Attachment #3111 for bug #2817

Lines 85-91 LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ Link Here

(-)a/Makefile.in (-1 / +1 lines)
85	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \	85	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
86	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \	86	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
87	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \	87	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
88	ssh-pkcs11.o smult_curve25519_ref.o \	88	ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
89	poly1305.o chacha.o cipher-chachapoly.o \	89	poly1305.o chacha.o cipher-chachapoly.o \
90	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \	90	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
91	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \	91	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \




	oPubkeyAuthentication,
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
	oHostKeyAlgorithms, oBindAddress, oPKCS11URI, oPKCS11Provider,
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,

#ifdef ENABLE_PKCS11
	{ "smartcarddevice", oPKCS11Provider },
	{ "pkcs11provider", oPKCS11Provider },
	{ "pkcs11uri", oPKCS11URI },
# else
	{ "smartcarddevice", oUnsupported },
	{ "pkcs11provider", oUnsupported },
	{ "pkcs11uri", oUnsupported },
#endif
	{ "rsaauthentication", oUnsupported },
	{ "rhostsrsaauthentication", oUnsupported },

		charptr = &options->bind_address;
		goto parse_string;

	case oPKCS11URI:
		/* Can't use parse_string becase it would break on equal signs */
		charptr = &options->pkcs11_uri;
		if (s == NULL)
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(s);
		return 0;

	case oPKCS11Provider:
		charptr = &options->pkcs11_provider;
		goto parse_string;

	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->preferred_authentications = NULL;
	options->bind_address = NULL;
	options->pkcs11_uri = NULL;
	options->pkcs11_provider = NULL;
	options->enable_ssh_keysign = - 1;
	options->no_host_authentication_for_localhost = - 1;

	dump_cfg_string(oLogLevel, log_level_name(o->log_level));
	dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
#ifdef ENABLE_PKCS11
	dump_cfg_string(oPKCS11URI, o->pkcs11_uri);
	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
#endif
	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);

Lines 81-86 typedef struct { Link Here

(-)a/readconf.h (+1 lines)
81	char *user_hostfiles[SSH_MAX_HOSTS_FILES];	81	char *user_hostfiles[SSH_MAX_HOSTS_FILES];
82	char *preferred_authentications;	82	char *preferred_authentications;
83	char bind_address; / local socket address for connection to sshd */	83	char bind_address; / local socket address for connection to sshd */
		84	char pkcs11_uri; / PKCS#11 URI */
84	char pkcs11_provider; / PKCS#11 provider */	85	char pkcs11_provider; / PKCS#11 provider */
85	int verify_host_key_dns; /* Verify host key using DNS */	86	int verify_host_key_dns; /* Verify host key using DNS */
86		87




#include "misc.h"
#include "ssherr.h"
#include "digest.h"
#include "ssh-pkcs11-uri.h"

/* argv0 */
extern char *__progname;

	return ret;
}

#ifdef ENABLE_PKCS11
static int update_card(int, int, const char *);

int
update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri)
{
	struct pkcs11_uri *uri;

	/* dry-run parse to make sure the URI is valid and to report errors */
	uri = pkcs11_uri_init();
	if (pkcs11_uri_parse((char *) pkcs11_uri, uri) != 0)
		fatal("Failed to parse PKCS#11 URI");
	pkcs11_uri_cleanup(uri);

	return update_card(agent_fd, adding, pkcs11_uri);
}
#endif

static int
add_file(int agent_fd, const char *filename, int key_only, int qflag)
{

static int
do_file(int agent_fd, int deleting, int key_only, char *file, int qflag)
{
#ifdef ENABLE_PKCS11
	if (strlen(file) >= strlen(PKCS11_URI_SCHEME) &&
	    strncmp(file, PKCS11_URI_SCHEME,
	    strlen(PKCS11_URI_SCHEME)) == 0) {
		return update_pkcs11_uri(agent_fd, !deleting, file);
	}
#endif
	if (deleting) {
		if (delete_file(agent_fd, file, key_only, qflag) == -1)
			return -1;




}

#ifdef ENABLE_PKCS11
static char *
sanitize_pkcs11_provider(const char *provider)
{
	struct pkcs11_uri *uri = NULL;
	char *sane_uri, *module_path = NULL; /* default path */
	char canonical_provider[PATH_MAX];

	if (provider == NULL)
		return NULL;

	if (strlen(provider) >= strlen(PKCS11_URI_SCHEME) &&
	    strncmp(provider, PKCS11_URI_SCHEME,
	    strlen(PKCS11_URI_SCHEME)) == 0) {
		/* PKCS#11 URI */
		uri = pkcs11_uri_init();
		if (uri == NULL) {
			error("Failed to init PCKS#11 URI");
			return NULL;
		}

		if (pkcs11_uri_parse(provider, uri) != 0) {
			error("Failed to parse PKCS#11 URI");
			return NULL;
		}
		/* validate also provider from URI */
		if (uri->module_path)
			module_path = strdup(uri->module_path);
	} else
		module_path = strdup(provider); /* simple path */

	if (module_path != NULL) { /* do not validate default NULL path in URI */
		if (realpath(module_path, canonical_provider) == NULL) {
			verbose("failed PKCS#11 provider \"%.100s\": realpath: %s",
			    module_path, strerror(errno));
			free(module_path);
			return NULL;
		}
		free(module_path);
		if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
			verbose("refusing PKCS#11 provider \"%.100s\": "
			    "not whitelisted", canonical_provider);
			return NULL;
		}

		/* copy verified and sanitized provider path back to the uri */
		if (uri) {
			free(uri->module_path);
			uri->module_path = xstrdup(canonical_provider);
		}
	}

	if (uri) {
		sane_uri = pkcs11_uri_get(uri);
		pkcs11_uri_cleanup(uri);
		return sane_uri;
	} else {
		return xstrdup(canonical_provider); /* simple path */
	}
}

static void
process_add_smartcard_key(SocketEntry *e)
{
	char *provider = NULL, *pin = NULL, *sane_uri = NULL;
	int r, i, count = 0, success = 0, confirm = 0;
	u_int seconds;
	time_t death = 0;

			goto send;
		}
	}

	sane_uri = sanitize_pkcs11_provider(provider);
	if (sane_uri == NULL)
		goto send;
	}
	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
		verbose("refusing PKCS#11 add of \"%.100s\": "
		    "provider not whitelisted", canonical_provider);
		goto send;

	debug("%s: add %.100s", __func__, canonical_provider);
	if (lifetime && !death)
		death = monotime() + lifetime;

	debug("%s: add %.100s", __func__, sane_uri);
	count = pkcs11_add_provider(sane_uri, pin, &keys);
	for (i = 0; i < count; i++) {
		k = keys[i];
		if (lookup_identity(k) == NULL) {
			id = xcalloc(1, sizeof(Identity));
			id->key = k;
			id->provider = xstrdup(sane_uri);
			id->comment = xstrdup(sane_uri);
			id->death = death;
			id->confirm = confirm;
			TAILQ_INSERT_TAIL(&idtab->idlist, id, next);

send:
	free(pin);
	free(provider);
	free(sane_uri);
	free(keys);
	send_status(e, success);
}

static void
process_remove_smartcard_key(SocketEntry *e)
{
	char *provider = NULL, *pin = NULL, *sane_uri;
	int r, success = 0;
	Identity *id, *nxt;


	}
	free(pin);

	sane_uri = sanitize_pkcs11_provider(provider);
	if (sane_uri == NULL)
		    provider, strerror(errno));
		goto send;
	}

	debug("%s: remove %.100s", __func__, sane_uri);
	for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {
		nxt = TAILQ_NEXT(id, next);
		/* Skip file--based keys */
		if (id->provider == NULL)
			continue;
		if (!strcmp(sane_uri, id->provider)) {
			TAILQ_REMOVE(&idtab->idlist, id, next);
			free_identity(id);
			idtab->nentries--;
		}
	}
	if (pkcs11_del_provider(sane_uri) == 0)
		success = 1;
	else
		error("%s: pkcs11_del_provider failed", __func__);
send:
	free(provider);
	free(sane_uri);
	send_status(e, success);
}
#endif /* ENABLE_PKCS11 */

Lines 838-843 do_download(struct passwd *pw) Link Here

(-)a/ssh-keygen.c (+1 lines)
838	free(fp);	838	free(fp);
839	} else {	839	} else {
840	(void) sshkey_write(keys[i], stdout); /* XXX check */	840	(void) sshkey_write(keys[i], stdout); /* XXX check */
		841	(void) pkcs11_uri_write(keys[i], stdout);
841	fprintf(stdout, "\n");	842	fprintf(stdout, "\n");
842	}	843	}
843	sshkey_free(keys[i]);	844	sshkey_free(keys[i]);

Lines 194-199 pkcs11_add_provider(char name, char pin, Key ***keysp) Link Here

(-)a/ssh-pkcs11-client.c (+3 lines)
194	u_int blen;	194	u_int blen;
195	Buffer msg;	195	Buffer msg;
196		196
		197	debug("%s: called, name = %s", __func__, name);
		198
197	if (fd < 0 && pkcs11_start_helper() < 0)	199	if (fd < 0 && pkcs11_start_helper() < 0)
198	return (-1);	200	return (-1);
199		201
Lines 207-212 pkcs11_add_provider(char name, char pin, Key ***keysp) Link Here
207	if (recv_msg(&msg) == SSH2_AGENT_IDENTITIES_ANSWER) {	209	if (recv_msg(&msg) == SSH2_AGENT_IDENTITIES_ANSWER) {
208	nkeys = buffer_get_int(&msg);	210	nkeys = buffer_get_int(&msg);
209	keysp = xcalloc(nkeys, sizeof(Key ));	211	keysp = xcalloc(nkeys, sizeof(Key ));
		212	debug("%s: nkeys = %d", __func__, nkeys);
210	for (i = 0; i < nkeys; i++) {	213	for (i = 0; i < nkeys; i++) {
211	blob = buffer_get_string(&msg, &blen);	214	blob = buffer_get_string(&msg, &blen);
212	free(buffer_get_string(&msg, NULL));	215	free(buffer_get_string(&msg, NULL));




/*
 * Copyright (c) 2017 Red Hat
 *
 * Authors: Jakub Jelen <jjelen@redhat.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"

#ifdef ENABLE_PKCS11

#include <stdio.h>
#include <string.h>

#include "sshkey.h"
#include "log.h"

#define CRYPTOKI_COMPAT
#include "pkcs11.h"

#include "ssh-pkcs11-uri.h"

#define PKCS11_URI_PATH_SEPARATOR ";"
#define PKCS11_URI_QUERY_SEPARATOR "&"
#define PKCS11_URI_VALUE_SEPARATOR "="
#define PKCS11_URI_ID "id"
#define PKCS11_URI_TOKEN "token"
#define PKCS11_URI_LIB_MANUF "library-manufacturer"
#define PKCS11_URI_MANUF "manufacturer"
#define PKCS11_URI_MODULE_PATH "module-path"

/* Keyword tokens. */
typedef enum {
	pId, pToken, pLibraryManufacturer, pManufacturer, pModulePath,
	pBadOption
} pkcs11uriOpCodes;

/* Textual representation of the tokens. */
static struct {
	const char *name;
	pkcs11uriOpCodes opcode;
} keywords[] = {
	{ PKCS11_URI_ID, pId },
	{ PKCS11_URI_TOKEN, pToken },
	{ PKCS11_URI_LIB_MANUF, pLibraryManufacturer },
	{ PKCS11_URI_MANUF, pManufacturer },
	{ PKCS11_URI_MODULE_PATH, pModulePath },
	{ NULL, pBadOption }
};

static pkcs11uriOpCodes
parse_token(const char *cp)
{
	u_int i;

	for (i = 0; keywords[i].name; i++)
		if (strncasecmp(cp, keywords[i].name,
		    strlen(keywords[i].name)) == 0)
			return keywords[i].opcode;

	return pBadOption;
}

int
percent_decode(char *data, char **outp)
{
	char tmp[3];
	char *out, *tmp_end;
	char *p = data;
	long value;
	size_t outlen = 0;

	out = malloc(strlen(data)+1); /* upper bound */
	if (out == NULL)
		return -1;
	while (*p != '\0') {
		switch (*p) {
		case '%':
			p++;
			if (*p == '\0')
				goto fail;
			tmp[0] = *p++;
			if (*p == '\0')
				goto fail;
			tmp[1] = *p++;
			tmp[2] = '\0';
			tmp_end = NULL;
			value = strtol(tmp, &tmp_end, 16);
			if (tmp_end != tmp+2)
				goto fail;
			else
				out[outlen++] = (char) value;
			break;
		default:
			out[outlen++] = *p++;
			break;
		}
	}

	/* zero terminate */
	out[outlen] = '\0';
	*outp = out;
	return outlen;
fail:
	free(out);
	return -1;
}

struct sshbuf *
percent_encode(const char *data, size_t length, const char *whitelist)
{
	struct sshbuf *b = NULL;
	char tmp[4], *cp;
	size_t i;

	if ((b = sshbuf_new()) == NULL)
		return NULL;
	for (i = 0; i < length; i++) {
		cp = strchr(whitelist, data[i]);
		/* if c is specified as '\0' pointer to terminator is returned !! */
		if (cp != NULL && *cp != '\0') { 
			if (sshbuf_put(b, &data[i], 1) != 0)
				goto err;
		} else
			if (snprintf(tmp, 4, "%%%02X", (unsigned char) data[i]) < 3
			    || sshbuf_put(b, tmp, 3) != 0)
				goto err;
	}
	if (sshbuf_put(b, "\0", 1) == 0)
		return b;
err:
	sshbuf_free(b);
	return NULL;
}

char *
pkcs11_uri_append(char *part, const char *separator, const char *key,
    struct sshbuf *value)
{
	char *new_part;
	size_t size;

	if (value == NULL)
		return NULL;

	size = asprintf(&new_part,
	    "%s%s%s"  PKCS11_URI_VALUE_SEPARATOR "%s",
	    (part != NULL ? part : ""),
	    (part != NULL ? separator : ""),
	    key, sshbuf_ptr(value));
	sshbuf_free(value);
	free(part);

	if (size < 0)
		return NULL;
	return new_part;
}

char *
pkcs11_uri_get(struct pkcs11_uri *uri)
{
	size_t size = -1;
	char *p = NULL, *path = NULL, *query = NULL;

	/* compose a percent-encoded ID */
	if (uri->id_len > 0) {
		struct sshbuf *key_id = percent_encode(uri->id, uri->id_len, "");
		path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
		    PKCS11_URI_ID, key_id);
		if (path == NULL)
			goto err;
	}

	/* Write token label */
	if (uri->token) {
		struct sshbuf *label = percent_encode(uri->token, strlen(uri->token),
		    PKCS11_URI_WHITELIST);
		path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
		    PKCS11_URI_TOKEN, label);
		if (path == NULL)
			goto err;
	}

	/* Write manufacturer */
	if (uri->manuf) {
		struct sshbuf *manuf = percent_encode(uri->manuf,
		    strlen(uri->manuf), PKCS11_URI_WHITELIST);
		path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
		    PKCS11_URI_MANUF, manuf);
		if (path == NULL)
			goto err;
	}

	/* Write module_path */
	if (uri->module_path) {
		struct sshbuf *module = percent_encode(uri->module_path,
		    strlen(uri->module_path), PKCS11_URI_WHITELIST "/");
		query = pkcs11_uri_append(query, PKCS11_URI_QUERY_SEPARATOR,
		    PKCS11_URI_MODULE_PATH, module);
		if (query == NULL)
			goto err;
	}

	size = asprintf(&p, PKCS11_URI_SCHEME "%s%s%s",
	    path != NULL ? path : "",
	    query != NULL ? "?" : "",
	    query != NULL ? query : "");
err:
	free(query);
	free(path);
	if (size < 0)
		return NULL;
	return p;
}

struct pkcs11_uri *
pkcs11_uri_init()
{
	struct pkcs11_uri *d = calloc(1, sizeof(struct pkcs11_uri));
	return d;
}

void
pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
{
	free(pkcs11->id);
	free(pkcs11->module_path);
	free(pkcs11->token);
	free(pkcs11->lib_manuf);
	free(pkcs11->manuf);
	free(pkcs11);
}

int
pkcs11_uri_parse(const char *uri, struct pkcs11_uri *pkcs11)
{
	char *saveptr1, *saveptr2, *str1, *str2, *tok;
	int rv = 0, len;
	char *p = NULL;

	size_t scheme_len = strlen(PKCS11_URI_SCHEME);
	if (strlen(uri) < scheme_len || /* empty URI matches everything */
	    strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) {
		error("%s: The '%s' does not look like PKCS#11 URI",
		    __func__, uri);
		return -1;
	}

	if (pkcs11 == NULL) {
		error("%s: Bad arguments. The pkcs11 can't be null", __func__);
		return -1;
	}

	/* skip URI schema name */
	p = strdup(uri);
	str1 = p;

	/* everything before ? */
	tok = strtok_r(str1, "?", &saveptr1);
	if (tok == NULL) {
		free(p);
		error("%s: pk11-path expected, got EOF", __func__);
		return -1;
	}

	/* skip URI schema name:
	 * the scheme ensures that there is at least something before "?"
	 * allowing empty pk11-path. Resulting token at worst pointing to
	 * \0 byte */
	tok = tok + scheme_len;

	/* parse pk11-path */
	for (str2 = tok; ; str2 = NULL) {
		char **charptr;
		pkcs11uriOpCodes opcode;
		tok = strtok_r(str2, PKCS11_URI_PATH_SEPARATOR, &saveptr2);
		if (tok == NULL)
			break;
		opcode = parse_token(tok);
		if (opcode == pBadOption) {
			error("Unknown key in PKCS#11 URI: %s", tok);
			return -1;
		}

		char *arg = tok + strlen(keywords[opcode].name) + 1; /* separator "=" */
		switch (opcode) {
		case pId:
			/* CKA_ID */
			if (pkcs11->id != NULL) {
				error("%s: The id already set in the PKCS#11 URI",
					__func__);
				rv = -1;
			}
			len = percent_decode(arg, &pkcs11->id);
			if (len <= 0) {
				error("%s: Failed to percent-decode CKA_ID: %s",
				    __func__, arg);
				rv = -1;
			} else
				pkcs11->id_len = len;
			debug3("%s: Setting CKA_ID = %s from PKCS#11 URI",
			    __func__, arg);
			break;
		case pToken:
			/* CK_TOKEN_INFO -> label */
			charptr = &pkcs11->token;
 parse_string:
			if (*charptr != NULL) {
				error("%s: The %s already set in the PKCS#11 URI",
				    keywords[opcode].name, __func__);
				rv = -1;
			}
			percent_decode(arg, charptr);
			debug3("%s: Setting %s = %s from PKCS#11 URI",
			    __func__, keywords[opcode].name, *charptr);
			break;

		case pManufacturer:
			/* CK_TOKEN_INFO -> manufacturerID */
			charptr = &pkcs11->manuf;
			goto parse_string;

		case pLibraryManufacturer:
			/* CK_INFO -> manufacturerID */
			charptr = &pkcs11->lib_manuf;
			goto parse_string;

		case pBadOption:
		default:
			/* Unrecognized attribute in the URI path SHOULD be error */
			error("%s: Unknown part of path in PKCS#11 URI: %s",
			    __func__, tok);
			rv = -1;
		}
	}

	tok = strtok_r(NULL, "?", &saveptr1);
	if (tok == NULL) {
		free(p);
		return rv;
	}
	/* parse pk11-query (optional) */
	for (str2 = tok; ; str2 = NULL) {
		size_t key_len = strlen(PKCS11_URI_MODULE_PATH) + 1;
		tok = strtok_r(str2, PKCS11_URI_QUERY_SEPARATOR, &saveptr2);
		if (tok == NULL)
			break;
		if (strncasecmp(tok, PKCS11_URI_MODULE_PATH
		    PKCS11_URI_VALUE_SEPARATOR, key_len) == 0) {
			/* module-path is PKCS11Provider */
			if (pkcs11->module_path != NULL) {
				error("%s: Multiple module-path attributes are"
				    "not supported the PKCS#11 URI", __func__);
				rv = -1;
			}
			percent_decode(tok + key_len, &pkcs11->module_path);
			debug3("%s: Setting PKCS11Provider = %s from PKCS#11 URI\n",
			    __func__, pkcs11->module_path);
		/* } else if ( pin-value ) { */
		} else {
			/* Unrecognized attribute in the URI query SHOULD be ignored */
			error("%s: Unknown part of query in PKCS#11 URI: %s",
			    __func__, tok);
		}
	}
	free(p);
	return rv;
}

#endif /* ENABLE_PKCS11 */




/*
 * Copyright (c) 2017 Red Hat
 *
 * Authors: Jakub Jelen <jjelen@redhat.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#define PKCS11_URI_SCHEME "pkcs11:"
#define PKCS11_DEFAULT_PROVIDER "/usr/lib64/p11-kit-proxy.so"

#define PKCS11_URI_WHITELIST	"abcdefghijklmnopqrstuvwxyz" \
				"ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
				"0123456789_-.()"

struct pkcs11_uri {
	/* path */
	char *id;
	size_t id_len;
	char *token;
	char *lib_manuf;
	char *manuf;
	/* query */
	char *module_path;
};

struct pkcs11_uri *pkcs11_uri_init();
void pkcs11_uri_cleanup(struct pkcs11_uri *);
int	pkcs11_uri_parse(const char *, struct pkcs11_uri *);
struct pkcs11_uri *pkcs11_uri_init();
char * pkcs11_uri_get(struct pkcs11_uri *uri);






struct pkcs11_provider {
	char			*name;
	char			*module_path;
	void			*handle;
	CK_FUNCTION_LIST	*function_list;
	CK_INFO			info;


int pkcs11_interactive = 0;

/*
 * This can't be in the ssh-pkcs11-uri, becase we can not depend on
 * PKCS structures in ssh-agent (using client-helper communication)
 */
int
pkcs11_uri_write(const struct sshkey *key, FILE *f)
{
	char *p = NULL;
	struct pkcs11_uri uri;
	struct pkcs11_key *k11;

	/* sanity - is it a RSA key with associated app_data? */
	if (key->type != KEY_RSA ||
	    (k11 = RSA_get_app_data(key->rsa)) == NULL)
		return -1;

	/* omit type -- we are looking for private-public or private-certificate pairs */
	uri.id = k11->keyid;
	uri.id_len = k11->keyid_len;
	uri.token = k11->provider->slotinfo[k11->slotidx].token.label;
	uri.module_path = k11->provider->module_path;
	uri.lib_manuf = k11->provider->info.manufacturerID;
	uri.manuf = k11->provider->slotinfo[k11->slotidx].token.manufacturerID;

	p = pkcs11_uri_get(&uri);
	/* do not cleanup -- we do not allocate here, only reference */
	if (p == NULL)
		return -1;

	fprintf(f, " %s", p);
	free(p);
	return 0;
}

int
pkcs11_init(int interactive)
{

			error("pkcs11_provider_unref: %p still valid", p);
		free(p->slotlist);
		free(p->slotinfo);
		free(p->name);
		free(p->module_path);
		free(p);
	}
}

	return (NULL);
}

int pkcs11_del_provider_by_uri(struct pkcs11_uri *);

/* unregister provider by name */
int
pkcs11_del_provider(char *provider_id)
{
	int rv;
	struct pkcs11_uri *uri;

	debug("%s: called, provider_id = %s", __func__, provider_id);

	uri = pkcs11_uri_init();
	if (uri == NULL)
		fatal("Failed to init PCKS#11 URI");

	if (strlen(provider_id) >= strlen(PKCS11_URI_SCHEME) &&
	    strncmp(provider_id, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0) {
		if (pkcs11_uri_parse(provider_id, uri) != 0)
			fatal("Failed to parse PKCS#11 URI");
	} else {
		uri->module_path = strdup(provider_id);
	}

	rv = pkcs11_del_provider_by_uri(uri);
	pkcs11_uri_cleanup(uri);
	return rv;
}

/* unregister provider by PKCS#11 URI */
int
pkcs11_del_provider_by_uri(struct pkcs11_uri *uri)
{
	struct pkcs11_provider *p;
	int rv = -1;
	char *provider_uri = pkcs11_uri_get(uri);

	debug3("%s(%s): called", __func__, provider_uri);

	if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) {
		TAILQ_REMOVE(&pkcs11_providers, p, next);
		pkcs11_provider_finalize(p);
		pkcs11_provider_unref(p);
		rv = 0;
	}
	free(provider_uri);
	return rv;
}

/* openssl callback for freeing an RSA key */

	if ((rv = f->C_OpenSession(p->slotlist[slotidx], CKF_RW_SESSION|
	    CKF_SERIAL_SESSION, NULL, NULL, &session))
	    != CKR_OK) {
		error("C_OpenSession failed for slot %lu: %lu", slotidx, rv);
		return (-1);
	}
	if (login_required && pin) {

 * keysp points to an (possibly empty) array with *nkeys keys.
 */
static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
    CK_ATTRIBUTE [], size_t, CK_ATTRIBUTE [3], struct sshkey ***, int *)
	__attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));

static int
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
    struct sshkey ***keysp, int *nkeys, struct pkcs11_uri *uri)
{
	size_t filter_size = 1;
	CK_OBJECT_CLASS	pubkey_class = CKO_PUBLIC_KEY;
	CK_OBJECT_CLASS	cert_class = CKO_CERTIFICATE;
	CK_ATTRIBUTE		pubkey_filter[] = {
		{ CKA_CLASS, NULL, sizeof(pubkey_class) },
		{ CKA_ID, NULL, 0 }
	};
	CK_ATTRIBUTE		cert_filter[] = {
		{ CKA_CLASS, NULL, sizeof(cert_class) },
		{ CKA_ID, NULL, 0 }
	};
	CK_ATTRIBUTE		pubkey_attribs[] = {
		{ CKA_ID, NULL, 0 },

	pubkey_filter[0].pValue = &pubkey_class;
	cert_filter[0].pValue = &cert_class;

	if (uri->id != NULL) {
		pubkey_filter[1].pValue = uri->id;
		pubkey_filter[1].ulValueLen = uri->id_len;
		cert_filter[1].pValue = uri->id;
		cert_filter[1].ulValueLen = uri->id_len;
		filter_size = 2;
	}

	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
	    pubkey_attribs, keysp, nkeys) < 0 ||
	    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
	    cert_attribs, keysp, nkeys) < 0)
		return (-1);
	return (0);
}


static int
pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
    CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[3],
    struct sshkey ***keysp, int *nkeys)
{
	struct sshkey		*key;
	RSA			*rsa;
	X509 			*x509;
	EVP_PKEY		*evp = NULL;
	int			i;
	const u_char		*cp;
	CK_RV			rv;

	f = p->function_list;
	session = p->slotinfo[slotidx].session;
	/* setup a filter the looks for public keys */
	if ((rv = f->C_FindObjectsInit(session, filter, filter_size)) != CKR_OK) {
		error("C_FindObjectsInit failed: %lu", rv);
		return (-1);
	}

			}
			if (x509)
				X509_free(x509);
			if (evp)
				EVP_PKEY_free(evp);
		}
		if (rsa)
			RSA_get0_key(rsa, &n, &e, NULL);

/* register a new provider, fails if provider already exists */
int
pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
{
	int rv;
	struct pkcs11_uri *uri;

	debug("%s: called, provider_id = %s", __func__, provider_id);

	uri = pkcs11_uri_init();
	if (uri == NULL)
		fatal("Failed to init PCKS#11 URI");

	if (strlen(provider_id) >= strlen(PKCS11_URI_SCHEME) &&
	    strncmp(provider_id, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0) {
		if (pkcs11_uri_parse(provider_id, uri) != 0)
			fatal("Failed to parse PKCS#11 URI");
	} else {
		uri->module_path = strdup(provider_id);
	}

	rv = pkcs11_add_provider_by_uri(uri, pin, keyp);
	pkcs11_uri_cleanup(uri);
	return rv;
}

int
pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin, struct sshkey ***keyp)
{
	int nkeys, need_finalize = 0;
	struct pkcs11_provider *p = NULL;

	CK_FUNCTION_LIST *f = NULL;
	CK_TOKEN_INFO *token;
	CK_ULONG i;
	char *provider_id = strdup(uri->module_path);
	char *provider_uri = pkcs11_uri_get(uri);

	/* if no provider specified, fallback to p11-kit */
	if (provider_id == NULL) {
		provider_id = strdup(PKCS11_DEFAULT_PROVIDER);
	}

	debug("%s: called, provider_uri = %s", __func__, provider_uri);

	*keyp = NULL;
	if (pkcs11_provider_lookup(provider_uri) != NULL) {
		debug("%s: provider already registered: %s",
		    __func__, provider_uri);
		goto fail;
	}
	/* open shared pkcs11-libarary */

		goto fail;
	}
	p = xcalloc(1, sizeof(*p));
	p->name = provider_uri;
	p->module_path = provider_id;
	p->handle = handle;
	/* setup the pkcs11 callbacks */
	if ((rv = (*getfunctionlist)(&f)) != CKR_OK) {
		error("C_GetFunctionList for provider %s failed: %lu",
		    provider_uri, rv);
		goto fail;
	}
	p->function_list = f;
	if ((rv = f->C_Initialize(NULL)) != CKR_OK) {
		error("C_Initialize for provider %s failed: %lu",
		    provider_uri, rv);
		goto fail;
	}
	need_finalize = 1;
	if ((rv = f->C_GetInfo(&p->info)) != CKR_OK) {
		error("C_GetInfo for provider %s failed: %lu",
		    provider_uri, rv);
		goto fail;
	}
	rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
	if (uri->lib_manuf != NULL &&
	    strcmp(uri->lib_manuf, p->info.manufacturerID)) {
		debug("%s: Skipping provider %s not matching library_manufacturer",
		    __func__, p->info.manufacturerID);
		goto fail;
	}
	rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
	debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
	    " libraryDescription <%s> libraryVersion %d.%d",
	    provider_uri,
	    p->info.manufacturerID,
	    p->info.cryptokiVersion.major,
	    p->info.cryptokiVersion.minor,

