((rsa = RSA_new()) == NULL) { >- error("RSA_new failed"); >+ } else if (attribs[1].type == CKA_MODULUS ) { >+ if ((rsa = RSA_new()) == NULL) { >+ error("RSA_new failed"); >+ } else { >+ rsa->n = BN_bin2bn(attribs[1].pValue, >+ attribs[1].ulValueLen, NULL); >+ rsa->e = BN_bin2bn(attribs[2].pValue, >+ attribs[2].ulValueLen, NULL); >+ } > } else { >- rsa->n = BN_bin2bn(attribs[1].pValue, >- attribs[1].ulValueLen, NULL); >- rsa->e = BN_bin2bn(attribs[2].pValue, >- attribs[2].ulValueLen, NULL); >- if (rsa->n && rsa->e && >- pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { >- key = key_new(KEY_UNSPEC); >- key->rsa = rsa; >- key->type = KEY_RSA; >- key->flags |= KEY_FLAG_EXT; >+ cp = attribs[2].pValue; >+ if ((x509 = X509_new()) == NULL) { >+ error("X509_new failed"); >+ } else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen) >+ == NULL) { >+ error("d2i_X509 failed"); >+ } else if ((evp = X509_get_pubkey(x509)) == NULL || >+ evp->type != EVP_PKEY_RSA || >+ evp->pkey.rsa == NULL) { >+ debug("X509_get_pubkey failed or no rsa"); >+ } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) >+ == NULL) { >+ error("RSAPublicKey_dup"); >+ } >+ if (x509) >+ X509_free(x509); >+ } >+ if (rsa && rsa->n && rsa->e && >+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { >+ key = key_new(KEY_UNSPEC); >+ key->rsa = rsa; >+ key->type = KEY_RSA; >+ key->flags |= KEY_FLAG_EXT; >+ if (pkcs11_key_included(keysp, nkeys, key)) { >+ key_free(key); >+ } else { > /* expand key array and add key */ > *keysp = xrealloc(*keysp, *nkeys + 1, > sizeof(Key *)); > (*keysp)[*nkeys] = key; > *nkeys = *nkeys + 1; > debug("have %d keys", *nkeys); >- } else { >- RSA_free(rsa); > } >+ } else if (rsa) { >+ RSA_free(rsa); > } > for (i = 0; i < 3; i++) > free(attribs[i].pValue);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Flags:
djm
:
ok+
Actions:
View
|
Diff
Attachments on
bug 1908
:
2054
|
2354
| 2370