|
Lines 252-257
pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
Link Here
|
| 252 |
return (ret); |
252 |
return (ret); |
| 253 |
} |
253 |
} |
| 254 |
|
254 |
|
|
|
255 |
int |
| 256 |
pkcs11_always_authenticate(struct pkcs11_provider *p, |
| 257 |
struct pkcs11_slotinfo *si, CK_OBJECT_HANDLE obj) |
| 258 |
{ |
| 259 |
CK_RV rv; |
| 260 |
CK_FUNCTION_LIST *f; |
| 261 |
CK_SESSION_HANDLE session; |
| 262 |
CK_BBOOL always_authenticate = 0; |
| 263 |
CK_ATTRIBUTE template = { CKA_ALWAYS_AUTHENTICATE, &always_authenticate, 1}; |
| 264 |
char *pin = NULL, prompt[1024]; |
| 265 |
|
| 266 |
f = p->function_list; |
| 267 |
session = si->session; |
| 268 |
rv = f->C_GetAttributeValue(session, obj, &(template), 1); |
| 269 |
if (rv != CKR_OK || always_authenticate == CK_FALSE) { |
| 270 |
/* not needed */ |
| 271 |
return (0); |
| 272 |
} |
| 273 |
|
| 274 |
if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) |
| 275 |
verbose("Deferring PIN entry to reader keypad."); |
| 276 |
else { |
| 277 |
snprintf(prompt, sizeof(prompt), |
| 278 |
"Enter PIN for '%s': ", si->token.label); |
| 279 |
pin = read_passphrase(prompt, RP_ALLOW_EOF); |
| 280 |
if (pin == NULL) |
| 281 |
return (-1); /* bail out */ |
| 282 |
} |
| 283 |
/* context specific login */ |
| 284 |
rv = f->C_Login(session, CKU_CONTEXT_SPECIFIC, (u_char *)pin, |
| 285 |
(pin != NULL) ? strlen(pin) : 0); |
| 286 |
|
| 287 |
if (pin != NULL) { |
| 288 |
explicit_bzero(pin, strlen(pin)); |
| 289 |
free(pin); |
| 290 |
} |
| 291 |
if (rv != CKR_OK) { |
| 292 |
return (-1); |
| 293 |
} |
| 294 |
/* authentication successful */ |
| 295 |
return (0); |
| 296 |
} |
| 297 |
|
| 255 |
/* openssl callback doing the actual signing operation */ |
298 |
/* openssl callback doing the actual signing operation */ |
| 256 |
static int |
299 |
static int |
| 257 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
300 |
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
|
Lines 274-280
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
Link Here
|
| 274 |
{CKA_SIGN, NULL, sizeof(true_val) } |
317 |
{CKA_SIGN, NULL, sizeof(true_val) } |
| 275 |
}; |
318 |
}; |
| 276 |
char *pin = NULL, prompt[1024]; |
319 |
char *pin = NULL, prompt[1024]; |
| 277 |
int rval = -1; |
320 |
int rval = -1, login_performed = 0; |
| 278 |
|
321 |
|
| 279 |
key_filter[0].pValue = &private_key_class; |
322 |
key_filter[0].pValue = &private_key_class; |
| 280 |
key_filter[2].pValue = &true_val; |
323 |
key_filter[2].pValue = &true_val; |
|
Lines 316-321
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
Link Here
|
| 316 |
return (-1); |
359 |
return (-1); |
| 317 |
} |
360 |
} |
| 318 |
si->logged_in = 1; |
361 |
si->logged_in = 1; |
|
|
362 |
login_performed = 1; |
| 319 |
} |
363 |
} |
| 320 |
key_filter[1].pValue = k11->keyid; |
364 |
key_filter[1].pValue = k11->keyid; |
| 321 |
key_filter[1].ulValueLen = k11->keyid_len; |
365 |
key_filter[1].ulValueLen = k11->keyid_len; |
|
Lines 325-330
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
Link Here
|
| 325 |
error("cannot find private key"); |
369 |
error("cannot find private key"); |
| 326 |
} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) { |
370 |
} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) { |
| 327 |
error("C_SignInit failed: %lu", rv); |
371 |
error("C_SignInit failed: %lu", rv); |
|
|
372 |
} else if (!login_performed && |
| 373 |
pkcs11_always_authenticate(k11->provider, si, obj) < 0) { |
| 374 |
error("Failed to re-authenticate to access ALWAYS_AUTHENTICATE object"); |
| 328 |
} else { |
375 |
} else { |
| 329 |
/* XXX handle CKR_BUFFER_TOO_SMALL */ |
376 |
/* XXX handle CKR_BUFFER_TOO_SMALL */ |
| 330 |
tlen = RSA_size(rsa); |
377 |
tlen = RSA_size(rsa); |
| 331 |
- |
|
|