	}
	if (p->nslots == 0) {
		debug("%s: provider %s returned no slots", __func__,
		    provider_uri);
		goto fail;
	}
	p->slotlist = xcalloc(p->nslots, sizeof(CK_SLOT_ID));
	if ((rv = f->C_GetSlotList(CK_TRUE, p->slotlist, &p->nslots))
	    != CKR_OK) {
		error("C_GetSlotList for provider %s failed: %lu",
		    provider_uri, rv);
		goto fail;
	}
	p->slotinfo = xcalloc(p->nslots, sizeof(struct pkcs11_slotinfo));

		if ((rv = f->C_GetTokenInfo(p->slotlist[i], token))
		    != CKR_OK) {
			error("C_GetTokenInfo for provider %s slot %lu "
			    "failed: %lu", provider_uri, (unsigned long)i, rv);
			continue;
		}
		if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {
			debug2("%s: ignoring uninitialised token in "
			    "provider %s slot %lu", __func__,
			    provider_uri, (unsigned long)i);
			continue;
		}
		rmspace(token->label, sizeof(token->label));
		rmspace(token->manufacturerID, sizeof(token->manufacturerID));
		rmspace(token->model, sizeof(token->model));
		rmspace(token->serialNumber, sizeof(token->serialNumber));
		if (uri->token != NULL &&
		    strcmp(token->label, uri->token) != 0) {
			debug2("%s: ignoring token not matching label (%s) "
			    "specified by PKCS#11 URI in slot %lu", __func__,
			    token->label, (unsigned long)i);
			continue;
		}
		if (uri->manuf != NULL &&
		    strcmp(token->manufacturerID, uri->manuf) != 0) {
			debug2("%s: ignoring token not matching requrested "
			    "manufacturerID (%s) specified by PKCS#11 URI in "
			    "slot %lu", __func__,
			    token->manufacturerID, (unsigned long)i);
			continue;
		}
		debug("provider %s slot %lu: label <%s> manufacturerID <%s> "
		    "model <%s> serial <%s> flags 0x%lx",
		    provider_uri, (unsigned long)i,
		    token->label, token->manufacturerID, token->model,
		    token->serialNumber, token->flags);
		/* open session, login with pin and retrieve public keys */
		if (pkcs11_open_session(p, i, pin) == 0)
			pkcs11_fetch_keys(p, i, keyp, &nkeys, uri);
	}
	if (nkeys > 0) {
		TAILQ_INSERT_TAIL(&pkcs11_providers, p, next);
		p->refcount++;	/* add to provider list */
		return (nkeys);
	}
	debug("%s: provider %s returned no keys", __func__, provider_uri);
	/* don't add the provider, since it does not have any keys */
fail:
	if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK)
		error("C_Finalize for provider %s failed: %lu",
		    provider_uri, rv);
	if (p) {
		free(p->slotlist);
		free(p->slotinfo);

	}
	if (handle)
		dlclose(handle);
	free(provider_id);
	free(provider_uri);
	return (-1);
}


Lines 14-23 Link Here

(-)a/ssh-pkcs11.h (+5 lines)
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/	16	*/
		17
		18	#include "ssh-pkcs11-uri.h"
		19
17	int pkcs11_init(int);	20	int pkcs11_init(int);
18	void pkcs11_terminate(void);	21	void pkcs11_terminate(void);
19	int pkcs11_add_provider(char , char , struct sshkey ***);	22	int pkcs11_add_provider(char , char , struct sshkey ***);
		23	int pkcs11_add_provider_by_uri(struct pkcs11_uri , char , struct sshkey ***);
20	int pkcs11_del_provider(char *);	24	int pkcs11_del_provider(char *);
		25	int pkcs11_uri_write(const struct sshkey , FILE );
21		26
22	#if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)	27	#if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)
23	#undef ENABLE_PKCS11	28	#undef ENABLE_PKCS11

Lines 721-726 main(int ac, char **av) Link Here

(-)a/ssh.c (-6 / +26 lines)
721	options.gss_deleg_creds = 1;	721	options.gss_deleg_creds = 1;
722	break;	722	break;
723	case 'i':	723	case 'i':
		724	#ifdef ENABLE_PKCS11
		725	if (strlen(optarg) > strlen(PKCS11_URI_SCHEME) &&
		726	strncmp(optarg, PKCS11_URI_SCHEME,
		727	strlen(PKCS11_URI_SCHEME)) == 0) {
		728	options.pkcs11_uri = strdup(optarg);
		729	break;
		730	}
		731	#endif
724	p = tilde_expand_filename(optarg, original_real_uid);	732	p = tilde_expand_filename(optarg, original_real_uid);
725	if (stat(p, &st) < 0)	733	if (stat(p, &st) < 0)
726	fprintf(stderr, "Warning: Identity file %s "	734	fprintf(stderr, "Warning: Identity file %s "
Lines 1948-1953 load_public_identity_files(struct passwd *pw) Link Here
1948	#ifdef ENABLE_PKCS11	1956	#ifdef ENABLE_PKCS11
1949	struct sshkey **keys;	1957	struct sshkey **keys;
1950	int nkeys;	1958	int nkeys;
		1959	struct pkcs11_uri *uri;
1951	#endif /* PKCS11 */	1960	#endif /* PKCS11 */
1952		1961
1953	n_ids = n_certs = 0;	1962	n_ids = n_certs = 0;
Lines 1957-1979 load_public_identity_files(struct passwd *pw) Link Here
1957	memset(certificates, 0, sizeof(certificates));	1966	memset(certificates, 0, sizeof(certificates));
1958		1967
1959	#ifdef ENABLE_PKCS11	1968	#ifdef ENABLE_PKCS11
1960	if (options.pkcs11_provider != NULL &&	1969	uri = pkcs11_uri_init();
		1970	if (uri == NULL)
		1971	fatal("Failed to init PCKS#11 URI");
		1972
		1973	if (options.pkcs11_uri != NULL &&
		1974	pkcs11_uri_parse(options.pkcs11_uri, uri) != 0)
		1975	fatal("Failed to parse PKCS#11 URI");
		1976
		1977	/* we need to merge URI and provider together */
		1978	if (options.pkcs11_provider != NULL && uri->module_path == NULL)
		1979	uri->module_path = strdup(options.pkcs11_provider);
		1980
		1981	if ((options.pkcs11_uri != NULL \|\| options.pkcs11_provider != NULL) &&
		1982	pkcs11_init(!options.batch_mode) == 0 &&
1961	options.num_identity_files < SSH_MAX_IDENTITY_FILES &&	1983	options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
1962	(pkcs11_init(!options.batch_mode) == 0) &&	1984	(nkeys = pkcs11_add_provider_by_uri(uri, NULL, &keys)) > 0) {
1963	(nkeys = pkcs11_add_provider(options.pkcs11_provider, NULL,
1964	&keys)) > 0) {
1965	for (i = 0; i < nkeys; i++) {	1985	for (i = 0; i < nkeys; i++) {
1966	if (n_ids >= SSH_MAX_IDENTITY_FILES) {	1986	if (n_ids >= SSH_MAX_IDENTITY_FILES) {
1967	key_free(keys[i]);	1987	key_free(keys[i]);
1968	continue;	1988	continue;
1969	}	1989	}
1970	identity_keys[n_ids] = keys[i];	1990	identity_keys[n_ids] = keys[i];
1971	identity_files[n_ids] =	1991	identity_files[n_ids] = pkcs11_uri_get(uri);
1972	xstrdup(options.pkcs11_provider); /* XXX */
1973	n_ids++;	1992	n_ids++;
1974	}	1993	}
1975	free(keys);	1994	free(keys);
1976	}	1995	}
		1996	pkcs11_uri_cleanup(uri);
1977	#endif /* ENABLE_PKCS11 */	1997	#endif /* ENABLE_PKCS11 */
1978	if ((pw = getpwuid(original_real_uid)) == NULL)	1998	if ((pw = getpwuid(original_real_uid)) == NULL)
1979	fatal("load_public_identity_files: getpwuid failed");	1999	fatal("load_public_identity_files: getpwuid failed");




.Xr ssh 1
should use to communicate with a PKCS#11 token providing the user's
private RSA key.
.It Cm PKCS11URI
Specifies the key to use by PKCS#11 URI.
The argument to this keyword is a subset of the PKCS#11 URI as defined
in RFC 7512 (implemented path arguments
.Cm id ,
.Cm manufacturer ,
.Cm token
and query argument
.Cm module-path
). The URI can not be in quotes.
.It Cm Port
Specifies the port number to connect on the remote host.
The default is 22.
- 
* test PKCS#11 URI parser, generator
* test percent_encodeer and decoder
--
Makefile.in                       |  16 ++
regress/Makefile                  |   1 +
regress/unittests/Makefile        |   2 +-
regress/unittests/pkcs11/Makefile |   9 ++
regress/unittests/pkcs11/tests.c  | 314 ++++++++++++++++++++++++++++++++++++++
5 files changed, 341 insertions(+), 1 deletion(-)
create mode 100644 regress/unittests/pkcs11/Makefile
create mode 100644 regress/unittests/pkcs11/tests.c

Lines 240-245 clean: regressclean Link Here

(-)a/Makefile.in (+16 lines)
240	rm -f regress/unittests/match/test_match$(EXEEXT)	240	rm -f regress/unittests/match/test_match$(EXEEXT)
241	rm -f regress/unittests/utf8/*.o	241	rm -f regress/unittests/utf8/*.o
242	rm -f regress/unittests/utf8/test_utf8$(EXEEXT)	242	rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
		243	rm -f regress/unittests/pkcs11/*.o
		244	rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
243	rm -f regress/misc/kexfuzz/*.o	245	rm -f regress/misc/kexfuzz/*.o
244	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)	246	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
245	(cd openbsd-compat && $(MAKE) clean)	247	(cd openbsd-compat && $(MAKE) clean)
Lines 268-273 distclean: regressclean Link Here
268	rm -f regress/unittests/match/test_match	270	rm -f regress/unittests/match/test_match
269	rm -f regress/unittests/utf8/*.o	271	rm -f regress/unittests/utf8/*.o
270	rm -f regress/unittests/utf8/test_utf8	272	rm -f regress/unittests/utf8/test_utf8
		273	rm -f regress/unittests/pkcs11/*.o
		274	rm -f regress/unittests/pkcs11/test_sshbuf
271	rm -f regress/unittests/misc/kexfuzz	275	rm -f regress/unittests/misc/kexfuzz
272	(cd openbsd-compat && $(MAKE) distclean)	276	(cd openbsd-compat && $(MAKE) distclean)
273	if test -d pkg ; then \	277	if test -d pkg ; then \
Lines 429-434 regress-prep: Link Here
429	$(MKDIR_P) `pwd`/regress/unittests/kex	433	$(MKDIR_P) `pwd`/regress/unittests/kex
430	$(MKDIR_P) `pwd`/regress/unittests/match	434	$(MKDIR_P) `pwd`/regress/unittests/match
431	$(MKDIR_P) `pwd`/regress/unittests/utf8	435	$(MKDIR_P) `pwd`/regress/unittests/utf8
		436	$(MKDIR_P) `pwd`/regress/unittests/pkcs11
432	$(MKDIR_P) `pwd`/regress/misc/kexfuzz	437	$(MKDIR_P) `pwd`/regress/misc/kexfuzz
433	[ -f `pwd`/regress/Makefile ] \|\| \	438	[ -f `pwd`/regress/Makefile ] \|\| \
434	ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile	439	ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
Lines 548-553 regress/unittests/utf8/test_utf8$(EXEEXT): \ Link Here
548	regress/unittests/test_helper/libtest_helper.a \	553	regress/unittests/test_helper/libtest_helper.a \
549	-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)	554	-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
550		555
		556	UNITTESTS_TEST_PKCS11_OBJS=\
		557	regress/unittests/pkcs11/tests.o
		558
		559	regress/unittests/pkcs11/test_pkcs11$(EXEEXT): \
		560	${UNITTESTS_TEST_PKCS11_OBJS} \
		561	regress/unittests/test_helper/libtest_helper.a libssh.a
		562	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_PKCS11_OBJS) \
		563	regress/unittests/test_helper/libtest_helper.a \
		564	-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
		565
551	MISC_KEX_FUZZ_OBJS=\	566	MISC_KEX_FUZZ_OBJS=\
552	regress/misc/kexfuzz/kexfuzz.o	567	regress/misc/kexfuzz/kexfuzz.o
553		568
Lines 567-572 regress-binaries: regress/modpipe$(EXEEXT) \ Link Here
567	regress/unittests/kex/test_kex$(EXEEXT) \	582	regress/unittests/kex/test_kex$(EXEEXT) \
568	regress/unittests/match/test_match$(EXEEXT) \	583	regress/unittests/match/test_match$(EXEEXT) \
569	regress/unittests/utf8/test_utf8$(EXEEXT) \	584	regress/unittests/utf8/test_utf8$(EXEEXT) \
		585	regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
570	regress/misc/kexfuzz/kexfuzz$(EXEEXT)	586	regress/misc/kexfuzz/kexfuzz$(EXEEXT)
571		587
572	tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)	588	tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)

Lines 225-230 unit: Link Here

(-)a/regress/Makefile (+1 lines)
225	V="" ; \	225	V="" ; \
226	test "x${USE_VALGRIND}" = "x" \|\| \	226	test "x${USE_VALGRIND}" = "x" \|\| \
227	V=${.CURDIR}/valgrind-unit.sh ; \	227	V=${.CURDIR}/valgrind-unit.sh ; \
		228	$$V ${.OBJDIR}/unittests/pkcs11/test_pkcs11 ; \
228	$$V ${.OBJDIR}/unittests/sshbuf/test_sshbuf ; \	229	$$V ${.OBJDIR}/unittests/sshbuf/test_sshbuf ; \
229	$$V ${.OBJDIR}/unittests/sshkey/test_sshkey \	230	$$V ${.OBJDIR}/unittests/sshkey/test_sshkey \
230	-d ${.CURDIR}/unittests/sshkey/testdata ; \	231	-d ${.CURDIR}/unittests/sshkey/testdata ; \

Lines 1-6 Link Here

(-)a/regress/unittests/Makefile (-1 / +1 lines)
1	# $OpenBSD: Makefile,v 1.9 2017/03/14 01:20:29 dtucker Exp $	1	# $OpenBSD: Makefile,v 1.9 2017/03/14 01:20:29 dtucker Exp $
2		2
3	REGRESS_FAIL_EARLY?= yes	3	REGRESS_FAIL_EARLY?= yes
4	SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion	4	SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion pkcs11
5		5
6	.include <bsd.subdir.mk>	6	.include <bsd.subdir.mk>

Line 0 Link Here

(-)a/regress/unittests/pkcs11/Makefile (+9 lines)
	1
	2	PROG=test_pkcs11
	3	SRCS=tests.c
	4	REGRESS_TARGETS=run-regress-${PROG}
	5
	6	run-regress-${PROG}: ${PROG}
	7	env ${TEST_ENV} ./${PROG}
	8
	9	.include <bsd.regress.mk>




/*
 * Copyright (c) 2017 Red Hat
 *
 * Authors: Jakub Jelen <jjelen@redhat.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"

#include <locale.h>
#include <string.h>

#include "../test_helper/test_helper.h"

#include "ssh-pkcs11-uri.h"

#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL)

/* prototypes are not public -- specify them here internally for tests */
struct sshbuf *percent_encode(const char *, size_t, char *);
int percent_decode(char *, char **);

void
compare_uri(struct pkcs11_uri *a, struct pkcs11_uri *b)
{
	ASSERT_PTR_NE(a, NULL);
	ASSERT_PTR_NE(b, NULL);
	ASSERT_SIZE_T_EQ(a->id_len, b->id_len);
	ASSERT_MEM_EQ(a->id, b->id, a->id_len);
	if (b->module_path != NULL)
		ASSERT_STRING_EQ(a->module_path, b->module_path);
	else /* both should be null */
		ASSERT_PTR_EQ(a->module_path, b->module_path);
	if (b->token != NULL)
		ASSERT_STRING_EQ(a->token, b->token);
	else /* both should be null */
		ASSERT_PTR_EQ(a->token, b->token);
	if (b->manuf != NULL)
		ASSERT_STRING_EQ(a->manuf, b->manuf);
	else /* both should be null */
		ASSERT_PTR_EQ(a->manuf, b->manuf);
	if (b->lib_manuf != NULL)
		ASSERT_STRING_EQ(a->lib_manuf, b->lib_manuf);
	else /* both should be null */
		ASSERT_PTR_EQ(a->lib_manuf, b->lib_manuf);
}

void
check_parse_rv(char *uri, struct pkcs11_uri *expect, int expect_rv)
{
	char *buf = NULL, *str;
	struct pkcs11_uri *pkcs11uri = NULL;
	int rv;

	if (expect_rv == 0)
		str = "Valid";
	else
		str = "Invalid";
	asprintf(&buf, "%s PKCS#11 URI parsing: %s", str, uri);
	TEST_START(buf);
	free(buf);
	pkcs11uri = pkcs11_uri_init();
	rv = pkcs11_uri_parse(uri, pkcs11uri);
	ASSERT_INT_EQ(rv, expect_rv);
	if (rv == 0) /* in case of failure result is undefined */
		compare_uri(pkcs11uri, expect);
	pkcs11_uri_cleanup(pkcs11uri);
	free(expect);
	TEST_DONE();
}

void
check_parse(char *uri, struct pkcs11_uri *expect)
{
	check_parse_rv(uri, expect, 0);
}

struct pkcs11_uri *
compose_uri(unsigned char *id, size_t id_len, char *token, char *lib_manuf,
    char *manuf, char *module_path)
{
	struct pkcs11_uri *uri = pkcs11_uri_init();
	if (id_len > 0) {
		uri->id_len = id_len;
		uri->id = id;
	}
	uri->module_path = module_path;
	uri->token = token;
	uri->lib_manuf = lib_manuf;
	uri->manuf = manuf;
	return uri;
}

static void
test_parse_valid(void)
{
	/* path arguments */
	check_parse("pkcs11:id=%01",
	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL));
	check_parse("pkcs11:id=%00%01",
	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL));
	check_parse("pkcs11:token=SSH%20Keys",
	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL));
	check_parse("pkcs11:library-manufacturer=OpenSC",
	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL));
	check_parse("pkcs11:manufacturer=piv_II",
	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL));
	/* query arguments */
	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so"));

	/* combinations */
	/* ID SHOULD be percent encoded */
	check_parse("pkcs11:token=SSH%20Key;id=0",
	    compose_uri("0", 1, "SSH Key", NULL, NULL, NULL));
	check_parse(
	    "pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",
	    compose_uri(NULL, 0, NULL, NULL, "CAC",
	    "/usr/lib64/p11-kit-proxy.so"));

	/* empty path component matches everything */
	check_parse("pkcs11:", EMPTY_URI);

	/* empty string is a valid to match against (and different from NULL) */
	check_parse("pkcs11:token=",
	    compose_uri(NULL, 0, "", NULL, NULL, NULL));
	/* Percent character needs to be percent-encoded */
	check_parse("pkcs11:token=%25",
	     compose_uri(NULL, 0, "%", NULL, NULL, NULL));
}

static void
test_parse_invalid(void)
{
	/* Invalid percent encoding */
	check_parse_rv("pkcs11:id=%0", EMPTY_URI, -1);
	/* Invalid percent encoding */
	check_parse_rv("pkcs11:id=%ZZ", EMPTY_URI, -1);
	/* Space MUST be percent encoded -- XXX not enforced yet */
	check_parse("pkcs11:token=SSH Keys",
	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL));
	/* MUST NOT contain duplicate attributes of the same name */
	check_parse_rv("pkcs11:id=%01;id=%02", EMPTY_URI, -1);
	/* Unrecognized attribute in path SHOULD be error */
	check_parse_rv("pkcs11:key_name=SSH", EMPTY_URI, -1);
	/* Unrecognized attribute in query SHOULD be ignored */
	check_parse("pkcs11:?key_name=SSH", EMPTY_URI);
}

void
check_gen(char *expect, struct pkcs11_uri *uri)
{
	char *buf = NULL, *uri_str;

	asprintf(&buf, "Valid PKCS#11 URI generation: %s", expect);
	TEST_START(buf);
	free(buf);
	uri_str = pkcs11_uri_get(uri);
	ASSERT_PTR_NE(uri_str, NULL);
	ASSERT_STRING_EQ(uri_str, expect);
	free(uri_str);
	TEST_DONE();
}

static void
test_generate_valid(void)
{
	/* path arguments */
	check_gen("pkcs11:id=%01",
	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL));
	check_gen("pkcs11:id=%00%01",
	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL));
	check_gen("pkcs11:token=SSH%20Keys", /* space must be percent encoded */
	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL));
	/* library-manufacturer is not implmented now */
	/*check_gen("pkcs11:library-manufacturer=OpenSC",
	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL));*/
	check_gen("pkcs11:manufacturer=piv_II",
	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL));
	/* query arguments */
	check_gen("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so"));

	/* combinations */
	check_gen("pkcs11:id=%02;token=SSH%20Keys",
	    compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL));
	check_gen("pkcs11:id=%EE%02?module-path=/usr/lib64/p11-kit-proxy.so",
	    compose_uri("\xEE\x02", 2, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so"));

	/* empty path component matches everything */
	check_gen("pkcs11:", EMPTY_URI);

}

void
check_encode(char *source, size_t len, char *whitelist, char *expect)
{
	char *buf = NULL;
	struct sshbuf *b;

	asprintf(&buf, "percent_encode: expected %s", expect);
	TEST_START(buf);
	free(buf);

	b = percent_encode(source, len, whitelist);
	ASSERT_STRING_EQ(sshbuf_ptr(b), expect);
	sshbuf_free(b);
	TEST_DONE();
}

static void
test_percent_encode_multibyte(void)
{
	/* SHOULD be encoded as octets according to the UTF-8 character encoding */

	/* multi-byte characters are "for free" */
	check_encode("$", 1, "", "%24");
	check_encode("¢", 2, "", "%C2%A2");
	check_encode("€", 3, "", "%E2%82%AC");
	check_encode("𐍈", 4, "", "%F0%90%8D%88");

	/* CK_UTF8CHAR is unsigned char (1 byte) */
	/* labels SHOULD be normalized to NFC [UAX15] */

}

static void
test_percent_encode(void)
{
	/* Without whitelist encodes everything (for CKA_ID) */
	check_encode("A*", 2, "", "%41%2A");
	check_encode("\x00", 1, "", "%00");
	check_encode("\x7F", 1, "", "%7F");
	check_encode("\x80", 1, "", "%80");
	check_encode("\xff", 1, "", "%FF");

	/* Default whitelist encodes anything but safe letters */
	check_encode("test" "\x00" "0alpha", 11, PKCS11_URI_WHITELIST,
	    "test%000alpha");
	check_encode(" ", 1, PKCS11_URI_WHITELIST,
	    "%20"); /* Space MUST be percent encoded */
	check_encode("/", 1, PKCS11_URI_WHITELIST,
	    "%2F"); /* '/' delimiter MUST be percent encoded (in the path) */
	check_encode("?", 1, PKCS11_URI_WHITELIST,
	    "%3F"); /* delimiter '?' MUST be percent encoded (in the path) */
	check_encode("#", 1, PKCS11_URI_WHITELIST,
	    "%23"); /* '#' MUST be always percent encoded */
	check_encode("key=value;separator?query&amp;#anch", 35, PKCS11_URI_WHITELIST,
	    "key%3Dvalue%3Bseparator%3Fquery%26amp%3B%23anch");

	/* Components in query can have '/' unencoded (useful for paths) */
	check_encode("/path/to.file", 13, PKCS11_URI_WHITELIST "/",
	    "/path/to.file");
}

void
check_decode(char *source, char *expect, int expect_len)
{
	char *buf = NULL, *out = NULL;
	int rv;

	asprintf(&buf, "percent_decode: %s", source);
	TEST_START(buf);
	free(buf);

	rv = percent_decode(source, &out);
	ASSERT_INT_EQ(rv, expect_len);
	if (rv >= 0)
		ASSERT_MEM_EQ(out, expect, expect_len);
	free(out);
	TEST_DONE();
}

static void
test_percent_decode(void)
{
	/* simple valid cases */
	check_decode("%00", "\x00", 1);
	check_decode("%FF", "\xFF", 1);

	/* normal strings shold be kept intact */
	check_decode("strings are left", "strings are left", 16);
	check_decode("10%25 of trees", "10% of trees", 12);

	/* make sure no more than 2 bytes are parsed */
	check_decode("%222", "\x22" "2", 2);

	/* invalid expects failure */
	check_decode("%0", "", -1);
	check_decode("%Z", "", -1);
	check_decode("%FG", "", -1);
}

void
tests(void)
{
	test_percent_encode();
	test_percent_encode_multibyte();
	test_percent_decode();
	test_parse_valid();
	test_parse_invalid();
	test_generate_valid();
}
* soft-pkcs11.so  from people.su.se/~lha/soft-pkcs11
 * Return correct CKR for unknown attributes
 * Adjust and build it with regress tests (allowing agent-pkcs11 test)
* Test PKCS#11 URIs support with soft-pkcs11
 * Direct usage from commandline (URI, provider and combination)
 * Usage from configuration files
 * Usage in ssh-agent (add, sign, remove)
 * Make sure it is built with correct paths
--
Makefile.in           |    6 +
regress/Makefile      |    1 +
regress/locl.h        |   78 ++
regress/pkcs11.sh     |  250 ++++++
regress/soft-pkcs11.c | 2051 +++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 2386 insertions(+)
create mode 100644 regress/locl.h
create mode 100644 regress/pkcs11.sh
create mode 100644 regress/soft-pkcs11.c

Lines 452-457 regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c $(REGRESSLIBS) Link Here

(-)a/Makefile.in (+6 lines)
452	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/netcat.c \	452	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/netcat.c \
453	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)	453	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
454		454
		455	regress/soft-pkcs11.so: $(srcdir)/regress/soft-pkcs11.c $(REGRESSLIBS)
		456	$(CC) $(CFLAGS) $(CPPFLAGS) -fpic -c $(srcdir)/regress/soft-pkcs11.c \
		457	-o $(srcdir)/regress/soft-pkcs11.o
		458	$(CC) -shared -o $@ $(srcdir)/regress/soft-pkcs11.o
		459
455	regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c $(REGRESSLIBS)	460	regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c $(REGRESSLIBS)
456	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/check-perm.c \	461	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/check-perm.c \
457	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)	462	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
Lines 573-578 regress/misc/kexfuzz/kexfuzz$(EXEEXT): ${MISC_KEX_FUZZ_OBJS} libssh.a Link Here
573	regress-binaries: regress/modpipe$(EXEEXT) \	578	regress-binaries: regress/modpipe$(EXEEXT) \
574	regress/setuid-allowed$(EXEEXT) \	579	regress/setuid-allowed$(EXEEXT) \
575	regress/netcat$(EXEEXT) \	580	regress/netcat$(EXEEXT) \
		581	regress/soft-pkcs11.so \
576	regress/check-perm$(EXEEXT) \	582	regress/check-perm$(EXEEXT) \
577	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \	583	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
578	regress/unittests/sshkey/test_sshkey$(EXEEXT) \	584	regress/unittests/sshkey/test_sshkey$(EXEEXT) \

Lines 110-115 CLEANFILES= .core actual agent-key. authorized_keys_${USERNAME} \ Link Here

(-)a/regress/Makefile (+1 lines)
110	pidfile putty.rsa2 ready regress.log \	110	pidfile putty.rsa2 ready regress.log \
111	remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \	111	remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
112	rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \	112	rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
		113	soft-pkcs11.so soft-pkcs11.o \
113	rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \	114	rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
114	scp-ssh-wrapper.scp setuid-allowed sftp-server.log \	115	scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
115	sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \	116	sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \




/*
 * Copyright (c) 2004, Stockholms universitet
 * (Stockholm University, Stockholm Sweden)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the university nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/* $Id: locl.h,v 1.5 2005/08/28 15:30:31 lha Exp $ */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/x509.h>

#include <ctype.h>
#include <errno.h>
#include <pwd.h>
#include <stdarg.h>
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "../pkcs11.h"

#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R)			\
{									\
  unsigned char *p;							\
  (BL) = i2d_##T((S), NULL);						\
  if ((BL) <= 0) {							\
     (R) = EINVAL;							\
  } else {								\
    (B) = malloc((BL));							\
    if ((B) == NULL) {							\
       (R) = ENOMEM;							\
    } else {								\
        p = (B);							\
        (R) = 0;							\
        (BL) = i2d_##T((S), &p);					\
        if ((BL) <= 0) {						\
           free((B));                                          		\
           (R) = EINVAL;						\
        }								\
    }									\
  }									\
}




# 
#  Copyright (c) 2017 Red Hat
# 
#  Authors: Jakub Jelen <jjelen@redhat.com>
# 
#  Permission to use, copy, modify, and distribute this software for any
#  purpose with or without fee is hereby granted, provided that the above
#  copyright notice and this permission notice appear in all copies.
# 
#  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
#  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
#  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
#  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
#  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
#  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
#  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

tid="pkcs11 tests with soft token"

TEST_SSH_PIN=""
TEST_SSH_PKCS11=$OBJ/soft-pkcs11.so

test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

# requires ssh-agent built with correct path to ssh-pkcs11-helper
# otherwise it fails to start the helper
strings ${TEST_SSH_SSHAGENT} | grep "$TEST_SSH_SSHPKCS11HELPER"
if [ $? -ne 0 ]; then
	fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"
fi

# setup environment for soft-pkcs11 token
SOFTPKCS11RC=$OBJ/pkcs11.info
rm -f $SOFTPKCS11RC
export SOFTPKCS11RC
# prevent ssh-agent from calling ssh-askpass
SSH_ASKPASS=/usr/bin/true
export SSH_ASKPASS
unset DISPLAY

# start command w/o tty, so ssh accepts pin from stdin (from agent-pkcs11.sh)
notty() {
	perl -e 'use POSIX; POSIX::setsid(); 
	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
}

create_key() {
	ID=$1
	LABEL=$2
	rm -f $OBJ/pkcs11-${ID}.key $OBJ/pkcs11-${ID}.crt
	openssl genrsa -out $OBJ/pkcs11-${ID}.key 2048 > /dev/null 2>&1
	chmod 600 $OBJ/pkcs11-${ID}.key 
	openssl req -key $OBJ/pkcs11-${ID}.key -new -x509 \
	    -out $OBJ/pkcs11-${ID}.crt -text -subj '/CN=pkcs11 test' >/dev/null
	printf "${ID}\t${LABEL}\t$OBJ/pkcs11-${ID}.crt\t$OBJ/pkcs11-${ID}.key\n" \
	    >> $SOFTPKCS11RC
}

trace "Create a key pairs on soft token"
ID1="02"
ID2="04"
create_key "$ID1" "SSH RSA Key"
create_key "$ID2" "SSH RSA Key 2"

trace "List the keys in the ssh-keygen with PKCS#11 URIs"
${SSHKEYGEN} -D ${TEST_SSH_PKCS11} > $OBJ/token_keys
if [ $? -ne 0 ]; then
	fail "keygen fails to enumerate keys on PKCS#11 token"
fi
grep "pkcs11:" $OBJ/token_keys > /dev/null
if [ $? -ne 0 ]; then
	fail "The keys from ssh-keygen do not contain PKCS#11 URI as a comment"
fi
tail -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER


trace "Simple connect with ssh (without PKCS#11 URI)"
echo ${TEST_SSH_PIN} | notty ${SSH} -I ${TEST_SSH_PKCS11} \
    -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -ne 5 ]; then
	fail "ssh connect with pkcs11 failed (exit code $r)"
fi


trace "Connect with PKCS#11 URI"
trace "  (second key should succeed)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
    -i "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" somehost exit 5
r=$?
if [ $r -ne 5 ]; then
	fail "ssh connect with PKCS#11 URI failed (exit code $r)"
fi

trace "  (first key should fail)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
     -i "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" somehost exit 5
r=$?
if [ $r -eq 5 ]; then
	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
fi


trace "Test PKCS#11 URI specification in configuration files"
echo "PKCS11URI pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \
    >> $OBJ/ssh_proxy
trace "  (second key should succeed)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -ne 5 ]; then
	fail "ssh connect with PKCS#11 URI in config failed (exit code $r)"
fi

trace "  (first key should fail)"
head -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -eq 5 ]; then
	fail "ssh connect with PKCS#11 URI in config succeeded (should fail)"
fi
sed -i -e "/PKCS11URI/d" $OBJ/ssh_proxy

trace "Test PKCS#11 URI specification in configuration files with bogus spaces"
echo "PKCS11URI     pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}    " \
    >> $OBJ/ssh_proxy
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -ne 5 ]; then
	fail "ssh connect with PKCS#11 URI with bogus spaces in config failed" \
	    "(exit code $r)"
fi
sed -i -e "/PKCS11URI/d" $OBJ/ssh_proxy


trace "Combination of PKCS11Provider and PKCS11URI on commandline"
trace "  (first key should succeed)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
    -i "pkcs11:id=${ID1}" -I ${TEST_SSH_PKCS11} somehost exit 5
r=$?
if [ $r -ne 5 ]; then
	fail "ssh connect with PKCS#11 URI and provider combination" \
	    "failed (exit code $r)"
fi

trace "  (second key should fail)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
    -i "pkcs11:id=${ID2}" -I ${TEST_SSH_PKCS11} somehost exit 5
r=$?
if [ $r -eq 5 ]; then
	fail "ssh connect with PKCS#11 URI and provider combination" \
	    "succeeded (should fail)"
fi


trace "SSH Agent can work with PKCS#11 URI"
trace "start the agent"
eval `${SSHAGENT} -s -P "${OBJ}/*"` > /dev/null

r=$?
if [ $r -ne 0 ]; then
	fail "could not start ssh-agent: exit code $r"
else
	trace "add whole provider to agent"
	echo ${TEST_SSH_PIN} | notty ${SSHADD} \
	    "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed with whole provider: exit code $r"
	fi

	trace " pkcs11 list via agent (all keys)"
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -l failed with whole provider: exit code $r"
	fi

	trace " pkcs11 connect via agent (all keys)"
	${SSH} -F $OBJ/ssh_proxy somehost exit 5
	r=$?
	if [ $r -ne 5 ]; then
		fail "ssh connect failed with whole provider (exit code $r)"
	fi

	trace " remove pkcs11 keys (all keys)"
	${SSHADD} -d "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -d failed with whole provider: exit code $r"
	fi

	trace "add only first key to the agent"
	echo ${TEST_SSH_PIN} | notty ${SSHADD} \
	    "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed with first key: exit code $r"
	fi

	trace " pkcs11 connect via agent (first key)"
	${SSH} -F $OBJ/ssh_proxy somehost exit 5
	r=$?
	if [ $r -ne 5 ]; then
		fail "ssh connect failed with first key (exit code $r)"
	fi

	trace " remove first pkcs11 key"
	${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \
	    > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -d failed with first key: exit code $r"
	fi

	trace "add only second key to the agent"
	echo ${TEST_SSH_PIN} | notty ${SSHADD} \
	    "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add failed with second key: exit code $r"
	fi

	trace " pkcs11 connect via agent (second key should fail)"
	${SSH} -F $OBJ/ssh_proxy somehost exit 5
	r=$?
	if [ $r -eq 5 ]; then
		fail "ssh connect passed without key (should fail)"
	fi

	trace " remove second pkcs11 key"
	${SSHADD} -d "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \
	    > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -d failed with second key: exit code $r"
	fi

	trace " remove already-removed pkcs11 key should fail"
	${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \
	    > /dev/null 2>&1
	r=$?
	if [ $r -eq 0 ]; then
		fail "ssh-add -d passed with non-existing key (should fail)"
	fi

	trace "kill agent"
	${SSHAGENT} -k > /dev/null
fi

rm -rf $OBJ/.tokens $OBJ/token_keys




/*
 * Copyright (c) 2004-2006, Stockholms universitet
 * (Stockholm University, Stockholm Sweden)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the university nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include "locl.h"

/* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */

#define OBJECT_ID_MASK		0xfff
#define HANDLE_OBJECT_ID(h)	((h) & OBJECT_ID_MASK)
#define OBJECT_ID(obj)		HANDLE_OBJECT_ID((obj)->object_handle)

struct st_attr {
    CK_ATTRIBUTE attribute;
    int secret;
};

struct st_object {
    CK_OBJECT_HANDLE object_handle;
    struct st_attr *attrs;
    int num_attributes;
    enum {
	STO_T_CERTIFICATE,
	STO_T_PRIVATE_KEY,
	STO_T_PUBLIC_KEY
    } type;
    union {
	X509 *cert;
	EVP_PKEY *public_key;
	struct {
	    const char *file;
	    EVP_PKEY *key;
	    X509 *cert;
	} private_key;
    } u;
};

static struct soft_token {
    CK_VOID_PTR application;
    CK_NOTIFY notify;
    struct {
	struct st_object **objs;
	int num_objs;
    } object;
    struct {
	int hardware_slot;
	int app_error_fatal;
	int login_done;
    } flags;
    int open_sessions;
    struct session_state {
	CK_SESSION_HANDLE session_handle;

	struct {
	    CK_ATTRIBUTE *attributes;
	    CK_ULONG num_attributes;
	    int next_object;
	} find;

	int encrypt_object;
	CK_MECHANISM_PTR encrypt_mechanism;
	int decrypt_object;
	CK_MECHANISM_PTR decrypt_mechanism;
	int sign_object;
	CK_MECHANISM_PTR sign_mechanism;
	int verify_object;
	CK_MECHANISM_PTR verify_mechanism;
	int digest_object;
    } state[10];
#define MAX_NUM_SESSION (sizeof(soft_token.state)/sizeof(soft_token.state[0]))
    FILE *logfile;
} soft_token;

static void
application_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    if (soft_token.flags.app_error_fatal)
	abort();
}

static void
st_logf(const char *fmt, ...)
{
    va_list ap;
    if (soft_token.logfile == NULL)
	return;
    va_start(ap, fmt);
    vfprintf(soft_token.logfile, fmt, ap);
    va_end(ap);
    fflush(soft_token.logfile);
}

static void
snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
{
    int len;
    va_list ap;
    len = vsnprintf(str, size, fmt, ap);
    va_end(ap);
    if (len < 0 || len > (int) size)
	return;
    while(len < (int) size)
	str[len++] = fillchar;
}

#ifndef TEST_APP
#define printf error_use_st_logf
#endif

#define VERIFY_SESSION_HANDLE(s, state)			\
{							\
    CK_RV ret;						\
    ret = verify_session_handle(s, state);		\
    if (ret != CKR_OK) {				\
	/* return CKR_OK */;				\
    }							\
}

static CK_RV
verify_session_handle(CK_SESSION_HANDLE hSession,
		      struct session_state **state)
{
    size_t i;

    for (i = 0; i < MAX_NUM_SESSION; i++){
	if (soft_token.state[i].session_handle == hSession)
	    break;
    }
    if (i == MAX_NUM_SESSION) {
	application_error("use of invalid handle: 0x%08lx\n",
			  (unsigned long)hSession);
	return CKR_SESSION_HANDLE_INVALID;
    }
    if (state)
	*state = &soft_token.state[i];
    return CKR_OK;
}

static CK_RV
object_handle_to_object(CK_OBJECT_HANDLE handle,
			struct st_object **object)
{
    int i = HANDLE_OBJECT_ID(handle);

    *object = NULL;
    if (i >= soft_token.object.num_objs)
	return CKR_ARGUMENTS_BAD;
    if (soft_token.object.objs[i] == NULL)
	return CKR_ARGUMENTS_BAD;
    if (soft_token.object.objs[i]->object_handle != handle)
	return CKR_ARGUMENTS_BAD;
    *object = soft_token.object.objs[i];
    return CKR_OK;
}

static int
attributes_match(const struct st_object *obj,
		 const CK_ATTRIBUTE *attributes,
		 CK_ULONG num_attributes)
{
    CK_ULONG i;
    int j;
    st_logf("attributes_match: %ld\n", (unsigned long)OBJECT_ID(obj));

    for (i = 0; i < num_attributes; i++) {
	int match = 0;
	for (j = 0; j < obj->num_attributes; j++) {
	    if (attributes[i].type == obj->attrs[j].attribute.type &&
		attributes[i].ulValueLen == obj->attrs[j].attribute.ulValueLen &&
		memcmp(attributes[i].pValue, obj->attrs[j].attribute.pValue,
		       attributes[i].ulValueLen) == 0) {
		match = 1;
		break;
	    }
	}
	if (match == 0) {
	    st_logf("type %d attribute have no match\n", attributes[i].type);
	    return 0;
	}
    }
    st_logf("attribute matches\n");
    return 1;
}

static void
print_attributes(const CK_ATTRIBUTE *attributes,
		 CK_ULONG num_attributes)
{
    CK_ULONG i;

    st_logf("find objects: attrs: %lu\n", (unsigned long)num_attributes);

    for (i = 0; i < num_attributes; i++) {
	st_logf("  type: ");
	switch (attributes[i].type) {
	case CKA_TOKEN: {
	    CK_BBOOL *ck_true;
	    if (attributes[i].ulValueLen != sizeof(CK_BBOOL)) {
		application_error("token attribute wrong length\n");
		break;
	    }
	    ck_true = attributes[i].pValue;
	    st_logf("token: %s", *ck_true ? "TRUE" : "FALSE");
	    break;
	}
	case CKA_CLASS: {
	    CK_OBJECT_CLASS *class;
	    if (attributes[i].ulValueLen != sizeof(CK_ULONG)) {
		application_error("class attribute wrong length\n");
		break;
	    }
	    class = attributes[i].pValue;
	    st_logf("class ");
	    switch (*class) {
	    case CKO_CERTIFICATE:
		st_logf("certificate");
		break;
	    case CKO_PUBLIC_KEY:
		st_logf("public key");
		break;
	    case CKO_PRIVATE_KEY:
		st_logf("private key");
		break;
	    case CKO_SECRET_KEY:
		st_logf("secret key");
		break;
	    case CKO_DOMAIN_PARAMETERS:
		st_logf("domain parameters");
		break;
	    default:
		st_logf("[class %lx]", (long unsigned)*class);
		break;
	    }
	    break;
	}
	case CKA_PRIVATE:
	    st_logf("private");
	    break;
	case CKA_LABEL:
	    st_logf("label");
	    break;
	case CKA_APPLICATION:
	    st_logf("application");
	    break;
	case CKA_VALUE:
	    st_logf("value");
	    break;
	case CKA_ID:
	    st_logf("id");
	    break;
	default:
	    st_logf("[unknown 0x%08lx]", (unsigned long)attributes[i].type);
	    break;
	}
	st_logf("\n");
    }
}

static struct st_object *
add_st_object(void)
{
    struct st_object *o, **objs;
    int i;

    o = malloc(sizeof(*o));
    if (o == NULL)
	return NULL;
    memset(o, 0, sizeof(*o));
    o->attrs = NULL;
    o->num_attributes = 0;
    
    for (i = 0; i < soft_token.object.num_objs; i++) {
	if (soft_token.object.objs == NULL) {
	    soft_token.object.objs[i] = o;
	    break;
	}
    }
    if (i == soft_token.object.num_objs) {
	objs = realloc(soft_token.object.objs,
		       (soft_token.object.num_objs + 1) * sizeof(soft_token.object.objs[0]));
	if (objs == NULL) {
	    free(o);
	    return NULL;
	}
	soft_token.object.objs = objs;
	soft_token.object.objs[soft_token.object.num_objs++] = o;
    }	
    soft_token.object.objs[i]->object_handle =
	(random() & (~OBJECT_ID_MASK)) | i;

    return o;
}

static CK_RV
add_object_attribute(struct st_object *o, 
		     int secret,
		     CK_ATTRIBUTE_TYPE type,
		     CK_VOID_PTR pValue,
		     CK_ULONG ulValueLen)
{
    struct st_attr *a;
    int i;

    i = o->num_attributes;
    a = realloc(o->attrs, (i + 1) * sizeof(o->attrs[0]));
    if (a == NULL)
	return CKR_DEVICE_MEMORY;
    o->attrs = a;
    o->attrs[i].secret = secret;
    o->attrs[i].attribute.type = type;
    o->attrs[i].attribute.pValue = malloc(ulValueLen);
    if (o->attrs[i].attribute.pValue == NULL && ulValueLen != 0)
	return CKR_DEVICE_MEMORY;
    memcpy(o->attrs[i].attribute.pValue, pValue, ulValueLen);
    o->attrs[i].attribute.ulValueLen = ulValueLen;
    o->num_attributes++;

    return CKR_OK;
}

static CK_RV
add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
{
    switch (key_type) {
    case CKK_RSA: {
	CK_BYTE *modulus = NULL;
	size_t modulus_len = 0;
	CK_ULONG modulus_bits = 0;
	CK_BYTE *exponent = NULL;
	size_t exponent_len = 0;

	modulus_bits = BN_num_bits(key->pkey.rsa->n);

	modulus_len = BN_num_bytes(key->pkey.rsa->n);
	modulus = malloc(modulus_len);
	BN_bn2bin(key->pkey.rsa->n, modulus);
	
	exponent_len = BN_num_bytes(key->pkey.rsa->e);
	exponent = malloc(exponent_len);
	BN_bn2bin(key->pkey.rsa->e, exponent);
	
	add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
	add_object_attribute(o, 0, CKA_MODULUS_BITS,
			     &modulus_bits, sizeof(modulus_bits));
	add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
			     exponent, exponent_len);

	RSA_set_method(key->pkey.rsa, RSA_PKCS1_SSLeay());

	free(modulus);
	free(exponent);
    }
    default:
	/* XXX */
	break;
    }
    return CKR_OK;
}


static int
pem_callback(char *buf, int num, int w, void *key)
{
    return -1;
}


static CK_RV
add_certificate(char *label,
		const char *cert_file,
		const char *private_key_file,
		char *id,
		int anchor)
{
    struct st_object *o = NULL;
    CK_BBOOL bool_true = CK_TRUE;
    CK_BBOOL bool_false = CK_FALSE;
    CK_OBJECT_CLASS c;
    CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
    CK_KEY_TYPE key_type;
    CK_MECHANISM_TYPE mech_type;
    void *cert_data = NULL;
    size_t cert_length;
    void *subject_data = NULL;
    size_t subject_length;
    void *issuer_data = NULL;
    size_t issuer_length;
    void *serial_data = NULL;
    size_t serial_length;
    CK_RV ret = CKR_GENERAL_ERROR;
    X509 *cert;
    EVP_PKEY *public_key;

    size_t id_len = strlen(id);

    {
	FILE *f;
	
	f = fopen(cert_file, "r");
	if (f == NULL) {
	    st_logf("failed to open file %s\n", cert_file);
	    return CKR_GENERAL_ERROR;
	}

	cert = PEM_read_X509(f, NULL, NULL, NULL);
	fclose(f);
	if (cert == NULL) {
	    st_logf("failed reading PEM cert\n");
	    return CKR_GENERAL_ERROR;
	}

	OPENSSL_ASN1_MALLOC_ENCODE(X509, cert_data, cert_length, cert, ret);
	if (ret)
	    goto out;

	OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, issuer_data, issuer_length, 
				   X509_get_issuer_name(cert), ret);
	if (ret)
	    goto out;

	OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, subject_data, subject_length, 
				   X509_get_subject_name(cert), ret);
	if (ret)
	    goto out;

	OPENSSL_ASN1_MALLOC_ENCODE(ASN1_INTEGER, serial_data, serial_length, 
				   X509_get_serialNumber(cert), ret);
	if (ret)
	    goto out;

    }

    st_logf("done parsing, adding to internal structure\n");

    o = add_st_object();
    if (o == NULL) {
	ret = CKR_DEVICE_MEMORY;
	goto out;
    }
    o->type = STO_T_CERTIFICATE;
    o->u.cert = cert;
    public_key = X509_get_pubkey(o->u.cert);

    switch (EVP_PKEY_type(public_key->type)) {
    case EVP_PKEY_RSA:
	key_type = CKK_RSA;
	break;
    case EVP_PKEY_DSA:
	key_type = CKK_DSA;
	break;
    default:
	/* XXX */
	break;
    }

    c = CKO_CERTIFICATE;
    add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
    add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
    add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
    add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
    add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));

    add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
    add_object_attribute(o, 0, CKA_ID, id, id_len);

    add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);
    add_object_attribute(o, 0, CKA_ISSUER, issuer_data, issuer_length);
    add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data, serial_length);
    add_object_attribute(o, 0, CKA_VALUE, cert_data, cert_length);
    if (anchor)
	add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));
    else
	add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false));

    st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o));

    o = add_st_object();
    if (o == NULL) {
	ret = CKR_DEVICE_MEMORY;
	goto out;
    }
    o->type = STO_T_PUBLIC_KEY;
    o->u.public_key = public_key;

    c = CKO_PUBLIC_KEY;
    add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
    add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
    add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
    add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
    add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));

    add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
    add_object_attribute(o, 0, CKA_ID, id, id_len);
    add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
    add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
    add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
    add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
    mech_type = CKM_RSA_X_509;
    add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));

    add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);
    add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true));
    add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true));
    add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false));
    add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true));
    add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));

    add_pubkey_info(o, key_type, public_key);

    st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o));

    if (private_key_file) {
	CK_FLAGS flags;
	FILE *f;

	o = add_st_object();
	if (o == NULL) {
	    ret = CKR_DEVICE_MEMORY;
	    goto out;
	}
	o->type = STO_T_PRIVATE_KEY;
	o->u.private_key.file = strdup(private_key_file);
	o->u.private_key.key = NULL;

	o->u.private_key.cert = cert;

	c = CKO_PRIVATE_KEY;
	add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
	add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
	add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false));
	add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
	add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));

	add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
	add_object_attribute(o, 0, CKA_ID, id, id_len);
	add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
	add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
	add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
	add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
	mech_type = CKM_RSA_X_509;
	add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));

	add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);
	add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true));
	add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true));
	flags = 0;
	add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags));

	add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true));
	add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true));
	add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false));
	add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true));
	add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true));
	add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false));

	add_pubkey_info(o, key_type, public_key);

	f = fopen(private_key_file, "r");
	if (f == NULL) {
	    st_logf("failed to open private key\n");
	    return CKR_GENERAL_ERROR;
	}

	o->u.private_key.key = PEM_read_PrivateKey(f, NULL, pem_callback, NULL);
	fclose(f);
	if (o->u.private_key.key == NULL) {
	    st_logf("failed to read private key a startup\n");
	    /* don't bother with this failure for now, 
	       fix it at C_Login time */;
	} else {
	    /* XXX verify keytype */

	    if (key_type == CKK_RSA)
		RSA_set_method(o->u.private_key.key->pkey.rsa, 
			       RSA_PKCS1_SSLeay());

	    if (X509_check_private_key(cert, o->u.private_key.key) != 1) {
		EVP_PKEY_free(o->u.private_key.key);	    
		o->u.private_key.key = NULL;
		st_logf("private key doesn't verify\n");
	    } else {
		st_logf("private key usable\n");
		soft_token.flags.login_done = 1;
	    }
	}
    }

    ret = CKR_OK;
 out:
    if (ret != CKR_OK) {
	st_logf("something went wrong when adding cert!\n");

	/* XXX wack o */;
    }
    free(cert_data);
    free(serial_data);
    free(issuer_data);
    free(subject_data);

    return ret;
}

static void
find_object_final(struct session_state *state)
{
    if (state->find.attributes) {
	CK_ULONG i;

	for (i = 0; i < state->find.num_attributes; i++) {
	    if (state->find.attributes[i].pValue)
		free(state->find.attributes[i].pValue);
	}
	free(state->find.attributes);
	state->find.attributes = NULL;
	state->find.num_attributes = 0;
	state->find.next_object = -1;
    }
}

static void
reset_crypto_state(struct session_state *state)
{
    state->encrypt_object = -1;
    if (state->encrypt_mechanism)
	free(state->encrypt_mechanism);
    state->encrypt_mechanism = NULL_PTR;
    state->decrypt_object = -1;
    if (state->decrypt_mechanism)
	free(state->decrypt_mechanism);
    state->decrypt_mechanism = NULL_PTR;
    state->sign_object = -1;
    if (state->sign_mechanism)
	free(state->sign_mechanism);
    state->sign_mechanism = NULL_PTR;
    state->verify_object = -1;
    if (state->verify_mechanism)
	free(state->verify_mechanism);
    state->verify_mechanism = NULL_PTR;
    state->digest_object = -1;
}

static void
close_session(struct session_state *state)
{
    if (state->find.attributes) {
	application_error("application didn't do C_FindObjectsFinal\n");
	find_object_final(state);
    }

    state->session_handle = CK_INVALID_HANDLE;
    soft_token.application = NULL_PTR;
    soft_token.notify = NULL_PTR;
    reset_crypto_state(state);
}

static const char *
has_session(void)
{
    return soft_token.open_sessions > 0 ? "yes" : "no";
}

static void
read_conf_file(const char *fn)
{
    char buf[1024], *cert, *key, *id, *label, *s, *p;
    int anchor;
    FILE *f;

    f = fopen(fn, "r");
    if (f == NULL) {
	st_logf("can't open configuration file %s\n", fn);
	return;
    }

    while(fgets(buf, sizeof(buf), f) != NULL) {
	buf[strcspn(buf, "\n")] = '\0';

	anchor = 0;

	st_logf("line: %s\n", buf);

	p = buf;
	while (isspace(*p))
	    p++;
	if (*p == '#')
	    continue;
	while (isspace(*p))
	    p++;

	s = NULL;
	id = strtok_r(p, "\t", &s);
	if (id == NULL)
	    continue;
	label = strtok_r(NULL, "\t", &s);
	if (label == NULL)
	    continue;
	cert = strtok_r(NULL, "\t", &s);
	if (cert == NULL)
	    continue;
	key = strtok_r(NULL, "\t", &s);

	/* XXX */
	if (strcmp(id, "anchor") == 0) {
	    id = "\x00\x00";
	    anchor = 1;
	}

	st_logf("adding: %s\n", label);

	add_certificate(label, cert, key, id, anchor);
    }
}

static CK_RV
func_not_supported(void)
{
    st_logf("function not supported\n");
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_Initialize(CK_VOID_PTR a)
{
    CK_C_INITIALIZE_ARGS_PTR args = a;
    st_logf("Initialize\n");
    size_t i;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    srandom(getpid() ^ time(NULL));

    for (i = 0; i < MAX_NUM_SESSION; i++) {
	soft_token.state[i].session_handle = CK_INVALID_HANDLE;
	soft_token.state[i].find.attributes = NULL;
	soft_token.state[i].find.num_attributes = 0;
	soft_token.state[i].find.next_object = -1;
	reset_crypto_state(&soft_token.state[i]);
    }

    soft_token.flags.hardware_slot = 1;
    soft_token.flags.app_error_fatal = 0;
    soft_token.flags.login_done = 0;

    soft_token.object.objs = NULL;
    soft_token.object.num_objs = 0;
    
    soft_token.logfile = NULL;
#if 1
//     soft_token.logfile = stdout;
#endif
#if 0
    soft_token.logfile = fopen("/tmp/log-pkcs11.txt", "a");
#endif

    if (a != NULL_PTR) {
	st_logf("\tCreateMutex:\t%p\n", args->CreateMutex);
	st_logf("\tDestroyMutext\t%p\n", args->DestroyMutex);
	st_logf("\tLockMutext\t%p\n", args->LockMutex);
	st_logf("\tUnlockMutext\t%p\n", args->UnlockMutex);
	st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
    }

    {
	char *fn = NULL, *home = NULL;

	if (getuid() == geteuid()) {
	    fn = getenv("SOFTPKCS11RC");
	    if (fn)
		fn = strdup(fn);
	    home = getenv("HOME");
	}
	if (fn == NULL && home == NULL) {
	    struct passwd *pw = getpwuid(getuid());	
	    if(pw != NULL)
		home = pw->pw_dir;
	}
	if (fn == NULL) {
	    if (home)
		asprintf(&fn, "%s/.soft-token.rc", home);
	    else
		fn = strdup("/etc/soft-token.rc");
	}

	read_conf_file(fn);
	free(fn);
    }

    return CKR_OK;
}

CK_RV
C_Finalize(CK_VOID_PTR args)
{
    size_t i;

    st_logf("Finalize\n");

    for (i = 0; i < MAX_NUM_SESSION; i++) {
	if (soft_token.state[i].session_handle != CK_INVALID_HANDLE) {
	    application_error("application finalized without "
			      "closing session\n");
	    close_session(&soft_token.state[i]);
	}
    }

    return CKR_OK;
}

CK_RV
C_GetInfo(CK_INFO_PTR args)
{
    st_logf("GetInfo\n");

    memset(args, 17, sizeof(*args));
    args->cryptokiVersion.major = 2;
    args->cryptokiVersion.minor = 10;
    snprintf_fill((char *)args->manufacturerID, 
		  sizeof(args->manufacturerID),
		  ' ',
		  "SoftToken");
    snprintf_fill((char *)args->libraryDescription, 
		  sizeof(args->libraryDescription), ' ',
		  "SoftToken");
    args->libraryVersion.major = 1;
    args->libraryVersion.minor = 8;

    return CKR_OK;
}

extern CK_FUNCTION_LIST funcs;

CK_RV
C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
{
    *ppFunctionList = &funcs;
    return CKR_OK;
}

CK_RV
C_GetSlotList(CK_BBOOL tokenPresent,
	      CK_SLOT_ID_PTR pSlotList,
	      CK_ULONG_PTR   pulCount)
{
    st_logf("GetSlotList: %s\n",
	    tokenPresent ? "tokenPresent" : "token not Present");
    if (pSlotList)
	pSlotList[0] = 1;
    *pulCount = 1;
    return CKR_OK;
}

CK_RV
C_GetSlotInfo(CK_SLOT_ID slotID,
	      CK_SLOT_INFO_PTR pInfo)
{
    st_logf("GetSlotInfo: slot: %d : %s\n", (int)slotID, has_session());

    memset(pInfo, 18, sizeof(*pInfo));

    if (slotID != 1)
	return CKR_ARGUMENTS_BAD;

    snprintf_fill((char *)pInfo->slotDescription, 
		  sizeof(pInfo->slotDescription),
		  ' ',
		  "SoftToken (slot)");
    snprintf_fill((char *)pInfo->manufacturerID,
		  sizeof(pInfo->manufacturerID),
		  ' ',
		  "SoftToken (slot)");
    pInfo->flags = CKF_TOKEN_PRESENT;
    if (soft_token.flags.hardware_slot)
	pInfo->flags |= CKF_HW_SLOT;
    pInfo->hardwareVersion.major = 1;
    pInfo->hardwareVersion.minor = 0;
    pInfo->firmwareVersion.major = 1;
    pInfo->firmwareVersion.minor = 0;
    
    return CKR_OK;
}

CK_RV
C_GetTokenInfo(CK_SLOT_ID slotID,
	       CK_TOKEN_INFO_PTR pInfo)
{
    st_logf("GetTokenInfo: %s\n", has_session()); 

    memset(pInfo, 19, sizeof(*pInfo));

    snprintf_fill((char *)pInfo->label, 
		  sizeof(pInfo->label),
		  ' ',
		  "SoftToken (token)");
    snprintf_fill((char *)pInfo->manufacturerID, 
		  sizeof(pInfo->manufacturerID),
		  ' ',
		  "SoftToken (token)");
    snprintf_fill((char *)pInfo->model,
		  sizeof(pInfo->model),
		  ' ',
		  "SoftToken (token)");
    snprintf_fill((char *)pInfo->serialNumber, 
		  sizeof(pInfo->serialNumber),
		  ' ',
		  "4711");
    pInfo->flags = 
	CKF_TOKEN_INITIALIZED | 
	CKF_USER_PIN_INITIALIZED;

    if (soft_token.flags.login_done == 0)
	pInfo->flags |= CKF_LOGIN_REQUIRED;

    /* CFK_RNG |
       CKF_RESTORE_KEY_NOT_NEEDED |
    */
    pInfo->ulMaxSessionCount = MAX_NUM_SESSION;
    pInfo->ulSessionCount = soft_token.open_sessions;
    pInfo->ulMaxRwSessionCount = MAX_NUM_SESSION;
    pInfo->ulRwSessionCount = soft_token.open_sessions;
    pInfo->ulMaxPinLen = 1024;
    pInfo->ulMinPinLen = 0;
    pInfo->ulTotalPublicMemory = 4711;
    pInfo->ulFreePublicMemory = 4712;
    pInfo->ulTotalPrivateMemory = 4713;
    pInfo->ulFreePrivateMemory = 4714;
    pInfo->hardwareVersion.major = 2;
    pInfo->hardwareVersion.minor = 0;
    pInfo->firmwareVersion.major = 2;
    pInfo->firmwareVersion.minor = 0;

    return CKR_OK;
}

CK_RV
C_GetMechanismList(CK_SLOT_ID slotID,
		   CK_MECHANISM_TYPE_PTR pMechanismList,
		   CK_ULONG_PTR pulCount)
{
    st_logf("GetMechanismList\n");

    *pulCount = 2;
    if (pMechanismList == NULL_PTR)
	return CKR_OK;
    pMechanismList[0] = CKM_RSA_X_509;
    pMechanismList[1] = CKM_RSA_PKCS;

    return CKR_OK;
}

CK_RV
C_GetMechanismInfo(CK_SLOT_ID slotID,
		   CK_MECHANISM_TYPE type,
		   CK_MECHANISM_INFO_PTR pInfo)
{
    st_logf("GetMechanismInfo: slot %d type: %d\n",
	    (int)slotID, (int)type);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_InitToken(CK_SLOT_ID slotID,
	    CK_UTF8CHAR_PTR pPin,
	    CK_ULONG ulPinLen,
	    CK_UTF8CHAR_PTR pLabel)
{
    st_logf("InitToken: slot %d\n", (int)slotID);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_OpenSession(CK_SLOT_ID slotID,
	      CK_FLAGS flags,
	      CK_VOID_PTR pApplication,
	      CK_NOTIFY Notify,
	      CK_SESSION_HANDLE_PTR phSession)
{
    size_t i;

    st_logf("OpenSession: slot: %d\n", (int)slotID);
    
    if (soft_token.open_sessions == MAX_NUM_SESSION)
	return CKR_SESSION_COUNT;

    soft_token.application = pApplication;
    soft_token.notify = Notify;

    for (i = 0; i < MAX_NUM_SESSION; i++)
	if (soft_token.state[i].session_handle == CK_INVALID_HANDLE)
	    break;
    if (i == MAX_NUM_SESSION)
	abort();

    soft_token.open_sessions++;

    soft_token.state[i].session_handle =
	(CK_SESSION_HANDLE)(random() & 0xfffff);
    *phSession = soft_token.state[i].session_handle;

    return CKR_OK;
}

CK_RV
C_CloseSession(CK_SESSION_HANDLE hSession)
{
    struct session_state *state;
    st_logf("CloseSession\n");

    if (verify_session_handle(hSession, &state) != CKR_OK)
	application_error("closed session not open");
    else
	close_session(state);

    return CKR_OK;
}

CK_RV
C_CloseAllSessions(CK_SLOT_ID slotID)
{
    size_t i;

    st_logf("CloseAllSessions\n");

    for (i = 0; i < MAX_NUM_SESSION; i++)
	if (soft_token.state[i].session_handle != CK_INVALID_HANDLE)
	    close_session(&soft_token.state[i]);

    return CKR_OK;
}

CK_RV
C_GetSessionInfo(CK_SESSION_HANDLE hSession,
		 CK_SESSION_INFO_PTR pInfo)
{
    st_logf("GetSessionInfo\n");
    
    VERIFY_SESSION_HANDLE(hSession, NULL);

    memset(pInfo, 20, sizeof(*pInfo));

    pInfo->slotID = 1;
    if (soft_token.flags.login_done)
	pInfo->state = CKS_RO_USER_FUNCTIONS;
    else
	pInfo->state = CKS_RO_PUBLIC_SESSION;
    pInfo->flags = CKF_SERIAL_SESSION;
    pInfo->ulDeviceError = 0;

    return CKR_OK;
}

CK_RV
C_Login(CK_SESSION_HANDLE hSession,
	CK_USER_TYPE userType,
	CK_UTF8CHAR_PTR pPin,
	CK_ULONG ulPinLen)
{
    char *pin = NULL;
    int i;

    st_logf("Login\n");

    VERIFY_SESSION_HANDLE(hSession, NULL);

    if (pPin != NULL_PTR) {
	asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
	st_logf("type: %d password: %s\n", (int)userType, pin);
    }

    for (i = 0; i < soft_token.object.num_objs; i++) {
	struct st_object *o = soft_token.object.objs[i];
	FILE *f;

	if (o->type != STO_T_PRIVATE_KEY)
	    continue;

	if (o->u.private_key.key)
	    continue;

	f = fopen(o->u.private_key.file, "r");
	if (f == NULL) {
	    st_logf("can't open private file: %s\n", o->u.private_key.file);
	    continue;
	}
	
	o->u.private_key.key = PEM_read_PrivateKey(f, NULL, NULL, pin);
	fclose(f);
	if (o->u.private_key.key == NULL) {
	    st_logf("failed to read key: %s error: %s\n",
		    o->u.private_key.file, 
		    ERR_error_string(ERR_get_error(), NULL));
	    /* just ignore failure */;
	    continue;
	}

	/* XXX check keytype */
	RSA_set_method(o->u.private_key.key->pkey.rsa, RSA_PKCS1_SSLeay());

	if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) {
	    EVP_PKEY_free(o->u.private_key.key);	    
	    o->u.private_key.key = NULL;
	    st_logf("private key %s doesn't verify\n", o->u.private_key.file);
	    continue;
	}

	soft_token.flags.login_done = 1;
    }
    free(pin);
    
    return soft_token.flags.login_done ? CKR_OK : CKR_PIN_INCORRECT;
}

CK_RV
C_Logout(CK_SESSION_HANDLE hSession)
{
    st_logf("Logout\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_GetObjectSize(CK_SESSION_HANDLE hSession,
		CK_OBJECT_HANDLE hObject,
		CK_ULONG_PTR pulSize)
{
    st_logf("GetObjectSize\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_GetAttributeValue(CK_SESSION_HANDLE hSession,
		    CK_OBJECT_HANDLE hObject,
		    CK_ATTRIBUTE_PTR pTemplate,
		    CK_ULONG ulCount)
{
    struct session_state *state;
    struct st_object *obj;
    CK_ULONG i;
    CK_RV ret;
    int j;

    st_logf("GetAttributeValue: %lx\n",
	    (unsigned long)HANDLE_OBJECT_ID(hObject));
    VERIFY_SESSION_HANDLE(hSession, &state);

    if ((ret = object_handle_to_object(hObject, &obj)) != CKR_OK) {
	st_logf("object not found: %lx\n",
		(unsigned long)HANDLE_OBJECT_ID(hObject));
	return ret;
    }

    ret = CKR_OK;
    for (i = 0; i < ulCount; i++) {
	st_logf("	getting 0x%08lx\n", (unsigned long)pTemplate[i].type);
	for (j = 0; j < obj->num_attributes; j++) {
	    if (obj->attrs[j].secret) {
		pTemplate[i].ulValueLen = (CK_ULONG)-1;
		break;
	    }
	    if (pTemplate[i].type == obj->attrs[j].attribute.type) {
		if (pTemplate[i].pValue != NULL_PTR && obj->attrs[j].secret == 0) {
		    if (pTemplate[i].ulValueLen >= obj->attrs[j].attribute.ulValueLen)
			memcpy(pTemplate[i].pValue, obj->attrs[j].attribute.pValue,
			       obj->attrs[j].attribute.ulValueLen);
		}
		pTemplate[i].ulValueLen = obj->attrs[j].attribute.ulValueLen;
		break;
	    }
	}
	if (j == obj->num_attributes) {
	    st_logf("key type: 0x%08lx not found\n", (unsigned long)pTemplate[i].type);
	    pTemplate[i].ulValueLen = (CK_ULONG)-1;
            ret = CKR_ATTRIBUTE_TYPE_INVALID;
	}

    }
    return ret;
}

CK_RV
C_FindObjectsInit(CK_SESSION_HANDLE hSession,
		  CK_ATTRIBUTE_PTR pTemplate,
		  CK_ULONG ulCount)
{
    struct session_state *state;

    st_logf("FindObjectsInit\n");

    VERIFY_SESSION_HANDLE(hSession, &state);

    if (state->find.next_object != -1) {
	application_error("application didn't do C_FindObjectsFinal\n");
	find_object_final(state);
    }
    if (ulCount) {
	CK_ULONG i;

	print_attributes(pTemplate, ulCount);

	state->find.attributes = 
	    calloc(1, ulCount * sizeof(state->find.attributes[0]));
	if (state->find.attributes == NULL)
	    return CKR_DEVICE_MEMORY;
	for (i = 0; i < ulCount; i++) {
	    state->find.attributes[i].pValue = 
		malloc(pTemplate[i].ulValueLen);
	    if (state->find.attributes[i].pValue == NULL) {
		find_object_final(state);
		return CKR_DEVICE_MEMORY;
	    }
	    memcpy(state->find.attributes[i].pValue,
		   pTemplate[i].pValue, pTemplate[i].ulValueLen);
	    state->find.attributes[i].type = pTemplate[i].type;
	    state->find.attributes[i].ulValueLen = pTemplate[i].ulValueLen;
	}
	state->find.num_attributes = ulCount;
	state->find.next_object = 0;
    } else {
	st_logf("find all objects\n");
	state->find.attributes = NULL;
	state->find.num_attributes = 0;
	state->find.next_object = 0;
    }

    return CKR_OK;
}

CK_RV
C_FindObjects(CK_SESSION_HANDLE hSession,
	      CK_OBJECT_HANDLE_PTR phObject,
	      CK_ULONG ulMaxObjectCount,
	      CK_ULONG_PTR pulObjectCount)
{
    struct session_state *state;
    int i;

    st_logf("FindObjects\n");

    VERIFY_SESSION_HANDLE(hSession, &state);

    if (state->find.next_object == -1) {
	application_error("application didn't do C_FindObjectsInit\n");
	return CKR_ARGUMENTS_BAD;
    }
    if (ulMaxObjectCount == 0) {
	application_error("application asked for 0 objects\n");
	return CKR_ARGUMENTS_BAD;
    }
    *pulObjectCount = 0;
    for (i = state->find.next_object; i < soft_token.object.num_objs; i++) {
	st_logf("FindObjects: %d\n", i);
	state->find.next_object = i + 1;
	if (attributes_match(soft_token.object.objs[i],
			     state->find.attributes,
			     state->find.num_attributes)) {
	    *phObject++ = soft_token.object.objs[i]->object_handle;
	    ulMaxObjectCount--;
	    (*pulObjectCount)++;
	    if (ulMaxObjectCount == 0)
		break;
	}
    }
    return CKR_OK;
}

CK_RV
C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
{
    struct session_state *state;

    st_logf("FindObjectsFinal\n");
    VERIFY_SESSION_HANDLE(hSession, &state);
    find_object_final(state);
    return CKR_OK;
}

static CK_RV
commonInit(CK_ATTRIBUTE *attr_match, int attr_match_len,
	   const CK_MECHANISM_TYPE *mechs, int mechs_len,
	   const CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey,
	   struct st_object **o)
{
    CK_RV ret;
    int i;

    *o = NULL;
    if ((ret = object_handle_to_object(hKey, o)) != CKR_OK)
	return ret;

    ret = attributes_match(*o, attr_match, attr_match_len);
    if (!ret) {
	application_error("called commonInit on key that doesn't "
			  "support required attr");
	return CKR_ARGUMENTS_BAD;
    }

    for (i = 0; i < mechs_len; i++)
	if (mechs[i] == pMechanism->mechanism)
	    break;
    if (i == mechs_len) {
	application_error("called mech (%08lx) not supported\n",
			  pMechanism->mechanism);
	return CKR_ARGUMENTS_BAD;
    }
    return CKR_OK;
}


static CK_RV
dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism)
{
    CK_MECHANISM_PTR p;

    p = malloc(sizeof(*p));
    if (p == NULL)
	return CKR_DEVICE_MEMORY;

    if (*dup)
	free(*dup);
    *dup = p;
    memcpy(p, pMechanism, sizeof(*p));

    return CKR_OK;
}


CK_RV
C_EncryptInit(CK_SESSION_HANDLE hSession,
	      CK_MECHANISM_PTR pMechanism,
	      CK_OBJECT_HANDLE hKey)
{
    struct session_state *state;
    CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 };
    CK_BBOOL bool_true = CK_TRUE;
    CK_ATTRIBUTE attr[] = {
	{ CKA_ENCRYPT, &bool_true, sizeof(bool_true) }
    };
    struct st_object *o;
    CK_RV ret;

    st_logf("EncryptInit\n");
    VERIFY_SESSION_HANDLE(hSession, &state);
    
    ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), 
		     mechs, sizeof(mechs)/sizeof(mechs[0]),
		     pMechanism, hKey, &o);
    if (ret)
	return ret;

    ret = dup_mechanism(&state->encrypt_mechanism, pMechanism);
    if (ret == CKR_OK) 
	state->encrypt_object = OBJECT_ID(o);
			
    return ret;
}

CK_RV
C_Encrypt(CK_SESSION_HANDLE hSession,
	  CK_BYTE_PTR pData,
	  CK_ULONG ulDataLen,
	  CK_BYTE_PTR pEncryptedData,
	  CK_ULONG_PTR pulEncryptedDataLen)
{
    struct session_state *state;
    struct st_object *o;
    void *buffer = NULL;
    CK_RV ret;
    RSA *rsa;
    int padding, len, buffer_len, padding_len;

    st_logf("Encrypt\n");

    VERIFY_SESSION_HANDLE(hSession, &state);

    if (state->encrypt_object == -1)
	return CKR_ARGUMENTS_BAD;

    o = soft_token.object.objs[state->encrypt_object];

    if (o->u.public_key == NULL) {
	st_logf("public key NULL\n");
	return CKR_ARGUMENTS_BAD;
    }

    rsa = o->u.public_key->pkey.rsa;

    if (rsa == NULL)
	return CKR_ARGUMENTS_BAD;

    RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */

    buffer_len = RSA_size(rsa);

    buffer = malloc(buffer_len);
    if (buffer == NULL) {
	ret = CKR_DEVICE_MEMORY;
	goto out;
    }

    ret = CKR_OK;
    switch(state->encrypt_mechanism->mechanism) {
    case CKM_RSA_PKCS:
	padding = RSA_PKCS1_PADDING;
	padding_len = RSA_PKCS1_PADDING_SIZE;
	break;
    case CKM_RSA_X_509:
	padding = RSA_NO_PADDING;
	padding_len = 0;
	break;
    default:
	ret = CKR_FUNCTION_NOT_SUPPORTED;
	goto out;
    }

    if (buffer_len + padding_len < (long) ulDataLen) {
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pulEncryptedDataLen == NULL) {
	st_logf("pulEncryptedDataLen NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pData == NULL_PTR) {
	st_logf("data NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    len = RSA_public_encrypt(ulDataLen, pData, buffer, rsa, padding);
    if (len <= 0) {
	ret = CKR_DEVICE_ERROR;
	goto out;
    }
    if (len > buffer_len)
	abort();
	
    if (pEncryptedData != NULL_PTR)
	memcpy(pEncryptedData, buffer, len);
    *pulEncryptedDataLen = len;

 out:
    if (buffer) {
	memset(buffer, 0, buffer_len);
	free(buffer);
    }
    return ret;
}

CK_RV
C_EncryptUpdate(CK_SESSION_HANDLE hSession,
		CK_BYTE_PTR pPart,
		CK_ULONG ulPartLen,
		CK_BYTE_PTR pEncryptedPart,
		CK_ULONG_PTR pulEncryptedPartLen)
{
    st_logf("EncryptUpdate\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}


CK_RV
C_EncryptFinal(CK_SESSION_HANDLE hSession,
	       CK_BYTE_PTR pLastEncryptedPart,
	       CK_ULONG_PTR pulLastEncryptedPartLen)
{
    st_logf("EncryptFinal\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}


/* C_DecryptInit initializes a decryption operation. */
CK_RV
C_DecryptInit(CK_SESSION_HANDLE hSession,
	      CK_MECHANISM_PTR pMechanism,
	      CK_OBJECT_HANDLE hKey)
{
    struct session_state *state;
    CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 };
    CK_BBOOL bool_true = CK_TRUE;
    CK_ATTRIBUTE attr[] = {
	{ CKA_DECRYPT, &bool_true, sizeof(bool_true) }
    };
    struct st_object *o;
    CK_RV ret;

    st_logf("DecryptInit\n");
    VERIFY_SESSION_HANDLE(hSession, &state);
    
    ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), 
		     mechs, sizeof(mechs)/sizeof(mechs[0]),
		     pMechanism, hKey, &o);
    if (ret)
	return ret;

    ret = dup_mechanism(&state->decrypt_mechanism, pMechanism);
    if (ret == CKR_OK) 
	state->decrypt_object = OBJECT_ID(o);

    return CKR_OK;
}


CK_RV
C_Decrypt(CK_SESSION_HANDLE hSession,
	  CK_BYTE_PTR       pEncryptedData,
	  CK_ULONG          ulEncryptedDataLen,
	  CK_BYTE_PTR       pData,
	  CK_ULONG_PTR      pulDataLen)
{
    struct session_state *state;
    struct st_object *o;
    void *buffer = NULL;
    CK_RV ret;
    RSA *rsa;
    int padding, len, buffer_len, padding_len;

    st_logf("Decrypt\n");

    VERIFY_SESSION_HANDLE(hSession, &state);

    if (state->decrypt_object == -1)
	return CKR_ARGUMENTS_BAD;

    o = soft_token.object.objs[state->decrypt_object];

    if (o->u.private_key.key == NULL) {
	st_logf("private key NULL\n");
	return CKR_ARGUMENTS_BAD;
    }

    rsa = o->u.private_key.key->pkey.rsa;

    if (rsa == NULL)
	return CKR_ARGUMENTS_BAD;

    RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */

    buffer_len = RSA_size(rsa);

    buffer = malloc(buffer_len);
    if (buffer == NULL) {
	ret = CKR_DEVICE_MEMORY;
	goto out;
    }

    ret = CKR_OK;
    switch(state->decrypt_mechanism->mechanism) {
    case CKM_RSA_PKCS:
	padding = RSA_PKCS1_PADDING;
	padding_len = RSA_PKCS1_PADDING_SIZE;
	break;
    case CKM_RSA_X_509:
	padding = RSA_NO_PADDING;
	padding_len = 0;
	break;
    default:
	ret = CKR_FUNCTION_NOT_SUPPORTED;
	goto out;
    }

    if (buffer_len + padding_len < (long) ulEncryptedDataLen) {
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pulDataLen == NULL) {
	st_logf("pulDataLen NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pEncryptedData == NULL_PTR) {
	st_logf("data NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    len = RSA_private_decrypt(ulEncryptedDataLen, pEncryptedData, buffer, 
			      rsa, padding);
    if (len <= 0) {
	ret = CKR_DEVICE_ERROR;
	goto out;
    }
    if (len > buffer_len)
	abort();
	
    if (pData != NULL_PTR)
	memcpy(pData, buffer, len);
    *pulDataLen = len;

 out:
    if (buffer) {
	memset(buffer, 0, buffer_len);
	free(buffer);
    }
    return ret;
}


CK_RV
C_DecryptUpdate(CK_SESSION_HANDLE hSession,
		CK_BYTE_PTR pEncryptedPart,
		CK_ULONG ulEncryptedPartLen,
		CK_BYTE_PTR pPart,
		CK_ULONG_PTR pulPartLen)

{
    st_logf("DecryptUpdate\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}


CK_RV
C_DecryptFinal(CK_SESSION_HANDLE hSession,
	       CK_BYTE_PTR pLastPart,
	       CK_ULONG_PTR pulLastPartLen)
{
    st_logf("DecryptFinal\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_DigestInit(CK_SESSION_HANDLE hSession,
	     CK_MECHANISM_PTR pMechanism)
{
    st_logf("DigestInit\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_SignInit(CK_SESSION_HANDLE hSession,
	   CK_MECHANISM_PTR pMechanism,
	   CK_OBJECT_HANDLE hKey)
{
    struct session_state *state;
    CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 };
    CK_BBOOL bool_true = CK_TRUE;
    CK_ATTRIBUTE attr[] = {
	{ CKA_SIGN, &bool_true, sizeof(bool_true) }
    };
    struct st_object *o;
    CK_RV ret;

    st_logf("SignInit\n");
    VERIFY_SESSION_HANDLE(hSession, &state);
    
    ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), 
		     mechs, sizeof(mechs)/sizeof(mechs[0]),
		     pMechanism, hKey, &o);
    if (ret)
	return ret;

    ret = dup_mechanism(&state->sign_mechanism, pMechanism);
    if (ret == CKR_OK) 
	state->sign_object = OBJECT_ID(o);

    return CKR_OK;
}

CK_RV
C_Sign(CK_SESSION_HANDLE hSession,
       CK_BYTE_PTR pData,
       CK_ULONG ulDataLen,
       CK_BYTE_PTR pSignature,
       CK_ULONG_PTR pulSignatureLen)
{
    struct session_state *state;
    struct st_object *o;
    void *buffer = NULL;
    CK_RV ret;
    RSA *rsa;
    int padding, len, buffer_len;
    size_t padding_len;

    st_logf("Sign\n");
    VERIFY_SESSION_HANDLE(hSession, &state);

    if (state->sign_object == -1)
	return CKR_ARGUMENTS_BAD;

    o = soft_token.object.objs[state->sign_object];

    if (o->u.private_key.key == NULL) {
	st_logf("private key NULL\n");
	return CKR_ARGUMENTS_BAD;
    }

    rsa = o->u.private_key.key->pkey.rsa;

    if (rsa == NULL)
	return CKR_ARGUMENTS_BAD;

    RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */

    buffer_len = RSA_size(rsa);

    buffer = malloc(buffer_len);
    if (buffer == NULL) {
	ret = CKR_DEVICE_MEMORY;
	goto out;
    }

    switch(state->sign_mechanism->mechanism) {
    case CKM_RSA_PKCS:
	padding = RSA_PKCS1_PADDING;
	padding_len = RSA_PKCS1_PADDING_SIZE;
	break;
    case CKM_RSA_X_509:
	padding = RSA_NO_PADDING;
	padding_len = 0;
	break;
    default:
	ret = CKR_FUNCTION_NOT_SUPPORTED;
	goto out;
    }

    if ((size_t) buffer_len < ulDataLen + padding_len) {
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pulSignatureLen == NULL) {
	st_logf("signature len NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pData == NULL_PTR) {
	st_logf("data NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    len = RSA_private_encrypt(ulDataLen, pData, buffer, rsa, padding);
    st_logf("private encrypt done\n");
    if (len <= 0) {
	ret = CKR_DEVICE_ERROR;
	goto out;
    }
    if (len > buffer_len)
	abort();
	
    if (pSignature != NULL_PTR)
	memcpy(pSignature, buffer, len);
    *pulSignatureLen = len;

    ret = CKR_OK;

 out:
    if (buffer) {
	memset(buffer, 0, buffer_len);
	free(buffer);
    }
    return ret;
}

CK_RV
C_SignUpdate(CK_SESSION_HANDLE hSession,
	     CK_BYTE_PTR pPart,
	     CK_ULONG ulPartLen)
{
    st_logf("SignUpdate\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}


CK_RV
C_SignFinal(CK_SESSION_HANDLE hSession,
	    CK_BYTE_PTR pSignature,
	    CK_ULONG_PTR pulSignatureLen)
{
    st_logf("SignUpdate\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_VerifyInit(CK_SESSION_HANDLE hSession,
	     CK_MECHANISM_PTR pMechanism,
	     CK_OBJECT_HANDLE hKey)
{
    struct session_state *state;
    CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS, CKM_RSA_X_509 };
    CK_BBOOL bool_true = CK_TRUE;
    CK_ATTRIBUTE attr[] = {
	{ CKA_VERIFY, &bool_true, sizeof(bool_true) }
    };
    struct st_object *o;
    CK_RV ret;

    st_logf("VerifyInit\n");
    VERIFY_SESSION_HANDLE(hSession, &state);
    
    ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]), 
		     mechs, sizeof(mechs)/sizeof(mechs[0]),
		     pMechanism, hKey, &o);
    if (ret)
	return ret;

    ret = dup_mechanism(&state->verify_mechanism, pMechanism);
    if (ret == CKR_OK) 
	state->verify_object = OBJECT_ID(o);
			
    return ret;
}

CK_RV
C_Verify(CK_SESSION_HANDLE hSession,
	 CK_BYTE_PTR pData,
	 CK_ULONG ulDataLen,
	 CK_BYTE_PTR pSignature,
	 CK_ULONG ulSignatureLen)
{
    struct session_state *state;
    struct st_object *o;
    void *buffer = NULL;
    CK_RV ret;
    RSA *rsa;
    int padding, len, buffer_len;

    st_logf("Verify\n");
    VERIFY_SESSION_HANDLE(hSession, &state);

    if (state->verify_object == -1)
	return CKR_ARGUMENTS_BAD;

    o = soft_token.object.objs[state->verify_object];

    if (o->u.public_key == NULL) {
	st_logf("public key NULL\n");
	return CKR_ARGUMENTS_BAD;
    }

    rsa = o->u.public_key->pkey.rsa;

    if (rsa == NULL)
	return CKR_ARGUMENTS_BAD;

    RSA_blinding_off(rsa); /* XXX RAND is broken while running in mozilla ? */

    buffer_len = RSA_size(rsa);

    buffer = malloc(buffer_len);
    if (buffer == NULL) {
	ret = CKR_DEVICE_MEMORY;
	goto out;
    }

    ret = CKR_OK;
    switch(state->verify_mechanism->mechanism) {
    case CKM_RSA_PKCS:
	padding = RSA_PKCS1_PADDING;
	break;
    case CKM_RSA_X_509:
	padding = RSA_NO_PADDING;
	break;
    default:
	ret = CKR_FUNCTION_NOT_SUPPORTED;
	goto out;
    }

    if (buffer_len < (long) ulDataLen) {
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pSignature == NULL) {
	st_logf("signature NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    if (pData == NULL_PTR) {
	st_logf("data NULL\n");
	ret = CKR_ARGUMENTS_BAD;
	goto out;
    }

    len = RSA_public_decrypt(ulDataLen, pData, buffer, rsa, padding);
    st_logf("private encrypt done\n");
    if (len <= 0) {
	ret = CKR_DEVICE_ERROR;
	goto out;
    }
    if (len > buffer_len)
	abort();
	
    if ((size_t) len != ulSignatureLen) {
	ret = CKR_GENERAL_ERROR;
	goto out;
    }
	
    if (memcmp(pSignature, buffer, len) != 0) {
	ret = CKR_GENERAL_ERROR;
	goto out;
    }

 out:
    if (buffer) {
	memset(buffer, 0, buffer_len);
	free(buffer);
    }
    return ret;
}


CK_RV
C_VerifyUpdate(CK_SESSION_HANDLE hSession,
	       CK_BYTE_PTR pPart,
	       CK_ULONG ulPartLen)
{
    st_logf("VerifyUpdate\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_VerifyFinal(CK_SESSION_HANDLE hSession,
	      CK_BYTE_PTR pSignature,
	      CK_ULONG ulSignatureLen)
{
    st_logf("VerifyFinal\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}

CK_RV
C_GenerateRandom(CK_SESSION_HANDLE hSession,
		 CK_BYTE_PTR RandomData,
		 CK_ULONG ulRandomLen)
{
    st_logf("GenerateRandom\n");
    VERIFY_SESSION_HANDLE(hSession, NULL);
    return CKR_FUNCTION_NOT_SUPPORTED;
}


CK_FUNCTION_LIST funcs = {
    { 2, 11 },
    C_Initialize,
    C_Finalize,
    C_GetInfo,
    C_GetFunctionList,
    C_GetSlotList,
    C_GetSlotInfo,
    C_GetTokenInfo,
    C_GetMechanismList,
    C_GetMechanismInfo,
    C_InitToken,
    (void *)func_not_supported, /* C_InitPIN */
    (void *)func_not_supported, /* C_SetPIN */
    C_OpenSession,
    C_CloseSession,
    C_CloseAllSessions,
    C_GetSessionInfo,
    (void *)func_not_supported, /* C_GetOperationState */
    (void *)func_not_supported, /* C_SetOperationState */
    C_Login,
    C_Logout,
    (void *)func_not_supported, /* C_CreateObject */
    (void *)func_not_supported, /* C_CopyObject */
    (void *)func_not_supported, /* C_DestroyObject */
    (void *)func_not_supported, /* C_GetObjectSize */
    C_GetAttributeValue,
    (void *)func_not_supported, /* C_SetAttributeValue */
    C_FindObjectsInit,
    C_FindObjects,
    C_FindObjectsFinal,
    C_EncryptInit,
    C_Encrypt,
    C_EncryptUpdate,
    C_EncryptFinal,
    C_DecryptInit,
    C_Decrypt,
    C_DecryptUpdate,
    C_DecryptFinal,
    C_DigestInit,
    (void *)func_not_supported, /* C_Digest */
    (void *)func_not_supported, /* C_DigestUpdate */
    (void *)func_not_supported, /* C_DigestKey */
    (void *)func_not_supported, /* C_DigestFinal */
    C_SignInit,
    C_Sign,
    C_SignUpdate,
    C_SignFinal,
    (void *)func_not_supported, /* C_SignRecoverInit */
    (void *)func_not_supported, /* C_SignRecover */
    C_VerifyInit,
    C_Verify,
    C_VerifyUpdate,
    C_VerifyFinal,
    (void *)func_not_supported, /* C_VerifyRecoverInit */
    (void *)func_not_supported, /* C_VerifyRecover */
    (void *)func_not_supported, /* C_DigestEncryptUpdate */
    (void *)func_not_supported, /* C_DecryptDigestUpdate */
    (void *)func_not_supported, /* C_SignEncryptUpdate */
    (void *)func_not_supported, /* C_DecryptVerifyUpdate */
    (void *)func_not_supported, /* C_GenerateKey */
    (void *)func_not_supported, /* C_GenerateKeyPair */
    (void *)func_not_supported, /* C_WrapKey */
    (void *)func_not_supported, /* C_UnwrapKey */
    (void *)func_not_supported, /* C_DeriveKey */
    (void *)func_not_supported, /* C_SeedRandom */
    C_GenerateRandom,
    (void *)func_not_supported, /* C_GetFunctionStatus */
    (void *)func_not_supported, /* C_CancelFunction */
    (void *)func_not_supported  /* C_WaitForSlotEvent */
};
* PKCS#11 whitelist
* PIN is not required for removing card
* Make sure ssh-agent is built with correct paths to helper
--
regress/agent-pkcs11.sh | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

Lines 4-13 Link Here

(-)a/regress/agent-pkcs11.sh (-5 / +10 lines)
4	tid="pkcs11 agent test"	4	tid="pkcs11 agent test"
5		5
6	TEST_SSH_PIN=""	6	TEST_SSH_PIN=""
7	TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0	7	TEST_SSH_PKCS11=$OBJ/soft-pkcs11.so
8		8
9	test -f "$TEST_SSH_PKCS11" \|\| fatal "$TEST_SSH_PKCS11 does not exist"	9	test -f "$TEST_SSH_PKCS11" \|\| fatal "$TEST_SSH_PKCS11 does not exist"
10		10
		11	# requires ssh-agent built with correct path to ssh-pkcs11-helper
		12	# otherwise it fails to start the helper
		13	strings ${TEST_SSH_SSHAGENT} \| grep "$TEST_SSH_SSHPKCS11HELPER"
		14	if [ $? -ne 0 ]; then
		15	fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"
		16	fi
		17
11	# setup environment for soft-pkcs11 token	18	# setup environment for soft-pkcs11 token
12	SOFTPKCS11RC=$OBJ/pkcs11.info	19	SOFTPKCS11RC=$OBJ/pkcs11.info
13	export SOFTPKCS11RC	20	export SOFTPKCS11RC
Lines 23-29 notty() { Link Here
23	}	30	}
24		31
25	trace "start agent"	32	trace "start agent"
26	eval `${SSHAGENT} -s` > /dev/null	33	eval `${SSHAGENT} -s -P "${OBJ}/*"` > /dev/null
27	r=$?	34	r=$?
28	if [ $r -ne 0 ]; then	35	if [ $r -ne 0 ]; then
29	fail "could not start ssh-agent: exit code $r"	36	fail "could not start ssh-agent: exit code $r"
Lines 60-66 else Link Here
60	fi	67	fi
61		68
62	trace "remove pkcs11 keys"	69	trace "remove pkcs11 keys"
63	echo ${TEST_SSH_PIN} \| notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1	70	${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
64	r=$?	71	r=$?
65	if [ $r -ne 0 ]; then	72	if [ $r -ne 0 ]; then
66	fail "ssh-add -e failed: exit code $r"	73	fail "ssh-add -e failed: exit code $r"
67	-
68	option	74	option
69	--
70	regress/pkcs11.sh \| 9 +++++++++	75	regress/pkcs11.sh \| 9 +++++++++
71	ssh-pkcs11.c \| 7 ++++---	76	ssh-pkcs11.c \| 7 ++++---
72	2 files changed, 13 insertions(+), 3 deletions(-)	77	2 files changed, 13 insertions(+), 3 deletions(-)

Lines 151-156 if [ $r -eq 5 ]; then Link Here

(-)a/regress/pkcs11.sh (+9 lines)
151	"succeeded (should fail)"	151	"succeeded (should fail)"
152	fi	152	fi
153		153
		154	trace "Regress: Missing provider in PKCS11URI option"
		155	${SSH} -F $OBJ/ssh_proxy \
		156	-o PKCS11URI='pkcs11:token=segfault' somehost exit 5
		157	r=$?
		158	if [ $r -eq 139 ]; then
		159	fail "ssh connect with missing provider_id from configuration option" \
		160	"crashed (exit code $r)"
		161	fi
		162
154		163
155	trace "SSH Agent can work with PKCS#11 URI"	164	trace "SSH Agent can work with PKCS#11 URI"
156	trace "start the agent"	165	trace "start the agent"




	CK_FUNCTION_LIST *f = NULL;
	CK_TOKEN_INFO *token;
	CK_ULONG i;
	char *provider_id = NULL;
	char *provider_uri = pkcs11_uri_get(uri);

	/* if no provider specified, fallback to p11-kit */
	if (uri->module_path == NULL)
		provider_id = strdup(PKCS11_DEFAULT_PROVIDER);
	else
		provider_id = strdup(uri->module_path);

	debug("%s: called, provider_uri = %s", __func__, provider_uri);

- 
configure time
--
configure.ac     | 37 +++++++++++++++++++++++++++++++++++++
ssh-pkcs11-uri.h |  2 --
ssh-pkcs11.c     | 12 ++++++++----
3 files changed, 45 insertions(+), 6 deletions(-)




	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])

SCARD_MSG="yes"
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
	[  --disable-pkcs11        disable PKCS#11 support code [no]],
	[
		if test "x$enableval" = "xno" ; then
			disable_pkcs11=1
			SCARD_MSG="no"
		fi
	]
)

	)
fi

# Check whether we have a p11-kit, we got default provider on command line
DEFAULT_PKCS11_PROVIDER_MSG="no"
AC_ARG_WITH([default-pkcs11-provider],
	[  --with-default-pkcs11-provider[[=PATH]]   Use default pkcs11 provider (p11-kit detected by default)],
	[ if test "x$withval" != "xno" && test "x$disable_pkcs11" = "x"; then
		if test "x$withval" = "xyes" ; then
			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
			if test "x$PKGCONFIG" != "xno"; then
				AC_MSG_CHECKING([if $PKGCONFIG knows about p11-kit])
				if "$PKGCONFIG" "p11-kit-1"; then
					AC_MSG_RESULT([yes])
					use_pkgconfig_for_p11kit=yes
				else
					AC_MSG_RESULT([no])
				fi
			fi
		else
			PKCS11_PATH="${withval}"
		fi
		if test "x$use_pkgconfig_for_p11kit" = "xyes"; then
			PKCS11_PATH=`$PKGCONFIG --variable=proxy_module p11-kit-1`
		fi
		AC_CHECK_FILE("$PKCS11_PATH",
			[ AC_DEFINE_UNQUOTED([PKCS11_DEFAULT_PROVIDER], ["$PKCS11_PATH"], [Path to default PKCS#11 provider (p11-kit proxy)])
			  DEFAULT_PKCS11_PROVIDER_MSG="$PKCS11_PATH"
			],
			[ AC_MSG_ERROR([Requested PKCS11 provided not found]) ]
		)
	else
		AC_MSG_WARN([Needs PKCS11 support to enable default pkcs11 provider])
	fi ]
)


# IRIX has a const char return value for gai_strerror()
AC_CHECK_FUNCS([gai_strerror], [
	AC_DEFINE([HAVE_GAI_STRERROR])

echo "                  BSD Auth support: $BSD_AUTH_MSG"
echo "              Random number source: $RAND_MSG"
echo "             Privsep sandbox style: $SANDBOX_STYLE"
echo "          Default PKCS#11 provider: $DEFAULT_PKCS11_PROVIDER_MSG"

echo ""


Lines 17-24 Link Here

(-)a/ssh-pkcs11-uri.h (-2 lines)
17	*/	17	*/
18		18
19	#define PKCS11_URI_SCHEME "pkcs11:"	19	#define PKCS11_URI_SCHEME "pkcs11:"
20	#define PKCS11_DEFAULT_PROVIDER "/usr/lib64/p11-kit-proxy.so"
21
22	#define PKCS11_URI_WHITELIST "abcdefghijklmnopqrstuvwxyz" \	20	#define PKCS11_URI_WHITELIST "abcdefghijklmnopqrstuvwxyz" \
23	"ABCDEFGHIJKLMNOPQRSTUVWXYZ" \	21	"ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
24	"0123456789_-.()"	22	"0123456789_-.()"

Lines 701-714 pkcs11_add_provider_by_uri(struct pkcs11_uri uri, char pin, struct sshkey ***k Link Here

(-)a/ssh-pkcs11.c (-6 / +8 lines)
701	char *provider_id = NULL;	701	char *provider_id = NULL;
702	char *provider_uri = pkcs11_uri_get(uri);	702	char *provider_uri = pkcs11_uri_get(uri);
703		703
		704	debug("%s: called, provider_uri = %s", __func__, provider_uri);
		705
704	/* if no provider specified, fallback to p11-kit */	706	/* if no provider specified, fallback to p11-kit */
705	if (uri->module_path == NULL)	707	if (uri->module_path == NULL) {
		708	#ifdef PKCS11_DEFAULT_PROVIDER
706	provider_id = strdup(PKCS11_DEFAULT_PROVIDER);	709	provider_id = strdup(PKCS11_DEFAULT_PROVIDER);
707	else	710	#else
		711	error("%s: No module path provided", __func__);
		712	#endif
		713	} else
708	provider_id = strdup(uri->module_path);	714	provider_id = strdup(uri->module_path);
709		715
710	debug("%s: called, provider_uri = %s", __func__, provider_uri);
711
712	*keyp = NULL;	716	*keyp = NULL;
713	if (pkcs11_provider_lookup(provider_uri) != NULL) {	717	if (pkcs11_provider_lookup(provider_uri) != NULL) {
714	debug("%s: provider already registered: %s",	718	debug("%s: provider already registered: %s",
715	-
716	--
717	ssh-pkcs11-uri.c \| 14 +++++++-------	719	ssh-pkcs11-uri.c \| 14 +++++++-------
718	1 file changed, 7 insertions(+), 7 deletions(-)	720	1 file changed, 7 insertions(+), 7 deletions(-)




			break;
		opcode = parse_token(tok);
		if (opcode == pBadOption) {
			verbose("Unknown key in PKCS#11 URI: %s", tok);
			return -1;
		}


		case pId:
			/* CKA_ID */
			if (pkcs11->id != NULL) {
				verbose("%s: The id already set in the PKCS#11 URI",
					__func__);
				rv = -1;
			}
			len = percent_decode(arg, &pkcs11->id);
			if (len <= 0) {
				verbose("%s: Failed to percent-decode CKA_ID: %s",
				    __func__, arg);
				rv = -1;
			} else

			charptr = &pkcs11->token;
 parse_string:
			if (*charptr != NULL) {
				verbose("%s: The %s already set in the PKCS#11 URI",
				    keywords[opcode].name, __func__);
				rv = -1;
			}

		case pBadOption:
		default:
			/* Unrecognized attribute in the URI path SHOULD be error */
			verbose("%s: Unknown part of path in PKCS#11 URI: %s",
			    __func__, tok);
			rv = -1;
		}

		    PKCS11_URI_VALUE_SEPARATOR, key_len) == 0) {
			/* module-path is PKCS11Provider */
			if (pkcs11->module_path != NULL) {
				verbose("%s: Multiple module-path attributes are"
				    "not supported the PKCS#11 URI", __func__);
				rv = -1;
			}

		/* } else if ( pin-value ) { */
		} else {
			/* Unrecognized attribute in the URI query SHOULD be ignored */
			verbose("%s: Unknown part of query in PKCS#11 URI: %s",
			    __func__, tok);
		}
	}
- 
--
regress/pkcs11.sh                | 35 ++++++++++++++++++
regress/unittests/pkcs11/tests.c | 57 ++++++++++++++++++-----------
ssh-agent.c                      |  2 +-
ssh-pkcs11-uri.c                 | 20 ++++++++++-
ssh-pkcs11-uri.h                 |  1 +
ssh-pkcs11.c                     | 78 +++++++++++++++++++++++++---------------
6 files changed, 142 insertions(+), 51 deletions(-)




	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
fi

trace "Connect with various filtering options in PKCS#11 URI"
trace "  (by object label, second key should succeed)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
    -i "pkcs11:object=SSH%20RSA%20Key%202?module-path=${TEST_SSH_PKCS11}" somehost exit 5
r=$?
if [ $r -ne 5 ]; then
	fail "ssh connect with PKCS#11 URI failed (exit code $r)"
fi

trace "  (by object label, first key should fail)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
     -i "pkcs11:object=SSH%20RSA%20Key?module-path=${TEST_SSH_PKCS11}" somehost exit 5
r=$?
if [ $r -eq 5 ]; then
	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
fi

trace "  (by token label, second key should succeed)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
    -i "pkcs11:id=${ID2};token=SoftToken%20(token)?module-path=${TEST_SSH_PKCS11}" somehost exit 5
r=$?
if [ $r -ne 5 ]; then
	fail "ssh connect with PKCS#11 URI failed (exit code $r)"
fi

trace "  (by wrong token label, should fail)"
echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \
     -i "pkcs11:token=SoftToken?module-path=${TEST_SSH_PKCS11}" somehost exit 5
r=$?
if [ $r -eq 5 ]; then
	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
fi




trace "Test PKCS#11 URI specification in configuration files"
echo "PKCS11URI pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \

Lines 25-31 Link Here

(-)a/regress/unittests/pkcs11/tests.c (-21 / +36 lines)
25		25
26	#include "ssh-pkcs11-uri.h"	26	#include "ssh-pkcs11-uri.h"
27		27
28	#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL)	28	#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL)
29		29
30	/* prototypes are not public -- specify them here internally for tests */	30	/* prototypes are not public -- specify them here internally for tests */
31	struct sshbuf percent_encode(const char , size_t, char *);	31	struct sshbuf percent_encode(const char , size_t, char *);
Lines 38-43 compare_uri(struct pkcs11_uri a, struct pkcs11_uri b) Link Here
38	ASSERT_PTR_NE(b, NULL);	38	ASSERT_PTR_NE(b, NULL);
39	ASSERT_SIZE_T_EQ(a->id_len, b->id_len);	39	ASSERT_SIZE_T_EQ(a->id_len, b->id_len);
40	ASSERT_MEM_EQ(a->id, b->id, a->id_len);	40	ASSERT_MEM_EQ(a->id, b->id, a->id_len);
		41	if (b->object != NULL)
		42	ASSERT_STRING_EQ(a->object, b->object);
		43	else /* both should be null */
		44	ASSERT_PTR_EQ(a->object, b->object);
41	if (b->module_path != NULL)	45	if (b->module_path != NULL)
42	ASSERT_STRING_EQ(a->module_path, b->module_path);	46	ASSERT_STRING_EQ(a->module_path, b->module_path);
43	else /* both should be null */	47	else /* both should be null */
Lines 88-94 check_parse(char uri, struct pkcs11_uri expect) Link Here
88		92
89	struct pkcs11_uri *	93	struct pkcs11_uri *
90	compose_uri(unsigned char id, size_t id_len, char token, char *lib_manuf,	94	compose_uri(unsigned char id, size_t id_len, char token, char *lib_manuf,
91	char manuf, char module_path)	95	char manuf, char module_path, char *object)
92	{	96	{
93	struct pkcs11_uri *uri = pkcs11_uri_init();	97	struct pkcs11_uri *uri = pkcs11_uri_init();
94	if (id_len > 0) {	98	if (id_len > 0) {
Lines 99-104 compose_uri(unsigned char id, size_t id_len, char token, char *lib_manuf, Link Here
99	uri->token = token;	103	uri->token = token;
100	uri->lib_manuf = lib_manuf;	104	uri->lib_manuf = lib_manuf;
101	uri->manuf = manuf;	105	uri->manuf = manuf;
		106	uri->object = object;
102	return uri;	107	return uri;
103	}	108	}
104		109
Lines 107-143 test_parse_valid(void) Link Here
107	{	112	{
108	/* path arguments */	113	/* path arguments */
109	check_parse("pkcs11:id=%01",	114	check_parse("pkcs11:id=%01",
110	compose_uri("\x01", 1, NULL, NULL, NULL, NULL));	115	compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL));
111	check_parse("pkcs11:id=%00%01",	116	check_parse("pkcs11:id=%00%01",
112	compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL));	117	compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL));
113	check_parse("pkcs11:token=SSH%20Keys",	118	check_parse("pkcs11:token=SSH%20Keys",
114	compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL));	119	compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL));
115	check_parse("pkcs11:library-manufacturer=OpenSC",	120	check_parse("pkcs11:library-manufacturer=OpenSC",
116	compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL));	121	compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL));
117	check_parse("pkcs11:manufacturer=piv_II",	122	check_parse("pkcs11:manufacturer=piv_II",
118	compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL));	123	compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL));
		124	check_parse("pkcs11:object=SIGN%20Key",
		125	compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "SIGN Key"));
119	/* query arguments */	126	/* query arguments */
120	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",	127	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
121	compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so"));	128	compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL));
122		129
123	/* combinations */	130	/* combinations */
124	/* ID SHOULD be percent encoded */	131	/* ID SHOULD be percent encoded */
125	check_parse("pkcs11:token=SSH%20Key;id=0",	132	check_parse("pkcs11:token=SSH%20Key;id=0",
126	compose_uri("0", 1, "SSH Key", NULL, NULL, NULL));	133	compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL));
127	check_parse(	134	check_parse(
128	"pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",	135	"pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",
129	compose_uri(NULL, 0, NULL, NULL, "CAC",	136	compose_uri(NULL, 0, NULL, NULL, "CAC",
130	"/usr/lib64/p11-kit-proxy.so"));	137	"/usr/lib64/p11-kit-proxy.so", NULL));
		138	check_parse(
		139	"pkcs11:object=RSA%20Key?module-path=/usr/lib64/pkcs11/opencryptoki.so",
		140	compose_uri(NULL, 0, NULL, NULL, NULL,
		141	"/usr/lib64/pkcs11/opencryptoki.so", "RSA Key"));
131		142
132	/* empty path component matches everything */	143	/* empty path component matches everything */
133	check_parse("pkcs11:", EMPTY_URI);	144	check_parse("pkcs11:", EMPTY_URI);
134		145
135	/* empty string is a valid to match against (and different from NULL) */	146	/* empty string is a valid to match against (and different from NULL) */
136	check_parse("pkcs11:token=",	147	check_parse("pkcs11:token=",
137	compose_uri(NULL, 0, "", NULL, NULL, NULL));	148	compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL));
138	/* Percent character needs to be percent-encoded */	149	/* Percent character needs to be percent-encoded */
139	check_parse("pkcs11:token=%25",	150	check_parse("pkcs11:token=%25",
140	compose_uri(NULL, 0, "%", NULL, NULL, NULL));	151	compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL));
141	}	152	}
142		153
143	static void	154	static void
Lines 149-155 test_parse_invalid(void) Link Here
149	check_parse_rv("pkcs11:id=%ZZ", EMPTY_URI, -1);	160	check_parse_rv("pkcs11:id=%ZZ", EMPTY_URI, -1);
150	/* Space MUST be percent encoded -- XXX not enforced yet */	161	/* Space MUST be percent encoded -- XXX not enforced yet */
151	check_parse("pkcs11:token=SSH Keys",	162	check_parse("pkcs11:token=SSH Keys",
152	compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL));	163	compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL));
153	/* MUST NOT contain duplicate attributes of the same name */	164	/* MUST NOT contain duplicate attributes of the same name */
154	check_parse_rv("pkcs11:id=%01;id=%02", EMPTY_URI, -1);	165	check_parse_rv("pkcs11:id=%01;id=%02", EMPTY_URI, -1);
155	/* Unrecognized attribute in path SHOULD be error */	166	/* Unrecognized attribute in path SHOULD be error */
Lines 178-202 test_generate_valid(void) Link Here
178	{	189	{
179	/* path arguments */	190	/* path arguments */
180	check_gen("pkcs11:id=%01",	191	check_gen("pkcs11:id=%01",
181	compose_uri("\x01", 1, NULL, NULL, NULL, NULL));	192	compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL));
182	check_gen("pkcs11:id=%00%01",	193	check_gen("pkcs11:id=%00%01",
183	compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL));	194	compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL));
184	check_gen("pkcs11:token=SSH%20Keys", /* space must be percent encoded */	195	check_gen("pkcs11:token=SSH%20Keys", /* space must be percent encoded */
185	compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL));	196	compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL));
186	/* library-manufacturer is not implmented now */	197	/* library-manufacturer is not implmented now */
187	/*check_gen("pkcs11:library-manufacturer=OpenSC",	198	/*check_gen("pkcs11:library-manufacturer=OpenSC",
188	compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL));*/	199	compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL));*/
189	check_gen("pkcs11:manufacturer=piv_II",	200	check_gen("pkcs11:manufacturer=piv_II",
190	compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL));	201	compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL));
		202	check_gen("pkcs11:object=RSA%20Key",
		203	compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "RSA Key"));
191	/* query arguments */	204	/* query arguments */
192	check_gen("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",	205	check_gen("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
193	compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so"));	206	compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL));
194		207
195	/* combinations */	208	/* combinations */
196	check_gen("pkcs11:id=%02;token=SSH%20Keys",	209	check_gen("pkcs11:id=%02;token=SSH%20Keys",
197	compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL));	210	compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL, NULL));
198	check_gen("pkcs11:id=%EE%02?module-path=/usr/lib64/p11-kit-proxy.so",	211	check_gen("pkcs11:id=%EE%02?module-path=/usr/lib64/p11-kit-proxy.so",
199	compose_uri("\xEE\x02", 2, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so"));	212	compose_uri("\xEE\x02", 2, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL));
		213	check_gen("pkcs11:object=Encryption%20Key;manufacturer=piv_II",
		214	compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, "Encryption Key"));
200		215
201	/* empty path component matches everything */	216	/* empty path component matches everything */
202	check_gen("pkcs11:", EMPTY_URI);	217	check_gen("pkcs11:", EMPTY_URI);

Lines 671-677 send: Link Here

(-)a/ssh-agent.c (-1 / +1 lines)
671	static void	671	static void
672	process_remove_smartcard_key(SocketEntry *e)	672	process_remove_smartcard_key(SocketEntry *e)
673	{	673	{
674	char provider = NULL, pin = NULL, *sane_uri;	674	char provider = NULL, pin = NULL, *sane_uri = NULL;
675	int r, success = 0;	675	int r, success = 0;
676	Identity id, nxt;	676	Identity id, nxt;
677		677




#define PKCS11_URI_VALUE_SEPARATOR "="
#define PKCS11_URI_ID "id"
#define PKCS11_URI_TOKEN "token"
#define PKCS11_URI_OBJECT "object"
#define PKCS11_URI_LIB_MANUF "library-manufacturer"
#define PKCS11_URI_MANUF "manufacturer"
#define PKCS11_URI_MODULE_PATH "module-path"

/* Keyword tokens. */
typedef enum {
	pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pModulePath,
	pBadOption
} pkcs11uriOpCodes;


} keywords[] = {
	{ PKCS11_URI_ID, pId },
	{ PKCS11_URI_TOKEN, pToken },
	{ PKCS11_URI_OBJECT, pObject },
	{ PKCS11_URI_LIB_MANUF, pLibraryManufacturer },
	{ PKCS11_URI_MANUF, pManufacturer },
	{ PKCS11_URI_MODULE_PATH, pModulePath },

			goto err;
	}

	/* Write object label */
	if (uri->object) {
		struct sshbuf *label = percent_encode(uri->object, strlen(uri->object),
		    PKCS11_URI_WHITELIST);
		path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
		    PKCS11_URI_OBJECT, label);
		if (path == NULL)
			goto err;
	}

	/* Write token label */
	if (uri->token) {
		struct sshbuf *label = percent_encode(uri->token, strlen(uri->token),

	free(pkcs11->id);
	free(pkcs11->module_path);
	free(pkcs11->token);
	free(pkcs11->object);
	free(pkcs11->lib_manuf);
	free(pkcs11->manuf);
	free(pkcs11);

			    __func__, keywords[opcode].name, *charptr);
			break;

		case pObject:
			/* CK_TOKEN_INFO -> manufacturerID */
			charptr = &pkcs11->object;
			goto parse_string;

		case pManufacturer:
			/* CK_TOKEN_INFO -> manufacturerID */
			charptr = &pkcs11->manuf;

Lines 26-31 struct pkcs11_uri { Link Here

(-)a/ssh-pkcs11-uri.h (+1 lines)
26	char *id;	26	char *id;
27	size_t id_len;	27	size_t id_len;
28	char *token;	28	char *token;
		29	char *object;
29	char *lib_manuf;	30	char *lib_manuf;
30	char *manuf;	31	char *manuf;
31	/* query */	32	/* query */




	int			(*orig_finish)(RSA *rsa);
	RSA_METHOD		*rsa_method;
	char			*keyid;
	char			*label;
	int			keyid_len;
};



/*
 * This can't be in the ssh-pkcs11-uri, becase we can not depend on
 * PKCS#11 structures in ssh-agent (using client-helper communication)
 */
int
pkcs11_uri_write(const struct sshkey *key, FILE *f)

	uri.id = k11->keyid;
	uri.id_len = k11->keyid_len;
	uri.token = k11->provider->slotinfo[k11->slotidx].token.label;
	uri.object = k11->label;
	uri.module_path = k11->provider->module_path;
	uri.lib_manuf = k11->provider->info.manufacturerID;
	uri.manuf = k11->provider->slotinfo[k11->slotidx].token.manufacturerID;

		if (k11->provider)
			pkcs11_provider_unref(k11->provider);
		free(k11->keyid);
		free(k11->label);
		free(k11);
	}
	return (rv);

/* redirect private key operations for rsa key to pkcs11 token */
static int
pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
    CK_ATTRIBUTE *keyid_attrib, CK_ATTRIBUTE *label_attrib, RSA *rsa)
{
	struct pkcs11_key	*k11;
	const RSA_METHOD	*def = RSA_get_default_method();

		k11->keyid = xmalloc(k11->keyid_len);
		memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
	}
	if (label_attrib->ulValueLen > 0 ) {
		k11->label = xmalloc(label_attrib->ulValueLen+1);
		memcpy(k11->label, label_attrib->pValue, label_attrib->ulValueLen);
		k11->label[label_attrib->ulValueLen] = 0;
	}
	k11->orig_finish = RSA_meth_get_finish(def);
	if ((k11->rsa_method = RSA_meth_dup(def)) == NULL ||
	    RSA_meth_set1_name(k11->rsa_method, "pkcs11") == 0 ||

	CK_OBJECT_CLASS	cert_class = CKO_CERTIFICATE;
	CK_ATTRIBUTE		pubkey_filter[] = {
		{ CKA_CLASS, NULL, sizeof(pubkey_class) },
		{ CKA_ID, NULL, 0 },
		{ CKA_LABEL, NULL, 0 }
	};
	CK_ATTRIBUTE		cert_filter[] = {
		{ CKA_CLASS, NULL, sizeof(cert_class) },
		{ CKA_ID, NULL, 0 },
		{ CKA_LABEL, NULL, 0 }
	};
	CK_ATTRIBUTE		pubkey_attribs[] = {
		{ CKA_ID, NULL, 0 },
		{ CKA_LABEL, NULL, 0 },
		{ CKA_MODULUS, NULL, 0 },
		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
	};
	CK_ATTRIBUTE		cert_attribs[] = {
		{ CKA_ID, NULL, 0 },
		{ CKA_LABEL, NULL, 0 },
		{ CKA_SUBJECT, NULL, 0 },
		{ CKA_VALUE, NULL, 0 }
	};

	cert_filter[0].pValue = &cert_class;

	if (uri->id != NULL) {
		pubkey_filter[filter_size].pValue = uri->id;
		pubkey_filter[filter_size].ulValueLen = uri->id_len;
		cert_filter[filter_size].pValue = uri->id;
		cert_filter[filter_size].ulValueLen = uri->id_len;
		filter_size++;
	}
	if (uri->object != NULL) {
		pubkey_filter[filter_size].pValue = uri->object;
		pubkey_filter[filter_size].ulValueLen = strlen(uri->object);
		pubkey_filter[filter_size].type = CKA_LABEL;
		cert_filter[filter_size].pValue = uri->object;
		cert_filter[filter_size].ulValueLen = strlen(uri->object);
		cert_filter[filter_size].type = CKA_LABEL;
		filter_size++;
	}

	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,


static int
pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
    CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
    struct sshkey ***keysp, int *nkeys)
{
	struct sshkey		*key;

	X509 			*x509;
	EVP_PKEY		*evp = NULL;
	int			i;
	int			nattribs = 4;
	const u_char		*cp;
	CK_RV			rv;
	CK_OBJECT_HANDLE	obj;

	}
	while (1) {
		/* XXX 3 attributes in attribs[] */
		for (i = 0; i < nattribs; i++) {
			attribs[i].pValue = NULL;
			attribs[i].ulValueLen = 0;
		}

		    || nfound == 0)
			break;
		/* found a key, so figure out size of the attributes */
		if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
		    != CKR_OK) {
			error("C_GetAttributeValue failed: %lu", rv);
			continue;
		}
		/*
		 * Allow CKA_ID (always first attribute) and CKA_LABEL (second)
		 * to be empty, but ensure that none of the others are zero length.
		 * XXX assumes CKA_ID is always first.
		 */
		if (attribs[2].ulValueLen == 0 ||
		    attribs[3].ulValueLen == 0) {
			continue;
		}
		/* allocate buffers for attributes */
		for (i = 0; i < nattribs; i++) {
			if (attribs[i].ulValueLen > 0) {
				attribs[i].pValue = xmalloc(
				    attribs[i].ulValueLen);

		}

		/*
		 * retrieve ID, label, modulus and public exponent of RSA key,
		 * or ID, label, subject and value for certificates.
		 */
		rsa = NULL;
		if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
		    != CKR_OK) {
			error("C_GetAttributeValue failed: %lu", rv);
		} else if (attribs[2].type == CKA_MODULUS ) {
			if ((rsa = RSA_new()) == NULL) {
				error("RSA_new failed");
			} else {
				BIGNUM *rsa_n, *rsa_e;

				rsa_n = BN_bin2bn(attribs[2].pValue,
				    attribs[1].ulValueLen, NULL);
				rsa_e = BN_bin2bn(attribs[2].pValue,
				    attribs[2].ulValueLen, NULL);
				rsa_e = BN_bin2bn(attribs[3].pValue,
				    attribs[3].ulValueLen, NULL);
				if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0)
					error("RSA_set0_key failed");
			}
		} else {
			cp = attribs[3].pValue;
			if ((x509 = X509_new()) == NULL) {
				error("X509_new failed");
			} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
			    == NULL) {
				error("d2i_X509 failed");
			} else if ((evp = X509_get_pubkey(x509)) == NULL ||

		if (rsa)
			RSA_get0_key(rsa, &n, &e, NULL);
		if (rsa && n && e &&
		    pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
			if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
				fatal("sshkey_new failed");
			key->rsa = rsa;

		} else if (rsa) {
			RSA_free(rsa);
		}
		for (i = 0; i < nattribs; i++)
			free(attribs[i].pValue);
	}
	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
- 

Return to bug 2817

Lines 1145-1150 The argument to this keyword is the PKCS#11 shared library Link Here

(-)a/ssh_config.5 (-2 / +10 lines)
1145	.Xr ssh 1	1145	.Xr ssh 1
1146	should use to communicate with a PKCS#11 token providing the user's	1146	should use to communicate with a PKCS#11 token providing the user's
1147	private RSA key.	1147	private RSA key.
		1148	.It Cm PKCS11URI
		1149	Specifies the key to use by PKCS#11 URI.
		1150	The argument to this keyword is a subset of the PKCS#11 URI as defined
		1151	in RFC 7512 (implemented path arguments
		1152	.Cm id ,
		1153	.Cm manufacturer ,
		1154	.Cm token
		1155	and query argument
		1156	.Cm module-path
		1157	). The URI can not be in quotes.
1148	.It Cm Port	1158	.It Cm Port
1149	Specifies the port number to connect on the remote host.	1159	Specifies the port number to connect on the remote host.
1150	The default is 22.	1160	The default is 22.
1151	-
1152	* test PKCS#11 URI parser, generator	1161	* test PKCS#11 URI parser, generator
1153	* test percent_encodeer and decoder	1162	* test percent_encodeer and decoder
1154	--
1155	Makefile.in \| 16 ++	1163	Makefile.in \| 16 ++
1156	regress/Makefile \| 1 +	1164	regress/Makefile \| 1 +
1157	regress/unittests/Makefile \| 2 +-	1165	regress/unittests/Makefile \| 2 +-
1158	regress/unittests/pkcs11/Makefile \| 9 ++	1166	regress/unittests/pkcs11/Makefile \| 9 ++
1159	regress/unittests/pkcs11/tests.c \| 314 ++++++++++++++++++++++++++++++++++++++	1167	regress/unittests/pkcs11/tests.c \| 314 ++++++++++++++++++++++++++++++++++++++
1160	5 files changed, 341 insertions(+), 1 deletion(-)	1168	5 files changed, 341 insertions(+), 1 deletion(-)
1161	create mode 100644 regress/unittests/pkcs11/Makefile	1169	create mode 100644 regress/unittests/pkcs11/Makefile
1162	create mode 100644 regress/unittests/pkcs11/tests.c	1170	create mode 100644 regress/unittests/pkcs11/tests.c

Lines 1840-1851 AC_LINK_IFELSE( Link Here

(-)a/configure.ac (+37 lines)
1840	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])	1840	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1841	])	1841	])
1842		1842
		1843	SCARD_MSG="yes"
1843	disable_pkcs11=	1844	disable_pkcs11=
1844	AC_ARG_ENABLE([pkcs11],	1845	AC_ARG_ENABLE([pkcs11],
1845	[ --disable-pkcs11 disable PKCS#11 support code [no]],	1846	[ --disable-pkcs11 disable PKCS#11 support code [no]],
1846	[	1847	[
1847	if test "x$enableval" = "xno" ; then	1848	if test "x$enableval" = "xno" ; then
1848	disable_pkcs11=1	1849	disable_pkcs11=1
		1850	SCARD_MSG="no"
1849	fi	1851	fi
1850	]	1852	]
1851	)	1853	)
Lines 1858-1863 if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then Link Here
1858	)	1860	)
1859	fi	1861	fi
1860		1862
		1863	# Check whether we have a p11-kit, we got default provider on command line
		1864	DEFAULT_PKCS11_PROVIDER_MSG="no"
		1865	AC_ARG_WITH([default-pkcs11-provider],
		1866	[ --with-default-pkcs11-provider[[=PATH]] Use default pkcs11 provider (p11-kit detected by default)],
		1867	[ if test "x$withval" != "xno" && test "x$disable_pkcs11" = "x"; then
		1868	if test "x$withval" = "xyes" ; then
		1869	AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
		1870	if test "x$PKGCONFIG" != "xno"; then
		1871	AC_MSG_CHECKING([if $PKGCONFIG knows about p11-kit])
		1872	if "$PKGCONFIG" "p11-kit-1"; then
		1873	AC_MSG_RESULT([yes])
		1874	use_pkgconfig_for_p11kit=yes
		1875	else
		1876	AC_MSG_RESULT([no])
		1877	fi
		1878	fi
		1879	else
		1880	PKCS11_PATH="${withval}"
		1881	fi
		1882	if test "x$use_pkgconfig_for_p11kit" = "xyes"; then
		1883	PKCS11_PATH=`$PKGCONFIG --variable=proxy_module p11-kit-1`
		1884	fi
		1885	AC_CHECK_FILE("$PKCS11_PATH",
		1886	[ AC_DEFINE_UNQUOTED([PKCS11_DEFAULT_PROVIDER], ["$PKCS11_PATH"], [Path to default PKCS#11 provider (p11-kit proxy)])
		1887	DEFAULT_PKCS11_PROVIDER_MSG="$PKCS11_PATH"
		1888	],
		1889	[ AC_MSG_ERROR([Requested PKCS11 provided not found]) ]
		1890	)
		1891	else
		1892	AC_MSG_WARN([Needs PKCS11 support to enable default pkcs11 provider])
		1893	fi ]
		1894	)
		1895
		1896
1861	# IRIX has a const char return value for gai_strerror()	1897	# IRIX has a const char return value for gai_strerror()
1862	AC_CHECK_FUNCS([gai_strerror], [	1898	AC_CHECK_FUNCS([gai_strerror], [
1863	AC_DEFINE([HAVE_GAI_STRERROR])	1899	AC_DEFINE([HAVE_GAI_STRERROR])
Lines 5134-5139 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" Link Here
5134	echo " BSD Auth support: $BSD_AUTH_MSG"	5170	echo " BSD Auth support: $BSD_AUTH_MSG"
5135	echo " Random number source: $RAND_MSG"	5171	echo " Random number source: $RAND_MSG"
5136	echo " Privsep sandbox style: $SANDBOX_STYLE"	5172	echo " Privsep sandbox style: $SANDBOX_STYLE"
		5173	echo " Default PKCS#11 provider: $DEFAULT_PKCS11_PROVIDER_MSG"
5137		5174
5138	echo ""	5175	echo ""
5139		5176

Lines 289-295 pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11) Link Here

(-)a/ssh-pkcs11-uri.c (-9 / +7 lines)
289	break;	289	break;
290	opcode = parse_token(tok);	290	opcode = parse_token(tok);
291	if (opcode == pBadOption) {	291	if (opcode == pBadOption) {
292	error("Unknown key in PKCS#11 URI: %s", tok);	292	verbose("Unknown key in PKCS#11 URI: %s", tok);
293	return -1;	293	return -1;
294	}	294	}
295		295
Lines 298-310 pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11) Link Here
298	case pId:	298	case pId:
299	/* CKA_ID */	299	/* CKA_ID */
300	if (pkcs11->id != NULL) {	300	if (pkcs11->id != NULL) {
301	error("%s: The id already set in the PKCS#11 URI",	301	verbose("%s: The id already set in the PKCS#11 URI",
302	__func__);	302	__func__);
303	rv = -1;	303	rv = -1;
304	}	304	}
305	len = percent_decode(arg, &pkcs11->id);	305	len = percent_decode(arg, &pkcs11->id);
306	if (len <= 0) {	306	if (len <= 0) {
307	error("%s: Failed to percent-decode CKA_ID: %s",	307	verbose("%s: Failed to percent-decode CKA_ID: %s",
308	__func__, arg);	308	__func__, arg);
309	rv = -1;	309	rv = -1;
310	} else	310	} else
Lines 317-323 pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11) Link Here
317	charptr = &pkcs11->token;	317	charptr = &pkcs11->token;
318	parse_string:	318	parse_string:
319	if (*charptr != NULL) {	319	if (*charptr != NULL) {
320	error("%s: The %s already set in the PKCS#11 URI",	320	verbose("%s: The %s already set in the PKCS#11 URI",
321	keywords[opcode].name, __func__);	321	keywords[opcode].name, __func__);
322	rv = -1;	322	rv = -1;
323	}	323	}
Lines 339-345 pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11) Link Here
339	case pBadOption:	339	case pBadOption:
340	default:	340	default:
341	/* Unrecognized attribute in the URI path SHOULD be error */	341	/* Unrecognized attribute in the URI path SHOULD be error */
342	error("%s: Unknown part of path in PKCS#11 URI: %s",	342	verbose("%s: Unknown part of path in PKCS#11 URI: %s",
343	__func__, tok);	343	__func__, tok);
344	rv = -1;	344	rv = -1;
345	}	345	}
Lines 360-366 pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11) Link Here
360	PKCS11_URI_VALUE_SEPARATOR, key_len) == 0) {	360	PKCS11_URI_VALUE_SEPARATOR, key_len) == 0) {
361	/* module-path is PKCS11Provider */	361	/* module-path is PKCS11Provider */
362	if (pkcs11->module_path != NULL) {	362	if (pkcs11->module_path != NULL) {
363	error("%s: Multiple module-path attributes are"	363	verbose("%s: Multiple module-path attributes are"
364	"not supported the PKCS#11 URI", __func__);	364	"not supported the PKCS#11 URI", __func__);
365	rv = -1;	365	rv = -1;
366	}	366	}
Lines 370-376 pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11) Link Here
370	/* } else if ( pin-value ) { */	370	/* } else if ( pin-value ) { */
371	} else {	371	} else {
372	/* Unrecognized attribute in the URI query SHOULD be ignored */	372	/* Unrecognized attribute in the URI query SHOULD be ignored */
373	error("%s: Unknown part of query in PKCS#11 URI: %s",	373	verbose("%s: Unknown part of query in PKCS#11 URI: %s",
374	__func__, tok);	374	__func__, tok);
375	}	375	}
376	}	376	}
377	-
378	--
379	regress/pkcs11.sh \| 35 ++++++++++++++++++	377	regress/pkcs11.sh \| 35 ++++++++++++++++++
380	regress/unittests/pkcs11/tests.c \| 57 ++++++++++++++++++-----------	378	regress/unittests/pkcs11/tests.c \| 57 ++++++++++++++++++-----------
381	ssh-agent.c \| 2 +-	379	ssh-agent.c \| 2 +-
382	ssh-pkcs11-uri.c \| 20 ++++++++++-	380	ssh-pkcs11-uri.c \| 20 ++++++++++-
383	ssh-pkcs11-uri.h \| 1 +	381	ssh-pkcs11-uri.h \| 1 +
384	ssh-pkcs11.c \| 78 +++++++++++++++++++++++++---------------	382	ssh-pkcs11.c \| 78 +++++++++++++++++++++++++---------------
385	6 files changed, 142 insertions(+), 51 deletions(-)	383	6 files changed, 142 insertions(+), 51 deletions(-)

Lines 156-162 typedef enum { Link Here

(-)a/readconf.c (-1 / +14 lines)
156	oPubkeyAuthentication,	156	oPubkeyAuthentication,
157	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,	157	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
158	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,	158	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
159	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,	159	oHostKeyAlgorithms, oBindAddress, oPKCS11URI, oPKCS11Provider,
160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
Lines 207-215 static struct { Link Here
207	#ifdef ENABLE_PKCS11	207	#ifdef ENABLE_PKCS11
208	{ "smartcarddevice", oPKCS11Provider },	208	{ "smartcarddevice", oPKCS11Provider },
209	{ "pkcs11provider", oPKCS11Provider },	209	{ "pkcs11provider", oPKCS11Provider },
		210	{ "pkcs11uri", oPKCS11URI },
210	# else	211	# else
211	{ "smartcarddevice", oUnsupported },	212	{ "smartcarddevice", oUnsupported },
212	{ "pkcs11provider", oUnsupported },	213	{ "pkcs11provider", oUnsupported },
		214	{ "pkcs11uri", oUnsupported },
213	#endif	215	#endif
214	{ "rsaauthentication", oUnsupported },	216	{ "rsaauthentication", oUnsupported },
215	{ "rhostsrsaauthentication", oUnsupported },	217	{ "rhostsrsaauthentication", oUnsupported },
Lines 1099-1104 parse_char_array: Link Here
1099	charptr = &options->bind_address;	1101	charptr = &options->bind_address;
1100	goto parse_string;	1102	goto parse_string;
1101		1103
		1104	case oPKCS11URI:
		1105	/* Can't use parse_string becase it would break on equal signs */
		1106	charptr = &options->pkcs11_uri;
		1107	if (s == NULL)
		1108	fatal("%.200s line %d: Missing argument.", filename, linenum);
		1109	if (activep && charptr == NULL)
		1110	*charptr = xstrdup(s);
		1111	return 0;
		1112
1102	case oPKCS11Provider:	1113	case oPKCS11Provider:
1103	charptr = &options->pkcs11_provider;	1114	charptr = &options->pkcs11_provider;
1104	goto parse_string;	1115	goto parse_string;
Lines 1800-1805 initialize_options(Options * options) Link Here
1800	options->log_level = SYSLOG_LEVEL_NOT_SET;	1811	options->log_level = SYSLOG_LEVEL_NOT_SET;
1801	options->preferred_authentications = NULL;	1812	options->preferred_authentications = NULL;
1802	options->bind_address = NULL;	1813	options->bind_address = NULL;
		1814	options->pkcs11_uri = NULL;
1803	options->pkcs11_provider = NULL;	1815	options->pkcs11_provider = NULL;
1804	options->enable_ssh_keysign = - 1;	1816	options->enable_ssh_keysign = - 1;
1805	options->no_host_authentication_for_localhost = - 1;	1817	options->no_host_authentication_for_localhost = - 1;
Lines 2522-2527 dump_client_config(Options o, const char host) Link Here
2522	dump_cfg_string(oLogLevel, log_level_name(o->log_level));	2534	dump_cfg_string(oLogLevel, log_level_name(o->log_level));
2523	dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);	2535	dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
2524	#ifdef ENABLE_PKCS11	2536	#ifdef ENABLE_PKCS11
		2537	dump_cfg_string(oPKCS11URI, o->pkcs11_uri);
2525	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);	2538	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
2526	#endif	2539	#endif
2527	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);	2540	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);

Lines 64-69 Link Here

(-)a/ssh-add.c (+26 lines)
64	#include "misc.h"	64	#include "misc.h"
65	#include "ssherr.h"	65	#include "ssherr.h"
66	#include "digest.h"	66	#include "digest.h"
		67	#include "ssh-pkcs11-uri.h"
67		68
68	/* argv0 */	69	/* argv0 */
69	extern char *__progname;	70	extern char *__progname;
Lines 183-188 delete_all(int agent_fd) Link Here
183	return ret;	184	return ret;
184	}	185	}
185		186
		187	#ifdef ENABLE_PKCS11
		188	static int update_card(int, int, const char *);
		189
		190	int
		191	update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri)
		192	{
		193	struct pkcs11_uri *uri;
		194
		195	/* dry-run parse to make sure the URI is valid and to report errors */
		196	uri = pkcs11_uri_init();
		197	if (pkcs11_uri_parse((char *) pkcs11_uri, uri) != 0)
		198	fatal("Failed to parse PKCS#11 URI");
		199	pkcs11_uri_cleanup(uri);
		200
		201	return update_card(agent_fd, adding, pkcs11_uri);
		202	}
		203	#endif
		204
186	static int	205	static int
187	add_file(int agent_fd, const char *filename, int key_only, int qflag)	206	add_file(int agent_fd, const char *filename, int key_only, int qflag)
188	{	207	{
Lines 434-439 lock_agent(int agent_fd, int lock) Link Here
434	static int	453	static int
435	do_file(int agent_fd, int deleting, int key_only, char *file, int qflag)	454	do_file(int agent_fd, int deleting, int key_only, char *file, int qflag)
436	{	455	{
		456	#ifdef ENABLE_PKCS11
		457	if (strlen(file) >= strlen(PKCS11_URI_SCHEME) &&
		458	strncmp(file, PKCS11_URI_SCHEME,
		459	strlen(PKCS11_URI_SCHEME)) == 0) {
		460	return update_pkcs11_uri(agent_fd, !deleting, file);
		461	}
		462	#endif
437	if (deleting) {	463	if (deleting) {
438	if (delete_file(agent_fd, file, key_only, qflag) == -1)	464	if (delete_file(agent_fd, file, key_only, qflag) == -1)
439	return -1;	465	return -1;

Lines 534-543 no_identities(SocketEntry *e) Link Here

(-)a/ssh-agent.c (-22 / +77 lines)
534	}	534	}
535		535
536	#ifdef ENABLE_PKCS11	536	#ifdef ENABLE_PKCS11
		537	static char *
		538	sanitize_pkcs11_provider(const char *provider)
		539	{
		540	struct pkcs11_uri *uri = NULL;
		541	char sane_uri, module_path = NULL; /* default path */
		542	char canonical_provider[PATH_MAX];
		543
		544	if (provider == NULL)
		545	return NULL;
		546
		547	if (strlen(provider) >= strlen(PKCS11_URI_SCHEME) &&
		548	strncmp(provider, PKCS11_URI_SCHEME,
		549	strlen(PKCS11_URI_SCHEME)) == 0) {
		550	/* PKCS#11 URI */
		551	uri = pkcs11_uri_init();
		552	if (uri == NULL) {
		553	error("Failed to init PCKS#11 URI");
		554	return NULL;
		555	}
		556
		557	if (pkcs11_uri_parse(provider, uri) != 0) {
		558	error("Failed to parse PKCS#11 URI");
		559	return NULL;
		560	}
		561	/* validate also provider from URI */
		562	if (uri->module_path)
		563	module_path = strdup(uri->module_path);
		564	} else
		565	module_path = strdup(provider); /* simple path */
		566
		567	if (module_path != NULL) { /* do not validate default NULL path in URI */
		568	if (realpath(module_path, canonical_provider) == NULL) {
		569	verbose("failed PKCS#11 provider \"%.100s\": realpath: %s",
		570	module_path, strerror(errno));
		571	free(module_path);
		572	return NULL;
		573	}
		574	free(module_path);
		575	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
		576	verbose("refusing PKCS#11 provider \"%.100s\": "
		577	"not whitelisted", canonical_provider);
		578	return NULL;
		579	}
		580
		581	/* copy verified and sanitized provider path back to the uri */
		582	if (uri) {
		583	free(uri->module_path);
		584	uri->module_path = xstrdup(canonical_provider);
		585	}
		586	}
		587
		588	if (uri) {
		589	sane_uri = pkcs11_uri_get(uri);
		590	pkcs11_uri_cleanup(uri);
		591	return sane_uri;
		592	} else {
		593	return xstrdup(canonical_provider); /* simple path */
		594	}
		595	}
		596
537	static void	597	static void
538	process_add_smartcard_key(SocketEntry *e)	598	process_add_smartcard_key(SocketEntry *e)
539	{	599	{
540	char provider = NULL, pin = NULL, canonical_provider[PATH_MAX];	600	char provider = NULL, pin = NULL, *sane_uri = NULL;
541	int r, i, count = 0, success = 0, confirm = 0;	601	int r, i, count = 0, success = 0, confirm = 0;
542	u_int seconds;	602	u_int seconds;
543	time_t death = 0;	603	time_t death = 0;
Lines 573-600 process_add_smartcard_key(SocketEntry *e) Link Here
573	goto send;	633	goto send;
574	}	634	}
575	}	635	}
576	if (realpath(provider, canonical_provider) == NULL) {	636
577	verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",	637	sane_uri = sanitize_pkcs11_provider(provider);
578	provider, strerror(errno));	638	if (sane_uri == NULL)
579	goto send;
580	}
581	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
582	verbose("refusing PKCS#11 add of \"%.100s\": "
583	"provider not whitelisted", canonical_provider);
584	goto send;	639	goto send;
585	}	640
586	debug("%s: add %.100s", __func__, canonical_provider);
587	if (lifetime && !death)	641	if (lifetime && !death)
588	death = monotime() + lifetime;	642	death = monotime() + lifetime;
589		643
590	count = pkcs11_add_provider(canonical_provider, pin, &keys);	644	debug("%s: add %.100s", __func__, sane_uri);
		645	count = pkcs11_add_provider(sane_uri, pin, &keys);
591	for (i = 0; i < count; i++) {	646	for (i = 0; i < count; i++) {
592	k = keys[i];	647	k = keys[i];
593	if (lookup_identity(k) == NULL) {	648	if (lookup_identity(k) == NULL) {
594	id = xcalloc(1, sizeof(Identity));	649	id = xcalloc(1, sizeof(Identity));
595	id->key = k;	650	id->key = k;
596	id->provider = xstrdup(canonical_provider);	651	id->provider = xstrdup(sane_uri);
597	id->comment = xstrdup(canonical_provider); /* XXX */	652	id->comment = xstrdup(sane_uri);
598	id->death = death;	653	id->death = death;
599	id->confirm = confirm;	654	id->confirm = confirm;
600	TAILQ_INSERT_TAIL(&idtab->idlist, id, next);	655	TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
Lines 608-613 process_add_smartcard_key(SocketEntry *e) Link Here
608	send:	663	send:
609	free(pin);	664	free(pin);
610	free(provider);	665	free(provider);
		666	free(sane_uri);
611	free(keys);	667	free(keys);
612	send_status(e, success);	668	send_status(e, success);
613	}	669	}
Lines 615-621 send: Link Here
615	static void	671	static void
616	process_remove_smartcard_key(SocketEntry *e)	672	process_remove_smartcard_key(SocketEntry *e)
617	{	673	{
618	char provider = NULL, pin = NULL, canonical_provider[PATH_MAX];	674	char provider = NULL, pin = NULL, *sane_uri;
619	int r, success = 0;	675	int r, success = 0;
620	Identity id, nxt;	676	Identity id, nxt;
621		677
Lines 626-655 process_remove_smartcard_key(SocketEntry *e) Link Here
626	}	682	}
627	free(pin);	683	free(pin);
628		684
629	if (realpath(provider, canonical_provider) == NULL) {	685	sane_uri = sanitize_pkcs11_provider(provider);
630	verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",	686	if (sane_uri == NULL)
631	provider, strerror(errno));
632	goto send;	687	goto send;
633	}
634		688
635	debug("%s: remove %.100s", __func__, canonical_provider);	689	debug("%s: remove %.100s", __func__, sane_uri);
636	for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {	690	for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {
637	nxt = TAILQ_NEXT(id, next);	691	nxt = TAILQ_NEXT(id, next);
638	/* Skip file--based keys */	692	/* Skip file--based keys */
639	if (id->provider == NULL)	693	if (id->provider == NULL)
640	continue;	694	continue;
641	if (!strcmp(canonical_provider, id->provider)) {	695	if (!strcmp(sane_uri, id->provider)) {
642	TAILQ_REMOVE(&idtab->idlist, id, next);	696	TAILQ_REMOVE(&idtab->idlist, id, next);
643	free_identity(id);	697	free_identity(id);
644	idtab->nentries--;	698	idtab->nentries--;
645	}	699	}
646	}	700	}
647	if (pkcs11_del_provider(canonical_provider) == 0)	701	if (pkcs11_del_provider(sane_uri) == 0)
648	success = 1;	702	success = 1;
649	else	703	else
650	error("%s: pkcs11_del_provider failed", __func__);	704	error("%s: pkcs11_del_provider failed", __func__);
651	send:	705	send:
652	free(provider);	706	free(provider);
		707	free(sane_uri);
653	send_status(e, success);	708	send_status(e, success);
654	}	709	}
655	#endif /* ENABLE_PKCS11 */	710	#endif /* ENABLE_PKCS11 */

Line 0 Link Here

(-)a/ssh-pkcs11-uri.c (+381 lines)
		1	/*
		2	* Copyright (c) 2017 Red Hat
		3	*
		4	* Authors: Jakub Jelen <jjelen@redhat.com>
		5	*
		6	* Permission to use, copy, modify, and distribute this software for any
		7	* purpose with or without fee is hereby granted, provided that the above
		8	* copyright notice and this permission notice appear in all copies.
		9	*
		10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		17	*/
		18
		19	#include "includes.h"
		20
		21	#ifdef ENABLE_PKCS11
		22
		23	#include <stdio.h>
		24	#include <string.h>
		25
		26	#include "sshkey.h"
		27	#include "log.h"
		28
		29	#define CRYPTOKI_COMPAT
		30	#include "pkcs11.h"
		31
		32	#include "ssh-pkcs11-uri.h"
		33
		34	#define PKCS11_URI_PATH_SEPARATOR ";"
		35	#define PKCS11_URI_QUERY_SEPARATOR "&"
		36	#define PKCS11_URI_VALUE_SEPARATOR "="
		37	#define PKCS11_URI_ID "id"
		38	#define PKCS11_URI_TOKEN "token"
		39	#define PKCS11_URI_LIB_MANUF "library-manufacturer"
		40	#define PKCS11_URI_MANUF "manufacturer"
		41	#define PKCS11_URI_MODULE_PATH "module-path"
		42
		43	/* Keyword tokens. */
		44	typedef enum {
		45	pId, pToken, pLibraryManufacturer, pManufacturer, pModulePath,
		46	pBadOption
		47	} pkcs11uriOpCodes;
		48
		49	/* Textual representation of the tokens. */
		50	static struct {
		51	const char *name;
		52	pkcs11uriOpCodes opcode;
		53	} keywords[] = {
		54	{ PKCS11_URI_ID, pId },
		55	{ PKCS11_URI_TOKEN, pToken },
		56	{ PKCS11_URI_LIB_MANUF, pLibraryManufacturer },
		57	{ PKCS11_URI_MANUF, pManufacturer },
		58	{ PKCS11_URI_MODULE_PATH, pModulePath },
		59	{ NULL, pBadOption }
		60	};
		61
		62	static pkcs11uriOpCodes
		63	parse_token(const char *cp)
		64	{
65	u_int i;
66
67	for (i = 0; keywords[i].name; i++)
68	if (strncasecmp(cp, keywords[i].name,
69	strlen(keywords[i].name)) == 0)
70	return keywords[i].opcode;
71
72	return pBadOption;
73	}
74
75	int
76	percent_decode(char data, char *outp)
77	{
78	char tmp[3];
79	char out, tmp_end;
80	char *p = data;
81	long value;
82	size_t outlen = 0;
83
84	out = malloc(strlen(data)+1); /* upper bound */
85	if (out == NULL)
86	return -1;
87	while (*p != '\0') {
88	switch (*p) {
89	case '%':
90	p++;
91	if (*p == '\0')
92	goto fail;
93	tmp[0] = *p++;
94	if (*p == '\0')
95	goto fail;
96	tmp[1] = *p++;
97	tmp[2] = '\0';
98	tmp_end = NULL;
99	value = strtol(tmp, &tmp_end, 16);
100	if (tmp_end != tmp+2)
101	goto fail;
102	else
103	out[outlen++] = (char) value;
104	break;
105	default:
106	out[outlen++] = *p++;
107	break;
108	}
109	}
110
111	/* zero terminate */
112	out[outlen] = '\0';
113	*outp = out;
114	return outlen;
115	fail:
116	free(out);
117	return -1;
118	}
119
120	struct sshbuf *
121	percent_encode(const char data, size_t length, const char whitelist)
122	{
123	struct sshbuf *b = NULL;
124	char tmp[4], *cp;
125	size_t i;
126
127	if ((b = sshbuf_new()) == NULL)
128	return NULL;
129	for (i = 0; i < length; i++) {
130	cp = strchr(whitelist, data[i]);
131	/* if c is specified as '\0' pointer to terminator is returned !! */
132	if (cp != NULL && *cp != '\0') {
133	if (sshbuf_put(b, &data[i], 1) != 0)
134	goto err;
135	} else
136	if (snprintf(tmp, 4, "%%%02X", (unsigned char) data[i]) < 3
137	\|\| sshbuf_put(b, tmp, 3) != 0)
138	goto err;
139	}
140	if (sshbuf_put(b, "\0", 1) == 0)
141	return b;
142	err:
143	sshbuf_free(b);
144	return NULL;
145	}
146
147	char *
148	pkcs11_uri_append(char part, const char separator, const char *key,
149	struct sshbuf *value)
150	{
151	char *new_part;
152	size_t size;
153
154	if (value == NULL)
155	return NULL;
156
157	size = asprintf(&new_part,
158	"%s%s%s" PKCS11_URI_VALUE_SEPARATOR "%s",
159	(part != NULL ? part : ""),
160	(part != NULL ? separator : ""),
161	key, sshbuf_ptr(value));
162	sshbuf_free(value);
163	free(part);
164
165	if (size < 0)
166	return NULL;
167	return new_part;
168	}
169
170	char *
171	pkcs11_uri_get(struct pkcs11_uri *uri)
172	{
173	size_t size = -1;
174	char p = NULL, path = NULL, *query = NULL;
175
176	/* compose a percent-encoded ID */
177	if (uri->id_len > 0) {
178	struct sshbuf *key_id = percent_encode(uri->id, uri->id_len, "");
179	path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
180	PKCS11_URI_ID, key_id);
181	if (path == NULL)
182	goto err;
183	}
184
185	/* Write token label */
186	if (uri->token) {
187	struct sshbuf *label = percent_encode(uri->token, strlen(uri->token),
188	PKCS11_URI_WHITELIST);
189	path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
190	PKCS11_URI_TOKEN, label);
191	if (path == NULL)
192	goto err;
193	}
194
195	/* Write manufacturer */
196	if (uri->manuf) {
197	struct sshbuf *manuf = percent_encode(uri->manuf,
198	strlen(uri->manuf), PKCS11_URI_WHITELIST);
199	path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
200	PKCS11_URI_MANUF, manuf);
201	if (path == NULL)
202	goto err;
203	}
204
205	/* Write module_path */
206	if (uri->module_path) {
207	struct sshbuf *module = percent_encode(uri->module_path,
208	strlen(uri->module_path), PKCS11_URI_WHITELIST "/");
209	query = pkcs11_uri_append(query, PKCS11_URI_QUERY_SEPARATOR,
210	PKCS11_URI_MODULE_PATH, module);
211	if (query == NULL)
212	goto err;
213	}
214
215	size = asprintf(&p, PKCS11_URI_SCHEME "%s%s%s",
216	path != NULL ? path : "",
217	query != NULL ? "?" : "",
218	query != NULL ? query : "");
219	err:
220	free(query);
221	free(path);
222	if (size < 0)
223	return NULL;
224	return p;
225	}
226
227	struct pkcs11_uri *
228	pkcs11_uri_init()
229	{
230	struct pkcs11_uri *d = calloc(1, sizeof(struct pkcs11_uri));
231	return d;
232	}
233
234	void
235	pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
236	{
237	free(pkcs11->id);
238	free(pkcs11->module_path);
239	free(pkcs11->token);
240	free(pkcs11->lib_manuf);
241	free(pkcs11->manuf);
242	free(pkcs11);
243	}
244
245	int
246	pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11)
247	{
248	char saveptr1, saveptr2, str1, str2, *tok;
249	int rv = 0, len;
250	char *p = NULL;
251
252	size_t scheme_len = strlen(PKCS11_URI_SCHEME);
253	if (strlen(uri) < scheme_len \|\| /* empty URI matches everything */
254	strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) {
255	error("%s: The '%s' does not look like PKCS#11 URI",
256	__func__, uri);
257	return -1;
258	}
259
260	if (pkcs11 == NULL) {
261	error("%s: Bad arguments. The pkcs11 can't be null", __func__);
262	return -1;
263	}
264
265	/* skip URI schema name */
266	p = strdup(uri);
267	str1 = p;
268
269	/* everything before ? */
270	tok = strtok_r(str1, "?", &saveptr1);
271	if (tok == NULL) {
272	free(p);
273	error("%s: pk11-path expected, got EOF", __func__);
274	return -1;
275	}
276
277	/* skip URI schema name:
278	* the scheme ensures that there is at least something before "?"
279	* allowing empty pk11-path. Resulting token at worst pointing to
280	* \0 byte */
281	tok = tok + scheme_len;
282
283	/* parse pk11-path */
284	for (str2 = tok; ; str2 = NULL) {
285	char **charptr;
286	pkcs11uriOpCodes opcode;
287	tok = strtok_r(str2, PKCS11_URI_PATH_SEPARATOR, &saveptr2);
288	if (tok == NULL)
289	break;
290	opcode = parse_token(tok);
291	if (opcode == pBadOption) {
292	error("Unknown key in PKCS#11 URI: %s", tok);
293	return -1;
294	}
295
296	char arg = tok + strlen(keywords[opcode].name) + 1; / separator "=" */
297	switch (opcode) {
298	case pId:
299	/* CKA_ID */
300	if (pkcs11->id != NULL) {
301	error("%s: The id already set in the PKCS#11 URI",
302	__func__);
303	rv = -1;
304	}
305	len = percent_decode(arg, &pkcs11->id);
306	if (len <= 0) {
307	error("%s: Failed to percent-decode CKA_ID: %s",
308	__func__, arg);
309	rv = -1;
310	} else
311	pkcs11->id_len = len;
312	debug3("%s: Setting CKA_ID = %s from PKCS#11 URI",
313	__func__, arg);
314	break;
315	case pToken:
316	/* CK_TOKEN_INFO -> label */
317	charptr = &pkcs11->token;
318	parse_string:
319	if (*charptr != NULL) {
320	error("%s: The %s already set in the PKCS#11 URI",
321	keywords[opcode].name, __func__);
322	rv = -1;
323	}
324	percent_decode(arg, charptr);
325	debug3("%s: Setting %s = %s from PKCS#11 URI",
326	__func__, keywords[opcode].name, *charptr);
327	break;
328
329	case pManufacturer:
330	/* CK_TOKEN_INFO -> manufacturerID */
331	charptr = &pkcs11->manuf;
332	goto parse_string;
333
334	case pLibraryManufacturer:
335	/* CK_INFO -> manufacturerID */
336	charptr = &pkcs11->lib_manuf;
337	goto parse_string;
338
339	case pBadOption:
340	default:
341	/* Unrecognized attribute in the URI path SHOULD be error */
342	error("%s: Unknown part of path in PKCS#11 URI: %s",
343	__func__, tok);
344	rv = -1;
345	}
346	}
347
348	tok = strtok_r(NULL, "?", &saveptr1);
349	if (tok == NULL) {
350	free(p);
351	return rv;
352	}
353	/* parse pk11-query (optional) */
354	for (str2 = tok; ; str2 = NULL) {
355	size_t key_len = strlen(PKCS11_URI_MODULE_PATH) + 1;
356	tok = strtok_r(str2, PKCS11_URI_QUERY_SEPARATOR, &saveptr2);
357	if (tok == NULL)
358	break;
359	if (strncasecmp(tok, PKCS11_URI_MODULE_PATH
360	PKCS11_URI_VALUE_SEPARATOR, key_len) == 0) {
361	/* module-path is PKCS11Provider */
362	if (pkcs11->module_path != NULL) {
363	error("%s: Multiple module-path attributes are"
364	"not supported the PKCS#11 URI", __func__);
365	rv = -1;
366	}
367	percent_decode(tok + key_len, &pkcs11->module_path);
368	debug3("%s: Setting PKCS11Provider = %s from PKCS#11 URI\n",
369	__func__, pkcs11->module_path);
370	/* } else if ( pin-value ) { */
371	} else {
372	/* Unrecognized attribute in the URI query SHOULD be ignored */
373	error("%s: Unknown part of query in PKCS#11 URI: %s",
374	__func__, tok);
375	}
376	}
377	free(p);
378	return rv;
379	}
380
381	#endif /* ENABLE_PKCS11 */

Line 0 Link Here

(-)a/ssh-pkcs11-uri.h (+42 lines)
	1	/*
	2	* Copyright (c) 2017 Red Hat
	3	*
	4	* Authors: Jakub Jelen <jjelen@redhat.com>
	5	*
	6	* Permission to use, copy, modify, and distribute this software for any
	7	* purpose with or without fee is hereby granted, provided that the above
	8	* copyright notice and this permission notice appear in all copies.
	9	*
	10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	17	*/
	18
	19	#define PKCS11_URI_SCHEME "pkcs11:"
	20	#define PKCS11_DEFAULT_PROVIDER "/usr/lib64/p11-kit-proxy.so"
	21
	22	#define PKCS11_URI_WHITELIST "abcdefghijklmnopqrstuvwxyz" \
	23	"ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
	24	"0123456789_-.()"
	25
	26	struct pkcs11_uri {
	27	/* path */
	28	char *id;
	29	size_t id_len;
	30	char *token;
	31	char *lib_manuf;
	32	char *manuf;
	33	/* query */
	34	char *module_path;
	35	};
	36
	37	struct pkcs11_uri *pkcs11_uri_init();
	38	void pkcs11_uri_cleanup(struct pkcs11_uri *);
	39	int pkcs11_uri_parse(const char , struct pkcs11_uri );
	40	struct pkcs11_uri *pkcs11_uri_init();
	41	char * pkcs11_uri_get(struct pkcs11_uri *uri);
	42

Lines 50-55 struct pkcs11_slotinfo { Link Here

(-)a/ssh-pkcs11.c (-30 / +171 lines)
50		50
51	struct pkcs11_provider {	51	struct pkcs11_provider {
52	char *name;	52	char *name;
		53	char *module_path;
53	void *handle;	54	void *handle;
54	CK_FUNCTION_LIST *function_list;	55	CK_FUNCTION_LIST *function_list;
55	CK_INFO info;	56	CK_INFO info;
Lines 74-79 struct pkcs11_key { Link Here
74		75
75	int pkcs11_interactive = 0;	76	int pkcs11_interactive = 0;
76		77
		78	/*
		79	* This can't be in the ssh-pkcs11-uri, becase we can not depend on
		80	* PKCS structures in ssh-agent (using client-helper communication)
		81	*/
		82	int
		83	pkcs11_uri_write(const struct sshkey key, FILE f)
		84	{
		85	char *p = NULL;
		86	struct pkcs11_uri uri;
		87	struct pkcs11_key *k11;
		88
		89	/* sanity - is it a RSA key with associated app_data? */
		90	if (key->type != KEY_RSA \|\|
		91	(k11 = RSA_get_app_data(key->rsa)) == NULL)
		92	return -1;
		93
		94	/* omit type -- we are looking for private-public or private-certificate pairs */
		95	uri.id = k11->keyid;
		96	uri.id_len = k11->keyid_len;
		97	uri.token = k11->provider->slotinfo[k11->slotidx].token.label;
		98	uri.module_path = k11->provider->module_path;
		99	uri.lib_manuf = k11->provider->info.manufacturerID;
		100	uri.manuf = k11->provider->slotinfo[k11->slotidx].token.manufacturerID;
		101
		102	p = pkcs11_uri_get(&uri);
		103	/* do not cleanup -- we do not allocate here, only reference */
		104	if (p == NULL)
		105	return -1;
		106
		107	fprintf(f, " %s", p);
		108	free(p);
		109	return 0;
		110	}
		111
77	int	112	int
78	pkcs11_init(int interactive)	113	pkcs11_init(int interactive)
79	{	114	{
Lines 124-129 pkcs11_provider_unref(struct pkcs11_provider *p) Link Here
124	error("pkcs11_provider_unref: %p still valid", p);	159	error("pkcs11_provider_unref: %p still valid", p);
125	free(p->slotlist);	160	free(p->slotlist);
126	free(p->slotinfo);	161	free(p->slotinfo);
		162	free(p->name);
		163	free(p->module_path);
127	free(p);	164	free(p);
128	}	165	}
129	}	166	}
Lines 155-173 pkcs11_provider_lookup(char *provider_id) Link Here
155	return (NULL);	192	return (NULL);
156	}	193	}
157		194
		195	int pkcs11_del_provider_by_uri(struct pkcs11_uri *);
		196
158	/* unregister provider by name */	197	/* unregister provider by name */
159	int	198	int
160	pkcs11_del_provider(char *provider_id)	199	pkcs11_del_provider(char *provider_id)
		200	{
		201	int rv;
		202	struct pkcs11_uri *uri;
		203
		204	debug("%s: called, provider_id = %s", __func__, provider_id);
		205
		206	uri = pkcs11_uri_init();
		207	if (uri == NULL)
		208	fatal("Failed to init PCKS#11 URI");
		209
		210	if (strlen(provider_id) >= strlen(PKCS11_URI_SCHEME) &&
		211	strncmp(provider_id, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0) {
		212	if (pkcs11_uri_parse(provider_id, uri) != 0)
		213	fatal("Failed to parse PKCS#11 URI");
		214	} else {
		215	uri->module_path = strdup(provider_id);
		216	}
		217
		218	rv = pkcs11_del_provider_by_uri(uri);
		219	pkcs11_uri_cleanup(uri);
		220	return rv;
		221	}
		222
		223	/* unregister provider by PKCS#11 URI */
		224	int
		225	pkcs11_del_provider_by_uri(struct pkcs11_uri *uri)
161	{	226	{
162	struct pkcs11_provider *p;	227	struct pkcs11_provider *p;
		228	int rv = -1;
		229	char *provider_uri = pkcs11_uri_get(uri);
		230
		231	debug3("%s(%s): called", __func__, provider_uri);
163		232
164	if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {	233	if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) {
165	TAILQ_REMOVE(&pkcs11_providers, p, next);	234	TAILQ_REMOVE(&pkcs11_providers, p, next);
166	pkcs11_provider_finalize(p);	235	pkcs11_provider_finalize(p);
167	pkcs11_provider_unref(p);	236	pkcs11_provider_unref(p);
168	return (0);	237	rv = 0;
169	}	238	}
170	return (-1);	239	free(provider_uri);
		240	return rv;
171	}	241	}
172		242
173	/* openssl callback for freeing an RSA key */	243	/* openssl callback for freeing an RSA key */
Lines 381-387 pkcs11_open_session(struct pkcs11_provider p, CK_ULONG slotidx, char pin) Link Here
381	if ((rv = f->C_OpenSession(p->slotlist[slotidx], CKF_RW_SESSION\|	451	if ((rv = f->C_OpenSession(p->slotlist[slotidx], CKF_RW_SESSION\|
382	CKF_SERIAL_SESSION, NULL, NULL, &session))	452	CKF_SERIAL_SESSION, NULL, NULL, &session))
383	!= CKR_OK) {	453	!= CKR_OK) {
384	error("C_OpenSession failed: %lu", rv);	454	error("C_OpenSession failed for slot %lu: %lu", slotidx, rv);
385	return (-1);	455	return (-1);
386	}	456	}
387	if (login_required && pin) {	457	if (login_required && pin) {
Lines 405-424 pkcs11_open_session(struct pkcs11_provider p, CK_ULONG slotidx, char pin) Link Here
405	* keysp points to an (possibly empty) array with *nkeys keys.	475	* keysp points to an (possibly empty) array with *nkeys keys.
406	*/	476	*/
407	static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,	477	static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
408	CK_ATTRIBUTE [], CK_ATTRIBUTE [3], struct sshkey **, int )	478	CK_ATTRIBUTE [], size_t, CK_ATTRIBUTE [3], struct sshkey **, int )
409	__attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));	479	__attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));
410		480
411	static int	481	static int
412	pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,	482	pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
413	struct sshkey **keysp, int nkeys)	483	struct sshkey **keysp, int nkeys, struct pkcs11_uri *uri)
414	{	484	{
		485	size_t filter_size = 1;
415	CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;	486	CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
416	CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;	487	CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
417	CK_ATTRIBUTE pubkey_filter[] = {	488	CK_ATTRIBUTE pubkey_filter[] = {
418	{ CKA_CLASS, NULL, sizeof(pubkey_class) }	489	{ CKA_CLASS, NULL, sizeof(pubkey_class) },
		490	{ CKA_ID, NULL, 0 }
419	};	491	};
420	CK_ATTRIBUTE cert_filter[] = {	492	CK_ATTRIBUTE cert_filter[] = {
421	{ CKA_CLASS, NULL, sizeof(cert_class) }	493	{ CKA_CLASS, NULL, sizeof(cert_class) },
		494	{ CKA_ID, NULL, 0 }
422	};	495	};
423	CK_ATTRIBUTE pubkey_attribs[] = {	496	CK_ATTRIBUTE pubkey_attribs[] = {
424	{ CKA_ID, NULL, 0 },	497	{ CKA_ID, NULL, 0 },
Lines 433-442 pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
433	pubkey_filter[0].pValue = &pubkey_class;	506	pubkey_filter[0].pValue = &pubkey_class;
434	cert_filter[0].pValue = &cert_class;	507	cert_filter[0].pValue = &cert_class;
435		508
436	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,	509	if (uri->id != NULL) {
437	keysp, nkeys) < 0 \|\|	510	pubkey_filter[1].pValue = uri->id;
438	pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,	511	pubkey_filter[1].ulValueLen = uri->id_len;
439	keysp, nkeys) < 0)	512	cert_filter[1].pValue = uri->id;
		513	cert_filter[1].ulValueLen = uri->id_len;
		514	filter_size = 2;
		515	}
		516
		517	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
		518	pubkey_attribs, keysp, nkeys) < 0 \|\|
		519	pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
		520	cert_attribs, keysp, nkeys) < 0)
440	return (-1);	521	return (-1);
441	return (0);	522	return (0);
442	}	523	}
Lines 454-466 pkcs11_key_included(struct sshkey **keysp, int nkeys, struct sshkey *key) Link Here
454		535
455	static int	536	static int
456	pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,	537	pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
457	CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3],	538	CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[3],
458	struct sshkey **keysp, int nkeys)	539	struct sshkey **keysp, int nkeys)
459	{	540	{
460	struct sshkey *key;	541	struct sshkey *key;
461	RSA *rsa;	542	RSA *rsa;
462	X509 *x509;	543	X509 *x509;
463	EVP_PKEY *evp;	544	EVP_PKEY *evp = NULL;
464	int i;	545	int i;
465	const u_char *cp;	546	const u_char *cp;
466	CK_RV rv;	547	CK_RV rv;
Lines 473-479 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
473	f = p->function_list;	554	f = p->function_list;
474	session = p->slotinfo[slotidx].session;	555	session = p->slotinfo[slotidx].session;
475	/* setup a filter the looks for public keys */	556	/* setup a filter the looks for public keys */
476	if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) {	557	if ((rv = f->C_FindObjectsInit(session, filter, filter_size)) != CKR_OK) {
477	error("C_FindObjectsInit failed: %lu", rv);	558	error("C_FindObjectsInit failed: %lu", rv);
478	return (-1);	559	return (-1);
479	}	560	}
Lines 547-552 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
547	}	628	}
548	if (x509)	629	if (x509)
549	X509_free(x509);	630	X509_free(x509);
		631	if (evp)
		632	EVP_PKEY_free(evp);
550	}	633	}
551	if (rsa)	634	if (rsa)
552	RSA_get0_key(rsa, &n, &e, NULL);	635	RSA_get0_key(rsa, &n, &e, NULL);
Lines 581-586 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
581	/* register a new provider, fails if provider already exists */	664	/* register a new provider, fails if provider already exists */
582	int	665	int
583	pkcs11_add_provider(char provider_id, char pin, struct sshkey ***keyp)	666	pkcs11_add_provider(char provider_id, char pin, struct sshkey ***keyp)
		667	{
		668	int rv;
		669	struct pkcs11_uri *uri;
		670
		671	debug("%s: called, provider_id = %s", __func__, provider_id);
		672
		673	uri = pkcs11_uri_init();
		674	if (uri == NULL)
		675	fatal("Failed to init PCKS#11 URI");
		676
		677	if (strlen(provider_id) >= strlen(PKCS11_URI_SCHEME) &&
		678	strncmp(provider_id, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0) {
		679	if (pkcs11_uri_parse(provider_id, uri) != 0)
		680	fatal("Failed to parse PKCS#11 URI");
		681	} else {
		682	uri->module_path = strdup(provider_id);
		683	}
		684
		685	rv = pkcs11_add_provider_by_uri(uri, pin, keyp);
		686	pkcs11_uri_cleanup(uri);
		687	return rv;
		688	}
		689
		690	int
		691	pkcs11_add_provider_by_uri(struct pkcs11_uri uri, char pin, struct sshkey ***keyp)
584	{	692	{
585	int nkeys, need_finalize = 0;	693	int nkeys, need_finalize = 0;
586	struct pkcs11_provider *p = NULL;	694	struct pkcs11_provider *p = NULL;
Lines 590-600 pkcs11_add_provider(char provider_id, char pin, struct sshkey ***keyp) Link Here
590	CK_FUNCTION_LIST *f = NULL;	698	CK_FUNCTION_LIST *f = NULL;
591	CK_TOKEN_INFO *token;	699	CK_TOKEN_INFO *token;
592	CK_ULONG i;	700	CK_ULONG i;
		701	char *provider_id = strdup(uri->module_path);
		702	char *provider_uri = pkcs11_uri_get(uri);
		703
		704	/* if no provider specified, fallback to p11-kit */
		705	if (provider_id == NULL) {
		706	provider_id = strdup(PKCS11_DEFAULT_PROVIDER);
		707	}
		708
		709	debug("%s: called, provider_uri = %s", __func__, provider_uri);
593		710
594	*keyp = NULL;	711	*keyp = NULL;
595	if (pkcs11_provider_lookup(provider_id) != NULL) {	712	if (pkcs11_provider_lookup(provider_uri) != NULL) {
596	debug("%s: provider already registered: %s",	713	debug("%s: provider already registered: %s",
597	__func__, provider_id);	714	__func__, provider_uri);
598	goto fail;	715	goto fail;
599	}	716	}
600	/* open shared pkcs11-libarary */	717	/* open shared pkcs11-libarary */
Lines 607-637 pkcs11_add_provider(char provider_id, char pin, struct sshkey ***keyp) Link Here
607	goto fail;	724	goto fail;
608	}	725	}
609	p = xcalloc(1, sizeof(*p));	726	p = xcalloc(1, sizeof(*p));
610	p->name = xstrdup(provider_id);	727	p->name = provider_uri;
		728	p->module_path = provider_id;
611	p->handle = handle;	729	p->handle = handle;
612	/* setup the pkcs11 callbacks */	730	/* setup the pkcs11 callbacks */
613	if ((rv = (*getfunctionlist)(&f)) != CKR_OK) {	731	if ((rv = (*getfunctionlist)(&f)) != CKR_OK) {
614	error("C_GetFunctionList for provider %s failed: %lu",	732	error("C_GetFunctionList for provider %s failed: %lu",
615	provider_id, rv);	733	provider_uri, rv);
616	goto fail;	734	goto fail;
617	}	735	}
618	p->function_list = f;	736	p->function_list = f;
619	if ((rv = f->C_Initialize(NULL)) != CKR_OK) {	737	if ((rv = f->C_Initialize(NULL)) != CKR_OK) {
620	error("C_Initialize for provider %s failed: %lu",	738	error("C_Initialize for provider %s failed: %lu",
621	provider_id, rv);	739	provider_uri, rv);
622	goto fail;	740	goto fail;
623	}	741	}
624	need_finalize = 1;	742	need_finalize = 1;
625	if ((rv = f->C_GetInfo(&p->info)) != CKR_OK) {	743	if ((rv = f->C_GetInfo(&p->info)) != CKR_OK) {
626	error("C_GetInfo for provider %s failed: %lu",	744	error("C_GetInfo for provider %s failed: %lu",
627	provider_id, rv);	745	provider_uri, rv);
628	goto fail;	746	goto fail;
629	}	747	}
630	rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));	748	rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
		749	if (uri->lib_manuf != NULL &&
		750	strcmp(uri->lib_manuf, p->info.manufacturerID)) {
		751	debug("%s: Skipping provider %s not matching library_manufacturer",
		752	__func__, p->info.manufacturerID);
		753	goto fail;
		754	}
631	rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));	755	rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
632	debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"	756	debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
633	" libraryDescription <%s> libraryVersion %d.%d",	757	" libraryDescription <%s> libraryVersion %d.%d",
634	provider_id,	758	provider_uri,
635	p->info.manufacturerID,	759	p->info.manufacturerID,
636	p->info.cryptokiVersion.major,	760	p->info.cryptokiVersion.major,
637	p->info.cryptokiVersion.minor,	761	p->info.cryptokiVersion.minor,
Lines 644-657 pkcs11_add_provider(char provider_id, char pin, struct sshkey ***keyp) Link Here
644	}	768	}
645	if (p->nslots == 0) {	769	if (p->nslots == 0) {
646	debug("%s: provider %s returned no slots", __func__,	770	debug("%s: provider %s returned no slots", __func__,
647	provider_id);	771	provider_uri);
648	goto fail;	772	goto fail;
649	}	773	}
650	p->slotlist = xcalloc(p->nslots, sizeof(CK_SLOT_ID));	774	p->slotlist = xcalloc(p->nslots, sizeof(CK_SLOT_ID));
651	if ((rv = f->C_GetSlotList(CK_TRUE, p->slotlist, &p->nslots))	775	if ((rv = f->C_GetSlotList(CK_TRUE, p->slotlist, &p->nslots))
652	!= CKR_OK) {	776	!= CKR_OK) {
653	error("C_GetSlotList for provider %s failed: %lu",	777	error("C_GetSlotList for provider %s failed: %lu",
654	provider_id, rv);	778	provider_uri, rv);
655	goto fail;	779	goto fail;
656	}	780	}
657	p->slotinfo = xcalloc(p->nslots, sizeof(struct pkcs11_slotinfo));	781	p->slotinfo = xcalloc(p->nslots, sizeof(struct pkcs11_slotinfo));
Lines 662-700 pkcs11_add_provider(char provider_id, char pin, struct sshkey ***keyp) Link Here
662	if ((rv = f->C_GetTokenInfo(p->slotlist[i], token))	786	if ((rv = f->C_GetTokenInfo(p->slotlist[i], token))
663	!= CKR_OK) {	787	!= CKR_OK) {
664	error("C_GetTokenInfo for provider %s slot %lu "	788	error("C_GetTokenInfo for provider %s slot %lu "
665	"failed: %lu", provider_id, (unsigned long)i, rv);	789	"failed: %lu", provider_uri, (unsigned long)i, rv);
666	continue;	790	continue;
667	}	791	}
668	if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {	792	if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {
669	debug2("%s: ignoring uninitialised token in "	793	debug2("%s: ignoring uninitialised token in "
670	"provider %s slot %lu", __func__,	794	"provider %s slot %lu", __func__,
671	provider_id, (unsigned long)i);	795	provider_uri, (unsigned long)i);
672	continue;	796	continue;
673	}	797	}
674	rmspace(token->label, sizeof(token->label));	798	rmspace(token->label, sizeof(token->label));
675	rmspace(token->manufacturerID, sizeof(token->manufacturerID));	799	rmspace(token->manufacturerID, sizeof(token->manufacturerID));
676	rmspace(token->model, sizeof(token->model));	800	rmspace(token->model, sizeof(token->model));
677	rmspace(token->serialNumber, sizeof(token->serialNumber));	801	rmspace(token->serialNumber, sizeof(token->serialNumber));
		802	if (uri->token != NULL &&
		803	strcmp(token->label, uri->token) != 0) {
		804	debug2("%s: ignoring token not matching label (%s) "
		805	"specified by PKCS#11 URI in slot %lu", __func__,
		806	token->label, (unsigned long)i);
		807	continue;
		808	}
		809	if (uri->manuf != NULL &&
		810	strcmp(token->manufacturerID, uri->manuf) != 0) {
		811	debug2("%s: ignoring token not matching requrested "
		812	"manufacturerID (%s) specified by PKCS#11 URI in "
		813	"slot %lu", __func__,
		814	token->manufacturerID, (unsigned long)i);
		815	continue;
		816	}
678	debug("provider %s slot %lu: label <%s> manufacturerID <%s> "	817	debug("provider %s slot %lu: label <%s> manufacturerID <%s> "
679	"model <%s> serial <%s> flags 0x%lx",	818	"model <%s> serial <%s> flags 0x%lx",
680	provider_id, (unsigned long)i,	819	provider_uri, (unsigned long)i,
681	token->label, token->manufacturerID, token->model,	820	token->label, token->manufacturerID, token->model,
682	token->serialNumber, token->flags);	821	token->serialNumber, token->flags);
683	/* open session, login with pin and retrieve public keys */	822	/* open session, login with pin and retrieve public keys */
684	if (pkcs11_open_session(p, i, pin) == 0)	823	if (pkcs11_open_session(p, i, pin) == 0)
685	pkcs11_fetch_keys(p, i, keyp, &nkeys);	824	pkcs11_fetch_keys(p, i, keyp, &nkeys, uri);
686	}	825	}
687	if (nkeys > 0) {	826	if (nkeys > 0) {
688	TAILQ_INSERT_TAIL(&pkcs11_providers, p, next);	827	TAILQ_INSERT_TAIL(&pkcs11_providers, p, next);
689	p->refcount++; /* add to provider list */	828	p->refcount++; /* add to provider list */
690	return (nkeys);	829	return (nkeys);
691	}	830	}
692	debug("%s: provider %s returned no keys", __func__, provider_id);	831	debug("%s: provider %s returned no keys", __func__, provider_uri);
693	/* don't add the provider, since it does not have any keys */	832	/* don't add the provider, since it does not have any keys */
694	fail:	833	fail:
695	if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK)	834	if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK)
696	error("C_Finalize for provider %s failed: %lu",	835	error("C_Finalize for provider %s failed: %lu",
697	provider_id, rv);	836	provider_uri, rv);
698	if (p) {	837	if (p) {
699	free(p->slotlist);	838	free(p->slotlist);
700	free(p->slotinfo);	839	free(p->slotinfo);
Lines 702-707 fail: Link Here
702	}	841	}
703	if (handle)	842	if (handle)
704	dlclose(handle);	843	dlclose(handle);
		844	free(provider_id);
		845	free(provider_uri);
705	return (-1);	846	return (-1);
706	}	847	}
707		848

Line 0 Link Here

(-)a/regress/locl.h (+78 lines)
		1	/*
		2	* Copyright (c) 2004, Stockholms universitet
		3	* (Stockholm University, Stockholm Sweden)
		4	* All rights reserved.
		5	*
		6	* Redistribution and use in source and binary forms, with or without
		7	* modification, are permitted provided that the following conditions
		8	* are met:
		9	*
		10	* 1. Redistributions of source code must retain the above copyright
		11	* notice, this list of conditions and the following disclaimer.
		12	*
		13	* 2. Redistributions in binary form must reproduce the above copyright
		14	* notice, this list of conditions and the following disclaimer in the
		15	* documentation and/or other materials provided with the distribution.
		16	*
		17	* 3. Neither the name of the university nor the names of its contributors
		18	* may be used to endorse or promote products derived from this software
		19	* without specific prior written permission.
		20	*
		21	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
		22	* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
		24	* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
		25	* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
		26	* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
		27	* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
		28	* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
		29	* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		30	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
		31	* POSSIBILITY OF SUCH DAMAGE.
		32	*/
		33
		34	/* $Id: locl.h,v 1.5 2005/08/28 15:30:31 lha Exp $ */
		35
		36	#ifdef HAVE_CONFIG_H
		37	#include <config.h>
		38	#endif
		39
		40	#include <openssl/err.h>
		41	#include <openssl/evp.h>
		42	#include <openssl/pem.h>
		43	#include <openssl/rand.h>
		44	#include <openssl/x509.h>
		45
		46	#include <ctype.h>
		47	#include <errno.h>
		48	#include <pwd.h>
		49	#include <stdarg.h>
		50	#define _GNU_SOURCE
		51	#include <stdio.h>
		52	#include <stdlib.h>
		53	#include <string.h>
		54	#include <unistd.h>
		55
		56	#include "../pkcs11.h"
		57
		58	#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R) \
		59	{ \
		60	unsigned char *p; \
		61	(BL) = i2d_##T((S), NULL); \
		62	if ((BL) <= 0) { \
		63	(R) = EINVAL; \
		64	} else { \
65	(B) = malloc((BL)); \
66	if ((B) == NULL) { \
67	(R) = ENOMEM; \
68	} else { \
69	p = (B); \
70	(R) = 0; \
71	(BL) = i2d_##T((S), &p); \
72	if ((BL) <= 0) { \
73	free((B)); \
74	(R) = EINVAL; \
75	} \
76	} \
77	} \
78	}

Line 0 Link Here

(-)a/regress/pkcs11.sh (+250 lines)
		1	#
		2	# Copyright (c) 2017 Red Hat
		3	#
		4	# Authors: Jakub Jelen <jjelen@redhat.com>
		5	#
		6	# Permission to use, copy, modify, and distribute this software for any
		7	# purpose with or without fee is hereby granted, provided that the above
		8	# copyright notice and this permission notice appear in all copies.
		9	#
		10	# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		11	# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		12	# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		13	# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		14	# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		15	# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		16	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		17
		18	tid="pkcs11 tests with soft token"
		19
		20	TEST_SSH_PIN=""
		21	TEST_SSH_PKCS11=$OBJ/soft-pkcs11.so
		22
		23	test -f "$TEST_SSH_PKCS11" \|\| fatal "$TEST_SSH_PKCS11 does not exist"
		24
		25	# requires ssh-agent built with correct path to ssh-pkcs11-helper
		26	# otherwise it fails to start the helper
		27	strings ${TEST_SSH_SSHAGENT} \| grep "$TEST_SSH_SSHPKCS11HELPER"
		28	if [ $? -ne 0 ]; then
		29	fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"
		30	fi
		31
		32	# setup environment for soft-pkcs11 token
		33	SOFTPKCS11RC=$OBJ/pkcs11.info
		34	rm -f $SOFTPKCS11RC
		35	export SOFTPKCS11RC
		36	# prevent ssh-agent from calling ssh-askpass
		37	SSH_ASKPASS=/usr/bin/true
		38	export SSH_ASKPASS
		39	unset DISPLAY
		40
		41	# start command w/o tty, so ssh accepts pin from stdin (from agent-pkcs11.sh)
		42	notty() {
		43	perl -e 'use POSIX; POSIX::setsid();
		44	if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
		45	}
		46
		47	create_key() {
		48	ID=$1
		49	LABEL=$2
		50	rm -f $OBJ/pkcs11-${ID}.key $OBJ/pkcs11-${ID}.crt
		51	openssl genrsa -out $OBJ/pkcs11-${ID}.key 2048 > /dev/null 2>&1
		52	chmod 600 $OBJ/pkcs11-${ID}.key
		53	openssl req -key $OBJ/pkcs11-${ID}.key -new -x509 \
		54	-out $OBJ/pkcs11-${ID}.crt -text -subj '/CN=pkcs11 test' >/dev/null
		55	printf "${ID}\t${LABEL}\t$OBJ/pkcs11-${ID}.crt\t$OBJ/pkcs11-${ID}.key\n" \
		56	>> $SOFTPKCS11RC
		57	}
		58
		59	trace "Create a key pairs on soft token"
		60	ID1="02"
		61	ID2="04"
		62	create_key "$ID1" "SSH RSA Key"
		63	create_key "$ID2" "SSH RSA Key 2"
		64
65	trace "List the keys in the ssh-keygen with PKCS#11 URIs"
66	${SSHKEYGEN} -D ${TEST_SSH_PKCS11} > $OBJ/token_keys
67	if [ $? -ne 0 ]; then
68	fail "keygen fails to enumerate keys on PKCS#11 token"
69	fi
70	grep "pkcs11:" $OBJ/token_keys > /dev/null
71	if [ $? -ne 0 ]; then
72	fail "The keys from ssh-keygen do not contain PKCS#11 URI as a comment"
73	fi
74	tail -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER
75
76
77	trace "Simple connect with ssh (without PKCS#11 URI)"
78	echo ${TEST_SSH_PIN} \| notty ${SSH} -I ${TEST_SSH_PKCS11} \
79	-F $OBJ/ssh_proxy somehost exit 5
80	r=$?
81	if [ $r -ne 5 ]; then
82	fail "ssh connect with pkcs11 failed (exit code $r)"
83	fi
84
85
86	trace "Connect with PKCS#11 URI"
87	trace " (second key should succeed)"
88	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
89	-i "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" somehost exit 5
90	r=$?
91	if [ $r -ne 5 ]; then
92	fail "ssh connect with PKCS#11 URI failed (exit code $r)"
93	fi
94
95	trace " (first key should fail)"
96	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
97	-i "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" somehost exit 5
98	r=$?
99	if [ $r -eq 5 ]; then
100	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
101	fi
102
103
104	trace "Test PKCS#11 URI specification in configuration files"
105	echo "PKCS11URI pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \
106	>> $OBJ/ssh_proxy
107	trace " (second key should succeed)"
108	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5
109	r=$?
110	if [ $r -ne 5 ]; then
111	fail "ssh connect with PKCS#11 URI in config failed (exit code $r)"
112	fi
113
114	trace " (first key should fail)"
115	head -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER
116	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5
117	r=$?
118	if [ $r -eq 5 ]; then
119	fail "ssh connect with PKCS#11 URI in config succeeded (should fail)"
120	fi
121	sed -i -e "/PKCS11URI/d" $OBJ/ssh_proxy
122
123	trace "Test PKCS#11 URI specification in configuration files with bogus spaces"
124	echo "PKCS11URI pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11} " \
125	>> $OBJ/ssh_proxy
126	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5
127	r=$?
128	if [ $r -ne 5 ]; then
129	fail "ssh connect with PKCS#11 URI with bogus spaces in config failed" \
130	"(exit code $r)"
131	fi
132	sed -i -e "/PKCS11URI/d" $OBJ/ssh_proxy
133
134
135	trace "Combination of PKCS11Provider and PKCS11URI on commandline"
136	trace " (first key should succeed)"
137	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
138	-i "pkcs11:id=${ID1}" -I ${TEST_SSH_PKCS11} somehost exit 5
139	r=$?
140	if [ $r -ne 5 ]; then
141	fail "ssh connect with PKCS#11 URI and provider combination" \
142	"failed (exit code $r)"
143	fi
144
145	trace " (second key should fail)"
146	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
147	-i "pkcs11:id=${ID2}" -I ${TEST_SSH_PKCS11} somehost exit 5
148	r=$?
149	if [ $r -eq 5 ]; then
150	fail "ssh connect with PKCS#11 URI and provider combination" \
151	"succeeded (should fail)"
152	fi
153
154
155	trace "SSH Agent can work with PKCS#11 URI"
156	trace "start the agent"
157	eval `${SSHAGENT} -s -P "${OBJ}/*"` > /dev/null
158
159	r=$?
160	if [ $r -ne 0 ]; then
161	fail "could not start ssh-agent: exit code $r"
162	else
163	trace "add whole provider to agent"
164	echo ${TEST_SSH_PIN} \| notty ${SSHADD} \
165	"pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
166	r=$?
167	if [ $r -ne 0 ]; then
168	fail "ssh-add failed with whole provider: exit code $r"
169	fi
170
171	trace " pkcs11 list via agent (all keys)"
172	${SSHADD} -l > /dev/null 2>&1
173	r=$?
174	if [ $r -ne 0 ]; then
175	fail "ssh-add -l failed with whole provider: exit code $r"
176	fi
177
178	trace " pkcs11 connect via agent (all keys)"
179	${SSH} -F $OBJ/ssh_proxy somehost exit 5
180	r=$?
181	if [ $r -ne 5 ]; then
182	fail "ssh connect failed with whole provider (exit code $r)"
183	fi
184
185	trace " remove pkcs11 keys (all keys)"
186	${SSHADD} -d "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
187	r=$?
188	if [ $r -ne 0 ]; then
189	fail "ssh-add -d failed with whole provider: exit code $r"
190	fi
191
192	trace "add only first key to the agent"
193	echo ${TEST_SSH_PIN} \| notty ${SSHADD} \
194	"pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
195	r=$?
196	if [ $r -ne 0 ]; then
197	fail "ssh-add failed with first key: exit code $r"
198	fi
199
200	trace " pkcs11 connect via agent (first key)"
201	${SSH} -F $OBJ/ssh_proxy somehost exit 5
202	r=$?
203	if [ $r -ne 5 ]; then
204	fail "ssh connect failed with first key (exit code $r)"
205	fi
206
207	trace " remove first pkcs11 key"
208	${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \
209	> /dev/null 2>&1
210	r=$?
211	if [ $r -ne 0 ]; then
212	fail "ssh-add -d failed with first key: exit code $r"
213	fi
214
215	trace "add only second key to the agent"
216	echo ${TEST_SSH_PIN} \| notty ${SSHADD} \
217	"pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1
218	r=$?
219	if [ $r -ne 0 ]; then
220	fail "ssh-add failed with second key: exit code $r"
221	fi
222
223	trace " pkcs11 connect via agent (second key should fail)"
224	${SSH} -F $OBJ/ssh_proxy somehost exit 5
225	r=$?
226	if [ $r -eq 5 ]; then
227	fail "ssh connect passed without key (should fail)"
228	fi
229
230	trace " remove second pkcs11 key"
231	${SSHADD} -d "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \
232	> /dev/null 2>&1
233	r=$?
234	if [ $r -ne 0 ]; then
235	fail "ssh-add -d failed with second key: exit code $r"
236	fi
237
238	trace " remove already-removed pkcs11 key should fail"
239	${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \
240	> /dev/null 2>&1
241	r=$?
242	if [ $r -eq 0 ]; then
243	fail "ssh-add -d passed with non-existing key (should fail)"
244	fi
245
246	trace "kill agent"
247	${SSHAGENT} -k > /dev/null
248	fi
249
250	rm -rf $OBJ/.tokens $OBJ/token_keys

Lines 698-710 pkcs11_add_provider_by_uri(struct pkcs11_uri uri, char pin, struct sshkey ***k Link Here

(-)a/ssh-pkcs11.c (-5 / +4 lines)
698	CK_FUNCTION_LIST *f = NULL;	698	CK_FUNCTION_LIST *f = NULL;
699	CK_TOKEN_INFO *token;	699	CK_TOKEN_INFO *token;
700	CK_ULONG i;	700	CK_ULONG i;
701	char *provider_id = strdup(uri->module_path);	701	char *provider_id = NULL;
702	char *provider_uri = pkcs11_uri_get(uri);	702	char *provider_uri = pkcs11_uri_get(uri);
703		703
704	/* if no provider specified, fallback to p11-kit */	704	/* if no provider specified, fallback to p11-kit */
705	if (provider_id == NULL) {	705	if (uri->module_path == NULL)
706	provider_id = strdup(PKCS11_DEFAULT_PROVIDER);	706	provider_id = strdup(PKCS11_DEFAULT_PROVIDER);
707	}	707	else
		708	provider_id = strdup(uri->module_path);
708		709
709	debug("%s: called, provider_uri = %s", __func__, provider_uri);	710	debug("%s: called, provider_uri = %s", __func__, provider_uri);
710		711
711	-
712	configure time	712	configure time
713	--
714	configure.ac \| 37 +++++++++++++++++++++++++++++++++++++	713	configure.ac \| 37 +++++++++++++++++++++++++++++++++++++
715	ssh-pkcs11-uri.h \| 2 --	714	ssh-pkcs11-uri.h \| 2 --
716	ssh-pkcs11.c \| 12 ++++++++----	715	ssh-pkcs11.c \| 12 ++++++++----
717	3 files changed, 45 insertions(+), 6 deletions(-)	716	3 files changed, 45 insertions(+), 6 deletions(-)

Lines 100-105 if [ $r -eq 5 ]; then Link Here

(-)a/regress/pkcs11.sh (+35 lines)
100	fail "ssh connect with PKCS#11 URI succeeded (should fail)"	100	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
101	fi	101	fi
102		102
		103	trace "Connect with various filtering options in PKCS#11 URI"
		104	trace " (by object label, second key should succeed)"
		105	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
		106	-i "pkcs11:object=SSH%20RSA%20Key%202?module-path=${TEST_SSH_PKCS11}" somehost exit 5
		107	r=$?
		108	if [ $r -ne 5 ]; then
		109	fail "ssh connect with PKCS#11 URI failed (exit code $r)"
		110	fi
		111
		112	trace " (by object label, first key should fail)"
		113	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
		114	-i "pkcs11:object=SSH%20RSA%20Key?module-path=${TEST_SSH_PKCS11}" somehost exit 5
		115	r=$?
		116	if [ $r -eq 5 ]; then
		117	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
		118	fi
		119
		120	trace " (by token label, second key should succeed)"
		121	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
		122	-i "pkcs11:id=${ID2};token=SoftToken%20(token)?module-path=${TEST_SSH_PKCS11}" somehost exit 5
		123	r=$?
		124	if [ $r -ne 5 ]; then
		125	fail "ssh connect with PKCS#11 URI failed (exit code $r)"
		126	fi
		127
		128	trace " (by wrong token label, should fail)"
		129	echo ${TEST_SSH_PIN} \| notty ${SSH} -F $OBJ/ssh_proxy \
		130	-i "pkcs11:token=SoftToken?module-path=${TEST_SSH_PKCS11}" somehost exit 5
		131	r=$?
		132	if [ $r -eq 5 ]; then
		133	fail "ssh connect with PKCS#11 URI succeeded (should fail)"
		134	fi
		135
		136
		137
103		138
104	trace "Test PKCS#11 URI specification in configuration files"	139	trace "Test PKCS#11 URI specification in configuration files"
105	echo "PKCS11URI pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \	140	echo "PKCS11URI pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \

Lines 36-48 Link Here

(-)a/ssh-pkcs11-uri.c (-1 / +19 lines)
36	#define PKCS11_URI_VALUE_SEPARATOR "="	36	#define PKCS11_URI_VALUE_SEPARATOR "="
37	#define PKCS11_URI_ID "id"	37	#define PKCS11_URI_ID "id"
38	#define PKCS11_URI_TOKEN "token"	38	#define PKCS11_URI_TOKEN "token"
		39	#define PKCS11_URI_OBJECT "object"
39	#define PKCS11_URI_LIB_MANUF "library-manufacturer"	40	#define PKCS11_URI_LIB_MANUF "library-manufacturer"
40	#define PKCS11_URI_MANUF "manufacturer"	41	#define PKCS11_URI_MANUF "manufacturer"
41	#define PKCS11_URI_MODULE_PATH "module-path"	42	#define PKCS11_URI_MODULE_PATH "module-path"
42		43
43	/* Keyword tokens. */	44	/* Keyword tokens. */
44	typedef enum {	45	typedef enum {
45	pId, pToken, pLibraryManufacturer, pManufacturer, pModulePath,	46	pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pModulePath,
46	pBadOption	47	pBadOption
47	} pkcs11uriOpCodes;	48	} pkcs11uriOpCodes;
48		49
Lines 53-58 static struct { Link Here
53	} keywords[] = {	54	} keywords[] = {
54	{ PKCS11_URI_ID, pId },	55	{ PKCS11_URI_ID, pId },
55	{ PKCS11_URI_TOKEN, pToken },	56	{ PKCS11_URI_TOKEN, pToken },
		57	{ PKCS11_URI_OBJECT, pObject },
56	{ PKCS11_URI_LIB_MANUF, pLibraryManufacturer },	58	{ PKCS11_URI_LIB_MANUF, pLibraryManufacturer },
57	{ PKCS11_URI_MANUF, pManufacturer },	59	{ PKCS11_URI_MANUF, pManufacturer },
58	{ PKCS11_URI_MODULE_PATH, pModulePath },	60	{ PKCS11_URI_MODULE_PATH, pModulePath },
Lines 182-187 pkcs11_uri_get(struct pkcs11_uri *uri) Link Here
182	goto err;	184	goto err;
183	}	185	}
184		186
		187	/* Write object label */
		188	if (uri->object) {
		189	struct sshbuf *label = percent_encode(uri->object, strlen(uri->object),
		190	PKCS11_URI_WHITELIST);
		191	path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
		192	PKCS11_URI_OBJECT, label);
		193	if (path == NULL)
		194	goto err;
		195	}
		196
185	/* Write token label */	197	/* Write token label */
186	if (uri->token) {	198	if (uri->token) {
187	struct sshbuf *label = percent_encode(uri->token, strlen(uri->token),	199	struct sshbuf *label = percent_encode(uri->token, strlen(uri->token),
Lines 237-242 pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11) Link Here
237	free(pkcs11->id);	249	free(pkcs11->id);
238	free(pkcs11->module_path);	250	free(pkcs11->module_path);
239	free(pkcs11->token);	251	free(pkcs11->token);
		252	free(pkcs11->object);
240	free(pkcs11->lib_manuf);	253	free(pkcs11->lib_manuf);
241	free(pkcs11->manuf);	254	free(pkcs11->manuf);
242	free(pkcs11);	255	free(pkcs11);
Lines 326-331 pkcs11_uri_parse(const char uri, struct pkcs11_uri pkcs11) Link Here
326	__func__, keywords[opcode].name, *charptr);	339	__func__, keywords[opcode].name, *charptr);
327	break;	340	break;
328		341
		342	case pObject:
		343	/* CK_TOKEN_INFO -> manufacturerID */
		344	charptr = &pkcs11->object;
		345	goto parse_string;
		346
329	case pManufacturer:	347	case pManufacturer:
330	/* CK_TOKEN_INFO -> manufacturerID */	348	/* CK_TOKEN_INFO -> manufacturerID */
331	charptr = &pkcs11->manuf;	349	charptr = &pkcs11->manuf;

Lines 70-75 struct pkcs11_key { Link Here

(-)a/ssh-pkcs11.c (-29 / +50 lines)
70	int (orig_finish)(RSA rsa);	70	int (orig_finish)(RSA rsa);
71	RSA_METHOD *rsa_method;	71	RSA_METHOD *rsa_method;
72	char *keyid;	72	char *keyid;
		73	char *label;
73	int keyid_len;	74	int keyid_len;
74	};	75	};
75		76
Lines 77-83 int pkcs11_interactive = 0; Link Here
77		78
78	/*	79	/*
79	* This can't be in the ssh-pkcs11-uri, becase we can not depend on	80	* This can't be in the ssh-pkcs11-uri, becase we can not depend on
80	* PKCS structures in ssh-agent (using client-helper communication)	81	* PKCS#11 structures in ssh-agent (using client-helper communication)
81	*/	82	*/
82	int	83	int
83	pkcs11_uri_write(const struct sshkey key, FILE f)	84	pkcs11_uri_write(const struct sshkey key, FILE f)
Lines 95-100 pkcs11_uri_write(const struct sshkey key, FILE f) Link Here
95	uri.id = k11->keyid;	96	uri.id = k11->keyid;
96	uri.id_len = k11->keyid_len;	97	uri.id_len = k11->keyid_len;
97	uri.token = k11->provider->slotinfo[k11->slotidx].token.label;	98	uri.token = k11->provider->slotinfo[k11->slotidx].token.label;
		99	uri.object = k11->label;
98	uri.module_path = k11->provider->module_path;	100	uri.module_path = k11->provider->module_path;
99	uri.lib_manuf = k11->provider->info.manufacturerID;	101	uri.lib_manuf = k11->provider->info.manufacturerID;
100	uri.manuf = k11->provider->slotinfo[k11->slotidx].token.manufacturerID;	102	uri.manuf = k11->provider->slotinfo[k11->slotidx].token.manufacturerID;
Lines 253-258 pkcs11_rsa_finish(RSA *rsa) Link Here
253	if (k11->provider)	255	if (k11->provider)
254	pkcs11_provider_unref(k11->provider);	256	pkcs11_provider_unref(k11->provider);
255	free(k11->keyid);	257	free(k11->keyid);
		258	free(k11->label);
256	free(k11);	259	free(k11);
257	}	260	}
258	return (rv);	261	return (rv);
Lines 381-387 pkcs11_rsa_private_decrypt(int flen, const u_char from, u_char to, RSA *rsa, Link Here
381	/* redirect private key operations for rsa key to pkcs11 token */	384	/* redirect private key operations for rsa key to pkcs11 token */
382	static int	385	static int
383	pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,	386	pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
384	CK_ATTRIBUTE keyid_attrib, RSA rsa)	387	CK_ATTRIBUTE keyid_attrib, CK_ATTRIBUTE label_attrib, RSA *rsa)
385	{	388	{
386	struct pkcs11_key *k11;	389	struct pkcs11_key *k11;
387	const RSA_METHOD *def = RSA_get_default_method();	390	const RSA_METHOD *def = RSA_get_default_method();
Lines 396-401 pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, Link Here
396	k11->keyid = xmalloc(k11->keyid_len);	399	k11->keyid = xmalloc(k11->keyid_len);
397	memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);	400	memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
398	}	401	}
		402	if (label_attrib->ulValueLen > 0 ) {
		403	k11->label = xmalloc(label_attrib->ulValueLen+1);
		404	memcpy(k11->label, label_attrib->pValue, label_attrib->ulValueLen);
		405	k11->label[label_attrib->ulValueLen] = 0;
		406	}
399	k11->orig_finish = RSA_meth_get_finish(def);	407	k11->orig_finish = RSA_meth_get_finish(def);
400	if ((k11->rsa_method = RSA_meth_dup(def)) == NULL \|\|	408	if ((k11->rsa_method = RSA_meth_dup(def)) == NULL \|\|
401	RSA_meth_set1_name(k11->rsa_method, "pkcs11") == 0 \|\|	409	RSA_meth_set1_name(k11->rsa_method, "pkcs11") == 0 \|\|
Lines 487-505 pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
487	CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;	495	CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
488	CK_ATTRIBUTE pubkey_filter[] = {	496	CK_ATTRIBUTE pubkey_filter[] = {
489	{ CKA_CLASS, NULL, sizeof(pubkey_class) },	497	{ CKA_CLASS, NULL, sizeof(pubkey_class) },
490	{ CKA_ID, NULL, 0 }	498	{ CKA_ID, NULL, 0 },
		499	{ CKA_LABEL, NULL, 0 }
491	};	500	};
492	CK_ATTRIBUTE cert_filter[] = {	501	CK_ATTRIBUTE cert_filter[] = {
493	{ CKA_CLASS, NULL, sizeof(cert_class) },	502	{ CKA_CLASS, NULL, sizeof(cert_class) },
494	{ CKA_ID, NULL, 0 }	503	{ CKA_ID, NULL, 0 },
		504	{ CKA_LABEL, NULL, 0 }
495	};	505	};
496	CK_ATTRIBUTE pubkey_attribs[] = {	506	CK_ATTRIBUTE pubkey_attribs[] = {
497	{ CKA_ID, NULL, 0 },	507	{ CKA_ID, NULL, 0 },
		508	{ CKA_LABEL, NULL, 0 },
498	{ CKA_MODULUS, NULL, 0 },	509	{ CKA_MODULUS, NULL, 0 },
499	{ CKA_PUBLIC_EXPONENT, NULL, 0 }	510	{ CKA_PUBLIC_EXPONENT, NULL, 0 }
500	};	511	};
501	CK_ATTRIBUTE cert_attribs[] = {	512	CK_ATTRIBUTE cert_attribs[] = {
502	{ CKA_ID, NULL, 0 },	513	{ CKA_ID, NULL, 0 },
		514	{ CKA_LABEL, NULL, 0 },
503	{ CKA_SUBJECT, NULL, 0 },	515	{ CKA_SUBJECT, NULL, 0 },
504	{ CKA_VALUE, NULL, 0 }	516	{ CKA_VALUE, NULL, 0 }
505	};	517	};
Lines 507-517 pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
507	cert_filter[0].pValue = &cert_class;	519	cert_filter[0].pValue = &cert_class;
508		520
509	if (uri->id != NULL) {	521	if (uri->id != NULL) {
510	pubkey_filter[1].pValue = uri->id;	522	pubkey_filter[filter_size].pValue = uri->id;
511	pubkey_filter[1].ulValueLen = uri->id_len;	523	pubkey_filter[filter_size].ulValueLen = uri->id_len;
512	cert_filter[1].pValue = uri->id;	524	cert_filter[filter_size].pValue = uri->id;
513	cert_filter[1].ulValueLen = uri->id_len;	525	cert_filter[filter_size].ulValueLen = uri->id_len;
514	filter_size = 2;	526	filter_size++;
		527	}
		528	if (uri->object != NULL) {
		529	pubkey_filter[filter_size].pValue = uri->object;
		530	pubkey_filter[filter_size].ulValueLen = strlen(uri->object);
		531	pubkey_filter[filter_size].type = CKA_LABEL;
		532	cert_filter[filter_size].pValue = uri->object;
		533	cert_filter[filter_size].ulValueLen = strlen(uri->object);
		534	cert_filter[filter_size].type = CKA_LABEL;
		535	filter_size++;
515	}	536	}
516		537
517	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,	538	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
Lines 535-541 pkcs11_key_included(struct sshkey **keysp, int nkeys, struct sshkey *key) Link Here
535		556
536	static int	557	static int
537	pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,	558	pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
538	CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[3],	559	CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
539	struct sshkey **keysp, int nkeys)	560	struct sshkey **keysp, int nkeys)
540	{	561	{
541	struct sshkey *key;	562	struct sshkey *key;
Lines 543-548 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
543	X509 *x509;	564	X509 *x509;
544	EVP_PKEY *evp = NULL;	565	EVP_PKEY *evp = NULL;
545	int i;	566	int i;
		567	int nattribs = 4;
546	const u_char *cp;	568	const u_char *cp;
547	CK_RV rv;	569	CK_RV rv;
548	CK_OBJECT_HANDLE obj;	570	CK_OBJECT_HANDLE obj;
Lines 560-566 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
560	}	582	}
561	while (1) {	583	while (1) {
562	/* XXX 3 attributes in attribs[] */	584	/* XXX 3 attributes in attribs[] */
563	for (i = 0; i < 3; i++) {	585	for (i = 0; i < nattribs; i++) {
564	attribs[i].pValue = NULL;	586	attribs[i].pValue = NULL;
565	attribs[i].ulValueLen = 0;	587	attribs[i].ulValueLen = 0;
566	}	588	}
Lines 568-589 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
568	\|\| nfound == 0)	590	\|\| nfound == 0)
569	break;	591	break;
570	/* found a key, so figure out size of the attributes */	592	/* found a key, so figure out size of the attributes */
571	if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))	593	if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
572	!= CKR_OK) {	594	!= CKR_OK) {
573	error("C_GetAttributeValue failed: %lu", rv);	595	error("C_GetAttributeValue failed: %lu", rv);
574	continue;	596	continue;
575	}	597	}
576	/*	598	/*
577	* Allow CKA_ID (always first attribute) to be empty, but	599	* Allow CKA_ID (always first attribute) and CKA_LABEL (second)
578	* ensure that none of the others are zero length.	600	* to be empty, but ensure that none of the others are zero length.
579	* XXX assumes CKA_ID is always first.	601	* XXX assumes CKA_ID is always first.
580	*/	602	*/
581	if (attribs[1].ulValueLen == 0 \|\|	603	if (attribs[2].ulValueLen == 0 \|\|
582	attribs[2].ulValueLen == 0) {	604	attribs[3].ulValueLen == 0) {
583	continue;	605	continue;
584	}	606	}
585	/* allocate buffers for attributes */	607	/* allocate buffers for attributes */
586	for (i = 0; i < 3; i++) {	608	for (i = 0; i < nattribs; i++) {
587	if (attribs[i].ulValueLen > 0) {	609	if (attribs[i].ulValueLen > 0) {
588	attribs[i].pValue = xmalloc(	610	attribs[i].pValue = xmalloc(
589	attribs[i].ulValueLen);	611	attribs[i].ulValueLen);
Lines 591-621 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
591	}	613	}
592		614
593	/*	615	/*
594	* retrieve ID, modulus and public exponent of RSA key,	616	* retrieve ID, label, modulus and public exponent of RSA key,
595	* or ID, subject and value for certificates.	617	* or ID, label, subject and value for certificates.
596	*/	618	*/
597	rsa = NULL;	619	rsa = NULL;
598	if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))	620	if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
599	!= CKR_OK) {	621	!= CKR_OK) {
600	error("C_GetAttributeValue failed: %lu", rv);	622	error("C_GetAttributeValue failed: %lu", rv);
601	} else if (attribs[1].type == CKA_MODULUS ) {	623	} else if (attribs[2].type == CKA_MODULUS ) {
602	if ((rsa = RSA_new()) == NULL) {	624	if ((rsa = RSA_new()) == NULL) {
603	error("RSA_new failed");	625	error("RSA_new failed");
604	} else {	626	} else {
605	BIGNUM rsa_n, rsa_e;	627	BIGNUM rsa_n, rsa_e;
606		628
607	rsa_n = BN_bin2bn(attribs[1].pValue,	629	rsa_n = BN_bin2bn(attribs[2].pValue,
608	attribs[1].ulValueLen, NULL);
609	rsa_e = BN_bin2bn(attribs[2].pValue,
610	attribs[2].ulValueLen, NULL);	630	attribs[2].ulValueLen, NULL);
		631	rsa_e = BN_bin2bn(attribs[3].pValue,
		632	attribs[3].ulValueLen, NULL);
611	if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0)	633	if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0)
612	error("RSA_set0_key failed");	634	error("RSA_set0_key failed");
613	}	635	}
614	} else {	636	} else {
615	cp = attribs[2].pValue;	637	cp = attribs[3].pValue;
616	if ((x509 = X509_new()) == NULL) {	638	if ((x509 = X509_new()) == NULL) {
617	error("X509_new failed");	639	error("X509_new failed");
618	} else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen)	640	} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
619	== NULL) {	641	== NULL) {
620	error("d2i_X509 failed");	642	error("d2i_X509 failed");
621	} else if ((evp = X509_get_pubkey(x509)) == NULL \|\|	643	} else if ((evp = X509_get_pubkey(x509)) == NULL \|\|
Lines 634-640 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
634	if (rsa)	656	if (rsa)
635	RSA_get0_key(rsa, &n, &e, NULL);	657	RSA_get0_key(rsa, &n, &e, NULL);
636	if (rsa && n && e &&	658	if (rsa && n && e &&
637	pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {	659	pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
638	if ((key = sshkey_new(KEY_UNSPEC)) == NULL)	660	if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
639	fatal("sshkey_new failed");	661	fatal("sshkey_new failed");
640	key->rsa = rsa;	662	key->rsa = rsa;
Lines 653-659 pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, Link Here
653	} else if (rsa) {	675	} else if (rsa) {
654	RSA_free(rsa);	676	RSA_free(rsa);
655	}	677	}
656	for (i = 0; i < 3; i++)	678	for (i = 0; i < nattribs; i++)
657	free(attribs[i].pValue);	679	free(attribs[i].pValue);
658	}	680	}
659	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)	681	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
660	-